Putting pty-redir on the master


8.4.2.7 Setting up the VPN script

If you've gotten this far, you're practically there. All that's left is setting up the script that will make the VPN connection. This script resides on the master, and must accomplish the following:

• Allocate a new pseudo terminal on the master.
• Open an SSH connection to the slave.
• Start pppd on the slave.
• Start pppd, which also assigns IP addresses, on the master through the redirected pseudo-terminal.
• Set up the routing table on the slave through a second SSH connection.
• Set up the routing table on the master.

The VPN script that's part of the Linux HOWTO accomplishes all of these. A listing of the script, along with our modified version, can be found in the Tools section of the authors' web site.

The first thing to do is edit the script and change the appropriate initialization settings for the VPN script. In this case, we're going to want to change the following:

PPPAPP
Change this to the path of the ppp script in the home directory of the master's account on the slave server. In our case, it's /home/vpn1/ppp.

ROUTEAPP
Likewise, change this to the path to the routing script. For us, it's /home/vpn/route.

MYPPPIP
This is the IP address of the VPN interface on the master. For us, it's 192.168.1.1.

TARGETIP
This is the IP address for the VPN interface on the slave. We have it set to 192.168.1.2.

TARGETNET
This is the network address (not the IP address) for the LAN side of the slave. It's 192.168.4.0 for us.

MYNET
This is the network address for the LAN side of the master, 192.168.3.0.

SLAVEWALL
This is the hostname of the slave. We have it set to slave-gw.ora-vpn.com.

SLAVEACC
This is the login name for the master's account on the slave. For us, it's vpn1.

PPPD, REDIR, SSH
Check the location of these utilities to make sure the paths match those on your system.
When we were finished editing the file, our settings looked like this:

    PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11:
    PPPAPP=/home/vpn1/ppp
    ROUTEAPP=/home/vpn1/route
    PPPD=/usr/sbin/pppd
    NAME=VPN
    REDIR=/usr/local/bin/pty-redir
    SSH=/usr/local/bin/ssh
    MYPPPIP=192.168.1.1
    TARGETIP=192.168.1.2
    TARGETNET=192.168.4.0
    MYNET=192.168.3.0
    SLAVEWALL=slave-gw.ora-vpn.com
    SLAVEACC=vpn1

The next useful item to look at in the script is the line that actually starts up pppd on the slave. It looks like this:

    $REDIR $SSH -o 'Batchmode yes' -t -l $SLAVEACC $SLAVEWALL \
        sudo $PPPAPP >/tmp/device

As you can see, this is similar to what we did by hand earlier. The -o 'Batchmode yes' option has been added to ssh to let it know it's in a script and shouldn't ask for passwords or passphrases. The -t option forces ssh to allocate a pseudo terminal on the slave, which, as we said earlier, doesn't normally occur when ssh is used solely to execute a remote command. The pseudo tty on the slave is required for pppd's I/O. The pty-redir program generates a new pseudo-terminal on the master, which is used to actually run the ssh program. The name of the pseudo-terminal is redirected into the file called /tmp/device, which is used later by the master-side pppd in the script.

Note that pty-redir outputs the tty name on STDERR. In order to get the script to redirect the STDERR output to the /tmp/device file, we had to change it to look like this (the 2 is the number for the standard error output):

    $REDIR $SSH -o 'Batchmode yes' -t -l $SLAVEACC $SLAVEWALL \
        sudo $PPPAPP 2>/tmp/device

Another thing to note is that there's a ten-second sleep period after this command is run before execution continues. This is to give the SSH connection time to open, and the slave long enough to start the PPP daemon. This value can be adjusted for your environment.

Once the VPN script is configured, you can place it in a startup directory, such as /etc/rc.d. You'll want to change the permissions so that only root can execute it (rwx------).
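The helpers below are an added example, not the HOWTO script or our modified version of it: they carry the settings above, build the pty-redir/ssh line with the stderr redirection, and check the two things that silently break this setup, an empty /tmp/device (stdout redirected instead of stderr) and a script that is not root-only. The pppd options in start_vpn and the stat output formats are assumptions.

```shell
#!/bin/sh
# Added example (not the HOWTO's or the book's script): helpers that mirror the
# master-side VPN script's settings and catch two easy mistakes: an empty
# /tmp/device (pty-redir prints the pty name on stderr, not stdout) and a
# script that is not root-only. Values follow the chapter's settings.
PPPAPP=/home/vpn1/ppp
PPPD=/usr/sbin/pppd
REDIR=/usr/local/bin/pty-redir
SSH=/usr/local/bin/ssh
MYPPPIP=192.168.1.1
TARGETIP=192.168.1.2
SLAVEWALL=slave-gw.ora-vpn.com
SLAVEACC=vpn1
DEVFILE=/tmp/device

# Build the command that starts pppd on the slave. Descriptor 2 (stderr) is
# sent to $DEVFILE because that is where pty-redir prints the new pty's name.
ssh_cmd() {
    printf '%s %s -o "Batchmode yes" -t -l %s %s sudo %s 2>%s' \
        "$REDIR" "$SSH" "$SLAVEACC" "$SLAVEWALL" "$PPPAPP" "$DEVFILE"
}

# Read the pty name pty-redir wrote. Returns 1 when the file is empty or does
# not hold a pty path, which is what you get if stdout (>) rather than
# stderr (2>) was redirected into the file.
read_pty_device() {
    dev=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$dev" in
        /dev/ttyp?|/dev/ttyp??|/dev/pts/[0-9]*) printf '%s\n' "$dev" ;;
        *) return 1 ;;
    esac
}

# The chapter wants the script executable by root only (rwx------, mode 700).
# Tries GNU stat first, then BSD stat; the stat formats are an assumption.
script_is_root_only() {
    mode=$(stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1")
    [ "$mode" = "700 root" ]
}

# Master-side sequence from the chapter, for illustration (pppd options are our
# assumption); it needs real hosts and root, so it is not called here.
start_vpn() {
    sh -c "$(ssh_cmd)" &
    sleep 10                      # let ssh connect and the slave start pppd
    dev=$(read_pty_device "$DEVFILE") || { echo "no pty in $DEVFILE" >&2; return 1; }
    "$PPPD" "$dev" "$MYPPPIP:$TARGETIP" local noauth
}
```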
It can be called from the rc.local file with the following command: