Access to the LAN over the internet via mpd
We need to give employees reasonably secure access from the outside network to the resources of their own local network. We will do it the standard way, using mpd.
- mpd.conf
#################################################################
#
#	MPD configuration file
#
#	This file defines the configuration for mpd: what the
#	bundles are, what the links are in those bundles, how
#	the interface should be configured, various PPP parameters,
#	etc. It contains commands just as you would type them
#	in at the console. Lines without padding are labels. Lines
#	starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.46 2009/04/29 11:04:17 amotin Exp $
#
#################################################################

startup:
	# Set the password for access to the web interface,
	# i.e. replace "password" with your own password
	# set user usrname password just-pass
	# set user password cancer
	# configure the console
	# set console self 127.0.0.1 5005
	# set console open
	# configure the web server
	# set web self 0.0.0.0 5006
	# set web open

default:
	load pptp_server

pptp_server:
	# As you can see, we have only 3 simultaneous connections
	set ippool add poolsat 192.168.36.80 192.168.36.83

	create bundle template B
	set iface enable proxy-arp
	set iface idle 0
	set iface enable tcpmssfix
	set ipcp yes vjcomp
	set ipcp ranges 192.168.36.254/32 ippool poolsat
	# We do not need DNS
	# set ipcp dns 192.168.0.254
	# WINS can stay, if it is actually running
	set ipcp nbns 192.168.36.237
	# Enable Microsoft Point-to-Point encryption (MPPE)
	# set bundle enable compression
	# set ccp yes mppc
	# set mppc yes compress e40 e56 e128 stateless

	# Create clonable link template named L
	create link template L pptp
	# Set bundle template to use
	set link action bundle B
	# Multilink adds some overhead, but gives full 1500 MTU
	set link enable multilink
	set link yes acfcomp protocomp
	set link no pap chap eap
	set link enable chap
	set link enable chap-msv1
	set link enable chap-msv2
	# We reduce the link MTU to avoid GRE packet fragmentation.
	set link mtu 1460
	set link keep-alive 10 60
	# Configure PPTP and open link
	# IFFACE PPTPD
	set pptp self 26.31.130.242
	# Allow to accept calls
	set link enable incoming
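As an added example (my own code, not part of the original post and not part of mpd), here is a small Python script that parses the label/command layout described in the file header and flags the settings in the PPTP server section that matter most for security: whether MPPE is actually enabled (in the configuration above the three MPPE lines are commented out, so the GRE tunnel carries the PPP payload in clear text), whether the weaker MS-CHAPv1 is still accepted, and whether PAP is enabled. The configuration text embedded in the script is a constructed abbreviation of the file above, and the finding names are my own.

```python
"""Parse an mpd.conf and flag weak PPTP settings (added example, not part of mpd)."""

# Constructed abbreviation of the pptp_server configuration shown on the page
SAMPLE_CONF = """\
startup:
    # set user usrname password just-pass

default:
    load pptp_server

pptp_server:
    set ippool add poolsat 192.168.36.80 192.168.36.83
    create bundle template B
    set iface enable proxy-arp
    set ipcp ranges 192.168.36.254/32 ippool poolsat
    # Enable Microsoft Point-to-Point encryption (MPPE)
    # set bundle enable compression
    # set ccp yes mppc
    # set mppc yes compress e40 e56 e128 stateless
    create link template L pptp
    set link action bundle B
    set link no pap chap eap
    set link enable chap
    set link enable chap-msv1
    set link enable chap-msv2
    set link mtu 1460
    set pptp self 26.31.130.242
    set link enable incoming
"""


def parse_mpd_conf(text):
    """Return {label: [command tokens, ...]}.

    As the mpd.conf header says: an unindented line ending in ':' is a label,
    indented lines are commands, and lines starting with '#' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():
            if not stripped.endswith(":"):
                raise ValueError("unindented line is not a label: %r" % raw)
            current = stripped[:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("command before any label: %r" % raw)
        sections[current].append(stripped.split())
    return sections


def _has(commands, prefix, word):
    """True if a command starting with PREFIX lists WORD among its arguments.
    (Later 'disable'/'no' commands are not tracked; this is a first-pass audit.)"""
    n = len(prefix)
    return any(tuple(c[:n]) == prefix and word in c[n:] for c in commands)


def audit_pptp_section(commands):
    """Return a list of finding names for one PPTP server section."""
    findings = []
    # MPPE is what encrypts the PPP payload; without 'set ccp yes mppc'
    # the GRE tunnel carries user traffic in clear text.
    if not _has(commands, ("set", "ccp", "yes"), "mppc"):
        findings.append("mppe-disabled")
    # MS-CHAPv1 is weaker than MS-CHAPv2; accept only chap-msv2 if clients allow it.
    if _has(commands, ("set", "link", "enable"), "chap-msv1"):
        findings.append("mschapv1-enabled")
    # PAP sends the password as plain text inside the tunnel.
    if (_has(commands, ("set", "link", "enable"), "pap")
            or _has(commands, ("set", "link", "yes"), "pap")):
        findings.append("pap-enabled")
    return findings


def audit_file(text):
    """Audit every section that configures a PPTP endpoint ('set pptp ...')."""
    sections = parse_mpd_conf(text)
    return {label: audit_pptp_section(cmds)
            for label, cmds in sections.items()
            if any(c[:2] == ["set", "pptp"] for c in cmds)}


if __name__ == "__main__":
    for label, findings in audit_file(SAMPLE_CONF).items():
        print(label, "->", ", ".join(findings) or "no findings")
```

Run against the real file with `audit_file(open("/usr/local/etc/mpd5/mpd.conf").read())`; for the configuration on this page it reports `mppe-disabled` and `mschapv1-enabled` for `pptp_server`.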
The file with the users' passwords
- mpd.secret
#################################################################
#
#	MPD secrets file
#
#	This file contains login, password pairs, called "secrets".
#	Entries are used for authentication in either or both directions,
#	as well as telnet console login.
#
#	For example, to use the "MyLogin" secret, use this command:
#
#		set bundle authname MyLogin
#
#	Each entry may have a third field containing an IP address range
#	specifying the allowable address assignments for that
#	peer.
#
#	NOTE: this file should not be readable by anyone except root!
#
# $Id: mpd.secret.sample,v 1.2 2007/01/27 13:28:44 amotin Exp $
#
#################################################################

#USER NAME	PASSWD		IP static
usr1		pswd-1		192.168.36.81
usr2		pswd-2		192.168.36.82

#USER NAME	PASSWD		IP dynamic
#user1		"password1"	*
#user2		"password2"	*
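An added example (my own code, not part of the post or of mpd) that audits a file in the mpd.secret format, which is the same for the mpd-5.6 file above and the mpd-3.18 file further down: it checks that the file mode keeps it readable by root only, as the header demands, and parses each entry (login, password with optional double quotes and backslash escapes, optional address or `*`) to flag malformed lines, duplicate logins, short passwords and wildcard addresses. The sample entries embedded in it are constructed, and the 12-character length threshold is my own choice, not an mpd setting.

```python
"""Audit an mpd.secret file: permissions and entry format (added example, not part of mpd)."""
import os
import stat

# Constructed sample in the mpd.secret format: login, password, optional IP/range or '*'
SAMPLE_SECRET = """\
#USER NAME    PASSWD              IP static
usr1          pswd-1              192.168.36.81
usr2          "a long pass\\"word" 192.168.36.82
viktor        "vik-pass"          *
usr1          other-pass          192.168.36.83
broken-entry
"""

MIN_PASSWORD_LEN = 12  # my own threshold for the audit, not an mpd setting


def split_fields(line):
    """Split one mpd.secret line on whitespace, honouring double quotes.

    Inside quotes a backslash escapes the next character (an escaped quote stays
    part of the password); hex or octal escapes are kept as literal characters,
    which is enough for an audit that only looks at the password length."""
    fields, buf, quoted, have, i = [], [], False, False, 0
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == "\\" and i + 1 < len(line):
                buf.append(line[i + 1])
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted, have = True, True
        elif ch.isspace():
            if have:
                fields.append("".join(buf))
                buf, have = [], False
        else:
            buf.append(ch)
            have = True
        i += 1
    if have:
        fields.append("".join(buf))
    return fields


def audit_entries(text):
    """Return (entries, findings) for the text of an mpd.secret file."""
    entries, findings, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = split_fields(raw)
        if len(fields) < 2:
            findings.append("line %d: malformed entry (need login and password)" % lineno)
            continue
        login, password = fields[0], fields[1]
        addr = fields[2] if len(fields) > 2 else None
        if login in seen:
            findings.append("line %d: duplicate login %r" % (lineno, login))
        seen.add(login)
        if len(password) < MIN_PASSWORD_LEN:
            findings.append("line %d: password for %r shorter than %d characters"
                            % (lineno, login, MIN_PASSWORD_LEN))
        if addr == "*":
            findings.append("line %d: %r gets a dynamic address, so per-user "
                            "firewall rules cannot key on its IP" % (lineno, login))
        entries.append((login, password, addr))
    return entries, findings


def mode_findings(mode):
    """Findings for an st_mode value: the file header says only root may read it."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible by group or others (expected mode 0600)")
    return findings


def audit_secret_file(path):
    """Audit a real file on disk: ownership, mode and entries."""
    st = os.stat(path)
    findings = mode_findings(st.st_mode)
    if st.st_uid != 0:
        findings.append("file is not owned by root")
    with open(path) as fh:
        entries, entry_findings = audit_entries(fh.read())
    return entries, findings + entry_findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        entries, findings = audit_secret_file(sys.argv[1])
    else:
        entries, findings = audit_entries(SAMPLE_SECRET)
    print("%d entries" % len(entries))
    for finding in findings:
        print("finding:", finding)
```

Run as `python3 audit_secret.py /usr/local/etc/mpd5/mpd.secret` (hypothetical script name) on the server; without an argument it audits the constructed sample and reports six findings.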
That, in fact, completes the mpd configuration.
There is probably no internet gateway without a firewall. In my case pf is used. Let's tell it how it should work.
- pf.conf (excerpt)
# FILTER RULES
block all

# allow traffic on our VPN interfaces
pass on {lo, ng0, ng1, ng2, ng3} all
pass proto icmp all

# Allow incoming GRE only from the IPs in the <leonchik> table, and, so as not to
# multiply static rules, tell it to remember the state (keep state)
pass in on $ext_if proto gre from <leonchik> keep state
pass in on $ext_if proto tcp from <leonchik> to ($ext_if) port 1723 keep state

# This is the strangest rule, but without it nothing works ;)
pass out on $int_if to $int_if:network
pfctl -f /etc/pf.conf
When configuring the clients, note that when an address is obtained from the server, the default gateway gets replaced (as does DNS, which in our case is not configured). So, for example, on my Ubuntu box I simply added the route I needed by hand, and on Windows I cleared the corresponding checkbox.
That's it. Connect and work.
Unfortunately, mpd-5.6 cannot be installed on every server. Below are the configs for the old one, mpd-3.18.
- mpd.conf
#################################################################
#
#	MPD configuration file
#
#	This file defines the configuration for mpd: what the
#	bundles are, what the links are in those bundles, how
#	the interface should be configured, various PPP parameters,
#	etc. It contains commands just as you would type them
#	in at the console. A blank line ends an entry. Lines
#	starting with a "#" are comments and get completely
#	ignored.
#
# $Id: mpd.conf.sample,v 1.15.2.1 2004/03/07 14:33:27 mbretter Exp $
#
#################################################################

#
# Default configuration is "myisp"

default:
	load pptp0
	load pptp1
	load pptp2

#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote. From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# We 'set link mtu 1460' to avoid GRE packet fragmentation.
#
# Our DNS server is at 192.168.1.3 and our NT workstation is at 192.168.1.4.
# If you don't have an NBNS server (eg, NT workstation), leave that line out.
#
# Note, you can have as many of these configurations as you like, eg:
#
# default:
#	load client1
#	load client2
#	...
#
# client1:
#	new -i ng0 pptp1 pptp1
#	set ipcp ranges 192.168.1.1/32 192.168.1.50/32
#	load client_standard
#	...
#
# client2:
#	new -i ng1 pptp2 pptp2
#	set ipcp ranges 192.168.1.1/32 192.168.1.51/32
#	load client_standard
#	...
#
# client_standard:
#	set iface disable on-demand
#	set iface enable proxy-arp
#	set iface idle 1800
#	set iface enable tcpmssfix
#	set bundle enable multilink
#	set link yes acfcomp protocomp
#	set link no pap chap
#	set link enable chap
#	set link mtu 1460
#	set link keep-alive 10 60
#	set ipcp yes vjcomp
#	set ipcp dns 192.168.1.3
#	set ipcp nbns 192.168.1.4
#	set bundle enable compression
#	set ccp yes mppc
#	set ccp yes mpp-e40
#	set ccp yes mpp-e128
#	set ccp yes mpp-stateless
#
#
# See also the 'pptp' link entry in mpd.links.sample.
#
# Note: If you cut & paste from the above example, be sure to left-justify
# the labels or else mpd won't parse them correctly.
#

pptp0:
	new -i ng0 pptp0 pptp0
	set ipcp ranges 192.168.2.254/32 192.168.2.80/32
	load pptp_standard

pptp1:
	new -i ng1 pptp1 pptp1
	set ipcp ranges 192.168.2.254/32 192.168.2.81/32
	load pptp_standard

pptp2:
	new -i ng2 pptp2 pptp2
	set ipcp ranges 192.168.2.254/32 192.168.2.82/32
	load pptp_standard

pptp_standard:
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set iface enable tcpmssfix
	set bundle enable multilink
	# enable TCP-Wrapper (hosts_access(5)) to block unfriendly clients
	# set bundle enable tcp-wrapper
	# use RADIUS servers
	# load radius
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set link mtu 1460
	set ipcp yes vjcomp
	### set ipcp dns 192.168.1.3
	set ipcp nbns 192.168.2.254
	#
	# The five lines below enable Microsoft Point-to-Point encryption
	# (MPPE) using the ng_mppc(8) netgraph node type.
	#
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set pptp self 97.12.232.66
	set pptp enable incoming
	set pptp disable originate
- mpd.links
#################################################################
#
#	MPD links file
#
#	In this file you define the various "links" that comprise
#	a bundle. Each link corresponds to a single serial device.
#	These are commands that could be typed into the console directly.
#
#	This file should only contain configuration for a link if
#	that configuration is specific to that particular link. That
#	is, things like device name and bandwidth. Other generic link
#	options like LCP parameters belong in "mpd.conf".
#
#	The first command for each link should be "set link type ..."
#
# $Id: mpd.links.sample,v 1.4.2.1 2004/03/07 14:33:27 mbretter Exp $
#
#################################################################

#
# For our PPTP server
#

pptp0:
	set link type pptp
	### set pptp self 9.12.232.66
	### set pptp enable incoming
	### set pptp disable originate

pptp1:
	set link type pptp

pptp2:
	set link type pptp
- mpd.secret
#################################################################
#
#	MPD secrets file
#
#	This file contains login, password pairs, called "secrets".
#	Entries are used for authentication in either or both directions,
#	as well as telnet console login.
#
#	For example, to use the "MyLogin" secret, use this command:
#
#		set bundle authname MyLogin
#
#	Each entry may have a third field containing an IP address range
#	specifying the allowable address assignments for that
#	peer.
#
#	NOTE: this file should not be readable by anyone except root!
#
# $Id: mpd.secret.sample,v 1.1 2001/03/10 06:06:47 archiecobbs Exp $
#
#################################################################

### bob		"\x34\"foo\n"	192.168.1.10/24

alexey	"super-pass"	192.168.2.80
viktor	"vik-pass"	*