From 80559981e676cd6a22c87523766e8d0d2a9727ee Mon Sep 17 00:00:00 2001
From: grunk
Date: Tue, 3 Oct 2006 12:53:50 +0000
Subject: [PATCH] detailed explanation how to use pptp on OpenBSD, with example another fine input from Stefan Sperling maintainer timeout, ok sturm@
---
 net/pptp/Makefile | 5 +-
 net/pptp/patches/patch-USING | 94 ++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 net/pptp/patches/patch-USING
diff --git a/net/pptp/Makefile b/net/pptp/Makefile
index a9761a0e77a..0fc6e1b0aae 100644
--- a/net/pptp/Makefile
+++ b/net/pptp/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.14 2006/09/30 20:40:10 grunk Exp $
+# $OpenBSD: Makefile,v 1.15 2006/10/03 12:53:50 grunk Exp $
 # $NetBSD: Makefile,v 1.1.1.1 2000/04/10 01:14:01 jtk Exp $
 COMMENT= 'PPTP client package for Microsoft VPN servers'
 DISTNAME= pptp-1.7.0
-PKGNAME= ${DISTNAME}p0
+PKGNAME= ${DISTNAME}p1
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=pptpclient/}
@@ -31,6 +31,7 @@ post-patch:
 ${FILESDIR}/pptp_8 > pptp.8
 @cd ${WRKSRC}; sed -e s,PREFIX,${PREFIX}, < \
 ${FILESDIR}/pptp_reconnect > pptp-reconnect
+ @perl -pi -e "s,PREFIX,${PREFIX}," ${WRKSRC}/USING
 do-install:
 ${INSTALL_PROGRAM} ${WRKSRC}/pptp ${PREFIX}/sbin
diff --git a/net/pptp/patches/patch-USING b/net/pptp/patches/patch-USING
new file mode 100644
index 00000000000..c375d82b736
--- /dev/null
+++ b/net/pptp/patches/patch-USING
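Review bot: The new `@perl -pi -e "s,PREFIX,${PREFIX}," ${WRKSRC}/USING` line in the post-patch hunk is an unanchored substitution, so it rewrites every occurrence of the string PREFIX in USING rather than only the `!PREFIX/sbin/pptp` token that patch-USING introduces; if the rest of USING (not visible in this diff) uses that word anywhere else it will be silently mangled. It also reaches for perl while the two lines directly above do the same PREFIX substitution with `sed -e s,PREFIX,${PREFIX},`, which is a style inconsistency worth removing. Both forms use `,` as the delimiter, so they break if ${PREFIX} ever contains a comma; a tighter pattern such as `s,!PREFIX/,!${PREFIX}/,` limits the rewrite to the intended token. The post-patch target begins before this hunk.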
@@ -0,0 +1,94 @@
+$OpenBSD: patch-USING,v 1.1 2006/10/03 12:53:50 grunk Exp $
+--- USING.orig Sat Sep 30 22:51:56 2006
++++ USING Sat Sep 30 22:51:58 2006
+@@ -95,4 +95,90 @@ See also the following test scripts;
+ test-multiple-tunnels-1.sh creates multiple source interfaces
+ test-multiple-tunnels-2.sh creates multiple tunnels
+
++
++EXAMPLE CONFIGURATION FOR OPENBSD:
++
++On OpenBSD, pptp uses the userspace ppp(8) implementation
++instead of pppd(8). This is a compile-time option.
++
++Having ppp start pptp seems to be working much better
++than the other way round.
++
++This example assumes that we want to configure a gateway running
++OpenBSD to provide PPTP VPN access to a remote network for all hosts
++on our internal LAN.
++
++Let us assume that the VPN server is called vpn-gateway.net,
++and that the default route of our OpenBSD box is 42.42.42.42.
++The remote network is 10.42.0/16; all traffic to this network
++should go through the VPN tunnel.
++
++First, put something like this into /etc/ppp/ppp.conf so we
++can connect to the vpn gateway:
++
++ default:
++ set log Phase Chat LCP IPCP CCP tun command
++ vpn:
++ set device "!PREFIX/sbin/pptp --nolaunchpppd vpn-gateway.net"
++ set authname User
++ set authkey MySecret
++ set mtu max 1490
++ set mru max 1490
++ set mppe 128 stateless
++
++Next, we need to configure routing in /etc/ppp/ppp.linkup.
++Assuming vpn-gateway.net resides inside 10.42.0/16, we have to add a host
++route pointing to vpn-gateway.net in order to avoid a chicken-and-egg
++problem once packets to 10.42.0/16 are routed through the tunnel.
++We also load packet filter anchors for the vpn interface here.
++More on that later.
++
++/etc/ppp/ppp.linkup:
++
++ MYADDR:
++ ! sh -c "/sbin/route add -host vpn-gateway.net 42.42.42.42"
++ ! sh -c "/sbin/route add -net 10.42.0.0 -netmask 255.255.0.0 HISADDR"
++ ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"
++
++Commands in ppp.linkdown simply undo changes made in ppp.linkup.
++
++/etc/ppp/ppp.linkdown:
++
++ MYADDR:
++ ! sh -c "/sbin/pfctl -a vpn -F all"
++ ! sh -c "/sbin/route delete -net 10.42.0.0 -netmask 255.255.0.0 HISADDR"
++ ! sh -c "/sbin/route delete -host vpn-gateway.net 42.42.42.42"
++
++To make pf aware of the vpn anchors, put these lines into the
++nat and filter sections of /etc/pf.conf, respectively:
++
++ nat-anchor "vpn"
++ anchor "vpn"
++
++Now define vpn anchor rules in /etc/pf.conf.vpn:
++
++ int_if=xl0
++ vpn_if=tun0
++
++ nat on $vpn_if from $int_if:network to any -> ($vpn_if)
++
++ pass out on $vpn_if keep state
++
++ # Allow ping from remote, and explicitly make sure our replies are
++ # routed back through the tunnel.
++ pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \
++ inet proto icmp icmp-type echoreq keep state
++
++ # Same for ssh.
++ pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \
++ from any to ($vpn_if) port ssh flags S/SA keep state
++
++
++Connect by running:
++
++ ppp -ddial vpn
++
++To terminate the connection, kill the ppp process. It creates a PID
++file in /var/run/tunX.pid, where X is the number of the tun device used.
++
+ $Id: patch-USING,v 1.1 2006/10/03 12:53:50 grunk Exp $
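Review bot: The ppp.conf example stores the VPN password in clear text (`set authkey MySecret`) but says nothing about who may read the file, and anyone who can read /etc/ppp/ppp.conf obtains that credential; a one-line addition after the ppp.conf block such as `Make sure /etc/ppp/ppp.conf is owned by root and not readable by other users (mode 0600).` would close that gap. The ppp.linkup commands run as root and resolve vpn-gateway.net through DNS every time the link comes up, so the host route follows whatever address the resolver returns at that moment; the text could mention that putting the server's IP address there avoids depending on DNS at link-up time. The final context line reads `$Id: patch-USING,v 1.1 ...`, which looks like CVS keyword expansion of an `$Id$` inside the patch itself; if the pristine USING ends with a different `$Id` string, this context line will no longer match and the patch may only apply with fuzz, so the keyword is probably better neutralised in the patch file.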