Date: Mon, 23 May 2005 20:31:14 -0500 From: Rob Zietlow <Rob@the-rob.com> To: freebsd-net@freebsd.org Subject: Re: pppd pty equivilent in FBSD Message-ID: <200505232031.15516.Rob@the-rob.com> In-Reply-To: <4291D817.40407@crossthread.com> References: <200505231957.23014.Rob@the-rob.com> <4291D817.40407@crossthread.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday 23 May 2005 08:18 am, Tim Pushor wrote:
hmm, Thanks for the response, Tim.
I wouldn't personally recommend vpn over ssh for anyone either, but i'm kind
of stuck with it. I'm the sole bsd user at my company, and the ppp over ssh
was implemented years before I came and has worked fine for them. They're
not really willing to change it at the moment and it's on a system I have
zero control over within our organization.
If I had the option to set this up like you have below it would have been put
in place a long while ago. Tim, I thank you for your scripts and time.
Here's the scripts I use.
Actual bash script I call:
! /usr/local/bin/bash
#
# This script controls starting and stopping
# the VPN run over ssh. It's functions are:
#
# start stop on off
#
# start and stop control the actuall ppp interface,
# while on and off turn the routes to the VPN on and off.
# In this way, you can bring up the interface, but turn
# the VPN on and off without affecting the ppp connection.
#
#
# --------- configuration ------------
# This is the other end of the VPN
VPNHOST="$WORK"
# This is for editing /etc/resolv.conf
DOMAIN=" $DOMAIN_NAME"
#DNSSERVER="10.10.X.X"
DNSSERVER="10.10.X.Y"
# ------------------------------------
# Defaults should be okay
# ------------------------------------
CONFFILE="/etc/resolv.conf"
# tempfile, needs to be writable
TMP=/tmp/file.$$
# This is to give us time for the ppp
# connection to come up
timeout=5
# This is the command to start pppd
CMD="/usr/sbin/pppd file /usr/home/rob/vpn/options.vpn"
# A place for control files
svcdir="$HOME/.pppssh"
# A place for pids to keep track of processes
rundir="$svcdir/run"
# ------ end configuration -----------
# Some things to check before we begin
USER=`id -u`
PPPD=`find /usr/sbin -perm 4755 -name pppd`
ROUTE=`find /sbin -perm 4755 -name route`
IFCONFIG=`find /sbin -perm 4755 -name ifconfig`
if [ \( $USER -ne 0 \) -a \( -z "$PPPD" -o -z "$ROUTE" -o -z "$IFCONFIG" \) ];
then
echo "You must be root, or the following must be suid:"
echo "/sbin/pppd, /sbin/route, /sbin/ifconfig"
exit 1
fi
case "$1" in
start)
# Make a control directory
if [ ! -d $svcdir ]; then
mkdir -p $svcdir
fi
if [ ! -d $rundir ]; then
mkdir -p $rundir
fi
# make sure it doesn't core dump anywhere; while this could mask
# problems with the daemon, it also closes some security problems
ulimit -c 0
echo -n $VPNHOST > "$svcdir/host"
echo Waiting for connection...
# Look for unused ppp device.
# But default to ppp0
dev=0
for i in `jot 9 0 `; do
if [ ! -f /var/run/ppp$i.pid ] ; then
echo Using interface ppp$i
dev=$i
break
fi
done
# See if we're already running
if [ ! -f $svcdir/lock ]; then
$CMD
else
echo Link appears up
echo Lock file in $svcdir
echo Use $0 restart
exit 1
fi
if [ $? -eq 0 ]; then
sleep $timeout
ifconfig ppp$dev
echo ppp$dev > $svcdir/device
echo $VPNHOST > $svcdir/host
touch $svcdir/lock
# Routes to be added for the inside network
$0 on
else
echo Connection Failed
fi
;;
stop)
# Find the pid of the pppd, kill it, remove the route
VPNIF=`head $svcdir/device`
ppppid=`head /var/run/$VPNIF.pid`
sshpid=`head $rundir/sshpppd.pid`
# Removing routes if possible
echo Removing routes...
$0 off
echo Killing processes...
kill -s SIGTERM $ppppid
kill -s SIGTERM $sshpid
echo Killed ssh[$sshpid]
echo Killed pppd[$ppppid]
# Bring down interface
echo Bringing down interface: $VPNIF
/sbin/ifconfig $VPNIF down
echo Removing control files...
# Remove control files
rm -f "$svcdir/device"
rm -f "$svcdir/host"
rm -f "$rundir/sshpppd.pid"
rm -f "$svcdir/lock"
echo Done.
