Rob, I had a cursory look through your scripts, and seems like you
handle most of the logic. I don't know anything about pppd for Linux (is
it based on the same code?). I let pppd manage retries & setting routes.
It will also drop and dry to reconnect if either side can't talk to the
other (via lqr).
It looks simple, but with rsa only authentication on the sshd, it has
proven to be solid and reasonably secure.
Good luck,
Tim
Rob Zietlow wrote:
On Monday 23 May 2005 08:18 am, Tim Pushor wrote:
hmm, Thanks for the response, Tim.
I wouldn't personally recommend vpn over ssh for anyone either, but i'm kind
of stuck with it. I'm the sole bsd user at my company, and the ppp over ssh
was implemented years before I came and has worked fine for them. They're
not really willing to change it at the moment and it's on a system I have
zero control over within our organization.
If I had the option to set this up like you have below it would have been put
in place a long while ago. Tim, I thank you for your scripts and time.
Here's the scripts I use.
Actual bash script I call:
! /usr/local/bin/bash
#
# This script controls starting and stopping
# the VPN run over ssh. It's functions are:
#
# start stop on off
#
# start and stop control the actuall ppp interface,
# while on and off turn the routes to the VPN on and off.
# In this way, you can bring up the interface, but turn
# the VPN on and off without affecting the ppp connection.
#
#
# --------- configuration ------------
# This is the other end of the VPN
VPNHOST="$WORK"
# This is for editing /etc/resolv.conf
DOMAIN=" $DOMAIN_NAME"
#DNSSERVER="10.10.X.X"
DNSSERVER="10.10.X.Y"
# ------------------------------------
# Defaults should be okay
# ------------------------------------
CONFFILE="/etc/resolv.conf"
# tempfile, needs to be writable
TMP=/tmp/file.$$
# This is to give us time for the ppp
# connection to come up
timeout=5
# This is the command to start pppd
CMD="/usr/sbin/pppd file /usr/home/rob/vpn/options.vpn"
# A place for control files
svcdir="$HOME/.pppssh"
# A place for pids to keep track of processes
rundir="$svcdir/run"
# ------ end configuration -----------
# Some things to check before we begin
USER=`id -u`
PPPD=`find /usr/sbin -perm 4755 -name pppd`
ROUTE=`find /sbin -perm 4755 -name route`
IFCONFIG=`find /sbin -perm 4755 -name ifconfig`
if [ \( $USER -ne 0 \) -a \( -z "$PPPD" -o -z "$ROUTE" -o -z "$IFCONFIG" \) ];
then
echo "You must be root, or the following must be suid:"
echo "/sbin/pppd, /sbin/route, /sbin/ifconfig"
exit 1
fi
case "$1" in
start)
# Make a control directory
if [ ! -d $svcdir ]; then
mkdir -p $svcdir
fi
if [ ! -d $rundir ]; then
mkdir -p $rundir
fi
# make sure it doesn't core dump anywhere; while this could mask
# problems with the daemon, it also closes some security problems
ulimit -c 0
echo -n $VPNHOST > "$svcdir/host"
echo Waiting for connection...
# Look for unused ppp device.
# But default to ppp0
dev=0
for i in `jot 9 0 `; do
if [ ! -f /var/run/ppp$i.pid ] ; then
echo Using interface ppp$i
dev=$i
break
fi
done
# See if we're already running
if [ ! -f $svcdir/lock ]; then
$CMD
else
echo Link appears up
echo Lock file in $svcdir
echo Use $0 restart
exit 1
fi
if [ $? -eq 0 ]; then
sleep $timeout
ifconfig ppp$dev
echo ppp$dev > $svcdir/device
echo $VPNHOST > $svcdir/host
touch $svcdir/lock
# Routes to be added for the inside network
$0 on
else
echo Connection Failed
fi
;;
stop)
# Find the pid of the pppd, kill it, remove the route
VPNIF=`head $svcdir/device`
ppppid=`head /var/run/$VPNIF.pid`
sshpid=`head $rundir/sshpppd.pid`
# Removing routes if possible
echo Removing routes...
$0 off
echo Killing processes...
kill -s SIGTERM $ppppid
kill -s SIGTERM $sshpid
echo Killed ssh[$sshpid]
echo Killed pppd[$ppppid]
# Bring down interface
echo Bringing down interface: $VPNIF
/sbin/ifconfig $VPNIF down
echo Removing control files...
# Remove control files
rm -f "$svcdir/device"
rm -f "$svcdir/host"
rm -f "$rundir/sshpppd.pid"
rm -f "$svcdir/lock"
echo Done.
