
Adjustment of SSTP CLI to be more consistent to the rest of VyOS
Closed, Resolved · Public · Feature Request

Description

The current CLI feels a bit rough around the edges (see below):

vyos@vyos# show service sstp-server
authentication {
    mode radius
    protocols mschap
    radius-server 1.1.1.1 {
        fail-time 10
        req-limit 10
    }
    radius-settings {
        max-try 5
        rate-limit {
            attribute Filter-Id
            enable
            vendor /usr/share/accel-ppp/radius
        }
        timeout 20
    }
}
network-settings {
    client-ip-settings {
        gateway-address 1.1.1.1
        subnet 192.0.2.0/24
    }
    mtu 1280
}
ppp-settings {
    mppe deny
}
sstp-settings {
    ssl-certs {
        ca ca.pem
        server-cert server.pem
        server-key server.key
    }
}

Thus I propose the following changes (see description below):

vyos@vyos# show vpn sstp
authentication {
    mode radius
    protocols mschap
    radius {
        server 1.1.1.1 {
            fail-time 10
            req-limit 10
            timeout 20
            key foobar123
        }
        server 2.2.2.2 {
            fail-time 20
            req-limit 20
            timeout 10
            key foobar123sadlfkjshadlkfh
        }
        max-try 5
        nas-identifier foooo
        nas-ip-address 1.2.3.4
        rate-limit {
            attribute Filter-Id
            enable
            vendor /usr/share/accel-ppp/radius
        }
    }
}
client-options {
    gateway-address 1.1.1.1
    subnet 192.0.2.0/24
    subnet 192.0.3.0/24
    dns-server 1.1.1.1
    dns-server 2.2.2.2
    mtu 1280
}
ppp-settings {
    mppe deny
}
tls {
    ca-cert-file /config/auth/sstp/ca.pem
    cert-file /config/auth/sstp/server.pem
    key-file /config/auth/sstp/server.key
}
  • Move the RADIUS timeout attribute to the individual RADIUS server
  • Rename the RADIUS secret to key
  • Combine radius-server and radius-settings under a parent radius node
  • Do we really need the max-try option? Can't we use a default of 3, as I do not see such an option in other RADIUS CLI parts?
  • Rename nas-ip-address to source-address as used in other RADIUS parts
  • Rename "service sstp-server" to "vpn sstp" as it's a VPN technique
  • Remove the sstp-settings node and place the ssl-certs node directly under "vpn sstp" as a "tls" node (see the analogy in OpenVPN).
  • Rename the certificate nodes to their OpenVPN equivalents.
  • Only have dns-server nodes; not distinguishing between primary and secondary makes the overall config easier, but only allow two DNS servers via validate(), as Accel only supports two servers.
  • Rename network-settings to client-options
  • Have a flat hierarchy under client-options, as there is only one client pool
  • Support multiple subnet pools, as this is also supported by Accel
  • The path to the SSL certificates should be fully specified, as in all other CLI parts. Currently it is assumed that the certificates are generated under /config/user-data/sstp. What if the user wants to store the certificates in a volatile location, e.g. /tmp, which is wiped on reboot for security reasons? We support that in other parts of the CLI.
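As an added example (not VyOS's own code), here is a verify() routine in the style of a vyos-1x conf-mode script that checks the proposed "vpn sstp" layout: it rejects more than two dns-server entries, requires a key for every RADIUS server, validates each client subnet pool, and insists on fully specified certificate paths. The configuration is modelled as a plain nested dict built inline (a constructed sample, not the VyOS config API).

```python
import ipaddress

# Constructed sample in the proposed layout; the 'radius' dict is the parent
# node that merges the former radius-server and radius-settings nodes.
SAMPLE_CONFIG = {
    'authentication': {'mode': 'radius', 'radius': {
        'server': {
            '1.1.1.1': {'fail-time': 10, 'req-limit': 10, 'timeout': 20, 'key': 'foobar123'},
            '2.2.2.2': {'fail-time': 20, 'req-limit': 20, 'timeout': 10, 'key': 'foobar123sadlfkjshadlkfh'},
        },
        'max-try': 5,
    }},
    'client-options': {
        'gateway-address': '1.1.1.1',
        'subnet': ['192.0.2.0/24', '192.0.3.0/24'],
        'dns-server': ['1.1.1.1', '2.2.2.2'],
        'mtu': 1280,
    },
    'tls': {
        'ca-cert-file': '/config/auth/sstp/ca.pem',
        'cert-file': '/config/auth/sstp/server.pem',
        'key-file': '/config/auth/sstp/server.key',
    },
}

def verify(config: dict) -> list:
    """Return the list of configuration errors; an empty list means the config is valid."""
    errors = []
    auth = config.get('authentication', {})
    if auth.get('mode') == 'radius':
        servers = auth.get('radius', {}).get('server', {})
        if not servers:
            errors.append('RADIUS mode selected but no radius server configured')
        for addr, opts in servers.items():
            if not opts.get('key'):  # shared secret, renamed from 'secret' to 'key'
                errors.append(f'radius server {addr} has no key')
    client = config.get('client-options', {})
    if len(client.get('dns-server', [])) > 2:  # Accel-ppp supports only two DNS servers
        errors.append('at most two dns-server entries are supported')
    if not client.get('subnet'):
        errors.append('at least one client subnet pool is required')
    for prefix in client.get('subnet', []):
        try:
            ipaddress.ip_network(prefix, strict=True)  # rejects host bits set, e.g. 192.0.2.1/24
        except ValueError:
            errors.append(f'invalid client subnet {prefix}')
    for node in ('ca-cert-file', 'cert-file', 'key-file'):
        if not config.get('tls', {}).get(node, '').startswith('/'):
            errors.append(f'tls {node} must be a fully specified path')
    return errors
```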

Details

Difficulty level: Normal (likely a few hours)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Improvement (missing useful functionality)

Event Timeline

c-po assigned this task to Unknown Object (User). Feb 1 2020, 10:44 AM
c-po triaged this task as Wishlist priority.
c-po created this task.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed the task status from Open to In progress. Mar 20 2020, 3:34 PM
c-po claimed this task.
c-po added a subscriber: Unknown Object (User).
erkin set Issue type to Improvement (missing useful functionality). Aug 31 2021, 5:47 PM