VPN HOWTO

VPN HOWTO
Matthew D. Wilson, [email protected]
<mailto:[email protected]>
v 1.0, Dec 1999
�{�c ��, [email protected] <mailto:[email protected]
net.ne.jp>
v1.0j, 18 August 2000

�� HOWTO �́A��ɂ�� Linux �ŉ��z�v��C�x�[�g�l�b�g��[�N (VPN)
��\�z��邩�Ƃ��Ƃɂ��ċL�q��ꂽ��̂ł��B
______________________________________________________________________

�ڎ�

1. ��
1.1 �Ȃ�� HOWTO ��
1.2 ��ӂƂ��
1.3 ��̃h�L��g�̌`��
1.4 ��쌠��іƐӎ��
1.5 ��
1.6 �֘A�h�L��g

2. ��_
2.1 VPN�Ƃ͉��H
2.1.1 �ŁA��ۂ̂Ƃ��AVPN �Ƃ́H
2.1.2 ��łǂ��ɓ��삷��́H
2.2 SSH��PPP
2.3 ��̑�� VPN �V�X�e��
2.3.1 PPTP
2.3.2 IP Sec
2.3.3 CIPE

3. �T�[�o
3.1 �Z�L��e�B �| �l�X��ߏo��
3.1.1 �f�[��点
3.1.2 �p�X��[�h��
3.2 ��[�U�A�N�Z�X - �݂�Ȃ𒆂�
3.2.1 sshd ��ݒ肷��
3.3 ��[�U�𐧌��
3.3.1 sudo ��ۂ�
3.4 �l�b�g��[�L��O
3.4.1 �J�[�l��
3.4.2 �t�B��^�K��
3.4.3 ��[�e�B��O

4. �N��C�A��g
4.1 �J�[�l��
4.2 ��N��m��
4.3 �X�N��v�g��
4.4 LRP - Linux ��[�^�v��W�F�N�g

5. ��s
5.1 �v��
5.2 �c�[��W�߂�
5.2.1 �T�[�o�ɑ΂�� -
5.2.2 �N��C�A��g�ɑ΂�� -
5.3 �T�[�o - �J�[�l��\�z��
5.4 �T�[�o - �l�b�g��[�N��ݒ肷��
5.4.1 �C��^�[�t�F�[�X��ݒ肷��
5.4.2 �o�H��ݒ肷��
5.4.3 �t�B��^�K��쐬��
5.4.4 �o�H��ݒ肷��
5.5 �T�[�o - pppd ��ݒ肷��
5.5.1 /etc/ppp/
5.5.2 /etc/ppp/options
5.5.3 �Փ˂��
5.6 �T�[�o - sshd ��ݒ肷��
5.7 �T�[�o - ��[�U�A�J�E��g��ݒ肷��
5.7.1 vpn-users �O��[�v��ǉ��
5.7.2 vpn-users �̃z�[��f�B��N�g��
5.7.3 .ssh �f�B��N�g��
5.7.4 ��[�U��ǉ��
5.8 �T�[�o - �Ǘ��
5.9 �N��C�A��g - �J�[�l��\�z��
5.10 �N��C�A��g - �l�b�g��[�N��ݒ肷��
5.10.1 �C��^�[�t�F�[�X
5.10.2 �t�B��^�K��
5.10.3 �o�H��ݒ肷��
5.11 �N��C�A��g - pppd��ݒ肷��
5.12 �N��C�A��g - ssh ��ݒ肷��
5.13 �N��C�A��g - �ڑ��m��
5.14 �N��C�A��g - �o�H��ݒ肷��
5.15 �N��C�A��g - �X�N��v�g��
5.15.1 ��s��

6. �t�L
6.1 ��Ƃ��
6.1.1 read: I/O error (�ǂݍ�� - I/O �G��[)
6.1.2 SIOCADDRT: Network is unreachable (SIOCADDRT - �l�b�g��[�N�͓��B�s�\)
6.1.3 IPv4 �t�H��[�f�B��O�� 2.2 �J�[�l��
6.1.4 �o�H��ݒ肷��
6.2 �n�[�h�E�F�A��у\�t�g�E�F�A�v��
6.2.1 �Œ��̃n�[�h�E�F�A�v��
6.2.2 �\�t�g�E�F�A�v��

______________________________________________________________________

1. ��

1.1. �Ȃ�� HOWTO ��

��̓��A��l�b�g��[�N�X�ɋΖ��Ă�� VPN �T�[�r�X��K�v�Ƃ��Ă��܂�
��B��͎��ɂƂ��ď��߂Ă̌��̃v��W�F�N�g�ŁA��̎d��ɔ�ׂ�ƁA
�� Linux �ɂ��Ė{��ɑ��w�т܂��B��́A�w�񂾂��Ƃ𑼂�
�݂�ȂƋ��L��A�ނ��܂� Linux �łƂĂ�f��炵��Ƃ��o��悤�A
��̃v��W�F�N�g�ɂ��o��g��Ă��̃h�L��g��M��܂��B

1.2. ��ӂƂ��

�܂��A�^��ɉ䂪�� Julie �Ɋ��ӂ��܂��B�ޏ��Ȃ��č��̎��͖��
��ł��傤�B�܂��A��̑S�Ă�\�ɂ��A�ŏ�� VPN mini-howto and
pty-redir �̎��M�҂ł�� Arpad Magosanyi �ɂ��Ǝv��
��BJerry, Rod, Glen, Mark V., Mark W., ��ꂩ�� David, �C��Ă邺�B
�݂Ȃ��̋��͂Ɋ��ӂ��܂��B

1.3. ��̃h�L��g�̌`��

��̃h�L��g�� 5�̃Z�N�V��ɕ��Ă��܂��B

�Z�N�V��1 - ��
��̃Z�N�V��

�Z�N�V��2 - ��_
VPN �̊�{�I��_�ł��BVPN �Ƃ͉��A�ǂ̂悤�ɓ��삷��̂��B��
VPN �ɂ��đS��̏��߂ĂȂ�A��ǂ�ł��B

�Z�N�V��3 - �T�[�o
��̃Z�N�V��ł� VPN �T�[�o�̐ݒ�@�ɂ��ďq�ׂ܂��B

�Z�N�V��4 - �N��C�A��g
��̃Z�N�V��ł� VPN �N��C�A��g�̐ݒ�@�ɂ��ďq�ׂ܂��B

�Z�N�V��5 - ��s
�T��v��ƂȂ� VPN �̐ݒ��菇�𓥂�Ŏ��s��Ă݂܂��B

�Z�N�V��6 - �t�L
��Ȃ��̏��ɂȂ邩��Ȃ��A��̑��̂��Ƃ��ł��B

1.4. ��쌠��іƐӎ��

�ȉ��̕��͎Q�l�̂��ߖ󕶂��܂��A��D�悳��܂��B

Copyright (c) by Matthew Wilson. This document may be distributed only
subject to the terms and conditions set forth in the LDP License at
http://www.linuxdoc.org/COPYRIGHT.html
<http://www.linuxdoc.org/COPYRIGHT.html>, except that this document
must not be distributed in modified form without the author's consent.

��쌠�� Matthew Wilson �ɂ��܂��B��̃h�L��g
��http://www.linuxdoc.org/COPYRIGHT.html
<http://www.linuxdoc.org/COPYRIGHT.html>�ɂ�� LDP ��C�Z��X�̔z�z��
��і��ɏ]��ꍇ�ɂ̂݁A�z�z��邱�Ƃ��ł��܂��A��҂̓��ӂȂ�
��ς��ꂽ�ꍇ�ɂ͔z�z��邱�Ƃ͏o��܂��B

The author assumes no responsibility for anything done with this
document, nor does he make any warranty, implied or explicit. If you
break it, it's not my fault. Remember, what you do here could make
very large holes in the security model of your network. You've been
warned.

