DaemonForums  
#1  14th October 2009  oe1ssu
poptop - Radioamateur needs help plz

Hello!

I am running several public proxies for echolink radio amateur networks.

Everything is running absolutely perfectly!

For security reasons I need to set up an easy VPN daemon. Therefore I picked poptop.

Hardware:
1 server with 1 NIC. Distribution: OpenBSD 3.9 (I do not want to ruin the uptime)

I've set up tun devices, did the options, pptpd.conf, chap secrets, etc.

Unfortunately I get this error:
Oct 14 08:11:09 hugo ppp[11791]: Warning: iface rm: ioctl(SIOCDIFADDR_IN6, fe80:9::204:75ff:febe:fc96/64): Can't assign requested address

Here is my pptpd.conf:
Code:
option /etc/ppp/options-pptpd
localip 172.19.1.1
remoteip 172.19.1.30-50
# PID file (can be used for monitoring)
pidfile /var/run/pptpd.pid
noipparam

options-pptpd:
Code:
name pptpd
lock
mtu 1450
mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0

# Handshake Auth Method
+chap
+mschap-v2

# Data Encryption Methods
mppe required
remoteip 172.19.1.30-50

ppp.conf:
Code:
loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhostptp
set dial
set login
set mppe * stateful
# Server (local) IP address, Range for Clients, and Netmask
# Use the same IP addresses you specified in /etc/pppd.conf :
set ifaddr 172.19.1.1 172.19.1.30-172.19.1.50 255.255.255.0
set server /tmp/loop "" 0177

loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct

pptp:
load loop
# Disable unsecured auth
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
# DNS Servers to assign client
# Use your own DNS server IP address :
set dns 10.100.10.10
set device !/etc/ppp/secure

chap secret:
Code:
#username pptpd password *
oe1ssu pptpd YEP 172.19.1.30

pap secret:
Code:
# Secrets for authentication using PAP
# client server secret IP addresses
oe1ssu pptpd jojo 172.19.1.30
Ifconfig:
Code:
<root@hugo:47:~>$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:04:75:be:fc:96
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 83.xxx.xxx.xx netmask 0xfffffff8 broadcast 83.xxx.xxx.xx
inet6 fe80::204:75ff:febe:fc96%xl0 prefixlen 64 scopeid 0x1
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=41<UP,RUNNING> mtu 1536
tun1: flags=11<UP,POINTOPOINT> mtu 3000
groups: tun
tun2: flags=11<UP,POINTOPOINT> mtu 3000
groups: tun
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
groups: ppp
inet 0.0.0.0 --> 0.0.0.0 netmask 0xffffff00
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
groups: tun

I hope someone can help me. Fact is, I love OpenBSD and this is the very first time I have not found a solution in howtos, RTFMs, etc.
#2  14th October 2009  jggimi

Uptime? You are already aware, are you not, that 3.9 has not been supported since 1 May 2007?

Look at your error message - it indicates a problem with the IPv6 address of your xl0 device.
#3  14th October 2009  oe1ssu

Quote: Originally Posted by jggimi
Uptime? You are already aware, are you not, that 3.9 has not been supported since 1 May 2007?

Look at your error message - it indicates a problem with the IPv6 address of your xl0 device.
2007 -> BSD is still running without any problems.

IPv6.. yes, that's the point. I do not know why pptpd is offering IPv6 instead of IPv4.
#4  14th October 2009  jggimi

Poptop is currently maintained by giovanni@. You could contact him, but .... you will likely be told to go upgrade your system. Here's why:
  • You are running an unsupported -release.
  • At your -release, poptop was 1.1.4-b4, from 2004.
  • It was updated to 1.3.0 in 2008, which was prior to 4.3-release.
  • It was updated to 1.3.4 in January, in time for 4.5-release.
  • 4.6 is being released in less than three weeks.
And while your base OS might be working fine, you are asking for support of a version of an application for it, that, quite likely, no one is running today.

But ... the purpose of an OS is to run applications, isn't it? And you can't run this application, can you? -I- wouldn't describe that as running fine.

By the way, PPTP is generally not considered a secure VPN technology -- due to Microsoft's implementation of it -- in comparison to SSL-based or IPSec-based VPNs. See http://www.schneier.com/pptp-faq.html for an opening discussion.

#5  14th October 2009  BSDfan666

Quote: Originally Posted by oe1ssu
2007 -> BSD is still running without any problems.
This is something I hear often, and it causes me to scratch my head.

All of us here are aware how stable OpenBSD can be, but none of us are delusional enough to ignore that major security bugs (..both remote and local) have been fixed between 3.9/4.6.

Uptime shouldn't be a competition, in fact.. we would be more impressed if you were running the latest release with all of the errata patches applied.

As an example, if you run on i386.. a local user exploit.. it will cause a kernel panic on any release that isn't properly patched (..only 4.4-4.6 have an errata for it).
Code:
#include <xmmintrin.h>
#include <stdio.h>

int main(void)
{
	/* unmask the SSE divide-by-zero exception in MXCSR */
	_MM_SET_EXCEPTION_MASK(_MM_GET_EXCEPTION_MASK() & ~(_MM_MASK_DIV_ZERO));
	/* 1.0 / 0.0 in SSE now raises the exception instead of returning infinity */
	__m128 a = _mm_div_ss(_mm_set_ss(1.0F), _mm_set_ss(0.0F));
	(void)a;
	return 0;
}
$ gcc -msse example.c -o crash

None of us are overly eager to support older releases, especially if the maintainer isn't being proactive about security.. which is apparent by your choice of VPN technology.

Good luck.
#6  14th October 2009  oe1ssu

Thanks for your answers. You are absolutely right. The system should have been upgraded some years ago already.

Since the server is just offering an echolink proxy, and running absolutely perfectly, I've not moved to a newer distribution.

I was hoping that even an "old" distribution could support a much older protocol.
The only thing the server has to do, excluding the proxy, is offering samba connections - so hams can mount a directory "locally".

I can remember running redhat 3.1 with pptpd. It must have been around 2002, 2003.

Let's stick to the point -> I will use 4.6 in the future.

And I will support the forum. I like it.
#7  14th October 2009  oe1ssu

Forgot - thanks for the link!!
Schneier - I am not allowed to post links here - yet.
#8  14th October 2009  jggimi

To be fair regarding the VPN tech -- it is not PPTP which is at fault, it is Microsoft's implementation. But, since Windows platforms are the overwhelming majority of PPTP users, such VPNs are prejudged to be insecure.

If uptime is critical, just copy and paste into /usr/local/bin/uptime:
Code:
#!/bin/sh
# take the HH:MM:SS field of date(1) and keep only HH:MM
var=$(date | awk '{print $4}' | awk -F : '{print $1 ":" $2}')
echo $var up like forever, dude!
#9  14th October 2009  oe1ssu

Quote: Originally Posted by jggimi
To be fair regarding the VPN tech -- it is not PPTP which is at fault, it is Microsoft's implementation. But, since Windows platforms are the overwhelming majority of PPTP users, such VPNs are prejudged to be insecure.

If uptime is critical, just copy and paste into /usr/local/bin/uptime:
Code:
#!/bin/sh
var=$(date | awk '{print $4}' | awk -F : '{print $1 ":" $2}')
echo $var up like forever, dude!
I know it. Nah, I mentioned the uptime regarding OS stability.

I still can't believe that pptp is not working with 3.9. I will give it one more day of trying. At least I'll kick out IPv6 support.
15th October 2009  gbechis

Try to add "disable ipv6cp" to your /etc/ppp/ppp.conf, then pre-order a 4.6 cdrom and upgrade your computers
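As an added check (not from the thread or from poptop/ppp), the script below lints a ppp(8) label in ppp.conf for the directives discussed in this thread: PAP and CHAP disabled, MS-CHAPv2 and MPPE enabled, and gbechis' "disable ipv6cp". The sample file is constructed from the poster's "pptp" label plus a corrected copy; the function names ppp_section and ppp_lint are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check a ppp(8) label in ppp.conf for
# the settings discussed above (PAP/CHAP disabled, MS-CHAPv2 and MPPE on,
# and gbechis' "disable ipv6cp"). File path and label are function arguments.

# Constructed sample: a trimmed copy of the poster's "pptp" label next to a
# corrected copy that adds "disable ipv6cp".
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
loop:
 set timeout 0
pptp:
 load loop
 disable pap
 disable chap
 enable mschapv2
 disable ipv6
 accept mppe
pptp-fixed:
 load loop
 disable pap
 disable chap
 enable mschapv2
 disable ipv6cp
 accept mppe
EOF

# Print the lines of one label, from "label:" up to the next label line.
ppp_section() {
  awk -v lbl="$2" 'BEGIN { tag = lbl ":" }
    /^[A-Za-z0-9_-]+:[[:space:]]*$/ { in_sec = ($0 == tag); next }
    in_sec { print }' "$1"
}

# Return 0 if the label carries every expected directive, 1 otherwise,
# printing one FAIL line per missing directive.
ppp_lint() {
  sec=$(ppp_section "$1" "$2")
  rc=0
  for want in "disable pap" "disable chap" "enable mschapv2" \
              "accept mppe" "disable ipv6cp"; do
    printf '%s\n' "$sec" | grep -q "^[[:space:]]*$want\$" \
      || { echo "FAIL: $2: missing '$want'"; rc=1; }
  done
  return $rc
}
```

Run against the sample, the poster's "pptp" label fails only on the missing "disable ipv6cp" line, while "pptp-fixed" passes.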
22nd October 2009  oe1ssu

I'll move to 4.6.

I've read about several security issues with it. I will use IPsec.

Thanks for your help!!!