16548SN/A################################################################# 217464Snaoto# 36548SN/A# PPP Sample Configuration File 46548SN/A# 56548SN/A# Originally written by Toshiharu OHNO 66548SN/A# 76548SN/A# $FreeBSD: releng/11.0/share/examples/ppp/ppp.conf.sample 244040 2012-12-08 22:16:36Z eadler $ 86548SN/A# 96548SN/A################################################################# 106548SN/A 116548SN/A# This file is separated into sections. Each section is named with 126548SN/A# a label starting in column 0 and followed directly by a ``:''. The 136548SN/A# section continues until the next label. Blank lines and characters 146548SN/A# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\'' 156548SN/A# or quoted with ""). All commands inside sections that do not begin 166548SN/A# with ``!'' (e.g., ``!include'') *must* be indented by at least one 176548SN/A# space or tab or they will not be recognized! 186548SN/A# 196548SN/A# Lines beginning with "!include" will ``include'' another file. You 206548SN/A# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 216548SN/A# 226548SN/A 236548SN/A# Default setup. Always executed when PPP is invoked. 246548SN/A# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 256548SN/A# 266548SN/A# This is the best place to specify your modem device, its DTR rate, 276548SN/A# your dial script and any logging specification. Logging specs should 286548SN/A# be done first so that the results of subsequent commands are logged. 296548SN/A# 306548SN/Adefault: 316548SN/A set log Phase Chat LCP IPCP CCP tun command 326548SN/A set device /dev/cuau1 336548SN/A set speed 115200 346548SN/A set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 356548SN/A OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 366548SN/A 376548SN/A# Client side PPP 386548SN/A# 396548SN/A# Although the PPP protocol is a peer to peer protocol, we normally 406548SN/A# consider the side that initiates the connection as the client and 416548SN/A# the side that receives the connection as the server. Authentication 426548SN/A# is required by the server either using a unix-style login procedure 436548SN/A# or by demanding PAP or CHAP authentication from the client. 446548SN/A# 456548SN/A 466548SN/A# An on demand example where we have dynamic IP addresses and wish to 476548SN/A# use a unix-style login script: 486548SN/A# 496548SN/A# If the peer assigns us an arbitrary IP (most ISPs do this) and we 506548SN/A# can't predict what their IP will be either, take a wild guess at 516548SN/A# some IPs that you can't currently route to. Ppp can change this 526548SN/A# when the link comes up. 536548SN/A# 546548SN/A# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 556548SN/A# specified IP actually being correct, therefore, the other side can assign 566548SN/A# any IP number. 576548SN/A# 586548SN/A# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 596548SN/A# IP number, forcing the peer to make the decision. This is necessary 606548SN/A# when negotiating with some (broken) ppp implementations. 616548SN/A# 626548SN/A# This entry also works with static IP numbers or when not in -auto mode. 636548SN/A# The ``add'' line adds a `sticky' default route that will be updated if 646548SN/A# and when any of the IP numbers are changed in IPCP negotiations. 656548SN/A# The "set ifaddr" is required in -auto mode only. 666548SN/A# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. 676548SN/A# 686548SN/A# Finally, the ``enable dns'' line tells ppp to ask the peer for the 696548SN/A# nameserver addresses that should be used. This isn't always supported 706548SN/A# by the other side, but if it is, ppp will update /etc/resolv.conf with 716548SN/A# the correct nameserver values at connection time. 726548SN/A# 736548SN/A# The login script shown says that you're expecting ``ogin:''. If you 746548SN/A# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 758042SN/A# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 769000SN/A# You *MUST* customise this login script according to your local 776548SN/A# requirements. 786548SN/A# 796548SN/Apmdemand: 806548SN/A set phone 1234567 816548SN/A set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 826548SN/A set timeout 120 836548SN/A set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 846548SN/A add default HISADDR 856548SN/A enable dns 866548SN/A 878390SN/A# If you want to use PAP or CHAP instead of using a unix-style login 886548SN/A# procedure, do the following. Note, the peer suggests whether we 896548SN/A# should send PAP or CHAP. By default, we send whatever we're asked for. 906897SN/A# 916548SN/A# You *MUST* customise ``MyName'' and ``MyKey'' below. 926548SN/A# 936548SN/APAPorCHAPpmdemand: 946548SN/A set phone 1234567 956548SN/A set login 966548SN/A set authname "MyName" 976548SN/A set authkey "MyKey" 986548SN/A set timeout 120 996548SN/A set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 1006548SN/A add default HISADDR 1016548SN/A enable dns 1026548SN/A 10317464Snaoto# On demand dialup example with static IP addresses: 1046548SN/A# Here, the local side uses 192.244.185.226 and the remote side 1056548SN/A# uses 192.244.176.44. 1069027SN/A# 1079027SN/A# # ppp -auto ondemand 1089027SN/A# 1099027SN/A# With static IP numbers, our setup is similar to dynamic: 1109027SN/A# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 1119027SN/A# an "ondemand" label, and finally the "MYADDR" label. 1129027SN/A# 1137138SN/Aondemand: 1146548SN/A set phone 1234567 1156548SN/A set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 1166548SN/A set timeout 120 1176548SN/A set ifaddr 192.244.185.226 192.244.176.44 1186548SN/A add default HISADDR 1196548SN/A enable dns 1206548SN/A 1216548SN/A# An on-demand dialup example using an external Terminal Adapter (TA) 1226548SN/A# that supports multi-link ppp itself. 1236548SN/A# 1246548SN/A# This may be specific to the AETHRA TA. 1256548SN/A# 1266548SN/ATA: 1276548SN/A set phone 12345678 # Replace this with your ISPs phone number 1286548SN/A 1296548SN/A set authname "somename" # Replace these with your login name & password. 1306548SN/A set authkey "somepasswd" # This profile assumes you're using PAP or CHAP. 1316548SN/A 1326548SN/A enable lqr echo 1336548SN/A set reconnect 3 5 1346548SN/A set redial 3 10 1356548SN/A set lqrperiod 45 1366548SN/A disable pred1 deflate mppe 1376548SN/A deny pred1 deflate mppe 1386548SN/A 1396548SN/A set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \ 1406548SN/A OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 1416548SN/A set login 1426548SN/A set logout 1436548SN/A set hangup 1446548SN/A 1456548SN/A set timeout 60 300 # The minimum charge period is 5 minutes, so don't 1466548SN/A # hangup before then 1476548SN/A 1486548SN/A set device /dev/cuau0 # Or whatever 1496548SN/A set speed 115200 # Use as high a speed as possible 1506548SN/A 1516548SN/A enable dns # Ask the peer what to put in resolv.conf 1526548SN/A 1536548SN/A # Take a wild guess at an IP number and let the other side decide 1546548SN/A set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0 1556548SN/A add! default hisaddr 1569888SN/A 1576548SN/A set mru 1504 # Some extra room for the MP header 1586548SN/A 1596548SN/A set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------) 1606548SN/A 1616548SN/A 1626548SN/A# Example segments 1639888SN/A# 1646548SN/A# The following lines may be included as part of your configuration 1656548SN/A# section and aren't themselves complete. They're provided as examples 1666548SN/A# of how to achieve different things. 1676548SN/A 1686548SN/Aexamples: 1696548SN/A# Multi-phone example. Numbers separated by a : are used sequentially. 1706548SN/A# Numbers separated by a | are used if the previous dial or login script 1716548SN/A# failed. Usually, you will prefer to use only one of | or :, but both 1729888SN/A# are allowed. 1736548SN/A# 1746548SN/A set phone 12345678|12345679:12345670|12345671 1756548SN/A# 1766548SN/A# Some phone numbers may include # characters - don't forget to escape 1776548SN/A# (or quote) them: 1786548SN/A# 1796548SN/A set phone "12345##678" 1806548SN/A# 1816548SN/A# Ppp can accept control instructions from the ``pppctl'' program. 1826548SN/A# First, you must set up your control socket. It's safest to use 1836548SN/A# a UNIX domain socket, and watch the permissions: 1846548SN/A# 1856548SN/A set server /var/run/ppp/internet MySecretPassword 0177 1866548SN/A# 1876548SN/A# Although a TCP port may be used if you want to allow control 1886548SN/A# connections from other machines: 1896548SN/A# 1906548SN/A set server 6670 MySecretpassword 1916548SN/A# 1926548SN/A# If you don't like ppp's builtin chat, use an external one: 1936548SN/A# 1946548SN/A set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" 1956548SN/A# 1966548SN/A# If we have a ``strange'' modem that must be re-initialized when we 1976548SN/A# hangup: 1986548SN/A# 1996548SN/A set hangup "\"\" AT OK-AT-OK ATZ OK" 2006548SN/A# 2016548SN/A# To adjust logging without blowing away the setting in default: 2026548SN/A# 2036548SN/A set log -command +tcp/ip 2046548SN/A# 2056548SN/A# To see log messages on the screen in interactive mode: 2066548SN/A# 2076548SN/A set log local LCP IPCP CCP 2086548SN/A# 2096548SN/A# If you're seeing a lot of magic number problems and failed connections, 2106548SN/A# try this (see the man page): 2116548SN/A# 2126548SN/A set openmode active 5 2136548SN/A# 2146548SN/A# For noisy lines, we may want to reconnect (up to 20 times) after loss 2156548SN/A# of carrier, with 3 second delays between each attempt: 2166548SN/A# 2176548SN/A set reconnect 3 20 2186548SN/A# 2196548SN/A# When playing server for M$ clients, tell them who our NetBIOS name 2206548SN/A# servers are: 2216548SN/A# 2226548SN/A set nbns 10.0.0.1 10.0.0.2 2236548SN/A# 2246548SN/A# Inform the client if they ask for our DNS IP numbers: 2256548SN/A# 2266548SN/A enable dns 2276548SN/A# 2286548SN/A# If you don't want to tell them what's in your /etc/resolv.conf file 2296548SN/A# with `enable dns', override the values: 2306548SN/A# 2316548SN/A set dns 10.0.0.1 10.0.0.2 2326548SN/A# 2336548SN/A# Some people like to prioritize DNS packets: 2346548SN/A# 2356548SN/A set urgent udp +53 2366548SN/A# 2376548SN/A# If we're using the -nat switch, redirect ftp and http to an internal 2386548SN/A# machine: 2396548SN/A# 2406548SN/A nat port tcp 10.0.0.2:ftp ftp 2416548SN/A nat port tcp 10.0.0.2:http http 2426548SN/A# 2436548SN/A# or don't trust the outside at all 2446548SN/A# 2456548SN/A nat deny_incoming yes 2466548SN/A# 2476548SN/A# I trust user brian to run ppp, so this goes in the `default' section: 2486548SN/A# 2496548SN/A allow user brian 2506548SN/A# 2516548SN/A# But label `internet' contains passwords that even brian can't have, so 2526548SN/A# I empty out the user access list in that section so that only root can 2536548SN/A# have access: 2546548SN/A# 2556548SN/A allow users 2566548SN/A# 2576548SN/A# I also may wish to set up my ppp login script so that it asks the client 2586548SN/A# for the label they wish to use. I may only want user ``dodgy'' to access 2596548SN/A# their own label in direct mode: 2606548SN/A# 26114575Sbpbdodgy: 2626548SN/A allow user dodgy 2636548SN/A allow mode direct 2646548SN/A# 2656548SN/A# We don't want certain packets to keep our connection alive 2666548SN/A# 2676548SN/A set filter alive 0 deny udp src eq 520 # routed 2686548SN/A set filter alive 1 deny udp dst eq 520 # routed 2696548SN/A set filter alive 2 deny udp src eq 513 # rwhod 2706548SN/A set filter alive 3 deny udp src eq 525 # timed 2716548SN/A set filter alive 4 deny udp src eq 137 # NetBIOS name service 2726548SN/A set filter alive 5 deny udp src eq 138 # NetBIOS datagram service 2736548SN/A set filter alive 6 deny tcp src eq 139 # NetBIOS session service 2746548SN/A set filter alive 7 deny udp dst eq 137 # NetBIOS name service 2756548SN/A set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service 2766548SN/A set filter alive 9 deny tcp dst eq 139 # NetBIOS session service 2776548SN/A set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside 2786548SN/A set filter alive 11 permit 0/0 0/0 2796548SN/A# 2809888SN/A# And in auto mode, we don't want certain packets to cause a dialup 2816548SN/A# 2826548SN/A set filter dial 0 deny udp src eq 513 # rwhod 2836548SN/A set filter dial 1 deny udp src eq 525 # timed 2846548SN/A set filter dial 2 deny udp src eq 137 # NetBIOS name service 2856548SN/A set filter dial 3 deny udp src eq 138 # NetBIOS datagram service 2866548SN/A set filter dial 4 deny tcp src eq 139 # NetBIOS session service 2876548SN/A set filter dial 5 deny udp dst eq 137 # NetBIOS name service 2886548SN/A set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service 2896548SN/A set filter dial 7 deny tcp dst eq 139 # NetBIOS session service 2906548SN/A set filter dial 8 deny tcp finrst # Badly closed TCP channels 2916548SN/A set filter dial 9 permit 