/share/examples/ppp/ppp.conf.sample

https://bitbucket.org/freebsd/freebsd-head/ · Unknown · 789 lines · 721 code · 68 blank · 0 comment · 0 complexity · 0772ee05fc47eaa7ccd50ff16a2dbe42 MD5 · raw file

  1. #################################################################
  2. #
  3. # PPP Sample Configuration File
  4. #
  5. # Originally written by Toshiharu OHNO
  6. #
  7. # $FreeBSD$
  8. #
  9. #################################################################
  10. # This file is separated into sections. Each section is named with
  11. # a label starting in column 0 and followed directly by a ``:''. The
  12. # section continues until the next label. Blank lines and characters
  13. # after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
  14. # or quoted with ""). All commands inside sections that do not begin
  15. # with ``!'' (e.g., ``!include'') *must* be indented by at least one
  16. # space or tab or they will not be recognized!
  17. #
  18. # Lines beginning with "!include" will ``include'' another file. You
  19. # may want to ``!include ~/.ppp.conf'' for backwards compatibility.
  20. #
  21. # Default setup. Always executed when PPP is invoked.
  22. # This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
  23. #
  24. # This is the best place to specify your modem device, its DTR rate,
  25. # your dial script and any logging specification. Logging specs should
  26. # be done first so that the results of subsequent commands are logged.
  27. #
  28. default:
  29. set log Phase Chat LCP IPCP CCP tun command
  30. set device /dev/cuad1
  31. set speed 115200
  32. set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
  33. OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
  34. # Client side PPP
  35. #
  36. # Although the PPP protocol is a peer to peer protocol, we normally
  37. # consider the side that initiates the connection as the client and
  38. # the side that receives the connection as the server. Authentication
  39. # is required by the server either using a unix-style login procedure
  40. # or by demanding PAP or CHAP authentication from the client.
  41. #
  42. # An on demand example where we have dynamic IP addresses and wish to
  43. # use a unix-style login script:
  44. #
  45. # If the peer assigns us an arbitrary IP (most ISPs do this) and we
  46. # can't predict what their IP will be either, take a wild guess at
  47. # some IPs that you can't currently route to. Ppp can change this
  48. # when the link comes up.
  49. #
  50. # The /0 bit in "set ifaddr" says that we insist on 0 bits of the
  51. # specified IP actually being correct, therefore, the other side can assign
  52. # any IP number.
  53. #
  54. # The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
  55. # IP number, forcing the peer to make the decision. This is necessary
  56. # when negotiating with some (broken) ppp implementations.
  57. #
  58. # This entry also works with static IP numbers or when not in -auto mode.
  59. # The ``add'' line adds a `sticky' default route that will be updated if
  60. # and when any of the IP numbers are changed in IPCP negotiations.
  61. # The "set ifaddr" is required in -auto mode only.
  62. # It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
  63. #
  64. # Finally, the ``enable dns'' line tells ppp to ask the peer for the
  65. # nameserver addresses that should be used. This isn't always supported
  66. # by the other side, but if it is, ppp will update /etc/resolv.conf with
  67. # the correct nameserver values at connection time.
  68. #
  69. # The login script shown says that you're expecting ``ogin:''. If you
  70. # don't receive that, send a ``\n'' and expect ``ogin:'' again. When
  71. # it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
  72. # You *MUST* customise this login script according to your local
  73. # requirements.
  74. #
  75. pmdemand:
  76. set phone 1234567
  77. set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
  78. set timeout 120
  79. set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
  80. add default HISADDR
  81. enable dns
  82. # If you want to use PAP or CHAP instead of using a unix-style login
  83. # procedure, do the following. Note, the peer suggests whether we
  84. # should send PAP or CHAP. By default, we send whatever we're asked for.
  85. #
  86. # You *MUST* customise ``MyName'' and ``MyKey'' below.
  87. #
  88. PAPorCHAPpmdemand:
  89. set phone 1234567
  90. set login
  91. set authname "MyName"
  92. set authkey "MyKey"
  93. set timeout 120
  94. set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
  95. add default HISADDR
  96. enable dns
  97. # On demand dialup example with static IP addresses:
  98. # Here, the local side uses 192.244.185.226 and the remote side
  99. # uses 192.244.176.44.
