


Доступ в локалку через интернет посредством mpd

Необходимо обеспечить для работников относительно безопасный доступ из внешней сети к ресурсам своей локальной сети. Делать будем стандартно — используем mpd.

mpd.conf
#################################################################
#
#       MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.46 2009/04/29 11:04:17 amotin Exp $
#
#################################################################

startup:
# Set the password for access to the web interface, i.e. replace
# "password" with your own; the line is a template and stays commented out.
#        set user usrname password just-pass
# NOTE(review): the line below looks like a leftover real credential kept in
# a comment — scrub it before sharing this file.
# set user password cancer
# configure the console (bound to 127.0.0.1 only, so not reachable remotely)
#        set console self 127.0.0.1 5005
#        set console open
# configure the web server
# NOTE(review): 0.0.0.0 binds on every interface, including the external
# one; if this listener is ever enabled, bind it to the LAN or loopback
# address and keep it behind the firewall.
#        set web self 0.0.0.0 5006
#        set web open

default:
# Entry loaded at startup; it only pulls in the pptp_server definition below.
        load pptp_server

pptp_server:
# Address pool handed out to clients. The original note says this allows
# 3 simultaneous connections; NOTE(review): .80–.83 inclusive is four
# addresses, two of which are pinned to users in mpd.secret.
        set ippool add poolsat 192.168.36.80 192.168.36.83
# Clonable bundle template; each incoming link gets its own copy
        create bundle template B
# Proxy ARP makes every VPN client appear as a host on the LAN segment
        set iface enable proxy-arp
# 0 = no idle timeout: a session stays up until the client hangs up
        set iface idle 0
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Local end of every PPP link is .254; peers draw their address from poolsat
        set ipcp ranges 192.168.36.254/32 ippool poolsat
# No DNS is pushed to clients
#        set ipcp dns 192.168.0.254
# WINS can stay, provided that server is really running
        set ipcp nbns 192.168.36.237


# Enable Microsoft Point-to-Point encryption (MPPE)
# NOTE(review): all three MPPE lines are commented out, so the PPP payload
# crosses the Internet unencrypted inside GRE — MS-CHAP protects only the
# login, not the traffic. Enabling encryption means uncommenting these three
# lines (MPPE keys are derived from the MS-CHAP exchange enabled below).
#        set bundle enable compression
#        set ccp yes mppc
#        set mppc yes compress e40 e56 e128 stateless

# Create clonable link template named L
        create link template L pptp
# Set bundle template to use
        set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU
        set link enable multilink
        set link yes acfcomp protocomp
# Disable every auth method, then re-enable CHAP/MS-CHAP only (PAP, which
# sends the password in clear, stays off)
        set link no pap chap eap
        set link enable chap
# NOTE(review): chap-msv1 (MS-CHAPv1) is the weaker variant; if no legacy
# client needs it, leave only chap-msv2 enabled.
        set link enable chap-msv1
        set link enable chap-msv2
# We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1460
# Keep-alive parameters (10, 60) — presumably echo interval and dead-link
# timeout in seconds; confirm against mpd(8) "set link keep-alive"
        set link keep-alive 10 60

# Configure PPTP and open link
# Address the PPTP listener binds to — presumably the external ($ext_if)
# address referenced in pf.conf below
        set pptp self 26.31.130.242
# Allow to accept calls
        set link enable incoming

Файлик с паролями пользователей

mpd.secret
#################################################################
#
#       MPD secrets file
#
# This file contains login, password pairs, called "secrets".
# Entries are used for authentication in either or both directions,
# as well as telnet console login.
#
# For example, to use the "MyLogin" secret, use this command:
#
#       set bundle authname MyLogin
#
# Each entry may have a third field containing an IP address range
# specifying the allowable address assignments for that peer.
#
# NOTE: this file should not be readable by anyone except root!
#
# $Id: mpd.secret.sample,v 1.2 2007/01/27 13:28:44 amotin Exp $
#
#################################################################
#USER NAME		PASSWD			IP static
# Plaintext credentials: the header above says root-only, so keep the file
# mode 0600. The third field pins the address handed to that user; both lie
# inside the poolsat range (192.168.36.80-.83) from mpd.conf.

usr1			pswd-1		        192.168.36.81
usr2     		pswd-2	                192.168.36.82

#USER NAME			PASSWD			IP dynamic
# Template for users that accept any pool address ("*")
#user1                    "password1"                     *
#user2                    "password2"                     *

Собственно говоря, на этом с конфигурацией mpd покончено.