0 0 2926548SN/A# 2936548SN/A# Once the line's up, allow these connections 2946548SN/A# 2958342SN/A set filter in 0 permit tcp dst eq 113 # ident 2968342SN/A set filter out 0 permit tcp src eq 113 # ident 2976548SN/A set filter in 1 permit tcp src eq 23 estab # telnet 2986548SN/A set filter out 1 permit tcp dst eq 23 # telnet 2996548SN/A set filter in 2 permit tcp src eq 21 estab # ftp 3006548SN/A set filter out 2 permit tcp dst eq 21 # ftp 3016548SN/A set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data 3026548SN/A set filter out 3 permit tcp dst eq 20 # ftp-data 3036548SN/A set filter in 4 permit udp src eq 53 # DNS 3046548SN/A set filter out 4 permit udp dst eq 53 # DNS 3056548SN/A set filter in 5 permit 192.244.191.0/24 0/0 # Where I work 3066548SN/A set filter out 5 permit 0/0 192.244.191.0/24 # Where I work 3076548SN/A set filter in 6 permit icmp # pings 3086548SN/A set filter out 6 permit icmp # pings 3096548SN/A set filter in 7 permit udp dst gt 33433 # traceroute 3106548SN/A set filter out 7 permit udp dst gt 33433 # traceroute 3116548SN/A 3126548SN/A# 3136548SN/A# ``dodgynet'' is an example intended for an autodial configuration which 3146548SN/A# is connecting a local network to a host on an untrusted network. 3156548SN/Adodgynet: 3166548SN/A set log Phase # Log link uptime 3176548SN/A allow mode auto # For autoconnect only 3186548SN/A set device /dev/cuau1 # Define modem device and speed 3196548SN/A set speed 115200 3206548SN/A deny lqr # Don't support LQR 3216548SN/A set phone 0W1194 # Remote system phone number, 3226548SN/A set authname "pppLogin" # login 3236548SN/A set authkey "MyPassword" # and password 3246548SN/A set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer 3256548SN/A TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 3266548SN/A ATE1Q0M0 OK \\dATDT\\T \ 3276548SN/A TIMEOUT 40 CONNECT" 3286548SN/A set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system 3296548SN/A gin:--gin: \\U word: \\P" 3306548SN/A 3316548SN/A # Drop the link after 15 minutes of inactivity 3326548SN/A # Inactivity is defined by the `set filter alive' line below 3336548SN/A set timeout 900 3346548SN/A 3356548SN/A # Hard-code remote system to appear within local subnet and use proxy arp 3366548SN/A # to make this system the gateway for the rest of the local network 3376548SN/A set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 3386548SN/A enable proxy 3396548SN/A 3406548SN/A # Allow any TCP packet to keep the link alive 3416548SN/A set filter alive 0 permit tcp 3426548SN/A 3436548SN/A # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 3446548SN/A # private TCP ports 24 and 4000 3456548SN/A set filter dial 0 7 0 0 tcp dst eq http 3466548SN/A set filter dial 1 7 0 0 tcp dst eq login 3476548SN/A set filter dial 2 7 0 0 tcp dst eq shell 3486548SN/A set filter dial 3 7 0 0 tcp dst eq telnet 3496548SN/A set filter dial 4 7 0 0 tcp dst eq ftp 3506548SN/A set filter dial 5 7 0 0 tcp dst eq 24 3516548SN/A set filter dial 6 deny ! 0 0 tcp dst eq 4000 3526548SN/A 3536548SN/A # From hosts on a couple of local subnets to the remote peer 3546548SN/A # If the remote host allowed IP forwarding and we wanted to use it, the 3556548SN/A # following rules could be split into two groups to separately validate 3566548SN/A # the source and destination addresses. 3576548SN/A set filter dial 7 permit 172.17.16.0/20 172.17.20.248 3586548SN/A set filter dial 8 permit 172.17.36.0/22 172.17.20.248 3596548SN/A set filter dial 9 permit 172.17.118.0/26 172.17.20.248 3607716SN/A set filter dial 10 permit 10.123.5.0/24 172.17.20.248 3617716SN/A 3627716SN/A # Once the link's up, limit outgoing access to the specified hosts 3636548SN/A set filter out 0 4 172.17.16.0/20 172.17.20.248 3646548SN/A set filter out 1 4 172.17.36.0/22 172.17.20.248 3656548SN/A set filter out 2 4 172.17.118.0/26 172.17.20.248 3666548SN/A set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 3676548SN/A 3686548SN/A # Allow established TCP connections 3696548SN/A set filter out 4 permit 0 0 tcp estab 3706548SN/A 3716548SN/A # And new connections to http, rlogin, rsh, telnet, ftp and ports 3726548SN/A # 24 and 4000 3736548SN/A set filter out 5 permit 0 0 tcp dst eq http 3746548SN/A set filter out 6 permit 0 0 tcp dst eq login 3756548SN/A set filter out 7 permit 0 0 