1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
|
.. _sstp:
###########
SSTP Server
###########
:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
with key negotiation, encryption and traffic integrity checking. The use of
SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
and proxy servers except for authenticated web proxies.
SSTP is available for Linux, BSD, and Windows.
VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
local and RADIUS authentication.
As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
certificates as well as a private PKI is required.
.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
certificates are not stored in the ``/config`` directory they will not be
migrated during a software update.
Certificates
============
Self Signed CA
--------------
To generate the CA, the server private key and certificates the following
commands can be used.
.. code-block:: none
vyos@vyos:~$ mkdir -p /config/user-data/sstp
vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
Generating a 4096 bit RSA private key
.........................++
...............................................................++
writing new private key to 'server.key'
[...]
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
[...]
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Configuration
=============
.. cfgcmd:: set vpn sstp authentication local-users username <user> password
<pass>
Create `<user>` for local authentication on this system. The users password
will be set to `<pass>`.
.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
Disable `<user>` account.
.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
<address>
Assign static IP address to `<user>` account.
.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
download <bandwidth>
Download bandwidth limit in kbit/s for `<user>`.
.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
upload <bandwidth>
Upload bandwidth limit in kbit/s for `<user>`.
.. cfgcmd:: set vpn sstp authentication protocols
<pap | chap | mschap | mschap-v2>
Require the peer to authenticate itself using one of the following protocols:
pap, chap, mschap, mschap-v2.
.. cfgcmd:: set vpn sstp authentication mode <local | radius>
Set authentication backend. The configured authentication backend is used
for all queries.
* **radius**: All authentication queries are handled by a configured RADIUS
server.
* **local**: All authentication queries are handled locally.
.. cfgcmd:: set vpn sstp gateway-address <gateway>
Specifies single `<gateway>` IP address to be used as local address of PPP
interfaces.
.. cfgcmd:: set vpn sstp port <port>
Specifies the port `<port>` that the SSTP port will listen on (default 443).
.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
Use this command to define the first IP address of a pool of
addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
used there is possibility to set host/netmask.
.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
Use this command to define the next address pool name.
.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
Use this command to define default address pool name.
.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
mask <number-of-bits>
Use this comand to set the IPv6 address pool from which an SSTP client
will get an IPv6 prefix of your defined length (mask) to terminate the
SSTP endpoint at their side. The mask length can be set from 48 to 128
bit long, the default value is 64.
.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
delegation-prefix <number-of-bits>
Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
SSTP. You will have to set your IPv6 pool and the length of the
delegation prefix. From the defined IPv6 pool you will be handing out
networks of the defined length (delegation-prefix). The length of the
delegation prefix can be set from 32 to 64 bit long.
.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
Use this command to define default IPv6 address pool name.
.. cfgcmd:: set vpn sstp name-server <address>
Connected client should use `<address>` as their DNS server. This
command accepts both IPv4 and IPv6 addresses. Up to two nameservers
can be configured for IPv4, up to three for IPv6.
Maximum number of IPv4 nameservers
SSL Certificates
----------------
.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
Path to `<file>` pointing to the certificate authority certificate.
.. cfgcmd:: set vpn sstp ssl cert-file <file>
Path to `<file>` pointing to the servers certificate (public portion).
PPP Settings
------------
.. cfgcmd:: set vpn sstp ppp-options disable-ccp
Disable Compression Control Protocol (CCP).
CCP is enabled by default.
.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
Specifies number of interfaces to keep in cache. It means that don’t
destroy interface after corresponding session is destroyed, instead
place it to cache and use it later for new sessions repeatedly.
This should reduce kernel-level interface creation/deletion rate lack.
Default value is **0**.
.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
Specifies IPv4 negotiation preference.
* **require** - Require IPv4 negotiation
* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
* **allow** - Negotiate IPv4 only if client requests (Default value)
* **deny** - Do not negotiate IPv4
.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
Specifies IPv6 negotiation preference.
* **require** - Require IPv6 negotiation
* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
* **allow** - Negotiate IPv6 only if client requests
* **deny** - Do not negotiate IPv6 (default value)
.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
Accept peer interface identifier. By default is not defined.
.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
Specifies fixed or random interface identifier for IPv6.
By default is fixed.
