summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoraapostoliuk <a.apostoliuk@vyos.io>2024-02-29 16:21:27 +0200
committeraapostoliuk <a.apostoliuk@vyos.io>2024-03-05 10:32:44 +0200
commitd71c4607fa0c330a3c6269811b2126a25ceb91f7 (patch)
tree3dc62414bbf878dd6f9a6b005b3deabb0a955e22
parenta8d2dedab21b996f1aac86d360089a6dbc8e6963 (diff)
downloadvyos-documentation-d71c4607fa0c330a3c6269811b2126a25ceb91f7.tar.gz
vyos-documentation-d71c4607fa0c330a3c6269811b2126a25ceb91f7.zip
Rewritten the SSTP server documentation
Fully rewritten SSTP server documentation.
-rw-r--r--docs/configuration/vpn/sstp.rst595
1 files changed, 403 insertions, 192 deletions
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index a9def827..3749eb7b 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -19,50 +19,43 @@ local and RADIUS authentication.
As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
certificates as well as a private PKI is required.
-.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
- certificates are not stored in the ``/config`` directory they will not be
- migrated during a software update.
+***********************
+Configuring SSTP Server
+***********************
Certificates
============
-Self Signed CA
---------------
-
-To generate the CA, the server private key and certificates the following
-commands can be used.
+Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate
.. code-block:: none
- vyos@vyos:~$ mkdir -p /config/user-data/sstp
- vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
-
- Generating a 4096 bit RSA private key
- .........................++
- ...............................................................++
- writing new private key to 'server.key'
- [...]
- Country Name (2 letter code) [AU]:
- State or Province Name (full name) [Some-State]:
- Locality Name (eg, city) []:
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
- Organizational Unit Name (eg, section) []:
- Common Name (e.g. server FQDN or YOUR name) []:
- Email Address []:
-
- vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
- [...]
- Country Name (2 letter code) [AU]:
- State or Province Name (full name) [Some-State]:
- Locality Name (eg, city) []:
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
- Organizational Unit Name (eg, section) []:
- Common Name (e.g. server FQDN or YOUR name) []:
- Email Address []:
+ vyos@vyos:~$ generate pki ca install CA
+
+.. code-block:: none
+ vyos@vyos:~$ generate pki certificate sign CA install Server
Configuration
=============
+.. code-block:: none
+
+ set vpn sstp authentication local-users username test password 'test'
+ set vpn sstp authentication mode 'local'
+ set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100'
+ set vpn sstp default-pool 'SSTP-POOL'
+ set vpn sstp gateway-address '10.0.0.1'
+ set vpn sstp ssl ca-certificate 'CA1'
+ set vpn sstp ssl certificate 'Server'
+
+.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+
+ Set authentication backend. The configured authentication backend is used
+ for all queries.
+
+ * **radius**: All authentication queries are handled by a configured RADIUS
+ server.
+ * **local**: All authentication queries are handled locally.
.. cfgcmd:: set vpn sstp authentication local-users username <user> password
<pass>
@@ -70,137 +63,185 @@ Configuration
Create `<user>` for local authentication on this system. The users password
will be set to `<pass>`.
-.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
- Disable `<user>` account.
+ Use this command to define the first IP address of a pool of
+ addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
+ it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+ used there is possibility to set host/netmask.
-.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
- <address>
+.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
- Assign static IP address to `<user>` account.
+ Use this command to define default address pool name.
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
- download <bandwidth>
+.. cfgcmd:: set vpn sstp gateway-address <gateway>
- Download bandwidth limit in kbit/s for `<user>`.
+ Specifies single `<gateway>` IP address to be used as local address of PPP
+ interfaces.
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
- upload <bandwidth>
+.. cfgcmd:: set vpn sstp ssl ca-certificate <file>
- Upload bandwidth limit in kbit/s for `<user>`.
+ Name of installed certificate authority certificate.
-.. cfgcmd:: set vpn sstp authentication protocols
- <pap | chap | mschap | mschap-v2>
+.. cfgcmd:: set vpn sstp ssl certificate <file>
- Require the peer to authenticate itself using one of the following protocols:
- pap, chap, mschap, mschap-v2.
