On Tue, Sep 18, 2007 at 12:15:55PM +0200, Stefan Sperling wrote: > List of changes:
*poke*
This patch has been sitting on the list for a month now.
Can someone please commit this?
Thanks.
> * Update my email address.
> * Add detailed option description to pptp(8) man page.
> * Move OpenBSD configuration examples from text file
> ${PREFIX}/share/doc/pptp/USING into pptp(8) man page,
> and remove patch to ${WRKSRC}/USING. Extend and
> revise examples while at it.
> * Add patch to ${WRKSRC}/util.c that prevents pptp
> from logging the same stuff into both /var/log/daemon
> and /var/log/messages. Just log to /var/log/daemon.
> * Update pkg/DESCR with a new description based on
> upstream web site.
> * Fix URL to list of pptp security flaws in pkg/MESSAGE.
> * [Re-]Create patches with `make update-patches'.
>
> Tested on i386.
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/pptp/Makefile,v
> retrieving revision 1.16
> diff -u -r1.16 Makefile
> --- Makefile 12 Nov 2006 10:10:09 -0000 1.16
> +++ Makefile 18 Sep 2007 09:55:55 -0000
> @@ -3,13 +3,15 @@
>
> COMMENT= 'PPTP client package for Microsoft VPN servers'
>
> -DISTNAME= pptp-1.7.1
> +VERSION= 1.7.1
> +DISTNAME= pptp-${VERSION}
> +PKGNAME= ${DISTNAME}p0
> CATEGORIES= net
> MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=pptpclient/}
>
> HOMEPAGE= http://pptpclient.sf.net
>
> -MAINTAINER= Stefan Sperling <[EMAIL PROTECTED]>
> +MAINTAINER= Stefan Sperling <[EMAIL PROTECTED]>
>
> # GPL
> PERMIT_PACKAGE_CDROM= Yes
> Index: files/pptp_8
> ===================================================================
> RCS file: /cvs/ports/net/pptp/files/pptp_8,v
> retrieving revision 1.5
> diff -u -r1.5 pptp_8
> --- files/pptp_8 12 Nov 2006 10:10:09 -0000 1.5
> +++ files/pptp_8 18 Sep 2007 09:55:55 -0000
> @@ -14,10 +14,19 @@
> .Sh SYNOPSIS
> .Nm
> .Ar hostname
> -[
> -.Op Ar --phone <phone number>
> -.Op Ar --quirks ISP_NAME
> --- ]
> +.Op Fl -version
> +.Op Fl -phone Ar number
> +.Op Fl -nolaunchpppd
> +.Op Fl -quirks Ar quirk
> +.Op Fl -debug
> +.Op Fl -sync
> +.Op Fl -timeout Ar secs
> +.Op Fl -nobuffer
> +.Op Fl -idle-wait Ar time
> +.Op Fl -max-echo-wait Ar time
> +.Op Fl -logstring Ar name
> +.Op Fl -localbind Ar addr
> +.Op Fl -loglevel Ar level
> .Op Ar ppp options
> .Sh DESCRIPTION
> .Nm
> @@ -37,33 +46,285 @@
> The
> .Ar hostname
> parameter specifies which host should be contacted as the PPTP server.
> -Additional parameters are passed on to
> -.Ic ppp
> +.Pp
> +.Op Ar ppp options
> +are passed on to
> +.Xr ppp 8
> and typically include a remote username or a file containing options.
> .Pp
> .Nm
> must be run as root.
> -
> -.Sh EXAMPLE
> +.Pp
> .Nm
> -.Ar hostname
> -.Op Ar ppp options
> +accepts the following options:
> +.Bl -tag -width Ds
> +.It Fl -version
> +Display version number and exit.
> +.It Fl -phone Ar number
> +Pass
> +.Ar number
> +to remote host as phone number.
> +.It Fl -nolaunchpppd
> +Do not launch a ppp daemon, for use as a ppp daemon pty.
> +.It Fl -quirks Ar quirk
> +Work around a buggy PPTP implementation.
> +The only currently recognised value is
> +.Ar BEZEQ_ISRAEL .
