1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
|
#################################################################
#
# PPP Sample Configuration File
#
# Originally written by Toshiharu OHNO
#
# $FreeBSD$
#
#################################################################
# This file is separated into sections. Each section is named with
# a label starting in column 0 and followed directly by a ``:''. The
# section continues until the next label. Blank lines and characters
# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
# or quoted with ""). All commands inside sections that do not begin
# with ``!'' (e.g., ``!include'') *must* be indented by at least one
# space or tab or they will not be recognized!
#
# Lines beginning with "!include" will ``include'' another file. You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#
# Default setup. Always executed when PPP is invoked.
# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, its DTR rate,
# your dial script and any logging specification. Logging specs should
# be done first so that the results of subsequent commands are logged.
#
default:
set log Phase Chat LCP IPCP CCP tun command
set device /dev/cuad1
set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that initiates the connection as the client and
# the side that receives the connection as the server. Authentication
# is required by the server either using a unix-style login procedure
# or by demanding PAP or CHAP authentication from the client.
#
# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to. Ppp can change this
# when the link comes up.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP number.
#
# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision. This is necessary
# when negotiating with some (broken) ppp implementations.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode only.
# It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
#
# Finally, the ``enable dns'' line tells ppp to ask the peer for the
# nameserver addresses that should be used. This isn't always supported
# by the other side, but if it is, ppp will update /etc/resolv.conf with
# the correct nameserver values at connection time.
#
# The login script shown says that you're expecting ``ogin:''. If you
# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
# You *MUST* customise this login script according to your local
# requirements.
#
pmdemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# If you want to use PAP or CHAP instead of using a unix-style login
# procedure, do the following. Note, the peer suggests whether we
# should send PAP or CHAP. By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.
#
PAPorCHAPpmdemand:
set phone 1234567
set login
set authname "MyName"
set authkey "MyKey"
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
# # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# an "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 192.244.185.226 192.244.176.44
add default HISADDR
enable dns
# An on-demand dialup example using an external Terminal Adapter (TA)
# that supports multi-link ppp itself.
#
# This may be specific to the AETHRA TA.
#
TA:
set phone 12345678 # Replace this with your ISPs phone number
set authname "somename" # Replace these with your login name & password.
set authkey "somepasswd" # This profile assumes you're using PAP or CHAP.
enable lqr echo
set reconnect 3 5
set redial 3 10
set lqrperiod 45
disable pred1 deflate mppe
deny pred1 deflate mppe
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
set login
set logout
set hangup
set timeout 60 300 # The minimum charge period is 5 minutes, so don't
# hangup before then
set device /dev/cuad0 # Or whatever
set speed 115200 # Use as high a speed as possible
enable dns # Ask the peer what to put in resolv.conf
# Take a wild guess at an IP number and let the other side decide
set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
add! default hisaddr
set mru 1504 # Some extra room for the MP header
set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------)
# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete. They're provided as examples
# of how to achieve different things.
examples:
# Multi-phone example. Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed. Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
set phone 12345678|12345679:12345670|12345671
#
# Some phone numbers may include # characters - don't forget to escape
# (or quote) them:
#
set phone "12345##678"
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket. It's safest to use
# a UNIX domain socket, and watch the permissions:
#
set server /var/run/ppp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging without blowing away the setting in default:
#
set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
enable dns
#
# If you don't want to tell them what's in your /etc/resolv.conf file
# with `enable dns', override the values:
#
set dns 10.0.0.1 10.0.0.2
#
# Some people like to prioritize DNS packets:
#
set urgent udp +53
#
# If we're using the -nat switch, redirect ftp and http to an internal
# machine:
#
nat port tcp 10.0.0.2:ftp ftp
nat port tcp 10.0.0.2:http http
#
# or don't trust the outside at all
#
nat deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use. I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
allow user dodgy
allow mode direct
#
# We don't want certain packets to keep our connection alive
#
set filter alive 0 deny udp src eq 520 # routed
set filter alive 1 deny udp dst eq 520 # routed
set filter alive 2 deny udp src eq 513 # rwhod
set filter alive 3 deny udp src eq 525 # timed
set filter alive 4 deny udp src eq 137 # NetBIOS name service
set filter alive 5 deny udp src eq 138 # NetBIOS datagram service
set filter alive 6 deny tcp src eq 139 # NetBIOS session service
set filter alive 7 deny udp dst eq 137 # NetBIOS name service
set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service
set filter alive 9 deny tcp dst eq 139 # NetBIOS session service
set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside
set filter alive 11 permit 0/0 0/0
#
# And in auto mode, we don't want certain packets to cause a dialup
#
set filter dial 0 deny udp src eq 513 # rwhod
set filter dial 1 deny udp src eq 525 # timed
set filter dial 2 deny udp src eq 137 # NetBIOS name service
set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
set filter dial 4 deny tcp src eq 139 # NetBIOS session service
set filter dial 5 deny udp dst eq 137 # NetBIOS name service
set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
set filter dial 7 deny tcp dst eq 139 # NetBIOS session service
set filter dial 8 deny tcp finrst # Badly closed TCP channels
set filter dial 9 permit 0 0
#
# Once the line's up, allow these connections
#
set filter in 0 permit tcp dst eq 113 # ident
set filter out 0 permit tcp src eq 113 # ident
set filter in 1 permit tcp src eq 23 estab # telnet
set filter out 1 permit tcp dst eq 23 # telnet
set filter in 2 permit tcp src eq 21 estab # ftp
set filter out 2 permit tcp dst eq 21 # ftp
set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data
set filter out 3 permit tcp dst eq 20 # ftp-data
set filter in 4 permit udp src eq 53 # DNS
set filter out 4 permit udp dst eq 53 # DNS
set filter in 5 permit 192.244.191.0/24 0/0 # Where I work
set filter out 5 permit 0/0 192.244.191.0/24 # Where I work
set filter in 6 permit icmp # pings
set filter out 6 permit icmp # pings
set filter in 7 permit udp dst gt 33433 # traceroute
set filter out 7 permit udp dst gt 33433 # traceroute
#
# ``dodgynet'' is an example intended for an autodial configuration which
# is connecting a local network to a host on an untrusted network.
dodgynet:
set log Phase # Log link uptime
allow mode auto # For autoconnect only
set device /dev/cuad1 # Define modem device and speed
set speed 115200
deny lqr # Don't support LQR
set phone 0W1194 # Remote system phone number,
set authname "pppLogin" # login
set authkey "MyPassword" # and password
set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer
TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
ATE1Q0M0 OK \\dATDT\\T \
TIMEOUT 40 CONNECT"
set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system
gin:--gin: \\U word: \\P"
