Rewritten the SSTP server documentation

Fully rewritten SSTP server documentation.
2025-10-26 08:41:46 +01:00 · 2024-02-29 16:21:27 +02:00 · 2024-02-29 16:21:27 +02:00 · d71c4607fa
commit d71c4607fa
parent a8d2dedab2
1 changed files with 448 additions and 237 deletions
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@ -19,81 +19,34 @@ local and RADIUS authentication.
 As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
 certificates as well as a private PKI is required.

-.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
-  certificates are not stored in the ``/config`` directory they will not be
-  migrated during a software update.
+***********************
+Configuring SSTP Server
+***********************

 Certificates
 ============

-Self Signed CA
--------------
-
-To generate the CA, the server private key and certificates the following
-commands can be used.
+Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate

 .. code-block:: none

-  vyos@vyos:~$ mkdir -p /config/user-data/sstp
-  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
+    vyos@vyos:~$ generate pki ca install CA

-  Generating a 4096 bit RSA private key
-  .........................++
-  ...............................................................++
-  writing new private key to 'server.key'
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
-
-  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
+.. code-block:: none

+    vyos@vyos:~$ generate pki certificate sign CA install Server

 Configuration
 =============
+.. code-block:: none

-.. cfgcmd:: set vpn sstp authentication local-users username <user> password
-   <pass>
-
-  Create `<user>` for local authentication on this system. The users password
-  will be set to `<pass>`.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
-
-  Disable `<user>` account.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
-   <address>
-
-  Assign static IP address to `<user>` account.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
-   download <bandwidth>
-
-  Download bandwidth limit in kbit/s for `<user>`.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
-   upload <bandwidth>
-
-  Upload bandwidth limit in kbit/s for `<user>`.
-
-.. cfgcmd:: set vpn sstp authentication protocols
-   <pap | chap | mschap | mschap-v2>
-
-  Require the peer to authenticate itself using one of the following protocols:
-  pap, chap, mschap, mschap-v2.
+    set vpn sstp authentication local-users username test password 'test'
+    set vpn sstp authentication mode 'local'
+    set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100'
+    set vpn sstp default-pool 'SSTP-POOL'
+    set vpn sstp gateway-address '10.0.0.1'
+    set vpn sstp ssl ca-certificate 'CA1'
+    set vpn sstp ssl certificate 'Server'

 .. cfgcmd:: set vpn sstp authentication mode <local | radius>

@ -104,17 +57,11 @@ Configuration
    server.
  * **local**: All authentication queries are handled locally.

+.. cfgcmd:: set vpn sstp authentication local-users username <user> password
+   <pass>

-.. cfgcmd:: set vpn sstp gateway-address <gateway>
-
-  Specifies single `<gateway>` IP address to be used as local address of PPP
-  interfaces.
-
-
-.. cfgcmd:: set vpn sstp port <port>
-
-  Specifies the port `<port>` that the SSTP port will listen on (default 443).
-
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.

 .. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>

@ -123,170 +70,75 @@ Configuration
   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
   used there is possibility to set host/netmask.

-.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
-
-   Use this command to define the next address pool name.
-
 .. cfgcmd:: set vpn sstp default-pool <POOL-NAME>

   Use this command to define default address pool name.

+.. cfgcmd:: set vpn sstp gateway-address <gateway>

-.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
-   mask <number-of-bits>
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.

-  Use this comand to set the IPv6 address pool from which an SSTP client
-  will get an IPv6 prefix of your defined length (mask) to terminate the
-  SSTP endpoint at their side. The mask length can be set from 48 to 128
-  bit long, the default value is 64.
+.. cfgcmd:: set vpn sstp ssl ca-certificate <file>

+  Name of installed certificate authority certificate.

-.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
-   delegation-prefix <number-of-bits>
+.. cfgcmd:: set vpn sstp ssl certificate <file>

-  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
-  SSTP. You will have to set your IPv6 pool and the length of the
-  delegation prefix. From the defined IPv6 pool you will be handing out
-  networks of the defined length (delegation-prefix). The length of the
-  delegation prefix can be set from 32 to 64 bit long.
+  Name of installed server certificate.

+*********************************
+Configuring RADIUS authentication
+*********************************

-.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.