> +See the file
> +.Pa PREFIX/share/doc/pptp/USING
> +for details.
> +.It Fl -debug
> +Run in foreground (for debugging with gdb).
> +.It Fl -sync
> +Enable Synchronous HDLC.
> +.Xr ppp 8
> +must use it, too.
> +.It Fl -timeout Ar secs
> +Time to wait for reordered packets (0.01 to 10 secs).
> +.It Fl -nobuffer
> +Disable packet buffering and reordering completely
> +.It Fl -idle-wait Ar secs
> +Time to wait before sending echo request.
> +.It Fl -max-echo-wait Ar secs
> +Time to wait before giving up on lack of reply. This option
> +seems to be unimplemented, because the flag can be set but is
> +never evaluated (look at pptp_ctrl.c) \(em dead, unused code?
> +.It Fl -logstring Ar name
> +Use
> +.Ar name
> +instead of
> +.Dq anon
> +in syslog messages.
> +.It Fl -localbind Ar addr
> +Bind to specified IP address instead of wildcard.
> +.It Fl -loglevel Ar level
> +Sets the debugging level (0=low, 1=default, 2=high).
> +.Sh EXAMPLES
> +.Ss PPTP on a stand-alone VPN client
> +This example assumes that you want to use pptp to connect
> +to a VPN and use the VPN connection as your default route.
> +Let us assume that the VPN server was called vpn-gateway.net.
> +.Pp
> +First, edit
> +.Pa /etc/ppp/ppp.conf
> +and add an entry for the VPN
> +connection. See
> +.Xr ppp 8
> +for details on the format of this file.
> +.Bd -literal
> + vpn:
> + set device "!/usr/local/sbin/pptp --nolaunchpppd vpn-gateway.net"
> + set authname User
> + set authkey MySecret
> + set mppe 128 stateless
> +.Ed
> +.Pp
> +Next, you need to configure routing in
> +.Pa /etc/ppp/ppp.linkup :
> +.Bd -literal
> + vpn:
> + add default HISADDR
> +.Ed
> +.Pp
> +If vpn-gateway.net does not reside on the local network,
> +we have to add a host route pointing to vpn-gateway.net in order to
> +avoid a chicken-and-egg problem once the default route is set to
> +the VPN tunnel.
> +Assuming the standard default route is 42.42.42.42:
> +.Pp
> +.Pa /etc/ppp/ppp.linkup :
> +.Bd -literal
> + vpn:
> + add vpn-gateway.net 42.42.42.42
> + add default HISADDR
> +.Ed
> +.Pp
> +If your default route is not fixed, for example if you connect
> +to the VPN from many different networks while on the road,
> +use a script to figure out the current default route and add the
> +host route to the VPN gateway. For example:
> +.Pp
> +.Pa /etc/ppp/vpn-default-route.sh :
> +.Bd -literal
> + #!/bin/sh
> + gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
> + route add -host vpn-gateway.net ${gw}
> +.Ed
> +.Pp
> +Call the script from
> +.Pa /etc/ppp/ppp.linkup :
> +.Bd -literal
> + vpn:
> + ! sh /etc/ppp/vpn-default-route.sh
> + add default HISADDR
> +.Pp
> +Make sure the changes to the routing table are reversed in
> +.Pa /etc/ppp/ppp.linkdown :
> +.Bd -literal
> + vpn:
> + delete vpn-gateway.net
> +.Ed
> +.Pp
> +Restoring the previous default route in
> +.Pa /etc/ppp/ppp.linkdown
> +is left as an exercise for the reader. On a laptop it is usually
> +enough to issue a DHCP request to restore the routing table
> +after the VPN connection is terminated.
> +.Pp
> +Connect by running:
> +.Dl ppp -ddial vpn
> +.Pp
> +To terminate the connection, kill the ppp process. It creates a PID
> +file in /var/run/tunX.pid, where X is the number of the tun device used.
> +.Ss PPTP on a router
> +This example assumes that you want to configure a router running
> +OpenBSD to provide PPTP VPN access to a remote network for all hosts
> +on your internal network.
> +.Pp
> +Let us assume that the VPN server was called vpn-gateway.net,
> +and that the default route of our OpenBSD box was 42.42.42.42.
> +The remote network shall be 10.42.0.0/16; we want all traffic to
> +this network to go through the VPN tunnel.
> +.Pp
> +First, edit
> +.Pa /etc/ppp/ppp.conf
> +and add an entry for the VPN
> +connection. See
> +.Xr ppp 8
> +for details on the format of this file.
> +.Bd -literal
> + default:
> + set log Phase Chat LCP IPCP CCP tun command
> + vpn:
> + set device "!/usr/local/sbin/pptp --nolaunchpppd vpn-gateway.net"
> + set authname User
> + set authkey MySecret
> + set mppe 128 stateless
> +.Ed
> +.Pp
> +Next, you need to configure routing in
> +.Pa /etc/ppp/ppp.linkup .
> +We also load
> +.Xr pf 4
> +anchors for the vpn interface here.
> +More on that later.
> +.Pp
> +.Pa /etc/ppp/ppp.linkup :
> +.Bd -literal
> + vpn:
> + add 10.42.0.0/16 HISADDR
> + ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"
> +.Ed
> +.Pp
> +If vpn-gateway.net resides inside 10.42.0.0/16, we have to add a host
> +route pointing to vpn-gateway.net in order to avoid a chicken-and-egg
> +problem once packets to 10.42.0.0/16 are routed through the tunnel.
> +.Pp
> +.Pa /etc/ppp/ppp.linkup :
> +.Bd -literal
> + vpn:
> + add vpn-gateway.net 42.42.42.42
> + add 10.42.0.0/16 HISADDR
> + ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"
> +.Ed
> +.Pp
> +If your default route is not fixed, for example if your ISP does not
> +always assign the same gateway to you, use a script to figure out
> +the current default route and add the host route to the VPN gateway.
> +For example:
> +.Pp
> +.Pa /etc/ppp/vpn-default-route.sh :
> +.Bd -literal
> + #!/bin/sh
> + gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
> + route add -host vpn-gateway.net ${gw}
> +.Ed
> +.Pp
> +Call the script from
> +.Pa /etc/ppp/ppp.linkup :
> +.Bd -literal
> + vpn:
> + ! sh /etc/ppp/vpn-default-route.sh
> + add 10.42.0.0/16 HISADDR
> + ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"
> +.Pp
> +Make sure the changes to the routing table are
> +reversed when the VPN connection drops:
> +.Pp
> +.Pa /etc/ppp/ppp.linkdown:
> +.Bd -literal
> + vpn:
> + ! sh -c "/sbin/pfctl -a vpn -F all"
> + delete 10.42.0.0/16
> + delete vpn-gateway.net
> +.Ed
> +.Pp
> +To make
> +.Xr pf 4
> +aware of the vpn anchors, put these lines into the
> +NAT and Filter sections of
> +.Pa /etc/pf.conf ,
> +respectively:
> +.Bd -literal
> + nat-anchor vpn
> + anchor vpn
> +.Ed
> +.Pp
> +See
> +.Xr pf.conf 5
> +for details on the format of this file.
> +.Pp
> +Now define vpn anchor rules in
> +.Pa /etc/pf.conf.vpn ,
> +for example:
> +.Bd -literal
> + int_if=xl0
> + vpn_if=tun0
> +
> + # NAT is of course optional. The remote network needs
> + # a route to our network as well if we don't do NAT.
> + nat on $vpn_if from $int_if:network to any -> ($vpn_if)
> +
> + block drop on $vpn_if
> + pass out on $vpn_if
> +
> + # Allow ping from remote, and explicitly make sure our replies are
> + # routed back through the tunnel.
> + pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \e
> + inet proto icmp icmp-type echoreq keep state
> +
> + # Same for ssh.
> + pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \e
> + from any to ($vpn_if) port ssh flags S/SA keep state
> +.Ed
> +.Pp
> +Connect by running:
> +.Dl ppp -unit0 -ddial vpn
> +.Pp
> +The -unit0 option makes sure ppp configures tun0 as the VPN
> +connection end point, and not some other tun device.
