Date: Fri, 26 Apr 1996 14:46:31 +0100 (BST)
From: Nik Clayton <nik@blueberry.co.uk>
To: questions@freebsd.org
Subject: Server PPP: Opinions before handbook submission
Message-ID: <199604261346.OAA01205@plum.blueberry.co.uk>
Hi,
After my previous message, and thanks to some enlightenment from Nate
Williams, I now have server ppp working quite nicely.
As promised, I've written it up for the handbook. I'd appreciate anyone
who's knowledgeable in these areas taking a quick look over the included
text in case I've made any glaring errors.
Also, if anyone's about to try to set up server ppp, perhaps they could
look through this and suggest improvements for anything that's not clear?
I'll give it until Wednesday next week, then submit it to doc.
N
Configuring FreeBSD to act as a PPP server.
By Nik Clayton (nik@blueberry.co.uk), based on additional information supplied
by Nate Williams (nate@sri.mt.net)
The Theory
Consider two machines, 'A' and 'B'. 'A' is the server. It has its own
connection to the Internet (or an intranet), runs FreeBSD, and has at
least one modem attached. 'B' is the client, running some form of PPP
client software.
'B' will dial into 'A', at which point it is presented with some form of
login and password prompt. After successfully authenticating 'B', the ppp
server is started on 'A'. A route is added on 'A' to allow packets to flow
from 'A' to 'B' and back again, and (optionally) 'A' proxies ARP (address
resolution protocol) requests for 'B' so that 'B' can get off the local
network and on to the wider Internet.
The Implementation
1. Configure 'A' to allow dial-up access. See section 10.4 in this
handbook for information on how to do this. You must be able to
successfully dial in to 'A', type in the username and password of
someone on the system and be allowed in before you can proceed any
further.
Don't forget to configure the modem to autoanswer.
2. Include the 'ppp' device on A.
While it is possible to use the 'user-mode' PPP program (iijppp) to act
as a server, received wisdom does not recommend this, particularly if
'A' will be spending a large portion of its time as a server. This
document does not address using 'iijppp' as the server.
pppd requires a kernel interface, 'ppp0', to work. At the very least,
add the line
pseudo-device ppp 1
to your kernel config file (something similar to this, but commented
out, may already be there). This will create one ppp interface (called
ppp0). If you plan on allowing more than one connection, replace '1'
with the number of active connections you want.
Rebuild and re-install the kernel. Section 5 has more information on
the steps necessary. Note that on rebooting the pppn devices are not
shown at boot time. To confirm the device has been installed, login,
and as root type
ifconfig ppp0
which should return text similar to
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
3. Configure the pppd software.
The interface is only half the story. The PPP daemon 'pppd' must be run
on each successful connection to provide PPP services.
pppd's configuration file is /etc/ppp/options. Create this file if it
doesn't already exist. It should look like this:
proxyarp
crtscts
w.x.y.z:
auth
+pap
login
modem
netmask 255.255.255.0
domain foo.bar
passive
You can alter some of these options depending on your local
requirements. In order, these options mean:
proxyarp - pppd will add an entry in the system ARP table for the host
that has connected (B). This is essential to allow traffic from 'B' to
get off the local network.
crtscts - Use hardware flow control
w.x.y.z: - replace this with the IP address of 'A'
auth - 'B' *must* authenticate itself before network packets will be
sent or received.
+pap - 'B' *must* use PAP (Password Authentication Protocol) to do the
authentication. This is a fairly common method of authentication. You
can also use +chap, to use CHAP authentication. Or you can turn these
options off. 'man pppd' has more information.
login - Use the passwd file as the 'secrets' file for PAP or CHAP
authentication. This allows users to authenticate themselves using
their existing user IDs and passwords. If you do not do this then you
can create a file (called a 'secrets' file) which contains equivalent
information. Again, 'man pppd' goes into more detail on this topic.
modem - Use the modem control lines. I'm unsure of the effect this has,
but it doesn't seem to hurt. Perhaps someone could provide more
information for this.
netmask 255.255.255.0 - This is the netmask for the connection. Use
whatever netmask you already use for the local network.
domain foo.bar - Replace 'foo.bar' with your domain name
passive - pppd will try to initiate the conversation with 'B'. If no
reply is received then pppd will wait, rather than immediately
quitting. This is useful for noisy lines, or where 'B' is slow in
responding.
4. Test the above
Pick a modem line on which you are not running a getty. If you don't
have any free, turn off one of the gettys in /etc/ttys and send a HUP
signal to init so that the change takes effect.
Assume this is the first modem line on the system. Then run
pppd speed /dev/ttyd0 -detach
replace 'speed' in the above with the port speed you use. Use whatever
speed you have in the getty line in /etc/ttys. For example, if you
normally start a getty on /dev/ttyd0 with the std.115200 profile then
run
pppd 115200 /dev/ttyd0 -detach
This will run pppd, and it won't detach from the terminal. This is
good.
Now configure your client software on 'B'. The thing to watch for with
this configuration is how much information the client program expects
to receive.
Specifically, the client should be configured with its own IP
address. It should not rely on the server to send it down. The client
should be told 'A's IP address (w.x.y.z in the config file above).
'B' should now attempt to dial into 'A'. When the line is answered pppd
should notice this. If you are watching this on 'B' you'll see data
that looks like random garbage (with lots of '}' characters in it)
coming down the line. This is 'A' asking 'B' to authenticate itself.
The software on 'B' will probably prompt for a username and password
pair. Recall that we are using PAP to authenticate the connection, and
that the /etc/passwd file is being used, so you must enter the username
and password of someone on your system.
If it is accepted then the PPP connection should come fully up. You
should be able to telnet from 'B' to 'A'. In fact, you should be able
to do anything on 'B' that you could do on 'A'. If you could telnet to
other hosts on your network from 'A' then try doing that from 'B'. If
you could browse the Web from 'A' then get some browser software onto
'B' and try that as well. This should all work.
If it's working correctly, then hang up the line from 'B'.
You should notice back on 'A' that pppd has returned to the shell
prompt. pppd exits once the connection is finished. This is normal.
5. Final configuration
All that remains now is to set things up so that pppd runs on
connection, and is restarted when a connection is dropped.
To do this, you need to create a ppp user. The username is unimportant,
but the shell is very important.
Edit the password file on 'A' (use vipw, so that the password database
is rebuilt afterwards), and create a line something like this:
ppp::1020:1000::0:0:PPP login:/etc/ppp:/etc/ppp/ppp-login
Set the UID and GID to whatever is appropriate on your system. Note that
the empty second field above means the account has no password at all:
anyone who dials in and types 'ppp' at the login prompt gets pppd started
on the line. Give the account a password (with passwd) unless that is
really what you want.
Notice that this account's home directory is set to /etc/ppp
(which doesn't really matter; the home directory is never used) and the
login shell for this account is /etc/ppp/ppp-login.
You need to create this program. Create the file /etc/ppp/ppp-login,
and place the following commands into it
#!/bin/sh
#
# PPP login script
#
# No leading ':' in PATH: an empty entry means "the current directory",
# which for a login shell would put the account's home directory ahead
# of /bin and /sbin when looking up mesg, stty and pppd.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
export PATH
# no write(1)/talk(1) messages on the line that is about to carry PPP
mesg n
# don't stop pppd with SIGTTOU if it writes while in the background
stty -tostop
# replace this shell with pppd; the speed must match the getty in /etc/ttys
exec pppd 115200 debug
Don't forget to make this shell script executable.
Essentially, whenever anyone logs in with the 'ppp' username, messaging
is turned off, SIGTTOU is turned off for background output (see
stty(1)) and then the pppd program is executed over the top of it. We
specify the speed of the connection (make sure this matches the other
speeds you've set earlier on) and debugging is turned on, allowing
connection information to be logged.
Don't forget to turn the getty on /dev/ttyd? back on (if you turned it
off for testing earlier).
6. Final configuration and testing
Go back to 'B'. Edit the client software configuration so that on
connection it waits for the string 'ogin:', and sends the string
'ppp'. It should then wait for the string 'assword:', and send back
whatever password you set for the 'ppp' account.
Make the connection to 'A'. If all goes well the client software will
dial up 'A'. The 'getty' running on 'A' will send the 'login:' and
'Password:' prompts, and in response the client will send the username
'ppp' and the password you've set.
If this validates, /etc/ppp/ppp-login will be run. This runs the pppd
daemon, completing the connection.
Congratulations, you should now have a working PPP connection.
When 'B' drops the connection, pppd on 'A' will die. 'init' will notice
this, and another getty will be spawned to watch for incoming
connections. At which point another client can log in.
And so on.
Common problems
I get "pppd [pid]: ioctl(TIOCSCTTY): Operation not permitted" errors when
pppd starts up.
pppd and getty have different ideas about the options on the
communications port, probably the speed is different. Double check that
the speed assigned to the port is the same in /etc/rc.serial, /etc/ttys
and /etc/ppp/ppp-login.
When testing pppd (without getty, i.e., step 4 above) I can connect OK,
but pppd just sends down repeated '`' (backtick) characters.
Again, a speed problem. Double check that they match.
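A pre-flight check for the two things that steps 4 and 5 and the Common problems section leave the reader to keep consistent by hand, as an added example (this script is not from the original post or the FreeBSD handbook): it reads an /etc/ttys-style file and a ppp-login-style script and compares the getty speed with the speed handed to pppd, and it checks the master.passwd line for the dial-in account (field count, login shell present and executable, empty or '*' password field). The sample ttys lines, the sample script and the account lines at the bottom are constructed for illustration, the function names are the example's own, and /etc/rc.serial is not parsed.

```shell
#!/bin/sh
# ppp-preflight: added example, not part of the original post or the
# handbook. Cross-checks two things the procedure above leaves to hand
# bookkeeping:
#  1. the getty speed (std.NNNN profile in an /etc/ttys-style file) against
#     the speed a ppp-login style script hands to pppd; a mismatch is the
#     usual cause of the TIOCSCTTY and backtick symptoms;
#  2. the master.passwd line for the dial-in account: field count, login
#     shell present and executable, and the password field (empty means
#     no password is asked for; '*' locks the account).
# Paths are parameters so it can run against copies. /etc/rc.serial is
# not parsed. The sample files at the bottom are constructed.

# getty_speed TTYS_FILE TTY: numeric speed of TTY's std.NNNN profile,
# e.g. 115200; prints nothing when the tty has no such profile.
getty_speed() {
    awk -v tty="$2" '
        $1 == tty && match($0, /std\.[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit
        }' "$1"
}

# pppd_speed SCRIPT: numeric speed on the "exec pppd" line of SCRIPT.
pppd_speed() {
    awk '$1 == "exec" && $2 == "pppd" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print $i; exit }
        }' "$1"
}

# check_speeds TTYS_FILE TTY SCRIPT: "ok SPEED" and status 0 when the two
# speeds agree, otherwise one diagnostic line and status 1.
check_speeds() {
    g=$(getty_speed "$1" "$2")
    p=$(pppd_speed "$3")
    if [ -z "$g" ] || [ -z "$p" ]; then
        echo "missing speed: getty='$g' pppd='$p'"; return 1
    fi
    if [ "$g" != "$p" ]; then
        echo "mismatch: getty=$g pppd=$p"; return 1
    fi
    echo "ok $g"
}

# check_ppp_account LINE: LINE is a master.passwd entry
# (name:password:uid:gid:class:change:expire:gecos:home:shell).
# Prints one problem per line; status 0 when clean, 1 otherwise.
check_ppp_account() {
    rc=0
    nfields=$(printf '%s\n' "$1" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 10 ]; then
        echo "expected 10 fields, got $nfields"; return 1
    fi
    password=$(printf '%s\n' "$1" | cut -d: -f2)
    shell=$(printf '%s\n' "$1" | cut -d: -f10)
    if [ -z "$password" ]; then
        echo "empty password field: no password is required to start pppd"
        rc=1
    elif [ "$password" = "*" ]; then
        echo "password field '*' locks the account; dial-in login will fail"
        rc=1
    fi
    if [ ! -x "$shell" ]; then
        echo "login shell $shell is missing or not executable"; rc=1
    fi
    return $rc
}

# --- constructed sample inputs standing in for /etc/ttys and
# /etc/ppp/ppp-login; ttyd1 is deliberately set to a different speed.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/ttys" <<'EOF'
# name  getty                              type    status
console none                               unknown off secure
ttyd0   "/usr/libexec/getty std.115200"    dialup  on
ttyd1   "/usr/libexec/getty std.38400"     dialup  on
EOF
cat > "$TMP/ppp-login" <<'EOF'
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
export PATH
mesg n
stty -tostop
exec pppd 115200 debug
EOF
chmod 755 "$TMP/ppp-login"

# GOOD_LINE stands in for an entry whose second field holds the hash that
# passwd(1) wrote; EMPTY_LINE is the entry from step 5 as shown above.
GOOD_LINE="ppp:PLACEHOLDER_HASH:1020:1000::0:0:PPP login:/etc/ppp:$TMP/ppp-login"
EMPTY_LINE="ppp::1020:1000::0:0:PPP login:/etc/ppp:$TMP/ppp-login"

check_speeds "$TMP/ttys" ttyd0 "$TMP/ppp-login" || :    # ok 115200
check_speeds "$TMP/ttys" ttyd1 "$TMP/ppp-login" || :    # mismatch
check_ppp_account "$GOOD_LINE" || :                     # silent, clean
check_ppp_account "$EMPTY_LINE" || :                    # empty password
```

Run it as root on 'A' with the real files substituted for the constructed ones (getty_speed /etc/ttys ttyd0, pppd_speed /etc/ppp/ppp-login, and the ppp line from /etc/master.passwd); a mismatch or an empty password field is a finding to fix before turning the getty back on.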
Things you might want to experiment with
The setup outlined above assumes that you have IP addresses permanently
assigned to machines. It's possible to have pppd assign IP addresses on
demand. Or you might want an IP address to be assigned depending on which
user authenticates themself. All sorts of clever bits and pieces can be
done.
Unfortunately, I don't know how, since it's a fairly simple environment in
which I use pppd. However, if you've got some examples that you want to
share then send them on and I'll include them (with appropriate credit, of
course).
--
--+=[ Blueberry Hill Blueberry Design ]=+--
--+=[ http://www.blueberry.co.uk/ 1/9 Chelsea Harbour Design Centre, ]=+--
--+=[ WebMaster@blueberry.co.uk London, England, SW10 0XE ]=+--
--+=[ Don't anthropomorphize computers. They don't like it. ]ENTP
