echothrust/howtos

A list of OpenBSD (mostly) material

OpenBSD PPPoE

This is a research paper written by one of our members back in 2006. The research was done in order to familiarize ourselves with the technologies available under OpenBSD.

Author: Panagiotis Efstratiou Created: 2006/07/06 02:05

Introduction

What is PPP ?

PPP stands for Point-to-Point Protocol. It is a protocol designed for directly connecting two (2) peers. It is not tied to one link type: the protocol can be carried over several Layer 2 technologies. It can also encapsulate any Layer 3 protocol (that includes IP and IPX, though using PPP for IPX is becoming increasingly rare). Finally, PPP incorporates several methods for authenticating the peers to each other.

What is PPPoE ?

PPPoE stands for PPP over Ethernet. As noted in the section above, PPP can be used over several Layer 2 technologies, one of which is Ethernet. For this to work something has to encapsulate the PPP frames in Ethernet frames; this can be done either by a kernel driver or by a user-land program (OpenBSD offers both, see below).

OpenBSD and PPPoE

OpenBSD has support for both PPP and PPPoE. There exist both kernel drivers and user-land programs (the user-land programs use the tun(4) interface). The kernel drivers are much faster but have fewer options, so in this document we use only the user-land programs. No extra kernel configuration is required for this, since OpenBSD ships with the required options enabled by default.

The PPP Program

The PPP program ([[http://www.openbsd.org/cgi-bin/man.cgi?query=ppp&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html|ppp(8)]]) can be used both as a client and as a server. It supports the most commonly used technologies, including :

The PPPoE Program

The PPPoE program ([[http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html|pppoe(8)]]) works in conjunction with the PPP program. It can act both as a server (listening for incoming PPPoE requests) and as a client (sending PPPoE requests to other PPPoE servers).

PPP Program Configuration

PPP configuration is divided into sections called ‘systems’. Each system has a unique label, and the options listed under it apply only to the connection it describes. There is also a global section, called ‘default’, whose options apply to every system.

PPP stores its configuration in the following files :

Sample client configuration

To create a client PPPoE configuration, add a system to the main configuration file (see above) as follows :

pppoe:
  set device "!/usr/sbin/pppoe -i <interface>"
  set mtu max 1492
  set mru max 1492
  set speed sync
  disable acfcomp protocomp
  deny acfcomp
  set authname "<myUsername>"
  set authkey "<myPassword>"

Where <interface> is an Ethernet interface that merely has to be up and running (there is no need to configure an IP address on it), and <myUsername> and <myPassword> are the credentials used to authenticate to the peer. You may also notice that the MTU and MRU are set below 1500: the 6-byte PPPoE header and the 2-byte PPP protocol field take 8 bytes out of every Ethernet payload, and 1500 - 8 = 1492 is what is left for PPP.

The final step is to dial this system with the ppp(8) command (please refer to the manual page for the available dialing modes).

ppp(8) will automatically invoke the pppoe(8) program, which binds to ppp(8)'s standard input and standard output. ppp(8) handles the PPP protocol while pppoe(8) handles the Ethernet layer.

Sample server configuration

As you have noticed in the example above, for pppoe(8) to act as a client we first invoke ppp(8), which then invokes pppoe(8) as a child process. The exact opposite is done when we want to use pppoe(8) as a server: we invoke pppoe(8) in such a way that it listens for incoming PPPoE requests, and it then invokes ppp(8) to handle the PPP session.

To do so we invoke pppoe(8) as follows : pppoe -i <interface> -s -p <system> [-n <service>]

The <interface> value has the same meaning as in the client configuration above. The <system> value is the ppp(8) system to use when ppp(8) is invoked. The <service> value is a PPPoE service name; it is matched against the Service-Name tag that the client sends during the PPPoE discovery stage (before any PPP credentials are exchanged) and it is optional.
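The following is an added example, not code from the original howto: a minimal encoder and decoder for PPPoE frames as laid out in RFC 2516. It illustrates two points made above, the Service-Name tag a client sends in its PADI (which is what a server started with -n <service> has to match) and the reason the PPP MTU/MRU are 1492 (the 6-byte PPPoE header plus the 2-byte PPP protocol field must fit in the 1500-byte Ethernet payload). The service names, session ids and payloads used are constructed; the accept rule in server_accepts_padi is the RFC 2516 rule, not a model of exactly what pppoe(8) does.

```python
"""Added example (not from the original howto): minimal PPPoE frame
encoder/decoder following the RFC 2516 layout.  Service names and
payloads are constructed for the example."""
import struct

ETH_MTU = 1500
PPPOE_HDR_LEN = 6            # ver/type(1) code(1) session_id(2) length(2)
PPP_PROTO_LEN = 2            # PPP protocol field carried in every session frame
PPP_MAX_PAYLOAD = ETH_MTU - PPPOE_HDR_LEN - PPP_PROTO_LEN   # 1492

CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS = 0x09, 0x07, 0x19, 0x65
CODE_SESSION = 0x00
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
PPP_PROTO_LCP = 0xC021


def pppoe_frame(code, session_id, payload):
    """PPPoE header (VER=1, TYPE=1 packed in one byte) followed by payload."""
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def encode_tags(tags):
    """Discovery tags are TLVs: 2-byte type, 2-byte length, value."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def decode_tags(data):
    tags, off = [], 0
    while off + 4 <= len(data):
        t, ln = struct.unpack_from("!HH", data, off)
        off += 4
        if off + ln > len(data):
            raise ValueError("truncated tag")
        tags.append((t, data[off:off + ln]))
        off += ln
    return tags


def build_padi(service_name=b"", host_uniq=b""):
    """What the client broadcasts first: session id 0 and a Service-Name tag
    (an empty name means 'any service')."""
    tags = [(TAG_SERVICE_NAME, service_name)]
    if host_uniq:
        tags.append((TAG_HOST_UNIQ, host_uniq))
    return pppoe_frame(CODE_PADI, 0, encode_tags(tags))


def parse_discovery(frame):
    """Return (code, session_id, tags); reject malformed headers rather than trust them."""
    if len(frame) < PPPOE_HDR_LEN:
        raise ValueError("short frame")
    vt, code, sid, length = struct.unpack_from("!BBHH", frame)
    if vt != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    if length > len(frame) - PPPOE_HDR_LEN:
        raise ValueError("length field exceeds frame")
    return code, sid, decode_tags(frame[PPPOE_HDR_LEN:PPPOE_HDR_LEN + length])


def server_accepts_padi(frame, offered_services):
    """RFC 2516 rule for an access concentrator: answer with a PADO only if
    the PADI asks for a service we offer, or for any service (empty name).
    (How pppoe(8) -n applies this rule exactly is not modelled here.)"""
    code, sid, tags = parse_discovery(frame)
    if code != CODE_PADI or sid != 0:
        return False
    wanted = [v for t, v in tags if t == TAG_SERVICE_NAME]
    return any(w == b"" or w in offered_services for w in wanted)


def build_session_frame(session_id, ppp_proto, ppp_payload):
    """Session-stage frame.  With MTU 1492 the body is at most 1494 bytes,
    so the whole PPPoE packet never exceeds the Ethernet payload of 1500."""
    body = struct.pack("!H", ppp_proto) + ppp_payload
    if len(body) > ETH_MTU - PPPOE_HDR_LEN:
        raise ValueError("PPP payload exceeds %d bytes" % PPP_MAX_PAYLOAD)
    return pppoe_frame(CODE_SESSION, session_id, body)


def fits_in_ethernet(ppp_payload_len):
    """True when a PPP information field of this size fits in one Ethernet frame."""
    return ppp_payload_len <= PPP_MAX_PAYLOAD
```

parse_discovery deliberately checks the length field against the real frame size before slicing: a PPPoE server reads these frames from untrusted Ethernet neighbours, and trusting the header's own length is the classic way to read past the buffer in a C implementation.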

Now we have to set up the specified system in the ppp(8) main configuration file. This section should state how the peer is to authenticate itself (that is, with which protocol) and what range of IP addresses may be assigned to it. We also enable proxy ARP, so that ppp(8) answers ARP requests for the peer's address on the local Ethernet and hosts on that LAN can reach the peer without extra routes. With this version of ppp(8) the route to the peer is added automatically. If the system is called pppoe-in you can use the following configuration :

pppoe-in:
  set mtu max 1492
  set mru max 1492
  set speed sync
  disable acfcomp protocomp
  deny acfcomp
  enable pap
  enable chap
  enable MSCHAP
  enable MSCHAPv2
  set timeout 120
  set ifaddr 10.0.1.1 10.0.1.2-10.0.1.120
  enable proxy

The above configuration allows the peer to authenticate itself using PAP, CHAP, MSCHAP or MSCHAPv2 (see the Authentication section below for a complete explanation of the authentication techniques that can be used with ppp(8)) and lets it negotiate, through IPCP, an IP address from within the range 10.0.1.2 to 10.0.1.120, with 10.0.1.1 being the local end of the link.

Authentication through PPP

Authentication protocols supported

The problem that arises from the variety of supported protocols is that different clients use different ones. For example, most UNIXes tend to use PAP or CHAP to authenticate themselves, while newer Microsoft clients (that is, Windows 98SE and later) tend to prefer MSCHAPv2, and older Microsoft clients use MSCHAP. A server that has to accept all of these clients must therefore support all of these protocols. Keep in mind, however, that PAP sends the password in clear text over the link and that MSCHAP and MSCHAPv2 have known cryptographic weaknesses, so enable only the protocols your clients actually need.

Authentication back-ends supported

ppp(8) supports three different back-ends: its own ppp.secrets file, the system password database (passwd(5)) and RADIUS.

The passwd(5) back-end cannot be used for CHAP or MSCHAP[v2] authentication, because to verify a CHAP response the server has to know the plain-text password, and passwd(5) only stores a one-way hash. The standard lookup order is to first search ppp.secrets, then passwd(5), and then to query RADIUS.

Appendix A - ppp.secrets format

The ppp.secrets file uses the following format, one entry per line :

  <username><TAB><password><TAB><IP Address><TAB><Label><TAB><Callback>

Since callback is a mechanism beyond the scope of this document, we do not discuss that field here.
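The following is an added example, not code from the original howto: a parser for the ppp.secrets format described in this appendix, together with the PAP and CHAP checks a ppp(8)-style server would perform against it and against a passwd(5)-style one-way-hashed store. It illustrates the point made in the back-ends section, that a hashed store can serve PAP but not CHAP, and the lookup order ppp.secrets first, then the password database. The secrets file contents and the user names are constructed, the PBKDF2 store merely stands in for the real system password database, and RADIUS is not modelled.

```python
"""Added example (not from the original howto): ppp.secrets parser plus
PAP and CHAP verification against it and against a hashed store.
File contents and users are constructed; PBKDF2 stands in for passwd(5)."""
import hashlib
import hmac
import os

# Constructed ppp.secrets.  Columns: name key [ip [label [callback]]]
PPP_SECRETS = """\
# name        key       ip          label
alice         s3cr3t    10.0.1.5    pppoe-in
bob           pa55word
"""
FIELDS = ("key", "ip", "label", "callback")


def parse_ppp_secrets(text):
    """Return {name: {key, ip, label, callback}}; missing columns become None."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2 or len(cols) > 5:
            raise ValueError("bad ppp.secrets line: %r" % raw)
        rec = dict(zip(FIELDS, cols[1:]))
        for f in FIELDS:
            rec.setdefault(f, None)
        entries[cols[0]] = rec
    return entries


def make_hashed_store(users):
    """passwd(5)-style store: only a salted one-way hash of each password is kept."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10000))
    return store


def pap_check_hashed(store, name, password):
    """PAP delivers the plain-text password, so a stored hash is enough to verify it."""
    rec = store.get(name)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000), digest)


def authenticate_pap(name, password, secrets, store):
    """Lookup order from the text: ppp.secrets first, then the password database."""
    rec = secrets.get(name)
    if rec is not None:
        return hmac.compare_digest(rec["key"].encode(), password.encode())
    return pap_check_hashed(store, name, password)


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticate_chap(name, ident, challenge, response, secrets):
    """The server must recompute the response itself, so only a back-end that
    holds the plain-text key (ppp.secrets here) can answer; a hashed store cannot."""
    rec = secrets.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(chap_response(ident, rec["key"], challenge), response)


def simulate_chap(name, client_secret, secrets):
    """Both sides of one CHAP exchange: server challenges, client responds, server checks."""
    ident, challenge = 0x2A, os.urandom(16)                      # server -> client: Challenge
    response = chap_response(ident, client_secret, challenge)    # client -> server: Response
    return authenticate_chap(name, ident, challenge, response, secrets)   # Success / Failure
```

Note that a user who exists only in the hashed store (dave below) can authenticate with PAP but never with CHAP, exactly the restriction the back-ends section describes; the comparisons use hmac.compare_digest so that a wrong password is rejected in constant time.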