  100. #
  101. # # ppp -auto ondemand
  102. #
  103. # With static IP numbers, our setup is similar to dynamic:
  104. # Remember, ppp.linkup is searched for a "192.244.176.44" label, then
  105. # an "ondemand" label, and finally the "MYADDR" label.
  106. #
  107. ondemand:
  108. set phone 1234567
  109. set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
  110. set timeout 120
  111. set ifaddr 192.244.185.226 192.244.176.44
  112. add default HISADDR
  113. enable dns
  114. # An on-demand dialup example using an external Terminal Adapter (TA)
  115. # that supports multi-link ppp itself.
  116. #
  117. # This may be specific to the AETHRA TA.
  118. #
  119. TA:
  120. set phone 12345678 # Replace this with your ISPs phone number
  121. set authname "somename" # Replace these with your login name & password.
  122. set authkey "somepasswd" # This profile assumes you're using PAP or CHAP.
  123. enable lqr echo
  124. set reconnect 3 5
  125. set redial 3 10
  126. set lqrperiod 45
  127. disable pred1 deflate mppe
  128. deny pred1 deflate mppe
  129. set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
  130. OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
  131. set login
  132. set logout
  133. set hangup
  134. set timeout 60 300 # The minimum charge period is 5 minutes, so don't
  135. # hangup before then
  136. set device /dev/cuad0 # Or whatever
  137. set speed 115200 # Use as high a speed as possible
  138. enable dns # Ask the peer what to put in resolv.conf
  139. # Take a wild guess at an IP number and let the other side decide
  140. set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
  141. add! default hisaddr
  142. set mru 1504 # Some extra room for the MP header
  143. set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------)
  144. # Example segments
  145. #
  146. # The following lines may be included as part of your configuration
  147. # section and aren't themselves complete. They're provided as examples
  148. # of how to achieve different things.
  149. examples:
  150. # Multi-phone example. Numbers separated by a : are used sequentially.
  151. # Numbers separated by a | are used if the previous dial or login script
  152. # failed. Usually, you will prefer to use only one of | or :, but both
  153. # are allowed.
  154. #
  155. set phone 12345678|12345679:12345670|12345671
  156. #
  157. # Some phone numbers may include # characters - don't forget to escape
  158. # (or quote) them:
  159. #
  160. set phone "12345##678"
  161. #
  162. # Ppp can accept control instructions from the ``pppctl'' program.
  163. # First, you must set up your control socket. It's safest to use
  164. # a UNIX domain socket, and watch the permissions:
  165. #
  166. set server /var/run/ppp/internet MySecretPassword 0177
  167. #
  168. # Although a TCP port may be used if you want to allow control
  169. # connections from other machines:
  170. #
  171. set server 6670 MySecretpassword
  172. #
  173. # If you don't like ppp's builtin chat, use an external one:
  174. #
  175. set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
  176. #
  177. # If we have a ``strange'' modem that must be re-initialized when we
  178. # hangup:
  179. #
  180. set hangup "\"\" AT OK-AT-OK ATZ OK"
  181. #
  182. # To adjust logging without blowing away the setting in default:
  183. #
  184. set log -command +tcp/ip
  185. #
  186. # To see log messages on the screen in interactive mode:
  187. #
  188. set log local LCP IPCP CCP
  189. #
  190. # If you're seeing a lot of magic number problems and failed connections,
  191. # try this (see the man page):
  192. #
  193. set openmode active 5
  194. #
  195. # For noisy lines, we may want to reconnect (up to 20 times) after loss
  196. # of carrier, with 3 second delays between each attempt:
  197. #
  198. set reconnect 3 20
  199. #
  200. # When playing server for M$ clients, tell them who our NetBIOS name
  201. # servers are:
  202. #