��҂́A�Öقł��邩��ł��邩�̔@��ɂ��炸�A��̃h�L��g��
��ǂ̂悤�Ȏ��ۂɑ΂��Ă�ӔC�𕉂��܂��񂵁A�܂��@��Ȃ�ۏ؂��
��B��Ȃ��Q��Ƃ��Ă�A��͎��̎��s�ł͂��܂��B��
��ł�邱�Ƃ��A�l�b�g��[�N�̃Z�L��e�B��f��ɔ��ɑ傫�Ȍ�
��J��Ƃ��Ƃ�o��Ă��Ă��B�x��܂��ˁH

1.5. ��

�ȉ��̕��͎Q�l�̂��ߖ󕶂��܂��A��D�悳��܂��B

The original VPN mini-HOWTO was written by Arpad Magosanyi
<[email protected]> in 1997. He has since allowed me to take up
the document and extend it into a full HOWTO. All of this would not
be possible without his original document. Thanks again Arpad. :)

�I��W�i�� VPN mini-HOWTO �� Arpad Magosanyi
<[email protected]> �ɂ�� 1997 �N�ɋL�q��܂��B�ނ͎��
�̃h�L��g��グ�A��S�� HOWTO �Ɋg��邱�Ƃ��Ă��܂�
��B�S�Ă͔ނ̃I��W�i��̃h�L��g��Ăׂ͈��Ȃ��Ƃ�
��傤�B�ēx Arpad �Ɋ��ӂ��܂��B:)

�� HOWTO �̃o�[�W�� 1.0 �� 1999 �N 12 �� 10 ��Ɋ��܂��B

1.6. �֘A�h�L��g

o Networking Overview HOWTO
<http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html>

o Networking HOWTO <http://www.linuxdoc.org/HOWTO/NET3-4-HOWTO.html>
[�󒍁F��{��
<http://www.linux.or.jp/JF/JFdocs/NET3-4-HOWTO.html> �ɂ��܂��B]

o VPN-Masquerade HOWTO <http://www.linuxdoc.org/HOWTO/VPN-Masquerade-
HOWTO.html>

2. ��_

2.1. VPN�Ƃ͉��H

VPN �Ƃ͉��z�v��C�x�[�g�l�b�g��[�N (Virtual Private Network) ��Ӗ�
��Ă��܂��B VPN �̓f�[�^�̈��S��m�ۂ��A��̗A��@�\�Ƃ��ăC��
�^�[�l�b�g�𗘗p��܂��B

2.1.1. �ŁA��ۂ̂Ƃ��AVPN �Ƃ́H

��̎��ɂ͂��̓��܂��B��͐��Ƀl�b�g��[�N��C�A�E�g
��ł��B��Ƃ��ʓI�ȍ\��́A�ЂƂ̃��C��l�b�g��[�N��
��A VPN ��g��ꂽ��ɂ��m�[�h�𒆉��l�b�g��[�N�֊��S�ɃA�N�Z
�X�ł��悤�ɂ��̂ł��B��ꂽ��ɂ��m�[�h�Ƃ��̂́A�ʏ�A��
��I�t�B�X����Ƃ�s��]�ƈ��Ȃǂł��B��́A��菬�� (��
��͑傫��!) �l�b�g��[�N��q��ŁA��ɑ傫�ȒP��̃l�b�g��[�N�Ƃ�
�邱�Ƃ�o��܂��B

2.1.2. ��łǂ��ɓ��삷��́H

VPN ��\�z��邽�߂ɂ͒P�ɁA��̃l�b�g��[�N�ԂɈ��S�̊m�ۂ��ꂽ�g��
�l��A��ʂ�悤�� IP �̌o�H��߂܂��B��A��Ɏ��̌��
�Ƃ��ł��Ȃ��̂ł��AThe Linux Networking Overview HOWTO
<http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html> ��ǂ�
�� Linux �ɂ��l�b�g��[�N�ɂ��ĕ׋��Ă��B

�䖝��Ă��B��̃A�X�L�[�A�[�g�͉��Ɏg��܂��B

\ \
-------------- / / --------
��[�g ___| �N��C�A��g |____\ �C��^�[ \___| �T�[�o |______ �v��C�x�[�g
�l�b�g��[�N | ��[�^ | / �l�b�g / | ��[�^ | �l�b�g��[�N
-------------- \ \ --------
/ /

�N��C�A��g��[�^
-----------------------------------------------------
| /-> 10.0.0.0/255.0.0.0 \ |
��[�g | |--> 172.16.0.0/255.240.0.0 |--> �g��l�� >--\ |
�l�b�g��[�N>--|--|--> 192.168.0.0/255.255.0.0 / |--|----> �C��^�[�l�b�g
192.168.12.0 | | | |
| \-----> 0.0.0.0/0.0.0.0 --> IP�}�X�J��[�h >--/ |
-----------------------------------------------------

�T�[�o��[�^
------------------------------------------------------
| /-> 10.0.0.0/255.0.0.0 \ |
| /--> �g��l�� >--|--> 172.16.0.0/255.240.0.0 |--|--> �v��C�x�[�g
�C��^�[�l�b�g >--|--| \--> 192.168.0.0/255.255.0.0 / | �l�b�g��[�N
| | | 172.16.0.0/12
| \-----> 0.0.0.0/0.0.0.0 -----> /dev/null | 192.168.0.0/16
------------------------------------------------------

��̐}�̓l�b�g��[�N��ǂ̗l�ɍ\�z��邩��Ă��܂��B�� IP �}�X
�J��[�h��ł��邩��Ȃ��̂Ȃ�A��ɂ��ׂ��ł͂��܂��B
The Linux Networking Overview HOWTO
<http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html>��ǂ�
�ŁA��𗝉�Ă��߂��ė��Ă��B

�N��C�A��g��[�^�̓��[�g�l�b�g��[�N�ɑ΂��Q�[�g�E�F�C/�t�@�C�A
�E�H�[��Ƃ��ē��삷�� Linux �{�b�N�X�ł��B��ĕ��悤�ɁA��[�g
�l�b�g��[�N�̓��[�J��l�b�g��[�N 192.168.12.0 ��g�p��Ă��܂��B�}��
�ȗ��邽�߁A��[�^��̃��[�J��ȃ��[�e�B��O��\�ɏo��܂��B
��{�I�ȍl��́A�v��C�x�[�g�l�b�g��[�N�S�� (10.0.0.0, 172.16.0.0,
192.168.0.0) �ɑ΂��g��t�B�b�N��g��l��ʂ�悤�Ɍo�H��߂��
��Ƃł��B��Ŏ��͈̂��ʍs�ł��B�܂�A��[�g�l�b�g��
�[�N��v��C�x�[�g�l�b�g��[�N��邩��Ƃ��āA�v��C�x�[�g�l�b
�g��[�N��烊��[�g�l�b�g��[�N��Ƃ͌��܂��B��邽�߂�
�͌o�H��o��ƂȂ�悤�w�肵�Ȃ��Ă͂Ȃ�܂��B

�}��A�N��C�A��g��[�^��ʂ��ďo��g��t�B�b�N�S�Ă̓N��C�A��g��
�[�^��痈�Ă��A�܂�S�Ă�� IP �A�h��X��痈�Ă��邱�Ƃ��
��ł��傤�B��ۂ̂��Ȃ��̃l�b�g��[�N��̐��o�H��ݒ肷�邱��
��o��܂��A��Ƃ��ނ̃Z�L��e�B��肪��邱�Ƃ�
�Ȃ�܂��B

2.2. SSH��PPP

VPN �Ƃ��āASSH �� PPP ��p��V�X�e��ɂ��Ă�L��Ă��܂��B
��{�I�Ɏ��̓g��l��ڑ��邽�߂� ssh ��g��A��ʂ�� TCP/IP ��
��M��s��߂ɁApppd ��g��Ă��܂��B��ꂪ�g��l��̍��ł��B

ssh �� pppd ��ꏏ�ɓ��ۂ̂��܂��@�́AArpad Magosanyi �ɂ��
��ꂽ��ɂ��ŁA��ɏ]��΋^��[��̕W��o�͂�_�C��N�g
��邱�Ƃ��o��܂��B��ɂ�� pppd �́A ssh��ʂ��Ă��ꂪ�V
��A��ł��邩�̂悤�ɒʐM��邱�Ƃ��o��悤�ɂȂ�܂��B�T�[�o��
�ł́Apppd �� ssh �Z�b�V��ɂ��郆�[�U�̃V�F��̂悤�ɓ��삵�Ă�
��A��N��m��Ă��܂��B��Ƃ͌o�H�̐ݒ��s��ł��B

2.3. ��̑�� VPN �V�X�e��

��AVPN ��\�z��邽�߂̑��̕��@��܂��B��ł͑��̃V�X�e��
�̂�� 3��܂��B

2.3.1. PPTP

PPTP �̓}�C�N��\�t�g�� VPN �̂��߂̃v��g�R��ł��B�� Linux �ŃT
�|�[�g��Ă��܂��A�[��ȃZ�L��e�B��̖��Ă��邱�Ƃ��
��Ă��܂��B�ǂ̂悤�Ɏg�p��邩�� Linux VPN Masquerade HOWTO
<http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html> �Ɏ��Ă�
��̂ŁA��ł͐��܂��B

2.3.2. IP Sec

IP Sec �� SSH �Ƃ͈قȂ�v��g�R��̃Z�b�g�ł��B��́A��͂��ɂ��
��܂�悭�m��Ȃ��̂ŁA�N��̎菕��Ă��Ȃ��ɂ��肪
��ł��B�ēx�A��̎g��ɂ��Ă�Linux VPN Masquerade HOWTO
<http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html>�Ɏ��Ă�
��̂ŁA��ł͐��Ȃ��Ƃɂ��܂��B

2.3.3. CIPE

CIPE �́A��ƌ��̐ݒ�ɓK��A�J�[�l��x��̃l�b�g��[�N�Í��V
�X�e��ł��B��ڂ��e��the CIPE homepage
<http://sites.inka.de/sites/bigred/devel/cipe.html>�ɂ��܂��B��
��Ă͂��ڂ��ׂ悤�Ǝv��Ă��̂ŁA��ŏ��
��Ƃ��ł��ł��傤�B

3. �T�[�o

�T�[�o��ł̓N��C�A��g�͉��̖�ɂ��Ȃ��̂ŁA��̃Z�N�V��ł�
�ŏ��ɂ��ׂ��̂��Ƃ�A�T�[�o��ł��ɐݒ肷�邩�q�ׂ邱�Ƃ�
��܂��B

3.1. �Z�L��e�B �| �l�X��ߏo��

VPN �ɂƂ��ăZ�L��e�B�͔��ɏd�v�ł��B��A��炱�� VPN ��\�z
��Ă��ł��ˁH �T�[�o��ݒ肷��ɂ��ẮA��̂��Ƃ�S
�ɗ��߂Ă��K�v��܂��B

3.1.1. �f�[��点

��̃T�[�o�̓t�@�C�A�E�H�[��̗��ɒu��A�g��t�B�b�N��l�b�g��[�N
�̒��֓]��悤�ɐݒ肳��Ă��̂ŁA�\�Ȍ��肻�̔��S�ɂ��
��̂͗ǂ��l��ł��BLinux �̃Z�L��e�B�ɂ��Ă� Linux Security
HOWTO <http://www.linuxdoc.org/HOWTO/Security-HOWTO.html> �ł��ɒ��
�邱�Ƃ��ł��܂��B [ �󒍁F��{��
<http://www.linux.or.jp/JF/JFdocs/Security-HOWTO.html> �ɂ��܂��B]
�ړI�̂��߂ɁA�� sshd �� Roxen Web server �ȊO�̑S�Ă� kill ��܂�
��BVPN �ɃA�N�Z�X��V��}�V��ݒ肷�邽�߁A 2�̃t�@�C��i�X�N
��v�g�A��̑��j��_�E��[�h��ړI�ŃE�F�u�T�[�o�𗘗p��Ă��܂��B
FTP �T�[�o�͎g��܂��B��́A�E�F�u�T�[�o�o�R�ő��̃t�@�C��
��悤�ɂ��̂ɔ�ׁAFTP �T�[�o�o�R�œ��Ƃ�S�ɂł��悤�ɐݒ�
��͓̂��ł��B��ɁA�P�Ƀt�@�C��_�E��[�h�ł��΂��
�̂ł��B��{��ɃQ�[�g�E�F�C�ŕʁX�̃T�[�o�𑖂点��Ǝv��Ă��
�ł��΁A�v��C�x�[�g�l�b�g��[�N�ɂ��}�V��ȊO�A��̃T�[�o�ɃA
�N�Z�X�ł��Ȃ��悤��ׂ��m��܂��B

3.1.2. �p�X��[�h��

��A��͔n��Ƃɕ��܂��B��ǂ�C�ɂȂ�ł��傤�H�p�X��
�[�h�͎g�킸�A��S�ɖ��ɂ��Ă��܂��̂ł��B��̃}�V��̑S�Ă̔F
�؂� ssh �̌��J��F�؃V�X�e��ʂ��čs��ׂ��ł��B��̕��@�ł̓L
�[��҂��邱�Ƃ��ł��܂��A530 ��̒��̃o�C�i��̃L
�[��o��邱�Ƃ́A�w�Ǖs�\�ł��B

�ł́A��̂��߂ɂ͂ǂ��Ηǂ��̂ł��傤�H/etc/passwd �t�@�C��ҏW
��邱�Ƃ��K�v�ł��B2 �Ԗڂ̃t�B�[��h�̓p�X��[�h�n�b�V��A��邢�͔F
�؃V�X�e�� /etc/shadow �t�@�C��悤�w�� 'x' �̂��ꂩ��
�܂�Ă��܂��B��Ȃ��Ă͂Ȃ�Ȃ��Ƃ́A��̃t�B�[��h��
��łȂ��Ƃ��Ƃ��܂��B

�T�^�I�� /etc/passwd �t�@�C��̌`��Ɏ��܂��B

....
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:504:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:504:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:504:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
....

�� 2�Ԗڂ̃t�B�[��h��ҏW��邾��łȂ��A��Ǝ��Ƃ��
��o��Ă��Ă��B��̃t�B�[��h�ɂ��Ă͌�q��܂��B

3.2. ��[�U�A�N�Z�X - �݂�Ȃ𒆂�

��[�U�A�N�Z�X�� ssh �̔F�؃X�L�[��ʂ��Ĉׂ��܂��B��ŏq�ׂ��悤
�ɁA��ꂪ��x��̃Z�L��e�B��ێ��A��[�U��V�X�e��ɃA�N�Z
�X��@�ł��B�� ssh �ɓ��݂��Ȃ��΁Ahttp://www.ssh.org/
<http://www.ssh.org/>��`�F�b�N��Ă݂Ă��B�� ssh �̃o�[�W��
2 �łȂ��o�[�W�� 1 ��g��Ă��Ƃ��Ƃɒ��ӂ��Ă��B��ɁA
�o�[�W�� 1 �̓t��[�ŁA2 �͂��łȂ��Ƃ��傫�ȈႢ��܂��B

3.2.1. sshd ��ݒ肷��

��Ȃ�� sshd ��ݒ肷��K�v��ł��傤�B�I�v�V��ɂ͎��̂悤�Ȃ�
�̂��܂��B�Ӑ}��Ă��̂̓p�X��[�h�F�؂�� rhosts �F�؂�s��
��Ƃ��Ƃł��B/etc/sshd_config �t�@�C��ɂ́A��ɋ��悤�ȃI
�v�V��܂��B

PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode no
CheckMail no
IdleTimeout 3d
X11Forwarding no
PrintMotd no
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no

3.3. ��[�U�𐧌��

��ň��l��͒��ߏo��A�ǂ��l��A�N�Z�X��悤�ɂȂ�
��̂ŁA��x�͗ǂ��l��Ȃ��悤�Ɏ��ł��Ă��ׂ��
�܂��B��͔ނ�� pppd �ȊO�̂�̂�N��Ȃ��Ƃ��ƂŁA�ɂ߂�
�ȒP�Ɏ��s�ł��܂��B��͕K�v��܂��񂵁A�K�v�łȂ��܂�
��B��̓��[�U�𐧌��Ă��܂��B��́A�ێ炵�Ă��V�X�e�� VPN ��
�p�ł��A��[�U�͂��̏�ł��̑��̂��Ƃ��K�v��Ȃ��߂ł��B

3.3.1. sudo ��ۂ�

Unix �V�X�e��̊Ǘ��҂��A��郆�[�U��̃v��O�� root ��Ŏ�
�s�ł��悤��^��A sudo �ƌĂ΂�鏬��đf�G�ȃv��O��
��܂��Bpppd �� root �Ƃ��Ď��s��K�v��̂ŁA��̏ꍇ�ɂ͕K�v��
��B��[�U�ɃV�F��A�N�Z�X��悤�Ƃ��ꍇ�ɂ́A��̕��@��g��K
�v��ł��傤�Bsudo ��ǂ̂悤�ɐݒ肵�Asudo ��ǂ̂悤�Ɏg��
sudo �̃}�j��A��y�[�W�Œ��ׂĂ��B�T��āA��̐M��ł��郆�[
�U�Ɏg��悤�ȕ��p�V�X�e��ɂ��āAsudo ��g��Ƃ͍őP�̕�
�@�ł��B

��[�U�ɃV�F��A�N�Z�X��Ȃ��Ƃ�߂��Ȃ�΁A��ɐN��
�ɂ��Ƃ�ǂ��@�́A�ނ�̃V�F�� pppd �ɂ��邱�Ƃł��B��
/etc/passwd �t�@�C��ɂ��Ď��ł��܂��B��Ō�� 3 �l�̃��[�U�ɂ�
��Ƃ� ``��ɂ��L�q'' �Ō��邱�Ƃ��o��܂��B/etc/passwd �̍Ō��
�t�B�[��h�̓��[�U�̃V�F��ł��Bpppd �𓮂��߂ɓ��ʂȂ��Ƃ��K
�v�͂��܂��B��̓��[�U��ڑ�� root �Ƃ��Ď��s��܂��B��
�͍ł��S�ł��Ɠ��ɁA�ׂ��邤��̊ԈႢ�Ȃ��ł�P��Ȑݒ��@��
��B��͑�K�͂ł܂Ƃ܂��V�X�e��ɑ΂��Ă͗��z�I�ł��B��ׂ��
�͂��̃h�L��g�̌�̕��ł��Ɛ��܂��B��]�݂ł�� ``��
��ɓǂ�'' ��Ƃ�ł��܂��B

