Monday, October 6, 2014

ppp over ssh

Just as a reminder to myself, here is an easy PPP over SSH solution with OpenBSD as the server and Linux as the client.
OpenBSD server:
  • Allow IP forwarding for NAT: sysctl net.inet.ip.forwarding=1 (put it in /etc/sysctl.conf to keep it across reboots)
  • Configure NAT in /etc/pf.conf (define the ext_if macro for your external interface and int_net for the network you want to NAT as well):
    ext_ip="*.*.*.*" # your external IP
    match out on {$ext_if} from {$int_net} to any nat-to {$ext_ip}
    pass out on {$ext_if} from {$int_net} to any
  • Create a user ppp on the OpenBSD server and set up the Linux client to log in as that user; [optionally, but highly recommended] set up SSH key auth, then check that ssh ppp@server from the Linux client reaches the OpenBSD shell. Add the ppp user to /etc/ftpusers. Disable password auth for that user.
  • Create /usr/local/bin/ppplogin and make it executable for user ppp:
    #!/bin/sh
    # started by sshd as the ppp user's login shell; pppd talks over the ssh session
    /usr/sbin/pppd $TTY nodetach proxyarp ms-dns server.dns.IP.addr
    [UPD: no need for proxyarp, probably] In /etc/ppp/chap-secrets create a PPP auth entry:
    clientusername * clientpassword
  • Add /usr/local/bin/ppplogin to /etc/shells and set it as the ppp user's login shell. Also check that you have a ppp0 interface; you may need to run ifconfig ppp0 create (and create several ppp interfaces if you need more than one client)
  • On the Linux client side, create a callppp script:
    pppd debug nodetach defaultroute usepeerdns name clientusername passive pty \
        "ssh -o BatchMode=yes ppp@server"
    Strange thing: saying defaultroute does not set the default route over the ppp link for us. pppd only installs a default route when none exists yet, and the client already has one (it needs it to reach the SSH server), so we have to switch it manually (in the ip-up and ip-down scripts)
  • An auth entry in /etc/ppp/chap-secrets:
    clientusername * clientpassword
  • In /etc/ppp/ip-up (pppd passes the remote peer address as $5; SERVER_IP and OLD_GW below are placeholders for the SSH server's address and your original default gateway):
    /sbin/route add -host SERVER_IP gw OLD_GW
    /sbin/route del default
    /sbin/route add default gw $5
    (also, here you can keep those routes that should not pass via the ppp interface)
  • And in /etc/ppp/ip-down we should restore everything back (same placeholders):
    /sbin/route del default
    /sbin/route del -host SERVER_IP
    /sbin/route add default gw OLD_GW
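As an added example (not the original post's script), here is the ip-up/ip-down pair from the steps above written as one POSIX sh script: it reads the current default gateway, pins a host route to the SSH server through it before moving the default route to the PPP peer, saves the old gateway for the way back, and does nothing unless pppd invokes it with a ppp interface. It assumes Linux with net-tools /sbin/route, and the SSH_SERVER_IP and STATE_FILE values are placeholders to replace; installing it as /etc/ppp/ip-up and symlinking it as /etc/ppp/ip-down gives you the restore path.

```shell
#!/bin/sh
# Added example, not the original post's script: /etc/ppp/ip-up that pins the
# SSH server behind the original gateway before swapping the default route to
# the PPP peer, so the tunnel never tries to route its own SSH session.
# pppd runs it as: ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Symlink it as /etc/ppp/ip-down to get the restore path (it branches on $0).
# Assumptions: Linux, net-tools /sbin/route; placeholders below are yours to set.

SSH_SERVER_IP="${SSH_SERVER_IP:-203.0.113.10}"   # PLACEHOLDER: your OpenBSD box
STATE_FILE="${STATE_FILE:-/var/run/ppp-old-gw}"  # where ip-up saves the old gw
ROUTE="${ROUTE:-/sbin/route}"

# Read the IPv4 default gateway from `route -n` output fed on stdin.
parse_default_gw() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Print the route changes for bringing the tunnel up, one command per line.
# $1 = SSH server IP, $2 = old default gateway, $3 = PPP peer IP (pppd's $5)
up_plan() {
    printf '%s add -host %s gw %s\n' "$ROUTE" "$1" "$2"
    printf '%s del default\n' "$ROUTE"
    printf '%s add default gw %s\n' "$ROUTE" "$3"
}

# Print the commands that undo up_plan.  $1 = SSH server IP, $2 = old gateway
down_plan() {
    printf '%s del default\n' "$ROUTE"
    printf '%s del -host %s\n' "$ROUTE" "$1"
    printf '%s add default gw %s\n' "$ROUTE" "$2"
}

# Only touch the routing table when pppd invokes us with a ppp interface.
case "${1:-}" in
ppp*)
    case "$(basename "$0")" in
    ip-down)
        old_gw=$(cat "$STATE_FILE")
        down_plan "$SSH_SERVER_IP" "$old_gw" | sh -e
        ;;
    *)
        old_gw=$("$ROUTE" -n | parse_default_gw)
        [ -n "$old_gw" ] || { echo "ip-up: no default gateway found" >&2; exit 1; }
        printf '%s\n' "$old_gw" > "$STATE_FILE"
        up_plan "$SSH_SERVER_IP" "$old_gw" "$5" | sh -e
        ;;
    esac
    ;;
esac
```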

Do not forget to run traceroute and check how you are connected to the internet now.
And the last advice: do not listen to my advice [because I do not understand anything about the things I write, at least for now, even though I handcrafted all of that myself], read all the docs and do it the right way (mostly be aware of some security holes in this installation - but only in the OpenBSD NAT rules, I believe).
