detailed explanation how to use pptp on OpenBSD, with example

another fine input from Stefan Sperling <stsp at stsp dot in-berlin dot de>

maintainer timeout, ok sturm@

net/pptp/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.14 2006/09/30 20:40:10 grunk Exp $
+# $OpenBSD: Makefile,v 1.15 2006/10/03 12:53:50 grunk Exp $
 # $NetBSD: Makefile,v 1.1.1.1 2000/04/10 01:14:01 jtk Exp $
 
 COMMENT=	'PPTP client package for Microsoft VPN servers'
 
 DISTNAME=	pptp-1.7.0
-PKGNAME=	${DISTNAME}p0
+PKGNAME=	${DISTNAME}p1
 CATEGORIES=	net
 MASTER_SITES= 	${MASTER_SITE_SOURCEFORGE:=pptpclient/}
 
@@ -31,6 +31,7 @@ post-patch:
 		${FILESDIR}/pptp_8 > pptp.8
 	@cd ${WRKSRC}; sed -e s,PREFIX,${PREFIX}, < \
 		${FILESDIR}/pptp_reconnect > pptp-reconnect
+	@perl -pi -e "s,PREFIX,${PREFIX}," ${WRKSRC}/USING
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/pptp ${PREFIX}/sbin

net/pptp/patches/patch-USING

@@ -0,0 +1,94 @@
+$OpenBSD: patch-USING,v 1.1 2006/10/03 12:53:50 grunk Exp $
+--- USING.orig	Sat Sep 30 22:51:56 2006
++++ USING	Sat Sep 30 22:51:58 2006
+@@ -95,4 +95,90 @@ See also the following test scripts;
+ test-multiple-tunnels-1.sh  creates multiple source interfaces
+ test-multiple-tunnels-2.sh  creates multiple tunnels
+ 
++
++EXAMPLE CONFIGURATION FOR OPENBSD:
++
++On OpenBSD, pptp uses the userspace ppp(8) implementation
++instead of pppd(8). This is a compile-time option.
++
++Having ppp start pptp seems to be working much better
++than the other way round.
++
++This example assumes that we want to configure a gateway running
++OpenBSD to provide PPTP VPN access to a remote network for all hosts
++on our internal LAN.
++
++Let us assume that the VPN server is called vpn-gateway.net,
++and that the default route of our OpenBSD box is 42.42.42.42.
++The remote network is 10.42.0/16; all traffic to this network
++should go through the VPN tunnel.
++
++First, put something like this into /etc/ppp/ppp.conf so we
++can connect to the vpn gateway:
++
++  default:
++	set log Phase Chat LCP IPCP CCP tun command
++  vpn:
++	set device "!PREFIX/sbin/pptp --nolaunchpppd vpn-gateway.net"
++	set authname User
++	set authkey MySecret
++	set mtu max 1490
++	set mru max 1490
++	set mppe 128 stateless
++
++Next, we need to configure routing in /etc/ppp/ppp.linkup.
++Assuming vpn-gateway.net resides inside 10.42.0/16, we have to add a host
++route pointing to vpn-gateway.net in order to avoid a chicken-and-egg
++problem once packets to 10.42.0/16 are routed through the tunnel.
++We also load packet filter anchors for the vpn interface here.
++More on that later.
++
++/etc/ppp/ppp.linkup:
++
++  MYADDR:
++    ! sh -c "/sbin/route add -host vpn-gateway.net 42.42.42.42"
++    ! sh -c "/sbin/route add -net 10.42.0.0 -netmask 255.255.0.0 HISADDR"
++    ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"
++
++Commands in ppp.linkdown simply undo changes made in ppp.linkup.
++
++/etc/ppp/ppp.linkdown:
++
++  MYADDR:
++    ! sh -c "/sbin/pfctl -a vpn -F all"
++    ! sh -c "/sbin/route delete -net 10.42.0.0 -netmask 255.255.0.0 HISADDR"
++    ! sh -c "/sbin/route delete -host vpn-gateway.net 42.42.42.42"
++
++To make pf aware of the vpn anchors, put these lines into the
++nat and filter sections of /etc/pf.conf, respectively:
++
++  nat-anchor	"vpn"
++  anchor	"vpn"
++
++Now define vpn anchor rules in /etc/pf.conf.vpn:
++
++  int_if=xl0
++  vpn_if=tun0
++
++  nat on $vpn_if from $int_if:network to any -> ($vpn_if)
++
++  pass out on $vpn_if keep state
++
++  # Allow ping from remote, and explicitly make sure our replies are
++  # routed back through the tunnel.
++  pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \
++	inet proto icmp icmp-type echoreq keep state
++
++  # Same for ssh.
++  pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \
++	from any to ($vpn_if) port ssh flags S/SA keep state
++
++
++Connect by running:
++
++	ppp -ddial vpn
++
++To terminate the connection, kill the ppp process. It creates a PID
++file in /var/run/tunX.pid, where X is the number of the tun device used.
++
+ $Id: patch-USING,v 1.1 2006/10/03 12:53:50 grunk Exp $