diff options
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 23 | ||||
| -rw-r--r-- | docs/configuration/highavailability/index.rst | 10 | ||||
| -rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 4 | ||||
| -rw-r--r-- | docs/configuration/service/dns.rst | 198 | ||||
| -rw-r--r-- | docs/configuration/service/router-advert.rst | 63 | ||||
| -rw-r--r-- | docs/configuration/vpn/pptp.rst | 552 | ||||
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 39 | ||||
| -rw-r--r-- | docs/configuration/vpn/sstp.rst | 595 |
8 files changed, 1121 insertions, 363 deletions
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index 9a683d22..ff739418 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -325,6 +325,29 @@ There are a lot of matching criteria against which the packet can be tested. Match criteria based on connection mark. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + conntrack-helper <module> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + conntrack-helper <module> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + conntrack-helper <module> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + conntrack-helper <module> + + Match based on connection tracking protocol helper module to secure use of + that helper module. See below for possible completions `<module>`. + + .. code-block:: none + + Possible completions: + ftp Related traffic from FTP helper + h323 Related traffic from H.323 helper + pptp Related traffic from PPTP helper + nfs Related traffic from NFS helper + sip Related traffic from SIP helper + tftp Related traffic from TFTP helper + sqlnet Related traffic from SQLNet helper + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source address [address | addressrange | CIDR] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> source address [address | addressrange | CIDR] diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 7f06faa8..9158ac1d 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -318,6 +318,16 @@ times: set high-availability vrrp group Foo health-check interval 60 set high-availability vrrp group Foo health-check failure-count 3 +When the vrrp group is a member of the sync group will use only +the sync group health check script. +This example shows how to configure it for the sync group: + +.. code-block:: none + + set high-availability vrrp sync-group Bar health-check script /config/scripts/vrrp-check.sh + set high-availability vrrp sync-group Bar health-check interval 60 + set high-availability vrrp sync-group Bar health-check failure-count 3 + Transition scripts ^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 468b39d9..d43f2385 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -98,6 +98,10 @@ Configuration This diable the external cache and directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall. +.. cfgcmd:: set service conntrack-sync disable-syslog + + Disable connection logging via Syslog. + ********* Operation ********* diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index e430dc73..c6deb179 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -143,33 +143,6 @@ avoid being tracked by the provider of your upstream DNS server. 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones. -.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> - - Maximum number of times an expired record’s TTL is extended by 30s when - serving stale. Extension only occurs if a record cannot be refreshed. A - value of 0 means the Serve Stale mechanism is not used. To allow records - becoming stale to be served for an hour, use a value of 120. - -.. cfgcmd:: set service dns forwarding exclude-throttle-address <ip|prefix> - - When an authoritative server does not answer a query or sends a reply the - recursor does not like, it is throttled. Any servers matching the supplied - netmasks will never be throttled. - -.. cfgcmd:: set service dns forwarding options ecs-add-for <address> - - The requestor netmask for which the requestor IP Address should be used as the - EDNS Client Subnet for outgoing queries. - -.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits <number> - - Number of bits of client IPv4 address to pass when sending EDNS Client Subnet - address information. - -.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list <address|domain> - - The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. - Example ======= @@ -231,8 +204,8 @@ this only one purpose. ddclient_ uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in compliance with :rfc:`2136`. The second -one involves a third party service, like DynDNS.com or any other similar -website. This method uses HTTP requests to transmit the new IP address. You +one involves a third party service, like DynDNS.com or any other such +service provider. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS. .. _dns:dynmaic_config: @@ -243,46 +216,43 @@ Configuration :rfc:`2136` Based ----------------- -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> - Create new :rfc:`2136` DNS update configuration which will update the IP + Create new dynamic DNS update configuration which will update the IP address assigned to `<interface>` on the service you configured under `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - key <keyfile> +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> key <filename> - File identified by `<keyfile>` containing the secret RNDC key shared with - remote DNS server. + File identified by `<filename>` containing the TSIG authentication key for RFC2136 + nsupdate on remote DNS server. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignment. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - zone <zone> +.. cfgcmd:: set service dns dynamic name <service-name> zone <zone> Configure DNS `<zone>` to be updated. