/share/examples/ppp/ppp.conf.sample
Unknown | 789 lines | 721 code | 68 blank | 0 comment | 0 complexity | 0772ee05fc47eaa7ccd50ff16a2dbe42 MD5 | raw file
1################################################################# 2# 3# PPP Sample Configuration File 4# 5# Originally written by Toshiharu OHNO 6# 7# $FreeBSD$ 8# 9################################################################# 10 11# This file is separated into sections. Each section is named with 12# a label starting in column 0 and followed directly by a ``:''. The 13# section continues until the next label. Blank lines and characters 14# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\'' 15# or quoted with ""). All commands inside sections that do not begin 16# with ``!'' (e.g., ``!include'') *must* be indented by at least one 17# space or tab or they will not be recognized! 18# 19# Lines beginning with "!include" will ``include'' another file. You 20# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 21# 22 23# Default setup. Always executed when PPP is invoked. 24# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 25# 26# This is the best place to specify your modem device, its DTR rate, 27# your dial script and any logging specification. Logging specs should 28# be done first so that the results of subsequent commands are logged. 29# 30default: 31 set log Phase Chat LCP IPCP CCP tun command 32 set device /dev/cuad1 33 set speed 115200 34 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 35 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 36 37# Client side PPP 38# 39# Although the PPP protocol is a peer to peer protocol, we normally 40# consider the side that initiates the connection as the client and 41# the side that receives the connection as the server. Authentication 42# is required by the server either using a unix-style login procedure 43# or by demanding PAP or CHAP authentication from the client. 44# 45 46# An on demand example where we have dynamic IP addresses and wish to 47# use a unix-style login script: 48# 49# If the peer assigns us an arbitrary IP (most ISPs do this) and we 50# can't predict what their IP will be either, take a wild guess at 51# some IPs that you can't currently route to. Ppp can change this 52# when the link comes up. 53# 54# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 55# specified IP actually being correct, therefore, the other side can assign 56# any IP number. 57# 58# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 59# IP number, forcing the peer to make the decision. This is necessary 60# when negotiating with some (broken) ppp implementations. 61# 62# This entry also works with static IP numbers or when not in -auto mode. 63# The ``add'' line adds a `sticky' default route that will be updated if 64# and when any of the IP numbers are changed in IPCP negotiations. 65# The "set ifaddr" is required in -auto mode only. 66# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. 67# 68# Finally, the ``enable dns'' line tells ppp to ask the peer for the 69# nameserver addresses that should be used. This isn't always supported 70# by the other side, but if it is, ppp will update /etc/resolv.conf with 71# the correct nameserver values at connection time. 72# 73# The login script shown says that you're expecting ``ogin:''. If you 74# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 75# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 76# You *MUST* customise this login script according to your local 77# requirements. 78# 79pmdemand: 80 set phone 1234567 81 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 82 set timeout 120 83 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 84 add default HISADDR 85 enable dns 86 87# If you want to use PAP or CHAP instead of using a unix-style login 88# procedure, do the following. Note, the peer suggests whether we 89# should send PAP or CHAP. By default, we send whatever we're asked for. 90# 91# You *MUST* customise ``MyName'' and ``MyKey'' below. 92# 93PAPorCHAPpmdemand: 94 set phone 1234567 95 set login 96 set authname "MyName" 97 set authkey "MyKey" 98 set timeout 120 99 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 100 add default HISADDR 101 enable dns 102 103# On demand dialup example with static IP addresses: 104# Here, the local side uses 192.244.185.226 and the remote side 105# uses 192.244.176.44. 106# 107# # ppp -auto ondemand 108# 109# With static IP numbers, our setup is similar to dynamic: 110# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 111# an "ondemand" label, and finally the "MYADDR" label. 