Наверно не бывает шлюзов в интернет без файрвола. В моем случае используется pf. Расскажем ему как надо работать.

pf.conf-crop
# FILTER RULES
# Default deny: anything not matched by a later pass rule is dropped
block all
 
# Allow all traffic on loopback and on the VPN interfaces (ng0-ng3, the
# netgraph interfaces mpd creates for the tunnels — assumes at most four).
# NOTE(review): "all" gives VPN clients the same reach as a LAN host; narrow
# this to the services they actually need if that is not intended.
pass on {lo, ng0, ng1, ng2, ng3} all
 
# ICMP is permitted on every interface, in both directions
pass proto icmp all
 
# Allow inbound GRE and the PPTP control connection (tcp/1723) only from
# addresses in the <leonchik> table, and keep state instead of piling up
# static rules. The table itself and the $ext_if/$int_if macros are defined
# outside this excerpt.
pass in on $ext_if proto gre from <leonchik> keep state
pass in on $ext_if proto tcp from <leonchik> to ($ext_if) port 1723 keep state
 
# The strangest rule, but nothing works without it ;) — presumably needed
# because "block all" would otherwise stop packets leaving on $int_if toward
# the LAN; confirm.
pass out on $int_if to $int_if:network 
# Load the ruleset into pf (run on the gateway after editing pf.conf)
pfctl -f /etc/pf.conf

При конфигурации клиентов обращаю внимание на то, что при получении адреса от сервера будет заменён шлюз по умолчанию (а также DNS; у нас он не сконфигурирован). Поэтому, например, в своей Ubuntu я просто добавил нужный мне маршрут руками, а в венде убрал нужную галку.

Все. Соединяемся и работаем.

К сожалению, не на все сервера можно поставить mpd-5.6. Далее — конфиги для старой версии, mpd-3.18.

mpd.conf
#################################################################
#
#	MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. A blank line ends an entry. Lines
# starting with a "#" are comments and get completely
# ignored.
#
# $Id: mpd.conf.sample,v 1.15.2.1 2004/03/07 14:33:27 mbretter Exp $
#
#################################################################

#
# Default configuration is "myisp"

default:
# One entry per tunnel; each pptpN below pins its own client address and
# then loads the shared pptp_standard settings.
	load pptp0
    load pptp1
    load pptp2

#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP.  We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote.  From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# We 'set link mtu 1460' to avoid GRE packet fragmentation.
#
# Our DNS server is at 192.168.1.3 and our NT workstation is at 192.168.1.4.
# If you don't have an NBNS server (eg, NT workstation), leave that line out.
#
# Note, you can have as many of these configurations as you like, eg:
#	
#	default:
#		load client1
#		load client2
#		...
#	
#	client1:
#		new -i ng0 pptp1 pptp1
#		set ipcp ranges 192.168.1.1/32 192.168.1.50/32
#		load client_standard
#		...
#	
#	client2:
#		new -i ng1 pptp2 pptp2
#		set ipcp ranges 192.168.1.1/32 192.168.1.51/32
#		load client_standard
#		...
#	
#	client_standard:
#		set iface disable on-demand
#		set iface enable proxy-arp
#		set iface idle 1800
#		set iface enable tcpmssfix
#		set bundle enable multilink
#		set link yes acfcomp protocomp
#		set link no pap chap
#		set link enable chap
#		set link mtu 1460
#		set link keep-alive 10 60
#		set ipcp yes vjcomp
#		set ipcp dns 192.168.1.3
#		set ipcp nbns 192.168.1.4
#		set bundle enable compression
#		set ccp yes mppc
#		set ccp yes mpp-e40
#		set ccp yes mpp-e128
#		set ccp yes mpp-stateless
#
#	
# See also the 'pptp' link entry in mpd.links.sample.
#
# Note: If you cut & paste from the above example, be sure to left-justify
# the labels or else mpd won't parse them correctly.
#