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - record <record> +.. cfgcmd:: set service dns dynamic name <service-name> host-name <record> - Configure DNS `<record>` which should be updated. This can be set multiple - times. + Configure DNS `<record>` which should be updated. This can be set multiple times. -.. cfgcmd:: set service dns dynamic address <interface> rfc2136 <service-name> - ttl <ttl> +.. cfgcmd:: set service dns dynamic name <service-name> ttl <ttl> Configure optional TTL value on the given resource record. This defaults to 600 seconds. -.. cfgcmd:: set service dns dynamic timeout <60-3600> +.. cfgcmd:: set service dns dynamic interval <60-3600> - Specify timeout / update interval to check if IP address changed. - - This defaults to 300 seconds. + Specify interval in seconds to wait between Dynamic DNS updates. + The default is 300 seconds. .. _dns:dynmaic_example: @@ -295,32 +265,48 @@ Example .. code-block:: none + # Configuration commands entered: + # + set service dns dynamic name 'VyOS-DNS' address interface 'eth0' + set service dns dynamic name 'VyOS-DNS' description 'RFC 2136 dynamic dns service' + set service dns dynamic name 'VyOS-DNS' key '/config/auth/my.key' + set service dns dynamic name 'VyOS-DNS' server 'ns1.vyos.io' + set service dns dynamic name 'VyOS-DNS' zone 'vyos.io' + set service dns dynamic name 'VyOS-DNS' host-name 'example.vyos.io' + set service dns dynamic name 'VyOS-DNS' protocol 'nsupdate' + set service dns dynamic name 'VyOS-DNS' ttl '300' + + # Resulting config: + # vyos@vyos# show service dns dynamic - interface eth0.7 { - rfc2136 VyOS-DNS { - key /config/auth/my.key - record example.vyos.io - server ns1.vyos.io - ttl 300 - zone vyos.io + name VyOS-DNS { + address { + interface eth0 } + description "RFC 2136 dynamic dns service" + host-name example.vyos.io + key /config/auth/my.key + protocol nsupdate + server ns1.vyos.io + ttl 300 + zone vyos.io } This will render the following ddclient_ configuration entry: .. code-block:: none + # ddclient configuration for interface "eth0": # - # ddclient configuration for interface "eth0.7": - # - use=if, if=eth0.7 - - # RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io - server=ns1.vyos.io - protocol=nsupdate - password=/config/auth/my.key - ttl=300 - zone=vyos.io + + # Web service dynamic DNS configuration for VyOS-DNS: [nsupdate, example.vyos.io] + use=if, \ + if=eth0, \ + protocol=nsupdate, \ + server=ns1.vyos.io, \ + zone=vyos.io, \ + password='/config/auth/my.key', \ + ttl=300 \ example.vyos.io .. note:: You can also keep different DNS zone updated. Just create a new @@ -335,40 +321,43 @@ VyOS is also able to use any service relying on protocols supported by ddclient. To use such a service, one must define a login, password, one or multiple hostnames, protocol and server. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - host-name <hostname> +.. cfgcmd:: set service dns dynamic name <service-name> address interface <interface> + + Create new dynamic DNS update configuration which will update the IP + address assigned to `<interface>` on the service you configured under + `<service-name>`. + +.. cfgcmd:: set service dns dynamic name <service-name> description <text> + + Set description `<text>` for dynamic DNS service being configured. + +.. cfgcmd:: set service dns dynamic name <service-name> host-name <hostname> Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS - provider identified by `<service>` when the IP address on address - `<interface>` changes. + provider identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - username <username> +.. cfgcmd:: set service dns dynamic name <service-name> username <username> Configure `<username>` used when authenticating the update request for - DynDNS service identified by `<service>`. - For Namecheap, set the <domain> you wish to update. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - password <password> +.. cfgcmd:: set service dns dynamic name <service-name> password <password> Configure `<password>` used when authenticating the update request for - DynDNS service identified by `<service>`. + DynDNS service identified by `<service-name>`. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - protocol <protocol> +.. cfgcmd:: set service dns dynamic name <service-name> protocol <protocol> - When a ``custom`` DynDNS provider is used the protocol used for communicating + When a ``custom`` DynDNS provider is used, the protocol used for communicating to the provider must be specified under `<protocol>`. See the embedded - completion helper for available protocols. + completion helper when entering above command for available protocols. -.. cfgcmd:: set service dns dynamic address <interface> service <service> - server <server> +.. cfgcmd:: set service dns dynamic name <service-name> server <server> When a ``custom`` DynDNS provider is used the `<server>` where update requests are being sent to must be specified. -.. cfgcmd:: set service dns dynamic address <interface> ipv6-enable +.. cfgcmd:: set service dns dynamic name <service-name> ip-version 'ipv6' Allow explicit IPv6 address for the interface. @@ -376,14 +365,17 @@ hostnames, protocol and server. Example: ^^^^^^^^ -Use DynDNS as your preferred provider: +Use deSEC (dedyn.io) as your preferred provider: .. code-block:: none - set service dns dynamic address eth0 service dyndns - set service dns dynamic address eth0 service dyndns username my-login - set service dns dynamic address eth0 service dyndns password my-password - set service dns dynamic address eth0 service dyndns host-name my-dyndns-hostname + set service dns dynamic name dedyn description 'deSEC dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn server 'update.