NetBSD PPTP Server
About PPTP
PPTP is short for Point-to-Point Tunneling Protocol. It is used to create VPN connections: a local network connecting to other networks around the world, or a mobile workstation connecting to the corporate network, as though a leased line ran between them.
PPTP is commonly used to let dial-up users connect to an organization's corporate network.
About MPPE
Microsoft Point to Point Encryption (MPPE) is a protocol that provides encryption for Virtual Private Networks.
It is not very secure, but a little security is better than none, right?
Required software
To configure NetBSD as a PPTP server you have to install third-party software; NetBSD's pkgsrc offers an easy way to install it.
PoPToP
This is the server software; without it NetBSD will not act as a PPTP server. It is GPL software, and was the first of its kind released under the GPL for Unix systems.
For more information, see http://www.poptop.org/.
PPPD-MPPE
It has all the features of NetBSD's standard pppd and adds the encryption from the MPPE protocol. PPPD-MPPE is in pkgsrc at pkgsrc/net/ppp-mppe/, and it is convenient to install it from pkgsrc.
Note: this software uses OpenSSL and requires you to accept the fee-based-commercial-use license. Add the following to /etc/mk.conf:
ACCEPTABLE_LICENSES+=fee-based-commercial-use
Kernel configuration
A few small changes to the kernel configuration are needed so that the PPTP service can accept more than two connections at the same time.
Removing the GRE interface
Due to the way that NetBSD's kernel handles packets for GRE interfaces that it doesn't recognize (hasn't created itself), the GRE interface needs to be removed from the kernel.
In the GENERIC kernel, the gre-interfaces are enabled by the following line:
pseudo-device gre 2 # generic L3 over IP tunnel
So to disable it, you will need to find a similar entry in your configuration and either remove it or add a hash (#) at the beginning of the line.
Enabling PPP interfaces
PPTP needs PPP interfaces to communicate between nodes, so you need to configure PPP interfaces in the kernel.
The GENERIC kernel configures two PPP-interfaces by default using this line:
pseudo-device ppp 2 # Point-to-Point Protocol
Enabling encryption
PPTP encryption is provided by the kernel module mppe.o, which you can find in /usr/pkg/lkm.
It is best to add this module to /etc/lkm.conf:
/usr/pkg/lkm/mppe.o - - - - AFTERMOUNT
Of course, you first have to allow loading modules in /etc/rc.conf:
lkm=YES
To make use of the module, reboot the machine, or run directly:
/etc/rc.d/lkm3 start
Note 1: to load it in multi-user mode, your kernel must have the INSECURE option; otherwise it cannot be loaded, and you have to drop to single-user mode or reboot in order to load it.
Note 2: /etc/rc.d contains lkm1, lkm2 and lkm3. We use lkm3 because in /etc/lkm.conf we gave the mppe module the AFTERMOUNT option, which means our mppe module is loaded only after the system has finished loading what it needs (the required modules); lkm3 takes care of these steps for us.
PPP Binaries
The PPTP server uses pppd to provide part of the connection, so it has to use the pppd we installed from pkgsrc/net/ppp-mppe. This looks like a bit of a trick; the earliest solution was to use ln -s to link the new software into the /usr/sbin/ directory.
First, rename the pppd that NetBSD provides:
# cd /usr/sbin
# mv pppd pppd.orig
# mv pppstats pppstats.orig
Then link in the software we installed:
# ln -s /usr/pkg/sbin/pppd
# ln -s /usr/pkg/sbin/pppstats
If you like, you can delete the .orig files.
Note: if PoPToP ends up using NetBSD's pppd rather than the one we installed, you will not be able to use encryption, and some of the options in the configuration files below will give you "unrecognized option" errors.
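As an added example (not from the original guide or from PoPToP), here are the rename-and-link steps above as a POSIX sh function with the checks an administrator would want before touching /usr/sbin: it refuses to create a dangling link when the pkgsrc binaries are not installed, never overwrites an .orig left by an earlier run, and can be re-run safely. The optional prefix argument is this example's own assumption so the function can be tried on a scratch directory; on the real system it is run as root with no argument. A second function confirms that /usr/sbin/pppd now resolves to the ppp-mppe pppd, which is what rules out the "unrecognized option" errors mentioned in the note.

```shell
#!/bin/sh
# Added example, not from the original guide or from PoPToP: the rename-and-link
# steps as a function with the checks an administrator would want before
# touching /usr/sbin. The optional first argument is an assumed prefix (normally
# empty, meaning "/") so the function can be exercised on a scratch directory.

relink_pppd() {
    root="${1:-}"
    base="$root/usr/sbin"
    pkg="$root/usr/pkg/sbin"
    for prog in pppd pppstats; do
        # The pkgsrc binary must already be installed; otherwise /usr/sbin/$prog
        # would become a dangling link and PoPToP could not start pppd at all.
        if [ ! -f "$pkg/$prog" ]; then
            echo "relink_pppd: $pkg/$prog not found; install pkgsrc/net/ppp-mppe first" >&2
            return 1
        fi
        # Already linked to the pkgsrc binary: nothing to do for this program.
        if [ -L "$base/$prog" ] && [ "$(readlink "$base/$prog")" = "$pkg/$prog" ]; then
            continue
        fi
        # Keep the base-system binary as $prog.orig, but never overwrite an
        # .orig left behind by an earlier run.
        if [ -e "$base/$prog" ] && [ ! -L "$base/$prog" ]; then
            if [ -e "$base/$prog.orig" ]; then
                echo "relink_pppd: $base/$prog.orig already exists; refusing to overwrite" >&2
                return 1
            fi
            mv "$base/$prog" "$base/$prog.orig"
        fi
        ln -sf "$pkg/$prog" "$base/$prog"
    done
    return 0
}

# True if /usr/sbin/pppd now resolves to the ppp-mppe pppd, i.e. the one that
# understands the mppe-* options used in the configuration below.
pppd_is_pkg() {
    root="${1:-}"
    [ "$(readlink "$root/usr/sbin/pppd" 2>/dev/null)" = "$root/usr/pkg/sbin/pppd" ]
}

# Usage on the real system, as root:
#   relink_pppd && pppd_is_pkg && echo "pppd now points at the ppp-mppe binary"
```

The link targets are absolute, so the result is the same as the manual `ln -s /usr/pkg/sbin/pppd` run from /usr/sbin, but the function can be executed from any working directory.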
Configuration:
You have to edit a few files. One is the configuration file of the pptpd service; the other two are used by pppd (the program that provides part of the virtual connection).
/etc/ppp/options
Used by pppd; it contains the pppd options that make pppd act as a dial-in server and tell pppd that its clients use the PPTP protocol.
/etc/ppp/chap-secrets
This file contains the account information for all sessions pppd handles. It is used in both client and server mode, so if one machine acts as both server and client (receiving dial-in connections via modem and PPP while also connecting to a VPN via PPTP), this file contains the user names and passwords for all incoming and outgoing connections.
/usr/pkg/etc/pptpd.conf
Used to verify the account information of the users allowed to connect (that is, the users stored in /etc/ppp/chap-secrets). Each account takes one line with four fields, of which only two are used when pppd is configured as a service; when it is at the same time a PPTP client, the remaining two fields are just *. Fields 1 and 3 are the ones we need: one is the user name, the other the password.
username * password *
This user name and password must also be in /etc/ppp/chap-secrets.
/etc/ppp/options
Options used by pppd to accept user connections, one option per line. For example:
name servername
netmask 255.255.255.255
lock
auth
-crtscts
local
+chap
+chapms
+chapms-v2
require-chap
-pap
mppe-40
mppe-128
mppe-stateless
lcp-echo-failure 6
lcp-echo-interval 30
ms-dns ns1.mreriksson.net
Below we explain the options in detail.
name servername
The name of the VPN server, usually used when several VPN servers share one chap-secrets file. Most of the time you can set it to any name.
netmask 255.255.255.255
Sets the netmask of the interface pppd uses. Most of the time netmask 255.255.255.255 is used, unless your VPN is set up differently.
lock
This option has no effect on pppd running over a PPTP link, but you are advised to use it on PPP links.
auth
Forces the client to authenticate when it connects.
-crtscts
This option configures pppd not to try to use any hardware flow control. Flow control is normally used when connecting via a modem attached to a serial port, and is nothing we require when tunneling PPP over the PPTP tunnel.
local
PPPD should ignore Carrier Detect (CD) and DTR (Data Terminal Ready) on the link. These are used when running PPP over serial links, and don't provide any functionality over a pptp-tunnel.
+chap
+chapms
+chapms-v2
This enables the use of various versions of CHAP (Challenge Handshake Authentication Protocol) for authentication against the server.
require-chap
Configures pppd to require authentication from the client using the CHAP protocol.
-pap
This disables the use of PAP (Password Authentication Protocol), since we have no PAP accounts configured. This is to avoid problems with badly configured PPTP servers.
mppe-40
mppe-128
mppe-stateless
These options enable the MPPE encryption provided by the MPPE kernel module.
lcp-echo-failure 6
lcp-echo-interval 30
LCP-ECHO is used to verify that a link is working. These options configure pppd to send an lcp-echo request every 30 seconds, and if no answer has been received on the last six requests, pppd will exit with an error-code, and the ppp-link will be terminated. If you omit these options, a link could appear to be up even though it is unable to transfer data.
ms-dns ns1.mreriksson.net
This will configure pppd to provide details about nameservers to use when connected to the VPN.
/usr/pkg/etc/pptpd.conf
This configuration file contains the pptpd options:
speed 115200
options /etc/ppp/options
localip 172.31.1.1
remoteip 172.31.1.2-63
The options are explained below:
speed 115200
This option defines the speed that pptpd will configure pppd to use. Using 115200 implies no speed limit.
options /etc/ppp/options
The file configured with this option is used as the 'options' file by pppd. Please note that most versions (including NetBSD's standard pppd and the version provided with the ppp-mppe package) start out by reading options from /etc/ppp/options, and if the file given here is anything other than /etc/ppp/options, pppd will try to read options from that file too, if it exists. This can cause problems if another file is used and /etc/ppp/options contains options that affect settings required by the PPTP setup.
localip 172.31.1.1
This configures pptpd to use IP address 172.31.1.1 as its local address on all running tunnels.
remoteip 172.31.1.2-63
Configures a pool of IP addresses that will be assigned to connecting clients. The option above configures a pool containing addresses from 172.31.1.2 up to 172.31.1.63. For more details regarding valid formats of the pool-definition, see the pptpd.conf-manpage.
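The following is an added example, not part of the original guide or of the PoPToP project: a small POSIX sh audit that reads the three files described above and checks the properties the guide relies on. It expands the remoteip pool into the addresses a client may receive and makes sure localip is not among them, verifies that the options file still forces CHAP, disables PAP, enables MPPE and keeps LCP echo on, and checks that every chap-secrets entry can actually be matched by the `name` configured in the options file. The function names, the default paths (taken from the guide) and the localip-in-pool check are this example's own assumptions; the pool parser handles only the last-octet range form shown above and comma-separated lists of such ranges.

```shell
#!/bin/sh
# Added example, not from the original guide or from PoPToP: sanity checks over
# the three configuration files described above. Paths are passed as arguments
# so the checks can be run on copies; defaults are the paths used in the guide.

# Expand a pptpd.conf "remoteip" value into one address per line. Handles the
# last-octet range form used above (172.31.1.2-63), single addresses, and
# comma-separated lists of those; other forms from pptpd.conf(5) are not handled.
expand_pool() {
    old_ifs="$IFS"; IFS=','
    for part in $1; do
        IFS="$old_ifs"
        prefix="${part%.*}"; last="${part##*.}"      # e.g. 172.31.1 and 2-63
        case "$last" in
            *-*) first="${last%-*}"; end="${last#*-}" ;;
            *)   first="$last"; end="$last" ;;
        esac
        i="$first"
        while [ "$i" -le "$end" ]; do
            echo "$prefix.$i"
            i=$((i + 1))
        done
    done
    IFS="$old_ifs"
}

pool_size() { expand_pool "$1" | wc -l | tr -d ' '; }

# True if options file $1 sets option $2 on a line of its own (comments are
# skipped; arguments such as "lcp-echo-failure 6" are allowed).
has_option() {
    awk -v o="$2" '$1 !~ /^#/ && $1 == o { found = 1 } END { exit !found }' "$1"
}

# The settings the guide relies on: clients must authenticate with CHAP only,
# MPPE must be on, and LCP echo must be on so a dead tunnel is torn down.
# Reports every missing option on stderr and returns 1 if any is missing.
check_ppp_options() {
    optf="${1:-/etc/ppp/options}"
    rc=0
    for opt in auth require-chap -pap lcp-echo-failure lcp-echo-interval; do
        has_option "$optf" "$opt" || { echo "$optf: missing '$opt'" >&2; rc=1; }
    done
    has_option "$optf" mppe-40 || has_option "$optf" mppe-128 \
        || { echo "$optf: neither mppe-40 nor mppe-128 enabled; tunnel would be unencrypted" >&2; rc=1; }
    return $rc
}

# pptpd.conf: warn if "options" is not /etc/ppp/options (pppd reads that file
# anyway, so a second file can contradict it), and fail if localip falls inside
# the remoteip pool. The overlap check is this example's own addition.
check_pptpd_conf() {
    conf="${1:-/usr/pkg/etc/pptpd.conf}"
    rc=0
    opt_path=$(awk '$1 == "options" { print $2 }' "$conf")
    localip=$(awk '$1 == "localip" { print $2 }' "$conf")
    pool=$(awk '$1 == "remoteip" { print $2 }' "$conf")
    [ -n "$opt_path" ] && [ -n "$localip" ] && [ -n "$pool" ] \
        || { echo "$conf: expected options, localip and remoteip lines" >&2; return 1; }
    [ "$opt_path" = "/etc/ppp/options" ] \
        || echo "$conf: options is $opt_path but pppd also reads /etc/ppp/options; keep them consistent" >&2
    if expand_pool "$pool" | grep -qxF "$localip"; then
        echo "$conf: localip $localip lies inside remoteip pool $pool" >&2; rc=1
    fi
    return $rc
}

# chap-secrets: an entry whose server field is neither "*" nor the "name" from
# the options file can never match, so that user would always be rejected.
check_chap_secrets() {
    secrets="${1:-/etc/ppp/chap-secrets}"; server="$2"
    awk -v s="$server" '
        $1 ~ /^#/ || NF == 0 { next }
        NF < 3 { printf "line %d: expected client, server and secret fields\n", NR; bad = 1; next }
        $2 != "*" && $2 != s { printf "line %d: server field %s never matches name %s\n", NR, $2, s; bad = 1 }
        END { exit bad }
    ' "$secrets" >&2
}

# Run all checks; arguments: pptpd.conf, pppd options file, chap-secrets.
audit_pptp_setup() {
    failed=0
    check_pptpd_conf "$1" || failed=1
    check_ppp_options "$2" || failed=1
    server_name=$(awk '$1 == "name" { print $2 }' "$2")
    check_chap_secrets "$3" "$server_name" || failed=1
    return $failed
}
# Usage: audit_pptp_setup /usr/pkg/etc/pptpd.conf /etc/ppp/options /etc/ppp/chap-secrets
```

Run the audit before starting pptpd and after every edit to the three files; a non-zero exit means one of the properties above no longer holds, with the reason printed on stderr.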
Protocol limitations:
Due to some limitations in the Point to Point Tunneling Protocol (PPTP), it cannot be used by clients that are connected to the Internet through Network Address Translation (NAT) or similar configurations. There are ways to allow clients to do this, but they require that the firewall doing the address translation has support for it. Some firewalls support this and have it enabled by default; others require a patch or additional software. Ask your administrator for more details regarding the equipment used at your location.
In short: it cannot be used behind NAT, and even if you want to, many changes are needed, such as to the firewall, the system settings, extra software, and so on.