From ce090a4ced7fccce3fdc70142e22fa0009fae12b Mon Sep 17 00:00:00 2001
From: rebortg <github@ghlr.de>
Date: Sun, 6 Dec 2020 21:41:10 +0100
Subject: arrange examples

---
 docs/configuration/vpn/sstp.rst | 347 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 347 insertions(+)
 create mode 100644 docs/configuration/vpn/sstp.rst

(limited to 'docs/configuration/vpn/sstp.rst')

diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
new file mode 100644
index 00000000..dbaa41c0
--- /dev/null
+++ b/docs/configuration/vpn/sstp.rst
@@ -0,0 +1,347 @@
+.. _sstp:
+
+####
+SSTP
+####
+
+:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
+(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
+traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
+with key negotiation, encryption and traffic integrity checking. The use of
+SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
+and proxy servers except for authenticated web proxies.
+
+SSTP is available for Linux, BSD, and Windows.
+
+VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
+local and RADIUS authentication.
+
+As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
+certificates as well as a private PKI is required.
+
+.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
+  certificates are not stored in the ``/config`` directory they will not be
+  migrated during a software update.
+
+Certificates
+============
+
+Self Signed CA
+--------------
+
+To generate the CA, the server private key and certificates the following
+commands can be used.
+
+.. code-block:: none
+
+  vyos@vyos:~$ mkdir -p /config/user-data/sstp
+  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
+
+  Generating a 4096 bit RSA private key
+  .........................++
+  ...............................................................++
+  writing new private key to 'server.key'
+  [...]
+  Country Name (2 letter code) [AU]:
+  State or Province Name (full name) [Some-State]:
+  Locality Name (eg, city) []:
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+  Organizational Unit Name (eg, section) []:
+  Common Name (e.g. server FQDN or YOUR name) []:
+  Email Address []:
+
+  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
+  [...]
+  Country Name (2 letter code) [AU]:
+  State or Province Name (full name) [Some-State]:
+  Locality Name (eg, city) []:
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+  Organizational Unit Name (eg, section) []:
+  Common Name (e.g. server FQDN or YOUR name) []:
+  Email Address []:
+
+
+Configuration
+=============
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass>
+
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+
+  Set authentication backend. The configured authentication backend is used
+  for all queries.
+
+  * **radius**: All authentication queries are handled by a configured RADIUS
+    server.
+  * **local**: All authentication queries are handled locally.
+
+
+.. cfgcmd:: set vpn sstp gateway-address <gateway>
+
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.
+
+
+.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet>
+
+  Use `<subnet>` as the IP pool for all connecting clients.
+
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
+
+  Use this comand to set the IPv6 address pool from which an SSTP client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  SSTP endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
+
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix <number-of-bits>
+
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  SSTP. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
+
+
+.. cfgcmd:: set vpn sstp name-server <address>
+
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
+
+Maximum number of IPv4 nameservers
+
+SSL Certificates
+----------------
+
+.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
+
+  Path to `<file>` pointing to the certificate authority certificate.
+
+.. cfgcmd:: set vpn sstp ssl cert-file <file>
+
+  Path to `<file>` pointing to the servers certificate (public portion).
+
+.. cfgcmd:: set vpn sstp ssl key-file <file>
+
+  Path to `<file>` pointing to the servers certificate (private portion).
+
+PPP Settings
+------------
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used.
+
+.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+
+RADIUS
+------
+
+Server
+^^^^^^
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
+
+  Configure RADIUS `<server>` and its required port for authentication requests.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
+
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
+
+  Mark RADIUS server as offline for this given `<time>` in seconds.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> disable
+
+  Temporary disable this RADIUS server.
+
+Options
+^^^^^^^
+
+.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
+
+  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
+
+  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
+
+  Port for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
+
+  Secret for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius max-try <number>
+
+  Maximum number of tries to send Access-Request/Accounting-Request queries
+
+.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
+
+  Timeout to wait response from server (seconds)
+
+.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
+
+  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+  in DM/CoA requests.
+
+.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
+
+  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+  in DM/CoA requests. Also DM/CoA server will bind to that address.
+
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
+
+  Source IPv4 address used in all RADIUS server queires.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
+
+  Specifies which RADIUS server attribute contains the rate limit information.
+  The default attribute is `Filter-Id`.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+
+  Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+
+  Specifies the vendor dictionary, dictionary needs to be in
+  /usr/share/accel-ppp/radius.
+
+
+Example
+=======
+
+* Use local user `foo` with password `bar`
+* Client IP addresses will be provided from pool `192.0.2.0/25`
+
+.. code-block:: none
+
+  set vpn sstp authentication local-users username vyos password vyos
+  set vpn sstp authentication mode local
+  set vpn sstp gateway-address 192.0.2.254
+  set vpn sstp client-ip-pool subnet 192.0.2.0/25
+  set vpn sstp name-server 10.0.0.1
+  set vpn sstp name-server 10.0.0.2
+  set vpn sstp ssl ca-cert-file /config/auth/ca.crt
+  set vpn sstp ssl cert-file /config/auth/server.crt
+  set vpn sstp ssl key-file /config/auth/server.key
+
+Testing SSTP
+============
+
+Once you have setup your SSTP server there comes the time to do some basic
+testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
+PPP configuration/peer file.
+
+The following PPP configuration tests MSCHAP-v2:
+
+.. code-block:: none
+
+  $ cat /etc/ppp/peers/vyos
+  usepeerdns
+  #require-mppe
+  #require-pap
+  require-mschap-v2
+  noauth
+  lock
+  refuse-pap
+  refuse-eap
+  refuse-chap
+  refuse-mschap
+  #refuse-mschap-v2
+  nobsdcomp
+  nodeflate
+  debug
+
+
+You can now "dial" the peer with the follwoing command: ``sstpc --log-level 4
+--log-stderr --user vyos --password vyos vpn.example.com -- call vyos``.
+
+A connection attempt will be shown as:
+
+.. code-block:: none
+
+  $ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos
+
+  Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1
+  Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com
+  Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message
+  Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14)
+  Mar 22 13:29:12 sstpc[12344]:   TYPE(1): CONNECT REQUEST, ATTR(1):
+  Mar 22 13:29:12 sstpc[12344]:     ENCAP PROTO(1): 6
+  Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48)
+  Mar 22 13:29:12 sstpc[12344]:   TYPE(2): CONNECT ACK, ATTR(1):
+  Mar 22 13:29:12 sstpc[12344]:     CRYPTO BIND REQ(4): 40
+  Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation
+  Mar 22 13:29:15 sstpc[12344]: Sending Connected Message
+  Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112)
+  Mar 22 13:29:15 sstpc[12344]:   TYPE(4): CONNECTED, ATTR(1):
+  Mar 22 13:29:15 sstpc[12344]:     CRYPTO BIND(3): 104
+  Mar 22 13:29:15 sstpc[12344]: Connection Established
+
+  $ ip addr show ppp0
+  164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3
+       link/ppp  promiscuity 0
+       inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
+          valid_lft forever preferred_lft forever
+
+
+
+.. _sstpc: https://github.com/reliablehosting/sstp-client
+
+.. include:: /_include/common-references.txt
-- 
cgit v1.2.3