> +The packet filter rules configured above assume tun0 as the
> +VPN connection end point.
> +.Pp
> +To terminate the connection, kill the ppp process. It creates a PID
> +file in /var/run/tunX.pid, where X is the number of the tun device used.
> .Sh FILES
> .Pa /var/run/pptp/<ip-address>
> is created as a socket. It is used for communicating with an existing
> PPTP call manager for a given remote server host.
> -.Pp
> -.Pa PREFIX/sbin/pptp-reconnect
> -can be used to (re)establish a pptp connection.
> .Sh SEE ALSO
> .Xr ppp 8 ,
> .Xr gre 4 ,
> +.Xr pf 4 ,
> +.Xr pf.conf 5 ,
> .Pa PREFIX/share/doc/pptp/USING .
> .Sh HISTORY
> This man page appeared first in
> -.Nx
> -\'s pptp-package.
> +.Nx
> +\'s pptp package.
> .Sh AUTHORS
> +.An Stefan Sperling Aq [EMAIL PROTECTED]
> +(detailed option description, EXAMPLES section),
> .An C. Scott Ananian Aq [EMAIL PROTECTED] ,
> .An John Kohl Aq [EMAIL PROTECTED]
> (patches and original man page).
> Index: patches/patch-USING
> ===================================================================
> RCS file: patches/patch-USING
> diff -N patches/patch-USING
> --- patches/patch-USING 12 Nov 2006 10:10:09 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,110 +0,0 @@
> ---- USING.orig Sat Nov 4 15:37:29 2006
> -+++ USING Thu Nov 9 14:17:25 2006
> -@@ -1,5 +1,10 @@
> - Usage Notes
> -
> -+[ Note by your friendly OpenBSD pptp port maintainer:
> -+Most examples in this file are quite Linux-centric. See the section
> -+EXAMPLE CONFIGURATION FOR OPENBSD below for an example that focuses
> -+on OpenBSD exclusively. ]
> -+
> - pptp is started as a psuedo-tty child process using pppd's pty option:
> -
> - pppd call provider [pppd-options] \
> -@@ -94,5 +99,96 @@
> -
> - test-multiple-tunnels-1.sh creates multiple source interfaces
> - test-multiple-tunnels-2.sh creates multiple tunnels
> -+
> -+
> -+EXAMPLE CONFIGURATION FOR OPENBSD:
> -+
> -+On OpenBSD, pptp uses the userspace ppp(8) implementation
> -+by default, instead of using pppd(8). This is a compile-time option
> -+hardcoded in the port's Makefile, and it is not recommended that you
> -+change this unless you really have a reason to do so. If your VPN
> -+requires mppe/mppc in conjunction with pptp, ppp(8) is your
> -+only option anyway since pppd(8) does not support mppe/mppc.
> -+
> -+This example assumes that you want to configure a gateway running
> -+OpenBSD to provide PPTP VPN access to a remote network for all hosts
> -+on your internal LAN. While this may not match your situation at
> -+all, you will hopefully gather enough hints you can use for your
> -+own setup.
> -+
> -+Let us assume that the VPN server is called vpn-gateway.net,
> -+and that the default route of our OpenBSD box is 42.42.42.42.
> -+The remote network is 10.42.0/16; all traffic to this network
> -+should go through the VPN tunnel.
> -+
> -+Having ppp start pptp seems to be working much better than the
> -+other way round. So first, put something like this into /etc/ppp/ppp.conf
> -+to connect to the vpn gateway:
> -+
> -+ default:
> -+ set log Phase Chat LCP IPCP CCP tun command
> -+ vpn:
> -+ set device "!PREFIX/sbin/pptp --nolaunchpppd vpn-gateway.net"
> -+ set authname User
> -+ set authkey MySecret
> -+ set mppe 128 stateless
> -+
> -+Next, you need to configure routing in /etc/ppp/ppp.linkup.
> -+Assuming vpn-gateway.net resides inside 10.42.0/16, we have to add a host
> -+route pointing to vpn-gateway.net in order to avoid a chicken-and-egg
> -+problem once packets to 10.42.0/16 are routed through the tunnel.