+ Name of installed server certificate.
-.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+*********************************
+Configuring RADIUS authentication
+*********************************
- Set authentication backend. The configured authentication backend is used
- for all queries.
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
- * **radius**: All authentication queries are handled by a configured RADIUS
- server.
- * **local**: All authentication queries are handled locally.
+.. code-block:: none
+ set vpn sstp authentication mode radius
-.. cfgcmd:: set vpn sstp gateway-address <gateway>
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
- Specifies single `<gateway>` IP address to be used as local address of PPP
- interfaces.
+ Configure RADIUS `<server>` and its required shared `<secret>` for
+ communicating with the RADIUS server.
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
-.. cfgcmd:: set vpn sstp port <port>
+.. code-block:: none
- Specifies the port `<port>` that the SSTP port will listen on (default 443).
+ set vpn sstp authentication radius server 10.0.0.1 key 'foo'
+ set vpn sstp authentication radius server 10.0.0.2 key 'foo'
+.. note:: Some RADIUS severs use an access control list which allows or denies
+ queries, make sure to add your VyOS router to the allowed client list.
-.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
+RADIUS source address
+=====================
- Use this command to define the first IP address of a pool of
- addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
- it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
- used there is possibility to set host/netmask.
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. You can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
-.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
- Use this command to define the next address pool name.
+ Source IPv4 address used in all RADIUS server queires.
-.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+ Best practice would be a loopback or dummy interface.
- Use this command to define default address pool name.
+RADIUS advanced options
+=======================
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
-.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
- mask <number-of-bits>
+ Configure RADIUS `<server>` and its required port for authentication requests.
- Use this comand to set the IPv6 address pool from which an SSTP client
- will get an IPv6 prefix of your defined length (mask) to terminate the
- SSTP endpoint at their side. The mask length can be set from 48 to 128
- bit long, the default value is 64.
+.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
+ Mark RADIUS server as offline for this given `<time>` in seconds.
-.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
- delegation-prefix <number-of-bits>
+.. cfgcmd:: set vpn sstp authentication radius server <server> disable
- Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
- SSTP. You will have to set your IPv6 pool and the length of the
- delegation prefix. From the defined IPv6 pool you will be handing out
- networks of the defined length (delegation-prefix). The length of the
- delegation prefix can be set from 32 to 64 bit long.
+ Temporary disable this RADIUS server.
+.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
-.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+ Timeout to wait reply for Interim-Update packets. (default 3 seconds)
- Use this command to define default IPv6 address pool name.
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
+ Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
-.. cfgcmd:: set vpn sstp name-server <address>
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
- Connected client should use `<address>` as their DNS server. This
- command accepts both IPv4 and IPv6 addresses. Up to two nameservers
- can be configured for IPv4, up to three for IPv6.
+ Port for Dynamic Authorization Extension server (DM/CoA)
-Maximum number of IPv4 nameservers
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
-SSL Certificates
-----------------
+ Secret for Dynamic Authorization Extension server (DM/CoA)
-.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
+.. cfgcmd:: set vpn sstp authentication radius max-try <number>
- Path to `<file>` pointing to the certificate authority certificate.
+ Maximum number of tries to send Access-Request/Accounting-Request queries
-.. cfgcmd:: set vpn sstp ssl cert-file <file>
+.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
- Path to `<file>` pointing to the servers certificate (public portion).
+ Timeout to wait response from server (seconds)
+.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
-PPP Settings
-------------
+ Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+ in DM/CoA requests.
-.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
- Disable Compression Control Protocol (CCP).
- CCP is enabled by default.
+ Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+ in DM/CoA requests. Also DM/CoA server will bind to that address.
-.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
- Specifies number of interfaces to keep in cache. It means that don’t
- destroy interface after corresponding session is destroyed, instead
- place it to cache and use it later for new sessions repeatedly.
- This should reduce kernel-level interface creation/deletion rate lack.
- Default value is **0**.
+ Source IPv4 address used in all RADIUS server queires.
-.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
- Specifies IPv4 negotiation preference.
+ Specifies which RADIUS server attribute contains the rate limit information.
+ The default attribute is `Filter-Id`.