tcp dst eq shell 3766548SN/A set filter out 8 permit 0 0 tcp dst eq telnet 3776548SN/A set filter out 9 permit 0 0 tcp dst eq ftp 3786548SN/A set filter out 10 permit 0 0 tcp dst eq 24 3796548SN/A set filter out 11 permit 0 0 tcp dst eq 4000 3806548SN/A 3816548SN/A # And outgoing icmp 3826548SN/A set filter out 12 permit 0 0 icmp 3836548SN/A 3846548SN/A # Once the link's up, limit incoming access to the specified hosts 3856548SN/A set filter in 0 4 172.17.20.248 172.17.16.0/20 3866548SN/A set filter in 1 4 172.17.20.248 172.17.36.0/22 3876548SN/A set filter in 2 4 172.17.20.248 172.17.118.0/26 3886548SN/A set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 3896548SN/A 3906548SN/A # Established TCP connections and non-PASV FTP 3916548SN/A set filter in 4 permit 0/0 0/0 tcp estab 3926548SN/A set filter in 5 permit 0/0 0/0 tcp src eq 20 3936548SN/A 3946548SN/A # Useful ICMP messages 3956548SN/A set filter in 6 permit 0/0 0/0 icmp src eq 3 3966548SN/A set filter in 7 permit 0/0 0/0 icmp src eq 4 3976897SN/A set filter in 8 permit 0/0 0/0 icmp src eq 11 3986548SN/A set filter in 9 permit 0/0 0/0 icmp src eq 12 3996548SN/A 4006548SN/A # Echo reply (local systems can ping the remote host) 4016548SN/A set filter in 10 permit 0/0 0/0 icmp src eq 0 4026548SN/A 4037716SN/A # And the remote host can ping the local gateway (only) 4047716SN/A set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 4059888SN/A 4067716SN/A 4077716SN/A# Server side PPP 4087716SN/A# 4097716SN/A# If you want the remote system to authenticate itself, you must insist 4107716SN/A# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 4117716SN/A# PAP are disabled by default. You may enable either or both. If both 4127716SN/A# are enabled, CHAP is requested first. If the client doesn't agree, PAP 4137716SN/A# will then be requested. 4147716SN/A# 4157716SN/A# Note: If you use the getty/login process to authenticate users, you 4167716SN/A# don't need to enable CHAP or PAP, but the user that has logged 4177716SN/A# in *MUST* be a member of the ``network'' group (in /etc/group). 4187716SN/A# 4197716SN/A# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). 4207716SN/A# 4217716SN/A# If you wish to allow any user in the passwd database ppp access, you 4227716SN/A# can ``enable passwdauth'', but this will only work with PAP. 4237716SN/A# 4247716SN/A# When the peer authenticates itself, we use ppp.secret for verification 4257716SN/A# (although refer to the ``set radius'' command below for an alternative). 4267716SN/A# 4277716SN/A# Note: We may supply a third field in ppp.secret specifying the IP 4287716SN/A# address for that user, a fourth field to specify the 4297716SN/A# ppp.link{up,down} label to use and a fifth field to specify 4307716SN/A# callback characteristics. 4317716SN/A# 4327716SN/A# The easiest way to allow transparent LAN access to your dialin users 4337716SN/A# is to assign them a number from your local LAN and tell ppp to make a 4347716SN/A# ``proxy'' arp entry for them. In this example, we have a local LAN 4357716SN/A# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 4367716SN/A# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 4377716SN/A# override the dynamic IP number with a static IP number specified in 4387716SN/A# ppp.secret. 4397716SN/A# 4406548SN/A# Ppp is launched with: 4416548SN/A# # ppp -direct server 4426548SN/A# 4436548SN/Aserver: 4446548SN/A enable chap chap80 chap81 pap passwdauth 4456548SN/A enable proxy 4466548SN/A set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 4476548SN/A accept dns 4486548SN/A 4496548SN/A# Example of a RADIUS configuration: 4506897SN/A# If there are one or more radius servers available, we can use them 4516548SN/A# instead of the ppp.secret file. Simply put then in a radius 4526548SN/A# configuration file (usually /etc/radius.conf) and give ppp the 4536548SN/A# file name. 4546548SN/A# Ppp will use the FRAMED characteristics supplied by the radius server 4556548SN/A# to configure the link. 4566548SN/A 4576548SN/Aradius-server: 4586548SN/A load server # load in the server config from above 4596548SN/A set radius /etc/radius.conf 4606897SN/A 4616548SN/A 4626548SN/A# Example to connect using a null-modem cable: 4636548SN/A# The important thing here is to allow the lqr packets on both sides. 4646548SN/A# Without them enabled, we can't tell if the line's dropped - there 4656548SN/A# should always be carrier on a direct connection. 4666548SN/A# Here, the server sends lqr's every 10 seconds and quits if five in a 4676548SN/A# row fail. 4686548SN/A# 4696548SN/A# Make sure you don't have "deny lqr" in your default: on the client ! 4706548SN/A# If the peer denies LQR, we still send ECHO LQR packets at the given 4716548SN/A# lqrperiod interval (ppp-style-pings). 4726548SN/A# 4736548SN/Adirect-client: 4746548SN/A set dial 4756548SN/A set device /dev/cuau0 4769888SN/A set sp 115200 4776548SN/A set timeout 900 4786548SN/A set lqrperiod 10 4796548SN/A set log Phase Chat LQM 4806548SN/A set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 4816548SN/A set ifaddr 10.0.4.2 10.0.4.1 4826548SN/A enable lqr echo 4836548SN/A accept lqr 48414405Sigerasim 4856897SN/Adirect-server: 4866548SN/A set timeout 0 4876548SN/A set lqrperiod 10 4886548SN/A set log Phase LQM 4896548SN/A set ifaddr 10.0.4.1 10.0.4.2 4906548SN/A enable lqr echo 4916548SN/A accept lqr 4926548SN/A 4936548SN/A 4946897SN/A# Example to connect via compuserve 4956897SN/A# Compuserve insists on 7 bits even parity during the chat phase. Modem 4966897SN/A# parity is always reset to ``none'' after the link has been established. 4976897SN/A# 4986548SN/Acompuserve: 4996548SN/A set phone 1234567 5006548SN/A set parity even 5016548SN/A set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 5026548SN/A word: XXXXXXXX PPP" 5036548SN/A set timeout 300 5046548SN/A set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 5056548SN/A delete ALL 5066548SN/A add default HISADDR 5076548SN/A 5089888SN/A 5096548SN/A# Example for PPP over TCP. 5106548SN/A# We assume that inetd on tcpsrv.mynet has been 5116548SN/A# configured to run "ppp -direct tcp-server" when it gets a connection on 5126548SN/A# port 1234 with an entry something like this in /etc/inetd.conf.: 5136548SN/A# 5146548SN/A# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server 5156897SN/A# 5166548SN/A# with this in /etc/services: 5176548SN/A# 5186548SN/A# ppp 6671/tcp 5196548SN/A# 5206548SN/A# Read the man page for further details. 5216548SN/A# 5226548SN/A# Note, we assume we're using a binary-clean connection. If something 5236548SN/A# such as `rlogin' is involved, you may need to ``set escape 0xff'' 5246548SN/A# 5256897SN/Atcp-client: 5266548SN/A set device tcpsrv.mynet:1234 5276548SN/A set dial 5286548SN/A set login 5296548SN/A set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 5306548SN/A 5316548SN/Atcp-server: 5326548SN/A set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 5336548SN/A 5346548SN/A 5356548SN/A# Using UDP is also possible with this in /etc/inetd.conf: 5366548SN/A# 5376548SN/A# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server 5386548SN/A# 5396548SN/A# and this in /etc/services: 5406548SN/A# 5416548SN/A# ppp 6671/tcp 5426548SN/A# 5436548SN/Audp-client: 5446548SN/A set device udpsrv.mynet:1234/udp 5456548SN/A set dial 5466548SN/A set login 5476548SN/A set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 5486548SN/A 5496548SN/Audp-server: 5506548SN/A set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 5516548SN/A 5526548SN/A 5536548SN/A# Example for PPP testing. 5546548SN/A# If you want to test ppp, do it through the loopback interface: 5556548SN/A# 5566548SN/A# Requires a line in /etc/services: 5576548SN/A# ppploop 6671/tcp # loopback ppp daemon 5586548SN/A# 5596548SN/A# and a line in /etc/inetd.conf: 5606548SN/A# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in 5616548SN/A# 5626548SN/Ainet-loop: 5636548SN/A set timeout 0 5646548SN/A set log phase chat connect lcp ipcp command 5656548SN/A set device localhost:ppploop 5666548SN/A set dial 5676548SN/A set login 5686548SN/A set ifaddr 127.0.0.2 127.0.0.3 5696548SN/A set server /var/run/ppp/loop "" 0177 5706548SN/A 5716548SN/Ainet-loop-in: 5726548SN/A set timeout 0 5736548SN/A set log phase lcp ipcp command 5746548SN/A allow mode direct 5756548SN/A 5766548SN/A# Example of a VPN. 5776548SN/A# If you're going to create a tunnel through a public network, your VPN 5789888SN/A# should be set up something like this: 5796548SN/A# 5806548SN/A# You should already have set up ssh using ssh-agent & ssh-add. 5816548SN/A# 5826548SN/Asloop: 5836548SN/A load