> -+(Of course, this also applies if you need to configure the tunnel as
> -+your default route, but that is not covered in this example.)
> -+
> -+We also load packet filter anchors for the vpn interface here.
> -+More on that later.
> -+
> -+/etc/ppp/ppp.linkup:
> -+
> -+ vpn:
> -+ ! sh -c "/sbin/route add -host vpn-gateway.net 42.42.42.42"
> -+ ! sh -c "/sbin/route add -net 10.42.0.0 -netmask 255.255.0.0 HISADDR"
> -+ ! sh -c "/sbin/pfctl -a vpn -f /etc/pf.conf.vpn"
> -+
> -+Commands in ppp.linkdown simply undo changes made in ppp.linkup.
> -+
> -+/etc/ppp/ppp.linkdown:
> -+
> -+ vpn:
> -+ ! sh -c "/sbin/pfctl -a vpn -F all"
> -+ ! sh -c "/sbin/route delete -net 10.42.0.0 -netmask 255.255.0.0 HISADDR"
> -+ ! sh -c "/sbin/route delete -host vpn-gateway.net 42.42.42.42"
> -+
> -+To make pf aware of the vpn anchors, put these lines into the
> -+nat and filter sections of /etc/pf.conf, respectively:
> -+
> -+ nat-anchor vpn
> -+ anchor vpn
> -+
> -+Now define vpn anchor rules in /etc/pf.conf.vpn:
> -+
> -+ int_if=xl0
> -+ vpn_if=tun0
> -+
> -+ nat on $vpn_if from $int_if:network to any -> ($vpn_if)
> -+
> -+ pass out on $vpn_if keep state
> -+
> -+ # Allow ping from remote, and explicitly make sure our replies are
> -+ # routed back through the tunnel.
> -+ pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) \
> -+ inet proto icmp icmp-type echoreq keep state
> -+
> -+ # Same for ssh.
> -+ pass in on $vpn_if reply-to ($vpn_if vpn-gateway.net) proto tcp \
> -+ from any to ($vpn_if) port ssh flags S/SA keep state
> -+
> -+
> -+Connect by running:
> -+
> -+ ppp -ddial vpn
> -+
> -+To terminate the connection, kill the ppp process. It creates a PID
> -+file in /var/run/tunX.pid, where X is the number of the tun device used.
> -
> - $Id: patch-USING,v 1.2 2006/11/12 10:10:09 grunk Exp $
> Index: patches/patch-inststr_c
> ===================================================================
> RCS file: /cvs/ports/net/pptp/patches/patch-inststr_c,v
> retrieving revision 1.1
> diff -u -r1.1 patch-inststr_c
> --- patches/patch-inststr_c 24 Mar 2005 00:57:58 -0000 1.1
> +++ patches/patch-inststr_c 18 Sep 2007 09:55:55 -0000
> @@ -1,7 +1,7 @@
> $OpenBSD: patch-inststr_c,v 1.1 2005/03/24 00:57:58 naddy Exp $
> ---- inststr.c.orig Sat Mar 5 16:20:34 2005
> -+++ inststr.c Sat Mar 5 16:24:38 2005
> -@@ -20,7 +20,7 @@ inststr(int argc, char **argv, char **en
> +--- inststr.c.orig Mon Feb 13 04:07:42 2006
> ++++ inststr.c Tue Sep 18 07:24:08 2007
> +@@ -20,7 +20,7 @@ inststr(int argc, char **argv, char **environ, char *s
>
> for (ptr = argv[0]; *ptr; *(ptr++) = '\0');
>
> Index: patches/patch-pptp_ctrl_c
> ===================================================================
> RCS file: /cvs/ports/net/pptp/patches/patch-pptp_ctrl_c,v
> retrieving revision 1.1
> diff -u -r1.1 patch-pptp_ctrl_c
> --- patches/patch-pptp_ctrl_c 22 Sep 2006 02:00:50 -0000 1.1
> +++ patches/patch-pptp_ctrl_c 18 Sep 2007 09:55:55 -0000
> @@ -1,6 +1,6 @@
> $OpenBSD: patch-pptp_ctrl_c,v 1.1 2006/09/22 02:00:50 pvalchev Exp $
> ---- pptp_ctrl.c.orig Thu Sep 21 19:03:03 2006
> -+++ pptp_ctrl.c Thu Sep 21 19:03:19 2006
> +--- pptp_ctrl.c.orig Mon Feb 13 04:07:42 2006
> ++++ pptp_ctrl.c Tue Sep 18 07:24:12 2007