- * **require** - Require IPv4 negotiation
- * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
- * **allow** - Negotiate IPv4 only if client requests (Default value)
- * **deny** - Do not negotiate IPv4
+.. note:: If you set a custom RADIUS attribute you must define it on both
+ dictionaries at RADIUS server and client.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+
+ Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+
+ Specifies the vendor dictionary, dictionary needs to be in
+ /usr/share/accel-ppp/radius.
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+=========================================
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ``default-pool`` within the CLI
+config is being ignored.
+
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+ RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
+Renaming clients interfaces by RADIUS
+=====================================
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+ characters, otherwise the interface won't be renamed.
+
+
+****
+IPv6
+****
.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
Specifies IPv6 negotiation preference.
@@ -210,6 +251,36 @@ PPP Settings
* **allow** - Negotiate IPv6 only if client requests
* **deny** - Do not negotiate IPv6 (default value)
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+ mask <number-of-bits>
+
+ Use this comand to set the IPv6 address pool from which an SSTP client
+ will get an IPv6 prefix of your defined length (mask) to terminate the
+ SSTP endpoint at their side. The mask length can be set from 48 to 128
+ bit long, the default value is 64.
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+ delegation-prefix <number-of-bits>
+
+ Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+ SSTP. You will have to set your IPv6 pool and the length of the
+ delegation prefix. From the defined IPv6 pool you will be handing out
+ networks of the defined length (delegation-prefix). The length of the
+ delegation prefix can be set from 32 to 64 bit long.
+
+.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+
+ Use this command to define default IPv6 address pool name.
+
+.. code-block:: none
+
+ set vpn sstp ppp-options ipv6 allow
+ set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+ set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+ set vpn sstp default-ipv6-pool IPv6-POOL
+
+IPv6 Advanced Options
+=====================
.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
Accept peer interface identifier. By default is not defined.
@@ -231,6 +302,90 @@ PPP Settings
* **ipv4-addr** - Calculate interface identifier from IPv4 address.
* **calling-sid** - Calculate interface identifier from calling-station-id.
+*********
+Scripting
+*********
+
+.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script>
+
+ Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script>
+
+ Script to run when session interface going to terminate
+
+.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script>
+
+ Script to run before session interface comes up
+
+.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script>
+
+ Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+ Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
+ <address>
+
+ Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+ download <bandwidth>
+
+ Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+ upload <bandwidth>
+
+ Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols
+ <pap | chap | mschap | mschap-v2>
+
+ Require the peer to authenticate itself using one of the following protocols:
+ pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+ Use this command to define the next address pool name.
+
+PPP Advanced Options
+====================
+
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+ Disable Compression Control Protocol (CCP).
+ CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+ Specifies number of interfaces to keep in cache. It means that don’t
+ destroy interface after corresponding session is destroyed, instead
+ place it to cache and use it later for new sessions repeatedly.
+ This should reduce kernel-level interface creation/deletion rate lack.
+ Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+ Specifies IPv4 negotiation preference.
+
+ * **require** - Require IPv4 negotiation
+ * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+ * **allow** - Negotiate IPv4 only if client requests (Default value)
+ * **deny** - Do not negotiate IPv4
+
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
@@ -271,112 +426,61 @@ PPP Settings
Defines preferred MRU. By default is not defined.
+Global Advanced options
+=======================
-RADIUS
-------
-
-Server
-^^^^^^
-
-.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
+.. cfgcmd:: set vpn sstp description <description>
- Configure RADIUS `<server>` and its required port for authentication requests.
+ Set description.
-.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
-
- Configure RADIUS `<server>` and its required shared `<secret>` for
- communicating with the RADIUS server.
+.. cfgcmd:: set vpn sstp limits burst <value>
-.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
+ Burst count
- Mark RADIUS server as offline for this given `<time>` in seconds.
+.. cfgcmd:: set vpn sstp limits connection-limit <value>
-.. cfgcmd:: set vpn sstp authentication radius server <server> disable
+ Acceptable rate of connections (e.g. 1/min, 60/sec)
- Temporary disable this RADIUS server.
