The current CLI feels a bit rough around the edges (see below):
vyos@vyos# show service sstp-server
 authentication {
     mode radius
     protocols mschap
     radius-server 1.1.1.1 {
         fail-time 10
         req-limit 10
     }
     radius-settings {
         max-try 5
         rate-limit {
             attribute Filter-Id
             enable
             vendor /usr/share/accel-ppp/radius
         }
         timeout 20
     }
 }
 network-settings {
     client-ip-settings {
         gateway-address 1.1.1.1
         subnet 192.0.2.0/24
     }
     mtu 1280
 }
 ppp-settings {
     mppe deny
 }
 sstp-settings {
     ssl-certs {
         ca ca.pem
         server-cert server.pem
         server-key server.key
     }
 }
Thus I propose the following changes (see description below):
vyos@vyos# show vpn sstp
 authentication {
     mode radius
     protocols mschap
     radius {
         server 1.1.1.1 {
             fail-time 10
             req-limit 10
             timeout 20
             key foobar123
         }
         server 2.2.2.2 {
             fail-time 20
             req-limit 20
             timeout 10
             key foobar123sadlfkjshadlkfh
         }
         max-try 5
         nas-identifier foooo
         nas-ip-address 1.2.3.4
         rate-limit {
             attribute Filter-Id
             enable
             vendor /usr/share/accel-ppp/radius
         }
     }
 }
 client-options {
     gateway-address 1.1.1.1
     subnet 192.0.2.0/24
     subnet 192.0.3.0/24
     dns-server 1.1.1.1
     dns-server 2.2.2.2
     mtu 1280
 }
 ppp-settings {
     mppe deny
 }
 tls {
     ca-cert-file /config/auth/sstp/ca.pem
     cert-file /config/auth/sstp/server.pem
     key-file /config/auth/sstp/server.key
 }
- Move RADIUS timeout attribute to individual RADIUS server
- Rename RADIUS secret to key
- Combine radius-server radius-settings under a parent radius node
- Do we really need the max-try option? Can't we use a default of 3? I do not see such an option in other RADIUS CLI parts.
- Rename nas-ip-address to source-address as used in other RADIUS parts
- Rename "service sstp-server" to "vpn sstp" as it's a VPN technique
- Remove sstp-settings node and place ssl-certs node directly under "vpn sstp" as "tls" node (see analogy in OpenVPN).
- Rename the certificate nodes to their OpenVPN equivalents.
- Only have dns-server nodes and do not distinguish between primary and secondary; this makes the overall config easier. Only allow two DNS servers via validate(), as Accel only supports two servers.
- Rename network-settings to client-options
- Have a flat hierarchy under client-options, as there is only one client pool
- Support multiple subnet pools, as this is also supported by Accel
- The path to the SSL certificates should be fully specified, as in all other CLI parts. Currently it is assumed that the certificates are generated under /config/user-data/sstp. What if the user wants to store the certificates in a volatile location, e.g. /tmp, which is wiped on reboot for security reasons? We support that in other parts of the CLI.
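To make the validation rules in the list above concrete (at most two dns-server entries, multiple non-overlapping subnet pools, absolute certificate paths, a key per RADIUS server), here is an added example of what such a verify() step could look like. It is not VyOS' or accel-ppp's own code: the nested dict shape of the "vpn sstp" tree, the error strings and the helper names are assumptions made for this illustration, and the sample tree is constructed from the proposed CLI shown earlier.

```python
import copy
import ipaddress
import os

# accel-ppp only knows dns1/dns2, so the CLI has to reject a third server.
MAX_DNS_SERVERS = 2

# Constructed sample of the proposed "vpn sstp" tree as a nested dict. The
# shape (lists for multi-value nodes, dict keyed by address for tag nodes)
# is an assumption made for this example, not VyOS' config API.
EXAMPLE_CONFIG = {
    'authentication': {
        'mode': 'radius',
        'protocols': ['mschap'],
        'radius': {
            'server': {
                '1.1.1.1': {'fail-time': 10, 'req-limit': 10, 'timeout': 20,
                            'key': 'foobar123'},
                '2.2.2.2': {'fail-time': 20, 'req-limit': 20, 'timeout': 10,
                            'key': 'foobar123sadlfkjshadlkfh'},
            },
            'source-address': '1.2.3.4',
        },
    },
    'client-options': {
        'gateway-address': '1.1.1.1',
        'subnet': ['192.0.2.0/24', '192.0.3.0/24'],
        'dns-server': ['1.1.1.1', '2.2.2.2'],
        'mtu': 1280,
    },
    'tls': {
        'ca-cert-file': '/config/auth/sstp/ca.pem',
        'cert-file': '/config/auth/sstp/server.pem',
        'key-file': '/config/auth/sstp/server.key',
    },
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def verify(config, check_files=False):
    """Return a list of human readable errors; an empty list means the tree
    is acceptable. check_files=True additionally requires the certificate
    files to exist on disk (off by default so the example runs offline)."""
    errors = []

    auth = config.get('authentication', {})
    mode = auth.get('mode')
    if mode == 'radius':
        servers = auth.get('radius', {}).get('server', {})
        if not servers:
            errors.append('mode radius requires at least one radius server')
        for addr, opts in servers.items():
            if not _is_ip(addr):
                errors.append(f'radius server "{addr}" is not a valid IP address')
            if not opts.get('key'):
                errors.append(f'radius server {addr} has no key configured')
    elif mode != 'local':
        errors.append(f'unknown authentication mode "{mode}"')

    client = config.get('client-options', {})
    if not _is_ip(client.get('gateway-address')):
        errors.append('client-options gateway-address must be a valid IP address')

    dns = client.get('dns-server', [])
    if len(dns) > MAX_DNS_SERVERS:
        errors.append(f'too many dns-server entries ({len(dns)}); '
                      f'accel-ppp supports at most {MAX_DNS_SERVERS}')
    for ip in dns:
        if not _is_ip(ip):
            errors.append(f'dns-server "{ip}" is not a valid IP address')

    # Several pools are allowed, but they must be real prefixes and disjoint.
    nets = []
    for subnet in client.get('subnet', []):
        try:
            nets.append(ipaddress.ip_network(subnet, strict=True))
        except ValueError:
            errors.append(f'subnet "{subnet}" is not a valid network prefix')
    if not nets:
        errors.append('client-options needs at least one subnet pool')
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f'subnet pools {a} and {b} overlap')

    # Fully specified paths: no implicit /config/user-data/sstp prefix.
    tls = config.get('tls', {})
    for node in ('ca-cert-file', 'cert-file', 'key-file'):
        path = tls.get(node)
        if not path:
            errors.append(f'tls {node} is required')
        elif not os.path.isabs(path):
            errors.append(f'tls {node} must be an absolute path, got "{path}"')
        elif check_files and not os.path.isfile(path):
            errors.append(f'tls {node} "{path}" does not exist')
    return errors


def variant(*path, value):
    """Deep copy of EXAMPLE_CONFIG with the node at *path replaced by value."""
    cfg = copy.deepcopy(EXAMPLE_CONFIG)
    node = cfg
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return cfg


if __name__ == '__main__':
    print('valid tree   :', verify(EXAMPLE_CONFIG))
    print('3 dns-server :', verify(variant('client-options', 'dns-server',
                                            value=['1.1.1.1', '2.2.2.2', '3.3.3.3'])))
    print('relative cert:', verify(variant('tls', 'cert-file', value='server.pem')))
```

Collecting every error instead of raising on the first one mirrors what a user wants from a commit: one pass that lists all the things to fix. The file-existence check is kept separate from the path-format check on purpose, so a certificate stored under /tmp is accepted by the syntax check and only rejected at commit time if it is actually missing.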