;;
on)
if [ ! -f "$svcdir/lock" ]; then
echo VPN does not appear to be up
exit 1
elif [ -f "$svcdir/on" ]; then
echo VPN looks like it is already active
exit 1
else
# Routes are specified in /etc/ppp/routes.vpn
grep -v '^#' /etc/ppp/routes.vpn |\
while read NET NETMASK GATEWAY ; do
/sbin/route add -net $NET netmask $NETMASK gw $GATEWAY
done
# Make changes to the resolv.conf file
# We may not want this to be standard equipment
# if [ $USER -eq 0 ]; then
# insert search domain
MATCH=$( grep -cq "search" $CONFFILE )
#if [ "$MATCH" = "0" ]; then
# # Add one if there isn't one
# { echo "search $DOMAIN" ; cat $CONFFILE } > $TMP
# mv -f $TMP $CONFFILE
#else
# # Edit one if needed
# grep -q "search.*$DOMAIN" $CONFFILE
# if [ "$?" != "0" ]; then
# perl -pi -e "s/(search.+)\s+/\$1 $DOMAIN\n/" $CONFFILE
# fi
# fi
#
# # insert server if needed
# # it needs to be first in the list
# MATCH=$( grep -cq "nameserver.*$DNSSERVER" $CONFFILE )
# if [ "$MATCH" = "0" ]; then
# perl -pi -e "s/(search.+)\s+/\$1\nnameserver
$DNSSERVER\n/" $CONFFILE
# fi
#touch $svcdir/resolver
# fi
touch $svcdir/on;
fi
;;
off)
if [ ! -f $svcdir/lock ]; then
echo VPN does not appear to be up
exit 1
elif [ ! -f "$svcdir/on" ]; then
echo VPN does not appear to be active
exit 1
else
grep -v '^#' /etc/ppp/routes.vpn |\
while read NET NETMASK GATEWAY ; do
/sbin/route del -net $NET netmask $NETMASK gw $GATEWAY
done
fi
## Remove changes made to /etc/resolv.conf
if [ $USER -eq 0 ]; then
if [ -f $svcdir/resolver ]; then
perl -pi -e "s/(search.+?)\s+$DOMAIN\s+/\$1\n/" $CONFFILE
perl -pi -e "s/^nameserver\s+$DNSSERVER\s+//" $CONFFILE
rm -f $svcdir/resolver
fi
fi
rm -f $svcdir/on
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: telnetd {start|stop|on|off}"
;;
esac
options.vpn:
lock
noipdefault
defaultroute
updetach
lcp-echo-interval 5
lcp-echo-failure 10
pty /home/rob/vpn/pppssh
call server.vpn
!/usr/bin/perl -w
# Taken from Olaf Titz's ppp over ssh script.
# pppd starts up ppp connection, but ssh hangs
# and prevents pppd from taking over the terminal
# this script gives ssh a little kick.
#use strict
# ---- configuration ----- #
# Your user login here
$user="$USER_NAME";
# ------------------------ #
# Customize if necessary
$home=$ENV{HOME};
$svcdir="$home/.pppssh";
$rundir="$svcdir/run";
$ssh="/usr/bin/ssh";
$timeout=10;
$host=`head $svcdir/host`;
# ------------------------ #
if ( ! defined($host)) {
print "No host given\n";
exit 1;
}
# subroutine to handle sshd hang bug.
&bugdaemon($timeout) if ($timeout);
# Write pid to control file
open FD, ">$rundir/sshpppd.pid" or die $!;
printf FD $$;
close FD;
# exec ssh to start pppd on remote host
exec $ssh, "-t", "-l$user", $host, "-p 24";
die "exec $ssh: $!";
# -------------------------------------------- #
# This cures a "hang" of the local ssh process
sub bugdaemon
{
local($secs)=@_;
local($p)=fork;
# fork returns 0 to child, pid to parent, and undefined to parent if
failed.
if (!defined($p)) {
warn "can't fork, no bug daemon";
return;
}
# Return if I'm the child to execute ssh
return if (!$p);
# returning the child avoids a zombie
# Parent sleeps to allow the child to exec ssh
if ($secs) {
sleep $secs;
} else {
sleep 10;
}
# If I'm the parent, give ssh a kick
kill "STOP", $p;
sleep 1;
kill "CONT", $p;
exit 0;
}
> You don't need the pty. I don't recommend vpn over ssh, unless its
> absolutely necessary. OpenVPN is much better ...
>
> I've set it up (as it was absolutely necessary :-), and here is a config
> from the 'client'.
>
> default:
> set timeout 0
> set log phase chat connect lcp ipcp
> set dial
> set login
>
> cli:
> set device "!ssh -l cli -i /etc/ppp/ppp.key server.domain.com
> /usr/sbin/ppp -direct srv"
> set ifaddr 10.0.4.4 10.0.4.3 255.255.255.255
> add! 192.168.x.0/24 HISADDR
> set lqrperiod 60
> enable lqr
>
> 'client' is enabled by running ppp -ddial cli from rc script.
>
> Then the 'Server' - of course, 'cli' needs a user account on the system,
> and all the ssh stuff setup (authorized keys, etc).
>
> default:
>
> set log Phase Chat LCP IPCP CCP tun command
>
> srv:
>
> allow user cli
> set ifaddr 10.0.4.3 10.0.4.4 255.255.255.255
> set timeout 0
> add! 192.168.y.0/24 HISADDR
> set lqrperiod 60
> enable lqr
> accept lqr
>
> Rob Zietlow wrote:
> >Good day List,
> >
> >I have a question about pppd. We use ppp over ssh for a VPN solution into
> >work. The script works on linux, but not in freebsd because the
> >implementation of pppd that comes with freebsd does not recognize the pty
> >command. When I attempt to connect up I get the following.
> >
> >testee# bash bin/vpn.init start
> >Waiting for connection...
> >Using interface ppp0
> >/usr/sbin/pppd: In file /usr/home/rob/vpn/options.vpn: unrecognized option
> >'pty'
> >Connection Failed
> >
> >This appears to be the last piece of the puzzle for me in order to get
> > this to work. So it leaves me to ask Is there an equivalent in Freebsd?
> >
> >From the pppd man page on a linux machine.
> >
> > pty script
> > Specifies that the command script is to be used to
> > communicate rather than a specific terminal device. Pppd will
> > allocate itself a pseudo-tty master/slave pair and use the slave as its
> > terminal device. The script will be run in a child process with
> > the pseudo-tty master as its standard input and output. An explicit
> > device name may not be given if this option is used. (Note: if the
> > record option is used in conjuction with the pty option, the child
> > process will have pipes on its standard input and output.)
> >
> >The fbsd pppd's man page doesn't list anything for pty, and a google
> > doesn't turn up much.
> >
> >Thanks for your time.
> >
> >Rob
> >_______________________________________________
> >freebsd-net@freebsd.org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200505232031.15516.Rob>