Re: PPTP Support
Robert & Dan,

I got a very useful response from James Cameron (the PPTP maintainer). It looks like my correct course of action is to build a pppd plugin, which apparently are very version dependent, but I'm sure the packaging for a particular distro will be able to get around that.

It seems a pppd plugin can solve both the chap-secrets and ip-up issue. I think I may be able to make nm-pptp-service-pptp-helper into a dbus aware pppd plugin thus solving it all in one. I'm looking into this now. Doesn't seem too bad so far!

The VPN gateway IP issue is not yet so obvious. It may be that the plugin can solve that too, but I haven't quite figured that out yet. James made a suggestion about using netstat to find out the IP of the machine connected to port 1732 but that may be a little clumsy. James has invited me to submit a patch for pptp if needed.

Also however, James suggested something I had thought of myself and have already implemented. That is that nm-pptp-service does a gethostbyname lookup on the given VPN server name then passes the IP to pppd and remembers it for its own routing purposes later. This appears to work just nicely.

tOnY

Robert Love wrote:
> On Tue, 2005-11-22 at 11:33 -0500, Dan Williams wrote:
>
> > Yeah, this does rather suck. But if pptp just calls pppd and doesn't
> > allow specification of stuff like a script file to run after everything
> > is done, etc, it's going to be hard. Hopefully there's a way to do this
> > without touching/moving stuff around...
> >
> > > In the case of the secrets file, I suppose you could write that data out
> > > yourself, no?
> >
> > I did this initially for vpnc before they added the 'options written to
> > stdin' option in 0.3.3 (which is why NM requires 0.3.3). It works, but
> > of course it's a security risk. If there's no alternative though, it's
> > probably the best route.
>
> Yah. I am not so worried about the secrets file (although we ought to
> work toward fixing that, too) but the ifup modifications needed:
>
>     ipparam=$6
>     if [ "$ipparam" == "nm-pptp-service" ]; then
>         export route_vpn_gateway=$5
>         export dev=$1
>         export ifconfig_local=$4
>         if [ -e /etc/ppp/resolv.conf ]; then
>             export IP4_DNS=`grep '^nameserver[[:space:]]' /etc/ppp/resolv.conf | sed -e 's/^nameserver\s*\(.*\)/\1/' | xargs | sed -e 's/ /,/'`
>         fi
>         /usr/bin/nm-pptp-service-pptp-helper
>         exit
>     fi
>
> I dunno if we can get distros to carry edits to /etc/ppp/ip-up.
>
> Anyhow, Dan -- should we merge this or wait until some of the other
> issues are resolved? I have a copy in my tree that I can commit now, if
> the former.
>
> Antony is right in that "almost just works" is better than nothing, but
> I also don't want to put a solution into the tree if it is far from what
> we want.
>
> Robert Love

___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: PPTP Support
On Tue, 2005-11-22 at 16:29 +, Antony J Mee wrote:
> So. I have attempted to start a discussion on the linux-ppp and
> pptp-client-devel lists to sniff out solutions to precisely these
> issues. I didn't want to fill everyone's mailboxes with it but you can
> find it archived here:
>
> http://marc.theaimsgroup.com/?l=linux-ppp&m=113267583227164&w=2

Another thought I had. Could any of the functionality required be implemented in a pppd plugin? If there's not enough exposed there, could we convince the pppd authors to add a hook to be executed whenever ifup would be executed? We could instead run the pptp helper binary at that point, directly from pppd.

Although, that would be my second choice. First choice would be the command line option for path to the ifup script, which NM could override (as long as pptp does the same).

Dan
Re: PPTP Support
On Tue, 2005-11-22 at 11:36 -0500, Robert Love wrote:
> On Tue, 2005-11-22 at 11:33 -0500, Dan Williams wrote:
>
> > Yeah, this does rather suck. But if pptp just calls pppd and doesn't
> > allow specification of stuff like a script file to run after everything
> > is done, etc, it's going to be hard. Hopefully there's a way to do this
> > without touching/moving stuff around...
> >
> > > In the case of the secrets file, I suppose you could write that data out
> > > yourself, no?
> >
> > I did this initially for vpnc before they added the 'options written to
> > stdin' option in 0.3.3 (which is why NM requires 0.3.3). It works, but
> > of course it's a security risk. If there's no alternative though, it's
> > probably the best route.
>
> Yah. I am not so worried about the secrets file (although we ought to
> work toward fixing that, too) but the ifup modifications needed:
>
>     ipparam=$6
>     if [ "$ipparam" == "nm-pptp-service" ]; then
>         export route_vpn_gateway=$5
>         export dev=$1
>         export ifconfig_local=$4
>         if [ -e /etc/ppp/resolv.conf ]; then
>             export IP4_DNS=`grep '^nameserver[[:space:]]' /etc/ppp/resolv.conf | sed -e 's/^nameserver\s*\(.*\)/\1/' | xargs | sed -e 's/ /,/'`
>         fi
>         /usr/bin/nm-pptp-service-pptp-helper
>         exit
>     fi
>
> I dunno if we can get distros to carry edits to /etc/ppp/ip-up.

Yeah, seems dodgy.

> Anyhow, Dan -- should we merge this or wait until some of the other
> issues are resolved? I have a copy in my tree that I can commit now, if
> the former.
>
> Antony is right in that "almost just works" is better than nothing, but
> I also don't want to put a solution into the tree if it is far from what
> we want.

My suggestion: let's see where the conversation with pptp and pppd goes. If they are amenable to adding something like the ifup/ip-up command-line option, and do so in a short time, then let's add it. Otherwise, I think we should push back on them for a bit and get this sorted out before putting it in CVS.

I'm not married to this though, suggestions welcome.

Dan
Re: PPTP Support
On Tue, 2005-11-22 at 16:29 +, Antony J Mee wrote:
> That discusses the two issues mentioned already. And a third, more
> annoying one that I only discovered on connecting to a different network
> today. This is related to the lack of a way to get the VPN server's IP
> which is needed for adjusting the routing tables. I think I have a
> workaround for that now though by getting NetworkManager to resolve the IP
> of the VPN server before spawning pptp.

What's the issue here? Is the VPN server specified as a hostname or something? I don't think we support VPN servers as hostnames in NM at this time, but if you've got a patch I'm sure we'll take it :) Seems like something quite useful.

> >In the case of the secrets file, I suppose you could write that data out
> >yourself, no?
>
> That I have considered, but was unsure how to proceed. If I were to do
> so how would people like to see it done?
>    a) NM maintains lines in chap-secrets
>    b) before connecting back up chap-secrets, and replace it with an NM
>       generated file and replace the original when the connection has
>       been established
>    c) other

The best way to do this (without a lot of invasive crap) is to have command line options to specify what script to run in place of ifup. Ideally, pppd would take a '--everything-working-script' (it already has a 'connect-script' parameter that _won't_ do what you want) that by default would be /sbin/ifup, but that pptp could specify itself. Then, pptp takes a command line parameter that's the script to pass to pppd. This script would be the 'nm-pptp-service-helper' binary from the NM vpn package. It should ideally parse everything and anything required to pass info to NM, including DNS servers and such.

The idea here is that we want as _few_ scripts and tools as possible so that the call chain from tool to tool is as simple and efficient as possible. It's hard to see why the pppd and pptp guys wouldn't add an option for this, it seems entirely reasonable to me.

It's not like we're asking them to add full DBus support to their tools and it certainly doesn't change default behavior of either one.

Dan
Re: PPTP Support
On Tue, 2005-11-22 at 11:33 -0500, Dan Williams wrote:
> Yeah, this does rather suck. But if pptp just calls pppd and doesn't
> allow specification of stuff like a script file to run after everything
> is done, etc, it's going to be hard. Hopefully there's a way to do this
> without touching/moving stuff around...
>
> > In the case of the secrets file, I suppose you could write that data out
> > yourself, no?
>
> I did this initially for vpnc before they added the 'options written to
> stdin' option in 0.3.3 (which is why NM requires 0.3.3). It works, but
> of course it's a security risk. If there's no alternative though, it's
> probably the best route.

Yah. I am not so worried about the secrets file (although we ought to work toward fixing that, too) but the ifup modifications needed:

    ipparam=$6
    if [ "$ipparam" == "nm-pptp-service" ]; then
        export route_vpn_gateway=$5
        export dev=$1
        export ifconfig_local=$4
        if [ -e /etc/ppp/resolv.conf ]; then
            export IP4_DNS=`grep '^nameserver[[:space:]]' /etc/ppp/resolv.conf | sed -e 's/^nameserver\s*\(.*\)/\1/' | xargs | sed -e 's/ /,/'`
        fi
        /usr/bin/nm-pptp-service-pptp-helper
        exit
    fi

I dunno if we can get distros to carry edits to /etc/ppp/ip-up.

Anyhow, Dan -- should we merge this or wait until some of the other issues are resolved? I have a copy in my tree that I can commit now, if the former.

Antony is right in that "almost just works" is better than nothing, but I also don't want to put a solution into the tree if it is far from what we want.

Robert Love
Re: PPTP Support
On Tue, 2005-11-22 at 11:03 -0500, Robert Love wrote:
> On Mon, 2005-11-21 at 22:46 +, Antony Mee wrote:
>
> Hi, Antony. Looks nice!
>
> > There are some things ToDo relating to the fact that PPTP is dependent
> > upon pppd. Comments and patches welcome.

Am I correct in assuming here that NM has no ability to control pppd? Does pptp launch pppd? Any chance to get the pptp author to make some modifications to work better with NM?

> The need to edit the secrets file is one thing, but requiring the user
> edit the ppp ifup script is quite another. We really need stuff to
> "just work" and I understand that PPTP and PPP are heavily interwoven,
> and this sucks, but is there any way to work around this?

Yeah, this does rather suck. But if pptp just calls pppd and doesn't allow specification of stuff like a script file to run after everything is done, etc, it's going to be hard. Hopefully there's a way to do this without touching/moving stuff around...

> In the case of the secrets file, I suppose you could write that data out
> yourself, no?

I did this initially for vpnc before they added the 'options written to stdin' option in 0.3.3 (which is why NM requires 0.3.3). It works, but of course it's a security risk. If there's no alternative though, it's probably the best route.

Dan
Re: PPTP Support
Hi Robert,

Thanks for the response. I do want it to "just work". But "minor edits then just works" seems to be better than "doesn't work"; if only a step in the right direction. This means for me that I can now run NM in one important location (office) and gives me more motivation to get it working in the other important place (home requires WPA-PSK).

Robert Love wrote:
> The need to edit the secrets file is one thing, but requiring the user
> edit the ppp ifup script is quite another. We really need stuff to
> "just work" and I understand that PPTP and PPP are heavily interwoven,
> and this sucks, but is there any way to work around this?

So. I have attempted to start a discussion on the linux-ppp and pptp-client-devel lists to sniff out solutions to precisely these issues. I didn't want to fill everyone's mailboxes with it but you can find it archived here:

http://marc.theaimsgroup.com/?l=linux-ppp&m=113267583227164&w=2

That discusses the two issues mentioned already. And a third, more annoying one that I only discovered on connecting to a different network today. This is related to the lack of a way to get the VPN server's IP which is needed for adjusting the routing tables. I think I have a workaround for that now though by getting NetworkManager to resolve the IP of the VPN server before spawning pptp.

> In the case of the secrets file, I suppose you could write that data out
> yourself, no?

That I have considered, but was unsure how to proceed. If I were to do so how would people like to see it done?

   a) NM maintains lines in chap-secrets
   b) before connecting back up chap-secrets, and replace it with an NM generated file and replace the original when the connection has been established
   c) other

> Editing the ifup script seems harder, to be sure ...

I agree of course, but this appears to be the only interface provided by ppp for getting the tunnel and dns properties. I hope the pppd list will provide me an answer there.

tOnY
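
Option (a) from the message above, handled with the "security risk" of writing secrets to a file in mind: tagged lines, a 0600 rewrite, and quoting so a secret cannot break out of its entry. This is an added example, not part of the original post and not NetworkManager code; NM_TAG and the nm_* function names are hypothetical, and it assumes pppd ignores a trailing # comment in chap-secrets as it does in its options files.

```shell
#!/bin/sh
# Added example: option (a), NM-owned lines in a pppd secrets file.
# NM_TAG and the nm_* function names are hypothetical, not NetworkManager code.
NM_TAG='# nm-pptp-service'

# Quote a value as one pppd word: double quotes, with \ and " backslash-escaped.
nm_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/[\\"]/\\&/g')"
}

# nm_chap_remove FILE: drop every tagged line, keep the administrator's lines.
nm_chap_remove() {
    file=$1
    [ -f "$file" ] || return 0
    tmp=$(mktemp "$file.XXXXXX") || return 1        # mktemp creates it mode 0600
    grep -v -F -- "$NM_TAG" "$file" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }                 # exit 1 only means "no lines left"
    mv -f "$tmp" "$file"                            # atomic: same directory
}

# nm_chap_add FILE CLIENT SERVER SECRET: replace any tagged entry with this one.
nm_chap_add() {
    file=$1 client=$2 server=$3 secret=$4
    case "$client$server$secret" in
        *"
"*) return 1 ;;                                     # newline would inject a second entry
    esac
    nm_chap_remove "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if [ -f "$file" ]; then cat "$file" > "$tmp"; fi
    printf '%s %s %s %s\n' "$(nm_quote "$client")" "$(nm_quote "$server")" \
        "$(nm_quote "$secret")" "$NM_TAG" >> "$tmp"
    mv -f "$tmp" "$file"
}
```

Because the rewrite goes through a fresh mktemp file, the secrets file ends up mode 0600 and owned by the caller even if it was more permissive before.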
Re: PPTP Support
On Mon, 2005-11-21 at 22:46 +, Antony Mee wrote:

Hi, Antony. Looks nice!

> There are some things ToDo relating to the fact that PPTP is dependent
> upon pppd. Comments and patches welcome.

The need to edit the secrets file is one thing, but requiring the user edit the ppp ifup script is quite another. We really need stuff to "just work" and I understand that PPTP and PPP are heavily interwoven, and this sucks, but is there any way to work around this?

In the case of the secrets file, I suppose you could write that data out yourself, no?

Editing the ifup script seems harder, to be sure ...

Robert Love