Just as a reminder to myself, here is an easy PPP-over-ssh setup with OpenBSD as the server and Linux as the client.
OpenBSD server:
Allow IP forwarding for NAT:
    sysctl net.inet.ip.forwarding=1
Configure NAT in /etc/pf.conf:
    ext_if="xl0"
    int_if="ppp0"
    ext_ip="*.*.*.*"        # your external IP
    int_net="10.0.0.1/24"
    match out on {$ext_if} from {$int_net} to any nat-to {$ext_ip}
    pass out on {$ext_if} from {$int_net} to any
Create a user ppp, configure the Linux client and the OpenBSD server's ppp user, [optionally, but highly recommended] set up ssh key auth, and check that
    ssh ppp@server
from the Linux client reaches OpenBSD's shell. Add the ppp user to /etc/ftpusers. Disable password auth for that user.
Create /usr/local/bin/ppplogin and make it executable for user ppp [UPD: no need for proxyarp, probably]:
    #!/bin/sh
    TTY=`tty`
    /usr/sbin/pppd $TTY nodetach proxyarp ms-dns server.dns.IP.addr 10.0.0.1:
    exit
In /etc/ppp/chap-secrets create a ppp auth entry:
    clientusername * clientpassword 10.0.0.12
Add /usr/local/bin/ppplogin to /etc/shells (so it can serve as the ppp user's login shell). Also check that you have a ppp0 interface; you may need to run
    ifconfig ppp0 create
(and create several ppp interfaces if you need them).
On the Linux client side, create a callppp script:
    pppd debug nodetach defaultroute usepeerdns name clientusername passive pty \
        "ssh ppp@openbsd.serv.er -o Batchmode=yes"
Strange thing: saying defaultroute here does not set the default route over the ppp link for us; we have to do that manually (in the ip-up and ip-down scripts).
An auth entry in /etc/ppp/chap-secrets:
    clientusername * clientpassword
In /etc/ppp/ip-up (this is also where you can keep those routes that should not pass via the ppp interface):
    /sbin/route add -host openbsd.serv.er gw yours.ethernet.default.gw
    /sbin/route del default
    /sbin/route add default gw $5
And in /etc/ppp/ip-down we should restore everything:
    /sbin/route del default
    /sbin/route del -host openbsd.serv.er
    /sbin/route add default gw yours.ethernet.default.gw
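The ip-up/ip-down pair above, reworked as one added example script (not from the original post): it records the physical default gateway in a state file instead of hardcoding yours.ethernet.default.gw, and resolves the server name before the default route moves, so the host route never depends on DNS that is only reachable through the tunnel. The PPP_SERVER value, the state file path and the presence of iproute2 and getent on the client are my assumptions, not the post's.

```sh
#!/bin/sh
# Added example, not from the original post: one script installed as both
# /etc/ppp/ip-up and /etc/ppp/ip-down (symlinks), dispatching on its own name.
# pppd passes: $1=iface $2=tty $3=speed $4=local IP $5=remote (OpenBSD) IP.
PPP_SERVER="${PPP_SERVER:-openbsd.serv.er}"          # assumed ssh endpoint
ROUTE_CMD="${ROUTE_CMD:-/sbin/route}"                 # overridable for dry runs
STATE_FILE="${PPP_STATE_FILE:-/var/run/ppp-orig-gw}"  # assumed state path

# Current IPv4 default gateway from the kernel table (assumes iproute2),
# instead of a hardcoded "yours.ethernet.default.gw".
current_default_gw() {
    ip -4 route show default 2>/dev/null | awk '$1 == "default" {print $3; exit}'
}

# Resolve the server once, before the default route moves: afterwards DNS may
# only be reachable through the tunnel itself, and the host route would fail.
resolve_server() {
    case "$1" in
        *[!0-9.]*) getent hosts "$1" | awk '{print $1; exit}' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

ppp_up() {
    # Reuse a saved gateway: after an unclean teardown the live default
    # route may already point into the tunnel and must not be recorded.
    if [ ! -s "$STATE_FILE" ]; then
        gw=$(current_default_gw)
        [ -n "$gw" ] || { echo "ip-up: no default gateway" >&2; return 1; }
        printf '%s\n' "$gw" > "$STATE_FILE"
    fi
    orig_gw=$(cat "$STATE_FILE")
    server_ip=$(resolve_server "$PPP_SERVER")
    [ -n "$server_ip" ] || { echo "ip-up: cannot resolve $PPP_SERVER" >&2; return 1; }
    # Pin the ssh transport to the physical gateway, then move the default.
    "$ROUTE_CMD" add -host "$server_ip" gw "$orig_gw" &&
    "$ROUTE_CMD" del default &&
    "$ROUTE_CMD" add default gw "$5"
}

ppp_down() {
    [ -s "$STATE_FILE" ] || { echo "ip-down: no saved gateway" >&2; return 1; }
    orig_gw=$(cat "$STATE_FILE")
    "$ROUTE_CMD" del default
    "$ROUTE_CMD" del -host "$(resolve_server "$PPP_SERVER")"
    "$ROUTE_CMD" add default gw "$orig_gw" && rm -f "$STATE_FILE"
}
case "$(basename "$0")" in
    ip-up)   ppp_up "$@" ;;
    ip-down) ppp_down "$@" ;;
esac
```

Install it once and symlink it as both /etc/ppp/ip-up and /etc/ppp/ip-down; with ROUTE_CMD=echo it prints the route commands instead of running them.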
Do not forget to run traceroute and check how you are connected to the internet now.
And the last piece of advice: do not listen to my advice [because I do not understand anything in the things I write, at least for now, even though I handcrafted all of this myself]; read all the docs and do it the right way (mostly, be aware of some security holes in this installation - but only in the OpenBSD NAT rules, I believe).