
                         VPN (Virtual Private Network) HOWTO
                                       
Author: Arpad Magosanyi <mag@bunuel.tii.matav.hu>
Translator: <dawei@sinica.edu.tw>

   v0.2, 7 August 1997; translated 20 Feb 1999
     _________________________________________________________________
   
   This document explains how to build a Virtual Private Network (VPN).
     _________________________________________________________________
   
1. Changes

2. Introduction

     * 2.1 Copyright
     * 2.2 Disclaimer
     * 2.3 Security
     * 2.4 Credits
     * 2.5 Before you read on
     * 2.6 Related documents
       
3. Overview

     * 3.1 A note on naming
       
4. Building it

     * 4.1 Planning
     * 4.2 Tools
     * 4.3 Compiling and installing
     * 4.4 Other system setup
     * 4.5 Setting up the VPN user account
     * 4.6 Generating an ssh key for the master account
     * 4.7 Setting up automatic ssh login to the slave account
     * 4.8 Tightening ssh on the bastion hosts
     * 4.9 Allowing ppp and route for that account
     * 4.10 Writing the scripts
       
5. What have we done?

6. Step by step

     * 6.1 Login
     * 6.2 Starting ppp
     * 6.3 In one move
     * 6.4 Pty redirection
     * 6.5 What is on that device?
     * 6.6 Routing
       
7. Tuning

     * 7.1 Tuning the setup
     * 7.2 Bandwidth versus security
       
8. Security holes
     _________________________________________________________________
   
1. Changes

   'no controlling tty problem' -> -o 'BatchMode yes', fixed by Zot O'Connor
   <zot@crl.com>.
   
   Kernel 2.0.30 warning, fixed by mag.
   
2. Introduction

   This is the Linux VPN howto. It explains how to set up a virtual private
   network on Linux (and on UNIX in general).
   
2.1 Copyright

   Unless otherwise stated, Linux HOWTO documents are copyrighted by their
   respective authors. Linux HOWTO documents may be reproduced and
   distributed in whole or in part, in any medium physical or electronic, as
   long as this copyright notice is retained on all copies. Commercial
   redistribution is allowed and encouraged; however, the author would like
   to be notified of any such distributions. All translations, derivative
   works, or aggregate works incorporating any Linux HOWTO documents must be
   covered under this copyright notice. That is, you may not produce a
   derivative work from a HOWTO and impose additional restrictions on its
   distribution. Exceptions to these rules may be granted under certain
   conditions; please contact the Linux HOWTO coordinator at the address
   given below. In short, we wish to promote dissemination of this
   information through as many channels as possible. However, we do wish to
   retain copyright on the HOWTO documents, and would like to be notified of
   any plans to redistribute the HOWTOs. If you have questions, please
   contact Tim Bynum, the Linux HOWTO coordinator, at
   linux-howto@sunsite.unc.edu via email.
   
2.2 Disclaimer

   The usual disclaimer applies: the author takes no responsibility for any
   damage caused by following this document. For the details, please see
   GNU GPL 0.1.1.
   
2.3 Security

   Our view of security is this: without a sound security policy, and
   without a complete and correct system and IP setup behind it, you cannot
   reach real security.
   
2.4 Credits

   Thanks to everyone who wrote the tools used here.
   
   Thanks to Zot O'Connor <zot@crl.com> for pointing out the 'no controlling
   tty' problem and for providing the fix.
   
2.5 Before you read on

   Before reading this, you should already be familiar with IP
   administration, and you should know at least something about firewalls,
   ppp and ssh. If you are going to set up a VPN, you have to know these
   anyway. I have only written down my own experience so that I do not
   forget it. So I am sure that there are holes in it. I have tried to
   present it as problems and their solutions rather than as a polished
   tutorial; I hope you can accept that.
   
2.6 Related documents

     * The Linux Firewall-HOWTO, in /usr/doc/HOWTO/Firewall-HOWTO
     * The Linux PPP-HOWTO, in /usr/doc/HOWTO/PPP-HOWTO.gz
     * The ssh documentation, in /usr/doc/ssh/*
     * The Linux Network Admins' Guide
     * The computer security publications of the National Institute of
       Standards and Technology (NIST), at
       http://csrc.ncsl.nist.gov/nistpubs/
     * The Firewall mailing list (majordomo@greatcircle.com)
       
3. Overview

   As security problems are taken more and more seriously, firewall
   technology is applied ever more widely between the Internet and
   intranets, and the way the firewalls are set up has a direct effect on
   the security of the VPN. This is only my personal view; you are welcome
   to form your own.
   
3.1 A note on naming

   I will use the terms master firewall and slave firewall. The
   architecture of the VPN, however, has nothing to do with these names. I
   use them only to tell apart, when the link is being established, the
   active party from the passive one: the firewall that initiates the
   connection is called the master, and the passive party is called the
   slave.
   
4. Building it

4.1 Planning

   Before you start setting up the systems, you should understand a few new
   concepts. Suppose you have two networks, each belonging to the same
   company. Each network will therefore have (at least) one firewall. It is
   worth writing down the IP addresses and netmasks of each network. Your
   VPN will use an IP address range of its own, and this range must lie
   outside the ranges your company already uses. I recommend choosing it
   from the private address ranges, which are:
   
     * 10.0.0.0 - 10.255.255.255
     * 172.16.0.0 - 172.31.255.255
     * 192.168.0.0 - 192.168.255.255
       
   Now a concrete example: two bastion [translator's note] hosts, called
   fellini and polanski. Each has one interface connected to the Internet
   (-out), one connected to the intranet (-in), and one connected to the VPN
   (-vpn). All the IP addresses and netmasks are as follows:
   
     * fellini-out: 193.6.34.12 255.255.255.0
     * fellini-in: 193.6.35.12 255.255.255.0
     * fellini-vpn: 192.168.0.1 point-to-point
     * polanski-out: 193.6.36.12 255.255.255.0
     * polanski-in: 193.6.37.12 255.255.255.0
     * polanski-vpn: 192.168.0.2 point-to-point
       
   Translator's note: a bastion host is the host that sits between the
   Internet and the intranet.
   
   So now we have a plan.
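   As an added illustration of the planning rule above (this is not part of
   the original HOWTO), the following POSIX sh functions check that a
   candidate VPN endpoint address is an RFC1918 address and does not overlap
   any network already in use at either site. IN_USE is the fellini/polanski
   plan plus a constructed 192.168.5.0/24 intranet LAN; tr is assumed.

```sh
#!/bin/sh
# Added example (not from the HOWTO): sanity-check an address chosen for a VPN
# endpoint as in section 4.1.  Assumes POSIX sh and tr; IN_USE holds the
# fellini/polanski networks plus a constructed 192.168.5.0/24 intranet LAN.

# ip2int DOTTED: dotted quad -> unsigned integer (needs 64-bit shell arithmetic,
# which dash and bash on Linux provide).
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_net ADDR NET MASK: true when ADDR lies inside NET/MASK.
in_net() {
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# is_private ADDR: true for the three RFC1918 ranges listed in the HOWTO.
is_private() {
    in_net "$1" 10.0.0.0 255.0.0.0 ||
    in_net "$1" 172.16.0.0 255.240.0.0 ||
    in_net "$1" 192.168.0.0 255.255.0.0
}

# Networks already routed at the two sites, as NET/MASK, one per line.
IN_USE="193.6.34.0/255.255.255.0
193.6.35.0/255.255.255.0
193.6.36.0/255.255.255.0
193.6.37.0/255.255.255.0
192.168.5.0/255.255.255.0"

# check_vpn_addr ADDR: prints a verdict; returns 0 only if ADDR is private and
# overlaps nothing in IN_USE.
check_vpn_addr() {
    if ! is_private "$1"; then
        echo "$1: not an RFC1918 address"; return 1
    fi
    for entry in $IN_USE; do
        if in_net "$1" "${entry%/*}" "${entry#*/}"; then
            echo "$1: collides with $entry"; return 1
        fi
    done
    echo "$1: ok"
}

for a in 192.168.0.1 192.168.0.2 192.168.5.7 193.6.35.12; do
    check_vpn_addr "$a" || :    # print every verdict, even under set -e
done
```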
   
4.2 Tools

   You will need:
     * Linux
     * a kernel
     * a very basic system setup
     * the ipfwadm program
     * the fwtk program
     * the tools used by the VPN itself:
     * the ssh program
     * the pppd program
     * the sudo program
     * the pty-redir program
       
   Versions currently in use:
     * kernel: 2.0.29. Please use a stable kernel, and one newer than 2.0.20
       because of the ping'o'death bug. At the time of writing the latest
       stable kernel is 2.0.30, but it has a few bugs. If you want the
       features the newest kernel provides, read the kernel source and try
       it yourself; 2.0.30 has worked well for me.
     * base operating system: I use the Debian distribution. Do not install
       more software than you need, and that includes sendmail. And do not,
       as so many other UNIX hosts do, allow the use of telnet, ftp and the
       'r' commands.
     * ipfwadm: I use 2.3.0.
     * fwtk: I use 1.3.
     * ssh: >= 1.2.20. Older versions have security problems.
     * pppd: I tested 2.2.0f, but I cannot determine whether it is secure,
       which is why I removed its setuid bit and run it through sudo
       instead.
     * sudo: the newest version I know of is 1.5.2.
     * pty-redir: I wrote this one. Get it from
       ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz. The current
       version is 0.1. If you have problems using it, please write to me.
       
4.3 Compiling and installing

   Your job now is to compile and install the tools you have collected.
   Read the relevant documentation (especially the firewall-howto) for the
   details. Now we have the tools installed.
   
4.4 Other system setup

   Set up routing and the other items. On the bastion hosts, allow ssh
   traffic through the firewall; that means the master must be able to
   connect to port 22 on the slave. Start sshd on the slave and check
   whether you can log in. I have not tested this step thoroughly, so
   please tell me your results.
   
4.5 Setting up the VPN user account

   Create a user account on the slave with the usual tools (e.g. vi, mkdir,
   chown, chmod). You could also create a user account on the master, but I
   believe that on the master, where the connection has to be set up
   anyway, the existing root account is enough. Can anyone tell us what the
   risk of using the root account on the master is?
   
4.6 Generating an ssh key for the master account

   Use the ssh-keygen program. If you want the VPN to be set up
   automatically, generate a private key without a passphrase.
   
4.7 Setting up automatic ssh login to the slave account

   On the slave, copy the public key you have just generated into the
   .ssh/authorized_keys file of the slave user account, and set the file
   permissions as follows:
   
drwx------ 2 slave slave 1024 Apr 7 23:49 ./
drwx------ 4 slave slave 1024 Apr 24 14:05 ../
-rwx------ 1 slave slave 328 Apr 7 03:04 authorized_keys
-rw------- 1 slave slave 660 Apr 14 15:23 known_hosts
-rw------- 1 slave slave 512 Apr 21 10:03 random_seed

   Here ./ is ~slave/.ssh and ../ is ~slave.
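   As an added check (not part of the original HOWTO), the following POSIX
   sh functions verify that the slave account's home, .ssh directory and
   authorized_keys carry owner-only permissions like the listing above,
   which is also what sshd's StrictModes setting in the next section
   insists on. It assumes ls, cut and mktemp; the directory tree it checks
   is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example (not from the HOWTO): check the ~slave/.ssh permissions shown in
# section 4.7.  Assumes POSIX sh, ls, cut and mktemp; the fixture is constructed.

# mode_of PATH: the ten-character type+permission field from ls -ld.
mode_of() { ls -ld "$1" | cut -c1-10; }

# group_or_other_access MODE: true if anyone but the owner has any permission.
group_or_other_access() {
    case $(echo "$1" | cut -c5-10) in
        ------) return 1 ;;
        *) return 0 ;;
    esac
}

# check_ssh_perms HOME: prints each problem found; returns the number found,
# so 0 means everything is owner-only as in the HOWTO's listing.
check_ssh_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing"; bad=$((bad + 1)); continue
        fi
        m=$(mode_of "$p")
        if group_or_other_access "$m"; then
            echo "$p: $m is accessible by group or other"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed fixture: a slave home laid out with the HOWTO's permissions.
SLAVEHOME=$(mktemp -d)
mkdir "$SLAVEHOME/.ssh"
: > "$SLAVEHOME/.ssh/authorized_keys"
chmod 700 "$SLAVEHOME" "$SLAVEHOME/.ssh"
chmod 600 "$SLAVEHOME/.ssh/authorized_keys"
check_ssh_perms "$SLAVEHOME" && echo "permissions match the HOWTO"
# Loosen the key file the way a careless copy often does, and re-check.
chmod 644 "$SLAVEHOME/.ssh/authorized_keys"
check_ssh_perms "$SLAVEHOME" || echo "$? problem(s) found"
```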
   
4.8 Tightening ssh on the bastion hosts

   These are the settings I use in sshd_config:
   
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
QuietMode no
FascistLogging yes
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

   Password authentication (PasswordAuthentication) is disabled, so you can
   only log in with an authorized key. (Of course, you have already
   disabled telnet and the 'r' commands.)
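   As an added audit (not part of the original HOWTO), the following POSIX
   sh functions read an sshd_config and report every authentication
   directive that deviates from the list above. It assumes awk and mktemp;
   the sample configuration it audits is constructed here, not taken from a
   real host.

```sh
#!/bin/sh
# Added example (not from the HOWTO): audit an sshd_config against the
# authentication settings of section 4.8.  Assumes POSIX sh, awk and mktemp.

# Directive=value pairs the HOWTO asks for (logging and keepalive left out).
WANT="PermitRootLogin=no
IgnoreRhosts=yes
StrictModes=yes
RhostsAuthentication=no
RhostsRSAAuthentication=no
RSAAuthentication=yes
PasswordAuthentication=no
PermitEmptyPasswords=no"

# effective_value FILE DIRECTIVE: value of the first uncommented occurrence
# (sshd honours the first match); prints nothing if the directive is absent.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: one line per deviation; returns the deviation count,
# so 0 means the file matches the HOWTO's list.
audit_sshd_config() {
    bad=0
    for pair in $WANT; do
        key=${pair%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set (sshd default applies; wanted $want)"; bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "$key: is $got, wanted $want"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample: a stock-looking config where password logins are still on.
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
StrictModes yes
IgnoreRhosts yes
EOF
audit_sshd_config "$WEAK" || echo "weak config: $? deviation(s)"
```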
   
4.9 Allowing ppp and route for that account

   If the master account is root (as in my example), nothing is needed. For
   the slave account, the following lines appear in the /etc/sudoers file:
   
Cmnd_Alias VPN=/usr/sbin/pppd,/usr/local/vpn/route
slave ALL=NOPASSWD: VPN

   As you can see, on the slave I use scripts to set up ppp and the
   routing.
   
4.10 Writing the scripts
   On the master firewall, I use the following init script:
#! /bin/sh
# skeleton      This file is the skeleton for scripts placed in /etc/init.d/.
#               Use it as the basis for the other scripts in /etc/init.d.
#
#               Written by Miquel van Smoorenburg <miquels@cistron.nl>.
#               Modified for Debian GNU/Linux
#               by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version:      @(#)skeleton  1.6  11-Nov-1996  miquels@cistron.nl
#

PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/:
# The two commands run through sudo on the slave; they must match the
# Cmnd_Alias VPN entry in the slave's /etc/sudoers (section 4.9).
PPPAPP=/usr/sbin/pppd
ROUTEAPP=/usr/local/vpn/route
PPPD=/usr/sbin/pppd
NAME=VPN
REDIR=/usr/local/bin/pty-redir
SSH=/usr/bin/ssh
MYPPPIP=192.168.0.1
TARGETIP=192.168.0.2
TARGETNET=193.6.37.0
MYNET=193.6.35.0
SLAVEWALL=polanski-out
SLAVEACC=slave
# File that receives the pty name printed by pty-redir.  Kept out of the
# world-writable /tmp so that no unprivileged user can plant a symlink there.
DEVFILE=/var/run/vpn-device

test -f $PPPD || exit 0

set -e

case "$1" in
  start)
        echo setting up vpn
        # pty-redir prints the pty it attached ssh to; BatchMode stops ssh from
        # asking for a passphrase when it has no controlling tty.
        $REDIR $SSH -o 'BatchMode yes' -t -l $SLAVEACC $SLAVEWALL sudo $PPPAPP >$DEVFILE
        TTYNAME=`cat $DEVFILE`
        echo tty is $TTYNAME
        sleep 10s
        if [ -n "$TTYNAME" ]
        then
                $PPPD $TTYNAME ${MYPPPIP}:${TARGETIP}
        else
                echo FAILED!
                logger "vpn setup failed"
        fi
        sleep 5s
        route add -net $TARGETNET gw $TARGETIP
        $SSH -o 'BatchMode yes' -l $SLAVEACC $SLAVEWALL sudo $ROUTEAPP
    ;;
  stop)
        # Match the ssh started above; its -o option precedes -l on the command line.
        ps -ax | grep "ssh .*-l $SLAVEACC $SLAVEWALL" | grep -v grep | awk '{print $1}' | xargs kill
    ;;
  *)
    # echo "Usage: /etc/init.d/$NAME {start|stop|reload}"
    echo "Usage: /etc/init.d/$NAME {start|stop}"
    exit 1
    ;;
esac

exit 0

   On the slave account, the script that sets up the routing
   (/usr/local/vpn/route) is:
#!/bin/bash
/sbin/route add -net 193.6.35.0 gw 192.168.0.1

   And the contents of .ppprc are:
passive

5. What have we done?

   The master logs in to the slave account, starts pppd, and redirects all
   the data to a pty (pseudo terminal). The flow is:
   
     * allocate a new pty
     * log in to the slave account through ssh
     * start pppd under the slave account
     * start pppd on the master, attached to the pty
     * and set up the routing on both sides.
       
   We have also taken the timing problem into account (the order is
   strictly required), which is why the 'sleep 10s' statement is there.
   
6. Step by step

6.1 Login

   By now you should have tested whether ssh works properly. If the slave
   refuses your login, read the ssh documentation. Perhaps the file
   permissions, or the sshd settings, are the problem.
   
6.2 Starting ppp

   Log in to the slave account and run:
sudo /usr/sbin/pppd passive

   If it works, you should see some garbage on the screen. If no garbage
   appears, either sudo or pppd is the problem. Check the /etc/ppp/options
   and .ppprc files, and run pppd from the command line to find out which
   command is failing. To rule out the problem, write the word 'passive'
   into .ppprc and try again. Press enter, then '~', then '^Z' to suspend
   the session and stop the garbage on the screen. Now you should see the
   master's prompt; then run kill %1. If you want to know more about the
   escape character, see the tuning section.
   
6.3 In one move

   Of course, you can also run:
   
ssh -l slave polanski sudo /usr/sbin/pppd

   If it works, it sends you a screenful of garbage-like data.
   
6.4 Pty redirection

   Now let's try it with redirection:
/usr/local/bin/pty-redir /usr/bin/ssh -l slave polanski sudo /usr/sbin/pppd

   Nice, isn't it? You have to give the full path name of ssh; for security
   reasons pty-redir only works that way. The program now gives you a
   device name, for example /dev/ttyp0. You can check the current state
   with the ps command. Make a note of the 'p0' device name.
   
6.5 What is on that device?

   Try running
/usr/sbin/pppd /dev/ttyp0 local 192.168.0.1:192.168.0.2

   to establish the connection. Then look at the output of ifconfig to see
   whether the device has been created, and use ping to check it.
   
6.6 Routing

   To route the intranets over the link, routing must be set up on the
   master as well as on the slave. Now you should be able to ping a host on
   the other intranet from a host on one intranet. Next, set up the
   additional firewall rules. Now that you have a VPN, you can set up rules
   for the traffic between the two intranets.
   
7. Tuning

7.1 Tuning the setup

   As I said, this is only my personal set of notes on setting up a VPN. I
   tested it before writing it down, but some things I cannot be sure of,
   so please let me know whether they work as expected. The most important
   thing to keep in mind is that the ppp link must use 8 bits. I also feel
   that the pty setup of ssh needs further tightening. In ssh, the tilde
   (~) is the escape character. Binary traffic can contain a newline-tilde
   sequence, and such a sequence would put ssh into escape mode. The ssh
   manual says: < On most systems, setting the escape character to none
   will also make the session transparent even if a tty is used. > The
   corresponding ssh option is '-e'; you can also set it in the
   configuration file.
   
7.2 Bandwidth versus security

   Encryption costs computing resources. A VPN costs bandwidth and CPU
   time, and your goal should be to keep both as low as possible. You can
   use the '-C' switch or the 'CompressionLevel' option to tune this. You
   may also try another cipher, but I do not recommend it. Note that the
   higher the compression level, the longer the round-trip time of your
   data becomes. There is not much more to say.
   
8. Security holes

   I have tried to think through the holes this particular setup, and VPNs
   in general, have, and to write them down honestly.
     * sudo: I admit that I have overused sudo. I firmly believe that
       setuid bits are insecure. Linux has no support for capabilities; the
       only thing I know of is a POSIX.6-compatible kernel patch at
       <http://www.xarius.demon.co.uk/software/posix6/>. What worries me is
       that I call shell scripts through sudo. There are plenty of holes
       there. Any suggestions?
     * pppd: it also runs suid root (translator's note). It can be
       configured through the user's .ppprc file. As far as I can tell, a
       buffer overrun could occur in it. But this only affects the security
       of the slave account.
     * ssh: be careful, ssh before 1.2.20 has security holes. What worries
       me is that in our setup we make a concession on the security of the
       master account, which correspondingly weakens the security of the
       slave account as well, and because we launch programs through sudo,
       the hole is widened further. The reason is that, to set up the VPN
       automatically, we chose a secret key without a passphrase on the
       master.
     * firewall: on the bastion hosts the rules must be strict; do not open
       the intranet to the outside. I recommend using IP masquerading, so
       that a mistake in the routing setup has only a limited effect, and
       strict rules on the VPN interface.
       
   Translator's note: suid root means that a program obtains root
   privileges when it runs. The suid (set user ID) flag is bit 11 of the
   file mode; when it is set on a file, the file runs with the privileges
   of its owner.
