
I'm trying to setup a VPN over SSH using PPPD (following the Arch Wiki). The command given is:

/usr/sbin/pppd updetach noauth silent nodeflate pty \
  "/usr/bin/ssh root@remote-gw /usr/sbin/pppd nodetach notty noauth"  \
  ipparam vpn 10.0.8.1:10.0.8.2

I have successfully managed to set it up with appropriate modifications to the above command. To connect to the internal network on the server side, I had to set up forwarding using iptables on the server side (blindly following this SF post):

iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I'd like to automate this. Now, eth0 is fixed, but the ppp0 may change (for example, someone else also has started a similar setup). How can I detect what interface was created by the pppd command on the server side? Parse dmesg? Diff the output of ip -o a? Can I get pppd to report it to me?

  • Client is an up-to-date Arch Linux
  • Server is an up-to-date Ubuntu 14.04

dmesg seems to be useless:

$ dmesg | grep -i ppp
[    0.803033] PPP generic driver version 2.4.2
[135747.442807] PPP BSD Compression module registered
[135747.459013] PPP Deflate Compression module registered

No mention of a device being created. syslog seems to be more useful:

Apr 26 13:52:15 server pppd[12725]: pppd 2.4.5 started by muru, uid 0
Apr 26 13:52:15 server pppd[12725]: Using interface ppp0
Apr 26 13:52:15 server pppd[12725]: Connect: ppp0 <--> /dev/pts/7
Apr 26 13:52:15 server pppd[12725]: BSD-Compress (15) compression enabled

The Using interface ppp0 line seems to be what I want. I think I can get it thus:

awk '/started by muru/{getline; pppdev=$NF} END {print pppdev}'

Can I rely on the output of pppd for this?


1 Answer

Most probably /etc/ppp/ip-up.d is the location you are looking for.

My example is valid on Gentoo Linux but the same directory structure seems to exist on Arch.

Every time a VPN connection is made, /etc/ppp/ip-up is run, which typically executes /etc/ppp/ip-up.d/* in turn. Its first argument is the attached pppN device.

Put this script under /etc/ppp/ip-up.d/90-local for instance:

#!/bin/sh
# Arguments pppd passes to ip-up scripts:
#   $1 interface  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam

# Optional trace:
# logger -t "ppp" "$6: $1 (${2:--}, $3) $4 --> $5"

iptables -A FORWARD -i "$1" -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You might as well use the environment variables pppd sets before running scripts. The one you are looking for is $DEVICE. Simply replace $1 with $DEVICE in the above script:

iptables -A FORWARD -i "$DEVICE" -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o "$DEVICE" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

See man pppd for more info on what pppd does when establishing a connection.

  • Correction: The server is Ubuntu, the client is Arch. But yes, I checked and the same directory structure is present on the server. And it works beautifully. – muru Apr 26 '15 at 09:19
  • @muru Glad it works. It would make more sense to add `-i $DEVICE` to `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`. Without it you can just make it a permanent rule... IIF *all* traffic going through `eth0` *must* be masqueraded. –  Apr 26 '15 at 10:00
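As an added example (not code from the answer or from pppd), here is the ip-up.d hook above turned into a matching ip-up/ip-down pair, so the rules added for one link are deleted again when that link goes down instead of accumulating across connections. It reads the interface and peer address from pppd's positional arguments (interface, tty, speed, local IP, remote IP, ipparam; pppd also exports these as IFNAME, DEVICE, SPEED, IPLOCAL, IPREMOTE and IPPARAM) and, following the comment's idea of limiting MASQUERADE to the VPN link, restricts it by the peer's address, because -i is not accepted in the POSTROUTING chain. The upstream interface eth0, the hook file name and the `vpn` ipparam check are assumptions.

```shell
#!/bin/sh
# Added example: install as /etc/ppp/ip-up.d/90-vpn-nat and symlink it into
# /etc/ppp/ip-down.d/, so one script adds (-A) and removes (-D) the same rules.
# pppd runs hooks as: <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# and exports IFNAME (interface), DEVICE (tty), IPLOCAL, IPREMOTE, IPPARAM.
# Assumed (hypothetical): eth0 is the upstream link; only connections started
# with "ipparam vpn" should be forwarded and masqueraded.

WAN=${WAN:-eth0}
IPTABLES=${IPTABLES:-iptables}   # overridable so the rule set can be dry-run

# Emit the three rules for one link. ACTION is -A on ip-up and -D on ip-down;
# deleting by the identical specification keeps add and remove in sync.
# MASQUERADE is restricted by the peer's address rather than by interface,
# because -i is not accepted in the POSTROUTING chain.
ppp_nat_rules() {
    action=$1 dev=$2 peer=$3
    "$IPTABLES" "$action" FORWARD -i "$dev" -o "$WAN" -j ACCEPT &&
    "$IPTABLES" "$action" FORWARD -i "$WAN" -o "$dev" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    "$IPTABLES" -t nat "$action" POSTROUTING -s "$peer" -o "$WAN" -j MASQUERADE
}

# Map the hook directory we were invoked from to an iptables action.
# Returns 1 (and prints nothing) for any other path.
hook_action() {
    case "$1" in
        */ip-up.d/*)   printf '%s\n' -A ;;
        */ip-down.d/*) printf '%s\n' -D ;;
        *)             return 1 ;;
    esac
}

# $1 is the script path, $2..$7 are pppd's six positional arguments.
ppp_hook() {
    script=$1 iface=$2 peer=$6 ipparam=$7
    [ "$ipparam" = vpn ] || return 0      # not one of our VPN links: nothing to do
    action=$(hook_action "$script") || return 0
    ppp_nat_rules "$action" "$iface" "$peer"
}

# Only act when executed by pppd from a hook directory, not when sourced.
case "$0" in
    */ip-up.d/*|*/ip-down.d/*) ppp_hook "$0" "$@" ;;
esac
```

Scripts in /etc/ppp/ip-up.d must be executable, and the ip-down copy only works if the rule specifications match exactly, which is why both paths share ppp_nat_rules.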