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' .. note:: Multiple services can be used per interface. Just specify as many services per interface as you like! @@ -393,12 +385,14 @@ Example IPv6 only: .. code-block:: none - set service dns dynamic address eth0 ipv6-enable - set service dns dynamic address eth0 service dyndns6 username my-login - set service dns dynamic address eth0 service dyndns6 password my-password - set service dns dynamic address eth0 service dyndns6 host-name my-dyndns-hostname - set service dns dynamic address eth0 service dyndns6 protocol dyndns2 - set service dns dynamic address eth0 service dyndns6 server dyndns-v6-server + set service dns dynamic name dedyn description 'deSEC ipv6 dynamic dns service' + set service dns dynamic name dedyn username 'myusername' + set service dns dynamic name dedyn password 'mypassword' + set service dns dynamic name dedyn host-name 'myhostname.dedyn.io' + set service dns dynamic name dedyn protocol 'dyndns2' + set service dns dynamic name dedyn ip-version 'ipv6' + set service dns dynamic name dedyn server 'update6.dedyn.io' + set service dns dynamic name dedyn address interface 'eth0' Running Behind NAT @@ -408,21 +402,15 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. - -This functionality is controlled by adding the following configuration: +ddclient_ has another way to determine the WAN IP address. This is controlled +by: -.. cfgcmd:: set service dns dynamic address web web-options url <url> +.. cfgcmd:: set service dns dynamic name <service-name> address web <url> Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` and tries to extract your IP address from the response. -.. cfgcmd:: set service dns dynamic address web web-options skip <pattern> +.. cfgcmd:: set service dns dynamic name <service-name> address web skip <pattern> ddclient_ will skip any address located before the string set in `<pattern>`. diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst index f179153a..ca558b6a 100644 --- a/docs/configuration/service/router-advert.rst +++ b/docs/configuration/service/router-advert.rst @@ -13,6 +13,7 @@ Supported interface types: * bonding * bridge * ethernet + * geneve * l2tpv3 * openvpn * pseudo-ethernet @@ -22,9 +23,9 @@ Supported interface types: * wireless * wwan - -Enabling Advertisments -~~~~~~~~~~~~~~~~~~~~~~~ +************* +Configuration +************* .. cfgcmd:: set service router-advert interface <interface> ... @@ -50,7 +51,7 @@ Enabling Advertisments Advertising a Prefix -'''''''''''''''''''' +-------------------- .. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask> @@ -73,30 +74,48 @@ Advertising a Prefix .. start_vyoslinter +Advertising a NAT64 Prefix +-------------------------- + +.. cfgcmd:: set service router-advert interface <interface> nat64prefix <prefix/mask> + + Enable PREF64 option as outlined in :rfc:`8781`. + + NAT64 prefix mask must be one of: /32, /40, /48, /56, /64 or 96. + + .. note:: The well known NAT64 prefix is ``64:ff9b::/96`` + +.. stop_vyoslinter + +.. csv-table:: + :header: "VyOS Field", "Description" + :widths: 10,30 + + "valid-lifetime","Time in seconds that the prefix will remain valid (default: 65528 seconds)" + +.. start_vyoslinter + Disabling Advertisements -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ To disable advertisements without deleting the configuration: .. cfgcmd:: set service router-advert interface <interface> no-send-advert -Example Configuration -~~~~~~~~~~~~~~~~~~~~~ + +******* +Example +******* + +Your LAN connected on eth0 uses prefix ``2001:db8:beef:2::/64`` with the router +beeing ``2001:db8:beef:2::1`` .. code-block:: none - interface eth0.2 { - default-preference high - hop-limit 64 - interval { - max 600 - } - name-server 2001:db8::1 - name-server 2001:db8::2 - other-config-flag - prefix 2001:db8:beef:2::/64 { - valid-lifetime 2592000 - } - reachable-time 0 - retrans-timer 0 - } + set interfaces ethernet eth0 address 2001:db8:beef:2::1/64 + + set service router-advert interface eth0 default-preference 'high' + set service router-advert interface eth0 name-server '2001:db8::1' + set service router-advert interface eth0 name-server '2001:db8::2' + set service router-advert interface eth0 other-config-flag + set service router-advert interface eth0 prefix 2001:db8:beef:2::/64 diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index fe536eec..2a5e7731 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst @@ -1,52 +1,552 @@ .. _pptp: +########### PPTP-Server ------------ +########### The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. PPTP has many well known security issues and you should use one of the many other new VPN implementations. -As per default and if not otherwise defined, mschap-v2 is being used for -authentication and mppe 128-bit (stateless) for encryption. If no -gateway-address is set within the configuration, the lowest IP out of the /24 -client-ip-pool is being used. For instance, in the example below it would be -192.168.0.1. - -server example -^^^^^^^^^^^^^^ +*********************** +Configuring PPTP Server +*********************** .. code-block:: none + set vpn pptp remote-access authentication mode local set vpn pptp remote-access authentication local-users username test password 'test' - set vpn pptp remote-access authentication mode 'local' - set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 + set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254 set vpn pptp remote-access default-pool 'PPTP-POOL' - set vpn pptp remote-access gateway-address '10.100.100.1' - set vpn pptp remote-access outside-address '10.1.1.120' + set vpn pptp remote-access outside-address 192.0.2.2 + set vpn pptp remote-access gateway-address 192.168.255.1 + + +.. cfgcmd:: set vpn pptp remote-access authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + * **noauth**: Authentication disabled. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> password + <pass> + + Create `<user>` for local authentication on this system. The users password + will be set to `<pass>`. + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> + + Use this command to define the first IP address of a pool of + addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn pptp remote-access default-pool <POOL-NAME> + + Use this command to define default address pool name. + +.. cfgcmd:: set vpn pptp remote-access gateway-address <gateway> + + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. + +********************************* +Configuring RADIUS authentication +********************************* + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +.. code-block:: none + + set vpn pptp remote-access authentication mode radius + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> key <secret> + + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +.. code-block:: none + + set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo' + +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. + +RADIUS source address +===================== + +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. + +RADIUS advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> port <port> + + Configure RADIUS `<server>` and its required port for authentication requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> fail-time <time> + + Mark RADIUS server as offline for this given `<time>` in seconds. + +.