;;
on)
if [ ! -f "$svcdir/lock" ]; then
echo VPN does not appear to be up
exit 1
elif [ -f "$svcdir/on" ]; then
echo VPN looks like it is already active
exit 1
else
# Routes are specified in /etc/ppp/routes.vpn
grep -v '^#' /etc/ppp/routes.vpn |\
while read NET NETMASK GATEWAY ; do
/sbin/route add -net $NET netmask $NETMASK gw $GATEWAY
done
# Make changes to the resolv.conf file
# We may not want this to be standard equipment
# if [ $USER -eq 0 ]; then
# insert search domain
MATCH=$( grep -cq "search" $CONFFILE )
#if [ "$MATCH" = "0" ]; then
# # Add one if there isn't one
# { echo "search $DOMAIN" ; cat $CONFFILE } > $TMP
# mv -f $TMP $CONFFILE
#else
# # Edit one if needed
# grep -q "search.*$DOMAIN" $CONFFILE
# if [ "$?" != "0" ]; then
# perl -pi -e "s/(search.+)\s+/\$1 $DOMAIN\n/" $CONFFILE
# fi
# fi
#
# # insert server if needed
# # it needs to be first in the list
# MATCH=$( grep -cq "nameserver.*$DNSSERVER" $CONFFILE )
# if [ "$MATCH" = "0" ]; then
# perl -pi -e "s/(search.+)\s+/\$1\nnameserver
$DNSSERVER\n/" $CONFFILE
# fi
#touch $svcdir/resolver
# fi
touch $svcdir/on;
fi
;;
off)
if [ ! -f $svcdir/lock ]; then
echo VPN does not appear to be up
exit 1
elif [ ! -f "$svcdir/on" ]; then
echo VPN does not appear to be active
exit 1
else
grep -v '^#' /etc/ppp/routes.vpn |\
while read NET NETMASK GATEWAY ; do
/sbin/route del -net $NET netmask $NETMASK gw $GATEWAY
done
fi
## Remove changes made to /etc/resolv.conf
if [ $USER -eq 0 ]; then
if [ -f $svcdir/resolver ]; then
perl -pi -e "s/(search.+?)\s+$DOMAIN\s+/\$1\n/" $CONFFILE
perl -pi -e "s/^nameserver\s+$DNSSERVER\s+//" $CONFFILE
rm -f $svcdir/resolver
fi
fi
rm -f $svcdir/on
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: telnetd {start|stop|on|off}"
;;
esac
options.vpn:
lock
noipdefault
defaultroute
updetach
lcp-echo-interval 5
lcp-echo-failure 10
pty /home/rob/vpn/pppssh
call server.vpn
!/usr/bin/perl -w
# Taken from Olaf Titz's ppp over ssh script.
# pppd starts up ppp connection, but ssh hangs
# and prevents pppd from taking over the terminal
# this script gives ssh a little kick.
#use strict
# ---- configuration ----- #
# Your user login here
$user="$USER_NAME";
# ------------------------ #
# Customize if necessary
$home=$ENV{HOME};
$svcdir="$home/.pppssh";
$rundir="$svcdir/run";
$ssh="/usr/bin/ssh";
$timeout=10;
$host=`head $svcdir/host`;
# ------------------------ #
if ( ! defined($host)) {
print "No host given\n";
exit 1;
}
# subroutine to handle sshd hang bug.
&bugdaemon($timeout) if ($timeout);
# Write pid to control file
open FD, ">$rundir/sshpppd.pid" or die $!;
printf FD $$;
close FD;
# exec ssh to start pppd on remote host
exec $ssh, "-t", "-l$user", $host, "-p 24";
die "exec $ssh: $!";
# -------------------------------------------- #
# This cures a "hang" of the local ssh process
sub bugdaemon
{
local($secs)[EMAIL PROTECTED];
local($p)=fork;
# fork returns 0 to child, pid to parent, and undefined to parent if
failed.
if (!defined($p)) {
warn "can't fork, no bug daemon";
return;
}
# Return if I'm the child to execute ssh
return if (!$p);
# returning the child avoids a zombie
# Parent sleeps to allow the child to exec ssh
if ($secs) {
sleep $secs;
} else {
sleep 10;
}
# If I'm the parent, give ssh a kick
kill "STOP", $p;
sleep 1;
kill "CONT", $p;
exit 0;
}
You don't need the pty. I don't recommend vpn over ssh, unless its
absolutely necessary. OpenVPN is much better ...
I've set it up (as it was absolutely necessary :-), and here is a config
from the 'client'.
default:
set timeout 0
set log phase chat connect lcp ipcp
set dial
set login
cli:
set device "!ssh -l cli -i /etc/ppp/ppp.key server.domain.com
/usr/sbin/ppp -direct srv"
set ifaddr 10.0.4.4 10.0.4.3 255.255.255.255
add! 192.168.x.0/24 HISADDR
set lqrperiod 60
enable lqr
'client' is enabled by running ppp -ddial cli from rc script.
Then the 'Server' - of course, 'cli' needs a user account on the system,
and all the ssh stuff setup (authorized keys, etc).
default:
set log Phase Chat LCP IPCP CCP tun command
srv:
allow user cli
set ifaddr 10.0.4.3 10.0.4.4 255.255.255.255
set timeout 0
add! 192.168.y.0/24 HISADDR
set lqrperiod 60
enable lqr
accept lqr
Rob Zietlow wrote:
Good day List,
I have a question about pppd. We use ppp over ssh for a VPN solution into
work. The script works on linux, but not in freebsd because the
implementation of pppd that comes with freebsd does not recognize the pty
command. When I attempt to connect up I get the following.
testee# bash bin/vpn.init start
Waiting for connection...
Using interface ppp0
/usr/sbin/pppd: In file /usr/home/rob/vpn/options.vpn: unrecognized option
'pty'
Connection Failed
This appears to be the last piece of the puzzle for me in order to get
this to work. So it leaves me to ask Is there an equivalent in Freebsd?
From the pppd man page on a linux machine.
pty script
Specifies that the command script is to be used to
communicate rather than a specific terminal device. Pppd will
allocate itself a pseudo-tty master/slave pair and use the slave as its
terminal device. The script will be run in a child process with
the pseudo-tty master as its standard input and output. An explicit
device name may not be given if this option is used. (Note: if the
record option is used in conjuction with the pty option, the child
process will have pipes on its standard input and output.)
The fbsd pppd's man page doesn't list anything for pty, and a google
doesn't turn up much.
Thanks for your time.
Rob
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
