Using a PPP Link


Most of this book assumes that the network to which the Linux computer is connected is a dedicated one, such as an Ethernet network. In this environment, it's possible to run servers, as discussed in Parts II and III; the security and router issues of Part IV are very important, as well. Some configurations, though, use a less permanent type of network link. These connections use a telephone modem and PPP to create a temporary connection to the Internet, or at least to one other computer. Although you're not likely to run servers over a PPP link, they do have their place. For instance, you might run a small office or home office network, and so use various local network servers, as discussed in Part II, but use a PPP link to connect that network to the Internet on an as-needed basis. You can even share this connection among all the computers on the network by setting up Network Address Translation (NAT; also called IP masquerading), as discussed in Chapter 25. In order to do these things, though, you'll first have to establish the PPP connection. This section describes how to do this.

PPP over Ethernet

Some low-end DSL connections use a variant of PPP, known as PPPoE. The 2.4.x Linux kernel includes PPPoE support, but it's considered experimental. The most common PPPoE tool for Linux in 2002 is the Roaring Penguin PPPoE client (http://www.roaringpenguin.com/pppoe/). This package comes in source code form or as RPM packages for a variety of platforms.

After you install Roaring Penguin, type adsl-setup or tkpppoe to configure the tool. (The latter command requires installation of Roaring Penguin GUI tools; the former is a text-based program.) You'll be asked for information such as your username and password, and the script will store all the information and create a dialing script called adsl-start. You can run this script to initiate a PPPoE connection.

It's important to note that Roaring Penguin requires that you have support for your network device. Linux works with all external Ethernet-based DSL modems, provided you have a supported Ethernet card. If your DSL modem is USB-based or internal, though, you'll need to locate drivers for it, and these are rare in 2002.

Using a GUI Dialer

PPP can be a tricky tool to use; the protocol has many options that, if set incorrectly, can disrupt the PPP connection or even prevent it from coming up initially. For this reason, many people find it easier to use PPP via a GUI dialer than through configuration scripts. In fact, many Linux GUI PPP dialers closely resemble their counterparts in other OSs, such as Windows, so if you're familiar with PPP in another OS, you shouldn't have too much difficulty using a Linux GUI PPP dialer.

Different GUI dialers differ in some details, but they are similar in broad outline. This section presents information on the popular KPPP dialer, which is part of the K Desktop Environment (KDE). You can use KPPP even if you don't use KDE; or you can use GNOME PPP (part of the GNU Network Object Model Environment, or GNOME) or a dialer that's not part of any desktop environment, such as X-ISP (http://xisp.hellug.gr).

NOTE

Before using KPPP, you must sign up for a dial-up account and test your modem's functionality in Linux. Check your telephone book for ISPs to obtain an account, or consult an online resource such as The List (http://www.thelist.com) if you've got access through some other computer. To test the modem, connect it and (if it's an external model) turn it on. You should be able to send data to /dev/ttyS0, /dev/ttyS1, or some other port. If you're using the new devfs (http://www.atnf.csiro.au/~rgooch/linux/docs/devfs.html) to automatically create device files, you'll use /dev/tts/0, /dev/tts/1, and so on. You can most easily test this configuration by using a terminal program like the text-based minicom or the GUI Seyon, both of which ship with most Linux distributions. If you can get an AT prompt from the modem, you know that Linux can use the modem.


To start KPPP, you can select it from a menu on your desktop environment, or you can type kppp in an xterm. The result should resemble Figure 2.4, except that the first time you launch KPPP, it probably won't include any ISP names in the Connect To list, nor a login ID or password. In order to set the program up to use an account, follow these steps:

  1. Click the Setup button. This action will produce the KPPP Configuration dialog box shown in Figure 2.5. From here, you can enter critical account information for future connections.

    Figure 2.5. The KPPP Configuration dialog box controls hardware features associated with a PPP connection, such as what modem device to use, and lets you modify specific accounts using other dialog boxes.

  2. Click New to create a new account. KPPP asks if you want to use a wizard or set up via dialog boxes. Although the wizard is purported to be easier, it begins by asking for your country, and there's no entry for the United States. I therefore present the dialog box procedure, which produces the New Account dialog box shown in Figure 2.6.

    Figure 2.6. The New Account dialog box lets you enter many important account details.

  3. Type the name of your ISP into the Connection Name field.

  4. Click Add. This action produces a small dialog box in which you may enter a telephone number for your ISP. Be sure to include any digits you need to dial an outside line, or the area code if you need to dial it. When you click OK in this dialog box, the Phone Number field should reflect the addition. You may repeat this step if you want to enter multiple numbers that the dialer will attempt in sequence, should one number be busy.

  5. Most ISPs today use the Password Authentication Protocol (PAP) for communicating the username and password, so you should probably leave the Authentication selector in the New Account dialog box set to PAP. You can change this to various other options if required, though. Of particular interest is the Challenge Handshake Authentication Protocol (CHAP), which some ISPs use.

  6. If your ISP gave you a list of DNS servers as part of your sign-up process, click the DNS tab of the New Account information and enter each IP address in the DNS IP Address field, clicking Add after entering each address.

  7. Click OK in the New Account dialog box. You should see the new entry appear in the list in the KPPP Configuration dialog box (Figure 2.5).

  8. Click the Device tab in the KPPP Configuration dialog box. Set the Modem Device to whatever device name your system uses for the modem. This is often /dev/modem (the default), but may be /dev/ttyS0, /dev/ttyS1, or something more exotic. You may also want to adjust the Connection Speed option on this tab. The default is 57,600, but 115,200 provides better speed on most systems. (Higher values don't work on most hardware.) The speed you set here is for communication between your computer and your modem. The connect speed between your modem and your ISP is likely to be lower, but if your modem uses compression, a local connection speed of about twice the modem-to-modem speed is optimal.

  9. Click OK in the KPPP Configuration dialog box. You should now be able to select your new account in the main KPPP window (Figure 2.4), if it's not selected by default.

Figure 2.4. GUI PPP dialers usually provide some way of selecting an account, entering a username and password, and initiating a connection.

NOTE

The KPPP Configuration and New Account dialog boxes both include tabs and options I've not discussed here. In most cases, you won't need to adjust these values, but sometimes they're vital. If you have problems connecting or if you want to enable a feature you've heard about but that's not covered here, check these tabs for options that might help. The PPP HOWTO document (http://www.linuxdoc.org/HOWTO/PPP-HOWTO/) includes additional information on PPP and debugging PPP connections.


Using a GUI PPP dialer is a fairly simple matter; after launching the program, you need only click the Connect button (which may be called something else in some programs). Some dialers will provide you with an indication of their progress during the connection phase, and many modems will echo the sounds of the modem negotiations. In KPPP, clicking the Show Log Window button will provide added details. Some dialers, including KPPP, require you to enter the username (in the Login ID field) and password before clicking Connect. Others will ask for this information after you click Connect. Many let you store your password on disk (the Store Password check box in the KPPP New Account dialog box lets you set this option).

WARNING

Storing your PPP dialup password on the computer is a potential security risk. This risk may be small for an isolated computer that you use to initiate connections, but if the computer has many users, some of whom shouldn't have access to the PPP account, the risk may be greater. At the very least, you should not use your PPP dialup account password for any other purpose, so that if the PPP password is stolen you need not change any other passwords.


Once a connection is initiated, the Connect button changes names so that you can break a connection. (Some dialers may use a different button or present another dialog box to let you end a connection.) If your ISP or telephone company charges by the minute, remember to do this or you'll get an unexpectedly large bill!

Adjusting Configuration Scripts

GUI dialers are a convenient way to get started with PPP, but they aren't ideal for all situations. For instance, if you want to initiate a PPP connection automatically, a GUI dialer won't do the job, because it requires manual intervention to begin the call. For this reason, PPP connection scripts can also initiate connections. You may use these scripts manually or as part of an auto-dialing scheme, as discussed in the next section, "Configuring Dial-on-Demand." Using the scripts requires setting authentication options and configuring the scripts themselves.

Setting PPP Authentication Options

As noted earlier, most ISPs use a protocol called PAP for authenticating dial-in users. In order to use this protocol from a dialing script, you need to edit the file /etc/ppp/pap-secrets. (A similar file, called /etc/ppp/chap-secrets, is used by another protocol that some ISPs use. Both files use the same format, so you can edit both, if you like.) This file consists of a series of lines, one for each PPP account you have. The format of each line is as follows:

  username   server   password   IP_address  

Each of these elements is separated by one or more spaces or tabs. Their meanings are as follows:

  • username: This is the username to be used on the ISP's system. This username is unrelated to your Linux username; it's the one your ISP gave you.

  • server: This is the name of the computer to which yours communicates. You don't normally know this name, so this field should contain a single asterisk (*), to denote that PPP will accept any hostname.

  • password: As you might guess, this is the password on the remote system.

  • IP_address: This is the IP address your system expects to get. Most PPP systems don't guarantee you a specific IP address, so this field is empty (the line has only three fields).

WARNING

The pap-secrets file must store the password in an unencrypted form. This fact means that the file is extremely sensitive; if an unauthorized party obtains the file, that individual will be able to use your PPP account without your authorization. If possible, you shouldn't use this password for anything other than basic access; try to use a different password for e-mail retrieval or to log on to any other computer or network, for instance. For security, most distributions ship with pap-secrets set to root ownership, and only root has read access to the file. You should leave it this way unless you have a good reason for changing it.


Most systems connect to just one ISP, so the pap-secrets file will have just one line. This line might resemble the following:

 penguin   *   w8terfow1 
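
A check for the two things this section asks of pap-secrets and chap-secrets, the field layout and root-only access, added here as an example that is not from the book or the ppp package. It assumes no field contains quoted whitespace; the audit_secrets function and the EXPECTED_UID variable are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the book: audit a pppd secrets file.
# Assumption: no field contains quoted whitespace.
EXPECTED_UID=${EXPECTED_UID:-0}   # root, as the warning above recommends

# audit_secrets FILE: print findings, return how many there were (0 = clean)
audit_secrets() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # "ls -ldn" gives the mode string in field 1 and the numeric owner in field 3.
    listing=$(ls -ldn -- "$file")
    mode=$(printf '%s\n' "$listing" | awk '{ print $1 }')
    uid=$(printf '%s\n' "$listing" | awk '{ print $3 }')

    if [ "$uid" != "$EXPECTED_UID" ]; then
        echo "OWNER: $file is owned by uid $uid, expected $EXPECTED_UID"
        findings=$((findings + 1))
    fi

    # Characters 5-10 of the mode string are the group and other permissions.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "MODE: $file is $mode; group and other must have no access"
        findings=$((findings + 1))
    fi

    # Each entry is: username server password [IP_address].
    # Only line numbers are reported, so the cleartext password is never echoed.
    bad=$(awk 'NF == 0 || $1 ~ /^#/ { next }
               NF < 3 || NF > 4 {
                   print "FORMAT: line " NR " has " NF " fields, want 3 or 4"
               }' "$file")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
    fi
    return "$findings"
}

# Constructed sample: the book's example entry plus one malformed line.
demo=$(mktemp)
printf '%s\n' '# username server password [IP_address]' \
    'penguin   *   w8terfow1' 'penguin   *' > "$demo"
chmod 644 "$demo"
audit_secrets "$demo" || echo "findings: $?"
rm -f "$demo"
```

Run as root against the real files, for instance audit_secrets /etc/ppp/pap-secrets, a clean file prints nothing and returns 0.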

Configuring Dialing Scripts

Once you've set up the PAP or CHAP authentication file, you can begin adjusting the dialing scripts themselves. Because GUI dialers have become so prevalent, most distributions now hide these scripts in a documentation directory, such as /usr/share/doc/ppp-version/scripts, where version is the version of PPP your distribution uses, such as 2.4.0. There are three scripts that are of interest:

  • ppp-on: This script sets important variables, such as your ISP's telephone number, and calls the Linux PPP utility (pppd).

  • ppp-on-dialer: ppp-on passes this script to pppd, which uses it to control the initial stages of communication with the ISP's system.

  • ppp-off: This script terminates a PPP session.

You'll need to modify ppp-on, and possibly ppp-on-dialer, in order to connect to an ISP. You'll also probably want to move all three scripts to a convenient location, like /usr/local/bin. In ppp-on, set the following items:

  • Locate the TELEPHONE variable and set it to your ISP's telephone number. For instance, the line might read TELEPHONE=555-9876 when it's set correctly.

  • Set the values for the ACCOUNT and PASSWORD variables. If your ISP uses PAP, these variables won't actually be used, so you should set them to some dummy values, such as the values they contain by default.

  • If your ISP provides you with a fixed IP address or if you know the IP address of the system to which you'll be connecting, you can set the LOCAL_IP and REMOTE_IP variables appropriately. Likewise, you can change the NETMASK variable if you know what your network mask should be. You can usually leave all three of these variables alone.

  • Locate the DIALER_SCRIPT variable and set it to point to the location of your ppp-on-dialer script. (Point to the copy you intend to modify, not the original in the documentation directory.) The default value is /etc/ppp/ppp-on-dialer, and you can put your script there if you like.

  • The end of the script is a call to pppd. This is Linux's PPP tool, and it supports a large number of options. You should not have to modify most of these, but there are some exceptions. Specifically, you may need to set the device file used by your modem (the default is usually /dev/ttyS0), as well as the connection speed (the default is normally 38400, but 115200 usually works better).

Once you've adjusted your ppp-on script to your needs, you should examine the ppp-on-dialer script. This script controls pppd's interactions with your modem, including sending the commands that cause it to dial, and any interactions required to log in if your ISP doesn't use PAP or CHAP. The script does this by calling a utility known as chat, which handles automated exchanges with tools that expect text-based input. Most of this script is a series of expect/reply strings, arranged in columns. The first column is the value for which the script looks, and the second column is the reply that chat sends. Some of these, such as an expect value of ABORT, carry special meaning; for instance, ABORT tells chat when to halt because of an error. Most of the lines end in a backslash (\), the common convention for a line continuation. (In reality, chat expects a single line with interspersed expect/reply pairs; they're grouped in columns only for the convenience of humans.) The final line lacks a backslash.

The main feature that may need adjustment is the final three lines of the ppp-on-dialer script. The default script is usually written with the expectation that the ISP is not using PAP, so it concludes with two lines that echo your username and password (as entered in the ACCOUNT and PASSWORD variables in ppp-on). You may need to delete these lines or comment them out (by preceding them with pound signs, #). If you do this, you'll also have to remove the backslash from the third-to-last line, which normally begins with an expect string of CONNECT. Removing these final two lines and adjusting the preceding one will cause chat to terminate immediately after connection, whereupon pppd will try to use PAP or CHAP to authenticate the connection. If your ISP does not use PAP or CHAP, you may need to modify the expect portions of these lines to match the prompts your ISP uses for your username and password, and possibly add more prompts if you have to enter additional commands yourself, such as a command to explicitly start PPP on the ISP's system.

Using PPP Dialing Scripts

Editing the script files is the most difficult part of initiating a PPP connection via these scripts. When this task is done, you need only type ppp-on (preceded by a complete path to the script, if you didn't put it somewhere on your path) to initiate a connection. If your modem is external, you should see its lights blink, and if it's configured to echo sounds to its speaker during dialing, you should hear this process. If all goes well, after a few seconds you should be able to access the Internet using Linux's normal networking tools.

If you encounter problems, you should first check the log file to which pppd logs its actions (normally /var/log/messages). The end of this file should contain information on pppd's actions, including whatever caused it to fail (a timeout waiting for PAP, a failure when running chat, or what have you). If this output is cryptic or doesn't provide you with the clues you need, try searching for keywords related to your problem on http://groups.google.com. This site hosts archives of recent posts to Usenet newsgroups, where discussions of problems with PPP and other Linux networking tools frequently appear. Searching there will quite possibly turn up an answer, or at least a lead you can follow. The PPP HOWTO document, mentioned earlier, also has PPP debugging tips.

One drawback to connecting via scripts is that most distributions are configured in such a way that only root may initiate a PPP connection. This can be an important security measure on a multi-user system, because you may not want unauthorized personnel making random PPP connections. It can be a nuisance, though. The GUI dialers get around this problem by using the set user ID (SUID) bit to have the GUI dialer run with root privileges. Of course, this opens up the system to the security problems of allowing random users access to the dialer. (You may restrict execute privileges to the GUI dialer by creating a PPP users group, assigning the GUI dialer to that group, and denying world execute privileges on the program.)
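
The group restriction described in the parenthesis above, with a check for a dialer that is still SUID and world-executable, added here as an example that is not from the book or from any dialer's own packaging. The function names, the group name pppusers and the /usr/bin/kppp path in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the book: limit a SUID root dialer to one group.
# Assumed usage, as root (group name and path are site choices):
#   groupadd pppusers
#   restrict_dialer /usr/bin/kppp pppusers

# world_can_run_suid MODE_STRING: true (0) if the "ls -l" mode string shows
# a set-user-ID program that every local user may execute.
world_can_run_suid() {
    suid=$(printf '%s' "$1" | cut -c4)       # s or S: set-user-ID bit
    other_x=$(printf '%s' "$1" | cut -c10)   # x or t: world execute
    case $suid in s|S) ;; *) return 1 ;; esac
    case $other_x in x|t) return 0 ;; *) return 1 ;; esac
}

# restrict_dialer PROGRAM GROUP
# chgrp runs first: Linux clears the SUID bit when an executable's group
# changes, so chmod has to be the last step. Mode 4750 keeps SUID, lets the
# group execute, and removes all access for everyone else.
restrict_dialer() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# audit_dialer PROGRAM: print a verdict, return 1 if the program is exposed
audit_dialer() {
    mode=$(ls -ldn -- "$1" | awk '{ print $1 }')
    if world_can_run_suid "$mode"; then
        echo "EXPOSED: $1 ($mode) runs as its owner for every local user"
        return 1
    fi
    echo "OK: $1 ($mode)"
}

# Constructed mode strings: a stock SUID install, then the restricted form.
for m in -rwsr-xr-x -rwsr-x---; do
    if world_can_run_suid "$m"; then
        echo "$m: any user can dial"
    else
        echo "$m: restricted"
    fi
done
```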

Many ISPs communicate the IP addresses of DNS servers along with other information as part of the PPP negotiation. Sometimes, though, you'll need to enter this information in /etc/resolv.conf yourself, as described earlier in this chapter in "Configuring DNS." You should be able to set up your DNS servers permanently.

Configuring Dial-on-Demand

When your computer is used primarily as a single-user workstation, GUI dialers or manually launched scripts like ppp-on are good methods of initiating PPP connections. In a multi-user environment, though, these tools have their problems. Users could try to initiate connections when they're already up, terminate connections when other users are using them, or accidentally leave connections active for long periods of time. For this reason, Linux supports a procedure known as dial-on-demand, which is implemented through a program called diald. This tool detects outgoing network traffic, initiates a PPP connection in response to the traffic, and terminates the connection after a specified period of time with no network activity. The result is that users may use network tools almost as if they were on an always-up network connection; they need take no explicit actions to start or stop the PPP link. There will be a delay, however, between the time when diald detects the outgoing traffic and the time the connection is finished (after all, the system has to dial the modem, and the modem must negotiate the connection). If you program the system to drop a connection too soon after the cessation of network activity, this can result in annoying delays during normal network use: say, a long pause when a user clicks on a link in a Web page, because the connection timed out when the user was reading the first page.

To use diald, you must have SLIP support compiled in your kernel, as described in Chapter 1. This is because diald uses SLIP to set up a virtual connection, essentially linking your computer to the diald program itself. Programs therefore see an always-up network interface, and diald receives the network traffic so that it can control when to initiate the real connection.

Unfortunately, most Linux distributions don't ship with diald. You can obtain the package from its home Web site, http://diald.sourceforge.net, or you can search for a prebuilt binary on http://www.rpmfind.net or http://www.debian.org/distrib/packages for RPM or Debian packages, respectively.

The diald program is controlled through three configuration files:

  • /etc/diald.conf: This file sets many of the configuration options that are normally handled by ppp-on, including the modem device filename (device) and connect speed (speed). The local and remote options set the IP addresses used internally by diald. You should set both addresses to ones on the same network segment, but neither address should be used on the Internet or your own local network (if you have one). Addresses in the 192.168.x.x range are typically good choices.

  • /etc/ppp/diald-dialer: This file is essentially identical to the ppp-on-dialer script described earlier. You should adjust it just as you would ppp-on-dialer.

  • /usr/lib/diald/standard.filter: This file defines the timeout periods that diald uses to decide when to drop a connection. You can specify different types of connections by the destination connection type, as shown in /etc/services. In each case, you tell diald to remain up for a given number of seconds. The default file should be a reasonable starting point, and you can modify it if you find that diald is dropping connections too soon.

In addition to these configuration files, you must edit your /etc/ppp/pap-secrets or /etc/ppp/chap-secrets file if your ISP uses PAP or CHAP, just as for a regular script-based PPP connection. You may also need to enter your ISP's DNS server addresses in /etc/resolv.conf, as described earlier. To use diald, type /usr/sbin/diald as root to start the program. It should then detect outgoing network activity and initiate a connection. Because of the connection delays, though, a first attempt to use a tool may fail; for instance, a Web browser may time out before it can display a page. The second attempt should work, though.

If you want your system to start diald automatically when it boots, you can create a SysV startup script, or add an entry to a local startup script, such as /etc/rc.d/rc.local or /etc/rc.d/boot.local. Whether you start it manually or automatically, diald can detect network traffic that originates on a local network if you configure your computer to function as a NAT router, as described in Chapter 25. Thus, you can link a small local network to the Internet via a Linux computer and modem, and configure your local computers as if they were on the Internet at large, using the Linux system as the local gateway.



Advanced Linux Networking
ISBN: 0201774232
EAN: 2147483647
Year: 2002
Pages: 203