inet-loop 5846548SN/A # Passive mode allows ssh plenty of time to establish the connection 5856548SN/A set openmode passive 5866548SN/A set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in" 5876548SN/A 5886548SN/A 5896548SN/A# or a better VPN solution (which doesn't run IP over a reliable 5906548SN/A# protocol like tcp) may be: 5916548SN/A# 5926548SN/Avpn-client: 5936548SN/A set device udpsrv.mynet:1234/udp # PPP over UDP 5946548SN/A set dial 5956548SN/A set login 5966548SN/A set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 5976548SN/A disable deflate pred1 5986548SN/A deny deflate pred1 5996548SN/A enable MPPE # With encryption 6006548SN/A accept MPPE 6016548SN/A 6026548SN/Avpn-server: 6036548SN/A set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 6046548SN/A disable deflate pred1 6056548SN/A deny deflate pred1 6066548SN/A enable MPPE 6076548SN/A accept MPPE 6086548SN/A enable chap81 # Required for MPPE 6096548SN/A 6106548SN/A# Example of non-PPP callback. 6116548SN/A# If you wish to connect to a server that will dial back *without* using 6126548SN/A# the ppp callback facility (rfc1570), take advantage of the fact that 6136548SN/A# ppp doesn't look for carrier 'till `set login' is complete: 6146548SN/A# 6156548SN/A# Here, we expect the server to say DIALBACK then disconnect after 6166548SN/A# we've authenticated ourselves. When this has happened, we wait 6176548SN/A# 60 seconds for a RING. 6186548SN/A# 6196548SN/A# Note, it's important that we tell ppp not to expect carrier, otherwise 6206548SN/A# we'll drop out at the ``NO CARRIER'' stage. 6216548SN/A# 6226548SN/Adialback: 6236548SN/A set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 6246548SN/A ATDT\\T TIMEOUT 60 CONNECT" 6256548SN/A set cd off 6266548SN/A set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 6276548SN/A \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 6286548SN/A 6296548SN/A# Example of PPP callback. 6306548SN/A# Alternatively, if the peer is using the PPP callback protocol, we're 6316548SN/A# happy either with ``auth'' style callback where the server dials us 6326548SN/A# back based on what we authenticate ourselves with, ``cbcp'' style 6336548SN/A# callback (invented by Microsoft but not agreed by the IETF) where 6346548SN/A# we negotiate callback *after* authentication or E.164 callback where 6356548SN/A# we specify only a phone number. I would recommend only ``auth'' and/or 6366548SN/A# ``cbcp'' callback methods. 6376548SN/A# For ``cbcp'', we insist that we choose ``1234567'' as the number that 6386548SN/A# the server must call back. 6396548SN/A# 6406548SN/Acallback: 6416548SN/A load pmdemand # load in the pmdemand config 6426548SN/A set callback auth cbcp e.164 1234567 6436548SN/A set cbcp 1234567 6446548SN/A 6456548SN/A# If we're running a ppp server that wants to only call back microsoft 6466548SN/A# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 6476548SN/A# 6486548SN/Acallback-server: 6496548SN/A load server 6506548SN/A set callback cbcp 6516548SN/A set cbcp 6526548SN/A set log +cbcp 6536548SN/A set redial 3 1 6546548SN/A set device /dev/cuau0 6556548SN/A set speed 115200 6566548SN/A set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 6576548SN/A 6586548SN/A# Or if we want to allow authenticated clients to specify their own 6596548SN/A# callback number: 6606548SN/A# 6616548SN/Acallback-server-client-decides: 6626548SN/A load callback-server 6636548SN/A set cbcp * 6646548SN/A 6656548SN/A# Multilink mode is available (rfc1990). 6666548SN/A# To enable multi-link capabilities, you must specify a MRRU. 1500 is 6676548SN/A# a reasonable value. To create new links, use the ``clone'' command 6686548SN/A# to duplicate an existing link. If you already have more than one 6696548SN/A# link, you must specify which link you wish to run the command on via 6706548SN/A# the ``link'' command. 6716548SN/A# 6726548SN/A# It's worth increasing your MTU and MRU slightly in multi-link mode to 6736548SN/A# prevent full packets from being fragmented. 6746548SN/A# 6756548SN/A# You can now ``dial'' specific links, or even dial all links at the 6766548SN/A# same time. The `dial' command may also be prefixed with a specific 6776548SN/A# link that should do the dialing. 