3.4. �l�b�g��[�L��O

��Ń��[�U�̓V�X�e��ɃA�N�Z�X�o��悤�ɂȂ��킯�ł��A�ނ炪
�l�b�g��[�N�ɃA�N�Z�X�ł��邱�Ƃ͊m�F��K�v��܂��B��
Linux �J�[�l��̃t�@�C�A�E�H�[��̃��[��ƃ��[�e�B��O�e�[�u��ɂ��
��s��܂��Broute �� ipfwadm �R�}��h��g��ƁA�l�b�g��[�N�g
��t�B�b�N��K�؂ȕ��@�ň��悤�J�[�l��ݒ肷�邱�Ƃ��ł��܂��B��
�ȏ�� ipfwadm, ipchains ��ꂩ�� route �ɂ��Ă̏��̂��߂ɂ�Linux
Networking HOWTO <http://www.linuxdoc.org/HOWTO/Linux-Networking-
HOWTO.html> ��Q�Ƃ��Ă��B

3.4.1. �J�[�l��

��̂��𓮍삳��邽�߂ɂ́A�J�[�l��𐳂��ݒ肵�Ȃ��Ă͂Ȃ��
��B��̃J�[�l��ǂ̂悤�ɍ\�z��΂悢��Ȃ��
��AKernel HOWTO <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>��
�ނׂ��ł��B��{�l�b�g��[�N�ɉ��āA��Ɏ��J�[�l��I�v�V��I��
�ɂȂ��Ă��邱�Ƃ�m�F��K�v��ł��傤�B��͎��̃V�X�e��
2.0.38 �J�[�l��g��Ă��܂��B

2.0 �J�[�l��ɂ�� -

o CONFIG_FIREWALL

o CONFIG_IP_FORWARD

o CONFIG_IP_FIREWALL

o CONFIG_IP_ROUTER

o CONFIG_IP_MASQUERADE (optional)

o CONFIG_IP_MASQUERADE_ICMP (optional)

o CONFIG_PPP

2.2 �J�[�l��ɂ�� -

o CONFIG_FIREWALL

o CONFIG_IP_ADVANCED_ROUTER

o CONFIG_IP_FIREWALL

o CONFIG_IP_ROUTER

o CONFIG_IP_MASQUERADE (optional)

o CONFIG_IP_MASQUERADE_ICMP (optional)

o CONFIG_PPP

3.4.2. �t�B��^�K��

�܂��A�O��̃C��^�[�l�b�g�ւ̃A�N�Z�X�𐧌��A��[�U��l�b�g
��[�N�փA�N�Z�X�o��悤�A�t�@�C�A�E�H�[��̃t�B��^�K��L�q��
��傤�B��ꂪ��ɕ��Ȃ�A��ɂ��Ă͂��l��Ă݂Ă��
�� - �ނ�͊��ɃC��^�[�l�b�g�ɃA�N�Z�X�ł��Ԃɂ��A��łȂ�
�ނ炪�l�b�g�ɃA�N�Z�X��ۂɃg��l��g�킹��̂��B��͑ш敝�ƃv
��Z�b�T�̖��ʌ��ł��B

�K�p��t�B��^�K��͗��p��l�b�g��[�N�Ɉˑ��Ă��܂��B��
��ہA��[�U�͌��܂� - "VPN �̊O��A��l�b�g�Ɍ��ė��Ă�
��g��t�B�b�N��Ȃ��"�B�ł͂ǂ��ǂ��̂ł��傤��H��
�̂悤�ɁA��͏ꍇ�ɂ��̂ł��B�� 2.0 �J�[�l��𓮂��Ă��Ȃ�
�΁Aipfwadm �ƌĂ΂��c�[��g��܂��B��A�� 2.2 �J�[�l��𓮂�
��Ă��̂Ȃ�Aipchains �ƌĂ΂�郆�[�e�B��e�B��g��܂��B

ipfwadm �ŋK��ݒ肷�邽�߂ɂ́A��Ɏ��悤�ȃI�v�V��ł��s
��Ă��B

# /sbin/ipfwadm -F -f
# /sbin/ipfwadm -F -p deny
# /sbin/ipfwadm -F -a accept -S 192.168.13.0/24 -D 172.16.0.0/12

ipchains �ŋK��ݒ肷�邽�߂ɂ́A��Ɏ��悤�ȃI�v�V��ł��
�s��Ă��B

# /sbin/ipchains -F forward
# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.13.0/24 -d 172.16.0.0/12

2.2 �J�[�l��g��Ă��l��``��''��ǂ�ł��B

3.4.3. ��[�e�B��O

��[�U�̓l�b�g�ւ̃A�N�Z�X��܂��̂ŁA��x�̓J�[�l��ɁA�p�P�b�g
�𑗂�ꏊ��w��Ȃ��΂Ȃ�܂��B�V�X�e��ɂ��āA�� 2 �̃C
�[�T�l�b�g�J�[�h��Ă��܂��B��͊O��l�b�g��[�N�ɑ΂��́A��
��͓��l�b�g��[�N�ɑ΂��̂ł��B��̂��Ƃ́A�O�Ɍ��g��
�t�B�b�N�̓Q�[�g�E�F�C�Ń}�X�J��[�h��A��ɓ��Ă��S�Ẵg��
�t�B�b�N�� Cisco �Ŏ�菜�� o�H��߂��̂ŁA��S��ۂ̂ɖ�
��܂��B�啔��̐ݒ�ɂ��āA�o�H�ݒ�̓V��v��ł��ׂ��ł��B

��ꂩ��̂́A��C��^�[�t�F�[�X��o�ăv��C�x�[�g�l�b�g��[�N
�Ɍ��ė��S�Ẵg��t�B�b�N�A��ꂩ��O��C��^�[�t�F�[�X��o��
��̑� �S�Ẵg��t�B�b�N�̌o�H��ݒ肷��Ƃ��Ƃł��B��̌o�H��
��R�}��h�͗��p��Ă��l�b�g�Ɉˑ��Ă��܂��B�ȉ��͂��ꂪ�ǂ̂�
��Ȃ�̂ł��邩�̈�̗�ł��B��̍s�͂��A��[�J��l�b�g��
��{�o�H�ɕt��܂��B��ɁA��Ȃ�� ԍ�� 3 �O��[�v�S��
��g��Ă��킯�ł͂Ȃ��ł��傤�B

172.16.254.254 ��Q�[�g�E�F�C�ł��Ƃ�� -

# /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0 gw 172.16.254.254 dev eth1

�o�H�̐ݒ�ɂ��t��I�Ȓ��ӂł��B��A�Ⴆ�Η��ꂽ��ɂ��I�t�B�X
�ȂǑo��̌o�H�ݒ��g��Ă��̂Ȃ�A��Ȃ��Ă͂Ȃ�Ȃ��
��܂��B�T�[�o�ɂ��āA�N��C�A��g�֖߂�o�H��ݒ肷��K�v��
�܂��B��萋��ł�ȒP�ȕ��@�́A�Â��ɖ߂�̌o�H��ݒ肷��悤
�� cron �W��u�� 1 ��Ɏ��s��邱�Ƃł��B�N��C�A��g��ڑ��Ă��
��Ă��ł͂Ȃ��Aroute �̓G��[�i��Ȃ��s��̂��悤��
/dev/null �ɑ��j��f��ł��B

4. �N��C�A��g

��ăN��C�A��g�̕��𒲂ׂĂ݂܂��傤�B��ہA��[�g�l�b�g��[�N�ɑ�
��ď�ɃA�N�Z�X��Ƃ��ɂ́A��̔��͊ȒP�� Samba�iWindows �l�b�g��
�[�N�j�T�[�o�A DHCP �T�[�o�A��ꂩ��̃E�F�u�T�[�o�ɂł��܂��B�o��
�Ă��Ȃ��Ă͂Ȃ�Ȃ��d�v�Ȃ��Ƃ́A��̔��̓��[�g�l�b�g��[�N�S�̂�
��삷��̂ł��A�\�Ȍ��S�ł��ׂ��Ƃ��Ƃł��B

