mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
:lastproofread: 2022-12-11

.. _sstp-client-interface:

###########
SSTP Client
###########

:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN (Virtual
Private Network)` tunnel that provides a mechanism to transport PPP traffic
through an SSL/TLS channel. SSL/TLS provides transport-level security with key
negotiation, encryption and traffic integrity checking. Because SSL/TLS runs
over TCP port 443 by default (the port can be changed), SSTP passes through
virtually all firewalls and proxy servers except for authenticated web proxies.

.. note:: VyOS also comes with a built-in SSTP server, see :ref:`sstp`.

*************
Configuration
*************

Common interface configuration
==============================

.. cmdinclude:: /_include/interface-description.txt
  :var0: sstpc
  :var1: sstpc0

.. cmdinclude:: /_include/interface-disable.txt
  :var0: sstpc
  :var1: sstpc0

.. cmdinclude:: /_include/interface-mtu.txt
  :var0: sstpc
  :var1: sstpc0

.. cmdinclude:: /_include/interface-vrf.txt
  :var0: sstpc
  :var1: sstpc0

SSTP Client Options
===================

.. cfgcmd:: set interfaces sstpc <interface> no-default-route

  Only request an address from the SSTP server but do not install any default
  route.

  Example:

  .. code-block:: none

    set interfaces sstpc sstpc0 no-default-route

  .. note:: This command was added in VyOS 1.4 and inverts the logic of the old
    ``default-route`` CLI option.

.. cfgcmd:: set interfaces sstpc <interface> default-route-distance <distance>

  Set the distance for the default gateway sent by the SSTP server.

  Example:

  .. code-block:: none

    set interfaces sstpc sstpc0 default-route-distance 220

.. cfgcmd:: set interfaces sstpc <interface> no-peer-dns

  Use this command to not install advertised DNS nameservers into the local
  system.

.. cfgcmd:: set interfaces sstpc <interface> server <address>

  SSTP remote server to connect to. Can be either an IP address or FQDN.

.. cfgcmd:: set interfaces sstpc <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

  As Internet-wide PMTU discovery rarely works, we sometimes need to clamp our
  TCP MSS value to a specific value. This is a field in the TCP options part of
  a SYN packet. By setting the MSS value, you are telling the remote side
  unequivocally 'do not try to send me packets bigger than this value'.

  .. note:: This command was introduced in VyOS 1.4 - it was previously called:
    ``set firewall options interface <name> adjust-mss <value>``

  .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
    1452 bytes on a 1492 byte MTU.

  Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
  automatically set the proper value.

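To make the mechanism behind ``adjust-mss`` concrete, the following Python is an added example (not code from the VyOS project) that walks the option list of a constructed TCP SYN header, finds the MSS option (kind 2) and lowers it to the value the hint above derives from the MTU. The header bytes, ports and option layout are constructed for the example; the function stops at a truncated or malformed option list instead of guessing, and zeroes the TCP checksum when it rewrites the option, since recomputing it needs the IP pseudo-header.

```python
import struct

TCP_FLAG_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def mss_for_mtu(mtu: int) -> int:
    """MSS = MTU - 20 (IPv4 header) - 20 (TCP header), as the hint above states."""
    return mtu - 20 - 20


def build_syn(mss: int) -> bytes:
    """Constructed sample TCP SYN header (no payload) carrying an MSS option.

    Options: NOP, NOP, MSS(kind=2, len=4, value), then two EOL bytes of padding,
    so the header is 28 bytes and the data offset field is 7 (28 / 4).
    """
    options = bytes([TCPOPT_NOP, TCPOPT_NOP]) + struct.pack("!BBH", TCPOPT_MSS, 4, mss) + b"\x00\x00"
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack(
        "!HHIIBBHHH",
        40000, 443,            # source / destination port (constructed values)
        0, 0,                  # sequence / acknowledgement numbers
        data_offset << 4,      # data offset in 32-bit words, upper nibble
        TCP_FLAG_SYN,          # flags: SYN only
        65535,                 # window
        0, 0,                  # checksum (left zero here), urgent pointer
    )
    return fixed + options


def clamp_tcp_mss(tcp_header: bytes, max_mss: int):
    """Lower the MSS option of a SYN segment to max_mss if it advertises more.

    Returns (header, original_mss, resulting_mss). For a non-SYN segment or a
    SYN without an MSS option the header is returned untouched with (None, None).
    """
    data_offset = (tcp_header[12] >> 4) * 4
    if not tcp_header[13] & TCP_FLAG_SYN or data_offset > len(tcp_header):
        return tcp_header, None, None
    buf = bytearray(tcp_header)
    i = 20                                   # options start after the fixed header
    while i < data_offset:
        kind = buf[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            break                            # truncated option: stop, do not guess
        length = buf[i + 1]
        if length < 2 or i + length > data_offset:
            break                            # malformed option list
        if kind == TCPOPT_MSS and length == 4:
            original = struct.unpack_from("!H", buf, i + 2)[0]
            if original <= max_mss:
                return tcp_header, original, original
            struct.pack_into("!H", buf, i + 2, max_mss)
            struct.pack_into("!H", buf, 16, 0)   # checksum must be recomputed by the caller
            return bytes(buf), original, max_mss
        i += length
    return tcp_header, None, None


if __name__ == "__main__":
    syn = build_syn(1460)
    hdr, before, after = clamp_tcp_mss(syn, mss_for_mtu(1492))
    print(f"MSS {before} -> {after}")
```

A SYN advertising 1460 (the usual value for a 1500 byte MTU) crossing a 1492 byte tunnel is rewritten to 1452; a SYN that already advertises less is left alone, and non-SYN segments are never touched, which is exactly the scope of the router's clamp.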
.. cfgcmd:: set interfaces sstpc <interface> ip disable-forwarding

  Configure interface-specific Host/Router behaviour. If set, the interface will
  switch to host mode and IPv6 forwarding will be disabled on this interface.

.. cfgcmd:: set interfaces sstpc <interface> ip source-validation <strict | loose | disable>

  Enable policy for source validation by reversed path, as specified in
  :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict
  mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing
  or other complicated routing, then loose mode is recommended.

  - strict: Each incoming packet is tested against the FIB and if the interface
    is not the best reverse path the packet check will fail. By default failed
    packets are discarded.

  - loose: Each incoming packet's source address is also tested against the FIB
    and if the source address is not reachable via any interface the packet
    check will fail.

  - disable: No source validation

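The three modes above are easiest to compare on a small forwarding table. The Python below is an added example (not VyOS code) that models the reverse-path check: a longest-prefix lookup of the packet's source address, then the strict, loose or disable decision as the list above describes it. The FIB, interface names and packets are constructed for the example, and the model covers only plain unicast routes.

```python
import ipaddress

# Constructed FIB: prefix -> interface that reaches it. Deliberately without a
# default route, so that loose mode has a source address it can reject.
FIB = {
    "192.0.2.0/24": "eth0",
    "198.51.100.0/24": "eth1",
    "203.0.113.0/24": "sstpc0",
}


def best_reverse_path(fib, source):
    """Longest-prefix match of the source address; returns the interface or None."""
    addr = ipaddress.ip_address(source)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_passes(fib, source, ingress, mode):
    """Apply one of the three source-validation modes to a single incoming packet."""
    if mode == "disable":
        return True
    egress = best_reverse_path(fib, source)
    if mode == "strict":
        return egress == ingress          # the FIB must point back out the ingress interface
    if mode == "loose":
        return egress is not None         # any route to the source is enough
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(fib, packets, mode):
    """Return the pass/fail decision for each (source, ingress) pair."""
    return [rpf_passes(fib, src, ingress, mode) for src, ingress in packets]


# Constructed sample traffic: one legitimate packet, one whose source belongs to
# the LAN but arrives over the tunnel, and one with no route to its source at all.
PACKETS = [
    ("192.0.2.5", "eth0"),
    ("192.0.2.5", "sstpc0"),
    ("100.64.0.1", "sstpc0"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose", "disable"):
        print(mode, evaluate(FIB, PACKETS, mode))
```

Strict mode is the only one that drops the second packet, a LAN source address arriving over the tunnel, which is the spoofing case the RFC recommendation targets; loose mode drops only the third. Note that as soon as a default route is present every source resolves to some interface, so loose mode then accepts everything; on an SSTP client that installs the server's default route, the check that still has teeth is strict.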
*********
Operation
*********

.. opcmd:: show interfaces sstpc <interface>

  Show detailed information on given `<interface>`

  .. code-block:: none

    vyos@vyos:~$ show interfaces sstpc sstpc10
    sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
        link/ppp
        inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
           valid_lft forever preferred_lft forever
        inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
           valid_lft forever preferred_lft forever

        RX:  bytes  packets  errors  dropped  overrun  mcast
               215        9       0        0        0      0
        TX:  bytes  packets  errors  dropped  carrier  collisions
               539       14       0        0        0           0

Connect/Disconnect
==================

.. opcmd:: disconnect interface <interface>

  Disconnect the given connection-oriented interface. `<interface>` can be
  ``sstpc0``, for example.

.. opcmd:: connect interface <interface>

  Connect the given connection-oriented interface. `<interface>` can be
  ``sstpc0``, for example.