* **random** - Random interface identifier for IPv6
* **x:x:x:x** - Specify interface identifier for IPv6
.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
Specifies peer interface identifier for IPv6. By default is fixed.
* **random** - Random interface identifier for IPv6
* **x:x:x:x** - Specify interface identifier for IPv6
* **ipv4-addr** - Calculate interface identifier from IPv4 address.
* **calling-sid** - Calculate interface identifier from calling-station-id.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
value `<number>`, the session will be reset. Default value is **3**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will
send LCP pings of the echo request every `<interval>` seconds.
Default value is **30**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
Specifies timeout in seconds to wait for any peer activity. If this option
specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
is not used. Default value is **0**.
.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
Defines minimum acceptable MTU. If client will try to negotiate less then
specified MTU then it will be NAKed or disconnected if rejects greater MTU.
Default value is **100**.
.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
preference.
* **require** - ask client for mppe, if it rejects drop connection
* **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
* **deny** - deny mppe
Default behavior - don't ask client for mppe, but allow it if client wants.
Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
attribute.
.. cfgcmd:: set vpn sstp ppp-options mru <number>
Defines preferred MRU. By default is not defined.
RADIUS
------
Server
^^^^^^
.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
Configure RADIUS `<server>` and its required port for authentication requests.
.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
Configure RADIUS `<server>` and its required shared `<secret>` for
communicating with the RADIUS server.
.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
Mark RADIUS server as offline for this given `<time>` in seconds.
.. cfgcmd:: set vpn sstp authentication radius server <server> disable
Temporary disable this RADIUS server.
Options
^^^^^^^
.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
Timeout to wait reply for Interim-Update packets. (default 3 seconds)
.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
Port for Dynamic Authorization Extension server (DM/CoA)
.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
Secret for Dynamic Authorization Extension server (DM/CoA)
.. cfgcmd:: set vpn sstp authentication radius max-try <number>
Maximum number of tries to send Access-Request/Accounting-Request queries
.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
Timeout to wait response from server (seconds)
.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
Value to send to RADIUS server in NAS-Identifier attribute and to be matched
in DM/CoA requests.
.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
in DM/CoA requests. Also DM/CoA server will bind to that address.
.. cfgcmd:: set vpn sstp authentication radius source-address <address>
Source IPv4 address used in all RADIUS server queires.
.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
Specifies which RADIUS server attribute contains the rate limit information.
The default attribute is `Filter-Id`.
.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
Enables bandwidth shaping via RADIUS.
.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
Specifies the vendor dictionary, dictionary needs to be in
/usr/share/accel-ppp/radius.
Example
=======
* Use local user `foo` with password `bar`
* Client IP addresses will be provided from pool `192.0.2.0/25`
.. code-block:: none
set vpn sstp authentication local-users username vyos password vyos
set vpn sstp authentication mode local
set vpn sstp gateway-address 192.0.2.254
set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
set vpn sstp default-pool 'SSTP-POOL'
set vpn sstp name-server 10.0.0.1
set vpn sstp name-server 10.0.0.2
set vpn sstp ssl ca-cert-file /config/auth/ca.crt
set vpn sstp ssl cert-file /config/auth/server.crt
set vpn sstp ssl key-file /config/auth/server.key
Testing SSTP
============
Once you have setup your SSTP server there comes the time to do some basic
testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
PPP configuration/peer file.
The following PPP configuration tests MSCHAP-v2:
.. code-block:: none
$ cat /etc/ppp/peers/vyos
usepeerdns
#require-mppe
#require-pap
require-mschap-v2
noauth
lock
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
#refuse-mschap-v2
nobsdcomp
nodeflate
debug
You can now "dial" the peer with the follwoing command: ``sstpc --log-level 4
--log-stderr --user vyos --password vyos vpn.example.com -- call vyos``.
A connection attempt will be shown as:
.. code-block:: none
$ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos
Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1
Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com
Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message
Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14)
Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1):
Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6
Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48)
Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1):
Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40
Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation
Mar 22 13:29:15 sstpc[12344]: Sending Connected Message
Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112)
Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1):
Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104
Mar 22 13:29:15 sstpc[12344]: Connection Established
$ ip addr show ppp0
164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp promiscuity 0
inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
valid_lft forever preferred_lft forever
.. _sstpc: https://github.com/reliablehosting/sstp-client
.. include:: /_include/common-references.txt
|
