1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
|
#################################################################
#
# PPP Sample Configuration File
#
# Originally written by Toshiharu OHNO
#
# $Id: ppp.conf.sample,v 1.3 1999/03/28 00:22:44 brian Exp $
#
#################################################################
# This file is separated into sections. Each section is named with
# a label starting in column 0 and followed directly by a ``:''. The
# section continues until the next section. Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file. You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#
# Default setup. Always executed when PPP is invoked.
# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, it's DTR rate,
# your dial script and any logging specification. Logging specs should
# be done first so that the results of subsequent commands are logged.
#
default:
set log Phase Chat LCP IPCP CCP tun command
set device /dev/cuaa1
set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that initiates the connection as the client and
# the side that receives the connection as the server. Authentication
# is required by the server either using a unix-style login proceedure
# or by demanding PAP or CHAP authentication from the client.
#
# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to. Ppp can change this
# when the link comes up.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP number.
#
# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision. This is necessary
# when negotiating with some (broken) ppp implementations.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode.
#
# Finally, the ``enable dns'' line tells ppp to ask the peer for the
# nameserver addresses that should be used. This isn't always supported
# by the other side, but if it is, ppp will update /etc/resolv.conf with
# the correct nameserver values at connection time.
#
# The login script shown says that you're expecting ``ogin:''. If you
# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
# You *MUST* customise this login script according to your local
# requirements.
#
pmdemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# If you want to use PAP or CHAP instead of using a unix-style login
# proceedure, do the following. Note, the peer suggests whether we
# should send PAP or CHAP. By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.
#
PAPorCHAPpmdemand:
set phone 1234567
set login
set authname MyName
set authkey MyKey
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
# # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# a "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 192.244.185.226 192.244.176.44
add default HISADDR
enable dns
# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete. They're provided as examples
# of how to achieve different things.
examples:
# Multi-phone example. Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed. Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
set phone 12345678|12345679:12345670|12345671
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket. It's safest to use
# a UNIX domain socket, and watch the permissions:
#
set server /var/tmp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging withouth blasting the setting in default:
#
set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
enable dns
#
# If you don't want to tell them what's in your /etc/resolf.conf file
# with `enable dns', override the values:
#
set dns 10.0.0.1 10.0.0.2
#
# If we're using the -alias switch, redirect ftp and http to an internal
# machine:
#
alias port 10.0.0.2:ftp ftp
alias port 10.0.0.2:http http
#
# or don't trust the outside at all
#
alias deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use. I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
allow user dodgy
allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53
set filter alive 3 permit 0 0
#
# And we don't want ICMPs to cause a dialup:
#
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
#
# or any TCP SYN or RST packets (badly closed TCP channels):
#
set filter dial 2 deny 0 0 tcp syn finrst
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
set filter in 0 permit tcp dst eq 113
set filter out 0 permit tcp src eq 113
set filter in 1 permit tcp src eq 23 estab
set filter out 1 permit tcp dst eq 23
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
set filter in 3 permit tcp src eq 20 dst gt 1023
set filter out 3 permit tcp dst eq 20
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 5 permit 192.244.191.0/24 0/0
