7e7d5a25cb
the peer demands authentication, and add some more detail to the example configurations. This is the first time I've written any TCL, so I'd appreciate it if someone eyeballed the *-auth stuff and fixed any glaring problems.
509 lines
16 KiB
Plaintext
#################################################################
#
# PPP Sample Configuration File
#
# Originally written by Toshiharu OHNO
#
# $Id: ppp.conf.sample,v 1.1 1999/02/11 16:33:14 brian Exp $
#
#################################################################

# This file is separated into sections. Each section is named with
# a label starting in column 0 and followed directly by a ``:''. The
# section continues until the next section. Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file. You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup. Always executed when PPP is invoked.
# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, its DTR rate,
# your dial script and any logging specification. Logging specs should
# be done first so that the results of subsequent commands are logged.
#
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that initiates the connection as the client and
# the side that receives the connection as the server. Authentication
# is required by the server either using a unix-style login procedure
# or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to. Ppp can change this
# when the link comes up.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP number.
#
# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision. This is necessary
# when negotiating with some (broken) ppp implementations.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode.
#
# Finally, the ``enable dns'' line tells ppp to ask the peer for the
# nameserver addresses that should be used. This isn't always supported
# by the other side, but if it is, ppp will update /etc/resolv.conf with
# the correct nameserver values at connection time.
#
# The login script shown says that you're expecting ``ogin:''. If you
# don't receive that, send a ``\n'' and expect ``ogin:'' again. When
# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
# You *MUST* customise this login script according to your local
# requirements.
#
pmdemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# If you want to use PAP or CHAP instead of using a unix-style login
# procedure, do the following. Note, the peer suggests whether we
# should send PAP or CHAP. By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.
#
PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname MyName
 set authkey MyKey
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
# # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# a "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44
 add default HISADDR
 enable dns

# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete. They're provided as examples
# of how to achieve different things.

examples:
 # Multi-phone example. Numbers separated by a : are used sequentially.
 # Numbers separated by a | are used if the previous dial or login script
 # failed. Usually, you will prefer to use only one of | or :, but both
 # are allowed.
 #
 set phone 12345678|12345679:12345670|12345671
 #
 # Ppp can accept control instructions from the ``pppctl'' program.
 # First, you must set up your control socket. It's safest to use
 # a UNIX domain socket, and watch the permissions:
 #
 set server /var/tmp/internet MySecretPassword 0177
 #
 # Although a TCP port may be used if you want to allow control
 # connections from other machines:
 #
 set server 6670 MySecretpassword
 #
 # If you don't like ppp's builtin chat, use an external one:
 #
 set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
 #
 # If we have a ``strange'' modem that must be re-initialized when we
 # hangup:
 #
 set hangup "\"\" AT OK-AT-OK ATZ OK"
 #
 # To adjust logging without blasting the setting in default:
 #
 set log -command +tcp/ip
 #
 # To see log messages on the screen in interactive mode:
 #
 set log local LCP IPCP CCP
 #
 # If you're seeing a lot of magic number problems and failed connections,
 # try this (see the man page):
 #
 set openmode active 5
 #
 # For noisy lines, we may want to reconnect (up to 20 times) after loss
 # of carrier, with 3 second delays between each attempt:
 #
 set reconnect 3 20
 #
 # When playing server for M$ clients, tell them who our NetBIOS name
 # servers are:
 #
 set nbns 10.0.0.1 10.0.0.2
 #
 # Inform the client if they ask for our DNS IP numbers:
 #
 enable dns
 #
 # If you don't want to tell them what's in your /etc/resolv.conf file
 # with `enable dns', override the values:
 #
 set dns 10.0.0.1 10.0.0.2
 #
 # If we're using the -alias switch, redirect ftp and http to an internal
 # machine:
 #
 alias port 10.0.0.2:ftp ftp
 alias port 10.0.0.2:http http
 #
 # or don't trust the outside at all
 #
 alias deny_incoming yes
 #
 # I trust user brian to run ppp, so this goes in the `default' section:
 #
 allow user brian
 #
 # But label `internet' contains passwords that even brian can't have, so
 # I empty out the user access list in that section so that only root can
 # have access:
 #
 allow users
 #
 # I also may wish to set up my ppp login script so that it asks the client
 # for the label they wish to use. I may only want user ``dodgy'' to access
 # their own label in direct mode:
 #
dodgy:
 allow user dodgy
 allow mode direct
 #
 # If we don't want ICMP and DNS packets to keep the connection alive:
 #
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 permit 0 0
 #
 # And we don't want ICMPs to cause a dialup:
 #
 set filter dial 0 deny icmp
 set filter dial 1 permit 0 0
 #
 # or any TCP SYN or RST packets (badly closed TCP channels):
 #
 set filter dial 2 deny 0 0 tcp syn finrst
 #
 # Once the line's up, allow connections for ident (113), telnet (23),
 # ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
 # ICMP (ping) and traceroute (>33433).
 #
 # Anything else is blocked by default
 #
 set filter in 0 permit tcp dst eq 113
 set filter out 0 permit tcp src eq 113
 set filter in 1 permit tcp src eq 23 estab
 set filter out 1 permit tcp dst eq 23
 set filter in 2 permit tcp src eq 21 estab
 set filter out 2 permit tcp dst eq 21
 set filter in 3 permit tcp src eq 20 dst gt 1023
 set filter out 3 permit tcp dst eq 20
 set filter in 4 permit udp src eq 53
 set filter out 4 permit udp dst eq 53
 set filter in 5 permit 192.244.191.0/24 0/0
 set filter out 5 permit 0/0 192.244.191.0/24
 set filter in 6 permit icmp
 set filter out 6 permit icmp
 set filter in 7 permit udp dst gt 33433
 set filter out 7 permit udp dst gt 33433


# Server side PPP
#
# If you want the remote system to authenticate itself, you must insist
# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
# PAP are disabled by default. You may enable either or both. If both
# are enabled, CHAP is requested first. If the client doesn't agree, PAP
# will then be requested.
#
# Note: If you use the getty/login process to authenticate users, you
# don't need to enable CHAP or PAP, but the user that has logged
# in *MUST* be a member of the ``network'' group (in /etc/group).
#
# If you wish to allow any user in the passwd database ppp access, you
# can ``enable passwdauth''.
#
# When the peer authenticates itself, we use ppp.secret for verification
# (although refer to the ``set radius'' command below for an alternative).
#
# Note: We may supply a third field in ppp.secret specifying the IP
# address for that user, a fourth field to specify the
# ppp.link{up,down} label to use and a fifth field to specify
# callback characteristics.
#
# The easiest way to allow transparent LAN access to your dialin users
# is to assign them a number from your local LAN and tell ppp to make a
# ``proxy'' arp entry for them. In this example, we have a local LAN
# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
# override the dynamic IP number with a static IP number specified in
# ppp.secret.
#
# Ppp is launched with:
# # ppp -direct server
#
server:
 enable chap
 enable pap
 enable passwdauth
 enable proxy
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
 accept dns

# Example of a RADIUS configuration:
# If there are one or more radius servers available, we can use them
# instead of the ppp.secret file. Simply put them in a radius
# configuration file (usually /etc/radius.conf) and give ppp the
# file name.
# Ppp will use the FRAMED characteristics supplied by the radius server
# to configure the link.

radius-server:
 load server
 set radius /etc/radius.conf


# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client !
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
 set dial ""
 set line /dev/cuaa0
 set sp 115200
 set timeout 900
 set lqrperiod 10
 set log Phase Chat LQM
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr
 accept lqr

direct-server:
 set timeout 0
 set lqrperiod 10
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr
 accept lqr


# Example to connect via compuserve
# Compuserve insists on 7 bits even parity during the chat phase. Modem
# parity is always reset to ``none'' after the link has been established.
#
compuserve:
 set phone 1234567
 set parity even
 set login "TIMEOUT 10 \"\" \"\" Name: CIS ID: 99999,9999/go:pppconnect \
            word: XXXXXXXX"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add default HISADDR


# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234. Read the man page for further details
#
# Note, we assume we're using a binary-clean connection. If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0

# Example for PPP testing.
# If you want to test ppp, do it through the loopback interface:
#
# Requires a line in /etc/services:
# ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set ifaddr 127.0.0.2 127.0.0.3
 set server /var/tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# /etc/ppp/secure (which should be executable) says:
# #! /bin/sh
# exec ssh whatevermachine /usr/sbin/ppp -direct loop-in
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
 load loop
 set device !/etc/ppp/secure

# Example of non-PPP callback.
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves. When this has happened, we wait
# 60 seconds for a RING.
#
dialback:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
           ATDT\\T TIMEOUT 60 CONNECT"
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
            \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"

# Example of PPP callback.
# Alternatively, if the peer is using the PPP callback protocol, we're
# happy either with ``auth'' style callback where the server dials us
# back based on what we authenticate ourselves with, ``cbcp'' style
# callback (invented by Microsoft but not agreed by the IETF) where
# we negotiate callback *after* authentication or E.164 callback where
# we specify only a phone number. I would recommend only ``auth'' and/or
# ``cbcp'' callback methods.
# For ``cbcp'', we insist that we choose ``1234567'' as the number that
# the server must call back.
#
callback:
 load pmdemand
 set callback auth cbcp e.164 1234567
 set cbcp 1234567

# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
 load server
 set callback cbcp
 set cbcp
 set log +cbcp
 set redial 3 1
 set device /dev/cuaa0
 set speed 115200
 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"

# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
 load callback-server
 set cbcp *

# Multilink mode is available (rfc1990).
# To enable multilink capabilities, you must specify a MRRU. 1500 is
# a reasonable value. To create new links, use the ``clone'' command
# to duplicate an existing link. If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time. The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
 load loop
 set mode interactive
 set mrru 1500
 clone 1 2 3
 link deflink remove
 # dial
 # link 2 dial
 # link 3 dial

mloop-in:
 set timeout 0
 set log tun phase
 allow mode direct
 set mrru 1500

# User supplied authentication:
# It's possible to run ppp in the background while specifying a
# program to use to obtain authentication details on demand.
# This program would usually be a simple GUI that presents a
# prompt to a known user. The ``chap-auth'' program is supplied
# as an example (and requires tcl version 8.0).
#
CHAPprompt:
 load PAPorCHAPpmdemand
 set authkey !/usr/share/examples/ppp/chap-auth

# It's possible to do the same sort of thing at the login prompt.
# Here, after sending ``brian'' in response to the ``name'' prompt,
# we're prompted with ``code:''. A window is then displayed on the
# ``keep:0.0'' display and the typed response is sent to the peer
# as the password. We then expect to see ``MTU'' and ``.'' in the
# server's response.
#
loginprompt:
 load pmdemand
 set authname brian
 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
            code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
            AUTHNAME\" MTU \\c ."
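The section format described in the comments at the top of this file (a label in column 0 followed by ``:'', blank and ``#'' lines ignored, a trailing backslash continuing a command as in the ``set dial'' and ``set login'' lines) together with the ``load'' command used by callback:, CHAPprompt: and others, as a Python parser added here for illustration; it is not part of ppp or of this file, and the small config it parses is constructed for the example.

```python
import re
from collections import OrderedDict

LABEL_RE = re.compile(r"^([^\s:#!][^\s:]*):\s*$")   # label in column 0, then ':'


def parse_ppp_conf(text):
    """Parse ppp.conf text into an ordered {label: [command, ...]} mapping:
    blank/'#' lines are dropped, a trailing backslash joins the next line."""
    sections, current, pending = OrderedDict(), None, None
    for raw in text.splitlines():
        if pending is None:
            line = raw.rstrip()
            if not line.strip() or line.lstrip().startswith("#"):
                continue
        else:                                   # continuation of previous line
            line = pending + raw.strip()
        pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        label = LABEL_RE.match(line)            # unstripped: column 0 only
        if label:
            current = label.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("command before the first label: %r" % line)
        else:
            sections[current].append(line.strip())   # '!include' stays literal
    return sections


def resolve(sections, label, _chain=()):
    """Expand each 'load X' into X's commands (recursively); 'default' is not
    prepended, since the file says it runs at startup rather than on 'load'."""
    if label in _chain:
        raise ValueError("load cycle: " + " -> ".join(_chain + (label,)))
    out = []
    for cmd in sections[label]:
        if cmd.split()[0] != "load":
            out.append(cmd)
            continue
        for target in cmd.split()[1:]:
            out.extend(resolve(sections, target, _chain + (label,)))
    return out


SAMPLE = r"""
default:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
pmdemand:
 set phone 1234567
callback:
 load pmdemand
 set callback auth cbcp e.164 1234567
"""  # constructed sample in this file's section format, not copied from it
```

`resolve(parse_ppp_conf(SAMPLE), "callback")` yields pmdemand's command followed by callback's own, which is the order ppp would execute them in.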