From 19596fd91ee067594957252768aed98579c1a4dc Mon Sep 17 00:00:00 2001
From: rebortg <github@ghlr.de>
Date: Fri, 11 Dec 2020 14:54:50 +0100
Subject: vpn: fix lint errors

---
 docs/configuration/vpn/dmvpn.rst           |   3 +-
 docs/configuration/vpn/openconnect.rst     |   4 +-
 docs/configuration/vpn/pptp.rst            |  15 ++--
 docs/configuration/vpn/site2site_ipsec.rst | 112 ++++++++++++++++++++---------
 docs/configuration/vpn/sstp.rst            |  18 +++--
 5 files changed, 106 insertions(+), 46 deletions(-)

(limited to 'docs/configuration/vpn/sstp.rst')

diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index 62c0f002..f902c388 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -11,7 +11,8 @@ technologies are actually standards based. The three technologies are:
 
 * :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332`
 * :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702`
-* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc:`4301`
+* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with
+  :rfc:`4301`
 
 NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint
 registration, and endpoint discovery/lookup), mGRE provides the tunnel
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index a409ed9d..feb0bab1 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -72,8 +72,8 @@ The Gateway IP Address must be in one of the router´s interfaces.
   set vpn openconnect authentication local-users username user4 password 'SecretPassword'
   set vpn openconnect authentication mode 'local'
   set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
-  set vpn openconnect network-settings name-server '1.1.1.1'
-  set vpn openconnect network-settings name-server '8.8.8.8'
+  set vpn openconnect network-settings name-server '10.1.1.1'
+  set vpn openconnect network-settings name-server '10.1.1.2'
   set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem'
   set vpn openconnect ssl cert-file '/config/auth/cert.pem'
   set vpn openconnect ssl key-file '/config/auth/privkey.pem'
diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst
index 72b3feb0..12364acb 100644
--- a/docs/configuration/vpn/pptp.rst
+++ b/docs/configuration/vpn/pptp.rst
@@ -3,11 +3,15 @@
 PPTP-Server
 -----------
 
-The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility.
-PPTP has many well known security issues and you should use one of the many other new VPN implementations.
+The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only
+for backwards compatibility. PPTP has many well known security issues and you 
+should use one of the many other new VPN implementations.
 
