Ppp

From blag.wiki.aktivix.org

Revision as of 11:00, 24 November 2010 by Junichirô (Talk | contribs)

INTRO

This is a brief guide to using the ppp daemon (pppd) to connect to a VPN. The connection was established and tested successfully over a domestic ADSL Ethernet connection into an office's PPTP VPN.


OBJECTIVE

To use PPP and the pppd daemon to connect to a VPN server, log in and do some work, presumably connecting to boxes in your office.

BACKGROUND

Most of these notes were taken directly from man pppd. There are over 1000 lines in that man page, so it can be a lot to take in. The Point-to-Point Protocol can handle and manage many connection types: DSL, modems, VPNs and then some. You need the relevant drivers in your kernel, and pppd itself runs as a daemon.


REQUIREMENTS

  • Driver(s) in the kernel

Running the one-liner below should give output such as:

 ls /lib/modules/`uname -r`/kernel/drivers/net/ppp*
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/ppp_async.ko
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/ppp_deflate.ko
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/ppp_generic.ko
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/ppp_mppe.ko
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/pppoe.ko
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/pppox.ko
 /lib/modules/2.6.22.9-91.fc7/kernel/drivers/net/ppp_synctty.ko

  • Packages

I checked my BLAGGED laptop with:

 rpm -qa | grep ppp
 ppp-2.4.4-2
 rp-pppoe-3.8-1.fc7

One can also use:

yum list installed | grep ppp
ppp.i386                                 2.4.4-2                installed
rp-pppoe.i386                            3.8-1.fc7              installed


Good to go!

  • root access on the local box, i.e. the client. One must be able to su or sudo, that sort of thing.
  • A decent text editor and some shells: xterm, emacs, mrxvt, whatever you like!
  • Details of the VPN that you want to log into: username and password, domain, an IP address and any other info that your friendly sysadmin gives you.

BEFORE WE GET STARTED

As a non-root user, we want to keep a copy of the contents of /etc/ppp so that we can return it to its original condition if we need to.

cp -R /etc/ppp /somewhere/safe

Something like:

[jayeola@acid ~]$  whoami
jayeola
[jayeola@acid ~]$ cp -R /etc/ppp/ ~/sys/net
cp: cannot open `/etc/ppp/chap-secrets' for reading: Permission denied
cp: cannot open `/etc/ppp/chap-secrets~' for reading: Permission denied
cp: cannot open `/etc/ppp/pap-secrets' for reading: Permission denied


Don't worry about the secrets files not being copied over, as they contain no data. The main thing is that we've made a copy for safety ;-)



TESTING ENVIRONMENT

In short, you want at least three shells, all of them owned by root.

  • Terminal one: used to see output from the local system. I will call this shell tail.
  • Terminal two: used to edit some files. I will call this shell edit.
  • Terminal three: used to run or kill some processes. I will call this shell root.
  • Terminal four (optional): for analysing the network; we use tcpdump here. Call this shell net.


terminal tail (testing)

Become root with sudo su - (you do use sudo, right?) and run:

tail -f /var/log/messages

All we do with this shell is watch any messages that result from the ppp connections that we attempt.

terminal edit

$editor /etc/ppp/chap-secrets

The comment on the second line of the file gives enough clues as to what to specify, so I will add some details here...

name_of_domain name_of_connection passwd ip_address

where;

  • name_of_domain: (string)
  • name_of_connection: (string) I think that you can call it anything you like
  • passwd: (string) your password
  • ip_address: (string or IP address)

Save the file.

chmod 600 /etc/ppp/chap-secrets

You do not want this file to be readable by anyone other than root. You'll see warnings in the __tail__ shell if the permissions of this file are too lenient.
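Added example (Python, not from the original page): a small audit that mirrors the two things pppd checks on this file, the mode and whether a usable entry exists. pppd looks up the line whose client field matches the name option and whose server field matches the remotename in the peers file, so the sample entry below (constructed; john.maclean and name_of_connection are the values used further down this page) is written that way.

```python
import os
import shlex
import stat

# Constructed sample in the layout the file's comment header describes
# (client, server, secret, IP addresses); john.maclean is the name seen in the dryrun below.
SAMPLE_SECRETS = [
    "# Secrets for authentication using CHAP",
    "# client        server              secret      IP addresses",
    'john.maclean    name_of_connection  "s3cret"    *',
]

def mode_findings(mode, uid, path="/etc/ppp/chap-secrets"):
    """Mirror pppd's own complaint about a secrets file that others can read."""
    found = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        found.append("secret file %s has world and/or group access (mode %o); chmod 600 it" % (path, mode))
    if uid != 0:
        found.append("%s is not owned by root (uid %d)" % (path, uid))
    return found

def line_findings(lines, name=None, remotename=None):
    """Check every entry has client/server/secret, and that the pair pppd will look up exists."""
    found, matched = [], False
    for lineno, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0].strip()   # simplification: pppd only treats '#' at a word start as a comment
        if not text:
            continue
        fields = shlex.split(text)            # secrets may be double-quoted
        if len(fields) < 3:
            found.append("line %d: expected client server secret [IP addresses], got %d field(s)" % (lineno, len(fields)))
            continue
        client, server, secret = fields[:3]
        if not secret:
            found.append("line %d: empty secret" % lineno)
        # pppd uses the line whose client matches our name option and whose
        # server matches remotename from the peers file; "*" is a wildcard.
        if client in (name, "*") and server in (remotename, "*"):
            matched = True
    if name and remotename and not matched:
        found.append("no entry for client %r / server %r: CHAP will fail" % (name, remotename))
    return found

def audit_chap_secrets(path, name=None, remotename=None):
    """Run both checks against a real file (reading /etc/ppp/chap-secrets needs root)."""
    st = os.stat(path)
    with open(path) as fh:
        lines = fh.read().splitlines()
    return mode_findings(stat.S_IMODE(st.st_mode), st.st_uid, path) + line_findings(lines, name, remotename)
```

audit_chap_secrets("/etc/ppp/chap-secrets", "your_username", "name_of_connection") runs both checks on the live file; an empty list means pppd will be happy with it.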

Next, specify a peer to connect to. The syntax is one option per line.

$editor /etc/ppp/peers/name_of_connection

 remotename name_of_connection
 linkname name_of_connection
 ipparam name_of_connection
 pty "pptp --loglevel 1 insert_hostname_or_IP_address_here --nolaunchpppd"
 name your_username
 usepeerdns
 require-mppe
 require-mppe-128
 nomppe-40
 noauth
 debug
 kdebug 1
 nodetach
 lock
 bsdcomp 9,15
 deflate 9,15
 mtu 1300
 mru 1300
 file /etc/ppp/options

Save the file.


Note that I've slipped in some values for variables in here. Some of them are explained below. That should be all you need, and you can probably get away with even fewer parameters so long as you are prepared to experiment, or cheat and get the values from a sysadmin. The three mppe lines are the ones that matter for security: together they make pppd refuse anything weaker than 128-bit MPPE encryption, while nodetach and debug keep everything visible in the shell while testing. Now we are going to test the connection.


shell root

pppd dryrun call name_of_connection

You should see something like the following in the shell:


pppd options in effect:
debug debug debug               # (from /etc/ppp/options)
kdebug 1                # (from /etc/ppp/options)
nodetach                # (from /etc/ppp/options)
linkname hbx            # (from /etc/ppp/peers/hbx)
dump            # (from command line)
dryrun          # (from command line)
noauth          # (from /etc/ppp/options)
name john.maclean               # (from /etc/ppp/peers/hbx)
remotename hbx          # (from /etc/ppp/peers/hbx)
               # (from /etc/ppp/options)
pty pptp --loglevel 1 A.B.C.D  --nolaunchpppd           # (from /etc/ppp/peers/hbx)
mru 1300                # (from /etc/ppp/options)
mtu 1300                # (from /etc/ppp/options)
ipparam hbx             # (from /etc/ppp/peers/hbx)
defaultroute            # (from /etc/ppp/options)
usepeerdns              # (from /etc/ppp/options)
bsdcomp 9,15            # (from /etc/ppp/options)
deflate 9,15            # (from /etc/ppp/options)
               # (from /etc/ppp/options)
nomppe-40               # (from /etc/ppp/options)
               # (from /etc/ppp/options)

... and something similar in the tail shell:

 Aug 19 19:06:04 acid pppd[844]: pppd options in effect:
 Aug 19 19:06:04 acid pppd[844]: debug           # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: kdebug 1                # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: nodetach                # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: dryrun          # (from command line)
 Aug 19 19:06:04 acid pppd[844]: noauth          # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: lock            # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: mru 1300                # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: mtu 1300                # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: defaultroute            # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: usepeerdns              # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: bsdcomp 9,15            # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: deflate 9,15            # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]:                 # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: nomppe-40               # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]:                 # (from /etc/ppp/options)
 Aug 19 19:06:04 acid pppd[844]: Exit.

If you see a warning such as

Warning - secret file /etc/ppp/chap-secrets has world and/or group access

then

chmod 600 /etc/ppp/chap-secrets

should do the trick.

READY TO CONNECT

Finally, to connect, use:

pppd call name_of_connection

You should see output such as the following in the same shell. Note that I have hidden IP addresses and other important information: A.B.C.foo stands in for addresses on the network that I was connecting to.

using channel 44
Using interface ppp0
Connect: ppp0 <--> /dev/pts/4
sent [LCP ConfReq id=0x1 <mru 1300> <asyncmap 0x0> <magic 0x000> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <auth chap MS-v2>
sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614> < 17 04 00 be>]
rcvd [LCP ConfAck id=0x1 <mru 1300> <asyncmap 0x0> <magic 0x00> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2> <magic 0x00> 
sent [LCP ConfAck id=0x1 <mru 1400> <auth chap MS-v2> 
sent [CHAP Response id=0x0 <-x000>, name = "john.maclean"]
rcvd [CHAP Success id=0x0 "S=-x000"]
CHAP authentication succeeded
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x3 <mppe +H +M +S +L -D +C>]
sent [CCP ConfNak id=0x3 <mppe +H -M +S -L -D -C>]
rcvd [IPCP ConfReq id=0x4 <addr A.B.C.131>]
sent [IPCP TermAck id=0x4]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x5 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x5 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> 
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr A.B.C.116> <ms-dns1 A.B.C.20> <ms-dns3 A.B.C.21>]
sent [IPCP ConfReq id=0x3 <addr A.B.C.116> <ms-dns1 A.B.C.20> <ms-dns3 A.B.C.21>]
rcvd [IPCP ConfAck id=0x3 <addr A.B.C.116> <ms-dns1 A.B.C.20> <ms-dns3 A.B.C.21>]
rcvd [IPCP ConfReq id=0x6 <addr A.B.C.131>]
sent [IPCP ConfAck id=0x6 <addr A.B.C.131>]
not replacing existing default route via 192.168.1.1
local  IP address A.B.C.116
remote IP address A.B.C.131
primary   DNS address A.B.C.20
secondary DNS address A.B.C.21
Script /etc/ppp/ip-up started (pid 13385)
Script /etc/ppp/ip-up finished (pid 13385), status = 0x0
 C-c C-cTerminating on signal 2
Script pptp --loglevel 1 A.B.C.116 --nolaunchpppd finished (pid 13374), status = 0x0
Modem hangup
Connect time 0.2 minutes.
Sent 0 bytes, received 0 bytes.
Script /etc/ppp/ip-down started (pid 13397)
MPPE disabled
sent [LCP TermReq id=0x2 "MPPE disabled"]
Connection terminated.
Waiting for 1 child processes...
 script /etc/ppp/ip-down, pid 13397
Script /etc/ppp/ip-down finished (pid 13397), status = 0x0
[root@acid ~]#
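As an added example that is not part of the wiki page, the following Python reduces a pppd debug log like the one above to the facts worth checking before trusting the link: the authentication the server asked for, whether CHAP succeeded, which MPPE bits were offered and agreed (pppd's notation: +H stateless, +M 56-bit, +S 128-bit, +L 40-bit, +C MPPC compression), the addresses handed out, and whether the default route was replaced. The sample log is constructed from the page's output and the warning texts are my own.

```python
import re

# Constructed sample, abridged from the connection log above (addresses masked as on the page).
SAMPLE_LOG = """\
rcvd [LCP ConfReq id=0x0 <mru 1400> <auth chap MS-v2>
CHAP authentication succeeded
rcvd [CCP ConfReq id=0x3 <mppe +H +M +S +L -D +C>]
sent [CCP ConfNak id=0x3 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
not replacing existing default route via 192.168.1.1
local  IP address A.B.C.116
remote IP address A.B.C.131
primary   DNS address A.B.C.20
"""

# Letters in pppd's <mppe ...> option string; "+X" means that bit is set.
MPPE_BITS = {"H": "stateless", "M": "56-bit", "S": "128-bit", "L": "40-bit", "D": "D-bit", "C": "MPPC"}

def mppe_bits(option):
    """'+H -M +S -L -D -C' -> {'H', 'S'}."""
    return set(re.findall(r"\+([HMSLDC])", option))

def summarise_pppd_log(text):
    """Reduce a pppd debug log to the facts a VPN user cares about, plus warnings."""
    s = {"auth": None, "chap_ok": False, "mppe_offered": set(), "mppe_agreed": set(),
         "mppe_enabled": None, "addr": {}, "dns": [], "default_route_replaced": True}
    for line in text.splitlines():
        if (m := re.search(r"<auth ([^>]+)>", line)) and "[LCP ConfReq" in line:
            s["auth"] = m.group(1)                  # what the server asks us to use
        elif "CHAP authentication succeeded" in line:
            s["chap_ok"] = True
        elif (m := re.search(r"\[CCP (ConfReq|ConfAck) .*<mppe ([^>]+)>", line)):
            key = "mppe_offered" if m.group(1) == "ConfReq" else "mppe_agreed"
            s[key] = mppe_bits(m.group(2))          # the last ConfAck is what was agreed
        elif (m := re.match(r"MPPE (\S+ \S+) compression enabled", line)):
            s["mppe_enabled"] = m.group(1)
        elif "not replacing existing default route" in line:
            s["default_route_replaced"] = False
        elif (m := re.match(r"(local|remote)\s+IP address (\S+)", line)):
            s["addr"][m.group(1)] = m.group(2)
        elif (m := re.match(r"(?:primary|secondary)\s+DNS address (\S+)", line)):
            s["dns"].append(m.group(1))
    checks = [(not s["chap_ok"], "no CHAP success seen: link not authenticated"),
              (s["mppe_enabled"] is None, "MPPE never enabled: traffic would cross the link unencrypted"),
              (not s["default_route_replaced"], "existing default route kept: add a route to the office network")]
    checks += [(bit in s["mppe_agreed"], "peer agreed %s MPPE, weaker than the 128-bit we require" % MPPE_BITS[bit])
               for bit in ("L", "M")]
    s["warnings"] = [msg for cond, msg in checks if cond]
    return s
```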

ROUTING

You may need to add a route to your routing table in order to actually access resources within your VPN/office. The log above shows that pppd did not replace the existing default route via 192.168.1.1, so traffic for the office network is not sent over ppp0 until a route for it exists. Note that a netmask of 255.255.255.255 adds a route for a single host; use the office subnet's netmask to reach the whole network.

route add -net  A.B.C.D netmask 255.255.255.255 gw A.B.C.D

brief list of options

  • [ttyname] e.g. foo: Use the serial device /dev/foo to communicate with the remote peer. If no device name is given, pppd uses its controlling terminal (or the pseudo-terminal supplied by the pty option, as here). Not required when testing the connection over Ethernet.
  • [speed] e.g. 9600: Set the baud rate of the serial device, as a decimal number. Which values work depends on the device and OS.
  • [asyncmap map] (Async-Control-Character-Map): Specify which ASCII control characters must be escaped on the link. Not required for my VPN, so not tested.
  • [auth]: The remote peer __must__ authenticate itself before network packets can be sent or received. This is the default when the client (i.e. the local machine) has a default route. See [noauth], which disables this requirement and is what the peers file above uses.
  • [call name_of_connection]: Read the file /etc/ppp/peers/name_of_connection and use the options therein.
  • [connect name_of_script]: Run name_of_script before actually starting the connection. There may be things you have to prepare before the connection is started, such as setting up your modem and dialling, before you can call your ISP.
  • [crtscts]: You don't need to bother with this one for a VPN; it enables hardware (RTS/CTS) flow control on an RS-232 serial line, and the default is used if it is not specified. Related to [nocrtscts]. Probably required if your hardware, modem or serial interface doesn't work without it.

  • [defaultroute]: Add a default route through the PPP link to the client's routing table. It lasts only as long as the PPP connection and is removed when the session ends.
  • [disconnect name_of_script]: Run name_of_script after pppd has terminated the link, to hang up the device cleanly.
  • [escape char1,char2,...]: Specify a comma-separated list of characters (given in hex) that must be escaped on transmission during the session.
  • [file file_for_options]: Read options from this file. The user invoking pppd must have read permission on it.
  • [init name_of_init_script]: Run name_of_init_script to initialise the serial line (e.g. configure a modem) before the connection is started.
  • [lock]: Ensure that no other process uses the serial device during the connection. Not locked by default.
  • [mru X] (default 1500): Ask the peer to send packets of at most X bytes. X must be between 128 (2**7) and 16384 (2**14).
  • [mtu Y]: Send packets of at most Y bytes; if the peer asks for a smaller MRU, that smaller value is used instead.
  • [allow-ip ip1,ip2]: Let peers use the given IP address(es) or subnet without authenticating themselves. Use the same syntax as the IP address field of the secrets file.
  • [nobsdcomp]: Disables BSD-Compress packet compression.
  • [bsdcomp nr,nt]: Request BSD-Compress compression for the session: nr is the maximum code size (in bits) for packets received from the peer, nt for packets sent to the peer. Both must be between 9 and 15; anything larger just uses more kernel memory.


  • [chap-interval n]: Rechallenge the peer every n seconds.
  • [chap-max-challenge n]: Set the maximum number of CHAP challenge transmissions to n (default 10).
  • [chap-restart n]: Set the CHAP restart interval (retransmission timeout for challenges) to n seconds (default 3).
  • [debug]: Enables connection debugging facilities. If this option is given, pppd will log the contents of all control packets sent or received in a readable form. The packets are logged through syslog with facility daemon and level debug. This information can be directed to a file by setting up /etc/syslog.conf appropriately (see syslog.conf(5)).
  • [default-mru]: Disable MRU negotiation and use the default MRU of 1500 for packets in both directions.
  • [local_IP_address:remote_IP_address]: Set the local and/or remote IP address of the link; either side may be omitted, and hostnames may be used instead of IP addresses. Most VPN servers assign you an IP address once you have authenticated, so this option should not be required.


PACKAGE DETAILS

Name        : ppp                               Relocations: (not relocatable)
Version     : 2.4.2                             Vendor: Red Hat, Inc.
Release     : 6.4.FC3                       Build Date: Tue 02 Nov 2004 08:02:02 AM MST
Install Date: Thu 19 May 2005 03:32:47 PM MDT      Build Host: tweety.build.redhat.com
Group       : System Environment/Daemons    Source RPM: ppp-2.4.2-6.4.FC3.src.rpm
Size        : 651720                           License: distributable
Signature   : DSA/SHA1, Tue 02 Nov 2004 09:37:27 AM MST, Key ID b44269d04f2a6fd2
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The PPP (Point-to-Point Protocol) daemon.
Description :
The ppp package contains the PPP (Point-to-Point Protocol) daemon and
documentation for PPP support. The PPP protocol provides a method for
transmitting datagrams over serial point-to-point links. PPP is
usually used to dial in to an ISP (Internet Service Provider) or other
organization over a modem and phone line.