+++ /dev/null
-<?xml version="1.0"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<refentry id="network-zone-pptp">
- <refentryinfo>
- <title>network-zone-pptp</title>
- <productname>network</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Stefan</firstname>
- <surname>Schantl</surname>
- <email>stefan.schantl@ipfire.org</email>
- </author>
- </authorgroup>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>network-zone-pptp</refentrytitle>
- <manvolnum>8</manvolnum>
- </refmeta>
-
- <refnamediv>
- <refname>network-zone-pptp</refname>
- <refpurpose>Network Configuration Control Program</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>network zone new <replaceable>ZONE</replaceable> pptp ...</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>Description</title>
-
- <para>
- The pptp hook creates a Point-to-Point tunnel over IP and is used by some ISP for
- internet dialin or other VPN services.
- </para>
- </refsect1>
-
- <refsect1>
- <title>Options</title>
-
- <para>
- The following options are understood:
- </para>
-
- <variablelist>
- <varlistentry>
- <term>
- <option>--peer-address=<replaceable>ADDRESS</replaceable></option>
- </term>
-
- <listitem>
- <para>
- The IPv4 address of the system to connect to.
- </para>
- <para>
- For PPTP dialin connections this will be IP address of your modem.
- If you are using PPTP for VPN services use the address of the remote server.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--username=<replaceable>USERNAME</replaceable></option>
- </term>
-
- <listitem>
- <para>
- Sets the username for authentication.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--password=<replaceable>PASSWORD</replaceable></option>
- </term>
-
- <listitem>
- <para>
- Sets the password for authentication.
- </para>
- <para>
- Use the <option>--auth=</option> option to transmit it
- in a secure manner to the provider.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--port=<replaceable>PORT</replaceable></option>
- </term>
-
- <listitem>
- <para>
- This options sets the port, pppd is using to connect to
- the modem. This may be a normal ethernet or vlan interface.
- </para>
- <para>
- The port option is only required if you are using PPTP for
- dialin connections.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--interface-address=<replaceable>ADDRESS</replaceable></option>
- </term>
-
- <listitem>
- <para>
- Add this IPV4 address to the configured port.
- </para>
-
- <para>
- Optionally a DHCP client can be used, istead of
- configuring a static IPv4 address. Use the <option>--use-dhcp</option>
- to benefit from this feature.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--prefix=<replaceable>PREFIX</replaceable></option>
- </term>
-
- <listitem>
- <para>
- Sets the following network prefix to the configured port.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--use-dhcp=[<emphasis>false</emphasis>|true]</option>
- </term>
-
- <listitem>
- <para>
- Use a DHCP client to gather the interface address and prefix settings.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--ipv6=[<emphasis>true</emphasis>|false]</option>
- </term>
-
- <listitem>
- <para>
- By this option the support for IPv6 can be enabled or disabled.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--mtu=<emphasis>1492</emphasis></option>
- </term>
-
- <listitem>
- <para>
- Sets the default MTU of the PPP connection.
- The default value is 1492 which is a common MTU used
- for DSL.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--auth=[chap|pap]</option>
- </term>
-
- <listitem>
- <para>
- Define the authentication method that is used to
- authenticate against your provider.
- The default is to use the provider's preference.
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <emphasis>Challange-Handshake Authentication Protocol</emphasis>
- (chap) is the preferred secure method.
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis>Password Authentication Protocol</emphasis>
- (pap) sends the plaintext password to the authentication
- server which is the reason why it should be avoided to use PAP.
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>--refuse-auth-methods=<replaceable>STRING</replaceable></option>
- </term>
-
- <listitem>
- <para>
- By this option, you may define a list of auth methods which
- are not supported by the service provider.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>See Also</title>
-
- <para>
- <citerefentry>
- <refentrytitle>network</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>network-zone</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-</refentry>
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 IPFire Network Development Team #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-. /usr/lib/network/header-zone
-
-HOOK_SETTINGS="HOOK AUTH INTERFACE_ADDRESS IPV6 MTU PASSWORD PEER_ADDRESS PORT"
-HOOK_SETTINGS="${HOOK_SETTINGS} PREFIX PREFIX_DELEGATION REFUSED_AUTH_METHODS"
-HOOK_SETTINGS="${HOOK_SETTINGS} USERNAME USE_DHCP"
-
-# User credentials for the dialin.
