
Wednesday, November 17, 2010

Setting up a PPTP link on a fedora system, without NetworkManager

NetworkManager is a Linux applet (not really: it is a system daemon, controlled via desktop applets, but still...). It allows you to set up and manage (activate, deactivate and such) network connections. It is mostly OK for desktop usage, and I'd say it is more than OK for wireless connections. I do have some major bones to pick with it, though:


  • It is greedy - it tends to hog all the network connections, including the ones that should not be touched (your main ethernet connection, for instance), and you have to pry them from its dead, cold fingers.

  • It screws up - sometimes. When it does, you're on your own without a lifeboat - unless you thought to bring one with you, and this is because....

  • Having been designed by GUI zealots, it has no Command Line Interface (well, it does have one, but it sucks more than a tornado) and no visible configuration files - to the best of my knowledge it keeps all its config somewhere inside the user branch of the gconf DB (a configuration system that makes the Windows registry seem OK - 'nuff said). So it is very hard to tell what is going wrong, where and why.

  • Not only this, but because it is in the user branch, connections are not shared between users, nor can they be system-wide (AFAIK).

  • Not only this, but because it is so GUI oriented, there is no clear way to tailor the connection setup/teardown. For instance, on pptp/vpn links it would be nice to set up custom routes. No such luck, kiddo: with NM it's either default route or zilch (there is, truth be said, a check mark that purports to do something different, but it does not. Or perhaps it would do something with some server side help - but this is the client side, sorry.)



So it is only fair to say that, for server oriented connection management, NetworkManager basically sucks - and I find the talk I read about system-config-network going away slightly worrying. However, the above explains why, while setting up a system-wide VPN link for development work, I found it necessary to ascertain that I had a CLI way to set it up, tear it down and debug it. That is the lifeboat I was talking about a few paragraphs ago....

This was tested on FC13, kernel 2.6.34.7-61, ppp-2.4.5-9, pptp-1.7.2-9, for a standard MSCHAP-V2 Microsoft-like tunnel - your mileage will vary, and substantially so if your system is much older than mine. Everything is still a little rough around the edges - smoothing it out would require integrating it with ifup-ppp, complete with all the options and stuff. The way it is, it pushes most configuration options to the ppp side (options.pptp and peers/CONNID). And yes, one would need a GUI plugin for system-config-network. You are welcome to write it. At the end, you will be able to control the connection via:


$ ifup CONNID
$ ifdown CONNID


It goes like this (by no design of mine: this is THE WAY networking scripts work in fedora/RH):



  • 'ifup CONNID' reads /etc/sysconfig/network-scripts/ifcfg-CONNID;

  • the variable DEVICETYPE=pptp (inside ifcfg-CONNID) directs ifup to invoke ifup-pptp (an undocumented innard of the RH sysconfig files);

  • ifup-pptp executes "pppd call CONNID", which uses /etc/ppp/peers/CONNID (which in turn reads /etc/ppp/options.pptp);

  • pppd starts the ppp process and kicks off ip-up, which (eventually) calls /etc/ppp/ip-up.local. pppd also saves its PID in /var/run/pppx.pid (x is 0, 1, ...);

  • ip-up.local saves the interface name (pppx) inside /var/run/pptp-CONNID.pid (misnomer, but eh);

  • ifup-pptp waits for the creation of /var/run/pptp-CONNID.pid and uses its contents to try hard (too hard, perhaps: I have a feeling ifup-routes is being called twice, but no harm appears to have been done) to convince /etc/sysconfig/network-scripts/ifup-routes to install the correct routes for the new interface;

  • ifup-routes reads the route information in /etc/sysconfig/network-scripts/route-CONNID and uses "ip route add" to do its job.

To get to the goodies, you will need to edit/create the following files (contents are listed below).


  1. FILE: /etc/ppp/options.pptp: Edit, to accept some auth and compression options (most comments below removed: #ALF# means commented out by me).

  2. FILE: /etc/ppp/chap-secrets: Edit. Add authentication information (user and password); choose CONNID as you wish.

  3. FILE: /etc/ppp/peers/CONNID: Create.

  4. FILE: /etc/ppp/ip-up.local: Create.

  5. FILE: /etc/ppp/ip-down.local: Create.

  6. FILE: /etc/sysconfig/network-scripts/ifcfg-CONNID: Create.

  7. FILE: /etc/sysconfig/network-scripts/ifup-pptp: Create, mode 755 (rwxr-xr-x).

  8. FILE: /etc/sysconfig/network-scripts/ifdown-pptp: Create, mode 755 (rwxr-xr-x).

  9. FILE: /etc/sysconfig/network-scripts/route-CONNID: Create.



FILE: /etc/ppp/options.pptp: Edit, to accept some auth and compression options.

(Most comments below removed: #ALF# means commented out by me.)

lock
noauth
refuse-pap
refuse-eap
#ALF#refuse-chap
#ALF#refuse-mschap
#ALF#nobsdcomp
#ALF#nodeflate
#ALF#For debug, comment later.
dump

FILE: /etc/ppp/chap-secrets: edit. Add authentication information (user and password), choose CONNID as you wish




# Secrets for authentication using CHAP
# client server secret IP addresses
####### system-config-network will overwrite this part!!! (begin) ##########
####### system-config-network will overwrite this part!!! (end) ############

username CONNID password *


FILE: /etc/ppp/peers/CONNID: Create.




#vpn.server.com is the server we connect to
pty "pptp vpn.server.com --nolaunchpppd"
lock
nodeflate
file /etc/ppp/options.pptp
require-mppe-128
#As entered in chap-secrets above
name username
remotename CONNID
ipparam CONNID


FILE: /etc/ppp/ip-up.local: Create.



#!/bin/bash
# ip-up.local: run by pppd's /etc/ppp/ip-up once the link is up, with
#   $1 interface  $2 tty device  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
set -x
# debug trace; drop it once the link works (a fixed name in /tmp is a poor place for a root-owned log)
TRACEFILE=/tmp/ip-up.log
cat /dev/null > ${TRACEFILE}
exec 1>> ${TRACEFILE} 2>> ${TRACEFILE}

LOGGER="/usr/bin/logger -s -t ip-up.local -p "

IFACE=$1
REALDEVICE=$2
SPEED=$3
LOCALIP=$4
REMOTEIP=$5
LOGDEVICE=$6    # the CONNID handed over by "ipparam CONNID" in peers/CONNID

# ifup-pptp polls for this file and reads the real interface name (pppX) from it
PIDFILE="/var/run/pptp-$LOGDEVICE.pid"
$LOGGER daemon.info "Creating pidfile: $PIDFILE"
echo "$IFACE" > "$PIDFILE"
exit 0

FILE: /etc/ppp/ip-down.local: Create.



#!/bin/bash
# ip-down.local: run by pppd's /etc/ppp/ip-down when the link goes away,
# with the same positional arguments as ip-up.local
set -x
# debug trace; drop it once the link works (same caveat as ip-up.local)
TRACEFILE=/tmp/ip-down.log
cat /dev/null > ${TRACEFILE}
exec 1>> ${TRACEFILE} 2>> ${TRACEFILE}

LOGGER="/usr/bin/logger -s -t ip-down.local -p "
exit 0


FILE: /etc/sysconfig/network-scripts/ifcfg-CONNID: Create.



NAME="Connessione PPTP a CONNID"
DEVICE=CONNID
DEFROUTE=no
BOOTPROTO=none
DEVICETYPE=pptp
ONBOOT=no
USERCTL=yes
PEERDNS=no
IPV6INIT=no
NM_CONTROLLED=no


FILE: /etc/sysconfig/network-scripts/ifup-pptp: Create, mode 755 (rwxr-xr-x).




#! /bin/bash
# ifup-pptp: invoked by ifup when ifcfg-CONNID says DEVICETYPE=pptp.
LOGGER="/usr/bin/logger -s -t ifup-pptp -p "

. /etc/init.d/functions

cd /etc/sysconfig/network-scripts
. ./network-functions

# source_config reads ifcfg-CONNID and sets DEVICE, DEVNAME and friends
CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config

[ -x /usr/sbin/pppd ] || {
    echo $"pppd does not exist or is not executable"
    echo $"ifup-pptp for ${DEVICE} exiting"
    $LOGGER daemon.info \
        $"pppd does not exist or is not executable for ${DEVICE}"
    exit 1
}

PEERCONF=/etc/ppp/peers/${DEVNAME}

if [ ! -f ${PEERCONF} ]; then
    $LOGGER daemon.info \
        $"no configuration file ${PEERCONF} for ${DEVICE}"
    exit 1
fi

$LOGGER daemon.notice \
    $"calling pppd on ${PEERCONF} config file: pppd call $DEVNAME"

pppd call $DEVNAME || { $LOGGER daemon.crit "pppd call $DEVNAME failed" ; exit 2 ; }

# ip-up.local writes the real interface name (pppX) here once the link is up;
# wait for it with growing patience
for nap in 1 2 2 5 10; do
    if [[ ! -f /var/run/pptp-${DEVNAME}.pid ]]; then
        $LOGGER daemon.info "Waiting for /var/run/pptp-${DEVNAME}.pid"
        sleep $nap
    else
        break
    fi
done

if [ -f /var/run/pptp-${DEVNAME}.pid ] ; then
    REALDEVICE=$(tail -1 /var/run/pptp-${DEVNAME}.pid)
    $LOGGER daemon.info \
        $"setting up routes from /var/run/pptp-${DEVNAME}.pid on $REALDEVICE"
    # ifup-routes reads route-${DEVNAME} and installs the routes on ${REALDEVICE}
    /etc/sysconfig/network-scripts/ifup-routes ${REALDEVICE} ${DEVNAME}
else
    $LOGGER daemon.info \
        $"no file /var/run/pptp-${DEVNAME}.pid cannot setup routes"
fi

exit 0


FILE: /etc/sysconfig/network-scripts/ifdown-pptp: Create, mode 755 (rwxr-xr-x).




#! /bin/bash
# ifdown-pptp: tears down the link started by ifup-pptp.

cd /etc/sysconfig/network-scripts
. ./network-functions

LOGGER="/usr/bin/logger -s -t ifdown-pptp -p "

CONFIG=$1
source_config

CONFIG=${CONFIG##ifcfg-}
# ip-up.local left the real interface name (pppX) in here
ifile=/var/run/pptp-${DEVICE}.pid

$LOGGER daemon.info "Tearing down pptp link: will look for $ifile"
if [ ! -f "$ifile" ]; then
    $LOGGER daemon.err $"No intfile $ifile, ppp isn't running, or we didn't start it"
    exit 1
fi

IFACE=$(cat "$ifile")
[ -n "${IFACE}" ] || { $LOGGER daemon.err $"No interface in $ifile"; exit 2 ; }

# pppd itself keeps its PID in /var/run/pppX.pid
pfile=/var/run/$IFACE.pid
$LOGGER daemon.info "Tearing down pptp link: will look for $pfile (interface is $IFACE)"
if [ ! -f "$pfile" ]; then
    $LOGGER daemon.err $"No PPP pidfile $pfile, is ppp running?"
    exit 3
fi

PID=$(cat "$pfile")
[ -n "${PID}" ] || { $LOGGER daemon.err $"No pid in $pfile"; exit 2 ; }

kill -TERM ${PID} > /dev/null 2>&1

# give pppd a chance to shut down cleanly: check at once, then after 2, 5 and 10 seconds
for nap in 0 2 5 10; do
    sleep $nap
    $LOGGER daemon.info $"Waiting for PPPD termination"
    [ ! -d /proc/${PID} ] && { $LOGGER daemon.info $"PPTP link torn down"; exit 0; }
done

# killing ppp-watch twice in a row causes it to send a SIGKILL to pppd pgrp
kill -TERM ${PID} > /dev/null 2>&1
[ ! -d /proc/${PID} ] && { $LOGGER daemon.info $"PPTP link torn down"; exit 0; }

$LOGGER daemon.err $"Problems in terminating PPP."
exit 1


FILE: /etc/sysconfig/network-scripts/route-CONNID: Create




ADDRESS0=192.168.63.0
NETMASK0=255.255.255.0
#this is the P-t-P (remote) address at the end of the PPTP tunnel.
GATEWAY0=10.52.63.1
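As an added example (mine, not part of the original post), here is a preflight check to run before the first 'ifup CONNID': it verifies that the nine files listed above exist, that the hook scripts are executable, that chap-secrets (which holds the VPN password in clear) is readable by root only, and that ifcfg-CONNID and peers/CONNID carry the lines the ifup chain described earlier depends on. The function name and the optional ROOT argument (so the check can be rehearsed on a scratch tree instead of the real /) are my own.

```shell
#!/bin/bash
# check_pptp_conf CONNID [ROOT]: preflight check of the hand-rolled PPTP setup.
# ROOT is empty (the real /) unless you want to test against a scratch tree.
check_pptp_conf() {
    connid=$1; root=$2; problems=0
    ppp="$root/etc/ppp"; ns="$root/etc/sysconfig/network-scripts"

    fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

    # 1. every file the recipe needs must exist
    for f in "$ppp/options.pptp" "$ppp/chap-secrets" "$ppp/peers/$connid" \
             "$ppp/ip-up.local" "$ppp/ip-down.local" "$ns/ifcfg-$connid" \
             "$ns/ifup-pptp" "$ns/ifdown-pptp" "$ns/route-$connid"; do
        [ -f "$f" ] || fail "missing $f"
    done

    # 2. the hooks pppd and ifup execute must be executable (the recipe says mode 755)
    for f in "$ppp/ip-up.local" "$ppp/ip-down.local" "$ns/ifup-pptp" "$ns/ifdown-pptp"; do
        [ ! -f "$f" ] || [ -x "$f" ] || fail "$f is not executable"
    done

    # 3. chap-secrets carries the password in clear: root-only, and it must contain
    #    a line whose "server" column is this CONNID (as in "username CONNID password *")
    if [ -f "$ppp/chap-secrets" ]; then
        mode=$(stat -c %a "$ppp/chap-secrets")
        case $mode in *00) ;; *) fail "chap-secrets is mode $mode, expected 600" ;; esac
        grep -q "^[^#]*[[:space:]]$connid[[:space:]]" "$ppp/chap-secrets" \
            || fail "no chap-secrets line for server $connid"
    fi

    # 4. ifcfg must dispatch to ifup-pptp and keep NetworkManager's hands off the link
    if [ -f "$ns/ifcfg-$connid" ]; then
        grep -qx 'DEVICETYPE=pptp'  "$ns/ifcfg-$connid" || fail "ifcfg-$connid lacks DEVICETYPE=pptp"
        grep -qx 'NM_CONTROLLED=no' "$ns/ifcfg-$connid" || fail "ifcfg-$connid lacks NM_CONTROLLED=no"
    fi

    # 5. without "ipparam CONNID" in the peers file, ip-up.local never writes
    #    /var/run/pptp-CONNID.pid and ifup-pptp cannot install the routes
    if [ -f "$ppp/peers/$connid" ]; then
        grep -qx "ipparam $connid" "$ppp/peers/$connid" || fail "peers/$connid lacks 'ipparam $connid'"
    fi

    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}
```

Run it as 'check_pptp_conf CONNID' on the live system; a non-zero exit status means at least one FAIL line was printed to stderr.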