# Drop the link after 15 minutes of inactivity
# Inactivity is defined by the `set filter alive' line below
set timeout 900
# Hard-code remote system to appear within local subnet and use proxy arp
# to make this system the gateway for the rest of the local network
set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
enable proxy
# Allow any TCP packet to keep the link alive
set filter alive 0 permit tcp
# Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
# private TCP ports 24 and 4000
set filter dial 0 7 0 0 tcp dst eq http
set filter dial 1 7 0 0 tcp dst eq login
set filter dial 2 7 0 0 tcp dst eq shell
set filter dial 3 7 0 0 tcp dst eq telnet
set filter dial 4 7 0 0 tcp dst eq ftp
set filter dial 5 7 0 0 tcp dst eq 24
set filter dial 6 deny ! 0 0 tcp dst eq 4000
# From hosts on a couple of local subnets to the remote peer
# If the remote host allowed IP forwarding and we wanted to use it, the
# following rules could be split into two groups to separately validate
# the source and destination addresses.
set filter dial 7 permit 172.17.16.0/20 172.17.20.248
set filter dial 8 permit 172.17.36.0/22 172.17.20.248
set filter dial 9 permit 172.17.118.0/26 172.17.20.248
set filter dial 10 permit 10.123.5.0/24 172.17.20.248
# Once the link's up, limit outgoing access to the specified hosts
set filter out 0 4 172.17.16.0/20 172.17.20.248
set filter out 1 4 172.17.36.0/22 172.17.20.248
set filter out 2 4 172.17.118.0/26 172.17.20.248
set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
# Allow established TCP connections
set filter out 4 permit 0 0 tcp estab
# And new connections to http, rlogin, rsh, telnet, ftp and ports
# 24 and 4000
set filter out 5 permit 0 0 tcp dst eq http
set filter out 6 permit 0 0 tcp dst eq login
set filter out 7 permit 0 0 tcp dst eq shell
set filter out 8 permit 0 0 tcp dst eq telnet
set filter out 9 permit 0 0 tcp dst eq ftp
set filter out 10 permit 0 0 tcp dst eq 24
set filter out 11 permit 0 0 tcp dst eq 4000
# And outgoing icmp
set filter out 12 permit 0 0 icmp
# Once the link's up, limit incoming access to the specified hosts
set filter in 0 4 172.17.20.248 172.17.16.0/20
set filter in 1 4 172.17.20.248 172.17.36.0/22
set filter in 2 4 172.17.20.248 172.17.118.0/26
set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
# Established TCP connections and non-PASV FTP
set filter in 4 permit 0/0 0/0 tcp estab
set filter in 5 permit 0/0 0/0 tcp src eq 20
# Useful ICMP messages
set filter in 6 permit 0/0 0/0 icmp src eq 3
set filter in 7 permit 0/0 0/0 icmp src eq 4
set filter in 8 permit 0/0 0/0 icmp src eq 11
set filter in 9 permit 0/0 0/0 icmp src eq 12
# Echo reply (local systems can ping the remote host)
set filter in 10 permit 0/0 0/0 icmp src eq 0
# And the remote host can ping the local gateway (only)
set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8
# Server side PPP
#
# If you want the remote system to authenticate itself, you must insist
# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
# PAP are disabled by default. You may enable either or both. If both
# are enabled, CHAP is requested first. If the client doesn't agree, PAP
# will then be requested.
#
# Note: If you use the getty/login process to authenticate users, you
# don't need to enable CHAP or PAP, but the user that has logged
# in *MUST* be a member of the ``network'' group (in /etc/group).
#
# Note: Chap80 and chap81 are Microsoft variations of standard chap (05).
#
# If you wish to allow any user in the passwd database ppp access, you
# can ``enable passwdauth'', but this will only work with PAP.
#
# When the peer authenticates itself, we use ppp.secret for verification
# (although refer to the ``set radius'' command below for an alternative).
#
# Note: We may supply a third field in ppp.secret specifying the IP
# address for that user, a fourth field to specify the
# ppp.link{up,down} label to use and a fifth field to specify
# callback characteristics.
#
# The easiest way to allow transparent LAN access to your dialin users
# is to assign them a number from your local LAN and tell ppp to make a
# ``proxy'' arp entry for them. In this example, we have a local LAN
# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
