SSTP client
SSTP (Secure Socket Tunneling Protocol) transports PPP traffic over an SSL/TLS channel, which provides transport-level security through key negotiation, encryption and traffic integrity checking. Because SSTP runs over TCP port 443 by default (the port can be changed), it passes through virtually all firewalls and proxy servers, the exception being authenticated web proxies, which SSTP cannot log in to.
Note
VyOS includes a built-in SSTP server. For more information, see SSTP Server.
Configuration
Common interface configuration
Configure a clear, descriptive alias for the interface.
This alias appears in the show interfaces command and SNMP-based
monitoring tools.
Example:
set interfaces sstpc sstpc0 description 'This is an interface running on VyOS.'
Disable the interface.
The interface will be set to the administratively down
(A/D) state.
Example:
set interfaces sstpc sstpc0 disable
Configure the MTU on the interface.
This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.
Example:
set interfaces sstpc sstpc0 mtu 1600
Assign the interface to a specific VRF instance.
See also
For information on configuring a VRF, refer to the VRF section.
Example:
set interfaces sstpc sstpc0 vrf red
SSTP client options
Request an IP address from the SSTP server without installing a default route.
Example:
set interfaces sstpc sstpc0 no-default-route
Note
Introduced in VyOS 1.4, this command inverts the logic of the former
default-route CLI option.
Configure the administrative distance of the default route learned from the SSTP server. A value higher than that of the existing default route (for example a static route at distance 1 or a DHCP-learned one) keeps the tunnel route as a backup only.
Example:
set interfaces sstpc sstpc0 default-route-distance 220
Do not install the DNS nameservers advertised by the SSTP server into the local resolver configuration. Without this option, the server-supplied nameservers take over local name resolution for the lifetime of the connection.
Configure the remote SSTP server address for the client connection.
The address can be either an IP address or a FQDN.
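A complete client configuration, added here as an illustration rather than taken from this page. The hostname sstp.example.com, the user name, the CA object name VyOS-CA and the routed prefix are placeholders; the `authentication`, `ssl ca-certificate` and `protocols static route ... interface` commands, and the `no-peer-dns`, `ip adjust-mss` and `ip source-validation` paths, are VyOS 1.4 syntax assumed here, since this page gives only the option descriptions.

```none
# Added example (not from this page). Placeholders: sstp.example.com,
# vpnuser, VyOS-CA, 10.0.0.0/8. The certificate body is elided.
set pki ca VyOS-CA certificate '<base64 DER of the CA that signed the server certificate>'

set interfaces sstpc sstpc0 description 'SSTP to HQ'
set interfaces sstpc sstpc0 server 'sstp.example.com'
set interfaces sstpc sstpc0 authentication username 'vpnuser'
set interfaces sstpc sstpc0 authentication password 'CHANGE-ME'
set interfaces sstpc sstpc0 ssl ca-certificate 'VyOS-CA'

# Keep the existing WAN default route; only the corporate prefix enters the tunnel
set interfaces sstpc sstpc0 no-default-route
set protocols static route 10.0.0.0/8 interface sstpc0

# Do not let the server replace the local resolver list
set interfaces sstpc sstpc0 no-peer-dns

# PPP inside TLS inside TCP adds overhead: clamp MSS so failed PMTUD does not stall flows
set interfaces sstpc sstpc0 ip adjust-mss clamp-mss-to-pmtu

# The tunnel should only ever deliver packets sourced from prefixes routed into it
set interfaces sstpc sstpc0 ip source-validation strict
```

Pinning the server certificate to a dedicated CA object is the check that keeps an attacker who can redirect port 443 from presenting their own certificate; a public CA bundle would accept any certificate that CA ever issued for the name. Using `no-default-route` with an explicit interface route means that a tunnel outage cannot silently send Internet-bound traffic through the VPN, and that VPN-bound traffic never falls back to the WAN.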
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you instruct the remote side not to send segments larger than the specified size. This avoids stalled connections when Path MTU Discovery (PMTUD) fails, typically because ICMP "fragmentation needed" messages are filtered somewhere on the path.
The following options are available:
mss: Sets the MSS to a specific value in bytes.
clamp-mss-to-pmtu: Sets the MSS to the interface's MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended, as it derives the proper value automatically.
Note
Introduced in VyOS 1.4, this command replaces the older set firewall
options interface <name> adjust-mss <value> syntax.
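To make the clamping concrete, the following added example (written for this page, not VyOS code; VyOS delegates the real rewrite to the kernel's netfilter MSS clamping) walks the options of a constructed TCP SYN, lowers an MSS of 1460 to the 1360 that clamp-mss-to-pmtu derives from a 1400-byte tunnel MTU, and recomputes the TCP checksum. The addresses, ports and packet bytes are constructed samples, and the option walker refuses to rewrite a segment whose option list is malformed rather than guessing at it.

```python
"""Added example, not VyOS code: what `ip adjust-mss clamp-mss-to-pmtu`
does to a TCP SYN, shown on a constructed packet.  VyOS performs the
real rewrite in the kernel's netfilter; this mirrors that logic."""
import struct

IPV4_TCP_OVERHEAD = 40       # 20-byte IPv4 header + 20-byte TCP header
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_SACK_OK = 0, 1, 2, 4
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


def mss_for_mtu(mtu):
    """clamp-mss-to-pmtu for IPv4: interface MTU minus IP and TCP headers."""
    return mtu - IPV4_TCP_OVERHEAD


def tcp_checksum(src, dst, segment):
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header and segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src, dst, segment):
    """A segment carrying a correct checksum sums to zero."""
    return tcp_checksum(src, dst, segment) == 0


def build_segment(src, dst, sport, dport, flags, mss=None):
    """Constructed sample segment.  SYNs carry MSS, NOP, NOP, SACK-permitted
    so that the option walker has other options to skip over."""
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes(
            [TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_SACK_OK, 2])
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    segment = bytearray(header + options)
    struct.pack_into("!H", segment, 16, tcp_checksum(src, dst, bytes(segment)))
    return bytes(segment)


def _options(segment):
    """Yield (kind, absolute offset, length) per TCP option; stop at EOL or
    at the first malformed option instead of guessing."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= end:
            return
        length = segment[i + 1]
        if length < 2 or i + length > end:
            return
        yield kind, i, length
        i += length


def read_mss(segment):
    """MSS advertised in the segment's options, or None if absent."""
    for kind, off, length in _options(segment):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(src, dst, segment, limit):
    """Lower the MSS option to `limit` if it is larger and fix the checksum.
    Only SYN segments carry MSS, so anything else is returned untouched."""
    if not segment[13] & TCP_FLAG_SYN:
        return segment
    current = read_mss(segment)
    if current is None or current <= limit:
        return segment
    out = bytearray(segment)
    for kind, off, length in _options(segment):
        if kind == TCP_OPT_MSS and length == 4:
            struct.pack_into("!H", out, off + 2, limit)
            break
    struct.pack_into("!H", out, 16, 0)
    struct.pack_into("!H", out, 16, tcp_checksum(src, dst, bytes(out)))
    return bytes(out)


# Constructed sample: a host behind the tunnel opens a TLS connection with the
# Ethernet-sized MSS of 1460 while the SSTP interface MTU is 1400.
SRC, DST = bytes([192, 0, 2, 5]), bytes([203, 0, 113, 10])
TUNNEL_MTU = 1400
SAMPLE_SYN = build_segment(SRC, DST, 40000, 443, TCP_FLAG_SYN, mss=1460)
CLAMPED_SYN = clamp_mss(SRC, DST, SAMPLE_SYN, mss_for_mtu(TUNNEL_MTU))

if __name__ == "__main__":
    print("before:", read_mss(SAMPLE_SYN), "after:", read_mss(CLAMPED_SYN))
```

The rewrite touches only SYNs and only lowers the value; a peer that already offered a smaller MSS is left alone, which is why the clamp is safe to enable on every tunnel interface without reasoning about each peer.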
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.
Configure source IP address validation using reverse path forwarding (RPF) checks on this interface, as specified in RFC 3704.
The following options are available:
strict: Each incoming packet's source IP address is checked against the FIB. If the interface on which the packet arrived is not the best route back to that source, validation fails and the packet is dropped.
loose: Each incoming packet's source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails and the packet is dropped.
disable: No source IP address validation is performed. All incoming packets are accepted.
RFC 3704 recommends strict mode to prevent source-address spoofing, as used in DDoS attacks. In asymmetric or other complex routing scenarios strict mode would drop legitimate traffic that returns through an interface other than the best outbound path, so use loose mode there. Once a default route exists, loose mode rejects only sources covered by a blackhole or otherwise unreachable route, so it offers little anti-spoofing protection on its own.
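The following added example (not VyOS code; VyOS implements the check with the kernel's rp_filter setting on the interface) evaluates the three modes against a constructed FIB that contains a default route, the corporate prefix routed into the tunnel and one blackholed subnet. The prefixes, interface names and sample packets are constructed; the point it shows is how strict mode treats a tunnel source arriving from the WAN, and why loose mode passes nearly everything once a default route exists.

```python
"""Added example, not VyOS code: the strict and loose reverse-path checks
of RFC 3704 evaluated against a constructed FIB.  VyOS implements the
real check with the kernel's rp_filter; this mirrors its decision."""
from ipaddress import ip_address, ip_network

# Constructed sample FIB: (prefix, outgoing interface).  None marks a
# blackhole route, i.e. the prefix is known but deliberately unreachable.
FIB = [
    (ip_network("0.0.0.0/0"), "eth0"),         # default route via the WAN
    (ip_network("10.0.0.0/8"), "sstpc0"),      # corporate prefixes via the SSTP tunnel
    (ip_network("10.200.0.0/16"), None),       # decommissioned site, blackholed
    (ip_network("192.168.1.0/24"), "eth1"),    # local LAN
]


def best_route(fib, src):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ip_address(src)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def rpf_accept(fib, mode, src, ingress):
    """Decide whether a packet from src arriving on ingress passes
    `ip source-validation <mode>` on that interface."""
    if mode == "disable":
        return True
    route = best_route(fib, src)
    reachable = route is not None and route[1] is not None
    if mode == "loose":
        return reachable
    if mode == "strict":
        # strict additionally requires the best return path to be the ingress
        return reachable and route[1] == ingress
    raise ValueError(f"unknown source-validation mode: {mode}")


def evaluate(fib, src, ingress):
    """Verdict of every mode for one packet, e.g. to annotate a log line."""
    return {m: rpf_accept(fib, m, src, ingress) for m in ("strict", "loose", "disable")}


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface)
    for src, ingress in [("10.1.2.3", "sstpc0"), ("10.1.2.3", "eth0"),
                         ("198.51.100.7", "sstpc0"), ("10.200.5.5", "sstpc0")]:
        print(f"{src:>14} on {ingress:<7} -> {evaluate(FIB, src, ingress)}")
```

A corporate source (10.1.2.3) arriving on eth0 is dropped by strict mode, which is the spoofing case the page warns about, but that same verdict is what breaks a legitimate asymmetric return path; loose mode accepts it either way and rejects only the blackholed 10.200.0.0/16, because the default route makes every other address "reachable".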
Operation
Show detailed information about the specified interface.
vyos@vyos:~$ show interfaces sstpc sstpc10
sstpc10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 192.0.2.5 peer 192.0.2.254/32 scope global sstpc10
       valid_lft forever preferred_lft forever
    inet6 fe80::fd53:c7ff:fe8b:144f/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes  packets  errors  dropped  overrun       mcast
           215        9       0        0        0           0
    TX:  bytes  packets  errors  dropped  carrier  collisions
           539       14       0        0        0           0