* pppd and NetworkManager - 3 issues
@ 2005-11-22 16:06 Antony J Mee
2005-11-22 23:39 ` James Cameron
2005-11-23 4:31 ` [pptp-devel] " Matt Domsch
0 siblings, 2 replies; 3+ messages in thread
From: Antony J Mee @ 2005-11-22 16:06 UTC (permalink / raw)
To: linux-ppp
Firstly the standard apologies for cross posting. However, this mail
concerns both lists and may require a solution from both communities.
I have just created a PPTP VPN plugin for NetworkManager:
http://www.students.ncl.ac.uk/a.j.mee/blog/index.php/2005/11/21/networkmanager-pptp-vpn-support/
This uses the Linux PPTP client which in turn is heavily dependent upon
pppd.
There are two methods for establishing a connection (currently I'm using
the first of the following):
    pptp <hostname> [<pptp options>] [[--] <pppd options>]
or using pppd's pty option:
    pppd pty "pptp <hostname> --nolaunchpppd <pptp options>"
Two issues involve getting information about the connection back to
NetworkManager.
The information I require is:
a) The IP of the VPN server
b) The local IP of the PPP tunnel
c) USEPEERDNS information
Presently I am obtaining most of this by having a doctored version of
/etc/ppp/ip-up which passes the second two pieces of information to the
NetworkManager-pptp helper process, which in turn, via DBUS, passes the
information to NetworkManager so that it may configure routing tables etc.
So this brings me to issue 1. It appears the only way to get any of
this information is via environment variables and parameters passed to
the /etc/ppp/ip-up scripts on connect. While the use of environment
variables is not uncommon I cannot find a way to ask pppd/pptp to run my
own script/binary (the NM helper) to process this information.
Doctoring /etc/ip-up is not a very good solution since /etc/ip-up is
often heavily distro dependent already. Other tunnel clients eg.
OpenVPN and vpnc (Cisco VPN) also use environment variables BUT provide
a --script option to allow the execution of arbitrary scripts. Is such
behaviour possible?
Issue 2. Worse still it appears that item a) is simply unavailable. But
you say... You must know what it is before you execute pppd/pptp. Not
so. If the target host is actually a pool of IPs in the DNS then one
must be able to ask pptp/pppd what it resolved the hostname to be. For
example, our wireless access is via PPTP vpn in Newcastle served via a
pool of machines:
    mee ~> host ivpn.ncl.ac.uk
    ivpn.ncl.ac.uk has address 128.240.231.4
    ivpn.ncl.ac.uk has address 128.240.231.5
    ivpn.ncl.ac.uk has address 128.240.231.20
    ivpn.ncl.ac.uk has address 128.240.231.21
    ivpn.ncl.ac.uk has address 128.240.231.36
    ivpn.ncl.ac.uk has address 128.240.231.53
Finally issue 3.
I wish to have NetworkManager provide the authentication information for
MS-CHAP. There appears to be no way to do so other than via the
chap-secrets file. Or can I get pptp/ppp to ask for them on the standard
input perhaps?
Kind regards,
tOnY
* Re: pppd and NetworkManager - 3 issues
From: James Cameron @ 2005-11-22 23:39 UTC (permalink / raw)
To: linux-ppp
On Tue, Nov 22, 2005 at 04:06:19PM +0000, Antony J Mee wrote:
> There are two methods for establishing a connection (currently I'm using
> the first of the following:
>
> pptp <hostname> [<pptp options>] [[--] <pppd options>]
> or using pppd's pty option:
> pppd pty "pptp <hostname> --nolaunchpppd <pptp options>"
The second is more flexible and better supported, as it allows pppd to
control pptp. As the pptp maintainer, I've deprecated the first method.
It only existed because pppd didn't have pty option long ago.
> Two issues involve getting information about the connection back to
> NetworkManager.
> The information I require is:
> a) The IP of the VPN server
> b) The local IP of the PPP tunnel
> c) USEPEERDNS information
I'll look at each of these in turn.
a) The IP of the VPN server
Nobody really seems to need this, and so there is no interface that
cleanly provides it. An interface doesn't seem necessary, since it's
really an input argument, despite your point about multiple IPs returned
for a DNS query.
However, it can be obtained using netstat; look for a connection to
destination port 1723 for a process id that matches the pptp or child of
pptp.
Another method is to do the DNS resolution before you call pppd or pptp,
that way you'll have the IP address already.
b) The local IP of the PPP tunnel
This is provided to you by the ip-up scripts activated by pppd. You are
expected to integrate with these scripts, and communicate back to your
application. Distributions vary in their implementation of ip-up
addons.
Another method is to build a pppd plugin that is called when the IP
address is assigned.
Another method is to parse the available network devices looking for the
one created by the tunnel, and then use ifconfig or reads from /proc to
determine the IP address.
c) USEPEERDNS information
pppd places this in a resolv.conf file, and you are expected to pick it
up and use it as appropriate. It would normally be handled by an ip-up
script.
You could also use a pppd plugin.
> While the use of environment variables is not uncommon I cannot find a
> way to ask pppd/pptp to run my own script/binary (the NM helper) to
> process this information.
Use pppd plugins. They aren't difficult to set up. I've written one
myself for user accounting on pptpd (logwtmp).
> Doctoring /etc/ip-up is not a very good solution since /etc/ip-up is
> often heavily distro dependent already. Other tunnel clients eg.
> OpenVPN and vpnc (Cisco VPN) also use environment variables BUT
> provide a --script option to allow the execution of arbitrary scripts.
> Is such behaviour possible?
Patch your pppd, yes, it's possible. Is there a reason why you want to
use the distribution's pppd?
> Issue 2. Worse still it appears that item a) is simply unavailable.
As the maintainer for pptp, I'll take a patch to make this available.
I look forward to your contribution.
My preference is for pptp to provide a plugin that accepts the IP
address of the connected server to pppd, so that pppd can pass it to
ip-up scripts.
> Finally issue 3.
> I wish to have NetworkManager provide the authentication information for
> MS-CHAP. There appears to be no way to do so other than via the
> chap-secrets file. Or can I get pptp/ppp to ask for them on the standard
> input perhaps?
pppd plugins implement this fine. There's the password prompting
plugin. Provide a plugin that contacts your application to cause a
prompt and then process the response.
Or you could look at the "read a file" behaviour documented in "man
pppd" for the chap-secrets file.
The only negative thing I'll point out about pppd plugins is that they
appear to have strict version dependencies. So it might be wise for you
to ship your own pppd version. At 265kB, that shouldn't be too much of
a problem.
--
James Cameron http://quozl.netrek.org/
HP Open Source, Volunteer http://opensource.hp.com/
PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/
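The netstat method from point a) above, as an added example that is not part of the original message: a filter that reads `netstat -tnp` output and prints the remote address of the port-1723 connection owned by the given process IDs. The function name, the PIDs and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and sample data are constructed.

# pptp_peer "PID [PID...]": read `netstat -tnp` output on stdin and print the
# remote address of the ESTABLISHED connection to TCP port 1723 owned by one
# of the given process IDs (pptp itself or a child of it). Exits 1 if none.
pptp_peer() {
    awk -v pids="$1" '
        BEGIN { n = split(pids, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($7, owner, "/")          # "4322/pptp" -> owner[1] is the PID
            m = split($5, remote, ":")     # "128.240.231.20:1723"
            if ((owner[1] in want) && m == 2 && remote[2] == "1723") {
                print remote[1]
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

# Constructed sample in the column layout of Linux `netstat -tnp`. Without
# root, netstat shows "-" instead of PID/program for other users' sockets.
sample_netstat='Proto Recv-Q Send-Q Local Address   Foreign Address      State       PID/Program name
tcp   0  0  192.0.2.10:22     192.0.2.99:51234     ESTABLISHED 801/sshd
tcp   0  0  192.0.2.10:40112  128.240.231.20:1723  ESTABLISHED 4322/pptp
tcp   0  0  192.0.2.10:40200  198.51.100.7:1723    ESTABLISHED 5000/pptp'

printf '%s\n' "$sample_netstat" | pptp_peer "4321 4322"
```

Matching on the owning PID rather than on port 1723 alone keeps a second, unrelated PPTP session on the same host from being reported as this tunnel's server.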
* Re: [pptp-devel] Re: pppd and NetworkManager - 3 issues
From: Matt Domsch @ 2005-11-23 4:31 UTC (permalink / raw)
To: linux-ppp
On Wed, Nov 23, 2005 at 10:39:30AM +1100, James Cameron wrote:
> a) The IP of the VPN server
[snip]
> Another method is to do the DNS resolution before you call pppd or pptp,
> that way you'll have the IP address already.
For establishing static routes, the Microsoft Network Access
Quarantine feature of Windows Server 2003, and other uses, one really
does need to know the IP of the server. For my purposes, my
hand-rolled scripts do the DNS resolution, then call pppd with the IP
address, and this works quite well.
Thanks,
Matt
--
Matt Domsch
Software Architect
Dell Linux Solutions linux.dell.com & www.dell.com/linux
Linux on Dell mailing lists @ http://lists.us.dell.com
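The resolve-first approach described in this reply and in James Cameron's, as an added example that is not part of the thread: it picks one address from `host` output, validates it, and builds the pty command with that literal address, also passing it through pppd's `ipparam` option so the ip-up script receives the server IP as its sixth argument. The function names are hypothetical; the sample input is part of the `host` output quoted in the first message.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# pick_server: read `host NAME` output on stdin, print the first valid IPv4.
pick_server() {
    while read -r _name has address ip _rest; do
        if [ "$has $address" = "has address" ] && is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# pppd_pty_arg IP: value for pppd's pty option. The value is a command line,
# so only a validated literal address is ever interpolated into it.
pppd_pty_arg() {
    is_ipv4 "$1" || return 1
    printf 'pptp %s --nolaunchpppd\n' "$1"
}

# Sample input: part of the `host ivpn.ncl.ac.uk` output quoted in the thread.
sample_host='ivpn.ncl.ac.uk has address 128.240.231.4
ivpn.ncl.ac.uk has address 128.240.231.5
ivpn.ncl.ac.uk has address 128.240.231.20'

server=$(printf '%s\n' "$sample_host" | pick_server)
# ipparam hands the pinned address to ip-up as its sixth argument.
echo "pppd pty \"$(pppd_pty_arg "$server")\" ipparam $server"
```

Resolving once and reusing the result means the address used for routes is the same one pptp connects to, which a second lookup against a round-robin pool would not guarantee.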