From: Rob Zietlow <Rob@the-rob.com>
To: freebsd-net@freebsd.org
Date: Mon, 23 May 2005 20:31:14 -0500
Subject: Re: pppd pty equivilent in FBSD
In-Reply-To: <4291D817.40407@crossthread.com>
References: <200505231957.23014.Rob@the-rob.com> <4291D817.40407@crossthread.com>
Message-Id: <200505232031.15516.Rob@the-rob.com>
List-Id: Networking and TCP/IP with FreeBSD

On Monday 23 May 2005 08:18 am, Tim Pushor wrote:

hmm,
Thanks for the response, Tim. I wouldn't personally recommend VPN over SSH for anyone either, but I'm kind of stuck with it. I'm the sole BSD user at my company, and the ppp over ssh was implemented years before I came and has worked fine for them. They're not really willing to change it at the moment, and it's on a system I have zero control over within our organization. If I had the option to set this up like you have below, it would have been put in place a long while ago. Tim, I thank you for your scripts and time.

Here are the scripts I use.

Actual bash script I call:

#!/usr/local/bin/bash
#
# This script controls starting and stopping
# the VPN run over ssh. Its functions are:
#
#   start stop on off
#
# start and stop control the actual ppp interface,
# while on and off turn the routes to the VPN on and off.
# In this way, you can bring up the interface, but turn
# the VPN on and off without affecting the ppp connection.
#
#
# --------- configuration ------------
# This is the other end of the VPN
VPNHOST="$WORK"
# This is for editing /etc/resolv.conf
DOMAIN=" $DOMAIN_NAME"
#DNSSERVER="10.10.X.X"
DNSSERVER="10.10.X.Y"
# ------------------------------------
# Defaults should be okay
# ------------------------------------
CONFFILE="/etc/resolv.conf"
# tempfile, needs to be writable
# (predictable name in /tmp; only used by the commented-out
#  resolv.conf editing below, which runs as root)
TMP=/tmp/file.$$
# This is to give us time for the ppp
# connection to come up
timeout=5
# This is the command to start pppd
CMD="/usr/sbin/pppd file /usr/home/rob/vpn/options.vpn"
# A place for control files
svcdir="$HOME/.pppssh"
# A place for pids to keep track of processes
rundir="$svcdir/run"
# ------ end configuration -----------

# Some things to check before we begin
USER=`id -u`
PPPD=`find /usr/sbin -perm 4755 -name pppd`
ROUTE=`find /sbin -perm 4755 -name route`
IFCONFIG=`find /sbin -perm 4755 -name ifconfig`

if [ \( $USER -ne 0 \) -a \( -z "$PPPD" -o -z "$ROUTE" -o -z "$IFCONFIG" \) ]; then
    echo "You must be root, or the following must be suid:"
    echo "/sbin/pppd, /sbin/route, /sbin/ifconfig"
    exit 1
fi

case "$1" in
start)
    # Make a control directory
    if [ ! -d $svcdir ]; then
        mkdir -p $svcdir
    fi
    if [ ! -d $rundir ]; then
        mkdir -p $rundir
    fi

    # make sure it doesn't core dump anywhere; while this could mask
    # problems with the daemon, it also closes some security problems
    ulimit -c 0

    echo -n $VPNHOST > "$svcdir/host"
    echo Waiting for connection...

    # Look for unused ppp device.
    # But default to ppp0
    dev=0
    for i in `jot 9 0`; do
        if [ ! -f /var/run/ppp$i.pid ]; then
            echo Using interface ppp$i
            dev=$i
            break
        fi
    done

    # See if we're already running
    if [ ! -f $svcdir/lock ]; then
        $CMD
        status=$?
    else
        echo Link appears up
        echo Lock file in $svcdir
        echo Use $0 restart
        exit 1
    fi

    if [ $status -eq 0 ]; then
        sleep $timeout
        ifconfig ppp$dev
        echo ppp$dev > $svcdir/device
        echo $VPNHOST > $svcdir/host
        touch $svcdir/lock
        # Routes to be added for the inside network
        $0 on
    else
        echo Connection Failed
    fi
    ;;
stop)
    # Find the pid of the pppd, kill it, remove the route
    VPNIF=`head $svcdir/device`
    ppppid=`head /var/run/$VPNIF.pid`
    sshpid=`head $rundir/sshpppd.pid`

    # Removing routes if possible
    echo Removing routes...
    $0 off

    echo Killing processes...
    kill -s SIGTERM $ppppid
    kill -s SIGTERM $sshpid
    echo Killed ssh[$sshpid]
    echo Killed pppd[$ppppid]

    # Bring down interface
    echo Bringing down interface: $VPNIF
    /sbin/ifconfig $VPNIF down

    echo Removing control files...
    # Remove control files
    rm -f "$svcdir/device"
    rm -f "$svcdir/host"
    rm -f "$rundir/sshpppd.pid"
    rm -f "$svcdir/lock"
    echo Done.
    ;;
on)
    if [ ! -f "$svcdir/lock" ]; then
        echo VPN does not appear to be up
        exit 1
    elif [ -f "$svcdir/on" ]; then
        echo VPN looks like it is already active
        exit 1
    else
        # Routes are specified in /etc/ppp/routes.vpn
        # (this is Linux route(8) syntax; FreeBSD's route(8) takes
        #  route add -net $NET -netmask $NETMASK $GATEWAY)
        grep -v '^#' /etc/ppp/routes.vpn |\
        while read NET NETMASK GATEWAY ; do
            /sbin/route add -net $NET netmask $NETMASK gw $GATEWAY
        done

        # Make changes to the resolv.conf file
        # We may not want this to be standard equipment
        #  if [ $USER -eq 0 ]; then
        #    # insert search domain
        #    MATCH=$( grep -c "search" $CONFFILE )
        #    if [ "$MATCH" = "0" ]; then
        #      # Add one if there isn't one
        #      { echo "search $DOMAIN" ; cat $CONFFILE ; } > $TMP
        #      mv -f $TMP $CONFFILE
        #    else
        #      # Edit one if needed
        #      grep -q "search.*$DOMAIN" $CONFFILE
        #      if [ "$?" != "0" ]; then
        #        perl -pi -e "s/(search.+)\s+/\$1 $DOMAIN\n/" $CONFFILE
        #      fi
        #    fi
        #
        #    # insert server if needed
        #    # it needs to be first in the list
        #    MATCH=$( grep -c "nameserver.*$DNSSERVER" $CONFFILE )
        #    if [ "$MATCH" = "0" ]; then
        #      perl -pi -e "s/(search.+)\s+/\$1\nnameserver $DNSSERVER\n/" $CONFFILE
        #    fi
        #    touch $svcdir/resolver
        #  fi

        touch $svcdir/on;
    fi
    ;;
off)
    if [ ! -f $svcdir/lock ]; then
        echo VPN does not appear to be up
        exit 1
    elif [ ! -f "$svcdir/on" ]; then
        echo VPN does not appear to be active
        exit 1
    else
        grep -v '^#' /etc/ppp/routes.vpn |\
        while read NET NETMASK GATEWAY ; do
            /sbin/route del -net $NET netmask $NETMASK gw $GATEWAY
        done
    fi

    ## Remove changes made to /etc/resolv.conf
    if [ $USER -eq 0 ]; then
        if [ -f $svcdir/resolver ]; then
            perl -pi -e "s/(search.+?)\s+$DOMAIN\s+/\$1\n/" $CONFFILE
            perl -pi -e "s/^nameserver\s+$DNSSERVER\s+//" $CONFFILE
            rm -f $svcdir/resolver
        fi
    fi
    rm -f $svcdir/on
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 {start|stop|on|off|restart}"
    ;;
esac

options.vpn:

lock
noipdefault
defaultroute
updetach
lcp-echo-interval 5
lcp-echo-failure 10
pty /home/rob/vpn/pppssh
call server.vpn

pppssh (the pty script):

#!/usr/bin/perl -w
# Taken from Olaf Titz's ppp over ssh script.
# pppd starts up ppp connection, but ssh hangs
# and prevents pppd from taking over the terminal
# this script gives ssh a little kick.
#use strict
# ---- configuration ----- #
# Your user login here
$user="$USER_NAME";
# ------------------------ #
# Customize if necessary
$home=$ENV{HOME};
$svcdir="$home/.pppssh";
$rundir="$svcdir/run";
$ssh="/usr/bin/ssh";
$timeout=10;
# host file is written by vpn.init; strip any trailing newline
$host=`head $svcdir/host`;
chomp($host) if defined($host);
# ------------------------ #
if ( ! defined($host) || $host eq "" ) {
    print "No host given\n";
    exit 1;
}

# subroutine to handle sshd hang bug.
&bugdaemon($timeout) if ($timeout);

# Write pid to control file
open FD, ">$rundir/sshpppd.pid" or die $!;
print FD $$;
close FD;

# exec ssh to start pppd on remote host
# (ssh options must precede the host name; anything after the host
#  is sent to the remote side as the command to run)
exec $ssh, "-t", "-p", "24", "-l$user", $host;
die "exec $ssh: $!";

# -------------------------------------------- #
# This cures a "hang" of the local ssh process
sub bugdaemon {
    local($secs)=@_;
    local($p)=fork;
    # fork returns 0 to child, pid to parent, and undefined to parent if failed.
    if (!defined($p)) {
        warn "can't fork, no bug daemon";
        return;
    }
    # Return if I'm the child to execute ssh
    return if (!$p);
    # returning the child avoids a zombie
    # Parent sleeps to allow the child to exec ssh
    if ($secs) {
        sleep $secs;
    } else {
        sleep 10;
    }
    # If I'm the parent, give ssh a kick
    kill "STOP", $p;
    sleep 1;
    kill "CONT", $p;
    exit 0;
}

> You don't need the pty. I don't recommend vpn over ssh, unless its
> absolutely necessary. OpenVPN is much better ...
>
> I've set it up (as it was absolutely necessary :-), and here is a config
> from the 'client'.
>
> default:
>  set timeout 0
>  set log phase chat connect lcp ipcp
>  set dial
>  set login
>
> cli:
>  set device "!ssh -l cli -i /etc/ppp/ppp.key server.domain.com /usr/sbin/ppp -direct srv"
>  set ifaddr 10.0.4.4 10.0.4.3 255.255.255.255
>  add! 192.168.x.0/24 HISADDR
>  set lqrperiod 60
>  enable lqr
>
> 'client' is enabled by running ppp -ddial cli from rc script.
>
> Then the 'Server' - of course, 'cli' needs a user account on the system,
> and all the ssh stuff setup (authorized keys, etc).
>
> default:
>  set log Phase Chat LCP IPCP CCP tun command
>
> srv:
>  allow user cli
>  set ifaddr 10.0.4.3 10.0.4.4 255.255.255.255
>  set timeout 0
>  add! 192.168.y.0/24 HISADDR
>  set lqrperiod 60
>  enable lqr
>  accept lqr
>
> Rob Zietlow wrote:
>
> >Good day List,
> >
> >I have a question about pppd. We use ppp over ssh for a VPN solution into
> >work. The script works on Linux, but not in FreeBSD because the
> >implementation of pppd that comes with FreeBSD does not recognize the pty
> >command. When I attempt to connect up I get the following.
> >
> >testee# bash bin/vpn.init start
> >Waiting for connection...
> >Using interface ppp0
> >/usr/sbin/pppd: In file /usr/home/rob/vpn/options.vpn: unrecognized option 'pty'
> >Connection Failed
> >
> >This appears to be the last piece of the puzzle for me in order to get
> >this to work. So it leaves me to ask: is there an equivalent in FreeBSD?
> >
> >From the pppd man page on a Linux machine.
> >
> >  pty script
> >      Specifies that the command script is to be used to
> >      communicate rather than a specific terminal device. Pppd will
> >      allocate itself a pseudo-tty master/slave pair and use the slave as its
> >      terminal device. The script will be run in a child process with
> >      the pseudo-tty master as its standard input and output. An explicit
> >      device name may not be given if this option is used. (Note: if the
> >      record option is used in conjunction with the pty option, the child
> >      process will have pipes on its standard input and output.)
> >
> >The fbsd pppd's man page doesn't list anything for pty, and a google
> >doesn't turn up much.
> >
> >Thanks for your time.
> >
> >Rob
> >_______________________________________________
> >freebsd-net@freebsd.org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
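Added example (not part of the thread, and not Rob's or Tim's code): the server-side key restriction behind Tim's "all the ssh stuff setup (authorized keys, etc)". If the key in /etc/ppp/ppp.key is installed unrestricted for the cli account, whoever copies that key gets an ordinary login on the VPN server; forcing the command to ppp -direct srv and switching off port, X11 and agent forwarding limits the key to starting the PPP session. Assumed here, not stated in the thread: OpenSSH on the server, ppp at /usr/sbin/ppp, and the section label srv from Tim's ppp.conf. The key strings in the audit are made up.

```shell
#!/bin/sh
# Added example: build and audit a restricted authorized_keys entry for a
# dedicated PPP-over-SSH account. Not from the thread; paths and the
# ppp.conf label "srv" are assumptions.

PPP_CMD="/usr/sbin/ppp -direct srv"
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# restricted_key_line PUBKEY_LINE
#   Prints an authorized_keys line that forces $PPP_CMD and disables
#   everything else the account could use through the same key.
restricted_key_line() {
    pubkey=$1
    opts="command=\"$PPP_CMD\""
    for o in $REQUIRED_OPTS; do
        opts="$opts,$o"
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# key_line_is_restricted LINE
#   Returns 0 only if LINE carries exactly command="$PPP_CMD" (closing
#   quote included, so "srv; /bin/sh" does not pass) and every option in
#   $REQUIRED_OPTS; plain substring checks, good enough for an audit.
key_line_is_restricted() {
    line=$1
    case $line in
        *"command=\"$PPP_CMD\""*) ;;
        *) return 1 ;;
    esac
    for o in $REQUIRED_OPTS; do
        case $line in
            *"$o"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_authorized_keys FILE
#   Prints every key line in FILE that is not restricted as above.
#   Returns 0 when all key lines pass, 1 otherwise. Blank lines and
#   '#' comments are skipped.
audit_authorized_keys() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if ! key_line_is_restricted "$line"; then
            printf 'UNRESTRICTED: %s\n' "$line"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Usage: sh restricted_key.sh ~cli/.ssh/authorized_keys
if [ $# -eq 1 ]; then
    audit_authorized_keys "$1"
fi
```

Install the line printed by restricted_key_line in ~cli/.ssh/authorized_keys on the server; together with the "allow user cli" in Tim's srv section, the cli account can then only bring up that one ppp section, with or without a shell of its own.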
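Added example (not from the thread): a FreeBSD port of the route handling in the on/off cases of Rob's vpn.init. That script hands the three fields of /etc/ppp/routes.vpn to Linux route(8) as "netmask MASK gw GW"; FreeBSD's route(8) takes "route add -net NET -netmask MASK GW". The function below emits the FreeBSD commands for a routes file and refuses any line whose fields are not plain dotted quads, so an edited or trailing-garbage line cannot pass extra arguments to route, which the script expects to be setuid when not run as root. The routes file contents in the test are constructed; /sbin/route as the binary path is assumed.

```shell
#!/bin/sh
# Added example: FreeBSD route(8) commands from a routes.vpn file
# (format as in vpn.init: NET NETMASK GATEWAY per line, '#' comments).
# Not from the thread.

# is_dotted_quad STR -> 0 if STR is four decimal octets 0-255, else 1
is_dotted_quad() {
    case $1 in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # only digits and single dots
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|????*) return 1 ;;              # 1 to 3 digits per octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# route_cmds ACTION FILE
#   ACTION is "add" (vpn.init on) or "delete" (vpn.init off).
#   Prints one FreeBSD route(8) command per valid line of FILE and
#   reports rejected lines on stderr. Returns 1 if any line was bad.
route_cmds() {
    action=$1; file=$2; status=0
    case $action in
        add|delete) ;;
        *) echo "route_cmds: bad action '$action'" >&2; return 1 ;;
    esac
    lineno=0
    while read -r net mask gw extra || [ -n "$net" ]; do
        lineno=$((lineno + 1))
        case $net in
            ''|'#'*) continue ;;               # blank or comment line
        esac
        if [ -n "$extra" ] || ! is_dotted_quad "$net" \
           || ! is_dotted_quad "$mask" || ! is_dotted_quad "$gw"; then
            echo "routes file line $lineno rejected: $net $mask $gw $extra" >&2
            status=1
            continue
        fi
        # Linux:   route add -net NET netmask MASK gw GW
        # FreeBSD: route add -net NET -netmask MASK GW
        printf '/sbin/route %s -net %s -netmask %s %s\n' \
            "$action" "$net" "$mask" "$gw"
    done < "$file"
    return $status
}

# Usage: sh vpnroutes.sh add /etc/ppp/routes.vpn | sh   (as root)
if [ $# -eq 2 ]; then
    route_cmds "$1" "$2"
fi
```

In the on case this replaces the grep/while/route pipeline with "route_cmds add /etc/ppp/routes.vpn | sh", and the off case uses delete; because the commands are printed rather than executed, they can be reviewed with a dry run first.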