set filter out 5 permit 0/0 192.244.191.0/24
set filter in 6 permit icmp
set filter out 6 permit icmp
set filter in 7 permit udp dst gt 33433
set filter out 7 permit udp dst gt 33433
# Server side PPP
#
# If you want the remote system to authenticate itself, you must insist
# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
# PAP are disabled by default. You may enable either or both. If both
# are enabled, CHAP is requested first. If the client doesn't agree, PAP
# will then be requested.
#
# Note: If you use the getty/login process to authenticate users, you
# don't need to enable CHAP or PAP, but the user that has logged
# in *MUST* be a member of the ``network'' group (in /etc/group).
#
# If you wish to allow any user in the passwd database ppp access, you
# can ``enable passwdauth''.
#
# When the peer authenticates itself, we use ppp.secret for verification
# (although refer to the ``set radius'' command below for an alternative).
#
# Note: We may supply a third field in ppp.secret specifying the IP
# address for that user, a forth field to specify the
# ppp.link{up,down} label to use and a fifth field to specify
# callback characteristics.
#
# The easiest way to allow transparent LAN access to your dialin users
# is to assign them a number from your local LAN and tell ppp to make a
# ``proxy'' arp entry for them. In this example, we have a local LAN
# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
# override the dynamic IP number with a static IP number specified in
# ppp.secret.
#
# Ppp is launched with:
# # ppp -direct server
#
server:
enable chap
enable pap
enable passwdauth
enable proxy
set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
accept dns
# Example of a RADIUS configuration:
# If there are one or more radius servers available, we can use them
# instead of the ppp.secret file. Simply put then in a radius
# configuration file (usually /etc/radius.conf) and give ppp the
# file name.
# Ppp will use the FRAMED characteristics supplied by the radius server
# to configure the link.
radius-server:
load server
set radius /etc/radius.conf
# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client !
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
set dial ""
set device /dev/cuaa0
set sp 115200
set timeout 900
set lqrperiod 10
set log Phase Chat LQM
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
set ifaddr 10.0.4.2 10.0.4.1
enable lqr
accept lqr
direct-server:
set timeout 0
set lqrperiod 10
set log Phase LQM
set ifaddr 10.0.4.1 10.0.4.2
enable lqr
accept lqr
# Example to connect via compuserve
# Compuserve insists on 7 bits even parity during the chat phase. Modem
# parity is always reset to ``none'' after the link has been established.
#
compuserve:
set phone 1234567
set parity even
set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
word: XXXXXXXX PPP"
set timeout 300
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
delete ALL
add default HISADDR
# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234. Read the man page for further details
#
# Note, we assume we're using a binary-clean connection. If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
set device tcpsrv.mynet:1234
set dial
set login
set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
tcp-server:
set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
# Example for PPP testing.
# If you want to test ppp, do it through the loopback interface:
#
# Requires a line in /etc/services:
# ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:ppploop
set dial
set login
set ifaddr 127.0.0.2 127.0.0.3
set server /var/tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
load loop
set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
# Example of non-PPP callback.
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves. When this has happened, we wait
# 60 seconds for a RING.
#
dialback:
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
ATDT\\T TIMEOUT 60 CONNECT"
set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
\"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
# Example of PPP callback.
# Alternatively, if the peer is using the PPP callback protocol, we're
# happy either with ``auth'' style callback where the server dials us
# back based on what we authenticate ourselves with, ``cbcp'' style
# callback (invented by Microsoft but not agreed by the IETF) where
# we negotiate callback *after* authentication or E.164 callback where
# we specify only a phone number. I would recommend only ``auth'' and/or
# ``cbcp'' callback methods.
# For ``cbcp'', we insist that we choose ``1234567'' as the number that
# the server must call back.
#
callback:
load pmdemand
set callback auth cbcp e.164 1234567
set cbcp 1234567
# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
load server
set callback cbcp
set cbcp
set log +cbcp
set redial 3 1
set device /dev/cuaa0
set speed 115200
set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
load callback-server
set cbcp *
# Multilink mode is available (rfc1990).
# To enable multilink capabilities, you must specify a MRRU. 1500 is
# a reasonable value. To create new links, use the ``clone'' command
# to duplicate an existing link. If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time. The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
load loop
set mode interactive
set mrru 1500
clone 1 2 3
link deflink remove
# dial
# link 2 dial
# link 3 dial
mloop-in:
set timeout 0
set log tun phase
allow mode direct
set mrru 1500
# User supplied authentication:
# It's possible to run ppp in the background while specifying a
# program to use to obtain authentication details on demand.
# This program would usually be a simple GUI that presents a
# prompt to a known user. The ``chap-auth'' program is supplied
# as an example (and requires tcl version 8.0).
#
CHAPprompt:
load PAPorCHAPpmdemand
set authkey !/usr/share/examples/ppp/chap-auth
# It's possible to do the same sort of thing at the login prompt.
# Here, after sending ``brian'' in response to the ``name'' prompt,
# we're prompted with ``code:''. A window is then displayed on the
# ``keep:0.0'' display and the typed response is sent to the peer
# as the password. We then expect to see ``MTU'' and ``.'' in the
# servers response.
#
loginprompt:
load pmdemand
set authname brian
set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
AUTHNAME\" MTU \\c ."
|