-USERNAME=""
-PASSWORD=""
-
-# The physical ethernet port the modem is connected to.
-PORT=""
-
-# The IPv4 address of the PPTP server to connect to.
-PEER_ADDRESS=""
-
-# Set the authentication mechanism.
-AUTH=""
-
-# Maximum Transmission Unit.
-# 1492 is a very common value for that.
-MTU="1492"
-
-# This hook can work with all authentication methods supported by pppd.
-PPP_SUPPORTED_AUTH_METHODS="${PPP_SUPPORTED_AUTH_METHODS}"
-
-# Use DHCP to get a IPv4 Address for the interface.
-USE_DHCP="false"
-
-# Request an IPv6 address.
-IPV6="true"
-
-# Use IPv6 prefix delegation.
-PREFIX_DELEGATION="false"
-
-# A list of refused authentification methods.
-REFUSED_AUTH_METHODS=""
-
-function hook_check_settings() {
- assert isset USERNAME
- assert isset PASSWORD
- assert isset PEER_ADDRESS
- assert isset IPV6
- assert isset PREFIX_DELEGATION
-
- # Check for valid port and IP settings.
- if isset PORT; then
- assert isset DHCP
-
- # Check if port exists.
- assert port_exists ${PORT}
-
- # Check for valid interface address.
- assert isset INTERFACE_ADDRESS
-
- if ! ipv4_is_valid "${INTERFACE_ADDRESS}"; then
- log ERROR "Invalid interface address. Please use a valid IPv4 address."
- return ${EXIT_ERROR}
- fi
-
- # Check for a valid network prefix.
- assert isinteger PREFIX
-
- if [ ${PREFIX} -gt 30 ]; then
- error "PREFIX is greater than 30."
- exit ${EXIT_ERROR}
- fi
- fi
-
- # Check if the peer-address is valid.
- if ! ipv4_is_valid "${PEER_ADDRESS}"; then
- log ERROR "Invalid peer-address. Please use a valid IPv4 address."
- return ${EXIT_ERROR}
- fi
-
- # Check if a supported AUTH Mechanism has been given.
- isset AUTH && assert isoneof AUTH ${PPP_SUPPORTED_AUTH_METHODS}
-}
-
-function hook_parse_cmdline() {
- while [ $# -gt 0 ]; do
- case "${1}" in
- --auth=*)
- AUTH="$(cli_get_val ${1})"
- ;;
- --interface-address=*)
- INTERFACE_ADDRESS="$(cli_get_val ${1})"
- ;;
- --ipv6=*)
- local value="$(cli_get_val "${1}")"
-
- if enabled value; then
- IPV6="true"
- else
- IPV6="false"
- fi
- ;;
- --mtu=*)
- MTU="$(cli_get_val ${1})"
- ;;
- --password=*)
- PASSWORD="$(cli_get_val ${1})"
- ;;
- --peer-address=*)
- PEER_ADDRESS="$(cli_get_val ${1})"
- ;;
- --port=*)
- PORT="$(cli_get_val ${1})"
- ;;
- --prefix=*)
- PREFIX="$(cli_get_val ${1})"
- ;;
- --prefix-delegation=*)
- local value="$(cli_get_val "${1}")"
-
- if enabled value; then
- PREFIX_DELEGATION="true"
- else
- PREFIX_DELEGATION="false"
- fi
- ;;
- --refuse-auth-methods=*)
- REFUSED_AUTH_METHODS="$(cli_get_val ${1})"
- ;;
- --username=*)
- USERNAME="$(cli_get_val ${1})"
- ;;
- --use-dhcp=*)
- local value="$(cli_get_val "${1}")"
-
- if enabled value; then
- USE_DHCP="true"
- else
- USE_DHCP="false"
- fi
- ;;
- *)
- warning "Unknown argument: ${1}" >&2
- ;;
- esac
- shift
- done
-}
-
-function hook_up() {
- local zone="${1}"
- assert isset zone
-
- zone_settings_read "${zone}"
-
- # Check if a port will be used.
- if isset PORT; then
- # Bring up the port.
- log DEBUG "Bringing up port '${PORT}'."
- port_up "${PORT}"
-
- # Check if DHCP will be used, or a static IP has been configured.
- if enabled USE_DHCP; then
- # Start dhclient for IPv4 on this zone.
- dhclient_start "${PORT}" "ipv4"
- else
- # Add ip address and network prefix.
- ip_address_add "${PORT}" "${INTERFACE_ADDRESS}"/"${PREFIX}"
- fi
- fi
-
- # Start the ppp daemon.
- pppd_start "${zone}"
-
- exit ${EXIT_OK}
-}
-
-function hook_down() {
- local zone="${1}"
- assert isset zone
-
- zone_settings_read "${zone}"
-
- # Stop the ppp daemon.
- pppd_stop "${zone}"
-
- # Check if a port has been used.
- if isset PORT; then
- # Stop DHCP-Client or remove static IP address.
- if enabled USE_DHCP; then
- # Stop dhclient for IPv4 on this zone.
- dhclient_stop "${PORT}" "ipv4"
- else
- # Remove address from interface.
- ip_address_del "${PORT}" "${INTERFACE_ADDRESS}"/"${PREFIX}"
- fi
-
- # Bring down the port.
- log DEBUG "Bringing down port '${PORT}'."
- port_down "${PORT}"
- fi
-
- exit ${EXIT_OK}
-}
-
-function hook_status() {
- local zone="${1}"
- assert isset zone
-
- cli_device_headline "${zone}"
-
- zone_settings_read "${zone}"
-
- # Display port configuration if a port is used.
- if isset PORT; then
- cli_headline 2 "Configuration"
- cli_print_fmt1 2 "IP Address" "${INTERFACE_ADDRESS}"/"${PREFIX}"
- cli_print_fmt1 2 "Peer Address" "${PEER_ADDRESS}"
- cli_print_fmt1 2 "Port" "${PORT}"
- cli_space
- fi
-
- cli_headline 2 "Dialin Information"
- cli_print_fmt1 2 "Username" "${USERNAME}"
- cli_print_fmt1 2 "Password" "<hidden>"
- cli_space
-
- # Exit if zone is down
- if ! zone_is_up ${zone}; then
- echo # Empty line
- exit ${EXIT_ERROR}
- fi
-
- cli_headline 2 "Point-to-Point-Tunneling protocol"
- local proto
- for proto in ${IP_SUPPORTED_PROTOCOLS}; do
- routing_db_exists ${zone} ${proto} || continue
-
- local headline
- case "${proto}" in
- ipv6)
- headline="Internet Protocol Version 6"
- ;;
- ipv4)
- headline="Internet Protocol Version 4"
- ;;
- *)
- headline="Unkown protocol"
- ;;
- esac
- cli_headline 3 "${headline}"
-
- cli_print_fmt1 3 "IP address" "$(routing_db_get "${zone}" "${proto}" "local-ip-address")"
- cli_print_fmt1 3 "Gateway" "$(routing_db_get "${zone}" "${proto}" "remote-ip-address")"
- cli_print_fmt1 3 "DNS servers" "$(routing_db_get "${zone}" "${proto}" "dns")"
- cli_space
- done
-
- exit ${EXIT_OK}
-}
-
-function hook_ppp_write_config() {
- local zone="${1}"
- assert isset zone
-
- local file="${2}"
- assert isset file
-
- # Read in the configuration files.
- zone_settings_read "${zone}"
-
- # Prepare the command line options for the pptp plugin.
- local pptp_commandline="pptp ${PEER_ADDRESS} --nolaunchpppd"
-
- pppd_write_config ${file} \
- --interface="${zone}" \
- --username="${USERNAME}" \
- --password="${PASSWORD}" \
- --mtu="${MTU}" \
- --auth="${AUTH}" \
- --pty="${pptp_commandline}" \
- --ipv6="${IPV6}" \
- --refuse="${REFUSED_AUTH_METHODS}"
-
- exit ${EXIT_OK}
-}