  203. set nbns 10.0.0.1 10.0.0.2
  204. #
  205. # Inform the client if they ask for our DNS IP numbers:
  206. #
  207. enable dns
  208. #
  209. # If you don't want to tell them what's in your /etc/resolv.conf file
  210. # with `enable dns', override the values:
  211. #
  212. set dns 10.0.0.1 10.0.0.2
  213. #
  214. # Some people like to prioritize DNS packets:
  215. #
  216. set urgent udp +53
  217. #
  218. # If we're using the -nat switch, redirect ftp and http to an internal
  219. # machine:
  220. #
  221. nat port tcp 10.0.0.2:ftp ftp
  222. nat port tcp 10.0.0.2:http http
  223. #
  224. # or don't trust the outside at all
  225. #
  226. nat deny_incoming yes
  227. #
  228. # I trust user brian to run ppp, so this goes in the `default' section:
  229. #
  230. allow user brian
  231. #
  232. # But label `internet' contains passwords that even brian can't have, so
  233. # I empty out the user access list in that section so that only root can
  234. # have access:
  235. #
  236. allow users
  237. #
  238. # I also may wish to set up my ppp login script so that it asks the client
  239. # for the label they wish to use. I may only want user ``dodgy'' to access
  240. # their own label in direct mode:
  241. #
  242. dodgy:
  243. allow user dodgy
  244. allow mode direct
  245. #
  246. # We don't want certain packets to keep our connection alive
  247. #
  248. set filter alive 0 deny udp src eq 520 # routed
  249. set filter alive 1 deny udp dst eq 520 # routed
  250. set filter alive 2 deny udp src eq 513 # rwhod
  251. set filter alive 3 deny udp src eq 525 # timed
  252. set filter alive 4 deny udp src eq 137 # NetBIOS name service
  253. set filter alive 5 deny udp src eq 138 # NetBIOS datagram service
  254. set filter alive 6 deny tcp src eq 139 # NetBIOS session service
  255. set filter alive 7 deny udp dst eq 137 # NetBIOS name service
  256. set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service
  257. set filter alive 9 deny tcp dst eq 139 # NetBIOS session service
  258. set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside
  259. set filter alive 11 permit 0/0 0/0
  260. #
  261. # And in auto mode, we don't want certain packets to cause a dialup
  262. #
  263. set filter dial 0 deny udp src eq 513 # rwhod
  264. set filter dial 1 deny udp src eq 525 # timed
  265. set filter dial 2 deny udp src eq 137 # NetBIOS name service
  266. set filter dial 3 deny udp src eq 138 # NetBIOS datagram service
  267. set filter dial 4 deny tcp src eq 139 # NetBIOS session service
  268. set filter dial 5 deny udp dst eq 137 # NetBIOS name service
  269. set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service
  270. set filter dial 7 deny tcp dst eq 139 # NetBIOS session service
  271. set filter dial 8 deny tcp finrst # Badly closed TCP channels
  272. set filter dial 9 permit 0 0
  273. #
  274. # Once the line's up, allow these connections
  275. #
  276. set filter in 0 permit tcp dst eq 113 # ident
  277. set filter out 0 permit tcp src eq 113 # ident
  278. set filter in 1 permit tcp src eq 23 estab # telnet
  279. set filter out 1 permit tcp dst eq 23 # telnet
  280. set filter in 2 permit tcp src eq 21 estab # ftp
  281. set filter out 2 permit tcp dst eq 21 # ftp
  282. set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data
  283. set filter out 3 permit tcp dst eq 20 # ftp-data
  284. set filter in 4 permit udp src eq 53 # DNS
  285. set filter out 4 permit udp dst eq 53 # DNS
  286. set filter in 5 permit 192.244.191.0/24 0/0 # Where I work
  287. set filter out 5 permit 0/0 192.244.191.0/24 # Where I work
  288. set filter in 6 permit icmp # pings
  289. set filter out 6 permit icmp # pings
  290. set filter in 7 permit udp dst gt 33433 # traceroute
  291. set filter out 7 permit udp dst gt 33433 # traceroute
  292. #
  293. # ``dodgynet'' is an example intended for an autodial configuration which
  294. # is connecting a local network to a host on an untrusted network.