112# 113ondemand: 114 set phone 1234567 115 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 116 set timeout 120 117 set ifaddr 192.244.185.226 192.244.176.44 118 add default HISADDR 119 enable dns 120 121# An on-demand dialup example using an external Terminal Adapter (TA) 122# that supports multi-link ppp itself. 123# 124# This may be specific to the AETHRA TA. 125# 126TA: 127 set phone 12345678 # Replace this with your ISPs phone number 128 129 set authname "somename" # Replace these with your login name & password. 130 set authkey "somepasswd" # This profile assumes you're using PAP or CHAP. 131 132 enable lqr echo 133 set reconnect 3 5 134 set redial 3 10 135 set lqrperiod 45 136 disable pred1 deflate mppe 137 deny pred1 deflate mppe 138 139 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \ 140 OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 141 set login 142 set logout 143 set hangup 144 145 set timeout 60 300 # The minimum charge period is 5 minutes, so don't 146 # hangup before then 147 148 set device /dev/cuad0 # Or whatever 149 set speed 115200 # Use as high a speed as possible 150 151 enable dns # Ask the peer what to put in resolv.conf 152 153 # Take a wild guess at an IP number and let the other side decide 154 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0 155 add! default hisaddr 156 157 set mru 1504 # Some extra room for the MP header 158 159 set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------) 160 161 162# Example segments 163# 164# The following lines may be included as part of your configuration 165# section and aren't themselves complete. They're provided as examples 166# of how to achieve different things. 167 168examples: 169# Multi-phone example. Numbers separated by a : are used sequentially. 170# Numbers separated by a | are used if the previous dial or login script 171# failed. Usually, you will prefer to use only one of | or :, but both 172# are allowed. 173# 174 set phone 12345678|12345679:12345670|12345671 175# 176# Some phone numbers may include # characters - don't forget to escape 177# (or quote) them: 178# 179 set phone "12345##678" 180# 181# Ppp can accept control instructions from the ``pppctl'' program. 182# First, you must set up your control socket. It's safest to use 183# a UNIX domain socket, and watch the permissions: 184# 185 set server /var/run/ppp/internet MySecretPassword 0177 186# 187# Although a TCP port may be used if you want to allow control 188# connections from other machines: 189# 190 set server 6670 MySecretpassword 191# 192# If you don't like ppp's builtin chat, use an external one: 193# 194 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" 195# 196# If we have a ``strange'' modem that must be re-initialized when we 197# hangup: 198# 199 set hangup "\"\" AT OK-AT-OK ATZ OK" 200# 201# To adjust logging without blowing away the setting in default: 202# 203 set log -command +tcp/ip 204# 205# To see log messages on the screen in interactive mode: 206# 207 set log local LCP IPCP CCP 208# 209# If you're seeing a lot of magic number problems and failed connections, 210# try this (see the man page): 211# 212 set openmode active 5 213# 214# For noisy lines, we may want to reconnect (up to 20 times) after loss 215# of carrier, with 3 second delays between each attempt: 216# 217 set reconnect 3 20 218# 219# When playing server for M$ clients, tell them who our NetBIOS name 220# servers are: 221# 222 set nbns 10.0.0.1 10.0.0.2 223# 224# Inform the client if they ask for our DNS IP numbers: 225# 226 enable dns 227# 228# If you don't want to tell them what's in your /etc/resolv.conf file 229# with `enable dns', override the values: 230# 231 set dns 10.0.0.1 10.0.0.2 232# 233# Some people like to prioritize DNS packets: 234# 235 set urgent udp +53 236# 237# If we're using the -nat switch, redirect ftp and http to an internal 238# machine: 239# 240 nat port tcp 10.0.0.2:ftp ftp 241 nat port tcp 10.0.0.2:http http 242# 243# or don't trust the outside at all 244# 245 nat deny_incoming yes 246# 247# I trust user brian to run ppp, so this goes in the `default' section: 248# 249 allow user brian 250# 251# But label `internet' contains passwords that even brian can't have, so 252# I empty out the user access list in that section so that only root can 253# have access: 254# 255 allow users 256# 257# I also may wish to set up my ppp login script so that it asks the client 258# for the label they wish to use. I may only want user ``dodgy'' to access 259# their own label in direct mode: 260# 261dodgy: 262 allow user dodgy 263 allow mode direct 264# 265# We don't want certain packets to keep our connection alive 266# 267 set filter alive 0 deny udp src eq 520 # routed 268 set filter alive 1 deny udp dst eq 520 # routed 269 set filter