On Tue, Sep 18, 2007 at 12:15:55PM +0200, Stefan Sperling wrote: > List of changes:
*poke* This patch has been sitting on the list for a month now. Can someone please commit this? Thanks. > * Update my email address. > * Add detailed option description to pptp(8) man page. > * Move OpenBSD configuration examples from text file > ${PREFIX}/share/doc/pptp/USING into pptp(8) man page, > and remove patch to ${WRKSRC}/USING. Extend and > revise examples while at it. > * Add patch to ${WRKSRC}/util.c that prevents pptp > from logging the same stuff into both /var/log/daemon > and /var/log/messages. Just log to /var/log/daemon. > * Update pkg/DESCR with a new description based on > upstream web site. > * Fix URL to list of pptp security flaws in pkg/MESSAGE. > * [Re-]Create patches with `make update-patches'. > > Tested on i386. > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/pptp/Makefile,v > retrieving revision 1.16 > diff -u -r1.16 Makefile > --- Makefile 12 Nov 2006 10:10:09 -0000 1.16 > +++ Makefile 18 Sep 2007 09:55:55 -0000 > @@ -3,13 +3,15 @@ > > COMMENT= 'PPTP client package for Microsoft VPN servers' > > -DISTNAME= pptp-1.7.1 > +VERSION= 1.7.1 > +DISTNAME= pptp-${VERSION} > +PKGNAME= ${DISTNAME}p0 > CATEGORIES= net > MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=pptpclient/} > > HOMEPAGE= http://pptpclient.sf.net > > -MAINTAINER= Stefan Sperling <[EMAIL PROTECTED]> > +MAINTAINER= Stefan Sperling <[EMAIL PROTECTED]> > > # GPL > PERMIT_PACKAGE_CDROM= Yes > Index: files/pptp_8 > =================================================================== > RCS file: /cvs/ports/net/pptp/files/pptp_8,v > retrieving revision 1.5 > diff -u -r1.5 pptp_8 > --- files/pptp_8 12 Nov 2006 10:10:09 -0000 1.5 > +++ files/pptp_8 18 Sep 2007 09:55:55 -0000 
> @@ -14,10 +14,19 @@ > .Sh SYNOPSIS > .Nm > .Ar hostname > -[ > -.Op Ar --phone <phone number> > -.Op Ar --quirks ISP_NAME > --- ] > +.Op Fl -version > +.Op Fl -phone Ar number > +.Op Fl -nolaunchpppd > +.Op Fl -quirks Ar quirk > +.Op Fl -debug > +.Op Fl -sync > +.Op Fl -timeout Ar secs > +.Op Fl -nobuffer > +.Op Fl -idle-wait Ar time > +.Op Fl -max-echo-wait Ar time > +.Op Fl -logstring Ar name > +.Op Fl -localbind Ar addr > +.Op Fl -loglevel Ar level > .Op Ar ppp options > .Sh DESCRIPTION > .Nm 
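Review bot: the argument names in the new SYNOPSIS do not match the option list added further down in this file: the SYNOPSIS has ".Op Fl -idle-wait Ar time" and ".Op Fl -max-echo-wait Ar time", the DESCRIPTION list has ".It Fl -idle-wait Ar secs" and ".It Fl -max-echo-wait Ar secs". Use one name in both places (secs, matching --timeout). The SYNOPSIS also presents --max-echo-wait as an ordinary option although the description you add says the value is never evaluated; either leave it out of the SYNOPSIS or keep it and make the description say plainly that it is accepted but has no effect.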
> @@ -37,33 +46,285 @@ > The > .Ar hostname > parameter specifies which host should be contacted as the PPTP server. > -Additional parameters are passed on to > -.Ic ppp > +.Pp > +.Op Ar ppp options > +are passed on to > +.Xr ppp 8 > and typically include a remote username or a file containing options. > .Pp > .Nm > must be run as root. > - > -.Sh EXAMPLE > +.Pp > .Nm > -.Ar hostname > -.Op Ar ppp options > +accepts the following options: > +.Bl -tag -width Ds > +.It Fl -version > +Display version number and exit. > +.It Fl -phone Ar number > +Pass > +.Ar number > +to remote host as phone number. > +.It Fl -nolaunchpppd > +Do not launch a ppp daemon, for use as a ppp daemon pty. > +.It Fl -quirks Ar quirk > +Work around a buggy PPTP implementation. > +The only currently recognised value is > +.Ar BEZEQ_ISRAEL . > +See the file > +.Pa PREFIX/share/doc/pptp/USING > +for details. > +.It Fl -debug > +Run in foreground (for debugging with gdb). > +.It Fl -sync > +Enable Synchronous HDLC. > +.Xr ppp 8 > +must use it, too. > +.It Fl -timeout Ar secs > +Time to wait for reordered packets (0.01 to 10 secs). > +.It Fl -nobuffer > +Disable packet buffering and reordering completely > +.It Fl -idle-wait Ar secs > +Time to wait before sending echo request. > +.It Fl -max-echo-wait Ar secs > +Time to wait before giving up on lack of reply. This option > +seems to be unimplemented, because the flag can be set but is > +never evaluated (look at pptp_ctrl.c) \(em dead, unused code? > +.It Fl -logstring Ar name > +Use > +.Ar name > +instead of > +.Dq anon > +in syslog messages. > +.It Fl -localbind Ar addr > +Bind to specified IP address instead of wildcard. > +.It Fl -loglevel Ar level > +Sets the debugging level (0=low, 1=default, 2=high). > +.Sh EXAMPLES > +.Ss PPTP on a stand-alone VPN client > +This example assumes that you want to use pptp to connect > +to a VPN and use the VPN connection as your default route. > +Let us assume that the VPN server was called vpn-gateway.net. 
> +.Pp > +First, edit > +.Pa /etc/ppp/ppp.conf > +and add an entry for the VPN > +connection. See > +.Xr ppp 8 > +for details on the format of this file. > +.Bd -literal > + vpn: > + set device "!/usr/local/sbin/pptp --nolaunchpppd vpn-gateway.net" > + set authname User > + set authkey MySecret > + set mppe 128 stateless > +.Ed > +.Pp > +Next, you need to configure routing in > +.Pa /etc/ppp/ppp.linkup : > +.Bd -literal > + vpn: > + add default HISADDR > +.Ed > +.Pp > +If vpn-gateway.net does not reside on the local network, > +we have to add a host route pointing to vpn-gateway.net in order to > +avoid a chicken-and-egg problem once the default route is set to > +the VPN tunnel. > +Assuming the standard default route is 42.42.42.42: > +.Pp > +.Pa /etc/ppp/ppp.linkup : > +.Bd -literal > + vpn: > + add vpn-gateway.net 42.42.42.42 > + add default HISADDR > +.Ed > +.Pp > +If your default route is not fixed, for example if you connect > +to the VPN from many different networks while on the road, > +use a script to figure out the current default route and add the > +host route to the VPN gateway. For example: > +.Pp > +.Pa /etc/ppp/vpn-default-route.sh : > +.Bd -literal > + #!/bin/sh > + gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'` > + route add -host vpn-gateway.net ${gw} > +.Ed > +.Pp > +Call the script from > +.Pa /etc/ppp/ppp.linkup : > +.Bd -literal > + vpn: > + ! sh /etc/ppp/vpn-default-route.sh > + add default HISADDR > +.Pp > +Make sure the changes to the routing table are reversed in > +.Pa /etc/ppp/ppp.linkdown : > +.Bd -literal > + vpn: > + delete vpn-gateway.net > +.Ed > +.Pp > +Restoring the previous default route in > +.Pa /etc/ppp/ppp.linkdown > +is left as an exercise for the reader. On a laptop it is usually > +enough to issue a DHCP request to restore the routing table > +after the VPN connection is terminated. > +.Pp > +Connect by running: > +.Dl ppp -ddial vpn > +.Pp > +To terminate the connection, kill the ppp process. 
It creates a PID > +file in /var/run/tunX.pid, where X is the number of the tun device used. > +.Ss PPTP on a router > +This example assumes that you want to configure a router running > +OpenBSD to provide PPTP VPN access to a remote network for all hosts > +on your internal network. > +.Pp > +Let us assume that the VPN server was called vpn-gateway.net, > +and that the default route of our OpenBSD box was 42.42.42.42. > +The remote network shall be 10.42.0.0/16; we want all traffic to > +this network to go through the VPN tunnel. > +.Pp > +First, edit > +.Pa /etc/ppp/ppp.conf > +and add an entry for the VPN > +connection. See > +.Xr ppp 8 > +for details on the format of this file. > +.Bd -literal > + default: > + set log Phase Chat LCP IPCP CCP tun command > + vpn: > + set device "!/usr/local/sbin/pptp --nolaunchpppd vpn-gateway.net" > + set authname User > + set authkey MySecret > + set mppe 128 stateless > +.Ed > +.Pp > +Next, you need to configure routing in > +.Pa /etc/ppp/ppp.linkup . > +We also load > +.Xr pf 4 > +anchors for the vpn interface here. > +More on that later. > +.Pp > +.Pa /etc/ppp/ppp.linkup : > +.Bd -literal > + vpn: > + add 10.42.0.0/16 HISADDR > + ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn" > +.Ed > +.Pp > +If vpn-gateway.net resides inside 10.42.0.0/16, we have to add a host > +route pointing to vpn-gateway.net in order to avoid a chicken-and-egg > +problem once packets to 10.42.0.0/16 are routed through the tunnel. > +.Pp > +.Pa /etc/ppp/ppp.linkup : > +.Bd -literal > + vpn: > + add vpn-gateway.net 42.42.42.42 > + add 10.42.0.0/16 HISADDR > + ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn" > +.Ed > +.Pp > +If your default route is not fixed, for example if your ISP does not > +always assign the same gateway to you, use a script to figure out > +the current default route and add the host route to the VPN gateway. 
> +For example: > +.Pp > +.Pa /etc/ppp/vpn-default-route.sh : > +.Bd -literal > + #!/bin/sh > + gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'` > + route add -host vpn-gateway.net ${gw} > +.Ed > +.Pp > +Call the script from > +.Pa /etc/ppp/ppp.linkup : > +.Bd -literal > + vpn: > + ! sh /etc/ppp/vpn-default-route.sh > + add 10.42.0.0/16 HISADDR > + ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn" > +.Pp > +Make sure the changes to the routing table are > +reversed when the VPN connection drops: > +.Pp > +.Pa /etc/ppp/ppp.linkdown: > +.Bd -literal > + vpn: > + ! sh -c "/sbin/pfctl -a vpn -F all" > + delete 10.42.0.0/16 > + delete vpn-gateway.net > +.Ed > +.Pp > +To make > +.Xr pf 4 > +aware of the vpn anchors, put these lines into the > +NAT and Filter sections of > +.Pa /etc/pf.conf , > +respectively: > +.Bd -literal > + nat-anchor vpn > + anchor vpn > +.Ed > +.Pp > +See > +.Xr pf.conf 5 > +for details on the format of this file. > +.Pp > +Now define vpn anchor rules in > +.Pa /etc/pf.conf.vpn , > +for example: > +.Bd -literal > + int_if=xl0 > + vpn_if=tun0 > + > + # NAT is of course optional. The remote network needs > + # a route to our network as well if we don't do NAT. > + nat on $vpn_if from $int_if:network to any -> ($vpn_if) > + > + block drop on $vpn_if > + pass out on $vpn_if > + > + # Allow ping from remote, and explicitly make sure our replies are > + # routed back through the tunnel. > + pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \e > + inet proto icmp icmp-type echoreq keep state > + > + # Same for ssh. > + pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \e > + from any to ($vpn_if) port ssh flags S/SA keep state > +.Ed > +.Pp > +Connect by running: > +.Dl ppp -unit0 -ddial vpn > +.Pp > +The -unit0 option makes sure ppp configures tun0 as the VPN > +connection end point, and not some other tun device. > +The packet filter rules configured above assume tun0 as the > +VPN connection end point. 
> +.Pp > +To terminate the connection, kill the ppp process. It creates a PID > +file in /var/run/tunX.pid, where X is the number of the tun device used. > .Sh FILES > .Pa /var/run/pptp/<ip-address> > is created as a socket. It is used for communicating with an existing > PPTP call manager for a given remote server host. > -.Pp > -.Pa PREFIX/sbin/pptp-reconnect > -can be used to (re)establish a pptp connection. > .Sh SEE ALSO > .Xr ppp 8 , > .Xr gre 4 , > +.Xr pf 4 , > +.Xr pf.conf 5 , > .Pa PREFIX/share/doc/pptp/USING . > .Sh HISTORY > This man page appeared first in > -.Nx > -\'s pptp-package. > +.Nx > +\'s pptp package. > .Sh AUTHORS > +.An Stefan Sperling Aq [EMAIL PROTECTED] > +(detailed option description, EXAMPLES section), > .An C. Scott Ananian Aq [EMAIL PROTECTED] , > .An John Kohl Aq [EMAIL PROTECTED] > (patches and original man page). > Index: patches/patch-USING > =================================================================== > RCS file: patches/patch-USING > diff -N patches/patch-USING > --- patches/patch-USING 12 Nov 2006 10:10:09 -0000 1.2 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,110 +0,0 @@ > ---- USING.orig Sat Nov 4 15:37:29 2006 > -+++ USING Thu Nov 9 14:17:25 2006 > -@@ -1,5 +1,10 @@ > - Usage Notes > - > -+[ Note by your friendly OpenBSD pptp port maintainer: > -+Most examples in this file are quite Linux-centric. See the section > -+EXAMPLE CONFIGURATION FOR OPENBSD below for an example that focuses > -+on OpenBSD exclusively. ] > -+ > - pptp is started as a psuedo-tty child process using pppd's pty option: > - > - pppd call provider [pppd-options] \ > -@@ -94,5 +99,96 @@ > - > - test-multiple-tunnels-1.sh creates multiple source interfaces > - test-multiple-tunnels-2.sh creates multiple tunnels > -+ > -+ > -+EXAMPLE CONFIGURATION FOR OPENBSD: > -+ > -+On OpenBSD, pptp uses the userspace ppp(8) implementation > -+by default, instead of using pppd(8). This is a compile-time option > -+hardcoded in the port's Makefile, and it is not recommended that you > -+change this unless you really have a reason to do so. If your VPN > -+requires mppe/mppc in conjunction with pptp, ppp(8) is your > -+only option anyway since pppd(8) does not support mppe/mppc. > -+ > -+This example assumes that you want to configure a gateway running > -+OpenBSD to provide PPTP VPN access to a remote network for all hosts > -+on your internal LAN. While this may not match your situation at > -+all, you will hopefully gather enough hints you can use for your > -+own setup. > -+ > -+Let us assume that the VPN server is called vpn-gateway.net, > -+and that the default route of our OpenBSD box is 42.42.42.42. > -+The remote network is 10.42.0/16; all traffic to this network > -+should go through the VPN tunnel. > -+ > -+Having ppp start pptp seems to be working much better than the > -+other way round. 
So first, put something like this into /etc/ppp/ppp.conf > -+to connect to the vpn gateway: > -+ > -+ default: > -+ set log Phase Chat LCP IPCP CCP tun command > -+ vpn: > -+ set device "!PREFIX/sbin/pptp --nolaunchpppd vpn-gateway.net" > -+ set authname User > -+ set authkey MySecret > -+ set mppe 128 stateless > -+ > -+Next, you need to configure routing in /etc/ppp/ppp.linkup. > -+Assuming vpn-gateway.net resides inside 10.42.0/16, we have to add a host > -+route pointing to vpn-gateway.net in order to avoid a chicken-and-egg > -+problem once packets to 10.42.0/16 are routed through the tunnel. > -+(Of course, this also applies if you need to configure the tunnel as > -+your default route, but that is not covered in this example.) > -+ > -+We also load packet filter anchors for the vpn interface here. > -+More on that later. > -+ > -+/etc/ppp/ppp.linkup: > -+ > -+ vpn: > -+ ! sh -c "/sbin/route add -host vpn-gateway.net 42.42.42.42" > -+ ! sh -c "/sbin/route add -net 10.42.0.0 -netmask 255.255.0.0 HISADDR" > -+ ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn" > -+ > -+Commands in ppp.linkdown simply undo changes made in ppp.linkup. > -+ > -+/etc/ppp/ppp.linkdown: > -+ > -+ vpn: > -+ ! sh -c "/sbin/pfctl -a vpn -F all" > -+ ! sh -c "/sbin/route delete -net 10.42.0.0 -netmask 255.255.0.0 HISADDR" > -+ ! sh -c "/sbin/route delete -host vpn-gateway.net 42.42.42.42" > -+ > -+To make pf aware of the vpn anchors, put these lines into the > -+nat and filter sections of /etc/pf.conf, respectively: > -+ > -+ nat-anchor vpn > -+ anchor vpn > -+ > -+Now define vpn anchor rules in /etc/pf.conf.vpn: > -+ > -+ int_if=xl0 > -+ vpn_if=tun0 > -+ > -+ nat on $vpn_if from $int_if:network to any -> ($vpn_if) > -+ > -+ pass out on $vpn_if keep state > -+ > -+ # Allow ping from remote, and explicitly make sure our replies are > -+ # routed back through the tunnel. 
> -+ pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \ > -+ inet proto icmp icmp-type echoreq keep state > -+ > -+ # Same for ssh. > -+ pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \ > -+ from any to ($vpn_if) port ssh flags S/SA keep state > -+ > -+ > -+Connect by running: > -+ > -+ ppp -ddial vpn > -+ > -+To terminate the connection, kill the ppp process. It creates a PID > -+file in /var/run/tunX.pid, where X is the number of the tun device used. > - > - $Id: patch-USING,v 1.2 2006/11/12 10:10:09 grunk Exp $ > Index: patches/patch-inststr_c > =================================================================== > RCS file: /cvs/ports/net/pptp/patches/patch-inststr_c,v > retrieving revision 1.1 > diff -u -r1.1 patch-inststr_c > --- patches/patch-inststr_c 24 Mar 2005 00:57:58 -0000 1.1 > +++ patches/patch-inststr_c 18 Sep 2007 09:55:55 -0000 > @@ -1,7 +1,7 @@ > $OpenBSD: patch-inststr_c,v 1.1 2005/03/24 00:57:58 naddy Exp $ > ---- inststr.c.orig Sat Mar 5 16:20:34 2005 > -+++ inststr.c Sat Mar 5 16:24:38 2005 > -@@ -20,7 +20,7 @@ inststr(int argc, char **argv, char **en > +--- inststr.c.orig Mon Feb 13 04:07:42 2006 > ++++ inststr.c Tue Sep 18 07:24:08 2007 > +@@ -20,7 +20,7 @@ inststr(int argc, char **argv, char **environ, char *s > > for (ptr = argv[0]; *ptr; *(ptr++) = '\0'); > > Index: patches/patch-pptp_ctrl_c > =================================================================== > RCS file: /cvs/ports/net/pptp/patches/patch-pptp_ctrl_c,v > retrieving revision 1.1 > diff -u -r1.1 patch-pptp_ctrl_c > --- patches/patch-pptp_ctrl_c 22 Sep 2006 02:00:50 -0000 1.1 > +++ patches/patch-pptp_ctrl_c 18 Sep 2007 09:55:55 -0000 > @@ -1,6 +1,6 @@ > $OpenBSD: patch-pptp_ctrl_c,v 1.1 2006/09/22 02:00:50 pvalchev Exp $ > ---- pptp_ctrl.c.orig Thu Sep 21 19:03:03 2006 > -+++ pptp_ctrl.c Thu Sep 21 19:03:19 2006 > +--- pptp_ctrl.c.orig Mon Feb 13 04:07:42 2006 > ++++ pptp_ctrl.c Tue Sep 18 07:24:12 2007 
> @@ -457,6 +457,7 @@ void pptp_conn_destroy(PPTP_CONN * conn) > void pptp_fd_set(PPTP_CONN * conn, fd_set * read_set, fd_set * write_set, > int * max_fd) > @@ -9,7 +9,7 @@ > assert(conn && conn->call); > /* Add fd to write_set if there are outstanding writes. */ > if (conn->write_size > 0) > -@@ -465,7 +466,7 @@ void pptp_fd_set(PPTP_CONN * conn, fd_se > +@@ -465,7 +466,7 @@ void pptp_fd_set(PPTP_CONN * conn, fd_set * read_set, > FD_SET(conn->inet_sock, read_set); > if (*max_fd < conn->inet_sock) *max_fd = conn->inet_sock; > /* Add signal pipe file descriptor to set */ > Index: patches/patch-util_c > =================================================================== > RCS file: patches/patch-util_c > diff -N patches/patch-util_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-util_c 18 Sep 2007 09:55:55 -0000 > @@ -0,0 +1,12 @@ > +$OpenBSD$ > +--- util.c.orig Tue Sep 18 07:22:28 2007 > ++++ util.c Tue Sep 18 07:22:35 2007 > +@@ -45,7 +45,7 @@ static void close_log(void) > + void _log(const char *func, const char *file, int line, const char *format, > ...) > + { > + MAKE_STRING("log"); > +- syslog(LOG_NOTICE, "%s", string); > ++ syslog(LOG_INFO, "%s", string); > + } > + > + /*** print a warning to syslog > ************************************************/ > Index: pkg/DESCR > =================================================================== > RCS file: /cvs/ports/net/pptp/pkg/DESCR,v > retrieving revision 1.4 > diff -u -r1.4 DESCR > --- pkg/DESCR 15 Dec 2003 21:55:09 -0000 1.4 > +++ pkg/DESCR 18 Sep 2007 09:55:55 -0000 
> @@ -1,10 +1,4 @@ > -pptp-linux is an implementation of the PPTP protocol for Linux and > -other Unix systems. > - > -The code is released under the terms of the GPL; see the file COPYING > -for details. > - > -You can find notes on installing and using this package in the file > -${PREFIX}/share/doc/pptp/USING; design notes are in the Documentation > -directory; and the standards documents used to implement pptp-linux > -can be found in the Reference directory. > +PPTP Client is a client for the proprietary Microsoft Point-to-Point > +Tunneling Protocol. It connects to PPTP-based Virtual Private Networks > +as used by some universities, companies and cable and ADSL internet > +service providers. > Index: pkg/MESSAGE > =================================================================== > RCS file: /cvs/ports/net/pptp/pkg/MESSAGE,v > retrieving revision 1.5 > diff -u -r1.5 MESSAGE > --- pkg/MESSAGE 12 Nov 2006 10:10:09 -0000 1.5 > +++ pkg/MESSAGE 18 Sep 2007 09:55:55 -0000 > @@ -1,10 +1,7 @@ > You will need to allow gre traffic for pptp to work: > sysctl net.inet.gre.allow=1 > > -See ${PREFIX}/share/doc/pptp/USING for an example configuration > -specific to OpenBSD. > - > -See http://www.counterpane.com/pptp-faq.html for a list of security flaws. > +See http://www.schneier.com/pptp-faq.html for a list of security flaws. > ========================================================================== > ATTENTION: > Alcatel ADSL modems contain default logins with easily computed passwords. > > > > -- > stefan > http://stsp.name PGP Key: 0xF59D25F0 -- stefan http://stsp.name PGP Key: 0xF59D25F0
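Review bot: two ".Bd -literal" displays in the pptp_8 EXAMPLES hunk are never closed, so mandoc will complain and the paragraph that follows will be rendered as part of the display. In the client example the lines "! sh /etc/ppp/vpn-default-route.sh" / "add default HISADDR" are followed directly by ".Pp", and in the router example the third ppp.linkup listing ending in "! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"" is likewise followed by ".Pp"; insert ".Ed" before each. Smaller points in the same hunk:

- /etc/ppp/vpn-default-route.sh uses gw without checking it. If there is no default route, gw is empty and the script runs "route add -host vpn-gateway.net" with no gateway argument, and ppp.linkup then still executes "add default HISADDR". Add something like [ -n "$gw" ] || exit 1 after the assignment and quote "$gw" in the route command.

- Both examples put the VPN password into /etc/ppp/ppp.conf in the clear ("set authkey MySecret"). Say that the file has to be owned by root and must not be readable by group or others, and point at ppp(8) for that, so a reader copying the example does not end up with a world-readable VPN credential.

- The --max-echo-wait entry ends with a question to the reader ("dead, unused code?"), which does not belong in a manual page. State the observation plainly, e.g. "This option is accepted but currently has no effect; the value is never evaluated in pptp_ctrl.c." The ".It Fl -nobuffer" description also lacks its full stop.

- In the router example's pf.conf.vpn, "pass out on $vpn_if" has lost the "keep state" that the version being removed from patch-USING had ("pass out on $vpn_if keep state"), while the two inbound rules still carry it; keep the rules consistent. ".Pa /etc/ppp/ppp.linkdown:" in the router example also lacks the space before the colon that the other ".Pa ... :" lines use, so the colon is rendered as part of the path.

- The FILES section drops the paragraph about PREFIX/sbin/pptp-reconnect, but the diff does not touch pkg/PLIST; please confirm the script is really no longer installed before removing its only mention.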
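Review bot: deleting patch-USING also deletes the note at the top of USING that tells readers the upstream examples are Linux-centric, and the new --quirks entry in pptp(8) still sends readers to PREFIX/share/doc/pptp/USING for details. Since the OpenBSD configuration now lives in pptp(8), either keep a two-line pointer in USING that says so, or reword the --quirks entry to make clear that USING is upstream documentation. The rest of the removal is fine: the route(8) calls from the old ppp.linkup/ppp.linkdown are replaced by ppp's own add/delete in the man page version.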
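Review bot: patch-util_c carries nothing but the $OpenBSD$ line; OpenBSD patches normally have a one-line comment explaining why the change is made, and this one needs it because the effect is indirect. Lowering _log() from LOG_NOTICE to LOG_INFO only stops the duplicate entries under a syslog.conf that sends notice-level daemon messages to /var/log/messages and info-level ones to /var/log/daemon, which is what the change list describes. The warning logger right after the hunk ("print a warning to syslog") is untouched, so warnings will still land in both files; the comment should say so. It should also mention that pptp connection events that someone may be watching for in /var/log/messages will from now on only be in /var/log/daemon.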
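Review bot: the pkg/MESSAGE hunk removes the pointer to ${PREFIX}/share/doc/pptp/USING without replacing it, although the OpenBSD example configuration now lives in the EXAMPLES section of pptp(8). Add a line such as "See pptp(8) for example configurations specific to OpenBSD." so users still find it. Moving the security-flaws link from counterpane.com to http://www.schneier.com/pptp-faq.html is the right fix for the dead URL.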