wiki:vpn_ppp

How to set up dynamic pppX interfaces for VPN usage.

Vuurmuur requires you to specify the interfaces that belong to a zone. This is a problem when interfaces are created on the fly. For instance, a PPTP server or client creates a pppX interface (where X is a number starting at 0). Such interfaces have to be added to vuurmuur dynamically. When a pppX interface comes up, the scripts in the /etc/ppp/ip-up.d/ directory are executed, and pppd passes them parameters that include the interface name ($1) and the local IP address ($4). We can use this to create and destroy interfaces within vuurmuur on the fly.

The following script creates the pppX interface in vuurmuur and adds it to the vpn.local network. Specify your own VPN network by changing the line networkname="vpn.local".

/etc/ppp/ip-up.d/vuurmuur_ppp.up

#!/bin/bash
networkname="vpn.local"
vuurmuur="vuurmuur_script"
interface=$1	# pppd passes the interface name as the first argument
ipaddress=$4	# and the local IP address as the fourth

#Create the interface
$vuurmuur -C -i "$interface"

#Setup interface rules
$vuurmuur -M -i "$interface" -V RULE -S "protect against source-routed-packets"
$vuurmuur -A -M -i "$interface" -V RULE -S "protect against icmp-redirect"
$vuurmuur -A -M -i "$interface" -V RULE -S "protect against send-redirect"
$vuurmuur -A -M -i "$interface" -V RULE -S "protect against rp-filter"
$vuurmuur -A -M -i "$interface" -V RULE -S "protect against log-martians"

#Setup the interface options.
$vuurmuur -M -i "$interface" -V DEVICE -S "$interface"
$vuurmuur -M -i "$interface" -V IPADDRESS -S "$ipaddress"
$vuurmuur -M -i "$interface" -V VIRTUAL -S No
$vuurmuur -M -i "$interface" -V COMMENT -S "Dynamic vpn tunnel interface"
$vuurmuur -M -i "$interface" -V ACTIVE -S Yes

#Add the interface to the specified network.
#--First check which interfaces are already there: print the network variables,
#  keep only the INTERFACE="..." lines and strip the INTERFACE=" prefix and the closing quote.
interfaces=$($vuurmuur -P -n "$networkname" | sed -n 's/^INTERFACE="\(.*\)"$/\1/p')

#loop through current interfaces, add these to the current_interfaces array. Do not add our new interface if it is already there.
current_interfaces=()
for current_interface in $interfaces
do
	if [ "$current_interface" != "$interface" ]
	then
		current_interfaces+=("$current_interface")
	fi
done
#now add our interface to the current interfaces.
current_interfaces+=("$interface")

#Loop through the current interfaces. The first entry should overwrite, the rest should be appended.
for (( i = 0 ; i < ${#current_interfaces[@]} ; i++ ))
do
	if [ $i -eq 0 ]
	then
		#create (overwrites the existing INTERFACE list)
		$vuurmuur -M -n "$networkname" -V INTERFACE -S "${current_interfaces[$i]}"
		#echo "Create: ${current_interfaces[$i]}"
	else
		#append
		$vuurmuur -A -M -n "$networkname" -V INTERFACE -S "${current_interfaces[$i]}"
		#echo "Append: ${current_interfaces[$i]}"
	fi
done

#apply the changes.
$vuurmuur --reload

The following script removes the pppX interface from vuurmuur and removes it from the vpn.local network. Specify your own VPN network by changing the line networkname="vpn.local".

/etc/ppp/ip-down.d/vuurmuur_ppp.down

#!/bin/bash
networkname="vpn.local"
vuurmuur="vuurmuur_script"
interface=$1	# pppd passes the interface name as the first argument
ipaddress=$4	# and the local IP address as the fourth (unused here)

#Remove the current interface
$vuurmuur -D -i "$interface"

#Remove the interface from the specified network.
#--First check which interfaces are already there: print the network variables,
#  keep only the INTERFACE="..." lines and strip the INTERFACE=" prefix and the closing quote.
interfaces=$($vuurmuur -P -n "$networkname" | sed -n 's/^INTERFACE="\(.*\)"$/\1/p')

#loop through current interfaces, add these to the current_interfaces array. Do not add the interface that is going down.
current_interfaces=()
for current_interface in $interfaces
do
	if [ "$current_interface" != "$interface" ]
	then
		current_interfaces+=("$current_interface")
	fi
done

#${#current_interfaces[@]} is the number of array elements (${#current_interfaces} would be the length of the first element only).
if [ ${#current_interfaces[@]} -eq 0 ]
then
	#Remove all interfaces
	$vuurmuur -M -n "$networkname" -V INTERFACE -S ""
else
	#The first entry should overwrite, the rest should be appended.
	for (( i = 0 ; i < ${#current_interfaces[@]} ; i++ ))
	do
		if [ $i -eq 0 ]
		then
			#create (overwrites the existing INTERFACE list)
			$vuurmuur -M -n "$networkname" -V INTERFACE -S "${current_interfaces[$i]}"
			#echo "Create: ${current_interfaces[$i]}"
		else
			#append
			$vuurmuur -A -M -n "$networkname" -V INTERFACE -S "${current_interfaces[$i]}"
			#echo "Append: ${current_interfaces[$i]}"
		fi
	done
fi

#apply the changes.
$vuurmuur --reload
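Both hooks above share the same list-rebuilding logic: read the current INTERFACE entries of the network, drop the interface that is going up or down, re-append it in the up case, then overwrite the list with the first entry and append the rest (or clear it when nothing is left). The following is an added example, not code from the original page or from the Vuurmuur project, that runs that logic offline against a constructed sample of vuurmuur_script -P output (assumed to contain one INTERFACE="name" line per interface, as the scripts above expect) and prints the vuurmuur_script calls a hook would execute instead of running them. The sample output and the function names parse_interfaces, build_interface_list, render_commands and plan are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the Vuurmuur wiki page or project): dry-run of the
# INTERFACE list rebuild done by the ip-up/ip-down hooks, against constructed input.

# Constructed sample of `vuurmuur_script -P -n vpn.local` output (assumed format:
# VARIABLE="value" per line, one INTERFACE line per interface in the network).
SAMPLE_PRINT='ACTIVE="Yes"
NETWORK="10.8.0.0"
NETMASK="255.255.255.0"
INTERFACE="ppp0"
INTERFACE="ppp1"
COMMENT="VPN clients"'

# parse_interfaces: stdin = -P output; stdout = one interface name per line.
# Only INTERFACE="..." lines are kept; prefix and closing quote are stripped.
parse_interfaces() {
    sed -n 's/^INTERFACE="\(.*\)"$/\1/p'
}

# build_interface_list <interface> <up|down>: stdin = -P output; stdout = the
# new list. The given interface is always removed first (so a reconnecting
# pppX is not listed twice) and appended again only when it is coming up.
build_interface_list() {
    iface=$1
    action=$2
    parse_interfaces | awk -v skip="$iface" '$0 != skip'
    [ "$action" = up ] && printf '%s\n' "$iface"
    return 0
}

# render_commands <network>: stdin = interface list; stdout = the vuurmuur_script
# calls the hook would run. The first entry overwrites the INTERFACE variable
# (-M), later entries append (-A -M); an empty list clears the variable.
render_commands() {
    network=$1
    n=0
    while IFS= read -r iface; do
        [ -z "$iface" ] && continue
        if [ "$n" -eq 0 ]; then
            printf 'vuurmuur_script -M -n %s -V INTERFACE -S %s\n' "$network" "$iface"
        else
            printf 'vuurmuur_script -A -M -n %s -V INTERFACE -S %s\n' "$network" "$iface"
        fi
        n=$((n + 1))
    done
    [ "$n" -eq 0 ] && printf 'vuurmuur_script -M -n %s -V INTERFACE -S ""\n' "$network"
    return 0
}

# plan <interface> <up|down> <network>: end-to-end dry run on the sample output.
plan() {
    printf '%s\n' "$SAMPLE_PRINT" | build_interface_list "$1" "$2" | render_commands "$3"
}

# Usage: show what the ip-up hook would do when ppp2 appears.
plan ppp2 up vpn.local
```

Running the block prints the three calls for ppp2 coming up (overwrite with ppp0, append ppp1, append ppp2). Piping a single INTERFACE="ppp0" line through build_interface_list ppp0 down and render_commands shows the clear-the-variable call that the ip-down hook issues when the last tunnel disappears, which is exactly the branch the original down script mis-tested with ${#current_interfaces}.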

Last modified on 07/23/08 17:59:35