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> disable + + Temporary disable this RADIUS server. + +.. cfgcmd:: set vpn pptp remote-access authentication radius acct-timeout <timeout> + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author server <address> + + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author port <port> + + Port for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author key <secret> + + Secret for Dynamic Authorization Extension server (DM/CoA) + +.. cfgcmd:: set vpn pptp remote-access authentication radius max-try <number> + + Maximum number of tries to send Access-Request/Accounting-Request queries + +.. cfgcmd:: set vpn pptp remote-access authentication radius timeout <timeout> + + Timeout to wait response from server (seconds) + +.. cfgcmd:: set vpn pptp remote-access authentication radius nas-identifier <identifier> + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. + +.. cfgcmd:: set vpn pptp remote-access authentication radius nas-ip-address <address> + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. + +.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address> + + Source IPv4 address used in all RADIUS server queires. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit attribute <attribute> + + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + +**** +IPv6 +**** +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6 <require | prefer | allow | deny> + + Specifies IPv6 negotiation preference. + + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an PPTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + PPTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + PPTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn pptp remote-access default-ipv6-pool <IPv6-POOL-NAME> + Use this command to define default IPv6 address pool name. -client example (debian 9) -^^^^^^^^^^^^^^^^^^^^^^^^^ +.. code-block:: none + + set vpn pptp remote-access ppp-options ipv6 allow + set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn pptp remote-access client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn pptp remote-access default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x> + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + +********* +Scripting +********* + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn pptp remote-access extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn pptp remote-access authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn pptp remote-access ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn pptp remote-access ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. -Install the client software via apt and execute pptpsetup to generate the -configuration. + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-failure <number> + + Defines the maximum `<number>` of unanswered echo requests. Upon reaching the + value `<number>`, the session will be reset. Default value is **3**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-interval <interval> + + If this option is specified and is greater than 0, then the PPP module will + send LCP pings of the echo request every `<interval>` seconds. + Default value is **30**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-timeout + + Specifies timeout in seconds to wait for any peer activity. If this option + specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" + is not used. Default value is **0**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options min-mtu <number> + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. + +.. cfgcmd:: set vpn pptp remote-access ppp-options mppe <require | prefer | deny> + + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation + preference. + + * **require** - ask client for mppe, if it rejects drop connection + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) + * **deny** - deny mppe + + Default behavior - don't ask client for mppe, but allow it if client wants. + Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy + attribute. + +.. cfgcmd:: set vpn pptp remote-access ppp-options mru <number> + + Defines preferred MRU. By default is not defined. + +Global Advanced options +======================= + +.. cfgcmd:: set vpn pptp remote-access description <description> + + Set description. + +.. cfgcmd:: set vpn pptp remote-access limits burst <value> + + Burst count + +.. cfgcmd:: set vpn pptp remote-access limits connection-limit <value> + + Acceptable rate of connections (e.g. 1/min, 60/sec) + +.. cfgcmd:: set vpn pptp remote-access limits timeout <value> + + Timeout in seconds + +.. cfgcmd:: set vpn pptp remote-access mtu + + Maximum Transmission Unit (MTU) (default: **1436**) + +.. cfgcmd:: set vpn pptp remote-access max-concurrent-sessions + + Maximum number of concurrent session start attempts + +.. cfgcmd:: set vpn pptp remote-access name-server <address> + + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. + +.. cfgcmd:: set vpn pptp remote-access shaper fwmark <1-2147483647> + + Match firewall mark value + +.. cfgcmd:: set vpn pptp remote-access snmp master-agent + + Enable SNMP + +.. cfgcmd:: set vpn pptp remote-access wins-server <address> + + Windows Internet Name Service (WINS) servers propagated to client + +********** +Monitoring +********** + +.. opcmd:: show pptp-server sessions + + Use this command to locally check the active sessions in the PPTP + server. .. code-block:: none - apt-get install pptp-linux - pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt - pon TESTTUNNEL + vyos@vyos:~$ show pptp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + pptp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:01:26 | 6.9 KiB | 220 B -The command pon TESTUNNEL establishes the PPTP tunnel to the remote system. +.. code-block:: none + vyos@vyos:~$ show pptp-server statistics + uptime: 0.00:04:52 + cpu: 0% + mem(rss/virt): 5504/100176 kB + core: + mempool_allocated: 152007 + mempool_available: 149007 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 6 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + pptp: + starting: 0 + active: 1 -All tunnel sessions can be checked via: +*************** +Troubleshooting +*************** .. code-block:: none - run sh pptp-server sessions - ifname | username | calling-sid | ip | type | comp | state | uptime - --------+----------+-------------+--------------+------+------+--------+---------- - ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58 + vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0 + + Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100 + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init + Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing + Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>] + Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9 + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>] + Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] + Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100) + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9] + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started + Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0' + Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started + +.. _accel-ppp: https://accel-ppp.org/ +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 78cadfb5..ab0f623f 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -16,7 +16,8 @@ special characters. It is purely informational. Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. - Suboptions: + If pre-shared-secret mode is used, the secret key must be defined in + ``set vpn ipsec authentication`` and suboptions: * ``psk`` - Preshared secret key name: @@ -36,8 +37,7 @@ Each site-to-site peer has the next options: * ``pre-shared-secret`` - use predefined shared secret phrase; - * ``rsa`` - use simple shared RSA key. The key must be defined in the - ``set vpn rsa-keys`` section; + * ``rsa`` - use simple shared RSA key. * ``x509`` - use certificates infrastructure for authentication. @@ -45,29 +45,26 @@ Each site-to-site peer has the next options: address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; - * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined - in the ``set vpn rsa-keys`` section; + * ``rsa`` - options for RSA authentication mode: - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when - ``id`` is defined; + * ``local-key`` - name of PKI key-pair with local private key - * ``x509`` - options for x509 authentication mode: + * ``remote-key`` - name of PKI key-pair with remote public key - * ``ca-cert-file`` - CA certificate file. Using for authenticating - remote peer; + * ``passphrase`` - local private key passphrase - * ``cert-file`` - certificate file, which will be used for authenticating - local router on remote peer; + * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when + ``id`` is defined; - * ``crl-file`` - file with the Certificate Revocation List. Using to check if - a certificate for the remote peer is valid or revoked; + * ``x509`` - options for x509 authentication mode: - * ``key`` - a private key, which will be used for authenticating local router - on remote peer: + * ``ca-certificate`` - CA certificate in PKI configuration. Using for + authenticating remote peer; - * ``file`` - path to the key file; + * ``certificate`` - certificate file in PKI configuration, which will be used + for authenticating local router on remote peer; - * ``password`` - passphrase private key, if needed. + * ``passphrase`` - private key passphrase, if needed. * ``connection-type`` - how to handle this connection process. Possible variants: @@ -113,6 +110,9 @@ Each site-to-site peer has the next options: Hostname is a DNS name which could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time. +* ``replay-window`` - IPsec replay window to configure for this CHILD_SA + (default: 32), a value of 0 disables IPsec replay protection + * ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: @@ -127,6 +127,9 @@ Each site-to-site peer has the next options: * ``prefix`` - IP network at local side. + * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value + more preferable) + * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer; diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index a9def827..3749eb7b 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -19,50 +19,43 @@ local and RADIUS authentication. As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is required. -.. note:: All certificates should be stored on VyOS under ``/config/auth``. If - certificates are not stored in the ``/config`` directory they will not be - migrated during a software update. +*********************** +Configuring SSTP Server +*********************** Certificates ============ -Self Signed CA --------------- - -To generate the CA, the server private key and certificates the following -commands can be used. +Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate .. code-block:: none - vyos@vyos:~$ mkdir -p /config/user-data/sstp - vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt - - Generating a 4096 bit RSA private key - .........................++ - ...............................................................++ - writing new private key to 'server.key' - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: - - vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt - [...] - Country Name (2 letter code) [AU]: - State or Province Name (full name) [Some-State]: - Locality Name (eg, city) []: - Organization Name (eg, company) [Internet Widgits Pty Ltd]: - Organizational Unit Name (eg, section) []: - Common Name (e.g. server FQDN or YOUR name) []: - Email Address []: + vyos@vyos:~$ generate pki ca install CA + +.. code-block:: none + vyos@vyos:~$ generate pki certificate sign CA install Server Configuration ============= +.. code-block:: none + + set vpn sstp authentication local-users username test password 'test' + set vpn sstp authentication mode 'local' + set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' + set vpn sstp default-pool 'SSTP-POOL' + set vpn sstp gateway-address '10.0.0.1' + set vpn sstp ssl ca-certificate 'CA1' + set vpn sstp ssl certificate 'Server' + +.. cfgcmd:: set vpn sstp authentication mode <local | radius> + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. .. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass> @@ -70,137 +63,185 @@ Configuration Create `<user>` for local authentication on this system. The users password will be set to `<pass>`. -.. cfgcmd:: set vpn sstp authentication local-users username <user> disable +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> - Disable `<user>` account. + Use this command to define the first IP address of a pool of + addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. -.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip - <address> +.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> - Assign static IP address to `<user>` account. + Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - download <bandwidth> +.. cfgcmd:: set vpn sstp gateway-address <gateway> - Download bandwidth limit in kbit/s for `<user>`. + Specifies single `<gateway>` IP address to be used as local address of PPP + interfaces. -.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit - upload <bandwidth> +.. cfgcmd:: set vpn sstp ssl ca-certificate <file> - Upload bandwidth limit in kbit/s for `<user>`. + Name of installed certificate authority certificate. -.. cfgcmd:: set vpn sstp authentication protocols - <pap | chap | mschap | mschap-v2> +.. cfgcmd:: set vpn sstp ssl certificate <file> - Require the peer to authenticate itself using one of the following protocols: - pap, chap, mschap, mschap-v2. + Name of installed server certificate. -.. cfgcmd:: set vpn sstp authentication mode <local | radius> +********************************* +Configuring RADIUS authentication +********************************* - Set authentication backend. The configured authentication backend is used - for all queries. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. - * **radius**: All authentication queries are handled by a configured RADIUS - server. - * **local**: All authentication queries are handled locally. +.. code-block:: none + set vpn sstp authentication mode radius -.. cfgcmd:: set vpn sstp gateway-address <gateway> +.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - Specifies single `<gateway>` IP address to be used as local address of PPP - interfaces. + Configure RADIUS `<server>` and its required shared `<secret>` for + communicating with the RADIUS server. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: -.. cfgcmd:: set vpn sstp port <port> +.. code-block:: none - Specifies the port `<port>` that the SSTP port will listen on (default 443). + set vpn sstp authentication radius server 10.0.0.1 key 'foo' + set vpn sstp authentication radius server 10.0.0.2 key 'foo' +.. note:: Some RADIUS severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> +RADIUS source address +===================== - Use this command to define the first IP address of a pool of - addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, - it must be within a /24 subnet. If notation ``x.x.x.x/x`` is - used there is possibility to set host/netmask. +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. -.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> +.. cfgcmd:: set vpn sstp authentication radius source-address <address> - Use this command to define the next address pool name. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. - Use this command to define default address pool name. +RADIUS advanced options +======================= +.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> -.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> - mask <number-of-bits> + Configure RADIUS `<server>` and its required port for authentication requests. - Use this comand to set the IPv6 address pool from which an SSTP client - will get an IPv6 prefix of your defined length (mask) to terminate the - SSTP endpoint at their side. The mask length can be set from 48 to 128 - bit long, the default value is 64. +.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> + Mark RADIUS server as offline for this given `<time>` in seconds. -.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> - delegation-prefix <number-of-bits> +.. cfgcmd:: set vpn sstp authentication radius server <server> disable - Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on - SSTP. You will have to set your IPv6 pool and the length of the - delegation prefix. From the defined IPv6 pool you will be handing out - networks of the defined length (delegation-prefix). The length of the - delegation prefix can be set from 32 to 64 bit long. + Temporary disable this RADIUS server. +.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> -.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + Timeout to wait reply for Interim-Update packets. (default 3 seconds) - Use this command to define default IPv6 address pool name. +.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> + Specifies IP address for Dynamic Authorization Extension server (DM/CoA) -.. cfgcmd:: set vpn sstp name-server <address> +.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - Connected client should use `<address>` as their DNS server. This - command accepts both IPv4 and IPv6 addresses. Up to two nameservers - can be configured for IPv4, up to three for IPv6. + Port for Dynamic Authorization Extension server (DM/CoA) -Maximum number of IPv4 nameservers +.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> -SSL Certificates ----------------- + Secret for Dynamic Authorization Extension server (DM/CoA) -.. cfgcmd:: set vpn sstp ssl ca-cert-file <file> +.. cfgcmd:: set vpn sstp authentication radius max-try <number> - Path to `<file>` pointing to the certificate authority certificate. + Maximum number of tries to send Access-Request/Accounting-Request queries -.. cfgcmd:: set vpn sstp ssl cert-file <file> +.