Merge pull request #1300 from aapostoliuk/sstp-circinus

Rewritten the SSTP server documentation

1 files changed, 403 insertions, 192 deletions

diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index a9def827..3749eb7b 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -19,50 +19,43 @@ local and RADIUS authentication.
 As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
 certificates as well as a private PKI is required.
 
-.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
-  certificates are not stored in the ``/config`` directory they will not be
-  migrated during a software update.
+***********************
+Configuring SSTP Server
+***********************
 
 Certificates
 ============
 
-Self Signed CA
---------------
-
-To generate the CA, the server private key and certificates the following
-commands can be used.
+Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate
 
 .. code-block:: none
 
-  vyos@vyos:~$ mkdir -p /config/user-data/sstp
-  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
-
-  Generating a 4096 bit RSA private key
-  .........................++
-  ...............................................................++
-  writing new private key to 'server.key'
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
-
-  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
+    vyos@vyos:~$ generate pki ca install CA
+
+.. code-block:: none
 
+    vyos@vyos:~$ generate pki certificate sign CA install Server
 
 Configuration
 =============
+.. code-block:: none
+
+    set vpn sstp authentication local-users username test password 'test'
+    set vpn sstp authentication mode 'local'
+    set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100'
+    set vpn sstp default-pool 'SSTP-POOL'
+    set vpn sstp gateway-address '10.0.0.1'
+    set vpn sstp ssl ca-certificate 'CA1'
+    set vpn sstp ssl certificate 'Server'
+
+.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+
+  Set authentication backend. The configured authentication backend is used
+  for all queries.
+
+  * **radius**: All authentication queries are handled by a configured RADIUS
+    server.
+  * **local**: All authentication queries are handled locally.
 
 .. cfgcmd:: set vpn sstp authentication local-users username <user> password
    <pass>
@@ -70,137 +63,185 @@ Configuration
   Create `<user>` for local authentication on this system. The users password
   will be set to `<pass>`.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
 
-  Disable `<user>` account.
+   Use this command to define the first IP address of a pool of
+   addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
+   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+   used there is possibility to set host/netmask.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
-   <address>
+.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
 
-  Assign static IP address to `<user>` account.
+   Use this command to define default address pool name.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
-   download <bandwidth>
+.. cfgcmd:: set vpn sstp gateway-address <gateway>
 
-  Download bandwidth limit in kbit/s for `<user>`.
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
-   upload <bandwidth>
+.. cfgcmd:: set vpn sstp ssl ca-certificate <file>
 
-  Upload bandwidth limit in kbit/s for `<user>`.
+  Name of installed certificate authority certificate.
 
-.. cfgcmd:: set vpn sstp authentication protocols
-   <pap | chap | mschap | mschap-v2>
+.. cfgcmd:: set vpn sstp ssl certificate <file>
 
-  Require the peer to authenticate itself using one of the following protocols:
-  pap, chap, mschap, mschap-v2.
+  Name of installed server certificate.
 
-.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+*********************************
+Configuring RADIUS authentication
+*********************************
 
-  Set authentication backend. The configured authentication backend is used
-  for all queries.
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
 
-  * **radius**: All authentication queries are handled by a configured RADIUS
-    server.
-  * **local**: All authentication queries are handled locally.
+.. code-block:: none
 
+  set vpn sstp authentication mode radius
 
-.. cfgcmd:: set vpn sstp gateway-address <gateway>
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
 
-  Specifies single `<gateway>` IP address to be used as local address of PPP
-  interfaces.
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
 
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
 
-.. cfgcmd:: set vpn sstp port <port>
+.. code-block:: none
 
-  Specifies the port `<port>` that the SSTP port will listen on (default 443).
+  set vpn sstp authentication radius server 10.0.0.1 key 'foo'
+  set vpn sstp authentication radius server 10.0.0.2 key 'foo'
 
+.. note:: Some RADIUS severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
 
-.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
+RADIUS source address
+=====================
 
-   Use this command to define the first IP address of a pool of
-   addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
-   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
-   used there is possibility to set host/netmask.
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. You can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
 
-.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
 
-   Use this command to define the next address pool name.
+  Source IPv4 address used in all RADIUS server queires.
 
-.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best practice would be a loopback or dummy interface.
 
-   Use this command to define default address pool name.
+RADIUS advanced options
+=======================
 
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
 
-.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
-   mask <number-of-bits>
+  Configure RADIUS `<server>` and its required port for authentication requests.
 
-  Use this comand to set the IPv6 address pool from which an SSTP client
-  will get an IPv6 prefix of your defined length (mask) to terminate the
-  SSTP endpoint at their side. The mask length can be set from 48 to 128
-  bit long, the default value is 64.
+.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
 
+  Mark RADIUS server as offline for this given `<time>` in seconds.
 