  295. dodgynet:
  296. set log Phase # Log link uptime
  297. allow mode auto # For autoconnect only
  298. set device /dev/cuad1 # Define modem device and speed
  299. set speed 115200
  300. deny lqr # Don't support LQR
  301. set phone 0W1194 # Remote system phone number,
  302. set authname "pppLogin" # login
  303. set authkey "MyPassword" # and password
  304. set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer
  305. TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
  306. ATE1Q0M0 OK \\dATDT\\T \
  307. TIMEOUT 40 CONNECT"
  308. set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system
  309. gin:--gin: \\U word: \\P"
  310. # Drop the link after 15 minutes of inactivity
  311. # Inactivity is defined by the `set filter alive' line below
  312. set timeout 900
  313. # Hard-code remote system to appear within local subnet and use proxy arp
  314. # to make this system the gateway for the rest of the local network
  315. set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
  316. enable proxy
  317. # Allow any TCP packet to keep the link alive
  318. set filter alive 0 permit tcp
  319. # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
  320. # private TCP ports 24 and 4000
  321. set filter dial 0 7 0 0 tcp dst eq http
  322. set filter dial 1 7 0 0 tcp dst eq login
  323. set filter dial 2 7 0 0 tcp dst eq shell
  324. set filter dial 3 7 0 0 tcp dst eq telnet
  325. set filter dial 4 7 0 0 tcp dst eq ftp
  326. set filter dial 5 7 0 0 tcp dst eq 24
  327. set filter dial 6 deny ! 0 0 tcp dst eq 4000
  328. # From hosts on a couple of local subnets to the remote peer
  329. # If the remote host allowed IP forwarding and we wanted to use it, the
  330. # following rules could be split into two groups to separately validate
  331. # the source and destination addresses.
  332. set filter dial 7 permit 172.17.16.0/20 172.17.20.248
  333. set filter dial 8 permit 172.17.36.0/22 172.17.20.248
  334. set filter dial 9 permit 172.17.118.0/26 172.17.20.248
  335. set filter dial 10 permit 10.123.5.0/24 172.17.20.248
  336. # Once the link's up, limit outgoing access to the specified hosts
  337. set filter out 0 4 172.17.16.0/20 172.17.20.248
  338. set filter out 1 4 172.17.36.0/22 172.17.20.248
  339. set filter out 2 4 172.17.118.0/26 172.17.20.248
  340. set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
  341. # Allow established TCP connections
  342. set filter out 4 permit 0 0 tcp estab
  343. # And new connections to http, rlogin, rsh, telnet, ftp and ports
  344. # 24 and 4000
  345. set filter out 5 permit 0 0 tcp dst eq http
  346. set filter out 6 permit 0 0 tcp dst eq login
  347. set filter out 7 permit 0 0 tcp dst eq shell
  348. set filter out 8 permit 0 0 tcp dst eq telnet
  349. set filter out 9 permit 0 0 tcp dst eq ftp
  350. set filter out 10 permit 0 0 tcp dst eq 24
  351. set filter out 11 permit 0 0 tcp dst eq 4000
  352. # And outgoing icmp
  353. set filter out 12 permit 0 0 icmp
  354. # Once the link's up, limit incoming access to the specified hosts
  355. set filter in 0 4 172.17.20.248 172.17.16.0/20
  356. set filter in 1 4 172.17.20.248 172.17.36.0/22
  357. set filter in 2 4 172.17.20.248 172.17.118.0/26
  358. set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
  359. # Established TCP connections and non-PASV FTP
  360. set filter in 4 permit 0/0 0/0 tcp estab
  361. set filter in 5 permit 0/0 0/0 tcp src eq 20
  362. # Useful ICMP messages
  363. set filter in 6 permit 0/0 0/0 icmp src eq 3
  364. set filter in 7 permit 0/0 0/0 icmp src eq 4
  365. set filter in 8 permit 0/0 0/0 icmp src eq 11
  366. set filter in 9 permit 0/0 0/0 icmp src eq 12
  367. # Echo reply (local systems can ping the remote host)
  368. set filter in 10 permit 0/0 0/0 icmp src eq 0
  369. # And the remote host can ping the local gateway (only)
  370. set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8
  371. # Server side PPP
  372. #
  373. # If you want the remote system to authenticate itself, you must insist
  374. # that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and
  375. # PAP are disabled by default. You may enable either or both. If both
  376. # are enabled, CHAP is requested first. If the client doesn't agree, PAP
  377. # will then be requested.
