Subject: RE: VPN - HOW?
To: None <netbsd-help@netbsd.org>
From: Paul Newhouse <newhouse@rockhead.com>
List: netbsd-help
Date: 10/22/1999 07:51:31
Claude Marinier <marinier@dreo.dnd.ca> asked:

>If I were to build a VPN between two branch offices (we can ignore mobile
>clients) and I wanted to use NetBSD to do it, how would I proceed? Would I
>use IPsec, SSL, ... ?
>
>I would not want to buy anything. I expect that one system would reside
>inside one branch office and the other system would reside inside the
>other branch office. They would act as routers. They would encrypt and
>pass all the traffic between each other.
>
>I hope I have provided enough information to get useful answers and not
>too much so I do not limit the scope of answers.
>
>If there is already a document outlining this, please tell me where I can
>get it (I have not found one).

You can start by looking at:

   http://www.linuxdoc.org/HOWTO/mini/VPN.html

It's for Linux, but it uses pppd and ssh, which are common to NetBSD.  I got 
it working in less than a day on NetBSD.  I changed the scripts around a 
little (like using nodetach so I don't have to poll for pppd death and
using lcp-echo and a few other things).  The HOWTO's explanation of how
to swap the ssh keys is a little less than clear.  And it didn't look like
.ppprc was getting loaded (I think sudo isn't getting the environment set
right so it's not looking in the right $HOME/.ppprc); that was kind of annoying.

A friend set this up between work and home. At work he has a Linux machine
and can't make it route his home network at work so he's converting the box 
to NetBSD.  We set this up between our home sites using NetBSD and it works 
great.  His SOHO LAN and mine look like they are on the same segment (using 
fake space addresses).  There are probably other solutions.

Install the pty-redir package (as well as ssh and sudo).

My script looks like (substitute your stuff for <>):

  #!/bin/sh
  # Keep an ssh-tunnelled PPP link to the remote VPN gateway up (needs ssh,
  # sudo and pty-redir from pkgsrc, installed under /usr/pkg).
  VPN_REMOTE=<remote machine name>
  VPN_USER=<a vpn account on the remote machine>
  # pppd options for this end; the remote account has its own .ppprc with the
  # addresses swapped.  The contents are passed to pppd as arguments, so the
  # file must hold only pppd options: no comments, no backslash continuations.
  PPPRC=$HOME/.ppprc
  while :; do
  	# Only try to bring the link up while the far end answers a ping.
  	if /sbin/ping -c 1 -w 2 "$VPN_REMOTE" >/dev/null 2>&1; then
  		# pty-redir runs ssh behind a pty and prints the pty's name; the local
  		# pppd uses that pty and the remote pppd uses $SSH_TTY, so the two talk
  		# through the ssh channel.  The remote command is single-quoted so the
  		# far side expands $SSH_TTY and `cat .ppprc`, not this shell.
  		/usr/pkg/bin/sudo /usr/sbin/pppd \
  			$(/usr/pkg/bin/pty-redir /usr/pkg/bin/ssh -t \
  				-l "$VPN_USER" "$VPN_REMOTE" -o 'BatchMode yes' \
  				'/usr/pkg/bin/sudo /usr/sbin/pppd $SSH_TTY `cat .ppprc`') \
  			$(cat "$PPPRC")
  		# pppd runs with nodetach, so we get here only when the link drops.
  	else
  		echo "Destination is down"
  	fi
  	sleep 10	# don't busy-loop while the peer is unreachable
  done

and .ppprc looks like:

  nodetach lcp-echo-failure 30 lcp-echo-interval 5 nopersist noauth
  <local ip addr>:<remote ip addr> vj-max-slots 16 deflate 15,15
  local nocrtscts netmask 255.255.255.255 mtu 1500 ipparam WANVPN

Good luck,
Paul

P.S. - anybody know how to get ppp to use an arbitrary tty on IRIX?
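Paul's .ppprc sets `ipparam WANVPN`, but the message does not show what the gateways do with it, or how each office reaches the LAN on the other side of the link. The /etc/ppp/ip-up and ip-down script below is an added example (mine, not Paul's and not from the HOWTO): pppd runs ip-up as root with the interface name, tty, speed, local and remote IP addresses and the ipparam once the link is up, and ip-down with the same arguments when it goes down, and the script uses the ipparam to add and remove the route to the far office's LAN for the VPN link only, leaving any other PPP link alone. The remote LAN (10.2.0.0/255.255.0.0), the WANVPN tag and the route(8) syntax are assumptions.

```sh
#!/bin/sh
# /etc/ppp/ip-up and /etc/ppp/ip-down for the NetBSD VPN gateway (example).
# pppd runs them as root, as
#   ip-up   <ifname> <tty> <speed> <local-ip> <remote-ip> <ipparam>
#   ip-down <ifname> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Install this file as /etc/ppp/ip-up and symlink /etc/ppp/ip-down to it;
# it decides what to do from its own name.

# Assumptions: the other office's LAN, and the ipparam the VPN pppd is
# started with (matches "ipparam WANVPN" in .ppprc).  Any other PPP link,
# e.g. a dial-up one, carries a different ipparam and is left alone.
REMOTE_LAN=10.2.0.0
REMOTE_MASK=255.255.0.0
VPN_TAG=WANVPN

# Work out the route(8) command for a link event and print it.  Prints
# nothing for links that are not the VPN.  Kept as a pure function so the
# decision can be checked by hand before a real PPP link exists.
#   $1 = up|down, $2 = ifname, $6 = remote-ip, $7 = ipparam
vpn_route_cmd() {
    event=$1; ifname=$2; remote_ip=$6; ipparam=$7
    [ "$ipparam" = "$VPN_TAG" ] || return 0
    case $event in
    up)   echo "route add -net $REMOTE_LAN -netmask $REMOTE_MASK $remote_ip" ;;
    down) echo "route delete -net $REMOTE_LAN -netmask $REMOTE_MASK $remote_ip" ;;
    *)    echo "vpn_route_cmd: unknown event '$event'" >&2; return 1 ;;
    esac
}

# Apply the route change for a link event, logging what was done.
vpn_route() {
    cmd=$(vpn_route_cmd "$@") || return 1
    [ -n "$cmd" ] || return 0
    logger -t ppp-vpn "$2: $cmd"
    $cmd
}

# Only dispatch when pppd actually invoked us under one of the two names.
case $(basename "$0") in
ip-up)
    # Both gateways must forward for the two LANs to reach each other.
    sysctl -w net.inet.ip.forwarding=1 >/dev/null
    vpn_route up "$@" ;;
ip-down)
    vpn_route down "$@" ;;
esac
```

Hosts on each LAN still need a route for the far LAN via their gateway (or the gateway as their default route). On the ssh side, the vpn account's key is used with BatchMode, so it has no passphrase, and the account has passwordless sudo for pppd; pinning that key in the remote account's authorized_keys with `command="..."` and `no-port-forwarding,no-agent-forwarding,no-X11-forwarding` keeps a copied key from being good for anything except starting the VPN.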