6786548SN/A# 6796548SN/Amloop: 6806548SN/A load loop 6816548SN/A set device /dev/cuau0 /dev/cuau1 /dev/cuau2 # Use any of these devices 6826548SN/A set mode interactive 6836548SN/A set mrru 1500 6846548SN/A set mru 1504 # Room for the MP header 6856548SN/A clone 1 2 3 6866548SN/A link deflink remove 6876548SN/A # dial 6886548SN/A # link 2 dial 6896548SN/A # link 3 dial 6906548SN/A 6916548SN/Amloop-in: 6926548SN/A set timeout 0 # No idle timer 6936548SN/A set log tun phase 6946548SN/A allow mode direct 6956548SN/A set mrru 1500 6966548SN/A set mru 1504 # Room for the MP header 6976548SN/A 6986548SN/A# User supplied authentication: 6996548SN/A# It's possible to run ppp in the background while specifying a 7006548SN/A# program to use to obtain authentication details on demand. 7016548SN/A# This program would usually be a simple GUI that presents a 7026548SN/A# prompt to a known user. The ``chap-auth'' program is supplied 7036548SN/A# as an example (and requires tcl version 8.0). 7046548SN/A# 7056548SN/ACHAPprompt: 7066548SN/A load PAPorCHAPpmdemand 7076548SN/A set authkey !/usr/share/examples/ppp/chap-auth 7086548SN/A 7096548SN/A# It's possible to do the same sort of thing at the login prompt. 7106897SN/A# Here, after sending ``brian'' in response to the ``name'' prompt, 7116548SN/A# we're prompted with ``code:''. A window is then displayed on the 7126548SN/A# ``keep:0.0'' display and the typed response is sent to the peer 7136548SN/A# as the password. We then expect to see ``MTU'' and ``.'' in the 7146548SN/A# servers response. 7156548SN/A# 7166548SN/Aloginprompt: 7176548SN/A load pmdemand 7186548SN/A set authname "brian" 7196548SN/A set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 7206548SN/A code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 7216548SN/A AUTHNAME\" MTU \\c ." 7226548SN/A 7236897SN/A# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache 7246548SN/A# the MAC address that connects to them, making it impossible to switch 7256548SN/A# your PPPoE connection between machines. 7266548SN/A# 7276548SN/A# The current implementation requires Netgraph, so it doesn't work with 7286548SN/A# OpenBSD or NetBSD. 7296548SN/A# 7306548SN/A# The client should be something like this: 7316548SN/A# 7326548SN/Apppoe: 7336548SN/A set device PPPoE:de0:pppoe-in 7346548SN/A enable lqr echo 7356548SN/A set cd 5 7366548SN/A set dial 7376548SN/A set login 7386548SN/A set redial 0 0 7396548SN/A 7409888SN/A# And the server should be running 7416548SN/A# 7426548SN/A# /usr/libexec/pppoed -p pppoe-in fxp0 7436548SN/A# 7446548SN/A# See rc.conf(5) 7456548SN/A# 7466548SN/Apppoe-in: 7476548SN/A allow mode direct # Only for use on server-side 7486548SN/A enable lqr echo proxy # Enable LQR and proxy-arp 7496548SN/A enable chap pap passwdauth # Force client authentication 7506548SN/A set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers 7516548SN/A accept dns # Allow DNS negotiation 7526548SN/A 7536548SN/A# It's possible to run ppp back-to-back with itself. This is useful 7546548SN/A# for testing. 7559888SN/A# 7566548SN/A# When testing scalability and concurrency, the following profile might 7576548SN/A# be used. 7586548SN/A# 7596548SN/A# Note, you'll have to make some other machine adjustments: 7606548SN/A# 7616548SN/A# o Bump maxusers in your kernel configuration to about 256 so that there 7626548SN/A# are enough process table slots. 7636548SN/A# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll 7646548SN/A# need 3 descriptors per ppp process (assuming no server socket). 7656548SN/A# 7666548SN/A# You can now create 2000 processes (1000 pairs) with: 7676548SN/A# 7686548SN/A# n=0 7696548SN/A# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done 7709888SN/A# 7716548SN/A# If you want to test concurrency, try using ``ppp -dd loop'' instead. 7726548SN/A# 7736548SN/Aloop: 7746548SN/A set timeout 0 7756548SN/A set log 7766548SN/A set device "!ppp -direct loop-in" 7776548SN/A set dial 7786548SN/A set login 7796548SN/A set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255 7806548SN/A disable deflate pred1 mppe 7816548SN/A deny deflate pred1 mppe 7826548SN/A 7836548SN/Aloop-in: 7846548SN/A set timeout 0 7859888SN/A set log 7866548SN/A allow mode direct 7876548SN/A set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255 7886548SN/A disable deflate pred1 mppe 7896548SN/A deny deflate pred1 mppe 7906548SN/A