alive 2 deny udp src eq 513 # rwhod 270 set filter alive 3 deny udp src eq 525 # timed 271 set filter alive 4 deny udp src eq 137 # NetBIOS name service 272 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service 273 set filter alive 6 deny tcp src eq 139 # NetBIOS session service 274 set filter alive 7 deny udp dst eq 137 # NetBIOS name service 275 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service 276 set filter alive 9 deny tcp dst eq 139 # NetBIOS session service 277 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside 278 set filter alive 11 permit 0/0 0/0 279# 280# And in auto mode, we don't want certain packets to cause a dialup 281# 282 set filter dial 0 deny udp src eq 513 # rwhod 283 set filter dial 1 deny udp src eq 525 # timed 284 set filter dial 2 deny udp src eq 137 # NetBIOS name service 285 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service 286 set filter dial 4 deny tcp src eq 139 # NetBIOS session service 287 set filter dial 5 deny udp dst eq 137 # NetBIOS name service 288 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service 289 set filter dial 7 deny tcp dst eq 139 # NetBIOS session service 290 set filter dial 8 deny tcp finrst # Badly closed TCP channels 291 set filter dial 9 permit 0 0 292# 293# Once the line's up, allow these connections 294# 295 set filter in 0 permit tcp dst eq 113 # ident 296 set filter out 0 permit tcp src eq 113 # ident 297 set filter in 1 permit tcp src eq 23 estab # telnet 298 set filter out 1 permit tcp dst eq 23 # telnet 299 set filter in 2 permit tcp src eq 21 estab # ftp 300 set filter out 2 permit tcp dst eq 21 # ftp 301 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data 302 set filter out 3 permit tcp dst eq 20 # ftp-data 303 set filter in 4 permit udp src eq 53 # DNS 304 set filter out 4 permit udp dst eq 53 # DNS 305 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work 306 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work 307 set filter in 6 permit icmp # pings 308 set filter out 6 permit icmp # pings 309 set filter in 7 permit udp dst gt 33433 # traceroute 310 set filter out 7 permit udp dst gt 33433 # traceroute 311 312# 313# ``dodgynet'' is an example intended for an autodial configuration which 314# is connecting a local network to a host on an untrusted network. 315dodgynet: 316 set log Phase # Log link uptime 317 allow mode auto # For autoconnect only 318 set device /dev/cuad1 # Define modem device and speed 319 set speed 115200 320 deny lqr # Don't support LQR 321 set phone 0W1194 # Remote system phone number, 322 set authname "pppLogin" # login 323 set authkey "MyPassword" # and password 324 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer 325 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 326 ATE1Q0M0 OK \\dATDT\\T \ 327 TIMEOUT 40 CONNECT" 328 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system 329 gin:--gin: \\U word: \\P" 330 331 # Drop the link after 15 minutes of inactivity 332 # Inactivity is defined by the `set filter alive' line below 333 set timeout 900 334 335 # Hard-code remote system to appear within local subnet and use proxy arp 336 # to make this system the gateway for the rest of the local network 337 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 338 enable proxy 339 340 # Allow any TCP packet to keep the link alive 341 set filter alive 0 permit tcp 342 343 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 344 # private TCP ports 24 and 4000 345 set filter dial 0 7 0 0 tcp dst eq http 346 set filter dial 1 7 0 0 tcp dst eq login 347 set filter dial 2 7 0 0 tcp dst eq shell 348 set filter dial 3 7 0 0 tcp dst eq telnet 349 set filter dial 4 7 0 0 tcp dst eq ftp 350 set filter dial 5 7 0 0 tcp dst eq 24 351 set filter dial 6 deny ! 0 0 tcp dst eq 4000 352 353 # From hosts on a couple of local subnets to the remote peer 354 # If the remote host allowed IP forwarding and we wanted to use it, the 355 # following rules could be split into two groups to separately validate 356 # the source and destination addresses. 