
                         Linux VPN HOWTO (Virtual Private Network)
                                       
   Author: Arpad Magosanyi <mag@bunuel.tii.matav.hu>
   Chinese translation: <dawei@sinica.edu.tw>

   v0.2, 7 August 1997; translation dated 20 Feb 1999
     _________________________________________________________________
   
   How to set up a Virtual Private Network (VPN) on Linux.
     _________________________________________________________________
   
1. Changes

2. Introduction

     * 2.1 Copyright
     * 2.2 Disclaimer
     * 2.3 Warning
     * 2.4 Credits
     * 2.5 Intended audience
     * 2.6 Related documentation
       
3. Theory

     * 3.1 Definitions
       
4. Let's begin

     * 4.1 Planning
     * 4.2 Gather the tools
     * 4.3 Compile and install
     * 4.4 Basic system setup
     * 4.5 Set up the VPN user accounts
     * 4.6 Generate an ssh key for the master account
     * 4.7 Set up the remote ssh environment for the slave account
     * 4.8 Tighten ssh security on the bastions
     * 4.9 Make ppp and route executable from the slave account
     * 4.10 Write the scripts
       
5. What happens when it runs

6. Running it

     * 6.1 Test ssh
     * 6.2 Test ppp
     * 6.3 Put them together
     * 6.4 Pty redirection
     * 6.5 Set up the interface and see what happens
     * 6.6 Set up the routes
       
7. Tuning

     * 7.1 Tuning the settings
     * 7.2 Bandwidth and security: who needs it?
       
8. Security considerations
     _________________________________________________________________
   
1. Changes

   'no controlling tty problem' -> -o 'BatchMode yes', from Zot O'Connor
   <zot@crl.com>
   
   2.0.30 kernel issues, from mag
   
2. Introduction

   This document is the Linux VPN HOWTO. It is about setting up a Virtual
   Private Network on Linux (and perhaps other UNIXes): a protected network
   connection carried over a public network.
   
2.1 Copyright

   This document is covered by the standard Linux HOWTO copyright. Unless
   stated otherwise, Linux HOWTO documents are copyrighted by their respective
   authors. Linux HOWTO documents may be reproduced and distributed in whole
   or in part, in any medium, physical or electronic, as long as this
   copyright notice is retained on all copies. Commercial redistribution is
   allowed and encouraged; however, the author would like to be notified of
   any such distribution. All translations, derivative works, or aggregate
   works incorporating any Linux HOWTO documents must be covered under this
   copyright notice; that is, you may not produce a derivative work from a
   HOWTO and impose additional restrictions on its distribution. Exceptions to
   these rules may be granted under certain conditions; please contact the
   Linux HOWTO coordinator. In short, we wish to promote the dissemination of
   this information through as many channels as possible. However, we do wish
   to retain copyright on the HOWTO documents, and would like to be notified
   of any plans to redistribute the HOWTOs. If you have questions, please
   contact Tim Bynum, the Linux HOWTO coordinator, at
   linux-howto@sunsite.unc.edu.
   
2.2 Disclaimer

   No liability for the contents of this document can be accepted; use its
   concepts and examples entirely at your own risk. The relevant parts are
   covered by the GNU GPL (0.1.1).
   
2.3 Warning

   First, a word about security: unless you have formed a sound security
   policy and taken the corresponding measures, you will not achieve real
   security.
   
2.4 Credits

   Thanks to everyone who provided the programs used here.
   
   Thanks to Zot O'Connor <zot@crl.com> for pointing out the 'no controlling
   tty' problem and providing its solution.
   
2.5 Intended audience

   Before reading on you should already have a working knowledge of IP
   networking, and some understanding of firewalls, ppp and ssh. Setting up a
   VPN requires knowing all of these, and this document only describes how to
   put them together; anything done wrong along the way may open a security
   hole. If your network layout or firewall is built differently from mine, I
   hope you can still follow this document.
   
2.6 Related documentation

     * The Linux Firewall-HOWTO, in /usr/doc/HOWTO/Firewall-HOWTO
     * The Linux PPP-HOWTO, in /usr/doc/HOWTO/PPP-HOWTO.gz
     * The ssh documentation in the directory /usr/doc/ssh/*
     * The Linux Network Administrators' Guide
     * The computer security publications of the National Institute of
       Standards and Technology (NIST), at
       http://csrc.ncsl.nist.gov/nistpubs/
     * The Firewalls mailing list (majordomo@greatcircle.com)
       
3. Theory

   With networking reaching everywhere, firewalls are becoming more and more
   widespread, especially where a company's internal network (intranet) meets
   the outside world, and the firewall setting shapes the security
   considerations of a VPN. I only touch on the subject here; contributions
   are welcome.
   
3.1 Definitions

   I use the terms "master firewall" and "slave firewall" for the two ends of
   the tunnel. This is only a naming convention: from the point of view of the
   VPN connection itself there is no difference between them. The distinction
   is simply which side initiates the connection: the initiating side is the
   master firewall, and the side that is called is the slave firewall.
   
   
4. Let's begin

4.1 Planning

   Before you start setting up the systems you should know every detail of
   the network layout. In this document I assume that each firewall sits
   between the Internet and one company network, so each firewall has (at
   least) two network interfaces; write down their IP addresses and netmasks.
   Each VPN end of a firewall uses an IP address as well, and these addresses
   should be chosen outside the ranges used by your company networks. I use
   the private IP address ranges for this purpose:
   
     * 10.0.0.0 - 10.255.255.255
     * 172.16.0.0 - 172.31.255.255
     * 192.168.0.0 - 192.168.255.255
       
   For the sake of explanation, the two bastions [note] set up here are named
   fellini and polanski. Each has an interface towards the Internet (-out),
   one towards the company network (-in) and one for the VPN (-vpn). Their IP
   addresses and netmasks are:
   
     * fellini-out: 193.6.34.12 255.255.255.0
     * fellini-in: 193.6.35.12 255.255.255.0
     * fellini-vpn: 192.168.0.1 point-to-point
     * polanski-out: 193.6.36.12 255.255.255.0
     * polanski-in: 193.6.37.12 255.255.255.0
     * polanski-vpn: 192.168.0.2 point-to-point
       
   Note: a bastion is a firewall host exposed to the network outside the
   company.
   
   That is the plan.
   
4.2 Gather the tools

   You will need:
     * Linux firewalls
     * a kernel
     * a basic system setup
     * the ipfwadm program
     * the fwtk programs
     * the tools used for the VPN
     * the ssh programs
     * the pppd program
     * the sudo program
     * the pty-redir program
       
   The versions I currently use:
     * Kernel: 2.0.29. Use a stable kernel, at least 2.0.20, because of the
       ping'o'death bug. At the time of writing the newest stable version is
       2.0.30, which brings some changes (a new way of handling routing among
       them); I have tested with it and it works well.
     * Base system: I prefer Debian and use the versions it ships. Do not
       run any standard daemons you do not need (sendmail included), and do
       not use the usual UNIX telnet, ftp and 'r' commands.
     * The ipfwadm program: I use 2.3.0.
     * The fwtk programs: I use 1.3.
     * The ssh programs: >= 1.2.20; older versions are insecure.
     * The pppd program: I use 2.2.0f. I cannot say whether it is safe, but
       since it runs with the setuid bit set and through sudo anyway, that is
       a question of principle (see the security considerations).
     * The sudo program: the newest version I know of is 1.5.2.
     * The pty-redir program: written by me, available from
       ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz. It is at
       version 0.1; no problems are known with it so far, but please let me
       know if you find any.
       
4.3 Compile and install

   The tools in question are the ones gathered in the previous step (and the
   ones the Firewall-HOWTO describes in detail); I assume you have compiled
   and installed them already.
   
4.4 Basic system setup

   Set up your firewalls, and allow ssh traffic between the two bastions:
   specifically, port 22 from the master firewall towards the slave firewall,
   with sshd running on the slave firewall. Check that you can log in; until
   this test passes there is no point going further.
   
4.5 Set up the VPN user accounts

   Install the tools you use every day (vi, mkdir, chown, chmod and so on) on
   the slave firewall, and create a user account there for the VPN (I call it
   slave). Create an account on the master firewall as well (master); while
   the setup is still in its early stage, the root account is good enough
   there for a start. Bear in mind that using the root account on a firewall
   is always risky.
   
4.6 Generate an ssh key for the master account

   Use ssh-keygen to generate a key pair for the user who will bring up the
   VPN. For the VPN to come up automatically, the private key must not be
   protected by a passphrase.
   
4.7 Set up the remote ssh environment for the slave account

   On the slave firewall, put the public key just generated into the slave
   account's .ssh/authorized_keys file, and set the permissions like this:
   
   
drwx------ 2 slave slave 1024 Apr 7 23:49 ./
drwx------ 4 slave slave 1024 Apr 24 14:05 ../
-rwx------ 1 slave slave 328 Apr 7 03:04 authorized_keys
-rw------- 1 slave slave 660 Apr 14 15:23 known_hosts
-rw------- 1 slave slave 512 Apr 21 10:03 random_seed

   In the listing, the first line is ~slave/.ssh and the second is ~slave.
   
4.8 Tighten ssh security on the bastions

   Set the following in sshd_config:
   
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
QuietMode no
FascistLogging yes
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

   Password authentication is disabled, so only someone holding an authorized
   key can log in. Of course the other remote logins, telnet and the 'r'
   commands, are disabled as well.
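   The permission listing in 4.7 and the sshd_config values in 4.8 are easy to
   get slightly wrong, and sshd's StrictModes only rejects a key whose files
   are writable by others; it says nothing about the daemon's own settings.
   The POSIX shell script below is an added example, not part of the HOWTO or
   of pty-redir: it audits a home directory for group/world permission bits
   and compares an sshd_config against the list above. The function names, the
   REQUIRED_SSHD_SETTINGS list and the constructed demo files are my own.

```shell
#!/bin/sh
# Added pre-flight audit (not from the HOWTO): checks the ~slave/.ssh
# permissions of section 4.7 and the sshd_config settings of section 4.8.

# sshd settings the HOWTO requires, as "Keyword value" lines (assumed list,
# taken from the sshd_config fragment in 4.8).
REQUIRED_SSHD_SETTINGS='PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no'

# Print the value of one keyword in an sshd_config file. Keywords match
# case-insensitively and the first occurrence wins, as in sshd itself;
# commented-out lines never match because '#' is part of the first field.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# List every required setting that is missing or different in the given file.
# Returns 0 when the file satisfies all of them, 1 otherwise.
check_sshd_config() {
    _problems=$(printf '%s\n' "$REQUIRED_SSHD_SETTINGS" | while read -r key want; do
        got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] || printf '%s: expected %s, got %s\n' "$key" "$want" "${got:-<unset>}"
    done)
    [ -z "$_problems" ] && return 0
    printf '%s\n' "$_problems"
    return 1
}

# Check that a home directory, its .ssh directory and everything inside .ssh
# carry no group or world permission bits, matching the listing in 4.7.
# Returns 0 when all are private, 1 (with a line per offender) otherwise.
check_ssh_dir() {
    _bad=0
    for _p in "$1" "$1/.ssh" "$1"/.ssh/* "$1"/.ssh/.[!.]*; do
        [ -e "$_p" ] || continue
        _mode=$(stat -c %a "$_p" 2>/dev/null || stat -f %Lp "$_p")   # GNU stat, then BSD stat
        case "$_mode" in
            *00) ;;
            *) printf '%s: mode %s is group/world accessible\n' "$_p" "$_mode"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Demonstration on a constructed layout in a temporary directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/slave" "$demo_dir/slave/.ssh"
chmod 700 "$demo_dir/slave" "$demo_dir/slave/.ssh"
touch "$demo_dir/slave/.ssh/authorized_keys"
chmod 644 "$demo_dir/slave/.ssh/authorized_keys"            # deliberately too open
printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$demo_dir/sshd_config"   # constructed, weak
check_ssh_dir "$demo_dir/slave" || echo "-> fix the permissions listed above before going on"
check_sshd_config "$demo_dir/sshd_config" || echo "-> fix sshd_config before going on"
rm -rf "$demo_dir"
```

   Run it on the slave firewall as check_ssh_dir ~slave and check_sshd_config
   on the real sshd_config; a clean run prints nothing and returns 0, so it
   can be dropped into the startup script before the VPN is brought up.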
   
4.9 Make ppp and route executable from the slave account

   On the master side I run everything as root, so nothing needs to be done
   there. For the slave account, add the following lines to /etc/sudoers:
   
Cmnd_Alias VPN=/usr/sbin/pppd,/usr/local/vpn/route
slave ALL=NOPASSWD: VPN

   Of course, on the slave firewall, scripts are used to set up ppp and the
   routing table.
   
4.10 Write the scripts

   On the master firewall, use a startup script like this one:
#! /bin/sh
# skeleton      example file to build /etc/init.d/ scripts.
#               This file should be used to construct scripts for /etc/init.d.
#
#               Written by Miquel van Smoorenburg <miquels@cistron.nl>.
#               Modified for Debian GNU/Linux
#               by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version:      @(#)skeleton  1.6  11-Nov-1996  miquels@cistron.nl
#

# no trailing ':' on PATH: it would put the current directory on the path
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11
PPPAPP=/home/slave/ppp
ROUTEAPP=/home/slave/route
PPPD=/usr/sbin/pppd
NAME=VPN
REDIR=/usr/local/bin/pty-redir
SSH=/usr/bin/ssh
MYPPPIP=192.168.0.1
TARGETIP=192.168.0.2
TARGETNET=193.6.37.0
MYNET=193.6.35.0
SLAVEWALL=polanski-out
SLAVEACC=slave

test -f $PPPD || exit 0

set -e

case "$1" in
  start)
        echo setting up vpn
        # pty-redir allocates a pty, runs ssh on it and prints the pty's name
        $REDIR $SSH -o 'BatchMode yes' -t -l $SLAVEACC $SLAVEWALL sudo $PPPAPP >/tmp/device
        TTYNAME=`cat /tmp/device`
        echo tty is $TTYNAME
        # give ssh time to log in and start the remote pppd (see section 5)
        sleep 10s
        if [ ! -z "$TTYNAME" ]
        then
                $PPPD $TTYNAME ${MYPPPIP}:${TARGETIP}
        else
                echo FAILED!
                logger "vpn setup failed"
        fi
        sleep 5s
        route add -net $TARGETNET gw $TARGETIP
        $SSH -o 'BatchMode yes' -l $SLAVEACC $SLAVEWALL sudo $ROUTEAPP
    ;;
  stop)
        # ssh was started with '-o ... -t -l slave ...', so match on the account name
        ps -ax | grep "ssh .*-l $SLAVEACC " | grep -v grep | awk '{print $1}' | xargs kill
    ;;
  *)
    # echo "Usage: /etc/init.d/$NAME {start|stop|reload}"
    echo "Usage: /etc/init.d/$NAME {start|stop}"
    exit 1
    ;;
esac

exit 0

   The route script run on the slave through sudo (/usr/local/vpn/route):
#!/bin/bash
/sbin/route add -net 193.6.35.0 gw 192.168.0.1

   And the content of .ppprc is:
passive

5. What happens when it runs

   When the master logs into the slave account and runs pppd there, with the
   local end redirected to a pty, the following happens:
   
     * a new pty is allocated
     * ssh logs into the slave account through it
     * the slave account runs pppd
     * the master runs pppd on the local pty
     * the routing tables are set up on both sides
       
   There is a timing problem to be considered here (too detailed to go into);
   it is the reason for the 'sleep 10s' in the script.
   
6. Running it

6.1 Test ssh

   Now test whether ssh works: you should be able to log into the slave
   account without being asked for a password. If you cannot, look at the
   logs; the cause is usually the permissions or the sshd settings.
   
6.2 Test ppp

   Log into the slave account and run:
sudo /usr/sbin/pppd passive

   You should see garbage appear. If nothing appears, either sudo or pppd is
   at fault: check the logs, /etc/ppp/options, .ppprc and the manual pages to
   find out. Once that works, put 'passive' into .ppprc and run it once more.
   Press enter, '~' and '^Z' to suspend ssh while the garbage is flashing on
   the screen; you should get the master's prompt back, and can then run
   kill %1. For the escape character, see the ssh manual page and the tuning
   section below.
   
6.3 Put them together

   Then try:
   
ssh -l slave polanski sudo /usr/sbin/pppd

   This should also show garbage on the screen.
   
6.4 Pty redirection

   Now redirect the pty:
/usr/local/bin/pty-redir /usr/bin/ssh -l slave polanski sudo /usr/sbin/pppd

   Note that ssh must be given with its full path: for security, pty-redir
   only accepts absolute paths. pty-redir prints the name of the pty it
   allocated, say /dev/ttyp0; check with ps that the processes are there
   (look for 'p0' in its output).
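   The name pty-redir prints is all that decides which device pppd opens. The
   start script in 4.10 passes it through the fixed file /tmp/device, waits a
   fixed ten seconds and checks only that the string is not empty; on a host
   with other local users a predictable name in /tmp is a well-known hazard as
   well. The POSIX shell below is an added example, not part of the HOWTO or
   of pty-redir: it polls a per-run hand-off file, accepts only names shaped
   like a pty slave, and only then starts pppd. The function names, the PPPD
   and VPN_WAIT variables and the echo stand-in for pppd are my own
   assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): a checked hand-off of the pty name
# from pty-redir to pppd, replacing the fixed /tmp/device and 'sleep 10s'.

# Accept only names shaped like a pty slave: BSD-style /dev/ttyp0 .. /dev/ttyzf
# (what pty-redir returned on a 1997 kernel) or Unix98 /dev/pts/N. Anything
# else, an empty string or a name with shell metacharacters included, is rejected.
valid_pty_name() {
    case "$1" in
        /dev/tty[p-z][0-9a-f]) return 0 ;;
        /dev/pts/[0-9]|/dev/pts/[0-9][0-9]|/dev/pts/[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll the hand-off file instead of sleeping a fixed interval: print its first
# line as soon as the file is non-empty, give up after $2 seconds (default 10).
wait_for_device() {
    _i=0
    while [ "$_i" -lt "${2:-10}" ]; do
        if [ -s "$1" ]; then head -n 1 "$1"; return 0; fi
        sleep 1
        _i=$((_i + 1))
    done
    return 1
}

# Start pppd on the device named in the hand-off file, or refuse with a reason.
# PPPD and VPN_WAIT are hypothetical knobs so the flow can be exercised without
# a real pppd. Arguments: hand-off file, local VPN address, remote VPN address.
start_vpn_ppp() {
    _dev=$(wait_for_device "$1" "${VPN_WAIT:-10}") || {
        echo "vpn setup failed: pty-redir produced no device name" >&2; return 1; }
    valid_pty_name "$_dev" || {
        echo "vpn setup failed: refusing to use '$_dev' as a pty" >&2; return 1; }
    "${PPPD:-/usr/sbin/pppd}" "$_dev" "$2:$3"
}

# Demonstration with a constructed hand-off file and 'echo' standing in for pppd.
handoff=$(mktemp)                               # private per-run file instead of /tmp/device
( sleep 1; echo /dev/ttyp0 > "$handoff" ) &     # stand-in for pty-redir, writes after a delay
PPPD=echo
start_vpn_ppp "$handoff" 192.168.0.1 192.168.0.2   # prints: /dev/ttyp0 192.168.0.1:192.168.0.2
wait
rm -f "$handoff"
```

   In the real start script the background stand-in is replaced by the
   pty-redir command from 4.10 writing to "$handoff", and PPPD is left unset
   so that /usr/sbin/pppd is used.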
   
6.5 Set up the interface and see what happens

   Run:
/usr/sbin/pppd /dev/ttyp0 local 192.168.0.1:192.168.0.2

   on the master. Then check with ifconfig that the interface is up, and ping
   the other end.
   
6.6 Set up the routes

   After setting up the routes on the master firewall, set them up on the
   slave firewall too. Now you should be able to ping a host on the other
   company's internal network from a host on your own. With the routes and
   firewall rules in place, the VPN connects the two company networks.
   
7. Tuning

7.1 Tuning the settings

   As I said, this document only covers the settings needed to get the VPN
   running; there is a lot more that can be tuned, I have not tested
   everything, and not everything I tested is mentioned, so please correct me
   where I am wrong. One thing that does deserve attention: ppp needs an
   8-bit clean channel, so the ssh and pty settings are the places to watch.
   In ssh the tilde (~) is the escape character, and a newline-tilde sequence
   in the data stream would break the connection; this only applies when ssh
   runs in tty mode (the ssh manual page says that, on most systems, with the
   escape character disabled a tty session becomes completely transparent).
   The escape character can be changed with the ssh '-e' option.
   
7.2 Bandwidth and security: who needs it?

   Since bandwidth on any network is a scarce and costly resource, and a VPN
   spends bandwidth in exchange for security, both goals should be served at
   once. Compression with the ssh '-C' option or the 'CompressionLevel'
   setting can help, and compression could be applied at another layer as
   well; but note that the higher the compression level, the more CPU time
   goes into the transfer, so choose with care. I welcome any test results on
   this.
   
8. Security considerations

   Some security points to keep in mind when setting up VPNs; I welcome any
   further input:
     * The sudo program: I do not like using sudo at all. The current
       practice of relying on setuid bits is not secure, and Linux still has
       no good privilege mechanism; the only real candidate is the POSIX.6
       implementation at <http://www.xarius.demon.co.uk/software/posix6/>.
       Even so, running shell scripts through sudo is really too much. Any
       ideas?
     * The pppd program: it too runs suid root (see the note) and takes its
       settings from .ppprc, so a buffer overrun in it would break the
       security of the slave account.
       
     * The ssh programs: ssh versions before 1.2.20 had security holes. Apart
       from that, in our setup the security of the master account depends not
       only on itself but also on the security of the slave account, and on
       the programs run through sudo. Also, so that the VPN can come up
       automatically, the master uses a secret key without a passphrase.
     * The firewall programs: the firewall settings on the bastions are the
       concern, not the VPN itself, since a wrong rule opens the two company
       networks to each other. When I use IP Masquerading, the effects of the
       routing set-up are subtle and interact with the details of the VPN.
       
   Note: "suid root" means that any user who executes the program gains root
   privileges while it runs; in the permission bits, suid (set user ID) is
   the 11th bit, which makes the program run with the identity of its owner.
