Re: [gnome-network]VPN and other mac os things



On Mon, 2003-10-27 at 16:51, Rodrigo Moya wrote:
> On Thu, 2003-11-27 at 17:01, garnacho tuxerver net wrote:
> > Hi Rodrigo!
> > 
> > On Mon, Oct 27, 2003 at 02:53:37PM +0100, Rodrigo Moya wrote:
> > > Hi
> > > 
> > > http://diveintoosx.org/panther/networking.html
> > > 
> > > this shows the new network tools in panther. As you can see here:
> > > 
> > > http://unbolted.llarian.net/f8dy/sp_network_status.jpg
> > > 
> > > VPNs are included with the rest of network interfaces. So I guess it is
> > > also a good idea to do the same in GST.
> > 
> > it could really be a great idea, but unfortunately my experience with
> > VPNs is almost 0, nor do I have access to any VPN, so I might need
> > some clues about how to configure a VPN in the distros that the GST
> > supports, or aims to support...
> > 
> no problem! we've got Paul who can help you :-) Paul, is that ok then,
> to put your VPN code into GST? or at least try to?

Feel free.

http://www.poptop.org/ is the PPTP server on Linux. I've never
tried it myself, we already had the Microsoft VPN servers in place here
before I even started looking at VPNs.

I had a look at the GST code last night and it looks like the simplest
solution for the GUI is to copy then change the existing Modem (PPP)
interface. As for the backend scripts, they all seem to be written in
Perl, which is not my forte. I have attached a stripped-down bash script
with comments, that works with our VPN servers. Feel free to use as you
see fit.

You do need to run the ppp and pptp-linux available on the
http://pptpclient.sourceforge.net/ site to get MPPE support which is
used on the Microsoft VPN servers. There is also a good document on that
site which describes the different ways routing should be handled.

Paul

#!/bin/sh
#
# Linux script for connecting to the trial VPN server
# Code is free to use as you see fit
#
# Author  Paul Coates
#
# You need to run as root
# Enter your DOMAIN, USERNAME, REMOTE_NETWORK, REMOTE_MASK and SERVER_NAME
# Start the tunnel with "nclvpn start"
# Stop the tunnel with "nclvpn stop"
# If you want to switch on debugging uncomment the DEBUG line
# The first time you run the script you will be asked for
# a password to create entries in the chap-secrets file
#
# Note: This version of the script has all the resolv.conf and VPN detection
# code ripped out, it's structured for clarity
#

# For remote network and mask use a.b.c.d form
# They are just needed to setup the routing

DOMAIN=MYDOMAIN
USERNAME=myusername
REMOTE_NETWORK=a.b.0.0
REMOTE_MASK=255.255.0.0
DEBUG=
#DEBUG="debug logfd 2"
SERVER_NAME=myserver.gnome.org

# These bits don't change

PPTPCMND=/usr/sbin/pptp
ROUTECMND=/sbin/route
IFCFGCMND=/sbin/ifconfig
CHAP_SECRETS=/etc/ppp/chap-secrets
DEFAULT_INTERFACE=`$ROUTECMND -n | awk '/UG/ { print $8 }'`
SERVER_ADDRESS=`host $SERVER_NAME | awk '/has address/ { print $4 }' | head -1`

# Check to see if we resolved the server name OK. We use a round-robin DNS
# entry to cycle through our servers, so you can get a different server every
# time; we need to convert this into an IP address so we can set up the
# routing correctly

if [ -z "$SERVER_ADDRESS" ] ; then
	echo Failed to resolve name $SERVER_NAME
	echo Check that you have a valid /etc/resolv.conf file
	exit 1
fi

start() {
echo Starting VPN tunnel

# Here we append the appropriate lines to the chap-secrets file if they are
# not already there. This means asking the user for their password. A better
# way used in the GUI version is to ask for a password every time and create
# a temporary chap-secrets file which is swapped in, used once, swapped out
# after use and deleted

# chap-secrets stores the name as DOMAIN\\USERNAME (the backslash is escaped).
# The 16 backslashes below are halved three times (backticks, shell quoting,
# regex), which leaves a match for those two literal backslashes.

MATCH1=`cat $CHAP_SECRETS | awk /^$DOMAIN\\\\\\\\\\\\\\\\$USERNAME/ | grep PPTP | wc | awk '{print $1}'`
MATCH2=`cat $CHAP_SECRETS | awk '/^PPTP/' | grep "$DOMAIN\\\\\\\\\\\\\\\\$USERNAME" | wc | awk '{print $1}'`
if [ 1$MATCH1 = 10 ] || [ 1$MATCH2 = 10 ] ; then
echo Updating $CHAP_SECRETS file
echo Password:
stty -echo
read PASSWD
stty echo
fi
# printf is used rather than echo because some /bin/sh echo builtins collapse
# \\ to \, which would write an entry the checks above never match
if [ 1$MATCH1 = 10 ] ; then
	printf '%s\\\\%s\t\tPPTP\t\t%s\n' "$DOMAIN" "$USERNAME" "$PASSWD" >>$CHAP_SECRETS
fi
if [ 1$MATCH2 = 10 ] ; then
	printf 'PPTP\t\t%s\\\\%s\t\t%s\n' "$DOMAIN" "$USERNAME" "$PASSWD" >>$CHAP_SECRETS
fi
chmod 0600 $CHAP_SECRETS

# Here we create the VPN tunnel but first we make a list of all the
# interfaces, then start the tunnel, then make a new list. The extra
# interface in the list is the tunnel interface.

# All the options are included on the command line here so we don't need to use
# options files stored in /etc/ppp

LST_BEFORE=`$IFCFGCMND | awk '/^[a-z]/ { print $1 }'`
$PPTPCMND $SERVER_ADDRESS name "$DOMAIN\\$USERNAME" remotename PPTP $DEBUG lock noauth nobsdcomp nodeflate require-mppe mtu 1000 mru 1000 lcp-echo-failure 10 lcp-echo-interval 10
sleep 5
LST_AFTER=`$IFCFGCMND | awk '/^[a-z]/ { print $1 }'`
DEFAULT_INTERFACE=`$ROUTECMND -n | awk '/UG/ { print $8 }'`

# Now work out the interface used by the VPN tunnel

PPTP_INTERFACE=
for i in $LST_AFTER; do
	MATCH=0
	for j in $LST_BEFORE; do
		if [ 1$i = 1$j ] ; then
			MATCH=1
		fi
	done
	if [ 1$MATCH = 10 ] ; then
		PPTP_INTERFACE=$i
	fi
done
if [ 1$PPTP_INTERFACE = 1 ] ; then
	echo Failed to create tunnel
	exit 1
fi

# The following routing works for our network but there are different routing
# needs for different types of VPN

$ROUTECMND add -net $REMOTE_NETWORK netmask $REMOTE_MASK $PPTP_INTERFACE
$ROUTECMND add -host $SERVER_ADDRESS $DEFAULT_INTERFACE
}

stop() {
echo Stopping VPN tunnel

### Restore Routing
###
$ROUTECMND del -net $REMOTE_NETWORK netmask $REMOTE_MASK 2>/dev/null
$ROUTECMND del -host $SERVER_ADDRESS 2>/dev/null

### Destroy Tunnel
###
killall -q -HUP pptp
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  *)
        echo "Usage: $0 {start|stop}"
        exit 1
esac
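
The temporary chap-secrets swap that the script's comments describe but do not show, sketched as an added example; it is not part of the original mail and not the GUI version's code. The function names, the `.saved` suffix and the secrets-file parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). Function names and the ".saved"
# suffix are hypothetical; the secrets path is a parameter so the functions
# can be tried on a scratch file instead of /etc/ppp/chap-secrets.

# swap_in_secrets <secrets-file> <domain> <user> <password>
swap_in_secrets() {
	secrets=$1
	# A leftover .saved file means an earlier run never swapped out; refuse
	# rather than overwrite the only copy of the real secrets.
	if [ -e "$secrets.saved" ]; then
		echo "stale $secrets.saved found, restore it first" >&2
		return 1
	fi
	old_umask=`umask`
	umask 077
	tmp=`mktemp "$secrets.XXXXXX"` || { umask "$old_umask"; return 1; }
	umask "$old_umask"
	# pppd treats a backslash as an escape, so the file holds DOMAIN\\USERNAME.
	# The password is written as-is, as in the original script (assumes no
	# whitespace or quotes in it).
	printf '%s\\\\%s\tPPTP\t%s\n' "$2" "$3" "$4" >"$tmp"
	printf 'PPTP\t%s\\\\%s\t%s\n' "$2" "$3" "$4" >>"$tmp"
	if [ -e "$secrets" ]; then
		mv "$secrets" "$secrets.saved" || { rm -f "$tmp"; return 1; }
	fi
	mv "$tmp" "$secrets"      # rename within one directory
}

# swap_out_secrets <secrets-file>
swap_out_secrets() {
	secrets=$1
	if [ -e "$secrets.saved" ]; then
		mv -f "$secrets.saved" "$secrets"   # original back, password gone
	else
		rm -f "$secrets"
	fi
}
```

Calling `swap_out_secrets` from a `trap` on EXIT, INT and TERM keeps the one-shot password from outliving an interrupted run.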