# override the dynamic IP number with a static IP number specified in
# ppp.secret.
#
# Ppp is launched with:
# # ppp -direct server
#
server:
enable chap chap80 chap81 pap passwdauth
enable proxy
set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
accept dns
# Example of a RADIUS configuration:
# If there are one or more radius servers available, we can use them
# instead of the ppp.secret file. Simply put then in a radius
# configuration file (usually /etc/radius.conf) and give ppp the
# file name.
# Ppp will use the FRAMED characteristics supplied by the radius server
# to configure the link.
radius-server:
load server # load in the server config from above
set radius /etc/radius.conf
# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client !
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
set dial
set device /dev/cuad0
set sp 115200
set timeout 900
set lqrperiod 10
set log Phase Chat LQM
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
set ifaddr 10.0.4.2 10.0.4.1
enable lqr echo
accept lqr
direct-server:
set timeout 0
set lqrperiod 10
set log Phase LQM
set ifaddr 10.0.4.1 10.0.4.2
enable lqr echo
accept lqr
# Example to connect via compuserve
# Compuserve insists on 7 bits even parity during the chat phase. Modem
# parity is always reset to ``none'' after the link has been established.
#
compuserve:
set phone 1234567
set parity even
set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
word: XXXXXXXX PPP"
set timeout 300
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
delete ALL
add default HISADDR
# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234 with an entry something like this in /etc/inetd.conf.:
#
# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
#
# with this in /etc/services:
#
# ppp 6671/tcp
#
# Read the man page for further details.
#
# Note, we assume we're using a binary-clean connection. If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
set device tcpsrv.mynet:1234
set dial
set login
set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
tcp-server:
set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
# Using UDP is also possible with this in /etc/inetd.conf:
#
# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
#
# and this in /etc/services:
#
# ppp 6671/tcp
#
udp-client:
set device udpsrv.mynet:1234/udp
set dial
set login
set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
udp-server:
set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
# Example for PPP testing.
# If you want to test ppp, do it through the loopback interface:
#
# Requires a line in /etc/services:
# ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
#
inet-loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:ppploop
set dial
set login
set ifaddr 127.0.0.2 127.0.0.3
set server /var/run/ppp/loop "" 0177
inet-loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
load inet-loop
# Passive mode allows ssh plenty of time to establish the connection
set openmode passive
set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"
# or a better VPN solution (which doesn't run IP over a reliable
# protocol like tcp) may be:
#
vpn-client:
set device udpsrv.mynet:1234/udp # PPP over UDP
set dial
set login
set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
disable deflate pred1
deny deflate pred1
enable MPPE # With encryption
accept MPPE
vpn-server:
set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
disable deflate pred1
deny deflate pred1
enable MPPE
accept MPPE
enable chap81 # Required for MPPE
# Example of non-PPP callback.
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves. When this has happened, we wait
# 60 seconds for a RING.
#
# Note, it's important that we tell ppp not to expect carrier, otherwise
# we'll drop out at the ``NO CARRIER'' stage.
#
dialback:
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
ATDT\\T TIMEOUT 60 CONNECT"
set cd off
set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
\"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
# Example of PPP callback.
# Alternatively, if the peer is using the PPP callback protocol, we're
# happy either with ``auth'' style callback where the server dials us
# back based on what we authenticate ourselves with, ``cbcp'' style
# callback (invented by Microsoft but not agreed by the IETF) where
# we negotiate callback *after* authentication or E.164 callback where
# we specify only a phone number. I would recommend only ``auth'' and/or
# ``cbcp'' callback methods.
# For ``cbcp'', we insist that we choose ``1234567'' as the number that
# the server must call back.
#
callback:
load pmdemand # load in the pmdemand config
set callback auth cbcp e.164 1234567
set cbcp 1234567
# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
load server
set callback cbcp
set cbcp
set log +cbcp
set redial 3 1
set device /dev/cuad0
set speed 115200
set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
load callback-server
set cbcp *
# Multilink mode is available (rfc1990).
# To enable multi-link capabilities, you must specify a MRRU. 1500 is
# a reasonable value. To create new links, use the ``clone'' command
# to duplicate an existing link. If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# It's worth increasing your MTU and MRU slightly in multi-link mode to
# prevent full packets from being fragmented.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time. The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
load loop
set device /dev/cuad0 /dev/cuad1 /dev/cuad2 # Use any of these devices
set mode interactive
set mrru 1500
set mru 1504 # Room for the MP header
clone 1 2 3
link deflink remove
# dial
# link 2 dial
# link 3 dial
mloop-in:
set timeout 0 # No idle timer
set log tun phase
allow mode direct
set mrru 1500
set mru 1504 # Room for the MP header
# User supplied authentication:
# It's possible to run ppp in the background while specifying a
# program to use to obtain authentication details on demand.
# This program would usually be a simple GUI that presents a
# prompt to a known user. The ``chap-auth'' program is supplied
# as an example (and requires tcl version 8.0).
#
CHAPprompt:
load PAPorCHAPpmdemand
set authkey !/usr/share/examples/ppp/chap-auth
# It's possible to do the same sort of thing at the login prompt.
# Here, after sending ``brian'' in response to the ``name'' prompt,
# we're prompted with ``code:''. A window is then displayed on the
# ``keep:0.0'' display and the typed response is sent to the peer
# as the password. We then expect to see ``MTU'' and ``.'' in the
# servers response.
#
loginprompt:
load pmdemand
set authname "brian"
set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
AUTHNAME\" MTU \\c ."
# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache
# the MAC address that connects to them, making it impossible to switch
# your PPPoE connection between machines.
#
# The current implementation requires Netgraph, so it doesn't work with
# OpenBSD or NetBSD.
#
# The client should be something like this:
#
pppoe:
set device PPPoE:de0:pppoe-in
enable lqr echo
set cd 5
set dial
set login
set redial 0 0
# And the server should be running
#
# /usr/libexec/pppoed -p pppoe-in fxp0
#
# See rc.conf(5)
#
pppoe-in:
allow mode direct # Only for use on server-side
enable lqr echo proxy # Enable LQR and proxy-arp
enable chap pap passwdauth # Force client authentication
set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers
accept dns # Allow DNS negotiation
# It's possible to run ppp back-to-back with itself. This is useful
# for testing.
#
# When testing scalability and concurrency, the following profile might
# be used.
#
# Note, you'll have to make some other machine adjustments:
#
# o Bump maxusers in your kernel configuration to about 256 so that there
# are enough process table slots.
# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll
# need 3 descriptors per ppp process (assuming no server socket).
#
# You can now create 2000 processes (1000 pairs) with:
#
# n=0
# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done
#
# If you want to test concurrency, try using ``ppp -dd loop'' instead.
#
loop:
set timeout 0
set log
set device "!ppp -direct loop-in"
set dial
set login
set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255
disable deflate pred1 mppe
deny deflate pred1 mppe
loop-in:
set timeout 0
set log
allow mode direct
set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255
disable deflate pred1 mppe
deny deflate pred1 mppe
|