357 set filter dial 7 permit 172.17.16.0/20 172.17.20.248 358 set filter dial 8 permit 172.17.36.0/22 172.17.20.248 359 set filter dial 9 permit 172.17.118.0/26 172.17.20.248 360 set filter dial 10 permit 10.123.5.0/24 172.17.20.248 361 362 # Once the link's up, limit outgoing access to the specified hosts 363 set filter out 0 4 172.17.16.0/20 172.17.20.248 364 set filter out 1 4 172.17.36.0/22 172.17.20.248 365 set filter out 2 4 172.17.118.0/26 172.17.20.248 366 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 367 368 # Allow established TCP connections 369 set filter out 4 permit 0 0 tcp estab 370 371 # And new connections to http, rlogin, rsh, telnet, ftp and ports 372 # 24 and 4000 373 set filter out 5 permit 0 0 tcp dst eq http 374 set filter out 6 permit 0 0 tcp dst eq login 375 set filter out 7 permit 0 0 tcp dst eq shell 376 set filter out 8 permit 0 0 tcp dst eq telnet 377 set filter out 9 permit 0 0 tcp dst eq ftp 378 set filter out 10 permit 0 0 tcp dst eq 24 379 set filter out 11 permit 0 0 tcp dst eq 4000 380 381 # And outgoing icmp 382 set filter out 12 permit 0 0 icmp 383 384 # Once the link's up, limit incoming access to the specified hosts 385 set filter in 0 4 172.17.20.248 172.17.16.0/20 386 set filter in 1 4 172.17.20.248 172.17.36.0/22 387 set filter in 2 4 172.17.20.248 172.17.118.0/26 388 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 389 390 # Established TCP connections and non-PASV FTP 391 set filter in 4 permit 0/0 0/0 tcp estab 392 set filter in 5 permit 0/0 0/0 tcp src eq 20 393 394 # Useful ICMP messages 395 set filter in 6 permit 0/0 0/0 icmp src eq 3 396 set filter in 7 permit 0/0 0/0 icmp src eq 4 397 set filter in 8 permit 0/0 0/0 icmp src eq 11 398 set filter in 9 permit 0/0 0/0 icmp src eq 12 399 400 # Echo reply (local systems can ping the remote host) 401 set filter in 10 permit 0/0 0/0 icmp src eq 0 402 403 # And the remote host can ping the local gateway (only) 404 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 405 406 407# Server side PPP 408# 409# If you want the remote system to authenticate itself, you must insist 410# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 411# PAP are disabled by default. You may enable either or both. If both 412# are enabled, CHAP is requested first. If the client doesn't agree, PAP 413# will then be requested. 414# 415# Note: If you use the getty/login process to authenticate users, you 416# don't need to enable CHAP or PAP, but the user that has logged 417# in *MUST* be a member of the ``network'' group (in /etc/group). 418# 419# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). 420# 421# If you wish to allow any user in the passwd database ppp access, you 422# can ``enable passwdauth'', but this will only work with PAP. 423# 424# When the peer authenticates itself, we use ppp.secret for verification 425# (although refer to the ``set radius'' command below for an alternative). 426# 427# Note: We may supply a third field in ppp.secret specifying the IP 428# address for that user, a fourth field to specify the 429# ppp.link{up,down} label to use and a fifth field to specify 430# callback characteristics. 431# 432# The easiest way to allow transparent LAN access to your dialin users 433# is to assign them a number from your local LAN and tell ppp to make a 434# ``proxy'' arp entry for them. In this example, we have a local LAN 435# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 436# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 437# override the dynamic IP number with a static IP number specified in 438# ppp.secret. 439# 440# Ppp is launched with: 441# # ppp -direct server 442# 443server: 444 enable chap chap80 chap81 pap passwdauth 445 enable proxy 446 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 447 accept dns 448 449# Example of a RADIUS configuration: 450# If there are one or more radius servers available, we can use them 451# instead of the ppp.secret file. Simply put then in a radius 452# configuration file (usually /etc/radius.conf) and give ppp the 453# file name. 454# Ppp will use the FRAMED characteristics supplied by the radius server 455# to configure the link. 456 457radius-server: 458 load server # load in the server config from above 459 set radius /etc/radius.conf 460 461 462# Example to connect using a null-modem cable: 463# The important thing here is to allow the lqr packets on both sides. 464# Without them enabled, we can't tell if the line's dropped - there 465# should always be carrier on a direct connection. 466# Here, the server sends lqr's every 10 seconds and quits if five in a 467# row fail. 468# 469# Make sure you don't have "deny lqr" in your default: on the client ! 470# If the peer denies LQR, we still send ECHO LQR packets at the given 471# lqrperiod interval (ppp-style-pings). 472# 473direct-client: 474 set dial 475 set device /dev/cuad0 476 set sp 115200 477 set timeout 900 478 set lqrperiod 10 479 set log Phase Chat LQM 480 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 481 set ifaddr 10.0.4.2 10.0.4.1 482 enable lqr echo 483 accept lqr 484 485direct-server: 486 set timeout 0 487 set lqrperiod 10 488 set log Phase LQM 489 set ifaddr 10.0.4.1 10.0.4.2 490 enable lqr echo 491 accept lqr 492 493 494# Example to connect via compuserve 495# Compuserve insists on 7 bits even parity during the chat phase. Modem 496# parity is always reset to ``none'' after the link has been established. 