The current CLI feels a bit edged (see below):

    vyos@vyos# show service sstp-server
    authentication {
        mode radius
        protocols mschap
        radius-server 1.1.1.1 {
            fail-time 10
            req-limit 10
        }
        radius-settings {
            max-try 5
            rate-limit {
                attribute Filter-Id
                enable
                vendor /usr/share/accel-ppp/radius
            }
            timeout 20
        }
    }
    network-settings {
        client-ip-settings {
            gateway-address 1.1.1.1
            subnet 192.0.2.0/24
        }
        mtu 1280
    }
    ppp-settings {
        mppe deny
    }
    sstp-settings {
        ssl-certs {
            ca ca.pem
            server-cert server.pem
            server-key server.key
        }
    }

Thus I propose the following changes (see description below):
    vyos@vyos# show vpn sstp
    authentication {
        mode radius
        protocols mschap
        radius {
            server 1.1.1.1 {
                fail-time 10
                req-limit 10
                timeout 20
                key foobar123
            }
            server 2.2.2.2 {
                fail-time 20
                req-limit 20
                timeout 10
                key foobar123sadlfkjshadlkfh
            }
            max-try 5
            nas-identifier foooo
            nas-ip-address 1.2.3.4
            rate-limit {
                attribute Filter-Id
                enable
                vendor /usr/share/accel-ppp/radius
            }
        }
    }
    client-options {
        gateway-address 1.1.1.1
        subnet 192.0.2.0/24
        subnet 192.0.3.0/24
        dns-server 1.1.1.1
        dns-server 2.2.2.2
        mtu 1280
    }
    ppp-settings {
        mppe deny
    }
    tls {
        ca-cert-file /config/auth/sstp/ca.pem
        cert-file /config/auth/sstp/server.pem
        key-file /config/auth/sstp/server.key
    }

- Move the RADIUS timeout attribute to the individual RADIUS server
- Rename RADIUS secret to key
- Combine radius-server and radius-settings under a parent radius node
- Do we really need the max-try option? Can't we use a default of 3, as I do not see such an option on other RADIUS CLI parts
- Rename nas-ip-address to source-address as used in other RADIUS parts
- Rename "service sstp-server" to "vpn sstp" as it's a VPN technique
- Remove the sstp-settings node and place the ssl-certs node directly under "vpn sstp" as a "tls" node (see the analogy in OpenVPN).
- Rename the certificate nodes to their OpenVPN equivalents.
- Only have dns-server nodes; not distinguishing between primary and secondary makes the overall config easier, but only allow two DNS servers via validate() as Accel only supports two servers.
- Rename network-settings to client-options
- Have a flat hierarchy on client-options as there is only one client pool
- Support multiple subnet pools as this is also supported by Accel
- The path to SSL certificates should be fully specified as in all other CLI parts. Currently it is assumed that the certificates are generated under /config/user-data/sstp. What if the user wants to store the certificates in a volatile location, e.g. /tmp, which is destroyed on reboot for security reasons? We support that on other parts of the CLI.
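To make the validate() rules above concrete, here is an added example (not VyOS's or accel-ppp's own code) of a verify() step over the proposed "vpn sstp" tree, expressed as the nested dict that conf-mode scripts work on; the dict layout mirrors the proposed CLI, while the function names and the sample configuration are assumptions constructed for this example.

```python
import os

MAX_DNS_SERVERS = 2   # accel-ppp accepts only two DNS servers
TLS_FILES = ('ca-cert-file', 'cert-file', 'key-file')

def verify(sstp):
    """Return a list of error strings for a 'vpn sstp' config dict;
    an empty list means the configuration is acceptable."""
    errors = []
    auth = sstp.get('authentication', {})
    if auth.get('mode') == 'radius':
        servers = auth.get('radius', {}).get('server', {})
        if not servers:
            errors.append('RADIUS mode requires at least one server')
        for addr, opts in servers.items():
            # each server now carries its own key and timeout
            if not opts.get('key'):
                errors.append(f'RADIUS server {addr} has no key')
    client = sstp.get('client-options', {})
    if not client.get('subnet'):
        errors.append('client-options needs at least one subnet')
    if len(client.get('dns-server', [])) > MAX_DNS_SERVERS:
        errors.append(f'at most {MAX_DNS_SERVERS} dns-server entries allowed')
    tls = sstp.get('tls', {})
    for name in TLS_FILES:
        path = tls.get(name)
        if not path:
            errors.append(f'tls {name} must be set')
        elif not os.path.isabs(path):
            # fully specified path, no implicit /config/user-data/sstp prefix
            errors.append(f'tls {name} must be an absolute path: {path}')
    return errors

def sample_config():
    """Constructed sample mirroring the proposed CLI above."""
    return {
        'authentication': {'mode': 'radius', 'protocols': 'mschap',
            'radius': {'server': {'1.1.1.1': {'timeout': 20, 'key': 'foobar123'},
                                  '2.2.2.2': {'timeout': 10, 'key': 'x'}}}},
        'client-options': {'gateway-address': '1.1.1.1',
            'subnet': ['192.0.2.0/24', '192.0.3.0/24'],
            'dns-server': ['1.1.1.1', '2.2.2.2'], 'mtu': 1280},
        'tls': {'ca-cert-file': '/config/auth/sstp/ca.pem',
                'cert-file': '/config/auth/sstp/server.pem',
                'key-file': '/config/auth/sstp/server.key'},
    }

if __name__ == '__main__':
    print(verify(sample_config()))   # prints [] for the valid sample
```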