-.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
-   delegation-prefix <number-of-bits>
+.. cfgcmd:: set vpn sstp authentication radius server <server> disable
 
-  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
-  SSTP. You will have to set your IPv6 pool and the length of the
-  delegation prefix. From the defined IPv6 pool you will be handing out
-  networks of the defined length (delegation-prefix). The length of the
-  delegation prefix can be set from 32 to 64 bit long.
+  Temporary disable this RADIUS server.
 
+.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
 
-.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
 
-   Use this command to define default IPv6 address pool name.
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
 
+  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
 
-.. cfgcmd:: set vpn sstp name-server <address>
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
 
-  Connected client should use `<address>` as their DNS server. This
-  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
-  can be configured for IPv4, up to three for IPv6.
+  Port for Dynamic Authorization Extension server (DM/CoA)
 
-Maximum number of IPv4 nameservers
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
 
-SSL Certificates
-----------------
+  Secret for Dynamic Authorization Extension server (DM/CoA)
 
-.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
+.. cfgcmd:: set vpn sstp authentication radius max-try <number>
 
-  Path to `<file>` pointing to the certificate authority certificate.
+  Maximum number of tries to send Access-Request/Accounting-Request queries
 
-.. cfgcmd:: set vpn sstp ssl cert-file <file>
+.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
 
-  Path to `<file>` pointing to the servers certificate (public portion).
+  Timeout to wait response from server (seconds)
 
+.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
 
-PPP Settings
-------------
+  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+  in DM/CoA requests.
 
-.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
 
-  Disable Compression Control Protocol (CCP).
-  CCP is enabled by default.
+  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+  in DM/CoA requests. Also DM/CoA server will bind to that address.
 
-.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
 
-  Specifies number of interfaces to keep in cache. It means that don’t
-  destroy interface after corresponding session is destroyed, instead
-  place it to cache and use it later for new sessions repeatedly.
-  This should reduce kernel-level interface creation/deletion rate lack.
-  Default value is **0**.
+  Source IPv4 address used in all RADIUS server queires.
 
-.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
 
-  Specifies IPv4 negotiation preference.
+  Specifies which RADIUS server attribute contains the rate limit information.
+  The default attribute is `Filter-Id`.
 
-  * **require** - Require IPv4 negotiation
-  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
-  * **allow** - Negotiate IPv4 only if client requests (Default value)
-  * **deny** - Do not negotiate IPv4
+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+
+  Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+
+  Specifies the vendor dictionary, dictionary needs to be in
+  /usr/share/accel-ppp/radius.
 
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+=========================================
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ``default-pool`` within the CLI
+config is being ignored.
+
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+          RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
+Renaming clients interfaces by RADIUS
+=====================================
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+   characters, otherwise the interface won't be renamed.
+
+
+****
+IPv6
+****
 .. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
 
   Specifies IPv6 negotiation preference.
@@ -210,6 +251,36 @@ PPP Settings
   * **allow** - Negotiate IPv6 only if client requests
   * **deny** - Do not negotiate IPv6 (default value)
 
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
+
+  Use this comand to set the IPv6 address pool from which an SSTP client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  SSTP endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
+
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  SSTP. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
+
+.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+
+   Use this command to define default IPv6 address pool name.
+
+.. code-block:: none
+
+  set vpn sstp ppp-options ipv6 allow
+  set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set vpn sstp default-ipv6-pool IPv6-POOL
+
+IPv6 Advanced Options
+=====================
 .. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
 
   Accept peer interface identifier. By default is not defined.
@@ -231,6 +302,90 @@ PPP Settings
   * **ipv4-addr** - Calculate interface identifier from IPv4 address.
   * **calling-sid** - Calculate interface identifier from calling-station-id.
 
+*********
+Scripting
+*********
+
+.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script>
+
+  Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script>
+
+  Script to run when session interface going to terminate
+
+.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script>
+
+  Script to run before session interface comes up
+
+.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script>
+
+  Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
+   <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols
+   <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+   Use this command to define the next address pool name.
+
+PPP Advanced Options
+====================
+
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
+
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
+
 .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
 
   Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
@@ -271,112 +426,61 @@ PPP Settings
 
   Defines preferred MRU. By default is not defined.
 
+Global Advanced options
+=======================
 
-RADIUS
-------
-
-Server
-^^^^^^
-
-.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
+.. cfgcmd:: set vpn sstp description <description>
 
-  Configure RADIUS `<server>` and its required port for authentication requests.
+  Set description.
 