-   Use this command to define default IPv6 address pool name.
+.. code-block:: none

-
-.. cfgcmd:: set vpn sstp name-server <address>
-
-  Connected client should use `<address>` as their DNS server. This
-  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
-  can be configured for IPv4, up to three for IPv6.
-
-Maximum number of IPv4 nameservers
-
-SSL Certificates
----------------
-
-.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
-
-  Path to `<file>` pointing to the certificate authority certificate.
-
-.. cfgcmd:: set vpn sstp ssl cert-file <file>
-
-  Path to `<file>` pointing to the servers certificate (public portion).
-
-
-PPP Settings
------------
-
-.. cfgcmd:: set vpn sstp ppp-options disable-ccp
-
-  Disable Compression Control Protocol (CCP).
-  CCP is enabled by default.
-
-.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
-
-  Specifies number of interfaces to keep in cache. It means that don’t
-  destroy interface after corresponding session is destroyed, instead
-  place it to cache and use it later for new sessions repeatedly.
-  This should reduce kernel-level interface creation/deletion rate lack.
-  Default value is **0**.
-
-.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
-
-  Specifies IPv4 negotiation preference.
-
-  * **require** - Require IPv4 negotiation
-  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
-  * **allow** - Negotiate IPv4 only if client requests (Default value)
-  * **deny** - Do not negotiate IPv4
-
-.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
-
-  Specifies IPv6 negotiation preference.
-
-  * **require** - Require IPv6 negotiation
-  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
-  * **allow** - Negotiate IPv6 only if client requests
-  * **deny** - Do not negotiate IPv6 (default value)
-
-.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
-
-  Accept peer interface identifier. By default is not defined.
-
-.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
-
-  Specifies fixed or random interface identifier for IPv6.
-  By default is fixed.
-
-  * **random** - Random interface identifier for IPv6
-  * **x:x:x:x** - Specify interface identifier for IPv6
-
-.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
-
-  Specifies peer interface identifier for IPv6. By default is fixed.
-
-  * **random** - Random interface identifier for IPv6
-  * **x:x:x:x** - Specify interface identifier for IPv6
-  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
-  * **calling-sid** - Calculate interface identifier from calling-station-id.
-
-.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
-
-  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-  value `<number>`, the session will be reset. Default value is **3**.
-
-.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
-
-  If this option is specified and is greater than 0, then the PPP module will
-  send LCP pings of the echo request every `<interval>` seconds.
-  Default value is **30**.
-
-.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
-
-  Specifies timeout in seconds to wait for any peer activity. If this option
-  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-  is not used. Default value is **0**.
-
-.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
-
-  Defines minimum acceptable MTU. If client will try to negotiate less then
-  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
-  Default value is **100**.
-
-.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
-
-  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
-  preference.
-
-  * **require** - ask client for mppe, if it rejects drop connection
-  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
-  * **deny** - deny mppe
-
-  Default behavior - don't ask client for mppe, but allow it if client wants.
-  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
-  attribute.
-
-.. cfgcmd:: set vpn sstp ppp-options mru <number>
-
-  Defines preferred MRU. By default is not defined.
-
-
-RADIUS
------
-
-Server
-^^^^^^
-
-.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
-
-  Configure RADIUS `<server>` and its required port for authentication requests.
+  set vpn sstp authentication mode radius

 .. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>

  Configure RADIUS `<server>` and its required shared `<secret>` for
  communicating with the RADIUS server.

+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
+
+.. code-block:: none
+
+  set vpn sstp authentication radius server 10.0.0.1 key 'foo'
+  set vpn sstp authentication radius server 10.0.0.2 key 'foo'
+
+.. note:: Some RADIUS severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
+
+RADIUS source address
+=====================
+
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. You can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
+
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
+
+  Source IPv4 address used in all RADIUS server queires.
+
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best practice would be a loopback or dummy interface.
+
+RADIUS advanced options
+=======================
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
+
+  Configure RADIUS `<server>` and its required port for authentication requests.
+
 .. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>

  Mark RADIUS server as offline for this given `<time>` in seconds.
@ -295,9 +147,6 @@ Server

  Temporary disable this RADIUS server.

-Options
-^^^^^^^
-
 .. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>

  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
@ -341,6 +190,9 @@ Options
  Specifies which RADIUS server attribute contains the rate limit information.
  The default attribute is `Filter-Id`.

+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client.
+
 .. cfgcmd:: set vpn sstp authentication radius rate-limit enable

  Enables bandwidth shaping via RADIUS.
@ -350,33 +202,285 @@ Options
  Specifies the vendor dictionary, dictionary needs to be in
  /usr/share/accel-ppp/radius.

+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.

-Example
-=======
+Allocation clients ip addresses by RADIUS
+=========================================

-* Use local user `foo` with password `bar`
-* Client IP addresses will be provided from pool `192.0.2.0/25`
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ``default-pool`` within the CLI
+config is being ignored.
+
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+          RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
+Renaming clients interfaces by RADIUS
+=====================================
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+   characters, otherwise the interface won't be renamed.
+
+
+****
+IPv6
+****
+.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
+
+  Specifies IPv6 negotiation preference.
+
+  * **require** - Require IPv6 negotiation
+  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv6 only if client requests
+  * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
+
+  Use this comand to set the IPv6 address pool from which an SSTP client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  SSTP endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
+
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  SSTP. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
+
+.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+
+   Use this command to define default IPv6 address pool name.

