diff options
-rw-r--r-- | docs/services/index.rst | 3 | ||||
-rw-r--r-- | docs/services/references.rst | 2 | ||||
-rw-r--r-- | docs/services/sstp-server.rst | 76 |
3 files changed, 80 insertions, 1 deletions
diff --git a/docs/services/index.rst b/docs/services/index.rst index 57471cf8..03fdc9c4 100644 --- a/docs/services/index.rst +++ b/docs/services/index.rst @@ -18,8 +18,9 @@ This chapter descriptes the available system/network services provided by VyOS. dynamic-dns lldp mdns-repeater - pppoe-server ipoe-server + pppoe-server + sstp-server udp-broadcast-relay snmp ssh diff --git a/docs/services/references.rst b/docs/services/references.rst index 3a2f4b74..257ffe11 100644 --- a/docs/services/references.rst +++ b/docs/services/references.rst @@ -11,3 +11,5 @@ .. _Squidguard: http://www.squidguard.org/ .. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol .. _`arbitrary extension commands`: http://net-snmp.sourceforge.net/docs/man/snmpd.conf.html#lbAZ +.. _`accel-ppp`: https://accel-ppp.org/ +.. _`Secure Socket Tunneling Protocol`: https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst new file mode 100644 index 00000000..8ee8ef45 --- /dev/null +++ b/docs/services/sstp-server.rst @@ -0,0 +1,76 @@ + +SSTP server +------------ + +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be +used with local authentication or a connected RADIUS server. + +.. note:: **Please be aware, due to an upstream bug, config changes/commits + will restart the ppp daemon and will reset existing PPPoE connections from + connected users, in order to become effective.** + +Configuration +^^^^^^^^^^^^^ + +The `Secure Socket Tunneling Protocol`_ (SSTP), provides ppp via a SSL/TLS channel. +Using publically signed certificates as well a by private PKI, is fully supported. +All certficates should be stored on VyOS under ``/config/user-data/sstp``. + + +Self Signed CA and server certificates +====================================== + +To generate the CA, the server private key and certificates the following commands can be used. + +.. code-block:: sh + + vyos@vyos:~$ conf + [edit] + vyos@vyos# mkdir -p /config/user-data/sstp && cd /config/user-data/sstp + [edit] + openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt + + Generating a 4096 bit RSA private key + .........................++ + ...............................................................++ + writing new private key to 'server.key' + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. server FQDN or YOUR name) []: + Email Address []: + + vyos@vyos# openssl req -new -x509 -key server.key -out ca.crt + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. server FQDN or YOUR name) []: + Email Address []: + [edit] + vyos@vyos# + + +The example below will answer configuration request for the user user ``foo``. + +Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically looks for all files and directories in ``/config/user-data/sstp``. + +.. code-block:: sh + + set authentication local-users username foo password 'bar' + set authentication mode 'local' + set network-settings client-ip-settings gateway-address '10.100.100.1' + set network-settings client-ip-settings subnet '192.168.0.0/24' + set network-settings dns-server primary-dns '10.100.100.1' + set network-settings dns-server secondary-dns '10.200.100.1' + set sstp-settings ssl-certs ca 'ca.crt' + set sstp-settings ssl-certs server-cert 'server.crt' + set sstp-settings ssl-certs server-key 'server.key' + + +.. include:: references.rst |