-As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption.
-If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1.
+As per default and if not otherwise defined, mschap-v2 is being used for
+authentication and mppe 128-bit (stateless) for encryption. If no
+gateway-address is set within the configuration, the lowest IP out of the /24
+client-ip-pool is being used. For instance, in the example below it would be
+192.168.0.1.
 
 server example
 ^^^^^^^^^^^^^^
@@ -25,7 +29,8 @@ server example
 client example (debian 9)
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Install the client software via apt and execute pptpsetup to generate the configuration.
+Install the client software via apt and execute pptpsetup to generate the
+configuration.
 
 
 .. code-block:: none
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 97f27b43..e81c5c3b 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -3,103 +3,151 @@
 Site-to-Site
 ============
 
-Site-to-site mode provides a way to add remote peers, which could be configured to exchange encrypted information between them and VyOS itself or connected/routed networks.
+Site-to-site mode provides a way to add remote peers, which could be configured
+to exchange encrypted information between them and VyOS itself or
+connected/routed networks.
 
-To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site`` command.
+To configure site-to-site connection you need to add peers with the
+``set vpn ipsec site-to-site`` command.
 
 You can identify a remote peer with:
 
-* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used when a peer has a public static IP address;
-* Hostname. This mode is similar to IP address, only you define DNS name instead of an IP. Could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time;
-* Remote ID of the peer. In this mode, there is no predefined remote address nor DNS name of the peer. This mode is useful when a peer doesn't have a publicly available IP address (NAT between it and VyOS), or IP address could be changed.
+* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used
+  when a peer has a public static IP address;
+* Hostname. This mode is similar to IP address, only you define DNS name instead
+  of an IP. Could be used when a peer has a public IP address and DNS name, but
+  an IP address could be changed from time to time;
+* Remote ID of the peer. In this mode, there is no predefined remote address
+  nor DNS name of the peer. This mode is useful when a peer doesn't have a
+  publicly available IP address (NAT between it and VyOS), or IP address could
+  be changed.
 
 Each site-to-site peer has the next options:
 
-* ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions:
+* ``authentication`` - configure authentication between VyOS and a remote peer.
+  Suboptions:
 
- * ``id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer;
+ * ``id`` - ID for the local VyOS router. If defined, during the authentication
+   it will be send to remote peer;
 
  * ``mode`` - mode for authentication between VyOS and remote peer:
 
-  * ``pre-shared-secret`` - use predefined shared secret phrase, must be the same for local and remote side;
+  * ``pre-shared-secret`` - use predefined shared secret phrase, must be the
+    same for local and remote side;
 
-  * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section;
+  * ``rsa`` - use simple shared RSA key. The key must be defined in the
+    ``set vpn rsa-keys`` section;
 
   * ``x509`` - use certificates infrastructure for authentication.
 
- * ``pre-shared-secret`` - predefined shared secret. Used if configured ``mode pre-shared-secret``;
+ * ``pre-shared-secret`` - predefined shared secret. Used if configured
+   ``mode pre-shared-secret``;
 
- * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used;
+ * ``remote-id`` - define an ID for remote peer, instead of using peer name or
+   address. Useful in case if the remote peer is behind NAT or if ``mode x509``
+   is used;
 
- * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined in the ``set vpn rsa-keys`` section;
+ * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
+   in the ``set vpn rsa-keys`` section;
 
- * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined;
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
+   ``id`` is defined;
 
  * ``x509`` - options for x509 authentication mode:
 
-  * ``ca-cert-file`` - CA certificate file. Using for authenticating remote peer;
+  * ``ca-cert-file`` - CA certificate file. Using for authenticating
+    remote peer;
 
-  * ``cert-file`` - certificate file, which will be used for authenticating local router on remote peer;
+  * ``cert-file`` - certificate file, which will be used for authenticating
+    local router on remote peer;
 
-  * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked;
+  * ``crl-file`` - file with the Certificate Revocation List. Using to check if
+    a certificate for the remote peer is valid or revoked;
 
-  * ``key`` - a private key, which will be used for authenticating local router on remote peer:
+  * ``key`` - a private key, which will be used for authenticating local router
+    on remote peer:
 
    * ``file`` - path to the key file;
 
    * ``password`` - passphrase private key, if needed.
 
