SSTP Client
SSTP is a form of VPN tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 (by default; the port can be changed) allows SSTP to pass through virtually all firewalls and proxy servers except for authenticating web proxies.
Note
VyOS also comes with a built-in SSTP server, see SSTP Server.
Configuration
Common interface configuration
Set a human readable, descriptive alias for this connection. The alias is used by e.g. the show interfaces command or SNMP based monitoring tools.
Example:
set interfaces sstpc sstpc0 description 'This is an awesome interface running on VyOS'
Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:
set interfaces sstpc sstpc0 disable
Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:
set interfaces sstpc sstpc0 mtu 1600
Place interface in given VRF instance.
See also
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:
set interfaces sstpc sstpc0 vrf red
SSTP Client Options
Only request an address from the SSTP server but do not install any default route.
Example:
set interfaces sstpc sstpc0 no-default-route
Note
This command got added in VyOS 1.4 and inverts the logic of the old default-route CLI option.
Set the distance for the default gateway sent by the SSTP server.
Example:
set interfaces sstpc sstpc0 default-route-distance 220
Use this command to not install the DNS nameservers advertised by the SSTP server into the local system.
SSTP remote server to connect to. Can be either an IP address or an FQDN.
As Internet-wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.
Note
This command was introduced in VyOS 1.4 - it was previously called:
set firewall options interface <name> adjust-mss <value>
Hint
MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.
Instead of a numerical MSS value, clamp-mss-to-pmtu can be used to automatically set the proper value.
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.
Enable policy for source validation by reverse path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.
strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
disable: No source validation
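A complete client configuration combining the options above, as an added example that is not part of the original page. All values (server name, username, password placeholder, CA certificate name, MTU) are constructed. The CLI paths for server, authentication, ssl ca-certificate and no-peer-dns are not shown on this page and are assumed to match the VyOS 1.4 sstpc syntax; the PKI entry 'sstp-ca' is assumed to have been loaded beforehand via set pki ca.

```vyos
# Added example (not from the VyOS docs): SSTP client sstpc0 on VyOS 1.4
# Identity and peer (assumed CLI paths: server, authentication)
set interfaces sstpc sstpc0 description 'SSTP tunnel to example.com (constructed example)'
set interfaces sstpc sstpc0 server 'vpn.example.com'
set interfaces sstpc sstpc0 authentication username 'vyos'
set interfaces sstpc sstpc0 authentication password 'REPLACE-WITH-REAL-PASSWORD'

# Pin the CA that signed the server's TLS certificate so the TLS channel is
# not accepted from an arbitrary peer (PKI entry 'sstp-ca' assumed to exist)
set interfaces sstpc sstpc0 ssl ca-certificate 'sstp-ca'

# Routing and DNS: take an address from the server but keep the local default
# route and resolver configuration unchanged. If the server's default route is
# wanted instead, delete no-default-route and set default-route-distance 220.
set interfaces sstpc sstpc0 no-default-route
set interfaces sstpc sstpc0 no-peer-dns

# MTU/MSS: MSS = MTU - 20 (IP header) - 20 (TCP header), so 1400 -> 1360.
# Use 'ip adjust-mss clamp-mss-to-pmtu' instead to derive the value automatically.
set interfaces sstpc sstpc0 mtu 1400
set interfaces sstpc sstpc0 ip adjust-mss 1360

# Anti-spoofing on the tunnel: strict reverse-path validation (RFC 3704).
# Switch to 'loose' only if traffic for this peer is routed asymmetrically.
set interfaces sstpc sstpc0 ip source-validation strict

# Host mode: do not forward IPv6 out of this interface
set interfaces sstpc sstpc0 ipv6 disable-forwarding

commit
save
```

After commit, show interfaces sstpc sstpc0 should report the tunnel in state UP with the address handed out by the server; because no-default-route is set, the routing table keeps the existing default route and only the point-to-point peer route is added.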
Operation
Show detailed information on given <interface>
vyos@vyos:~$ show interfaces sstpc sstpc10
sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
       valid_lft forever preferred_lft forever
    inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes  packets  errors  dropped  overrun  mcast
           215        9       0        0        0      0
    TX:  bytes  packets  errors  dropped  carrier  collisions
           539       14       0        0        0           0
Connect/Disconnect
Test disconnecting the given connection-oriented interface. <interface> can be sstpc0 as in the example.