4.1. �J�[�l��

�d�v�Ȃ�̂��ɘb��Ă��ƁA��Ȃ��̓J�[�l��̒�� ppp ��L��ɂ�
�Ă��K�v��܂��B��̃}�V��ɑ΂��ăg��l��̎g�p��
��Ă��̂ł��΁A�t�@�C�A�E�H�[��A�t�H��[�f�B��O��L��ɂ��Ă��
�K�v��܂��B�N��C�A��g��P��̃}�V��ł��Ȃ�Appp ��ŏ\��
��B

4.2. ��N��m��

��N�́A�[��[��ʂ��ē��삵�Ă�� pppd �ɂ��Đ��܂��B�i��
�̋[��[��́jpty-redir �ɂ��Đ��Assh �ɐڑ��Ă��܂��B��
�͎��Ɏ��悤�ȃR�}��h��ɂ��Ď��܂� -

# /usr/sbin/pty-redir /usr/bin/ssh -t -e none -o 'Batchmode yes' -c blowfish -i /root/.ssh/identity.vpn -l joe > /tmp/vpn-device
# sleep 10

# /usr/sbin/pppd `cat /tmp/vpn-device`
# sleep 15

# /sbin/route add -net 172.16.0.0 gw vpn-internal.mycompany.com netmask 255.240.0.0
# /sbin/route add -net 192.168.0.0 gw vpn-internal.mycompany.com netmask 255.255.0.0

�P�ɂ��ꂪ��̂� ssh ��s��A��̓��o�͂� pppd �Ƀ��_�C��N�g��
�Ƃ��Ƃł��Bssh �ɓn��I�v�V��́A��G�X�P�[�v�L��N�^
�Ȃ��œ��삵 (-e) �A blowfish �Í��A��S��Y��g�� (-c)�A�w�肵��
�F�؃t�@�C��g�� (-i)�A�^�[�~�i��[�h�� (-t)�A�� 'Batchmode
yes' �I�v�V�� (-o) ��s��悤�ݒ肵�܂��B sleep �R�}��h�́A
��ꂼ�ꂪ��̎��̃R�}��h�̎��s�O�ɋN��ł��悤�ɁA�R�}��h��
��s�̊Ԋu��邽�߂Ɏg�p��܂��B

4.3. �X�N��v�g��

��A��Ȃ��̓g��l��ʉ߂��Ƃ��ɁA��̓s�x��̃R�}��
�h��͂��͂Ȃ��ł��傤�B��̓g��l��̂܂ܒʂ��悤�ɂ��Ă�
��悤�� bash �X�N��v�g�̃Z�b�g��܂��B�p�b�P�[�W�͂��
<http://www.shinythings.com/vpnd/vpnd.tar.gz>��_�E��[�h�ł��
��B�_�E��[�h�� /usr/local/vpn �ɐL��Ă��B��̒��ɂ� 3
�̃t�@�C��܂� -

o vpnd - �g��l��ڑ��𐧌䂷��X�N��v�g

o check-vpnd - vpnd ��N��Ă��邩�ǂ��`�F�b�N��邽�߂� cron
�ɂ��Ď��s��X�N��v�g

o pty-redir - �g��l��邽�߂ɕK�v�ȁA��Ȏ��s�t�@�C��

�N��C�A��g�̃��[�U��T�[�o�̖��O�Ƃ��悤�Ȃ��Ƃ�ݒ肷�邽�߂ɂ�
vpnd ��ҏW��K�v��ł��傤�B�܂��p��Ă��l�b�g��[�N��w��
��邽�߂ɁA�X�N��v�g�� starttunnel �Z�N�V��ҏW��K�v��
��傤�B�ȉ��͂��Ȃ��Ɋ��œǂ�ł�炤��߂́A�X�N��v�g�̃R�s�[��
��B�X�N��v�g�͕ʂȃf�B��N�g��ɓ��Ă��Ƃ��ł��A��̂��߂ɂ�
VPN_DIR �ϐ��ύX��΂悢�Ƃ��Ƃ�o��Ă��Ă��B

#! /bin/bash
#
# vpnd: Monitor the tunnel, bring it up and down as necessary
#

USERNAME=vpn-username
IDENTITY=/root/.ssh/identity.vpn

VPN_DIR=/usr/local/vpn
LOCK_DIR=/var/run
VPN_EXTERNAL=vpn.mycompany.com
VPN_INTERNAL=vpn-internal.mycompany.com
PTY_REDIR=${VPN_DIR}/pty-redir
SSH=${VPN_DIR}/${VPN_EXTERNAL}
PPPD=/usr/sbin/pppd
ROUTE=/sbin/route
CRYPTO=blowfish
PPP_OPTIONS="noipdefault ipcp-accept-local ipcp-accept-remote local noauth nocrtscts lock nodefaultroute"
ORIG_SSH=/usr/bin/ssh

starttunnel () {
$PTY_REDIR $SSH -t -e none -o 'Batchmode yes' -c $CRYPTO -i $IDENTITY -l $USERNAME > /tmp/vpn-device
sleep 15

$PPPD `cat /tmp/vpn-device` $PPP_OPTIONS
sleep 15

# Add routes (modify these lines as necessary)
/sbin/route add -net 10.0.0.0 gw $VPN_INTERNAL netmask 255.0.0.0
/sbin/route add -net 172.16.0.0 gw $VPN_INTERNAL netmask 255.240.0.0
/sbin/route add -net 192.168.0.0 gw $VPN_INTERNAL netmask 255.255.0.0
}

stoptunnel () {
kill `ps ax | grep $SSH | grep -v grep | awk '{print $1}'`
}

resettunnel () {
echo "reseting tunnel."
date >> ${VPN_DIR}/restart.log
eval stoptunnel
sleep 5
eval starttunnel
}

checktunnel () {
ping -c 4 $VPN_EXTERNAL 2>/dev/null 1>/dev/null

if [ $? -eq 0 ]; then
ping -c 4 $VPN_INTERNAL 2>/dev/null 1>/dev/null
if [ $? -ne 0 ]; then
eval resettunnel
fi
fi
}

settraps () {
trap "eval stoptunnel; exit 0" INT TERM
trap "eval resettunnel" HUP
trap "eval checktunnel" USR1
}

runchecks () {
if [ -f ${LOCK_DIR}/tunnel.pid ]; then
OLD_PID=`cat ${LOCK_DIR}/vpnd.pid`
if [ -d /proc/${OLD_PID} ]; then
echo "vpnd is already running on process ${OLD_PID}."
exit 1
else
echo "removing stale pid file."
rm -rf ${LOCK_DIR}/vpnd.pid
echo $$ > ${LOCK_DIR}/vpnd.pid
echo "checking tunnel state."
eval checktunnel
fi
else
echo $$ > ${LOCK_DIR}/vpnd.pid
eval starttunnel
fi
}

case $1 in
check) if [ -d /proc/`cat ${LOCK_DIR}/vpnd.pid` ]; then
kill -USR1 `cat ${LOCK_DIR}/vpnd.pid`
exit 0
else
echo "vpnd is not running."
exit 1
fi ;;

reset) if [ -d /proc/`cat ${LOCK_DIR}/vpnd.pid` ]; then
kill -HUP `cat ${LOCK_DIR}/vpnd.pid`
exit 0
else
echo "vpnd is not running."
exit 1
fi ;;

--help | -h)
echo "Usage: vpnd [ check | reset ]"
echo "Options:"
echo " check Sends running vpnd a USR1 signal, telling it to check"
echo " the tunnel state, and restart if neccesary."
echo " reset Sends running vpnd a HUP signal, telling it to reset"
echo " it's tunnel connection." ;;
esac

ln -sf $ORIG_SSH $SSH
settraps
runchecks

while true; do
i=0
while [ $i -lt 600 ]; do
i=((i+1))
sleep 1
done
eval checktunnel
done

4.4. LRP - Linux ��[�^�v��W�F�N�g

��ہA��͂��̊�� Linux �� LRP �f�B�X�g��r��[�V�� pentium
90MHz �̏�œ��삳��Ă��܂��BLRP�� 1 ��̃t��b�s�[�f�B�X�N�Ɏ��܂�A
�N�� Linux �f�B�X�g��r��[�V��ł��B��ȏ�̂��Ƃɂ��Ă�
http://www.linuxrouter.org/ <http://www.linuxrouter.org/> �Ŋw�Ԃ��Ƃ�
�ł��܂��B�� VPN �N��C�A��g�p�� LRP �p�b�P�[�W�́A��
<http://www.shinythings.com/vpnd/vpnd.lrp>��_�E��[�h�ł��܂��B��
�ꂩ�� ppp �� ssh �p�b�P�[�W�� LRP �T�C�g��瓾��K�v��ł��
��B