  378. #
  379. # Note: If you use the getty/login process to authenticate users, you
  380. # don't need to enable CHAP or PAP, but the user that has logged
  381. # in *MUST* be a member of the ``network'' group (in /etc/group).
  382. #
  383. # Note: Chap80 and chap81 are Microsoft variations of standard chap (05).
  384. #
  385. # If you wish to allow any user in the passwd database ppp access, you
  386. # can ``enable passwdauth'', but this will only work with PAP.
  387. #
  388. # When the peer authenticates itself, we use ppp.secret for verification
  389. # (although refer to the ``set radius'' command below for an alternative).
  390. #
  391. # Note: We may supply a third field in ppp.secret specifying the IP
  392. # address for that user, a fourth field to specify the
  393. # ppp.link{up,down} label to use and a fifth field to specify
  394. # callback characteristics.
  395. #
  396. # The easiest way to allow transparent LAN access to your dialin users
  397. # is to assign them a number from your local LAN and tell ppp to make a
  398. # ``proxy'' arp entry for them. In this example, we have a local LAN
  399. # with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
  400. # ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to
  401. # override the dynamic IP number with a static IP number specified in
  402. # ppp.secret.
  403. #
  404. # Ppp is launched with:
  405. # # ppp -direct server
  406. #
  407. server:
  408. enable chap chap80 chap81 pap passwdauth
  409. enable proxy
  410. set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
  411. accept dns
  412. # Example of a RADIUS configuration:
  413. # If there are one or more radius servers available, we can use them
  414. # instead of the ppp.secret file. Simply put then in a radius
  415. # configuration file (usually /etc/radius.conf) and give ppp the
  416. # file name.
  417. # Ppp will use the FRAMED characteristics supplied by the radius server
  418. # to configure the link.
  419. radius-server:
  420. load server # load in the server config from above
  421. set radius /etc/radius.conf
  422. # Example to connect using a null-modem cable:
  423. # The important thing here is to allow the lqr packets on both sides.
  424. # Without them enabled, we can't tell if the line's dropped - there
  425. # should always be carrier on a direct connection.
  426. # Here, the server sends lqr's every 10 seconds and quits if five in a
  427. # row fail.
  428. #
  429. # Make sure you don't have "deny lqr" in your default: on the client !
  430. # If the peer denies LQR, we still send ECHO LQR packets at the given
  431. # lqrperiod interval (ppp-style-pings).
  432. #
  433. direct-client:
  434. set dial
  435. set device /dev/cuad0
  436. set sp 115200
  437. set timeout 900
  438. set lqrperiod 10
  439. set log Phase Chat LQM
  440. set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
  441. set ifaddr 10.0.4.2 10.0.4.1
  442. enable lqr echo
  443. accept lqr
  444. direct-server:
  445. set timeout 0
  446. set lqrperiod 10
  447. set log Phase LQM
  448. set ifaddr 10.0.4.1 10.0.4.2
  449. enable lqr echo
  450. accept lqr
  451. # Example to connect via compuserve
  452. # Compuserve insists on 7 bits even parity during the chat phase. Modem
  453. # parity is always reset to ``none'' after the link has been established.
  454. #
  455. compuserve:
  456. set phone 1234567
  457. set parity even
  458. set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
  459. word: XXXXXXXX PPP"
  460. set timeout 300
  461. set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
  462. delete ALL
  463. add default HISADDR
  464. # Example for PPP over TCP.
  465. # We assume that inetd on tcpsrv.mynet has been
  466. # configured to run "ppp -direct tcp-server" when it gets a connection on
  467. # port 1234 with an entry something like this in /etc/inetd.conf.:
  468. #
  469. # ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
  470. #
  471. # with this in /etc/services:
  472. #
  473. # ppp 6671/tcp
  474. #
  475. # Read the man page for further details.