-.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
-
-  Configure RADIUS `<server>` and its required shared `<secret>` for
-  communicating with the RADIUS server.
+.. cfgcmd::  set vpn sstp limits burst <value>
 
-.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
+  Burst count
 
-  Mark RADIUS server as offline for this given `<time>` in seconds.
+.. cfgcmd:: set vpn sstp limits connection-limit <value>
 
-.. cfgcmd:: set vpn sstp authentication radius server <server> disable
+  Acceptable rate of connections (e.g. 1/min, 60/sec)
 
-  Temporary disable this RADIUS server.
+.. cfgcmd:: set vpn sstp limits timeout <value>
 
-Options
-^^^^^^^
+  Timeout in seconds
 
-.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
+.. cfgcmd:: set vpn sstp mtu
 
-  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+  Maximum Transmission Unit (MTU) (default: **1500**)
 
-.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
+.. cfgcmd:: set vpn sstp max-concurrent-sessions
 
-  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+  Maximum number of concurrent session start attempts
 
-.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
-
-  Port for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
-
-  Secret for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set vpn sstp authentication radius max-try <number>
-
-  Maximum number of tries to send Access-Request/Accounting-Request queries
-
-.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
-
-  Timeout to wait response from server (seconds)
-
-.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
-
-  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
-  in DM/CoA requests.
-
-.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
-
-  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
-  in DM/CoA requests. Also DM/CoA server will bind to that address.
-
-.. cfgcmd:: set vpn sstp authentication radius source-address <address>
-
-  Source IPv4 address used in all RADIUS server queires.
-
-.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
-
-  Specifies which RADIUS server attribute contains the rate limit information.
-  The default attribute is `Filter-Id`.
-
-.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+.. cfgcmd:: set vpn sstp name-server <address>
 
-  Enables bandwidth shaping via RADIUS.
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
 
-.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647>
 
-  Specifies the vendor dictionary, dictionary needs to be in
-  /usr/share/accel-ppp/radius.
+  Match firewall mark value
 
+.. cfgcmd:: set vpn sstp snmp master-agent
 
-Example
-=======
+  Enable SNMP
 
-* Use local user `foo` with password `bar`
-* Client IP addresses will be provided from pool `192.0.2.0/25`
+.. cfgcmd:: set vpn sstp wins-server <address>
 
-.. code-block:: none
+  Windows Internet Name Service (WINS) servers propagated to client
 
-  set vpn sstp authentication local-users username vyos password vyos
-  set vpn sstp authentication mode local
-  set vpn sstp gateway-address 192.0.2.254
-  set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
-  set vpn sstp default-pool 'SSTP-POOL'
-  set vpn sstp name-server 10.0.0.1
-  set vpn sstp name-server 10.0.0.2
-  set vpn sstp ssl ca-cert-file /config/auth/ca.crt
-  set vpn sstp ssl cert-file /config/auth/server.crt
-  set vpn sstp ssl key-file /config/auth/server.key
-
-Testing SSTP
-============
+***********************
+Configuring SSTP client
+***********************
 
 Once you have setup your SSTP server there comes the time to do some basic
 testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
 PPP configuration/peer file.
 
+If you use a self-signed certificate, do not forget to install CA on the client side.
+
 The following PPP configuration tests MSCHAP-v2:
 
 .. code-block:: none
@@ -429,8 +533,115 @@ A connection attempt will be shown as:
        inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
           valid_lft forever preferred_lft forever
 
+**********
+Monitoring
+**********
 
+.. opcmd:: show sstp-server sessions
 
-.. _sstpc: https://github.com/reliablehosting/sstp-client
+   Use this command to locally check the active sessions in the SSTP
+   server.
 
+.. code-block:: none
+
+    vyos@vyos:~$ show sstp-server sessions
+     ifname | username |    ip    | ip6 | ip6-dp |   calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
+    --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
+     sstp0  | test     | 10.0.0.2 |     |        | 192.168.10.100 |            | active | 00:15:46 | 16.3 KiB | 210 B
+
+.. code-block:: none
+
+    vyos@vyos:~$ show sstp-server statistics
+     uptime: 0.01:21:54
+    cpu: 0%
+    mem(rss/virt): 6688/100464 kB
+    core:
+      mempool_allocated: 149420
+      mempool_available: 146092
+      thread_count: 1
+      thread_active: 1
+      context_count: 6
+      context_sleeping: 0
+      context_pending: 0
+      md_handler_count: 7
+      md_handler_pending: 0
+      timer_count: 2
+      timer_pending: 0
+    sessions:
+      starting: 0
+      active: 1
+      finishing: 0
+    sstp:
+      starting: 0
+      active: 1
+
+***************
+Troubleshooting
+***************
+
+.. code-block:: none
+
+    vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0
+
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852)
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0'
+    Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started
+
+.. _sstpc: https://github.com/reliablehosting/sstp-client
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
 .. include:: /_include/common-references.txt