5. ��s

��̃Z�N�V��ł� VPN �V�X�e��̍\�z�@�ɂ��ď��Ԃɐ��܂��B�܂�
�T�[�o��n�߁A��ɃN��C�A��g�ւƈڂ��Ă��܂��B��Ƃ��邽�߂ɁA��
�Ȃ� 2 ��ނ� VPN �ݒ��K�v�Ƃ��󋵂�l��Ă݂܂��B

5.1. �v��

mycompany.com �Ƃ��Ђ��Ă��Ƒz��Ă݂Ă��B�{�ЃI�t�B
�X�ŁA�\�񂳂ꂽ�l�b�g��[�N 192.168.0.0 ��g��Ă��A�o�H�ݒ��
�悤�ɃN��X B �l�b�g��[�N�� 256 �̃N��X C �ɂ��Ă��܂��B��傤�� 2
�̏��ȗ��ꂽ��ɂ��I�t�B�X��ݒ肵��Ƃ��ŁA��l�b�g��[
�N�ɒǉ��Ǝv��Ă��܂��B�܂����d��Ă��]�ƈ��ɁA�ނ炪
�_�C��A�b�v�� DSL �� P�[�u��f��Őڑ��ł��悤�ɂ��
��Ƃ�v��Ă��܂��B�n�߂邽�߂ɂ͏��΂��v��𗧂ĂȂ��Ă͂Ȃ��
��B

��ꂼ��̗��ꂽ��ɂ��I�t�B�X�ŕK�v�ɉ��Ċg��ł��悤�A�N��X C
�l�b�g��[�N�͈̔͂�蓖�Ă邱�Ƃɂ��܂��B��ŁA192.168.10.0 ��
192.168.11.0 �l�b�g��\�񂵂܂��B���[�U�ɑ΂��Ă� VPN �T�[�o��Ń}
�X�J��[�h��K�v�̂Ȃ��\��Ȑ��m�ۂ��邱�Ƃɂ��܂��B�e�N��C�A��g
�͂��ꎩ�g�̓� IP ��擾��܂��B��ŁA��̂��߂ɑ��̃N��X
C�A192.168.40.0 ��\�񂷂�K�v��܂��B��Ȃ��Ă͂Ȃ�Ȃ��̂́A
��[�^�ɂ��͈̔͂�ǉ��邱�Ƃł��B��̉�Ђ��AOC1 ��ʉ߂��
�g��t�B�b�N�S�Ă��舵�� Cisco (192.168.254.254) ��L��Ă�
��Ǝv��Ă��B��̗\�񂳂ꂽ�l�b�g�� VPN �T�[�o
(192.168.40.254) �֌��g��t�B�b�N�� Cisco ��Ōo�H�ݒ肵�Ă��
��B��͌�Ŗ��R�̂��߁AVPN �T�[�o���[�U�̃l�b�g�ɑg�ݓ��
�܂��B�T�[�o�̊O��C��^�[�t�F�[�X�� vpn.mycompany.com �A��C��^�[
�t�F�[�X�� vpn-internal.mycompany.com �Ɩ��Â��邱�Ƃɂ��܂��B

�O��ԍ��ɂ��āA�͂��ƒm��Ă��K�v�͂��܂��B ISP �ɂ��
��蓖�Ă�ꂽ��g�̔ԍ��m��Ă��ׂ��ł��B

5.2. �c�[��W�߂�

��A�\�t�g�E�F�A��K�v�ɂȂ��Ă��܂��B��ɋ��p�b�P�[�W��擾��
�āA�w�肳�ꂽ�ꏊ�ɃC��X�g�[��Ă��B

5.2.1. �T�[�o�ɑ΂�� -

o pppd (�o�[�W�� 2.3 �ȍ~)

o ssh (�o�[�W�� 1.2.26 �ȍ~)

5.2.2. �N��C�A��g�ɑ΂�� -

o pppd (�T�[�o�Ɠ��o�[�W��)

o ssh

o pty-redir <ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz>

5.3. �T�[�o - �J�[�l��\�z��

�ŏ��ɁA��A��Ȃ��̓T�[�o�̂��߂ɃJ�[�l��č\�z��K�v��
��傤�B��{�l�b�g��[�N�₻�̑��̕K�v�ȍ��ڂɉ��āA�K��ȉ��̃I�v
�V��I��ɂ��Ă��B��ȑO�ɃJ�[�l��\�z��Ƃ��Ȃ��
�΁AKernel HOWTO <http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>��
��ł��B [�󒍁F��{��
<http://www.linux.or.jp/JF/JFdocs/Kernel-HOWTO.html> �ɂ��܂��B]

2.0 �J�[�l��ɑ΂�� -

o CONFIG_FIREWALL

o CONFIG_IP_FORWARD

o CONFIG_IP_FIREWALL

o CONFIG_IP_ROUTER

o CONFIG_PPP

2.2 �J�[�l��ɑ΂�� -

o CONFIG_FIREWALL

o CONFIG_IP_ADVANCED_ROUTER

o CONFIG_IP_FIREWALL

o CONFIG_IP_ROUTER

o CONFIG_PPP

5.4. �T�[�o - �l�b�g��[�N��ݒ肷��

�l�b�g��[�N�J�[�h 1 ��Ȃ��T�[�o��\�z��悤�Ƃ��Ă��̂ł��
�΁A�� 1 ��āA�V��ɔz��邱�Ƃ��悤��߂܂��B�l�b�g
��[�N�̔�J��̂܂܂ɂ��Ă��ԗǂ��@�́A��ꎩ�g�̐�
�Ɋ��蓖�Ă邱�Ƃł��B�� 2 ��̃l�b�g��[�N�J�[�h��Ă��̂ł�
��΁A��ꂼ��̐ݒ��@��m��K�v��܂��B��͊O��C��^�[�t�F
�[�X�� eth0�A��C��^�[�t�F�[�X�� eth1 ��g��܂��B

5.4.1. �C��^�[�t�F�[�X��ݒ肷��

�ŏ��ɃT�[�o�̊O��C��^�[�t�F�[�X��ݒ肷��K�v��܂��B��ɂǂ��
��Ηǂ��m��Ă��͂��ł��A��A��ɐݒ肵�Ă��܂��ł��傤�B
�܂��ł��΁A��ɂ��Ă��B�ǂ��Ηǂ��Ȃ��΁A
�߂�� Networking HOWTO
<http://www.linuxdoc.org/HOWTO/NET3-4-HOWTO.html> ��ǂ�ł��B

�ł͓��C��^�[�t�F�[�X��ݒ肵�܂��B�ԍ��͎��̑I��ɂ��āA�T�[
�o�̓��C��^�[�t�F�[�X�� 192.168.40.254 �ł��B�ł͂��̃C��^�[�t�F�[
�X��ݒ肵�܂��傤�B

2.0 �J�[�l��ł͎��g��Ă�� -

# /sbin/ifconfig eth1 192.168.40.254 netmask 255.255.255.0 broadcast 192.168.40.255
# /sbin/route add -net 192.168.40.0 netmask 255.255.255.0 dev eth1

2.2 �J�[�l��ł͎��g��Ă�� -

# /sbin/ifconfig eth1 192.168.40.254 netmask 255.255.255.0 broadcast 192.168.40.255

��Ŋ�{�C��^�[�t�F�[�X��p�ӂł��܂��B��ŗ��̃��[�J��l�b�g��
�[�N�ɂ��ăT�[�o�Ɍq��}�V��ɘb��邱�Ƃ��ł��܂��B

5.4.2. �o�H��ݒ肷��

��̓��[�J��l�b�g�ɂ��}�V��Ƙb��Ƃ͂ł��l�ɂȂ�܂��A
��l�b�g��[�N�̎c��Ƃ͘b��Ƃ��ł��܂��B��ɂ͂��s�R
�[�h��K�v�ł��B��̃T�u�l�b�g�ɂ��ق��̃}�V��ɓ��B��邽�߂ɂ́A�g
��t�B�b�N�� Cisco ��[�^�Ɍ��悤�Ȍo�H��m��K�v��܂��B��
�悤�ɂ��܂� -

# /sbin/route add -net 192.168.0.0 gw 192.168.254.254 netmask 255.255.0.0 dev eth1

��̍s�́A192.168.0.0 �l�b�g��[�N�ɍs��ƂɂȂ��Ă��邢��̃g��
�t�B�b�N�� eth1 ��o��ׂ��ŁA�� Cisco �ɓ`��ׂ��ł��Ƃ�
��Ƃ�J�[�l��ɓ`��܂��B��[�e�B��O�e�[�u��l�b�g�}�X�N�̃T�C�Y
�Ō��߂��邽�߁A��[�J��l�b�g�Ɍ��g��t�B�b�N�ɂ́A�܂��
��ꏊ��Ă��܂��B��ɂ�l�b�g��[�N�̒��ɓ��I�ȃl�b�g��[
�N��Ȃ�A��ꂼ��ɑ΂��āA��L�̂悤�Ȏw��邱�ƂɂȂ�܂��B

5.4.3. �t�B��^�K��쐬��

OK, �K�v�Ƃ��꓾��}�V��S�Ăɓ��B�ł��悤�ɂȂ�܂��B��x�́AVPN
�T�[�o��ʂ��ăA�N�Z�X��Ȃ��Ƃ��A�t�@�C�A�E�H�[��̃t�B
��^�K��L�q��Ȃ��Ă͂Ȃ�܂��B

ipfwadm �ŋK��w�肷��ɂ́A��̂悤�ɂ��܂� -

# /sbin/ipfwadm -F -f
# /sbin/ipfwadm -F -p deny
# /sbin/ipfwadm -F -a accept -S 192.168.40.0/24 -D 192.168.0.0/16
# /sbin/ipfwadm -F -a accept -b -S 192.168.10.0/24 -D 192.168.0.0/16
# /sbin/ipfwadm -F -a accept -b -S 192.168.11.0/24 -D 192.168.0.0/16

ipchains �ŋK��w�肷��ɂ́A��̂悤�ɂ��܂� -

# /sbin/ipchains -F forward
# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.40.0/24 -d 192.168.0.0/16
# /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.10.0/24 -d 192.168.0.0/16
# /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.11.0/24 -d 192.168.0.0/16

��̓J�[�l��ɁA192.168.40.0/24 �l�b�g��[�N��痈�� 192.168.0.0/16
�l�b�g��[�N�Ɍ��̂��A�S�Ẵg��t�B�b�N��₷��悤�ɓ`
��܂��B��͂܂��A192.168.10.0/24 �� 192.168.0.0/16 �l�b�g�Ƃ̊Ԃł�
��Ƃ肳��g��t�B�b�N��Ƃ��Ƃ��`��܂��B
192.168.11.0 �l�b�g�ɑ΂��Ă��l�ł��B��̍Ō� 2 �͑o��̋K��
�ŁA��͑o��ɂ��Ƃ�ł��悤�o�H��߂邽�߂ɂ͏d�v�Ȃ��Ƃ�
��B

5.4.4. �o�H��ݒ肷��

���[�U�ɂƂ��ẮA��܂łőS�Ă��܂��삷��ł��傤�B��A
��ꂽ��ɂ��I�t�B�X�̂��߂ɂ͂��炩�o�H��ݒ肵�Ȃ��Ă͂Ȃ�܂�
��B�܂��ŏ��ɁA��C��[�^�A��Ȃ킿 Cisco �ɁA��ꂽ��ɂ��I�t�B
�X�� VPN �T�[�o�̉e�ɉB��Ă��Ƃ��Ƃ��Ă��K�v��܂��B
�ł�� Cisco �ɑ΂��āA��ꂽ��ɂ��I�t�B�X�s��̃g��t�B�b�N��
VPN �T�[�o�ɑ��悤�Ȍo�H��w�肵�Ă��B��ꂪ��񂾂�A��x�͗�
�ꂽ�I�t�B�X�Ɍ��g��t�B�b�N��ǂ��ׂ�� VPN �T�[�o�ɋ��Ă��
�Ȃ��Ă͂Ȃ�܂��B��ɂ� route �R�}��h��T�[�o�Ŏ��s��
��B route �R�}��h�𓮍삳��ł̗B��̖��́A��N�͊m��
��Ȃ��Ă͂Ȃ炸�A��؂�Ă��܂��ƌo�H��Ă��܂��Ƃ��Ƃ�
��B��́A�N��C�A��g��ڑ��Ă��o�H��ǉ��Ă��A��邢
�́Aroute �R�}��h�͕K�v�ȏ�Ɏ��s��Ă��薳��̂ŁA��ȒP�ȕ��@��
��ẮA��x�X��s��Ă�邱�Ƃł��B�ł́A�X�N��v�g��쐬��āA��
��Ɏ��s��悤�� crontab �ɉ��Ă��B��̒��ɂ͎��̂�
��ɏ��Ă�� -

/sbin/route add -net 192.168.11.0 gw 192.168.10.253 netmask 255.255.255.0
/sbin/route add -net 192.168.10.0 gw 192.168.11.253 netmask 255.255.255.0

5.5. �T�[�o - pppd ��ݒ肷��

��č��x�� VPN �ڑ��舵��߂ɃT�[�o�� pppd ��ݒ肵�܂��傤�B��
��̃T�[�o��A�_�C��A�b�v��[�U��̂Ɏg��Ă��A��邢��
��Ȃ��g��_�C��̂Ɏg��Ă��̂ł��΁A��̕ύX��
�̃T�[�r�X�ɉe��^��邩��Ȃ��Ƃ��Ƃ�o��Ă��ׂ��ł��B��
�̃Z�N�V��̍Ō�ŁA��ɂ��ďՓ˂��邩��܂��B

5.5.1. /etc/ppp/

��̃f�B��N�g��ɂ͂��̃t�@�C��邩��܂��B��Ȃ�
�͊��ɁAoptions �ƌĂ΂��t�@�C��Ă��ł��傤�B��̃t�@�C��
�� pppd �ɑ΂��I�ȃI�v�V��̑S�Ă��Ă��܂��B��̃I�v
�V�� pppd �̃R�}��h��C��Ŗ��ɂ��邱�Ƃ͂ł��܂��B

5.5.2. /etc/ppp/options

options �t�@�C��͏��Ȃ��Ƃ��̂悤�ȋL�q��܂�ł��͂��ł� -

ipcp-accept-local
ipcp-accept-remote
proxyarp
noauth

�ŏ�� 2 �s�� pppd �ɁA��̒[�� IP �A�h��X�Ƃ��Ďw�肵��̂�󂯓�
��悤�w��܂��B��͗��ꂽ��ɂ��I�t�B�X�ɐڑ��Ƃ��ɂ͕K�v
�ł��A��̃��[�U�ɐڑ��Ă��̂Ȃ�Ζ��ɂ��邱�Ƃ��ł��
��B��̓T�[�o��A�h��X��蓖�Ă邱�Ƃ�W��͂��܂��̂ŗL��ɂ�
�Ă��č\��܂��B��̓N��C�A��g��߂Ă��Ƃ�󂯓��ėǂ�
�Ƃ��Ƃ�`��邾��ł��B

3 �s�ڂ͔��ɏd�v�ł��Bpppd �̃}�j��A��y�[�W�ɂ�� -

proxyarp
��̃V�X�e�� ARP [Address Resolution Protocol] �e�[�u��ɑ΂��
�s�A�� IP �A�h��X�Ƃ��̃V�X�e��̃C�[�T�l�b�g�A�h��X��t��܂��B
��ɂ��āA�s�A��̃V�X�e��猩�ă��[�J��ȃC�[�T�l�b�g��
��悤�Ɍ��Ƃ��ʂ��炳��܂��B

��ꂪ�ׂ��Ă��Ȃ�� [�J��ȃg��t�B�b�N��g��l��ʂ��Ė߂�
�ė��Ȃ��Ȃ邽�߁A��͔��ɏd�v�ł��B

�Ō�̍s��d�v�ł��B�� pppd �Ƀ��[�U��ƃp�X��[�h��Őڑ�
��悤�w��܂��B�� sshd �ɂ��Ċ��ɔF�؂��ׂ��Ă��̂ň�
�S�ł��B

5.5.3. �Փ˂��

��Ȃ�� pppd �ő��̃T�[�r�X��Ă��Ȃ�A��̑��̃T�[�r�X
�̐ݒ�� VPN �V�X�e��K�v�Ƃ��Ă��̂Ƃ͈قȂ��Ă��邩��m��Ȃ�
�Ƃ��Ƃ�l��Ă݂�ׂ��ł��Bpppd �� /etc/ppp/options ��C��I�v
�V��t�@�C��̒��̃I�v�V��͎��s��Ɏw�肳�ꂽ�I�v�V��ɂ��Ė�
��ɂł��Ȃ��悤�ɐ݌v��Ă��܂��B��̓Z�L��e�B��̗��R�ɋ��
��B�Փ˂��邽�߁A�ǂ̃I�v�V��Փ˂�N��Ă��邩��肵�ĉ��
��B��Ă��C��t�@�C�� pppd �̓��̃A�v��P�[�V��s
��Ƀ��[�h��镪��ꂽ�I�v�V��t�@�C��Ɉڂ��Ă��B

5.6. �T�[�o - sshd ��ݒ肷��

��ɋ��͎̂�� /etc/sshd_config�t�@�C��̓�e�ł��B��Ȃ��̃t�@�C
��A��A�܂��͎��`��Ă��͂��ł� -

# This is the ssh server system wide configuration file.

Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode no
FascistLogging yes
CheckMail no
IdleTimeout 3d
X11Forwarding no
PrintMotd no
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no

�C��Ă��ׂ��d�v�ȓ_�́A�p�X��[�h�F�؂� "r" �T�[�r�X�S�Ăɂ��
�Ė��ɂȂ��Ă��Ƃ��Ƃł��B��́A��[��`�F�b�N�₻�̓��̃��b�Z
�[�W��A�N��C�A��g�� pppd ��̂Ŗ��ɂ��Ă��
��Broot ��O�C��͋��Ă��܂��A��̓L�[�Ȃ��ɂ͎��s�ł��Ȃ��
�߁A�\��Ɉ��S�ł��B

5.7. �T�[�o - ��[�U�A�J�E��g��ݒ肷��

��̓��[�U�A�J�E��g��ݒ肵�܂��B

5.7.1. vpn-users �O��[�v��ǉ��

��s��Ă��B

# /usr/sbin/groupadd vpn-users

�ł� /etc/group �t�@�C�� cat ��čŌ�̍s��Ă��B�� vpn-
users �O��[�v�̂��߂̃G��g��ɂȂ��Ă��͂��ł��B 3 �Ԗڂ̃t�B�[��
�h�ɒ��ӂ��Ă��B��̓O��[�v ID (GID) �ł��B��ɕK�v�ɂȂ��
�ł��߂Ă��Ă��B��̗�ł� GID �� 101 �ł��B

5.7.2. vpn-users �̃z�[��f�B��N�g��

��̓��[�U�S�Ă̂��߂Ɉ�̃z�[��f�B��N�g��g��Ƃ��Ă��
��B�ł͎��s��Ă�� -

# mkdir /home/vpn-users

5.7.3. .ssh �f�B��N�g��

.ssh �f�B��N�g�� vpn-users �z�[��f�B��N�g��̒��ɍ쐬��܂��B

# mkdir /home/vpn-users/.ssh

5.7.4. ��[�U��ǉ��

��Ėʔ��ɂ��Ă��܂��B��ꂩ�� /etc/passwd �t�@�C��ŕ�
�W��킯�ł��B:) �ʏ�̓V�X�e��ɑ��삳��t�@�C��Ȃ̂ł��A��
��ς��ݒ��s��Ƃ��ɂ͎��ŏ��ȒP�ł��B�ŏ��
/etc/passwd �t�@�C��J��Ă��ɉ��邩��Ă݂܂��傤�B��͎��
��̂悤�ɂȂ��Ă��͂��ł� -

....
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:1020:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:1020:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
....

�w�ǂ̃V�X�e��ɍŏ��̍s�̃��[�U��ł��傤�B 2 �Ԗڂ̃��[�U��
��ł��B:) ��̎��͉��l��̍쐬��ꂽ vpn-user �ł��B�ŏ��̃t�B�[��h
�̓��[�U��ŁA2 �Ԗڂ̓p�X��[�h�̃t�B�[��h�ł��B 3 �Ԗڂ̓��[�U ID
(UID) �� 4 �Ԗڂ̓O��[�v ID (GID) �ł��B�Â� 5 �Ԗڂ̃t�B�[��h�͊e
��[�U�̌l��ł��B 6 �Ԗڂ̃t�B�[��h�̓��[�U�̃z�[��f�B��N�g��
�ŁA�Ō�͔ނ�̃V�F��ł��B��̂Ƃ��A�e�t�B�[��h�̓R��ŋ�؂�
��Ă��܂��B�Ō�� 3 �s��Ă��B��̊Ԃł̗B��̈Ⴂ�́A��
��̃t�B�[��h�̃��[�U��ƁA5 �Ԗڂ̃t�B�[��h�̃��[�U��ł��B��肽
��̂́A�e��[�U�ɑ΂��Ă��̂悤�ȍs��쐬��邱�Ƃł��B�ڑ��S�ĂɒP��
�̃��[�U��g��Ȃ��ł��B��ƁA�ނ�X��邱�Ƃ�
�ł��Ȃ��Ȃ�܂��B��ŁA��Ɏ��悤�ȓ�e�ɂȂ�悤�A��̃t�@�C��
�̍Ō�̍s��R�s�[��Ă��ҏW��Ă��B2 �Ԗڂ̃t�B�[��h�ɃA�X
�^��X�N (*) ��邱�Ƃ�m�F��Ă��B3 �Ԗڂ̃t�B�[��h�́A��
�t�@�C��̑�� ID �S�Ăƈ��Ă��ׂ��ł��B�� 1020 ��g��܂��B��
�� 1000 ��̓V�X�e��̗��p�̂��߂ɗ\�񂳂�Ă��܂��̂ŁA��ȏ��g
��ׂ��ł��B 4 �Ԗڂ̃t�B�[��h�� vpn-user �̃O��[�v ID �̂͂��ł��B
��͏��߂Ă��悤��܂��B��ꂪ�K�v�ȂƂ��Ă��܂��B��
�̓O��[�v ID ��ɓ��Ă��B�Ō�ɁA�z�[��f�B��N�g��
/home/vpn-users �A�V�F�� /usr/sbin/pppd �ɕύX��Ă��B�ł��܂�
��B�ł͂��̍s�𑼂̃��[�U��쐬��邽�߂ɃR�s�[��Ă��B1 �Ԗڂ�
5 �Ԗڂ̃t�B�[��h��ҏW��Đݒ肷�邾��ł��B

5.8. �T�[�o - �Ǘ��

��[�U�A�J�E��g�ɑ΂��Ă��̃V�X�e��𗘗p��邱�Ƃ̗��_�̈�́A
UNIX ��[�U�Ǘ��R�}��h�𗘗p��邱�Ƃ��ł��Ƃ��Ƃł��B�N��C�A
��g�̓��[�U�Ƃ��ă��O�C��Ă��܂��̂ŁA��Ȃ��̓��[�U�̓��v�𓾂邽
�߂ɕW��I�ȕ��@��g��Ƃ��ł��܂��B��ɋ��̂́A�S�Ă��ǂ��Ȃ��
��̂��邽�߂Ɏ��D��Ŏg��Ă��A��̃R�}��h�ł��B

who
��݃��O�C��Ă��郆�[�U�A��ꂩ��ނ炪��A�ǂ� (��O�� IP)
��A�ǂ̃|�[�g�Ń��O�C��\��܂��B

w ��̃R�}��h�͌��݃��O�C��Ă��l�ɂ��Ă��L�͈͂ȃ��X�g��
�\��܂��B��̓V�X�e��̗��p��Ԃƕ��ϕ��ׂ�m�点�Ă��
��B�܂��[�U�́A�A�C�h��Ԃ�܂ތ��݂̃v��Z�X (VPN �N��C�A
��g�ɂƂ��Ă� -pppd �̂͂��ł�)�A��ꂩ�猻�݂̃v��Z�X��܂ޑS
�Ẵv��Z�X�� CPU ��p��@��\��܂��B��ȏ�̏��ɂ��
�� w �̃}�j��A��y�[�W��ǂ�ł��B

last [username]
��͎w�肳�ꂽ��[�U�A��邢�̓��[�U��w�肳��Ȃ��ΑS�Ă�
��[�U�̃��O�C��\��܂��B��̓��[�U��O�C��Ă��
��ԁA��邢�̓��[�U��܂��O�C��Ă��邱�Ƃ��̂ŁA�g��l
��ɂ��܂��삵�Ă��邩�m��߂�ɂ͍ł�֗��ȕ��@�ł��B�V
�X�e�� N��Â��Ă��ƁA��̃��X�g�͔��ɒ��
�蓾��Ƃ��Ƃ�x��Ă��܂��B�p�C�v�� grep ��邢�� head
��ʂ��āA�m�肽��Ƃ�m��Ɍ��܂��B

/home/vpn-users/.ssh/authorized_keys �t�@�C��ύX��āA�ڑ��
�郆�[�U�𐧌䂷�邱�Ƃ�ł��܂��B��̃��[�U�̌��J�L�[�̍s��
�t�@�C��폜��ƁA�ނ�̓��O�C��邱�Ƃ��ł��Ȃ��Ȃ�ł��傤�B

5.9. �N��C�A��g - �J�[�l��\�z��

�N��C�A��g�Ɉڂ�܂��傤�B�ŏ��ɁA�K�v�Ƃ��@�\�S�Ă�T�|�[�g�ł��
�悤�ɁA�J�[�l��č\�z��Ȃ��