  476. #
  477. # Note, we assume we're using a binary-clean connection. If something
  478. # such as `rlogin' is involved, you may need to ``set escape 0xff''
  479. #
  480. tcp-client:
  481. set device tcpsrv.mynet:1234
  482. set dial
  483. set login
  484. set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
  485. tcp-server:
  486. set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
  487. # Using UDP is also possible with this in /etc/inetd.conf:
  488. #
  489. # ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
  490. #
  491. # and this in /etc/services:
  492. #
  493. # ppp 6671/tcp
  494. #
  495. udp-client:
  496. set device udpsrv.mynet:1234/udp
  497. set dial
  498. set login
  499. set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
  500. udp-server:
  501. set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
  502. # Example for PPP testing.
  503. # If you want to test ppp, do it through the loopback interface:
  504. #
  505. # Requires a line in /etc/services:
  506. # ppploop 6671/tcp # loopback ppp daemon
  507. #
  508. # and a line in /etc/inetd.conf:
  509. # ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
  510. #
  511. inet-loop:
  512. set timeout 0
  513. set log phase chat connect lcp ipcp command
  514. set device localhost:ppploop
  515. set dial
  516. set login
  517. set ifaddr 127.0.0.2 127.0.0.3
  518. set server /var/run/ppp/loop "" 0177
  519. inet-loop-in:
  520. set timeout 0
  521. set log phase lcp ipcp command
  522. allow mode direct
  523. # Example of a VPN.
  524. # If you're going to create a tunnel through a public network, your VPN
  525. # should be set up something like this:
  526. #
  527. # You should already have set up ssh using ssh-agent & ssh-add.
  528. #
  529. sloop:
  530. load inet-loop
  531. # Passive mode allows ssh plenty of time to establish the connection
  532. set openmode passive
  533. set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"
  534. # or a better VPN solution (which doesn't run IP over a reliable
  535. # protocol like tcp) may be:
  536. #
  537. vpn-client:
  538. set device udpsrv.mynet:1234/udp # PPP over UDP
  539. set dial
  540. set login
  541. set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
  542. disable deflate pred1
  543. deny deflate pred1
  544. enable MPPE # With encryption
  545. accept MPPE
  546. vpn-server:
  547. set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
  548. disable deflate pred1
  549. deny deflate pred1
  550. enable MPPE
  551. accept MPPE
  552. enable chap81 # Required for MPPE
  553. # Example of non-PPP callback.
  554. # If you wish to connect to a server that will dial back *without* using
  555. # the ppp callback facility (rfc1570), take advantage of the fact that
  556. # ppp doesn't look for carrier 'till `set login' is complete:
  557. #
  558. # Here, we expect the server to say DIALBACK then disconnect after
  559. # we've authenticated ourselves. When this has happened, we wait
  560. # 60 seconds for a RING.
  561. #
  562. # Note, it's important that we tell ppp not to expect carrier, otherwise
  563. # we'll drop out at the ``NO CARRIER'' stage.
  564. #
  565. dialback:
  566. set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
  567. ATDT\\T TIMEOUT 60 CONNECT"
  568. set cd off
  569. set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
  570. \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
  571. # Example of PPP callback.
  572. # Alternatively, if the peer is using the PPP callback protocol, we're
  573. # happy either with ``auth'' style callback where the server dials us
  574. # back based on what we authenticate ourselves with, ``cbcp'' style
  575. # callback (invented by Microsoft but not agreed by the IETF) where
  576. # we negotiate callback *after* authentication or E.164 callback where
  577. # we specify only a phone number. I would recommend only ``auth'' and/or
  578. # ``cbcp'' callback methods.
  579. # For ``cbcp'', we insist that we choose ``1234567'' as the number that
  580. # the server must call back.
  581. #
  582. callback:
  583. load pmdemand # load in the pmdemand config
  584. set callback auth cbcp e.164 1234567
  585. set cbcp 1234567
  586. # If we're running a ppp server that wants to only call back microsoft
  587. # clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
  588. #
  589. callback-server:
  590. load server
  591. set callback cbcp
  592. set cbcp
  593. set log +cbcp
  594. set redial 3 1
  595. set device /dev/cuad0
  596. set speed 115200
  597. set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
  598. # Or if we want to allow authenticated clients to specify their own
  599. # callback number:
  600. #
  601. callback-server-client-decides:
  602. load callback-server
  603. set cbcp *
  604. # Multilink mode is available (rfc1990).