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - Path to `<file>` pointing to the servers certificate (public portion). + Timeout to wait response from server (seconds) +.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> -PPP Settings ------------- + Value to send to RADIUS server in NAS-Identifier attribute and to be matched + in DM/CoA requests. -.. cfgcmd:: set vpn sstp ppp-options disable-ccp +.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> - Disable Compression Control Protocol (CCP). - CCP is enabled by default. + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched + in DM/CoA requests. Also DM/CoA server will bind to that address. -.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> +.. cfgcmd:: set vpn sstp authentication radius source-address <address> - Specifies number of interfaces to keep in cache. It means that don’t - destroy interface after corresponding session is destroyed, instead - place it to cache and use it later for new sessions repeatedly. - This should reduce kernel-level interface creation/deletion rate lack. - Default value is **0**. + Source IPv4 address used in all RADIUS server queires. -.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> +.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> - Specifies IPv4 negotiation preference. + Specifies which RADIUS server attribute contains the rate limit information. + The default attribute is `Filter-Id`. - * **require** - Require IPv4 negotiation - * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects - * **allow** - Negotiate IPv4 only if client requests (Default value) - * **deny** - Do not negotiate IPv4 +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client. + +.. cfgcmd:: set vpn sstp authentication radius rate-limit enable + + Enables bandwidth shaping via RADIUS. + +.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor + + Specifies the vendor dictionary, dictionary needs to be in + /usr/share/accel-ppp/radius. +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +========================================= + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ``default-pool`` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address +will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value. + +If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool ``delegate`` +whose name equals the attribute value. + +.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in + RFC6911. If they are not defined in your RADIUS server, add new dictionary_. + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_. +Define it in your RADIUS server. + +Renaming clients interfaces by RADIUS +===================================== + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +**** +IPv6 +**** .. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny> Specifies IPv6 negotiation preference. @@ -210,6 +251,36 @@ PPP Settings * **allow** - Negotiate IPv6 only if client requests * **deny** - Do not negotiate IPv6 (default value) +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> + + Use this comand to set the IPv6 address pool from which an SSTP client + will get an IPv6 prefix of your defined length (mask) to terminate the + SSTP endpoint at their side. The mask length can be set from 48 to 128 + bit long, the default value is 64. + +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> + + Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on + SSTP. You will have to set your IPv6 pool and the length of the + delegation prefix. From the defined IPv6 pool you will be handing out + networks of the defined length (delegation-prefix). The length of the + delegation prefix can be set from 32 to 64 bit long. + +.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. + +.. code-block:: none + + set vpn sstp ppp-options ipv6 allow + set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set vpn sstp default-ipv6-pool IPv6-POOL + +IPv6 Advanced Options +===================== .. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id Accept peer interface identifier. By default is not defined. @@ -231,6 +302,90 @@ PPP Settings * **ipv4-addr** - Calculate interface identifier from IPv4 address. * **calling-sid** - Calculate interface identifier from calling-station-id. +********* +Scripting +********* + +.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script> + + Script to run when session interface changed by RADIUS CoA handling + +.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script> + + Script to run when session interface going to terminate + +.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script> + + Script to run before session interface comes up + +.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script> + + Script to run when session interface is completely configured and started + +**************** +Advanced Options +**************** + +Authentication Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp authentication local-users username <user> disable + + Disable `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip + <address> + + Assign static IP address to `<user>` account. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + download <bandwidth> + + Download bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit + upload <bandwidth> + + Upload bandwidth limit in kbit/s for `<user>`. + +.. cfgcmd:: set vpn sstp authentication protocols + <pap | chap | mschap | mschap-v2> + + Require the peer to authenticate itself using one of the following protocols: + pap, chap, mschap, mschap-v2. + +Client IP Pool Advanced Options +=============================== + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +PPP Advanced Options +==================== + +.. cfgcmd:: set vpn sstp ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number> Defines the maximum `<number>` of unanswered echo requests. Upon reaching the @@ -271,112 +426,61 @@ PPP Settings Defines preferred MRU. By default is not defined. +Global Advanced options +======================= -RADIUS ------- - -Server -^^^^^^ - -.. cfgcmd:: set vpn sstp authentication radius server <server> port <port> +.. cfgcmd:: set vpn sstp description <description> - Configure RADIUS `<server>` and its required port for authentication requests. + Set description. -.