+.. cfgcmd:: set vpn sstp limits timeout <value>
-Options
-^^^^^^^
+ Timeout in seconds
-.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
+.. cfgcmd:: set vpn sstp mtu
- Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+ Maximum Transmission Unit (MTU) (default: **1500**)
-.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
+.. cfgcmd:: set vpn sstp max-concurrent-sessions
- Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+ Maximum number of concurrent session start attempts
-.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
-
- Port for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
-
- Secret for Dynamic Authorization Extension server (DM/CoA)
-
-.. cfgcmd:: set vpn sstp authentication radius max-try <number>
-
- Maximum number of tries to send Access-Request/Accounting-Request queries
-
-.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
-
- Timeout to wait response from server (seconds)
-
-.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
-
- Value to send to RADIUS server in NAS-Identifier attribute and to be matched
- in DM/CoA requests.
-
-.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
-
- Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
- in DM/CoA requests. Also DM/CoA server will bind to that address.
-
-.. cfgcmd:: set vpn sstp authentication radius source-address <address>
-
- Source IPv4 address used in all RADIUS server queires.
-
-.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
-
- Specifies which RADIUS server attribute contains the rate limit information.
- The default attribute is `Filter-Id`.
-
-.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+.. cfgcmd:: set vpn sstp name-server <address>
- Enables bandwidth shaping via RADIUS.
+ Connected client should use `<address>` as their DNS server. This
+ command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+ can be configured for IPv4, up to three for IPv6.
-.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647>
- Specifies the vendor dictionary, dictionary needs to be in
- /usr/share/accel-ppp/radius.
+ Match firewall mark value
+.. cfgcmd:: set vpn sstp snmp master-agent
-Example
-=======
+ Enable SNMP
-* Use local user `foo` with password `bar`
-* Client IP addresses will be provided from pool `192.0.2.0/25`
+.. cfgcmd:: set vpn sstp wins-server <address>
-.. code-block:: none
+ Windows Internet Name Service (WINS) servers propagated to client
- set vpn sstp authentication local-users username vyos password vyos
- set vpn sstp authentication mode local
- set vpn sstp gateway-address 192.0.2.254
- set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
- set vpn sstp default-pool 'SSTP-POOL'
- set vpn sstp name-server 10.0.0.1
- set vpn sstp name-server 10.0.0.2
- set vpn sstp ssl ca-cert-file /config/auth/ca.crt
- set vpn sstp ssl cert-file /config/auth/server.crt
- set vpn sstp ssl key-file /config/auth/server.key
-
-Testing SSTP
-============
+***********************
+Configuring SSTP client
+***********************
Once you have setup your SSTP server there comes the time to do some basic
testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
PPP configuration/peer file.
+If you use a self-signed certificate, do not forget to install CA on the client side.
+
The following PPP configuration tests MSCHAP-v2:
.. code-block:: none
@@ -429,8 +533,115 @@ A connection attempt will be shown as:
inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
valid_lft forever preferred_lft forever
+**********
+Monitoring
+**********
+.. opcmd:: show sstp-server sessions
-.. _sstpc: https://github.com/reliablehosting/sstp-client
+ Use this command to locally check the active sessions in the SSTP
+ server.
+.. code-block:: none
+
+ vyos@vyos:~$ show sstp-server sessions
+ ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
+ --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
+ sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B
+
+.. code-block:: none
+
+ vyos@vyos:~$ show sstp-server statistics
+ uptime: 0.01:21:54
+ cpu: 0%
+ mem(rss/virt): 6688/100464 kB
+ core:
+ mempool_allocated: 149420
+ mempool_available: 146092
+ thread_count: 1
+ thread_active: 1
+ context_count: 6
+ context_sleeping: 0
+ context_pending: 0
+ md_handler_count: 7
+ md_handler_pending: 0
+ timer_count: 2
+ timer_pending: 0
+ sessions:
+ starting: 0
+ active: 1
+ finishing: 0
+ sstp:
+ starting: 0
+ active: 1
+
+***************
+Troubleshooting
+***************
+
+.. code-block:: none
+
+ vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0
+
+ Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852
+ Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting
+ Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>]
+ Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852)
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9]
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started
+ Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0'
+ Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started
+
+.. _sstpc: https://github.com/reliablehosting/sstp-client
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
.. include:: /_include/common-references.txt