  605. # To enable multi-link capabilities, you must specify a MRRU. 1500 is
  606. # a reasonable value. To create new links, use the ``clone'' command
  607. # to duplicate an existing link. If you already have more than one
  608. # link, you must specify which link you wish to run the command on via
  609. # the ``link'' command.
  610. #
  611. # It's worth increasing your MTU and MRU slightly in multi-link mode to
  612. # prevent full packets from being fragmented.
  613. #
  614. # You can now ``dial'' specific links, or even dial all links at the
  615. # same time. The `dial' command may also be prefixed with a specific
  616. # link that should do the dialing.
  617. #
  618. mloop:
  619. load loop
  620. set device /dev/cuad0 /dev/cuad1 /dev/cuad2 # Use any of these devices
  621. set mode interactive
  622. set mrru 1500
  623. set mru 1504 # Room for the MP header
  624. clone 1 2 3
  625. link deflink remove
  626. # dial
  627. # link 2 dial
  628. # link 3 dial
  629. mloop-in:
  630. set timeout 0 # No idle timer
  631. set log tun phase
  632. allow mode direct
  633. set mrru 1500
  634. set mru 1504 # Room for the MP header
  635. # User supplied authentication:
  636. # It's possible to run ppp in the background while specifying a
  637. # program to use to obtain authentication details on demand.
  638. # This program would usually be a simple GUI that presents a
  639. # prompt to a known user. The ``chap-auth'' program is supplied
  640. # as an example (and requires tcl version 8.0).
  641. #
  642. CHAPprompt:
  643. load PAPorCHAPpmdemand
  644. set authkey !/usr/share/examples/ppp/chap-auth
  645. # It's possible to do the same sort of thing at the login prompt.
  646. # Here, after sending ``brian'' in response to the ``name'' prompt,
  647. # we're prompted with ``code:''. A window is then displayed on the
  648. # ``keep:0.0'' display and the typed response is sent to the peer
  649. # as the password. We then expect to see ``MTU'' and ``.'' in the
  650. # servers response.
  651. #
  652. loginprompt:
  653. load pmdemand
  654. set authname "brian"
  655. set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
  656. code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
  657. AUTHNAME\" MTU \\c ."
  658. # ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache
  659. # the MAC address that connects to them, making it impossible to switch
  660. # your PPPoE connection between machines.
  661. #
  662. # The current implementation requires Netgraph, so it doesn't work with
  663. # OpenBSD or NetBSD.
  664. #
  665. # The client should be something like this:
  666. #
  667. pppoe:
  668. set device PPPoE:de0:pppoe-in
  669. enable lqr echo
  670. set cd 5
  671. set dial
  672. set login
  673. set redial 0 0
  674. # And the server should be running
  675. #
  676. # /usr/libexec/pppoed -p pppoe-in fxp0
  677. #
  678. # See rc.conf(5)
  679. #
  680. pppoe-in:
  681. allow mode direct # Only for use on server-side
  682. enable lqr echo proxy # Enable LQR and proxy-arp
  683. enable chap pap passwdauth # Force client authentication
  684. set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers
  685. accept dns # Allow DNS negotiation
  686. # It's possible to run ppp back-to-back with itself. This is useful
  687. # for testing.
  688. #
  689. # When testing scalability and concurrency, the following profile might
  690. # be used.
  691. #
  692. # Note, you'll have to make some other machine adjustments:
  693. #
  694. # o Bump maxusers in your kernel configuration to about 256 so that there
  695. # are enough process table slots.
  696. # o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll
  697. # need 3 descriptors per ppp process (assuming no server socket).
  698. #
  699. # You can now create 2000 processes (1000 pairs) with:
  700. #
  701. # n=0
  702. # while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done
  703. #
  704. # If you want to test concurrency, try using ``ppp -dd loop'' instead.
  705. #
  706. loop:
  707. set timeout 0
  708. set log
  709. set device "!ppp -direct loop-in"
  710. set dial
  711. set login
  712. set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255
  713. disable deflate pred1 mppe
  714. deny deflate pred1 mppe
  715. loop-in:
  716. set timeout 0
  717. set log
  718. allow mode direct
  719. set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255
  720. disable deflate pred1 mppe
  721. deny deflate pred1 mppe