-* ``connection-type`` - how to handle this connection process. Possible variants:
+* ``connection-type`` - how to handle this connection process. Possible
+  variants:
 
- * ``initiate`` - do initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods;
+ * ``initiate`` - do initial connection to remote peer immediately after
+   configuring and after boot. In this mode the connection will not be restarted
+   in case of disconnection, therefore should be used only together with DPD or
+   another session tracking methods;
 
- * ``respond`` - do not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side.
+ * ``respond`` - do not try to initiate a connection to a remote peer. In this
+   mode, the IPSec session will be established only after initiation from a
+   remote peer. Could be useful when there is no direct connectivity to the
+   peer due to firewall or NAT in the middle of the local and remote side.
 
-* ``default-esp-group`` - ESP group to use by default for traffic encryption. Might be overwritten by individual settings for tunnel or VTI interface binding;
+* ``default-esp-group`` - ESP group to use by default for traffic encryption.
+  Might be overwritten by individual settings for tunnel or VTI interface
+  binding;
 
 * ``description`` - description for this peer;
 
-* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``;
+* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec
+  connection with this peer, instead of ``local-address``;
 
-* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them;
+* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams.
+  Useful in case if between local and remote side is firewall or NAT, which not
+  allows passing plain ESP packets between them;
 
 * ``ike-group`` - IKE group to use for key exchanges;
 
-* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2:
+* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process.
+  Can be used only with IKEv2:
 
- * ``yes`` - create a new IKE_SA from the scratch and try to recreate all IPsec SAs;
+ * ``yes`` - create a new IKE_SA from the scratch and try to recreate all
+   IPsec SAs;
 
  * ``no`` - rekey without uninstalling the IPsec SAs;
 
  * ``inherit`` - use default behavior for the used IKE group.
 
-* ``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used;
+* ``local-address`` - local IP address for IPSec connection with this peer.
+  If defined ``any``, then an IP address which configured on interface with
+  default route will be used;
 
-* ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer:
+* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
+  it to a peer:
 
  * ``disable`` - disable this tunnel;
 
  * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel;
 
- * ``local`` - define a local source for match traffic, which should be encrypted and send to this peer:
+ * ``local`` - define a local source for match traffic, which should be
+   encrypted and send to this peer:
 
   * ``port`` - define port. Have effect only when used together with ``prefix``;
 
   * ``prefix`` - IP network at local side.
 
- * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer;
+ * ``protocol`` - define the protocol for match traffic, which should be
+   encrypted and send to this peer;
 
- * ``remote`` - define the remote destination for match traffic, which should be encrypted and send to this peer:
+ * ``remote`` - define the remote destination for match traffic, which should be
+   encrypted and send to this peer:
 
   * ``port`` - define port. Have effect only when used together with ``prefix``;
 
   * ``prefix`` - IP network at remote side.
 
-* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will be send to VTI interface will be encrypted and send to this peer. Using VTI makes IPSec configuration much flexible and easier in complex situation, and allows to dynamically add/delete remote networks, reachable via a peer, as in this mode router don't need to create additional SA/policy for each remote network:
+* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will
+  be send to VTI interface will be encrypted and send to this peer. Using VTI
+  makes IPSec configuration much flexible and easier in complex situation, and
+  allows to dynamically add/delete remote networks, reachable via a peer, as in
+  this mode router don't need to create additional SA/policy for each remote
+  network:
 
  * ``bind`` - select a VTI interface to bind to this peer;
 
- * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface.
+ * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
+   interface.
 
 Examples:
 ------------------
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index dbaa41c0..3600681f 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -64,7 +64,8 @@ commands can be used.
 Configuration
 =============
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> password <pass>
+.. cfgcmd:: set vpn sstp authentication local-users username <user> password
+   <pass>
 
   Create `<user>` for local authentication on this system. The users password
   will be set to `<pass>`.
@@ -73,19 +74,23 @@ Configuration
 
   Disable `<user>` account.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip <address>
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
+   <address>
 
   Assign static IP address to `<user>` account.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit download <bandwidth>
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   download <bandwidth>
 
   Download bandwidth limit in kbit/s for `<user>`.
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit upload <bandwidth>
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   upload <bandwidth>
 
   Upload bandwidth limit in kbit/s for `<user>`.
 
-.. cfgcmd:: set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2>
+.. cfgcmd:: set vpn sstp authentication protocols
+   <pap | chap | mschap | mschap-v2>
 
   Require the peer to authenticate itself using one of the following protocols:
   pap, chap, mschap, mschap-v2.
@@ -119,7 +124,8 @@ Configuration
   bit long, the default value is 64.
 
 
-.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix <number-of-bits>
+.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix
+   <number-of-bits>
 
   Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
   SSTP. You will have to set your IPv6 pool and the length of the
-- 
cgit v1.2.3