> @@ -457,6 +457,7 @@ void pptp_conn_destroy(PPTP_CONN * conn)
> void pptp_fd_set(PPTP_CONN * conn, fd_set * read_set, fd_set * write_set,
> int * max_fd)
> @@ -9,7 +9,7 @@
> assert(conn && conn->call);
> /* Add fd to write_set if there are outstanding writes. */
> if (conn->write_size > 0)
> -@@ -465,7 +466,7 @@ void pptp_fd_set(PPTP_CONN * conn, fd_se
> +@@ -465,7 +466,7 @@ void pptp_fd_set(PPTP_CONN * conn, fd_set * read_set,
> FD_SET(conn->inet_sock, read_set);
> if (*max_fd < conn->inet_sock) *max_fd = conn->inet_sock;
> /* Add signal pipe file descriptor to set */
> Index: patches/patch-util_c
> ===================================================================
> RCS file: patches/patch-util_c
> diff -N patches/patch-util_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-util_c 18 Sep 2007 09:55:55 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- util.c.orig Tue Sep 18 07:22:28 2007
> ++++ util.c Tue Sep 18 07:22:35 2007
> +@@ -45,7 +45,7 @@ static void close_log(void)
> + void _log(const char *func, const char *file, int line, const char *format,
> ...)
> + {
> + MAKE_STRING("log");
> +- syslog(LOG_NOTICE, "%s", string);
> ++ syslog(LOG_INFO, "%s", string);
> + }
> +
> + /*** print a warning to syslog
> ************************************************/
> Index: pkg/DESCR
> ===================================================================
> RCS file: /cvs/ports/net/pptp/pkg/DESCR,v
> retrieving revision 1.4
> diff -u -r1.4 DESCR
> --- pkg/DESCR 15 Dec 2003 21:55:09 -0000 1.4
> +++ pkg/DESCR 18 Sep 2007 09:55:55 -0000
> @@ -1,10 +1,4 @@
> -pptp-linux is an implementation of the PPTP protocol for Linux and
> -other Unix systems.
> -
> -The code is released under the terms of the GPL; see the file COPYING
> -for details.
> -
> -You can find notes on installing and using this package in the file
> -${PREFIX}/share/doc/pptp/USING; design notes are in the Documentation
> -directory; and the standards documents used to implement pptp-linux
> -can be found in the Reference directory.
> +PPTP Client is a client for the proprietary Microsoft Point-to-Point
> +Tunneling Protocol. It connects to PPTP-based Virtual Private Networks
> +as used by some universities, companies and cable and ADSL internet
> +service providers.
> Index: pkg/MESSAGE
> ===================================================================
> RCS file: /cvs/ports/net/pptp/pkg/MESSAGE,v
> retrieving revision 1.5
> diff -u -r1.5 MESSAGE
> --- pkg/MESSAGE 12 Nov 2006 10:10:09 -0000 1.5
> +++ pkg/MESSAGE 18 Sep 2007 09:55:55 -0000
> @@ -1,10 +1,7 @@
> You will need to allow gre traffic for pptp to work:
> sysctl net.inet.gre.allow=1
>
> -See ${PREFIX}/share/doc/pptp/USING for an example configuration
> -specific to OpenBSD.
> -
> -See http://www.counterpane.com/pptp-faq.html for a list of security flaws.
> +See http://www.schneier.com/pptp-faq.html for a list of security flaws.
> ==========================================================================
> ATTENTION:
> Alcatel ADSL modems contain default logins with easily computed passwords.
>
>
>
> --
> stefan
> http://stsp.name PGP Key: 0xF59D25F0
--
stefan
http://stsp.name PGP Key: 0xF59D25F0
pgpnnff5J0vi0.pgp
Description: PGP signature