pptp0:
# Bundle pptp0 with link pptp0 on interface ng0; local end .254, client
# address fixed at .80
	new -i ng0 pptp0 pptp0
	set ipcp ranges 192.168.2.254/32 192.168.2.80/32
    load pptp_standard

pptp1:
# Bundle pptp1 with link pptp1 on interface ng1; local end .254, client
# address fixed at .81
	new -i ng1 pptp1 pptp1
	set ipcp ranges 192.168.2.254/32 192.168.2.81/32
    load pptp_standard

pptp2:
# Bundle pptp2 with link pptp2 on interface ng2; local end .254, client
# address fixed at .82
	new -i ng2 pptp2 pptp2
	set ipcp ranges 192.168.2.254/32 192.168.2.82/32
    load pptp_standard

pptp_standard:
# Shared settings loaded by every pptpN entry above.
	set iface disable on-demand
# Proxy ARP: the client appears as a host on the LAN
	set iface enable proxy-arp
# Disconnect after 1800 s (30 min) without traffic
	set iface idle 1800
	set iface enable tcpmssfix
	set bundle enable multilink
# enable TCP-Wrapper (hosts_access(5)) to block unfriendly clients
#	set bundle enable tcp-wrapper
# use RADIUS servers 
#	load radius
	set link yes acfcomp protocomp
# Turn off PAP (cleartext password) and CHAP, then re-enable CHAP only
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
# Smaller MTU avoids GRE fragmentation (see the sample's note above)
	set link mtu 1460
	set ipcp yes vjcomp
### 	set ipcp dns 192.168.1.3
# WINS server pushed to clients (the address the gateway uses on the PPP links)
	set ipcp nbns 192.168.2.254
#
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
# Note: unlike the mpd 5 configuration earlier on this page, encryption is
# actually enabled here. NOTE(review): mpp-e40 keeps 40-bit keys negotiable
# for legacy clients; drop it if every client supports 128-bit.
#
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
# External address the PPTP listener binds to. NOTE(review): the commented
# line in mpd.links below reads 9.12.232.66 — one of the two is presumably
# a typo.
    set pptp self 97.12.232.66

# Accept incoming calls only; never dial out
    set pptp enable incoming
    set pptp disable originate
mpd.links
#################################################################
#
#	MPD links file
#
# In this file you define the various "links" that comprise
# a bundle. Each link corresponds to a single serial device.
# These are commands that could be typed into the console directly.
#
# This file should only contain configuration for a link if
# that configuration is specific to that particular link. That
# is, things like device name and bandwidth. Other generic link
# options like LCP parameters belong in "mpd.conf".
#
# The first command for each link should be "set link type ..."
#
# $Id: mpd.links.sample,v 1.4.2.1 2004/03/07 14:33:27 mbretter Exp $
#
#################################################################

#
# For our PPTP server
#

pptp0:
# PPTP link type only; the listener address and call direction are set in
# pptp_standard (mpd.conf), which the three commented lines duplicate.
        set link type pptp
###         set pptp self 9.12.232.66
###         set pptp enable incoming
###         set pptp disable originate

pptp1:
# PPTP link type only; everything else comes from pptp_standard in mpd.conf
        set link type pptp

pptp2:
# PPTP link type only; everything else comes from pptp_standard in mpd.conf
        set link type pptp
mpd.secret
#################################################################
#
#	MPD secrets file
#
# This file contains login, password pairs, called "secrets".
# Entries are used for authentication in either or both directions,
# as well as telnet console login.
#
# For example, to use the "MyLogin" secret, use this command:
#
#	set bundle authname MyLogin
#
# Each entry may have a third field containing an IP address range
# specifying the allowable address assignments for that peer.
#
# NOTE: this file should not be readable by anyone except root!
#
# $Id: mpd.secret.sample,v 1.1 2001/03/10 06:06:47 archiecobbs Exp $
#
#################################################################

### bob		"\x34\"foo\n"	192.168.1.10/24
# Plaintext credentials — the header above says root-only; keep mode 0600.
# alexey is pinned to 192.168.2.80 (pptp0's client address); viktor may be
# assigned any address ("*").
alexey    "super-pass"    192.168.2.80
viktor    "vik-pass"      *