On Wed, Sep 07, 2005 at 07:27:24PM -0401, yippy ya yah wrote:
> trying to get a ppp tunnel over ssh working....
>
> server/gateway
> -------------------
> ip.inet.net.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
>  allow mode direct
>  set ifaddr 10.1.1.1 10.1.1.2 255.255.255.255
>
> /etc/sudoers:
> pppuser ALL = NOPASSWD: /usr/sbin/ppp
>
> ~pppuser/.ssh/authorized_keys
> command="sudo /usr/sbin/ppp -direct vpn" ....key follows
>
> client
> -------
> ip.inet.net.forwarding=1
>
> /etc/ppp/ppp.conf
> vpn:
>  set ifaddr 10.1.1.2 10.1.1.1 255.255.255.255
>  set dial
>  set timeout 3600
>  set device "!env SSH_AUTH_SOCK= ssh -C -c blowfish -i /path/to/pppuser.key [EMAIL PROTECTED]"
>
> on the client, i can see tun0 get created and assigned 10.1.1.2, but
> on the gateway, tun0 is created but no ip is assigned. (pf on both
> devices has skip on tun, also disabled pf on both to test)
>
> 10.1.1/24 is not used anywhere in the network.
>
> if i "ssh -C -c blowfish -i pppuser.key [EMAIL PROTECTED]", i can see
> sudo ppp -direct vpn getting launched...
>
> what is the key ingredient i'm missing here to get the gateway to
> assign tun0 10.1.1.1? or rather to get the tunnel up?
>
> both are i386, running the same snapshot:
> OpenBSD 3.8 (GENERIC) #137: Thu Sep 1 17:41:20 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
> p.s. i'm not subscribed to [EMAIL PROTECTED], so please cc: on replies...
>
imho, 'ppp -direct' expects that descriptor 0 is a socket (used for both
input and output). But ssh(1) uses two descriptors: descriptor 0 (stdin)
for input only and descriptor 1 (stdout) for output only. Thus if ppp(8)
is launched by ssh(1), its output will be silently discarded. Have I
missed something?

There is an ugly workaround: on the server side, add an entry for ppp(8)
in inetd.conf(5), like:

  127.0.0.1:6669 stream tcp nowait root /usr/sbin/ppp ppp -unit0 -direct vpn

and restart inetd. On the client side, set the device in ppp.conf(8) to
"127.0.0.1:6669/tcp" and finally use ssh just for port forwarding.
Example:

  ssh -N -f -L 6669:127.0.0.1:6669 [EMAIL PROTECTED]
  ppp vpn

Let me know if you find a more elegant solution.

--
Alexandre