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret> - - Configure RADIUS `<server>` and its required shared `<secret>` for - communicating with the RADIUS server. +.. cfgcmd:: set vpn sstp limits burst <value> -.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time> + Burst count - Mark RADIUS server as offline for this given `<time>` in seconds. +.. cfgcmd:: set vpn sstp limits connection-limit <value> -.. cfgcmd:: set vpn sstp authentication radius server <server> disable + Acceptable rate of connections (e.g. 1/min, 60/sec) - Temporary disable this RADIUS server. +.. cfgcmd:: set vpn sstp limits timeout <value> -Options -^^^^^^^ + Timeout in seconds -.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout> +.. cfgcmd:: set vpn sstp mtu - Timeout to wait reply for Interim-Update packets. (default 3 seconds) + Maximum Transmission Unit (MTU) (default: **1500**) -.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address> +.. cfgcmd:: set vpn sstp max-concurrent-sessions - Specifies IP address for Dynamic Authorization Extension server (DM/CoA) + Maximum number of concurrent session start attempts -.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port> - - Port for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret> - - Secret for Dynamic Authorization Extension server (DM/CoA) - -.. cfgcmd:: set vpn sstp authentication radius max-try <number> - - Maximum number of tries to send Access-Request/Accounting-Request queries - -.. cfgcmd:: set vpn sstp authentication radius timeout <timeout> - - Timeout to wait response from server (seconds) - -.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier> - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched - in DM/CoA requests. - -.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address> - - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched - in DM/CoA requests. Also DM/CoA server will bind to that address. - -.. cfgcmd:: set vpn sstp authentication radius source-address <address> - - Source IPv4 address used in all RADIUS server queires. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute> - - Specifies which RADIUS server attribute contains the rate limit information. - The default attribute is `Filter-Id`. - -.. cfgcmd:: set vpn sstp authentication radius rate-limit enable +.. cfgcmd:: set vpn sstp name-server <address> - Enables bandwidth shaping via RADIUS. + Connected client should use `<address>` as their DNS server. This + command accepts both IPv4 and IPv6 addresses. Up to two nameservers + can be configured for IPv4, up to three for IPv6. -.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor +.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647> - Specifies the vendor dictionary, dictionary needs to be in - /usr/share/accel-ppp/radius. + Match firewall mark value +.. cfgcmd:: set vpn sstp snmp master-agent -Example -======= + Enable SNMP -* Use local user `foo` with password `bar` -* Client IP addresses will be provided from pool `192.0.2.0/25` +.. cfgcmd:: set vpn sstp wins-server <address> -.. code-block:: none + Windows Internet Name Service (WINS) servers propagated to client - set vpn sstp authentication local-users username vyos password vyos - set vpn sstp authentication mode local - set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 - set vpn sstp default-pool 'SSTP-POOL' - set vpn sstp name-server 10.0.0.1 - set vpn sstp name-server 10.0.0.2 - set vpn sstp ssl ca-cert-file /config/auth/ca.crt - set vpn sstp ssl cert-file /config/auth/server.crt - set vpn sstp ssl key-file /config/auth/server.key - -Testing SSTP -============ +*********************** +Configuring SSTP client +*********************** Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing is called sstpc_. sstpc_ requires a PPP configuration/peer file. +If you use a self-signed certificate, do not forget to install CA on the client side. + The following PPP configuration tests MSCHAP-v2: .. code-block:: none @@ -429,8 +533,115 @@ A connection attempt will be shown as: inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 valid_lft forever preferred_lft forever +********** +Monitoring +********** +.. opcmd:: show sstp-server sessions -.. _sstpc: https://github.com/reliablehosting/sstp-client + Use this command to locally check the active sessions in the SSTP + server. +.. code-block:: none + + vyos@vyos:~$ show sstp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B + +.. code-block:: none + + vyos@vyos:~$ show sstp-server statistics + uptime: 0.01:21:54 + cpu: 0% + mem(rss/virt): 6688/100464 kB + core: + mempool_allocated: 149420 + mempool_available: 146092 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 7 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 + sessions: + starting: 0 + active: 1 + finishing: 0 + sstp: + starting: 0 + active: 1 + +*************** +Troubleshooting +*************** + +.. code-block:: none + + vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0 + + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852 + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting + Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init + Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing + Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>] + Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9 + Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>] + Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data] + Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852) + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9] + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started + Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0' + Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started + +.. _sstpc: https://github.com/reliablehosting/sstp-client +.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel .. include:: /_include/common-references.txt |