ppp.conf.sample revision 53540
#################################################################
#
#		PPP  Sample Configuration File
#
#	   Originally written by Toshiharu OHNO
#
# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 53540 1999-11-21 23:40:38Z brian $
#
#################################################################

# This file is separated into sections.  Each section is named with
# a label starting in column 0 and followed directly by a ``:''.  The
# section continues until the next section.  Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file.  You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup.  Always executed when PPP is invoked.
# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, its DTR rate,
# your dial script and any logging specification.  Logging specs should
# be done first so that the results of subsequent commands are logged.
#
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that initiates the connection as the client and
# the side that receives the connection as the server.  Authentication
# is required by the server either using a unix-style login procedure
# or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to.  Ppp can change this
# when the link comes up.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP number.
#
# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision.  This is necessary
# when negotiating with some (broken) ppp implementations.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode.
#
# Finally, the ``enable dns'' line tells ppp to ask the peer for the
# nameserver addresses that should be used.  This isn't always supported
# by the other side, but if it is, ppp will update /etc/resolv.conf with
# the correct nameserver values at connection time.
#
# The login script shown says that you're expecting ``ogin:''.  If you
# don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
# You *MUST* customise this login script according to your local
# requirements.
#
pmdemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# If you want to use PAP or CHAP instead of using a unix-style login
# procedure, do the following.  Note, the peer suggests whether we
# should send PAP or CHAP.  By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.
#
PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname MyName
 set authkey MyKey
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
#   # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# a "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44
 add default HISADDR
 enable dns

# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete.  They're provided as examples
# of how to achieve different things.

examples:
# Multi-phone example.  Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed.  Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
 set phone 12345678|12345679:12345670|12345671
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket.  It's safest to use
# a UNIX domain socket, and watch the permissions:
#
 set server /var/tmp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
 set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
 set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
 set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging without blasting the setting in default:
#
 set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
 set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
 set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
 set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
 set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
 enable dns
#
# If you don't want to tell them what's in your /etc/resolv.conf file
# with `enable dns', override the values:
#
 set dns 10.0.0.1 10.0.0.2
#
# Some people like to prioritize DNS packets:
#
 set urgent udp +53
#
# If we're using the -nat switch, redirect ftp and http to an internal
# machine:
#
 nat port 10.0.0.2:ftp ftp
 nat port 10.0.0.2:http http
#
# or don't trust the outside at all
#
 nat deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
 allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
 allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use.  I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
 allow user dodgy
 allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 permit 0 0
#
# And we don't want ICMPs to cause a dialup:
#
 set filter dial 0 deny icmp
 set filter dial 1 permit 0 0
#
# or any TCP FIN or RST packets (badly closed TCP channels):
#
 set filter dial 2 deny 0 0 tcp finrst
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
 set filter in 0 permit tcp dst eq 113
 set filter out 0 permit tcp src eq 113
 set filter in 1 permit tcp src eq 23 estab
 set filter out 1 permit tcp dst eq 23
 set filter in 2 permit tcp src eq 21 estab
 set filter out 2 permit tcp dst eq 21
 set filter in 3 permit tcp src eq 20 dst gt 1023
 set filter out 3 permit tcp dst eq 20
 set filter in 4 permit udp src eq 53
 set filter out 4 permit udp dst eq 53
 set filter in 5 permit 192.244.191.0/24 0/0
 set filter out 5 permit 0/0 192.244.191.0/24
 set filter in 6 permit icmp
 set filter out 6 permit icmp
 set filter in 7 permit udp dst gt 33433
 set filter out 7 permit udp dst gt 33433

#
# ``dodgynet'' is an example intended for an autodial configuration which
# is connecting a local network to a host on an untrusted network.
dodgynet:
 # Log link uptime
 set log Phase
 # For autoconnect only
 allow modes auto
 # Define modem device and speed
 set device /dev/cuaa1
 set speed 115200
 # Don't support LQR
 deny lqr
 # Remote system phone number, login and password
 set phone 0W1194
 set authname pppLogin
 set authkey MyPassword
 # Chat script to dial remote system
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
 ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 # Chat script to login to remote Unix system
 set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
 # Drop the link after 15 minutes of inactivity
 # Inactivity is defined by the `set filter alive' line below
 set timeout 900
 # Hard-code remote system to appear within local subnet and use proxy arp
 # to make this system the gateway
 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
 enable proxy

 # Allow any TCP packet to keep the link alive
 set filter alive 0 permit tcp

 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
 # private TCP ports 24 and 4000
 set filter dial 0 7 0 0 tcp dst eq http
 set filter dial 1 7 0 0 tcp dst eq login
 set filter dial 2 7 0 0 tcp dst eq shell
 set filter dial 3 7 0 0 tcp dst eq telnet
 set filter dial 4 7 0 0 tcp dst eq ftp
 set filter dial 5 7 0 0 tcp dst eq 24
 set filter dial 6 deny ! 0 0 tcp dst eq 4000
 # From hosts on a couple of local subnets to the remote peer
 # If the remote host allowed IP forwarding and we wanted to use it, the
 # following rules could be split into two groups to separately validate
 # the source and destination addresses.
 set filter dial 7 permit 172.17.16.0/20 172.17.20.248
 set filter dial 8 permit 172.17.36.0/22 172.17.20.248
 set filter dial 9 permit 172.17.118.0/26 172.17.20.248
 set filter dial 10 permit 10.123.5.0/24 172.17.20.248

 # Once the link's up, limit outgoing access to the specified hosts
 set filter out 0 4 172.17.16.0/20 172.17.20.248
 set filter out 1 4 172.17.36.0/22 172.17.20.248
 set filter out 2 4 172.17.118.0/26 172.17.20.248
 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
 # Allow established TCP connections
 set filter out 4 permit 0 0 tcp estab
 # And new connections to http, rlogin, rsh, telnet, ftp and ports
 # 24 and 4000
 set filter out 5 permit 0 0 tcp dst eq http
 set filter out 6 permit 0 0 tcp dst eq login
 set filter out 7 permit 0 0 tcp dst eq shell
 set filter out 8 permit 0 0 tcp dst eq telnet
 set filter out 9 permit 0 0 tcp dst eq ftp
 set filter out 10 permit 0 0 tcp dst eq 24
 set filter out 11 permit 0 0 tcp dst eq 4000
 # And outgoing icmp
 set filter out 12 permit 0 0 icmp

 # Once the link's up, limit incoming access to the specified hosts
 set filter in 0 4 172.17.20.248 172.17.16.0/20
 set filter in 1 4 172.17.20.248 172.17.36.0/22
 set filter in 2 4 172.17.20.248 172.17.118.0/26
 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
 # Established TCP connections and non-PASV FTP
 set filter in 4 permit 0/0 0/0 tcp estab
 set filter in 5 permit 0/0 0/0 tcp src eq 20
 # Useful ICMP messages
 set filter in 6 permit 0/0 0/0 icmp src eq 3
 set filter in 7 permit 0/0 0/0 icmp src eq 4
 set filter in 8 permit 0/0 0/0 icmp src eq 11
 set filter in 9 permit 0/0 0/0 icmp src eq 12
 # Echo reply (local systems can ping the remote host)
 set filter in 10 permit 0/0 0/0 icmp src eq 0
 # And the remote host can ping the local gateway (only)
 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8


# Server side PPP
#
# If you want the remote system to authenticate itself, you must insist
# that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
# PAP are disabled by default.  You may enable either or both.  If both
# are enabled, CHAP is requested first.  If the client doesn't agree, PAP
# will then be requested.
#
# Note: If you use the getty/login process to authenticate users, you
#       don't need to enable CHAP or PAP, but the user that has logged
#       in *MUST* be a member of the ``network'' group (in /etc/group).
#
# If you wish to allow any user in the passwd database ppp access, you
# can ``enable passwdauth''.
#
# When the peer authenticates itself, we use ppp.secret for verification
# (although refer to the ``set radius'' command below for an alternative).
#
# Note: We may supply a third field in ppp.secret specifying the IP
#       address for that user, a fourth field to specify the
#       ppp.link{up,down} label to use and a fifth field to specify
#       callback characteristics.
#
# The easiest way to allow transparent LAN access to your dialin users
# is to assign them a number from your local LAN and tell ppp to make a
# ``proxy'' arp entry for them.  In this example, we have a local LAN
# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
# ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
# override the dynamic IP number with a static IP number specified in
# ppp.secret.
#
# Ppp is launched with:
#   # ppp -direct server
#
server:
 enable chap
 enable pap
 enable passwdauth
 enable proxy
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
 accept dns

# Example of a RADIUS configuration:
# If there are one or more radius servers available, we can use them
# instead of the ppp.secret file.  Simply put them in a radius
# configuration file (usually /etc/radius.conf) and give ppp the
# file name.
# Ppp will use the FRAMED characteristics supplied by the radius server
# to configure the link.

radius-server:
 load server
 set radius /etc/radius.conf


# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client!
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
 set dial ""
 set device /dev/cuaa0
 set sp 115200
 set timeout 900
 set lqrperiod 10
 set log Phase Chat LQM
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr
 accept lqr

direct-server:
 set timeout 0
 set lqrperiod 10
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr
 accept lqr


# Example to connect via compuserve
# Compuserve insists on 7 bits even parity during the chat phase.  Modem
# parity is always reset to ``none'' after the link has been established.
#
compuserve:
 set phone 1234567
 set parity even
 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
 word: XXXXXXXX PPP"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add default HISADDR


# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234.  Read the man page for further details.
#
# Note, we assume we're using a binary-clean connection.  If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0

# Example for PPP testing.
# If you want to test ppp, do it through the loopback interface:
#
# Requires a line in /etc/services:
#   ppploop 6671/tcp   # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
#   ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set ifaddr 127.0.0.2 127.0.0.3
 set server /var/tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
 load loop
 # Passive mode allows ssh plenty of time to establish the connection
 set openmode passive
 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"

# Example of non-PPP callback.
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves.  When this has happened, we wait
# 60 seconds for a RING.
#
# Note, it's important that we tell ppp not to expect carrier, otherwise
# we'll drop out at the ``NO CARRIER'' stage.
#
dialback:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
 ATDT\\T TIMEOUT 60 CONNECT"
 set cd off
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"

# Example of PPP callback.
# Alternatively, if the peer is using the PPP callback protocol, we're
# happy either with ``auth'' style callback where the server dials us
# back based on what we authenticate ourselves with, ``cbcp'' style
# callback (invented by Microsoft but not agreed by the IETF) where
# we negotiate callback *after* authentication or E.164 callback where
# we specify only a phone number.  I would recommend only ``auth'' and/or
# ``cbcp'' callback methods.
# For ``cbcp'', we insist that we choose ``1234567'' as the number that
# the server must call back.
#
callback:
 load pmdemand
 set callback auth cbcp e.164 1234567
 set cbcp 1234567

# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
 load server
 set callback cbcp
 set cbcp
 set log +cbcp
 set redial 3 1
 set device /dev/cuaa0
 set speed 115200
 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"

# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
 load callback-server
 set cbcp *

# Multilink mode is available (rfc1990).
# To enable multilink capabilities, you must specify a MRRU.  1500 is
# a reasonable value.  To create new links, use the ``clone'' command
# to duplicate an existing link.  If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time.  The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
 load loop
 set mode interactive
 set mrru 1500
 clone 1 2 3
 link deflink remove
 # dial
 # link 2 dial
 # link 3 dial

mloop-in:
 set timeout 0
 set log tun phase
 allow mode direct
 set mrru 1500

# User supplied authentication:
# It's possible to run ppp in the background while specifying a
# program to use to obtain authentication details on demand.
# This program would usually be a simple GUI that presents a
# prompt to a known user.  The ``chap-auth'' program is supplied
# as an example (and requires tcl version 8.0).
#
CHAPprompt:
 load PAPorCHAPpmdemand
 set authkey !/usr/share/examples/ppp/chap-auth

# It's possible to do the same sort of thing at the login prompt.
# Here, after sending ``brian'' in response to the ``name'' prompt,
# we're prompted with ``code:''.  A window is then displayed on the
# ``keep:0.0'' display and the typed response is sent to the peer
# as the password.  We then expect to see ``MTU'' and ``.'' in the
# server's response.
#
loginprompt:
 load pmdemand
 set authname brian
 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
 AUTHNAME\" MTU \\c ."
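The ``dodgynet'' section above leans on three ``set filter'' features that are easy to misread when auditing a configuration: a numeric action that jumps to a later rule (the ``7'' and ``4'' in its dial and in rules), a leading ``!'' that inverts the match (rule 6 denies everything that is *not* tcp/4000), and the implicit deny when a packet reaches the end of a non-empty list (the sample's own "Anything else is blocked by default").  The Python below is an added example, not code from ppp or from this sample file.  It parses the dodgynet dial filter and the examples-section alive filter verbatim and runs constructed packets through them.  The matching semantics it models (an empty filter permits everything, ``src eq'' on an ICMP rule compares the message type, ``estab'' means an established TCP connection) are my reading of ppp(8), and the SERVICES table is an assumption based on the standard port numbers.

```python
# Model of ppp(8) "set filter" evaluation, run over rules from this sample.
# Added example; not code from ppp or from ppp.conf.sample.
import ipaddress
from collections import namedtuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
# Service names the sample uses in port positions (assumed standard ports).
SERVICES = {"http": 80, "login": 513, "shell": 514, "telnet": 23, "ftp": 21}
# The dodgynet dial filter and the examples-section alive filter, copied verbatim.
SAMPLE_RULES = """
 set filter dial 0 7 0 0 tcp dst eq http
 set filter dial 1 7 0 0 tcp dst eq login
 set filter dial 2 7 0 0 tcp dst eq shell
 set filter dial 3 7 0 0 tcp dst eq telnet
 set filter dial 4 7 0 0 tcp dst eq ftp
 set filter dial 5 7 0 0 tcp dst eq 24
 set filter dial 6 deny ! 0 0 tcp dst eq 4000
 set filter dial 7 permit 172.17.16.0/20 172.17.20.248
 set filter dial 8 permit 172.17.36.0/22 172.17.20.248
 set filter dial 9 permit 172.17.118.0/26 172.17.20.248
 set filter dial 10 permit 10.123.5.0/24 172.17.20.248
 set filter alive 0 deny icmp
 set filter alive 1 deny udp src eq 53
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 permit 0 0
"""
# sport is the TCP/UDP source port; for ICMP, ppp compares the message type there.
Packet = namedtuple("Packet", "src dst proto sport dport estab finrst",
                    defaults=(0, 0, False, False))
_OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}


def _network(tok):
    # "0" and "0/0" both mean any address in ppp's filter syntax
    return ANY if tok in ("0", "0/0") else ipaddress.IPv4Network(tok, strict=False)


def parse_filters(text):
    """Return {filter_name: {rule_no: rule}} for every "set filter" line.  A rule
    is a dict: action ("permit", "deny" or a rule number to jump to), negate (a
    leading "!"), src/dst networks, proto, sport/dport as (op, value), estab, finrst."""
    filters = {}
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["set", "filter"]:
            continue
        name, num, rest = toks[2], int(toks[3]), toks[4:]
        rule = dict(action=rest.pop(0), negate=False, src=ANY, dst=ANY,
                    proto=None, sport=None, dport=None, estab=False, finrst=False)
        if rest and rest[0] == "!":
            rule["negate"], _ = True, rest.pop(0)
        if rest and (rest[0] in ("0", "0/0") or "." in rest[0]):
            rule["src"], rule["dst"] = _network(rest.pop(0)), _network(rest.pop(0))
        if rest and rest[0] in ("tcp", "udp", "icmp"):
            rule["proto"] = rest.pop(0)
        while rest:
            tok = rest.pop(0)
            if tok in ("src", "dst"):
                op, value = rest.pop(0), rest.pop(0)
                rule["sport" if tok == "src" else "dport"] = (op, SERVICES.get(value) or int(value))
            else:
                rule[tok] = True  # "estab" or "finrst"
        filters.setdefault(name, {})[num] = rule
    return filters


def matches(rule, pkt):
    hit = (ipaddress.IPv4Address(pkt.src) in rule["src"]
           and ipaddress.IPv4Address(pkt.dst) in rule["dst"])
    if rule["proto"] is not None:
        hit = hit and pkt.proto == rule["proto"]
        hit = hit and (rule["sport"] is None or _OPS[rule["sport"][0]](pkt.sport, rule["sport"][1]))
        hit = hit and (rule["dport"] is None or _OPS[rule["dport"][0]](pkt.dport, rule["dport"][1]))
        hit = hit and (not rule["estab"] or pkt.estab) and (not rule["finrst"] or pkt.finrst)
    return hit != rule["negate"]


def evaluate(rules, pkt):
    """permit/deny decide; a numeric action jumps forward to that rule; a packet
    matching no rule is denied (the sample's "Anything else is blocked by
    default"); an empty filter permits everything."""
    if not rules:
        return "permit"
    nums, i = sorted(rules), 0
    while i < len(nums):
        rule = rules[nums[i]]
        if not matches(rule, pkt):
            i += 1
        elif rule["action"] in ("permit", "deny"):
            return rule["action"]
        elif int(rule["action"]) in rules and int(rule["action"]) > nums[i]:
            i = nums.index(int(rule["action"]))
        else:
            raise ValueError(f"rule {nums[i]} jumps to invalid rule {rule['action']}")
    return "deny"


FILTERS = parse_filters(SAMPLE_RULES)
```

Feeding ``evaluate(FILTERS["dial"], Packet("172.17.16.5", "172.17.20.248", "udp", 40000, 53))`` returns "deny": rules 0 to 5 only match TCP, and rule 6 then fires because the negated match covers every packet that is not tcp/4000.  A TCP connection to port 4000 from an address outside the four listed subnets also ends as "deny", but only by falling off the end of the list, which is the case worth checking whenever a rule list is edited.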

# ppp supports ppp over ethernet (PPPoE)
#
# The client should be something like:
#
pppoe:
 set device PPPoE:de0:pppoe-in
 set mru 1492
 set mtu 1492
 set speed sync
 enable lqr
 set cd 5
 set dial
 set login
 set redial 0 0

# And the server should be running
#
#   /usr/libexec/pppoed -p pppoe-in fxp0
#
pppoe-in:
 allow mode direct
 set mru 1492
 set mtu 1492
 set speed sync
 enable lqr
 set ifaddr 10.0.0.1 10.0.0.2
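The header of this file describes its section format (a label in column 0 ending in ``:'', ``#'' comments, ``!include''), and the examples section points at two settings worth checking in any ppp.conf: ``set server'' on a TCP port accepts control connections from other machines while a UNIX domain socket with a restrictive mask does not, and a section holding ``set authkey'' should have its user list emptied with ``allow users'' so that only root can run it.  The Python below is an added example, not part of ppp or of this sample: a parser for the section format and an audit that applies those two checks to a constructed ppp.conf fragment.  Assumptions: a trailing backslash continues a line, as in the sample's dial scripts; ``!include'' lines are only recorded, not followed, so the parse stays offline; and the third ``set server'' argument is taken as the umask applied when the socket is created.

```python
# Parser for the ppp.conf section format described in this file's header, plus
# an audit of the control-socket and authkey settings its comments warn about.
# Added example; not code from ppp or from ppp.conf.sample.
import shlex

# Constructed ppp.conf fragment for the audit below; not from the real file.
SAMPLE_CONF = r"""
default:
 set log Phase Chat
 set device /dev/cuaa1
 set dial "ABORT BUSY TIMEOUT 5 \"\" AT \
 OK-AT-OK ATDT\T CONNECT"
 allow user brian
internet:
 set authname MyName
 set authkey MyKey
 set server /var/tmp/internet MySecretPassword 0177
 allow users
remote:
 set authkey !/usr/share/examples/ppp/chap-auth
 set server 6670 MySecretpassword
lab:
 set authkey LabKey
 set server /var/tmp/lab "" 0117
!include ~/.ppp.conf
"""


def parse_conf(text):
    """Return ({label: [argv, ...]}, [included files]).  Per the header: a label
    starts in column 0 and ends with ":", the section runs until the next label,
    blank and "#" lines are ignored.  Assumed here: a trailing backslash joins
    the next line (as the sample's dial scripts do) and "!include" lines are
    recorded rather than followed, so the parse stays offline."""
    sections, includes, current, pending = {}, [], None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending, stripped = "", line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("!include"):
            includes.append(stripped.split(None, 1)[1])
        elif not line[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            sections[current] = []
        elif current is None:
            raise ValueError(f"command before any label: {line!r}")
        else:
            sections[current].append(shlex.split(stripped))
    return sections, includes


def _allowed_users(cmds):
    """Names from the last "allow user(s)" line, [] if emptied, None if absent."""
    users = None
    for argv in cmds:
        if argv[:2] in (["allow", "user"], ["allow", "users"]):
            users = argv[2:]
    return users


def audit(sections):
    """Return [(label, finding), ...] for the risks the sample's comments describe."""
    findings = []
    # "allow user" in default applies to every section without its own list; a
    # bare "allow users" empties the list so that only root can use the section.
    default_users = _allowed_users(sections.get("default", [])) or []
    for label, cmds in sections.items():
        users = _allowed_users(cmds)
        users = default_users if users is None else users
        for argv in cmds:
            if argv[:2] == ["set", "server"] and len(argv) > 2:
                sock = argv[2]
                if sock.isdigit():
                    findings.append((label, f"control socket on TCP port {sock} accepts "
                                            "connections from other machines"))
                elif sock.startswith("/"):
                    # assumption: the third argument is the umask used to create the socket
                    mask = argv[4] if len(argv) > 4 else None
                    if mask is None or int(mask, 8) & 0o077 != 0o077:
                        findings.append((label, f"control socket {sock} umask {mask or 'unset'} "
                                                "leaves group/other access"))
                if len(argv) > 3 and argv[3] == "":
                    findings.append((label, f"control socket {sock} has an empty password"))
            if (argv[:2] == ["set", "authkey"] and len(argv) > 2
                    and not argv[2].startswith("!") and users):
                findings.append((label, "plaintext authkey in a section usable by "
                                        f"non-root users: {', '.join(users)}"))
    return findings


SECTIONS, INCLUDES = parse_conf(SAMPLE_CONF)
FINDINGS = audit(SECTIONS)
```

On the constructed fragment the ``internet'' section is clean because its ``allow users'' line overrides the ``allow user brian'' inherited from ``default'' and its socket umask 0177 leaves only owner access; ``remote'' is flagged for the TCP control port, and ``lab'' for a plaintext authkey reachable by brian, a umask of 0117 that leaves group bits on the socket, and an empty socket password.  An authkey beginning with ``!'' (the chap-auth prompt program) is not treated as a stored secret.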