summaryrefslogtreecommitdiff
path: root/docs/configuration
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-12-11 20:32:46 +0100
committerChristian Poessinger <christian@poessinger.com>2022-12-11 20:32:46 +0100
commit91e7d86a27814ff35a4cc9630585572082ce4138 (patch)
tree9b77b3cdce16d6d15ce035cc32a6cef08447174b /docs/configuration
parent67965db96acdfea20e7b190e7f7d456e6b3d0dc0 (diff)
downloadvyos-documentation-91e7d86a27814ff35a4cc9630585572082ce4138.tar.gz
vyos-documentation-91e7d86a27814ff35a4cc9630585572082ce4138.zip
T4792: add initial documentation for SSTP client
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/interfaces/index.rst1
-rw-r--r--docs/configuration/interfaces/sstp-client.rst150
-rw-r--r--docs/configuration/vpn/sstp.rst6
3 files changed, 154 insertions, 3 deletions
diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst
index 97ad709e..0f02d1e3 100644
--- a/docs/configuration/interfaces/index.rst
+++ b/docs/configuration/interfaces/index.rst
@@ -19,6 +19,7 @@ Interfaces
wireguard
pppoe
pseudo-ethernet
+ sstp-client
tunnel
virtual-ethernet
vti
diff --git a/docs/configuration/interfaces/sstp-client.rst b/docs/configuration/interfaces/sstp-client.rst
new file mode 100644
index 00000000..27eb9c39
--- /dev/null
+++ b/docs/configuration/interfaces/sstp-client.rst
@@ -0,0 +1,150 @@
+:lastproofread: 2022-12-11
+
+.. _sstp-client-interface:
+
+###########
+SSTP Client
+###########
+
+:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VTP (Virtual
+Private Network)` tunnel that provides a mechanism to transport PPP traffic
+through an SSL/TLS channel. SSL/TLS provides transport-level security with key
+negotiation, encryption and traffic integrity checking. The use of SSL/TLS over
+TCP port 443 (by default, port can be changed) allows SSTP to pass through
+virtually all firewalls and proxy servers except for authenticated web proxies.
+
+.. note:: VyOS also comes with a build in SSTP server, see :ref:`sstp`.
+
+*************
+Configuration
+*************
+
+Common interface configuration
+==============================
+
+.. cmdinclude:: /_include/interface-description.txt
+ :var0: sstpc
+ :var1: sstpc0
+
+.. cmdinclude:: /_include/interface-disable.txt
+ :var0: sstpc
+ :var1: sstpc0
+
+.. cmdinclude:: /_include/interface-mtu.txt
+ :var0: sstpc
+ :var1: sstpc0
+
+.. cmdinclude:: /_include/interface-vrf.txt
+ :var0: sstpc
+ :var1: sstpc0
+
+SSTP Client Options
+===================
+
+.. cfgcmd:: set interfaces sstpc <interface> no-default-route
+
+ Only request an address from the SSTP server but do not install any default
+ route.
+
+ Example:
+
+ .. code-block:: none
+
+ set interfaces sstpc sstpc0 no-default-route
+
+ .. note:: This command got added in VyOS 1.4 and inverts the logic from the old
+ ``default-route`` CLI option.
+
+.. cfgcmd:: set interfaces sstpc <interface> default-route-distance <distance>
+
+ Set the distance for the default gateway sent by the SSTP server.
+
+ Example:
+
+ .. code-block:: none
+
+ set interfaces sstpc sstpc0 default-route-distance 220
+
+.. cfgcmd:: set interfaces sstpc <interface> no-peer-dns
+
+ Use this command to not install advertised DNS nameservers into the local
+ system.
+
+.. cfgcmd:: set interfaces sstpc <interface> server <address>
+
+ SSTP remote server to connect to. Can be either an IP address or FQDN.
+
+.. cfgcmd:: set interfaces sstpc <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>
+
+ As Internet wide PMTU discovery rarely works, we sometimes need to clamp our
+ TCP MSS value to a specific value. This is a field in the TCP options part of
+ a SYN packet. By setting the MSS value, you are telling the remote side
+ unequivocally 'do not try to send me packets bigger than this value'.
+
+ .. note:: This command was introduced in VyOS 1.4 - it was previously called:
+ ``set firewall options interface <name> adjust-mss <value>``
+
+ .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
+ 1452 bytes on a 1492 byte MTU.
+
+ Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
+ automatically set the proper value.
+
+.. cfgcmd:: set interfaces sstpc <interface> ip disable-forwarding
+
+ Configure interface-specific Host/Router behaviour. If set, the interface will
+ switch to host mode and IPv6 forwarding will be disabled on this interface.
+
+.. cfgcmd:: set interfaces sstpc <interface> ip source-validation <strict | loose | disable>
+
+ Enable policy for source validation by reversed path, as specified in
+ :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict
+ mode to prevent IP spoofing from DDos attacks. If using asymmetric routing
+ or other complicated routing, then loose mode is recommended.
+
+ - strict: Each incoming packet is tested against the FIB and if the interface
+ is not the best reverse path the packet check will fail. By default failed
+ packets are discarded.
+
+ - loose: Each incoming packet's source address is also tested against the FIB
+ and if the source address is not reachable via any interface the packet
+ check will fail.
+
+ - disable: No source validation
+
+*********
+Operation
+*********
+
+.. opcmd:: show interfaces sstpc <interface>
+
+ Show detailed information on given `<interface>`
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces sstpc sstpc10
+ sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
+ link/ppp
+ inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
+ valid_lft forever preferred_lft forever
+ inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
+ valid_lft forever preferred_lft forever
+
+ RX: bytes packets errors dropped overrun mcast
+ 215 9 0 0 0 0
+ TX: bytes packets errors dropped carrier collisions
+ 539 14 0 0 0 0
+
+
+Connect/Disconnect
+==================
+
+.. opcmd:: disconnect interface <interface>
+
+ Test disconnecting given connection-oriented interface. `<interface>` can be
+ ``sstpc0`` as the example.
+
+.. opcmd:: connect interface <interface>
+
+ Test connecting given connection-oriented interface. `<interface>` can be
+ ``sstpc0`` as the example.
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index 4f90260e..f3e062fe 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -1,8 +1,8 @@
.. _sstp:
-####
-SSTP
-####
+###########
+SSTP Server
+###########
:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
(Virtual Private Network)` tunnel that provides a mechanism to transport PPP