Configuring sudo on the slave

users or groups to execute as superuser. The next entry in the file says that the user vpn1 can execute all of the commands in that alias from any host without a password. Normally, sudo requires that you enter your password before executing the command as root.

You should now be able to test sudo on the slave as the user vpn1. Try the following command:

    sudo /usr/sbin/pppd

It should launch pppd for you as root, and you'll see the PPP protocol garbage output again. If you have problems and you know that PPP already works, there might be something wrong with your sudoers file. Check the /var/adm/sudo.log file for errors.

If sudo worked, try the following line on the master, logged in as root:

    ssh -l vpn1 slave-gw.ora-vpn.com sudo /usr/sbin/pppd

Once again, you should see the garbage output. This time, it's being delivered across your SSH connection to your local terminal.

8.4.2.6 Putting pty-redir on the master

The pty-redir program allows you to create a new pseudo-terminal on the master in order to run the PPP traffic through it. It comes with a Makefile, so all you should have to do is a make, then move the binary to your /usr/local/bin directory. This file needs to be only on the master.

Line 84 of pty-redir.c (v0.1) controls the name of the pseudo-terminals that pty-redir uses. This name must match the naming convention of your system. In the original source, the line looked like this:

    fprintf(stderr,"/dev/pty%c%c",a,b);

For our Slackware Linux configuration, we had to change it to look like the line below in order for it to work:

    fprintf(stderr,"/dev/tty%c%c",a,b);

For your particular flavor of Unix, you may have to make modifications as well.

Now you should be able to run everything through pty-redir.

    pty-redir /usr/local/bin/ssh -l vpn1 slave-gw.ora-vpn.com \
        sudo /usr/sbin/pppd

You won't get any output here, so it's probably best to watch the logs and do a ps on the slave to see if pppd is running. If you enter ps on the master, you should see your entire command.

8.4.2.7 Setting up the VPN script

If you've gotten this far, you're practically there. All that's left is setting up the script that will make the VPN connection. This script resides on the master, and must accomplish the following:

• Allocate a new pseudo-terminal on the master.
• Open an SSH connection to the slave.
• Start pppd on the slave.
• Start pppd, which also assigns IP addresses, on the master through the redirected pseudo-terminal.
• Set up the routing table on the slave through a second SSH connection.
• Set up the routing table on the master.

The VPN script that's part of the Linux HOWTO accomplishes all of these. A listing of the script, along with our modified version, can be found on the Tools section of the authors' web site.

The first thing to do is edit the script and change the appropriate initialization settings for the VPN script. In this case, we're going to want to change the following:

PPPAPP
    Change this to the path of the ppp script in the home directory of the master's account on the slave server. In our case, it's /home/vpn1/ppp.

ROUTEAPP
    Likewise, change this to the path to the routing script. For us, it's /home/vpn/route.

MYPPPIP
    This is the IP address of the VPN interface on the master. For us, it's 192.168.1.1.

TARGETIP
    This is the IP address for the VPN interface on the slave. We have it set to 192.168.1.2.

TARGETNET
    This is the network address (not the IP address) for the LAN side of the slave. It's 192.168.4.0 for us.

MYNET
    This is the network address for the LAN side of the master (192.168.3.0).

SLAVEWALL
    This is the hostname of the slave. We have it set to slave-gw.ora-vpn.com.
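
A preflight check for the four address settings above, written as an added example that is not part of the original text or of the HOWTO's VPN script. It assumes a 255.255.255.0 netmask on every network, and the function names ip2int and check_vpn_settings are hypothetical; it catches a host address entered where TARGETNET or MYNET expects a network address before any route is installed.

```shell
#!/bin/sh
# Added example: preflight check for the VPN script's address settings.
# Assumption: every network involved uses a 255.255.255.0 netmask.

# Convert a dotted quad to an integer; return 1 on malformed input.
ip2int() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ????*|0?*) return 1 ;; esac   # too long, or leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Usage: check_vpn_settings MYPPPIP TARGETIP TARGETNET MYNET
# Prints one line per problem; returns 0 only if no problem was found.
check_vpn_settings() {
    my=$(ip2int "$1") && tgt=$(ip2int "$2") &&
        tnet=$(ip2int "$3") && mnet=$(ip2int "$4") ||
        { echo "malformed IPv4 address in settings"; return 2; }
    rc=0
    # TARGETNET and MYNET are network addresses: host bits must be zero.
    [ $(( tnet & 255 )) -eq 0 ] || { echo "TARGETNET is a host address"; rc=1; }
    [ $(( mnet & 255 )) -eq 0 ] || { echo "MYNET is a host address"; rc=1; }
    # MYPPPIP and TARGETIP are interface addresses: not .0, not .255.
    for ip in "$my" "$tgt"; do
        h=$(( ip & 255 ))
        [ "$h" -ne 0 ] && [ "$h" -ne 255 ] ||
            { echo "tunnel endpoint is not a usable host address"; rc=1; }
    done
    [ "$my" -ne "$tgt" ] || { echo "MYPPPIP equals TARGETIP"; rc=1; }
    # The two LANs must differ, or the routes added for them collide.
    [ $(( tnet >> 8 )) -ne $(( mnet >> 8 )) ] ||
        { echo "MYNET and TARGETNET are the same network"; rc=1; }
    return $rc
}

# Values from the text above.
check_vpn_settings 192.168.1.1 192.168.1.2 192.168.4.0 192.168.3.0 &&
    echo "settings look consistent"
```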