SSTP is a form of VPN tunnel that transports PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. Because SSTP runs over TCP port 443 (the default, the port can be changed), it passes through virtually all firewalls and proxy servers, the exception being authenticated web proxies. Note that the tunnel is only as strong as the TLS handshake that carries it: the client must verify the server's certificate against a trusted CA, or anyone who can intercept the TCP connection can terminate the TLS session and read the PPP traffic.
VyOS also comes with a built-in SSTP server, see SSTP Server.
Common interface configuration
Set a human readable, descriptive alias for this connection. The alias is shown by the show interfaces command and by SNMP based monitoring tools.
set interfaces sstpc sstpc0 description 'This is an awesome interface running on VyOS'
Disable the given <interface>. It will be placed in the administratively down state.
set interfaces sstpc sstpc0 disable
Configure the MTU on the given <interface>. It is the size (in bytes) of the largest packet sent on this link; since an SSTP client interface is a PPP link rather than an Ethernet port, this is the PPP MTU, not an Ethernet frame size.
set interfaces sstpc sstpc0 mtu 1600
Place interface in given VRF instance.
There is an entire chapter about how to configure a VRF, please check this for additional information.
set interfaces sstpc sstpc0 vrf red
SSTP Client Options
Only request an address from the SSTP server but do not install any default route. Without this option all traffic not matching a more specific route is sent through the tunnel, so set it whenever the SSTP server is not meant to be the exit point for all of this router's traffic.
set interfaces sstpc sstpc0 no-default-route
This command was added in VyOS 1.4 and inverts the logic of the old default-route CLI option: the default route is now installed unless no-default-route is set.
Set the distance for the default gateway sent by the SSTP server.
set interfaces sstpc sstpc0 default-route-distance 220
Use this command to not install the DNS nameservers advertised by the SSTP server into the local system.
SSTP remote server to connect to. Can be either an IP address or an FQDN. When an FQDN is used, the name must be resolvable before the tunnel is up, so it cannot depend on the nameservers learned through the tunnel itself.
As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally "do not try to send me packets bigger than this value". This matters on a tunnel interface because the PPP MTU is smaller than the 1500 bytes a typical host assumes, and without clamping, hosts behind the router see stalled TCP sessions once the first full-size segment is sent.
This command was introduced in VyOS 1.4; it was previously called:
set firewall options interface <name> adjust-mss <value>
MSS value = MTU - 20 (IPv4 header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU. For IPv6 the network header is 40 bytes, so the equivalent value on the same MTU is 1432.
Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.
Enable policy for source validation by reverse path, as specified in RFC 3704. The current recommended practice in RFC 3704 is to enable strict mode to prevent the source address spoofing used in DDoS attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended, because strict mode would drop legitimate packets whose source is reachable via a different interface.
strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
disable: No source validation
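The following puts the options above together into one client configuration. It is an added example, not taken from the VyOS documentation or the VyOS project. Only the description, disable, mtu, vrf, no-default-route and default-route-distance commands appear on this page; the server, authentication, ssl ca-certificate, no-peer-dns, ip adjust-mss, ipv6 address autoconf, ip source-validation, pki ca, vrf name and connect commands are assumed from the VyOS 1.4 CLI, and the server name, CA name, VRF table number and credentials are placeholders.

```text
# Added example, not from the VyOS documentation. Command names outside
# this page (server, authentication, ssl ca-certificate, no-peer-dns,
# ip adjust-mss, ipv6 address autoconf, ip source-validation, pki ca,
# vrf name, connect) are assumed from the VyOS 1.4 CLI; the server
# address, CA name, VRF table and credentials are placeholders.
configure

# Trust anchor for the SSTP server's TLS certificate. The client only
# accepts servers that chain to this CA, which is what prevents a
# man-in-the-middle from terminating the TLS session.
set pki ca SSTP-CA certificate '<base64 CA certificate>'

# The VRF the tunnel will live in must exist before it is referenced.
set vrf name red table 100

# Where to connect and how the PPP session authenticates.
set interfaces sstpc sstpc0 description 'SSTP uplink to branch VPN'
set interfaces sstpc sstpc0 server vpn.example.com
set interfaces sstpc sstpc0 ssl ca-certificate SSTP-CA
set interfaces sstpc sstpc0 authentication user vyos
set interfaces sstpc sstpc0 authentication password 'replace-me'

# Only learn an address; keep local routing and DNS policy under our
# control instead of letting the peer push a default route and resolvers.
set interfaces sstpc sstpc0 no-default-route
set interfaces sstpc sstpc0 no-peer-dns

# Alternative if the tunnel should carry a default route: install it with
# distance 220 so an existing default route (e.g. a static at 1) wins and
# the tunnel acts as a fallback.
# set interfaces sstpc sstpc0 default-route-distance 220

# PPP MTU and the matching IPv4 MSS clamp (1492 - 20 - 20 = 1452) so TCP
# sessions through the tunnel do not depend on PMTU discovery.
set interfaces sstpc sstpc0 mtu 1492
set interfaces sstpc sstpc0 ip adjust-mss 1452

# Host mode on the tunnel: IPv6 forwarding is disabled on this interface.
set interfaces sstpc sstpc0 ipv6 address autoconf

# Drop packets arriving on the tunnel whose source address is not routed
# back through it (RFC 3704 strict uRPF). Use 'loose' instead when the
# return path for some sources legitimately goes out another interface.
set interfaces sstpc sstpc0 ip source-validation strict

# Keep the tunnel's routes separate from the main routing table.
set interfaces sstpc sstpc0 vrf red

commit
save
exit

# Operational checks once committed.
show interfaces sstpc sstpc0
disconnect interface sstpc0
connect interface sstpc0
```

The no-default-route and default-route-distance lines are mutually exclusive in intent: pick the first when the tunnel carries only the routes you add yourself (for example in VRF red), and the second when the tunnel is a backup path for everything.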
Show detailed information on the given <interface>
vyos@vyos:~$ show interfaces sstpc sstpc10
sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
       valid_lft forever preferred_lft forever
    inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes  packets  errors  dropped  overrun       mcast
           215        9       0        0        0           0
    TX:  bytes  packets  errors  dropped  carrier  collisions
           539       14       0        0        0           0
Disconnect the given connection-oriented interface, for example sstpc0.