497# 498compuserve: 499 set phone 1234567 500 set parity even 501 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 502 word: XXXXXXXX PPP" 503 set timeout 300 504 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 505 delete ALL 506 add default HISADDR 507 508 509# Example for PPP over TCP. 510# We assume that inetd on tcpsrv.mynet has been 511# configured to run "ppp -direct tcp-server" when it gets a connection on 512# port 1234 with an entry something like this in /etc/inetd.conf.: 513# 514# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server 515# 516# with this in /etc/services: 517# 518# ppp 6671/tcp 519# 520# Read the man page for further details. 521# 522# Note, we assume we're using a binary-clean connection. If something 523# such as `rlogin' is involved, you may need to ``set escape 0xff'' 524# 525tcp-client: 526 set device tcpsrv.mynet:1234 527 set dial 528 set login 529 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 530 531tcp-server: 532 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 533 534 535# Using UDP is also possible with this in /etc/inetd.conf: 536# 537# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server 538# 539# and this in /etc/services: 540# 541# ppp 6671/tcp 542# 543udp-client: 544 set device udpsrv.mynet:1234/udp 545 set dial 546 set login 547 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 548 549udp-server: 550 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 551 552 553# Example for PPP testing. 554# If you want to test ppp, do it through the loopback interface: 555# 556# Requires a line in /etc/services: 557# ppploop 6671/tcp # loopback ppp daemon 558# 559# and a line in /etc/inetd.conf: 560# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in 561# 562inet-loop: 563 set timeout 0 564 set log phase chat connect lcp ipcp command 565 set device localhost:ppploop 566 set dial 567 set login 568 set ifaddr 127.0.0.2 127.0.0.3 569 set server /var/run/ppp/loop "" 0177 570 571inet-loop-in: 572 set timeout 0 573 set log phase lcp ipcp command 574 allow mode direct 575 576# Example of a VPN. 577# If you're going to create a tunnel through a public network, your VPN 578# should be set up something like this: 579# 580# You should already have set up ssh using ssh-agent & ssh-add. 581# 582sloop: 583 load inet-loop 584 # Passive mode allows ssh plenty of time to establish the connection 585 set openmode passive 586 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in" 587 588 589# or a better VPN solution (which doesn't run IP over a reliable 590# protocol like tcp) may be: 591# 592vpn-client: 593 set device udpsrv.mynet:1234/udp # PPP over UDP 594 set dial 595 set login 596 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 597 disable deflate pred1 598 deny deflate pred1 599 enable MPPE # With encryption 600 accept MPPE 601 602vpn-server: 603 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 604 disable deflate pred1 605 deny deflate pred1 606 enable MPPE 607 accept MPPE 608 enable chap81 # Required for MPPE 609 610# Example of non-PPP callback. 611# If you wish to connect to a server that will dial back *without* using 612# the ppp callback facility (rfc1570), take advantage of the fact that 613# ppp doesn't look for carrier 'till `set login' is complete: 614# 615# Here, we expect the server to say DIALBACK then disconnect after 616# we've authenticated ourselves. When this has happened, we wait 617# 60 seconds for a RING. 618# 619# Note, it's important that we tell ppp not to expect carrier, otherwise 620# we'll drop out at the ``NO CARRIER'' stage. 621# 622dialback: 623 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 624 ATDT\\T TIMEOUT 60 CONNECT" 625 set cd off 626 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 627 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 628 629# Example of PPP callback. 630# Alternatively, if the peer is using the PPP callback protocol, we're 631# happy either with ``auth'' style callback where the server dials us 632# back based on what we authenticate ourselves with, ``cbcp'' style 633# callback (invented by Microsoft but not agreed by the IETF) where 634# we negotiate callback *after* authentication or E.164 callback where 635# we specify only a phone number. I would recommend only ``auth'' and/or 636# ``cbcp'' callback methods. 637# For ``cbcp'', we insist that we choose ``1234567'' as the number that 638# the server must call back. 639# 640callback: 641 load pmdemand # load in the pmdemand config 642 set callback auth cbcp e.164 1234567 643 set cbcp 1234567 644 645# If we're running a ppp server that wants to only call back microsoft 646# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 647# 648callback-server: 649 load server 650 set callback cbcp 651 set cbcp 652 set log +cbcp 653 set redial 3 1 654 set device /dev/cuad0 655 set speed 115200 656 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 657 658# Or if we want to allow authenticated clients to specify their own 659# callback number: 660# 661callback-server-client-decides: 662 load callback-server 663 set cbcp * 664 665# Multilink mode is available (rfc1990). 666# To enable multi-link capabilities, you must specify a MRRU. 1500 is 667# a reasonable value. To create new links, use the ``clone'' command 668# to duplicate an existing link. If you already have more than one 669# link, you must specify which link you wish to run the command on via 670# the ``link'' command. 671# 672# It's worth increasing your MTU and MRU slightly in multi-link mode to 673# prevent full packets from being fragmented. 674# 675# You can now ``dial'' specific links, or even dial all links at the 676# same time. The `dial' command may also be prefixed with a specific 677# link that should do the dialing. 678# 679mloop: 680 load loop 681 set device /dev/cuad0 /dev/cuad1 /dev/cuad2 # Use any of these devices 682 set mode interactive 683 set mrru 1500 684 set mru 1504 # Room for the MP header 685 clone 1 2 3 686 link deflink remove 687 # dial 688 # link 2 dial 689 # link 3 dial 690 691mloop-in: 692 set timeout 0 # No idle timer 693 set log tun phase 694 allow mode direct 695 set mrru 1500 696 set mru 1504 # Room for the MP header 697 698# User supplied authentication: 699# It's possible to run ppp in the background while specifying a 700# program to use to obtain authentication details on demand. 701# This program would usually be a simple GUI that presents a 702# prompt to a known user. The ``chap-auth'' program is supplied 703# as an example (and requires tcl version 8.0). 704# 705CHAPprompt: 706 load PAPorCHAPpmdemand 707 set authkey !/usr/share/examples/ppp/chap-auth 708 709# It's possible to do the same sort of thing at the login prompt. 710# Here, after sending ``brian'' in response to the ``name'' prompt, 711# we're prompted with ``code:''. A window is then displayed on the 712# ``keep:0.0'' display and the typed response is sent to the peer 713# as the password. We then expect to see ``MTU'' and ``.'' in the 714# servers response. 715# 716loginprompt: 717 load pmdemand 718 set authname "brian" 719 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 720 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 721 AUTHNAME\" MTU \\c ." 722 723# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache 724# the MAC address that connects to them, making it impossible to switch 725# your PPPoE connection between machines. 726# 727# The current implementation requires Netgraph, so it doesn't work with 728# OpenBSD or NetBSD. 729# 730# The client should be something like this: 731# 732pppoe: 733 set device PPPoE:de0:pppoe-in 734 enable lqr echo 735 set cd 5 736 set dial 737 set login 738 set redial 0 0 739 740# And the server should be running 741# 742# /usr/libexec/pppoed -p pppoe-in fxp0 743# 744# See rc.conf(5) 745# 746pppoe-in: 747 allow mode direct # Only for use on server-side 748 enable lqr echo proxy # Enable LQR and proxy-arp 749 enable chap pap passwdauth # Force client authentication 750 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers 751 accept dns # Allow DNS negotiation 752 753# It's possible to run ppp back-to-back with itself. This is useful 754# for testing. 755# 756# When testing scalability and concurrency, the following profile might 757# be used. 758# 759# Note, you'll have to make some other machine adjustments: 760# 761# o Bump maxusers in your kernel configuration to about 256 so that there 762# are enough process table slots. 763# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll 764# need 3 descriptors per ppp process (assuming no server socket). 765# 766# You can now create 2000 processes (1000 pairs) with: 767# 768# n=0 769# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done 770# 771# If you want to test concurrency, try using ``ppp -dd loop'' instead. 772# 773loop: 774 set timeout 0 775 set log 776 set device "!ppp -direct loop-in" 777 set dial 778 set login 779 set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255 780 disable deflate pred1 mppe 781 deny deflate pred1 mppe 782 783loop-in: 784 set timeout 0 785 set log 786 allow mode direct 787 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255 788 disable deflate pred1 mppe 789 deny deflate pred1 mppe