  VPN HOWTO
  Matthew D. Wilson, matthew@shinythings.com
  <mailto:matthew@shinythings.com>
  v 1.0, Dec 1999
  Japanese translation: Miyata, t-miya@rb3.so-net.ne.jp
  <mailto:t-miya@rb3.so-net.ne.jp>
  v1.0j, 18 August 2000

  This HOWTO describes how to set up a Virtual Private Network (VPN) with
  Linux.
  ______________________________________________________________________

  Table of Contents

  1. Introduction
     1.1 Why I wrote this HOWTO
     1.2 Acknowledgements
     1.3 Format of this document
     1.4 Copyright and disclaimer
     1.5 Credits
     1.6 Related documentation

  2. Theory
     2.1 What is a VPN?
        2.1.1 But really, what is a VPN?
        2.1.2 So how does it work?
     2.2 SSH and PPP
     2.3 Alternative VPN systems
        2.3.1 PPTP
        2.3.2 IP Sec
        2.3.3 CIPE

  3. Server
     3.1 Security - keeping people out
        3.1.1 Trim your daemons
        3.1.2 Don't allow passwords
     3.2 User access - letting people in
        3.2.1 Configuring sshd
     3.3 Restricting users
        3.3.1 sudo or not sudo
     3.4 Networking
        3.4.1 The kernel
        3.4.2 Filter rules
        3.4.3 Routing

  4. Client
     4.1 The kernel
     4.2 Bringing up the link
     4.3 Scripting
     4.4 LRP - Linux Router Project

  5. Implementation
     5.1 Planning
     5.2 Collecting the tools
        5.2.1 For the server -
        5.2.2 For the client -
     5.3 Server - building the kernel
     5.4 Server - configuring the network
        5.4.1 Configuring the interfaces
        5.4.2 Setting the routes
        5.4.3 Making the filter rules
        5.4.4 Routing
     5.5 Server - configuring pppd
        5.5.1 /etc/ppp/
        5.5.2 /etc/ppp/options
        5.5.3 Avoiding conflicts
     5.6 Server - configuring sshd
     5.7 Server - setting up user accounts
        5.7.1 Adding the vpn-users group
        5.7.2 The vpn-users home directory
        5.7.3 The .ssh directory
        5.7.4 Adding users
     5.8 Server - administration
     5.9 Client - building the kernel
     5.10 Client - configuring the network
        5.10.1 Interfaces
        5.10.2 Filter rules
        5.10.3 Setting the routes
     5.11 Client - configuring pppd
     5.12 Client - configuring ssh
     5.13 Client - bringing up the connection
     5.14 Client - setting the routes
     5.15 Client - scripting
        5.15.1 Keeping it running

  6. Addenda
     6.1 Pitfalls
        6.1.1 read: I/O error
        6.1.2 SIOCADDRT: Network is unreachable
        6.1.3 IPv4 forwarding and 2.2 kernels
        6.1.4 Setting routes
     6.2 Hardware and software requirements
        6.2.1 Minimal hardware requirements
        6.2.2 Software requirements

  ______________________________________________________________________

  1.  Introduction

  1.1.  Why I wrote this HOWTO

  I work in networking and needed a VPN service. This was my first real
  project, and in doing it I learned a great deal about Linux. I'm
  writing this document about the project so that others can share what
  I learned and do equally great things with Linux.

  1.2.  Acknowledgements

  First, I thank my wife Julie. Without her I wouldn't be here. I also
  thank Arpad Magosanyi, author of the original VPN mini-howto and of
  pty-redir, who made all of this possible. Jerry, Rod, Glen, Mark V.,
  Mark W., and David, thanks as well. Thanks to everyone for their help.

  1.3.  Format of this document

  This document is divided into 5 sections.

     Section 1 - Introduction
        This section.

     Section 2 - Theory
        Basic VPN theory: what a VPN is and how it works. Read it if you
        don't already know all about VPNs.

     Section 3 - Server
        This section describes how to configure the VPN server.

     Section 4 - Client
        This section describes how to configure the VPN client.

     Section 5 - Implementation
        Walks step by step through the configuration of a sample VPN.

     Section 6 - Addenda
        Things that may or may not be of help to you.

  1.4.  Copyright and disclaimer

  [Translator's note: the English text is authoritative.]

  Copyright (c) by Matthew Wilson. This document may be distributed only
  subject to the terms and conditions set forth in the LDP License at
  http://www.linuxdoc.org/COPYRIGHT.html
  <http://www.linuxdoc.org/COPYRIGHT.html>, except that this document
  must not be distributed in modified form without the author's consent.

  The author assumes no responsibility for anything done with this
  document, nor does he make any warranty, implied or explicit.  If you
  break it, it's not my fault.  Remember, what you do here could make
  very large holes in the security model of your network.  You've been
  warned.

  1.5.  Credits

  [Translator's note: the English text is authoritative.]

  The original VPN mini-HOWTO was written by Arpad Magosanyi
  <mag@bunuel.tii.matav.hu> in 1997.  He has since allowed me to take up
  the document and extend it into a full HOWTO.  All of this would not
  be possible without his original document.  Thanks again Arpad. :)

  Version 1.0 of this HOWTO was completed on 10 December 1999.

  1.6.  Related documentation

  o  Networking Overview HOWTO
     <http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html>

  o  Networking HOWTO <http://www.linuxdoc.org/HOWTO/NET3-4-HOWTO.html>
     [Translator's note: a Japanese translation is at
     <http://www.linux.or.jp/JF/JFdocs/NET3-4-HOWTO.html>.]

  o  VPN-Masquerade HOWTO
     <http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html>

  2.  Theory

  2.1.  What is a VPN?

  VPN stands for Virtual Private Network. A VPN uses the Internet as its
  transport mechanism while keeping the data it carries secure.

  2.1.1.  But really, what is a VPN?

  There are two answers to this. The first is the physical network
  layout. The most common configuration is a single central network,
  with remote nodes using the VPN to gain full access to the central
  network. The remote nodes are typically remote offices or employees
  working from home. You can also join two small (or large!) networks
  together to form an even larger single network.

  2.1.2.  So how does it work?

  To build a VPN you simply create a secure tunnel between the two
  networks and route IP through it. If that lost you, read The Linux
  Networking Overview HOWTO
  <http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html> and
  learn about networking under Linux.

  Bear with me; the ASCII art is about to get ugly.

                                        \          \
                     --------------     /          /    --------
       Remote    ___| Client      |____\  Inter-   \___| Server |______ Private
       Network      | Router      |    /   net     /   | Router |       Network
                     --------------     \          \    --------
                                        /          /

                            Client Router
                     -----------------------------------------------------
                    |   /->    10.0.0.0/255.0.0.0   \                     |
   Remote           |  |-->  172.16.0.0/255.240.0.0  |--> tunnel >--\     |
   Network    >-----|--|--> 192.168.0.0/255.255.0.0 /                |--|----> Internet
   192.168.12.0     |  |                                             |  |
                    |   \-----> 0.0.0.0/0.0.0.0 --> IP masquerade >--/  |
                     -----------------------------------------------------

                             Server Router
                     ------------------------------------------------------
                    |                     /->    10.0.0.0/255.0.0.0    \   |
                    |   /--> tunnel >--|-->  172.16.0.0/255.240.0.0   |--|--> Private
  Internet  >-------|--|               \--> 192.168.0.0/255.255.0.0 /   |    Network
                    |  |                                                |   172.16.0.0/12
                    |   \-----> 0.0.0.0/0.0.0.0 -----> /dev/null        |  192.168.0.0/16
                     ------------------------------------------------------

  This diagram shows how the network might be built. If you don't know
  what IP masquerading is, you probably shouldn't be here yet. Read The
  Linux Networking Overview HOWTO
  <http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html> and
  come back once you understand it.

  The client router is a Linux box acting as the gateway/firewall for
  the remote network. As you can see, the remote network uses the local
  network 192.168.12.0. To keep the diagram simple I left out the
  router's local routing table. The basic idea is to route traffic for
  all of the private networks (10.0.0.0, 172.16.0.0, 192.168.0.0)
  through the tunnel. What I've done here is one-way: the remote
  network can see the private network, but the private network cannot
  see the remote network. For that to happen you have to specify that
  the routes run in both directions.

  From the diagram you should also notice that all traffic leaving the
  client router appears to come from the client router, that is, from a
  single IP address. You could route the real addresses of your network
  instead, but that brings all sorts of security problems with it.

  2.2.  SSH and PPP

  I've only written about a VPN system that uses SSH and PPP. Basically
  it uses ssh to create the tunnel connection and pppd to run TCP/IP
  traffic through it. That is the tunnel.

  The trick that makes ssh and pppd work together is a method shown by
  Arpad Magosanyi that redirects the standard output of a pseudo
  terminal. This lets pppd talk through ssh as if ssh were a serial
  line. On the server side, pppd runs as the user's shell within the ssh
  session, completing the link. After that all that's left is to set up
  the routes.

  2.3.  Alternative VPN systems

  Of course there are other ways to build a VPN. Here are three other
  systems.

  2.3.1.  PPTP

  PPTP is Microsoft's protocol for VPNs. It is supported under Linux,
  but is known to have serious security problems. I won't describe how
  to use it here, since it's covered in the Linux VPN Masquerade HOWTO
  <http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html>.

  2.3.2.  IP Sec

  IP Sec is a different set of protocols from SSH. I don't know much
  about it, so I won't be much help if you need assistance with it.
  Again, I won't describe how to use it here, since it's covered in the
  Linux VPN Masquerade HOWTO
  <http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html>.

  2.3.3.  CIPE

  CIPE is a kernel-level network encryption system that may be better
  suited to enterprise setups. Details are on the CIPE homepage
  <http://sites.inka.de/sites/bigred/devel/cipe.html>. I intend to look
  into it in more detail, so I'll probably have more to say about it
  soon.

  3.  Server

  The client is a matter for later; this section describes what needs
  to be done first and how to set it up on the server.

  3.1.  Security - keeping people out

  Security is extremely important to a VPN. That's why you're building
  one, isn't it? You need to keep a few things in mind when setting up
  your server.

  3.1.1.  Trim your daemons

  Since this server sits outside your firewall and is set up to forward
  traffic into your network, it's a good idea to secure it as well as you
  possibly can. You can read more about Linux security in the Linux
  Security HOWTO <http://www.linuxdoc.org/HOWTO/Security-HOWTO.html>.
  [Translator's note: a Japanese translation is at
  <http://www.linux.or.jp/JF/JFdocs/Security-HOWTO.html>.] For my
  purposes I've killed everything except sshd and a Roxen Web server. I
  use the web server to download a couple of files (my scripts and so
  on) for setting up new machines to access the VPN. I don't use an FTP
  server, since it's harder to configure one securely than it is to make
  a couple of files available through the web server, and I only need to
  be able to download files. If you really want to run other servers on
  your gateway, think about restricting access so that only machines on
  your private network can reach them.

  3.1.2.  Don't allow passwords

  Yes, this sounds a bit stupid. Why not? Simply not using passwords at
  all makes things more secure. All authentication on this machine
  should be done through ssh's public key authentication system. That
  way only people with keys can get in, and remembering a 530-character
  binary key is next to impossible.

  So how do you do that? You need to edit the /etc/passwd file. The
  second field holds either the password hash or an 'x' that tells the
  authentication system to look in /etc/shadow. All you need to do is
  disable this field.

  A typical /etc/passwd file looks like this -

  ....
  nobody:x:65534:100:nobody:/dev/null:
  mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
  joe:*:504:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
  bill:*:504:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
  frank:*:504:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
  ....

  Note that I've done more than just edit the second field. I'll cover
  the other fields later.

  3.2.  User access - letting people in

  User access is handled through ssh's authentication scheme. As I said
  above, this is how users get access to the system while a high level
  of security is maintained. If you're not familiar with ssh, have a
  look at http://www.ssh.org/ <http://www.ssh.org/>. Note that I use
  ssh version 1, not version 2. There's a big difference: version 1 is
  free, and 2 is not.

  3.2.1.  Configuring sshd

  You'll need to configure sshd. The options should look something like
  the following. The intent is to disable password authentication and
  rhosts authentication. The following options should appear in your
  /etc/sshd_config file.

  PermitRootLogin yes
  IgnoreRhosts yes
  StrictModes yes
  QuietMode no
  CheckMail no
  IdleTimeout 3d
  X11Forwarding no
  PrintMotd no
  KeepAlive yes
  RhostsAuthentication no
  RhostsRSAAuthentication no
  RSAAuthentication yes
  PasswordAuthentication no
  PermitEmptyPasswords no
  UseLogin no

  3.3.  Restricting users

  Now that the bad guys are kept out and the good guys can get in, we
  should make sure the good guys behave. This is very easy to do: just
  don't let them run anything but pppd. This may or may not be
  necessary. I restrict my users because the system I maintain is
  dedicated to the VPN and users have no need to do anything else on
  it.

  3.3.1.  sudo or not sudo

  There's a small, elegant program called sudo that lets a Unix system
  administrator allow certain users to run certain programs as root.
  It's needed here because pppd has to run as root. You'll need to use
  this method if you want to give users shell access. Read the sudo man
  page to find out how to set it up and use it. In general, sudo is the
  best approach on a multi-purpose system that semi-trusted users are
  allowed to use.

  If you decide not to give users shell access, the best way to keep
  intruders out is to make the users' shell pppd. This is done in the
  /etc/passwd file. You can see it in the last three users shown in the
  ``Don't allow passwords'' section above. The last field of
  /etc/passwd is the user's shell. Nothing special needs to be done for
  pppd to work this way; it runs as root when the user connects. This
  is the simplest, most secure and most fool-proof setup. It's ideal for
  large or loosely organized systems. This is the setup I describe in
  the rest of this document. If you like, you can read ahead now.

  3.4.  Networking

  Users can now get into the system, but we need to make sure they can
  reach the network too. That's done with the Linux kernel's firewall
  rules and routing tables. Using the route and ipfwadm commands you can
  configure the kernel to handle network traffic appropriately. For more
  on ipfwadm, ipchains and route, see the Linux Networking HOWTO
  <http://www.linuxdoc.org/HOWTO/Linux-Networking-HOWTO.html>.

  3.4.1.  The kernel

  For all of this to work, the kernel must be configured correctly. If
  you don't know how to build a kernel, read the Kernel HOWTO
  <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>. In addition to
  basic networking, you'll need to make sure the following kernel
  options are turned on. My systems run a 2.0.38 kernel.

  For 2.0 kernels -

  o  CONFIG_FIREWALL

  o  CONFIG_IP_FORWARD

  o  CONFIG_IP_FIREWALL

  o  CONFIG_IP_ROUTER

  o  CONFIG_IP_MASQUERADE (optional)

  o  CONFIG_IP_MASQUERADE_ICMP (optional)

  o  CONFIG_PPP

  For 2.2 kernels -

  o  CONFIG_FIREWALL

  o  CONFIG_IP_ADVANCED_ROUTER

  o  CONFIG_IP_FIREWALL

  o  CONFIG_IP_ROUTER

  o  CONFIG_IP_MASQUERADE (optional)

  o  CONFIG_IP_MASQUERADE_ICMP (optional)

  o  CONFIG_PPP

  3.4.2.  Filter rules

  Next we write the firewall filter rules that keep users off the
  Internet while letting them reach the network. If this seems odd,
  think about it: they can already get to the Internet, so why should
  they use the tunnel to reach it? That just wastes bandwidth and
  processor time.

  The rules you apply depend on the network you're using. In practice
  the users are told: "no traffic from outside the VPN is allowed onto
  the net". So how do you do that? As you'd expect, it depends. If
  you're running a 2.0 kernel you use a tool called ipfwadm. If you're
  running a 2.2 kernel you use a utility called ipchains.

  To set the rules with ipfwadm, run it with options like the following.

  # /sbin/ipfwadm -F -f
  # /sbin/ipfwadm -F -p deny
  # /sbin/ipfwadm -F -a accept -S 192.168.13.0/24 -D 172.16.0.0/12

  To set the rules with ipchains, run it with options like the
  following.

  # /sbin/ipchains -F forward
  # /sbin/ipchains -P forward DENY
  # /sbin/ipchains -A forward -j ACCEPT -s 192.168.13.0/24 -d 172.16.0.0/12

  If you're using a 2.2 kernel, read the ``Pitfalls'' section as well.

  3.4.3.  Routing

  Users now have access to the network, so next the kernel has to be
  told where to send packets. On my system I have two ethernet cards.
  One is on the external network, the other on the internal network.
  With that arrangement, traffic headed outside is masqueraded by the
  gateway and all incoming traffic is routed by the Cisco, so routing is
  no problem at all. For most setups the routes should be simple.

  What you do is set a route that sends all traffic for the private
  network out the internal interface, and all other traffic out the
  external interface. The exact route commands depend on the network
  you're using. Below is an example of what they might look like. These
  lines are of course in addition to the basic routes for your local
  network. You probably won't be using all three groups of numbers
  either.

  Assuming 172.16.254.254 is the gateway -

  # /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.254.254 dev eth1
  # /sbin/route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.16.254.254 dev eth1
  # /sbin/route add -net 192.168.0.0 netmask 255.255.0.0 gw 172.16.254.254 dev eth1

  One further note on routing. If you use bidirectional routes, for
  example to a remote office, you need to do one more thing. On the
  server you have to set routes back to the client. The simplest way I
  know is to run a cron job every minute that sets the return routes. If
  the client isn't connected, route just prints an error (which you can
  send to /dev/null).

  4.  Client

  Now let's look at the client side. Besides giving the remote network
  access, this box can in practice also serve as a Samba (Windows
  networking) server, a DHCP server, or even a web server. The important
  thing to remember is that this box acts on behalf of the whole remote
  network, so it should be as secure as possible.

  4.1.  The kernel

  Speaking of important things, you need to enable ppp in the kernel.
  If other machines are going to use the tunnel through this one, you
  also need firewalling and forwarding enabled. If the client is a
  single machine, ppp alone is enough.

  4.2.  Bringing up the link

  Here I'll explain how pppd runs over a pseudo terminal. (The pseudo
  terminal) is created by pty-redir and connected to ssh. This is done
  with commands like the following -

  # /usr/sbin/pty-redir /usr/bin/ssh -t -e none -o 'Batchmode yes' -c blowfish -i /root/.ssh/identity.vpn -l joe vpn.mycompany.com > /tmp/vpn-device
  # sleep 10

  # /usr/sbin/pppd `cat /tmp/vpn-device`
  # sleep 15

  # /sbin/route add -net 172.16.0.0 gw vpn-internal.mycompany.com netmask 255.240.0.0
  # /sbin/route add -net 192.168.0.0 gw vpn-internal.mycompany.com netmask 255.255.0.0

  This simply runs ssh, redirecting its input and output to pppd. The
  options passed to ssh make it run without an escape character (-e),
  using the blowfish encryption algorithm (-c), using the identity file
  specified (-i), in terminal mode (-t), and with the option 'Batchmode
  yes' (-o). The sleep commands space out the commands so that each can
  finish starting up before the next one runs.

  4.3.  Scripting

  Of course you won't want to type all those commands every time you
  bring up the tunnel. I've written a set of bash scripts that keep the
  tunnel up. The package can be downloaded from
  <http://www.shinythings.com/vpnd/vpnd.tar.gz>. Download it and unpack
  it into /usr/local/vpn. It contains three files -

  o  vpnd - the script that controls the tunnel connection

  o  check-vpnd - a script run from cron to check whether vpnd is
     running

  o  pty-redir - a small executable needed to create the tunnel

  You'll need to edit vpnd to set things like the client's username and
  the server's name. You'll also need to edit the starttunnel section of
  the script to specify the network you're using. Below is a copy of the
  script for your reading pleasure. Note that if you put the scripts in
  a different directory, all you need to change is the VPN_DIR variable.

  #! /bin/bash
  #
  # vpnd: Monitor the tunnel, bring it up and down as necessary
  #

  USERNAME=vpn-username
  IDENTITY=/root/.ssh/identity.vpn

  VPN_DIR=/usr/local/vpn
  LOCK_DIR=/var/run
  VPN_EXTERNAL=vpn.mycompany.com
  VPN_INTERNAL=vpn-internal.mycompany.com
  PTY_REDIR=${VPN_DIR}/pty-redir
  SSH=${VPN_DIR}/${VPN_EXTERNAL}
  PPPD=/usr/sbin/pppd
  ROUTE=/sbin/route
  CRYPTO=blowfish
  PPP_OPTIONS="noipdefault ipcp-accept-local ipcp-accept-remote local noauth nocrtscts lock nodefaultroute"
  ORIG_SSH=/usr/bin/ssh

  starttunnel () {
     $PTY_REDIR $SSH -t -e none -o 'Batchmode yes' -c $CRYPTO -i $IDENTITY -l $USERNAME > /tmp/vpn-device
     sleep 15

     $PPPD `cat /tmp/vpn-device` $PPP_OPTIONS
     sleep 15

     # Add routes (modify these lines as necessary)
     /sbin/route add -net 10.0.0.0 gw $VPN_INTERNAL netmask 255.0.0.0
     /sbin/route add -net 172.16.0.0 gw $VPN_INTERNAL netmask 255.240.0.0
     /sbin/route add -net 192.168.0.0 gw $VPN_INTERNAL netmask 255.255.0.0
  }

  stoptunnel () {
     kill `ps ax | grep $SSH | grep -v grep | awk '{print $1}'`
  }

  resettunnel () {
     echo "resetting tunnel."
     date >> ${VPN_DIR}/restart.log
     eval stoptunnel
     sleep 5
     eval starttunnel
  }

  checktunnel () {
     ping -c 4 $VPN_EXTERNAL 2>/dev/null 1>/dev/null

     if [ $? -eq 0 ]; then
        ping -c 4 $VPN_INTERNAL 2>/dev/null 1>/dev/null
        if [ $? -ne 0 ]; then
           eval resettunnel
        fi
     fi
  }

  settraps () {
     trap "eval stoptunnel; exit 0" INT TERM
     trap "eval resettunnel" HUP
     trap "eval checktunnel" USR1
  }

  runchecks () {
     if [ -f ${LOCK_DIR}/vpnd.pid ]; then
        OLD_PID=`cat ${LOCK_DIR}/vpnd.pid`
        if [ -d /proc/${OLD_PID} ]; then
           echo "vpnd is already running on process ${OLD_PID}."
           exit 1
        else
           echo "removing stale pid file."
           rm -rf ${LOCK_DIR}/vpnd.pid
           echo $$ > ${LOCK_DIR}/vpnd.pid
           echo "checking tunnel state."
           eval checktunnel
        fi
     else
        echo $$ > ${LOCK_DIR}/vpnd.pid
        eval starttunnel
     fi
  }

  case $1 in
      check)  if [ -d /proc/`cat ${LOCK_DIR}/vpnd.pid` ]; then
                 kill -USR1 `cat ${LOCK_DIR}/vpnd.pid`
                 exit 0
              else
                 echo "vpnd is not running."
                 exit 1
              fi ;;

      reset)  if [ -d /proc/`cat ${LOCK_DIR}/vpnd.pid` ]; then
                 kill -HUP `cat ${LOCK_DIR}/vpnd.pid`
                 exit 0
              else
                 echo "vpnd is not running."
                 exit 1
              fi ;;

     --help | -h)
              echo "Usage: vpnd [ check | reset ]"
              echo "Options:"
              echo "     check    Sends running vpnd a USR1 signal, telling it to check"
              echo "              the tunnel state, and restart if necessary."
              echo "     reset    Sends running vpnd a HUP signal, telling it to reset"
              echo "              its tunnel connection." ;;
  esac

  ln -sf $ORIG_SSH $SSH
  settraps
  runchecks

  while true; do
     i=0
     while [ $i -lt 600 ]; do
        i=$((i+1))
        sleep 1
     done
     eval checktunnel
  done

  4.4.  LRP - Linux Router Project

  I actually run all of this on a Pentium 90MHz running the LRP
  distribution of Linux. LRP is a bootable Linux distribution that fits
  on a single floppy disk. You can learn more about it at
  http://www.linuxrouter.org/ <http://www.linuxrouter.org/>. My LRP
  package for the VPN client can be downloaded from
  <http://www.shinythings.com/vpnd/vpnd.lrp>. You'll also need the ppp
  and ssh packages from the LRP site.

  5.  Implementation

  In this section I'll describe, in order, how to build the VPN system.
  I'll start with the server and then move on to the client. To make it
  concrete, I'll consider a situation in which you need two kinds of
  VPN setup.

  5.1.  Planning

  Imagine a company called mycompany.com. At the head office it uses the
  reserved network 192.168.0.0, which for routing purposes is broken
  into the 256 class C networks of a class B. Two remote offices have
  just been set up and need to be added to the network. Employees
  working from home also need to be able to connect over dialup, DSL or
  cable modem. To get started, some planning is needed.

  To let each remote office grow as needed, each gets a class C range.
  So the networks 192.168.10.0 and 192.168.11.0 are reserved. For the
  home users, enough numbers are reserved that the VPN server won't need
  to masquerade; each client gets its own internal IP. That takes
  another class C, so 192.168.40.0 is reserved. These ranges then have to
  be added to the router. Let's say the company has a Cisco
  (192.168.254.254) that handles all traffic across the OC1. Routes are
  set on the Cisco so that traffic for these reserved networks goes to
  the VPN server (192.168.40.254). For reasons explained later, the VPN
  server is placed on the users' network. The server's external
  interface is named vpn.mycompany.com and its internal interface
  vpn-internal.mycompany.com.

  As for the external numbers, I don't need to know them. You should
  know the numbers your ISP assigned you.

  5.2.  Collecting the tools

  Now you need some software. Get the following packages and install
  them in their specified places.

  5.2.1.  For the server -

  o  pppd (version 2.3 or later)

  o  ssh (version 1.2.26 or later)

  5.2.2.  For the client -

  o  pppd (the same version as the server)

  o  ssh

  o  pty-redir <ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz>

  5.3.  Server - building the kernel

  First you'll probably need to rebuild the kernel for the server. Along
  with basic networking and whatever else you need, turn on the
  following options. If you've never built a kernel before, read the
  Kernel HOWTO <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>.
  [Translator's note: a Japanese translation is at
  <http://www.linux.or.jp/JF/JFdocs/Kernel-HOWTO.html>.]

  For 2.0 kernels -

  o  CONFIG_FIREWALL

  o  CONFIG_IP_FORWARD

  o  CONFIG_IP_FIREWALL

  o  CONFIG_IP_ROUTER

  o  CONFIG_PPP

  For 2.2 kernels -

  o  CONFIG_FIREWALL

  o  CONFIG_IP_ADVANCED_ROUTER

  o  CONFIG_IP_FIREWALL

  o  CONFIG_IP_ROUTER

  o  CONFIG_PPP

  5.4.  Server - configuring the network

  If you're building the server with only one network card, I recommend
  you get another and wire it in. The best way to keep your network
  private is to give it its own wire. If you have two network cards, you
  need to know how to set up each of them. I'll use eth0 for the
  external interface and eth1 for the internal one.

  5.4.1.  Configuring the interfaces

  First you need to configure the server's external interface. You
  should already know how to do that, and probably already have. If not,
  do it now. If you don't know how, read the Networking HOWTO
  <http://www.linuxdoc.org/HOWTO/NET3-4-HOWTO.html> first.

  Now we configure the internal interface. By the numbers chosen above,
  the server's internal interface is 192.168.40.254. So let's set that
  interface up.

  For 2.0 kernels, use -

  # /sbin/ifconfig eth1 192.168.40.254 netmask 255.255.255.0 broadcast 192.168.40.255
  # /sbin/route add -net 192.168.40.0 netmask 255.255.255.0 dev eth1

  For 2.2 kernels, use -

  # /sbin/ifconfig eth1 192.168.40.254 netmask 255.255.255.0 broadcast 192.168.40.255

  That sets up the basic interface. You can now talk to the machines on
  the local network the server is connected to.

  5.4.2.  Setting the routes

  You can now talk to the machines on the local network, but not to the
  rest of the network. That takes a few more lines. To reach the
  machines on the other subnets, the traffic has to be sent to the Cisco
  router, so a route like the following is needed. Do it like this -

  # /sbin/route add -net 192.168.0.0 gw 192.168.254.254 netmask 255.255.0.0 dev eth1

  This line tells the kernel that any traffic headed for the 192.168.0.0
  network should leave through eth1 and be handed to the Cisco. Traffic
  for the local network still goes to the right place, because the
  routing table is ordered by the size of the netmask. If there were
  more internal networks inside your network, you'd add a line like the
  one above for each of them.

  5.4.3.  Making the filter rules

  OK, now every machine we could possibly need is reachable. Next we
  have to write the firewall filter rules that control what may pass
  through the VPN server.

  To set the rules with ipfwadm, do the following -

  # /sbin/ipfwadm -F -f
  # /sbin/ipfwadm -F -p deny
  # /sbin/ipfwadm -F -a accept -S 192.168.40.0/24 -D 192.168.0.0/16
  # /sbin/ipfwadm -F -a accept -b -S 192.168.10.0/24 -D 192.168.0.0/16
  # /sbin/ipfwadm -F -a accept -b -S 192.168.11.0/24 -D 192.168.0.0/16

  To set the rules with ipchains, do the following -

  # /sbin/ipchains -F forward
  # /sbin/ipchains -P forward DENY
  # /sbin/ipchains -A forward -j ACCEPT -s 192.168.40.0/24 -d 192.168.0.0/16
  # /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.10.0/24 -d 192.168.0.0/16
  # /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.11.0/24 -d 192.168.0.0/16

  This tells the kernel to allow all traffic from the 192.168.40.0/24
  network to the 192.168.0.0/16 network. It also says that traffic may
  pass between 192.168.10.0/24 and 192.168.0.0/16 in both directions,
  and the same for the 192.168.11.0 network. The last two rules are
  bidirectional, which matters when routes have to work in both
  directions.
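  The following script is an added example, not part of the HOWTO or of
  its vpnd package. It simulates the forward chain built in sections
  3.4.2 and 5.4.3 so that you can check, before loading rules on a live
  box, which packets the policy would forward. It assumes the semantics
  both tools have as used above: default policy deny, first matching
  rule wins, and a rule carrying the -b flag also matching the reverse
  direction. The rule list is the server policy from 5.4.3 and the
  packet addresses are constructed from the HOWTO's example networks;
  the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): simulate the forward chain that
# the ipfwadm/ipchains rules in 3.4.2 and 5.4.3 build.
# Assumptions: default policy deny, first matching rule wins, and a rule
# marked "both" (the -b flag) also matches the reverse direction.

# Rule set from the HOWTO's server configuration: "SRC DST one-way|both".
SERVER_RULES='192.168.40.0/24 192.168.0.0/16 one-way
192.168.10.0/24 192.168.0.0/16 both
192.168.11.0/24 192.168.0.0/16 both'

# in_subnet IP NET/BITS: exit 0 when IP lies inside NET/BITS.
# Uses awk so the 32-bit arithmetic is exact on any shell.
in_subnet() {
    awk -v ip="$1" -v cidr="$2" '
        function to_int(a,   o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, p, "/")
            span = 2 ^ (32 - p[2])   # number of addresses in the host part
            if (int(to_int(ip) / span) == int(to_int(p[1]) / span)) exit 0
            exit 1
        }'
}

# forward_decision RULES SRC DST: print "accept" or "deny" for one packet.
forward_decision() {
    _src=$2
    _dst=$3
    while read -r _rsrc _rdst _dir; do
        [ -n "$_rsrc" ] || continue
        # forward direction of the rule
        if in_subnet "$_src" "$_rsrc" && in_subnet "$_dst" "$_rdst"; then
            echo accept
            return 0
        fi
        # reverse direction, only for bidirectional (-b) rules
        if [ "$_dir" = both ] && in_subnet "$_src" "$_rdst" && in_subnet "$_dst" "$_rsrc"; then
            echo accept
            return 0
        fi
    done <<EOF
$1
EOF
    echo deny      # no rule matched: the default policy applies
    return 0
}

# Demo: constructed packets checked against the server rule set.
for pkt in "192.168.40.7 192.168.0.10" "192.168.10.5 192.168.0.10" \
           "192.168.0.10 192.168.10.5" "192.168.0.10 192.168.11.9" \
           "10.1.2.3 192.168.0.10"     "192.168.10.5 10.1.2.3"; do
    set -- $pkt
    echo "$1 -> $2: $(forward_decision "$SERVER_RULES" "$1" "$2")"
done
```

  Swap in the client rule set from 5.10.2 (one bidirectional rule) to
  check the other end; a packet from a branch office to an address
  outside 192.168.0.0/16 is denied, which is exactly the "stay off the
  Internet through the tunnel" policy section 3.4.2 asks for.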

  5.4.4.  Routing

  For the home users everything should work at this point. For the
  remote offices, however, a few routes still have to be set. First, the
  main router, the Cisco, has to be told that the remote offices sit
  behind the VPN server. So on the Cisco, set routes that send traffic
  for the remote offices to the VPN server. Once that's done, the VPN
  server has to be told where to send the traffic for the remote
  offices. That's done with the route command on the server. The one
  problem with route is that the link has to be up, and if it goes down
  the route is lost. You could add the routes when the client connects,
  or, since route can be run as often as you like, the simple approach
  is to run it every minute. So write a script and add it to crontab to
  run once a minute. It should contain lines like these -

  /sbin/route add -net 192.168.11.0 gw 192.168.10.253 netmask 255.255.255.0
  /sbin/route add -net 192.168.10.0 gw 192.168.11.253 netmask 255.255.255.0

  5.5.  Server - configuring pppd

  Now let's configure pppd on the server to handle the VPN connections.
  If you already use this server for dialup users, or with a modem of
  some kind, remember that these changes could affect those services. At
  the end of this section I'll discuss how to avoid conflicts.

  5.5.1.  /etc/ppp/

  There may be several files in this directory. You probably already
  have a file called options. It holds all of pppd's global options.
  These options cannot be overridden on the pppd command line.

  5.5.2.  /etc/ppp/options

  The options file should contain at least the following -

  ipcp-accept-local
  ipcp-accept-remote
  proxyarp
  noauth

  The first two lines tell pppd to accept whatever the other end
  specifies as IP addresses. This is needed for the remote offices, but
  you can disable it if you only connect single users. It doesn't stop
  the server from assigning addresses, so it's fine to leave it enabled;
  it only says that what the client asks for may be accepted.

  The third line is very important. From the pppd man page -

  proxyarp
         Add an entry to this system's ARP [Address Resolution Protocol]
         table with the IP address of the peer and the Ethernet address
         of this system.  This will have the effect of making the peer
         appear to other systems to be on the local ethernet.

  This is very important, because without it local traffic can't find
  its way back through the tunnel.

  The last line is important too. It tells pppd not to require the peer
  to authenticate with a username and password. That's safe, because
  sshd has already authenticated the user.

  5.5.3.  Avoiding conflicts

  If you're already using pppd for other services, you should consider
  that their configuration may differ from what the VPN system needs.
  pppd is designed so that the options in the main /etc/ppp/options file
  cannot be overridden by options given at run time. That is for
  security reasons. To avoid conflicts, work out which options clash,
  and move them from the main file into a separate options file that
  pppd loads only when it's run by that other application.

  5.6.  Server - configuring sshd

  Below is the content of my /etc/sshd_config file. Yours should look
  the same, or similar -

  # This is the ssh server system wide configuration file.

  Port 22
  ListenAddress 0.0.0.0
  HostKey /etc/ssh_host_key
  RandomSeed /etc/ssh_random_seed
  ServerKeyBits 768
  LoginGraceTime 600
  KeyRegenerationInterval 3600
  PermitRootLogin yes
  IgnoreRhosts yes
  StrictModes yes
  QuietMode no
  FascistLogging yes
  CheckMail no
  IdleTimeout 3d
  X11Forwarding no
  PrintMotd no
  KeepAlive yes
  SyslogFacility DAEMON
  RhostsAuthentication no
  RhostsRSAAuthentication no
  RSAAuthentication yes
  PasswordAuthentication no
  PermitEmptyPasswords no
  UseLogin no

  CĂׂdvȓ_́ApX[hF؂ "r" T[rXSĂɂ
  ĖɂȂĂƂƂłB́A[`FbN₻̓̃bZ
  [WANCAg pppd ̂ŖɂĂ
  Broot OC͋Ă܂A̓L[Ȃɂ͎słȂ
  ߁A\ɈSłB
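  An added example, not from the HOWTO: a small sh script that audits an
  sshd_config for the settings this section (and 3.2.1) relies on and
  flags any keyword that is missing or weakened. It assumes, as sshd
  does, that the first uncommented occurrence of a keyword is the one in
  effect. The sample configs it writes are constructed for the demo, and
  the helper names (sshd_setting, audit_sshd_config, write_sample_config)
  are my own.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): audit an sshd_config for the
# settings the HOWTO's server configuration relies on.
# Assumption: as in sshd, the first uncommented occurrence of a keyword
# is the one that takes effect.

# Keyword/value pairs the HOWTO's sshd listing requires.
REQUIRED_SETTINGS='PasswordAuthentication no
PermitEmptyPasswords no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
X11Forwarding no
UseLogin no'

# sshd_setting FILE KEYWORD: print the value on KEYWORD's first active
# line (keywords are matched case-insensitively, as sshd matches them).
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per deviation from
# REQUIRED_SETTINGS; the return value is the number of deviations
# (0 means the file is hardened the way the HOWTO describes).
audit_sshd_config() {
    _file=$1
    _bad=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        _have=$(sshd_setting "$_file" "$_key")
        if [ -z "$_have" ]; then
            echo "MISSING $_key (want $_want; sshd falls back to its compiled-in default)"
            _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            echo "WEAK    $_key $_have (want $_want)"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    return $_bad
}

# write_sample_config FILE hardened|weak: write a constructed sshd_config.
# "hardened" mirrors the HOWTO's listing; "weak" re-enables passwords and
# leaves out the RhostsRSAAuthentication line so the audit has something
# to report.
write_sample_config() {
    cat > "$1" <<EOF
# constructed sample sshd_config
Port 22
PermitRootLogin yes
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
UseLogin no
EOF
    if [ "$2" = weak ]; then
        echo "PasswordAuthentication yes" >> "$1"
    else
        echo "RhostsRSAAuthentication no" >> "$1"
        echo "PasswordAuthentication no" >> "$1"
    fi
}

# Demo: audit both constructed samples.
for mode in hardened weak; do
    tmp=$(mktemp)
    write_sample_config "$tmp" "$mode"
    rc=0
    audit_sshd_config "$tmp" || rc=$?
    echo "$mode sample: $rc problem(s)"
    rm -f "$tmp"
done
```

  Run it against the real file with audit_sshd_config /etc/sshd_config
  after editing, and again after any upgrade of the ssh package, since
  a package's default file can quietly reintroduce password logins.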

  5.7.  Server - setting up user accounts

  Next we set up the user accounts.

  5.7.1.  Adding the vpn-users group

  Run -

  # /usr/sbin/groupadd vpn-users

  Now cat the /etc/group file and look at the last line. It should be
  the entry for the vpn-users group. Note the third field: that's the
  group ID (GID). Remember it; you'll need it shortly. In my example the
  GID is 101.

  5.7.2.  The vpn-users home directory

  I use a single home directory for all the users. Run -

  # mkdir /home/vpn-users

  5.7.3.  The .ssh directory

  Create the .ssh directory inside the vpn-users home directory.

  # mkdir /home/vpn-users/.ssh

  5.7.4.  Adding users

  Now for the fun part. We edit the /etc/passwd file. :) Normally you'd
  let the system handle this file, but for an odd setup like this one
  it's easier to do by hand. First open /etc/passwd and see what's in
  it. It should look something like this -

  ....
  nobody:x:65534:100:nobody:/dev/null:
  mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
  joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
  bill:*:1020:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
  frank:*:1020:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
  ....

  Most systems have the user on the first line. The second user is me.
  :) The next three are the vpn-users I created. The first field is the
  username and the second is the password field. The third is the user
  ID (UID) and the fourth the group ID (GID). The fifth field is the
  user's name, the sixth the user's home directory, and the last the
  user's shell. The fields are separated by colons. Look at the last
  three lines. The only differences between them are the username in the
  first field and the name in the fifth. What we want is a line like
  that for every user. Don't use a single user for all connections;
  you'd no longer be able to tell them apart. So copy the last line of
  the file and edit it to look like the following. Make sure the second
  field contains an asterisk (*). The third field should differ from
  every other ID in the file; I use 1020. Numbers below 1000 are
  reserved for the system, so use something above that. The fourth field
  is the vpn-users group ID. Remember I said you'd need it? Put the
  group ID here. Finally, change the home directory to /home/vpn-users
  and the shell to /usr/sbin/pppd. That's it. Now copy that line for the
  other users, changing only the first and fifth fields.
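  Hand-editing /etc/passwd invites mistakes, so here is an added example
  (not part of the HOWTO) that audits the vpn-users lines for the shape
  described above: password field *, UID at or above 1000, the vpn-users
  GID, the shared home directory and pppd as the shell. The constants are
  the HOWTO's example values; the sample file is constructed, with the
  HOWTO's own lines followed by two deliberately wrong ones, and the
  helper names (audit_vpn_passwd, write_sample_passwd) are my own.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): audit /etc/passwd-style lines
# for the vpn-users account shape the HOWTO describes.  The values below
# are the HOWTO's own (GID 101, /home/vpn-users, /usr/sbin/pppd, and
# UIDs of 1000 or more).

VPN_GID=101
VPN_HOME=/home/vpn-users
VPN_SHELL=/usr/sbin/pppd

# audit_vpn_passwd FILE: check every line that is in the vpn-users group
# or uses pppd as its shell.  Prints one line per problem; the exit status
# is the number of problems (0 means every VPN account is shaped right).
audit_vpn_passwd() {
    awk -F: -v gid="$VPN_GID" -v home="$VPN_HOME" -v shell="$VPN_SHELL" '
        function bad(user, msg) { printf("%s: %s\n", user, msg); n++ }
        /^#/ || NF == 0 { next }
        $4 == gid || $7 == shell {
            if (NF != 7)       bad($1, "expected 7 colon-separated fields, got " NF)
            if ($2 != "*")     bad($1, "password field is \"" $2 "\"; must be \"*\" so only ssh keys work")
            if ($3 + 0 < 1000) bad($1, "UID " $3 " is in the range below 1000 reserved for the system")
            if ($4 != gid)     bad($1, "GID " $4 " is not the vpn-users GID " gid)
            if ($6 != home)    bad($1, "home directory " $6 " is not " home)
            if ($7 != shell)   bad($1, "shell \"" $7 "\" is not " shell "; a real shell gives the user more than the tunnel")
        }
        END { exit n + 0 }
    ' "$1"
}

# write_sample_passwd FILE: constructed excerpt.  The first five lines are
# the HOWTO's own example; the last two are deliberately wrong (eve keeps
# a shadow password and a real shell, sam has a system UID and a private
# home directory).
write_sample_passwd() {
    cat > "$1" <<'EOF'
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:1020:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:1020:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
eve:x:1021:101:Eve Example (home),,,:/home/vpn-users:/bin/bash
sam:*:504:101:Sam Example (home),,,:/home/sam:/usr/sbin/pppd
EOF
}

# Demo: audit the constructed file.
tmp=$(mktemp)
write_sample_passwd "$tmp"
rc=0
audit_vpn_passwd "$tmp" || rc=$?
echo "$rc problem(s) found"
rm -f "$tmp"
```

  On the live server, audit_vpn_passwd /etc/passwd gives a quick check
  after every manual edit; anything it reports is a user who could end
  up with more than the tunnel.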

  5.8.  Server - administration

  One advantage of using the system's user accounts is that you can use
  the UNIX user management commands. Since the clients log in as users,
  you can use the standard methods to gather user statistics. Below are
  the commands I use most to see what's going on.

     who
        Shows the users currently logged in, where they're coming from
        (name or IP) and on which port.

     w  This command shows a wider range of information about who is
        logged in. It tells you the system's uptime and load. It also
        shows each user's current process (for VPN clients it should be
        -pppd), their idle time, and the CPU used by all of their
        processes. Read the w man page for more.

     last [username]
        Shows the login history of the named user, or of all users if
        none is given. It tells you how long users stayed logged in, or
        that they're still logged in, so it's the handiest way to check
        that the tunnel stays up. Be warned that on a system that has
        been up for a while this list can get very long. Pipe it through
        grep or head to find exactly what you're after.

  You can control which users may connect by editing the
  /home/vpn-users/.ssh/authorized_keys file. Remove a user's public key
  line from the file and they can no longer log in.

  5.9.  Client - building the kernel

  On to the client. First, rebuild the kernel so that it supports
  everything needed. The minimum is ppp in the kernel. Beyond that, if
  you want other machines to reach the tunnel through this one, you also
  need forwarding, firewalling and gateway features. For this example,
  as part of the layout, the client is set up as the machine at one of
  the remote offices. Turn on the following options. To repeat myself,
  if you've never built a kernel before read the Kernel HOWTO
  <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>. [Translator's
  note: a Japanese translation is at
  <http://www.linux.or.jp/JF/JFdocs/Kernel-HOWTO.html>.]

  For 2.0 kernels -

  o  CONFIG_PPP

  o  CONFIG_FIREWALL

  o  CONFIG_IP_FORWARD

  o  CONFIG_IP_FIREWALL

  o  CONFIG_IP_ROUTER

  o  CONFIG_IP_MASQUERADE

  o  CONFIG_IP_MASQUERADE_ICMP

  For 2.2 kernels -

  o  CONFIG_PPP

  o  CONFIG_FIREWALL

  o  CONFIG_IP_ADVANCED_ROUTER

  o  CONFIG_IP_FIREWALL

  o  CONFIG_IP_ROUTER

  o  CONFIG_IP_MASQUERADE

  o  CONFIG_IP_MASQUERADE_ICMP

  5.10.  Client - configuring the network

  Now we set up the client box. Let's assume the external network is
  already configured and working. Next, the client's internal interface
  has to be configured to serve the internal network.

  5.10.1.  Interfaces

  First the internal network interface has to be set up. Add the
  following to /etc/rc.d/rc.inet1 (or its equivalent) -

  For 2.0 kernels -

  /sbin/ifconfig eth1 192.168.10.253 broadcast 192.168.10.255 netmask 255.255.255.0
  /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 dev eth1

  For 2.2 kernels -

  /sbin/ifconfig eth1 192.168.10.253 broadcast 192.168.10.255 netmask 255.255.255.0

  5.10.2.  Filter rules

  Since this is a remote office, the filter rules should allow traffic
  through the tunnel in both directions. Add the following lines to
  /etc/rc.d/rc.inet1 (or its equivalent) -

  For 2.0 kernels -

  /sbin/ipfwadm -F -f
  /sbin/ipfwadm -F -p deny
  /sbin/ipfwadm -F -a accept -b -S 192.168.10.0/24 -D 192.168.0.0/16

  For 2.2 kernels -

  /sbin/ipchains -F forward
  /sbin/ipchains -P forward DENY
  /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.10.0/24 -d 192.168.0.0/16

  You'll notice that these lines are the same as on the server. That's
  because they do the same thing. The rules simply describe where
  traffic may flow between the two networks.

  5.10.3.  Setting the routes

  The only extra routes needed are created by the script that builds
  the tunnel.

  5.11.  Client - configuring pppd

  There's no need to edit the client's /etc/ppp/options file at all,
  unless it contains the "auth" option or some other specific options.
  Try it and see; if it doesn't work, an empty /etc/ppp/options will.
  To find out which options break it (if any), add the options from the
  old file back one at a time and check whether it still works. This may
  not be needed at all; if you don't use pppd for anything else, it
  won't be.

  5.12.  Client - configuring ssh

  On the client, run the following as root -

  # mkdir /root/.ssh
  # ssh-keygen -f /root/.ssh/identity.vpn -P ""

  This creates two files in the .ssh directory, identity.vpn and
  identity.vpn.pub. The first is your private key and should be kept
  safe. Never send it across a network except inside an encrypted
  session. The second file is your public key. It only lets you access
  the system; it can't be used to get into your system, so you can do
  whatever you like with it. It's a text file with a single line that
  holds the actual key. The end of the line is a comment field that you
  can change without fear of breaking the key. For example, a key looks
  like this -

  1024 35 1430723736674162619588314275167.......250872101150654839 root@vpn-client.mycompany.com

  It's actually much longer than that, but it wouldn't fit on the page.
  Copy the key into the /home/vpn-users/.ssh/authorized_keys file on the
  server. Make sure there is one key per line and that no key is broken
  across lines. You can change the comment field to anything you like so
  you remember which line belongs to which user. I strongly recommend
  doing so.

  5.13.  Client - bringing up the connection

  Now let's actually connect to the VPN server. First, make a simple
  connection to set up ssh's known_hosts file. Run -

  # ssh vpn.mycompany.com

  Answer ''yes'' when asked whether to continue the connection. The
  server will say ''permission denied'', but that's fine. It's important
  that you use the same server name here as in the connection script.
  Now run the following. You'll probably need to change most of the
  options to match your setup.

  # /usr/sbin/pty-redir /usr/bin/ssh -t -e none -o 'Batchmode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpn-user vpn.mycompany.com > /tmp/vpn-device

  (wait about 10 seconds)

  # /usr/sbin/pppd `cat /tmp/vpn-device` 192.168.10.254:192.168.40.254

  Note the IP addresses given on the pppd line. The first is the address
  of the client end of the tunnel. The second is the address of the
  server end of the tunnel, which is the server's internal address. If
  all of this seems to work, carry on. If not, check that all of the
  options you gave are correct. If it still doesn't work, check the
  ``Pitfalls'' section.

  5.14.  Client - setting the routes

  Now set a route that sends traffic through the tunnel. Just run -

  # /sbin/route add -net 192.168.0.0 gw vpn-internal.mycompany.com netmask 255.255.0.0

  You should now be able to talk to the machines on the other end of the
  tunnel. Try it. Did it work? If not, use ping and traceroute to find
  where the problem is. If it works, keep going and set up the scripts
  that will do this for you.

  5.15.  Client - scripting

  Use the vpnd script shown above. A few changes are needed. Make these
  changes -

  o  Change the variables at the top as described earlier. Most can stay
     as they are, but change them if you need to.

  o  Line 27 - add the local and remote IP addresses before
     $PPP_OPTIONS.

  o  Line 31 - change this line and the following two to set the routes
     for your network.

  5.15.1.  Keeping it running

  bash scripts aren't all that reliable; I know they fail. To make sure
  the vpnd script keeps running, add a crontab entry on the client that
  runs the check-vpnd script. I run it every 5 minutes. If vpnd really
  is running, check-vpnd uses very little CPU.

  6.  Addenda

  6.1.  Pitfalls

  There are a few problems you'll probably run into while using this
  system. I list them here so that you can avoid them. If you run into
  new ones, please mail me <mailto:matthew@shinythings.com> so I can
  help everyone else avoid them too.

  6.1.1.  read: I/O error

  This error clearly comes from pppd. It's related to incompatible pppd
  versions. If it happens, try upgrading pppd on both ends of the
  connection to the latest version. I've noticed that pppd version 2.2
  has this problem, so use version 2.3.7 or 2.3.8 instead.

  6.1.2.  SIOCADDRT: Network is unreachable

  This problem comes from route. I've seen it happen when the sleep
  between ssh and pppd isn't long enough. When you get this error, try
  running ifconfig. There's probably no pppX interface. That means ssh
  hadn't finished authenticating before pppd started, so pppd couldn't
  make its connection. Just lengthen the sleep and the problem should go
  away.

  I don't know of a pppd option that would fix this.

  6.1.3.  IPv4 forwarding and 2.2 kernels

  With the newer 2.2 kernels, you have to explicitly enable IP
  forwarding in the kernel at boot time. That's done with this command -

  # echo 1 > /proc/sys/net/ipv4/ip_forward

  Without it the kernel won't forward any packets, so neither the server
  nor a client acting as a gateway will work at all.

  6.1.4.  Setting routes

  Something I haven't mentioned yet: when you set up a real user, be
  careful not to set a route that sends traffic for the VPN server's
  external address through the tunnel. It won't work. (Trust me. This
  comes from personal experience.)

  6.2.  Hardware and software requirements

  6.2.1.  Minimal hardware requirements

  Believe it or not, this system ran on a 486SX33 with 8 MB of RAM. It
  did have trouble with large amounts of traffic, but not enough to
  bother me much.

  You don't need much more than that to run it. I had this system
  running very nicely on a Pentium 75 using the floppy-based LRP
  distribution, with a 6 MB RAMDISK and 10 MB of main RAM, 16 MB in
  total. During that time I tested it by streaming 700kbit RealVideo for
  over an hour.

  Since it had no PCI slot to take a 100Mbit ethernet card, I now run it
  on the Pentium 90 mentioned earlier.

  6.2.2.  Software requirements

  This system works on both 2.0 and 2.2 kernels. The scripts that keep
  the tunnel up need a reasonably recent bash. I found that with the
  bash version that came with my distribution, the scripts didn't work
  very well.

  Also, if anyone can help improve these scripts (or replace them with
  an executable), I'd appreciate it. My bash scripts don't follow the
  rules and break things in ways I can't sort out properly. If you can
  improve them, please send e-mail to matthew@shinythings.com
  <mailto:matthew@shinythings.com>.

     [Translator's note: the Japanese translation was produced by the
     following people.

     v1.0j, 18 August 2000
        Translation: Miyata <t-miya@rb3.so-net.ne.jp>

        Proofreading: <kikutani@galaxy.net>, <takei@kondara.org>,
        <nakano@apm.seikei.ac.jp>, <hmiyano@webjapan.com>,
        <dica@eurus.dti.ne.jp>]

