| field | value | date |
|---|---|---|
| author | Christian Poessinger <christian@poessinger.com> | 2022-12-11 20:32:46 +0100 |
| committer | Christian Poessinger <christian@poessinger.com> | 2022-12-11 20:32:46 +0100 |
| commit | 91e7d86a27814ff35a4cc9630585572082ce4138 (patch) | |
| tree | 9b77b3cdce16d6d15ce035cc32a6cef08447174b | |
| parent | 67965db96acdfea20e7b190e7f7d456e6b3d0dc0 (diff) | |
| download | vyos-documentation-91e7d86a27814ff35a4cc9630585572082ce4138.tar.gz vyos-documentation-91e7d86a27814ff35a4cc9630585572082ce4138.zip | |
T4792: add initial documentation for SSTP client
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/configuration/interfaces/index.rst | 1 |
| -rw-r--r-- | docs/configuration/interfaces/sstp-client.rst | 150 |
| -rw-r--r-- | docs/configuration/vpn/sstp.rst | 6 |
3 files changed, 154 insertions, 3 deletions
| diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst index 97ad709e..0f02d1e3 100644 --- a/docs/configuration/interfaces/index.rst +++ b/docs/configuration/interfaces/index.rst @@ -19,6 +19,7 @@ Interfaces     wireguard     pppoe     pseudo-ethernet +   sstp-client     tunnel     virtual-ethernet     vti diff --git a/docs/configuration/interfaces/sstp-client.rst b/docs/configuration/interfaces/sstp-client.rst new file mode 100644 index 00000000..27eb9c39 --- /dev/null +++ b/docs/configuration/interfaces/sstp-client.rst 
@@ -0,0 +1,150 @@ +:lastproofread: 2022-12-11 + +.. _sstp-client-interface: + +########### +SSTP Client +########### + +:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VTP (Virtual +Private Network)` tunnel that provides a mechanism to transport PPP traffic +through an SSL/TLS channel. SSL/TLS provides transport-level security with key +negotiation, encryption and traffic integrity checking. The use of SSL/TLS over +TCP port 443 (by default, port can be changed) allows SSTP to pass through +virtually all firewalls and proxy servers except for authenticated web proxies. + +.. note:: VyOS also comes with a build in SSTP server, see :ref:`sstp`. + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: /_include/interface-description.txt +   :var0: sstpc +   :var1: sstpc0 + +.. cmdinclude:: /_include/interface-disable.txt +   :var0: sstpc +   :var1: sstpc0 + +.. cmdinclude:: /_include/interface-mtu.txt +   :var0: sstpc +   :var1: sstpc0 + +.. cmdinclude:: /_include/interface-vrf.txt +   :var0: sstpc +   :var1: sstpc0 + +SSTP Client Options +=================== + +.. cfgcmd:: set interfaces sstpc <interface> no-default-route + +   Only request an address from the SSTP server but do not install any default +   route. + +   Example: + +   .. code-block:: none + +     set interfaces sstpc sstpc0 no-default-route + +   .. note:: This command got added in VyOS 1.4 and inverts the logic from the old +     ``default-route`` CLI option. + +.. cfgcmd:: set interfaces sstpc <interface> default-route-distance <distance> + +   Set the distance for the default gateway sent by the SSTP server. + +   Example: + +   .. code-block:: none + +     set interfaces sstpc sstpc0 default-route-distance 220 + +.. cfgcmd:: set interfaces sstpc <interface> no-peer-dns + +   Use this command to not install advertised DNS nameservers into the local +   system. + +.. 
cfgcmd:: set interfaces sstpc <interface> server <address> + +   SSTP remote server to connect to. Can be either an IP address or FQDN. + +.. cfgcmd:: set interfaces sstpc <interface> ip adjust-mss <mss | clamp-mss-to-pmtu> + +  As Internet wide PMTU discovery rarely works, we sometimes need to clamp our +  TCP MSS value to a specific value. This is a field in the TCP options part of +  a SYN packet. By setting the MSS value, you are telling the remote side +  unequivocally 'do not try to send me packets bigger than this value'. + +  .. note:: This command was introduced in VyOS 1.4 - it was previously called: +    ``set firewall options interface <name> adjust-mss <value>`` + +  .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in +    1452 bytes on a 1492 byte MTU. + +  Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to +  automatically set the proper value. + +.. cfgcmd:: set interfaces sstpc <interface> ip disable-forwarding + +  Configure interface-specific Host/Router behaviour. If set, the interface will +  switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces sstpc <interface> ip source-validation <strict | loose | disable> + +  Enable policy for source validation by reversed path, as specified in +  :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict +  mode to prevent IP spoofing from DDos attacks. If using asymmetric routing +  or other complicated routing, then loose mode is recommended. + +  - strict: Each incoming packet is tested against the FIB and if the interface +    is not the best reverse path the packet check will fail. By default failed +    packets are discarded. + +  - loose: Each incoming packet's source address is also tested against the FIB +    and if the source address is not reachable via any interface the packet +    check will fail. + +  - disable: No source validation + +********* +Operation +********* + +.. 
opcmd:: show interfaces sstpc <interface> + +   Show detailed information on given `<interface>` + +   .. code-block:: none + +     vyos@vyos:~$ show interfaces sstpc sstpc10 +     sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3 +         link/ppp +         inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10 +            valid_lft forever preferred_lft forever +         inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link +            valid_lft forever preferred_lft forever + +         RX:  bytes  packets  errors  dropped  overrun       mcast +                215        9       0        0        0           0 +         TX:  bytes  packets  errors  dropped  carrier  collisions +                539       14       0        0        0           0 + + +Connect/Disconnect +================== + +.. opcmd:: disconnect interface <interface> + +   Test disconnecting given connection-oriented interface. `<interface>` can be +   ``sstpc0`` as the example. + +.. opcmd:: connect interface <interface> + +   Test connecting given connection-oriented interface. `<interface>` can be +   ``sstpc0`` as the example. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index 4f90260e..f3e062fe 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -1,8 +1,8 @@  .. _sstp: -#### -SSTP -#### +########### +SSTP Server +###########  :abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN  (Virtual Private Network)` tunnel that provides a mechanism to transport PPP | 
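Review bot: the introduction of the new sstp-client.rst expands the acronym as `:abbr:`VTP (Virtual Private Network)``; this should be `VPN`, as the unchanged context line in the sstp.rst hunk already writes it. A second correctness problem in the same file: `set interfaces sstpc <interface> ip disable-forwarding` is described as switching the interface to host mode so that "IPv6 forwarding will be disabled", but the command sits under the `ip` (IPv4) tree, so either the text should say IPv4 forwarding or the entry belongs under `ipv6`. Smaller points: "build in SSTP server" should read "built-in"; "DDos" should be "DDoS"; and the cfgcmd bodies are indented three spaces up to `server <address>` but two spaces from `ip adjust-mss` onward, which should be made consistent. Finally, the only connection parameter documented is `server <address>`; since the page itself explains that SSTP carries PPP inside an SSL/TLS channel, a reader will look here for how the PPP credentials are set and how the server's TLS certificate is validated. If the CLI provides such options they should be documented on this page, and if it does not, the page should state that explicitly rather than leave it implicit.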
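Review bot: in the sstp.rst hunk the heading rename to "SSTP Server" is sound (the `###########` overline and underline are both 11 characters, matching the title), but now that the client page points here with `see :ref:`sstp`` there is no reciprocal link; add a short note referencing `:ref:`sstp-client-interface``, the label created in the new file, so readers landing on the server page can find the client documentation. The `.. _sstp:` label is kept, so existing cross-references continue to resolve.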
