d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c32e8ac670
freebsd-dev/etc/ppp/ppp.conf.sample
Brian Somers 8842b72734 Show how to create a secure (ssh) VPN
1998-10-03 13:12:14 +00:00

431 lines
13 KiB
Plaintext
Raw Blame History

#################################################################
#
# PPP Sample Configuration File
#
# Originally written by Toshiharu OHNO
#
# $Id: ppp.conf.sample,v 1.32 1998/09/06 13:55:51 brian Exp $
#
#################################################################
# This file is separated into sections. Each section is named with
# a label starting in column 0 and followed directly by a ``:''. The
# section continues until the next section. Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file. You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#
# Default setup. Always executed when PPP is invoked.
# This section is *not* loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, it's DTR rate,
# and any logging specification. Logging specs should be done first
# so that subsequent commands are logged.
#
default:
set log Phase Chat LCP IPCP CCP tun command
set device /dev/cuaa1
set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that makes the connection as the client and the
# side that receives the connection as the server. Authentication
# is required by the server either using a unix-style login proceedure
# or by demanding PAP or CHAP authentication from the client.
#
# An on demand example where we have dynamic IP addresses:
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP numbers.
#
# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode.
#
# Finally, the ``enable dns'' bit tells ppp to ask the peer for the
# nameserver addresses that should be used. This isn't always supported
# by the other side, but if it is, /etc/resolv.conf will automatically be
# updated.
#
pmdemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# When we want to use PAP or CHAP instead of using a unix-style login
# proceedure, we do the following. Note, the peer suggests whether we
# should send PAP or CHAP. By default, we send whatever we're asked for.
#
PAPorCHAPpmdemand:
set phone 1234567
set login
set authname MyName
set authkey MyKey
set timeout 120
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
# # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# a "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
set phone 1234567
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
set timeout 120
set ifaddr 192.244.185.226 192.244.176.44
add default HISADDR
enable dns
# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete. They're provided as examples
# of how to achieve different things.
examples:
# Multi-phone example. Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed. Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
set phone 12345678|12345679:12345670|12345671
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket. It's safest to use
# a UNIX domain socket, and watch the permissions:
#
set server /var/tmp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging withouth blasting the setting in default:
#
set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
enable dns
#
# If you don't want to tell them what's in your /etc/resolf.conf file
# with `enable dns', override the values:
#
set dns 10.0.0.1 10.0.0.2
#
# If we're using the -alias switch, redirect ftp and http to an internal
# machine:
#
alias port 10.0.0.2:ftp ftp
alias port 10.0.0.2:http http
#
# or don't trust the outside at all
#
alias deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use. I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
allow user dodgy
allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53
set filter alive 3 permit 0 0
#
# And we don't want ICMPs to cause a dialup:
#
set filter dial 0 deny icmp
set filter dial 1 permit 0 0
#
# or any TCP SYN or RST packets (badly closed TCP channels):
#
set filter dial 2 deny 0 0 tcp syn finrst
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
set filter in 0 permit tcp dst eq 113
set filter out 0 permit tcp src eq 113
set filter in 1 permit tcp src eq 23 estab
set filter out 1 permit tcp dst eq 23
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
set filter in 3 permit tcp src eq 20 dst gt 1023
set filter out 3 permit tcp dst eq 20
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 5 permit 192.244.191.0/24 0/0
set filter out 5 permit 0/0 192.244.191.0/24
set filter in 6 permit icmp
set filter out 6 permit icmp
set filter in 7 permit udp dst gt 33433
set filter out 7 permit udp dst gt 33433
# Server side PPP
# If you want the remote system to authenticate itself, you insist
# that the peer uses CHAP (or PAP) with the "enable" keyword. Both CHAP and
# PAP are disabled by default (we usually only "enable" one of them if the
# other side is dialing into our server).
# When the peer authenticates itself, we use ppp.secret for verification.
#
# Ppp is launched with:
# # ppp -direct CHAPserver
#
# Note: We can supply a third field in ppp.secret specifying the IP address
# for that user. We can even specify a forth field to specify the
# ppp.link{up,down} label to use.
#
CHAPserver:
enable chap
enable proxy
set ifaddr 192.244.176.44 292.244.184.31
accept dns
# If we wish to act as a server, allowing PAP access according to
# accounts in /etc/passwd, we do this (Without `enable passwdauth',
# you may still enter ``*'' as the users password in ppp.secret and
# ppp will look it up in the passwd database. This is useful if you
# need to assign a special label or IP number or range):
#
PAPServerwithPASSWD:
enable pap
enable passwdauth
enable proxy
set ifaddr 192.244.176.44 292.244.184.31
accept dns
# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client !
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
set dial ""
set line /dev/cuaa0
set sp 115200
set timeout 900
set lqrperiod 10
set log Phase Chat LQM
set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
set ifaddr 10.0.4.2 10.0.4.1
enable lqr
accept lqr
direct-server:
set timeout 0
set lqrperiod 10
set log Phase LQM
set ifaddr 10.0.4.1 10.0.4.2
enable lqr
accept lqr
# Example to connect via compuserve (who insist on 7 bits even parity
# during the chat phase).
#
compuserve:
set phone 1234567
set parity even
set login "TIMEOUT 10 \"\" \"\" Name: CIS ID: 99999,9999/go:pppconnect \
word: XXXXXXXX"
set timeout 300
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
delete ALL
add default HISADDR
# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234. Read the man page for further details
#
# Note, we assume we're using a binary-clean connection. If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
set device tcpsrv.mynet:1234
set dial
set login
set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
tcp-server:
set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
# If you want to test ppp, do it through a loopback:
#
# Requires a line in /etc/services:
# ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:ppploop
set dial
set login
set ifaddr 127.0.0.2 127.0.0.3
set server /var/tmp/loop "" 0177
loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# /etc/ppp/secure (which should be executable) says:
# #! /bin/sh
# exec ssh whatevermachine /usr/sbin/ppp -direct loop-in
#
sloop:
load loop
set device !/etc/ppp/secure
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves. When this has happened, we wait
# 60 seconds for a RING.
#
dialback:
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
ATDT\\T TIMEOUT 60 CONNECT"
set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
\"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
# Alternatively, if the peer is using the PPP callback protocol, use
# normal dial and login scripts and add
#
set callback auth cbcp e.164 1234567
set cbcp 1234567
# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
set callback cbcp
set cbcp
set log +cbcp
set redial 3 1
set device /dev/cuaa0
set speed 115200
set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
# Or if we want to allow authenticated clients to specify their own
# callback number, use this ``set cbcp'' line instead:
#
set cbcp *
# Multilink mode is available (rfc1990).
# To enable multilink capabilities, you must specify a MRRU. 1500 is
# a reasonable value. To create new links, use the ``clone'' command
# to duplicate an existing link. If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time. The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
load loop
set mode interactive
set mrru 1500
clone 1 2 3
link deflink remove
# dial
# link 2 dial
# link 3 dial
mloop-in:
set timeout 0
set log tun phase
allow mode direct
set mrru 1500
Reference in New Issue View Git Blame Copy Permalink