 .. code-block:: none

-  set vpn sstp authentication local-users username vyos password vyos
-  set vpn sstp authentication mode local
-  set vpn sstp gateway-address 192.0.2.254
-  set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
-  set vpn sstp default-pool 'SSTP-POOL'
-  set vpn sstp name-server 10.0.0.1
-  set vpn sstp name-server 10.0.0.2
-  set vpn sstp ssl ca-cert-file /config/auth/ca.crt
-  set vpn sstp ssl cert-file /config/auth/server.crt
-  set vpn sstp ssl key-file /config/auth/server.key
+  set vpn sstp ppp-options ipv6 allow
+  set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set vpn sstp default-ipv6-pool IPv6-POOL

-Testing SSTP
-============
+IPv6 Advanced Options
+=====================
+.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
+
+  Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies fixed or random interface identifier for IPv6.
+  By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies peer interface identifier for IPv6. By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+  * **calling-sid** - Calculate interface identifier from calling-station-id.
+
+*********
+Scripting
+*********
+
+.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script>
+
+  Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script>
+
+  Script to run when session interface going to terminate
+
+.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script>
+
+  Script to run before session interface comes up
+
+.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script>
+
+  Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
+   <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols
+   <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+   Use this command to define the next address pool name.
+
+PPP Advanced Options
+====================
+
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
+
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset. Default value is **3**.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+  Default value is **30**.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
+
+  Defines minimum acceptable MTU. If client will try to negotiate less then
+  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  Default value is **100**.
+
+.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+.. cfgcmd:: set vpn sstp ppp-options mru <number>
+
+  Defines preferred MRU. By default is not defined.
+
+Global Advanced options
+=======================
+
+.. cfgcmd:: set vpn sstp description <description>
+
+  Set description.
+
+.. cfgcmd::  set vpn sstp limits burst <value>
+
+  Burst count
+
+.. cfgcmd:: set vpn sstp limits connection-limit <value>
+
+  Acceptable rate of connections (e.g. 1/min, 60/sec)
+
+.. cfgcmd:: set vpn sstp limits timeout <value>
+
+  Timeout in seconds
+
+.. cfgcmd:: set vpn sstp mtu
+
+  Maximum Transmission Unit (MTU) (default: **1500**)
+
+.. cfgcmd:: set vpn sstp max-concurrent-sessions
+
+  Maximum number of concurrent session start attempts
+
+.. cfgcmd:: set vpn sstp name-server <address>
+
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
+
+.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647>
+
+  Match firewall mark value
+
+.. cfgcmd:: set vpn sstp snmp master-agent
+
+  Enable SNMP
+
+.. cfgcmd:: set vpn sstp wins-server <address>
+
+  Windows Internet Name Service (WINS) servers propagated to client
+
+***********************
+Configuring SSTP client
+***********************

 Once you have setup your SSTP server there comes the time to do some basic
 testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
 PPP configuration/peer file.

+If you use a self-signed certificate, do not forget to install CA on the client side.
+
 The following PPP configuration tests MSCHAP-v2:

 .. code-block:: none
@ -429,8 +533,115 @@ A connection attempt will be shown as:
       inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
          valid_lft forever preferred_lft forever

+**********
+Monitoring
+**********

+.. opcmd:: show sstp-server sessions
+
+   Use this command to locally check the active sessions in the SSTP
+   server.
+
+.. code-block:: none
+
+    vyos@vyos:~$ show sstp-server sessions
+     ifname | username |    ip    | ip6 | ip6-dp |   calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
+    --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
+     sstp0  | test     | 10.0.0.2 |     |        | 192.168.10.100 |            | active | 00:15:46 | 16.3 KiB | 210 B
+
+.. code-block:: none
+
+    vyos@vyos:~$ show sstp-server statistics
+     uptime: 0.01:21:54
+    cpu: 0%
+    mem(rss/virt): 6688/100464 kB
+    core:
+      mempool_allocated: 149420
+      mempool_available: 146092
+      thread_count: 1
+      thread_active: 1
+      context_count: 6
+      context_sleeping: 0
+      context_pending: 0
+      md_handler_count: 7
+      md_handler_pending: 0
+      timer_count: 2
+      timer_pending: 0
+    sessions:
+      starting: 0
+      active: 1
+      finishing: 0
+    sstp:
+      starting: 0
+      active: 1
+
+***************
+Troubleshooting
+***************
+
+.. code-block:: none
+
+    vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0
+
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852)
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0'
+    Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started

 .. _sstpc: https://github.com/reliablehosting/sstp-client
-
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
 .. include:: /_include/common-references.txt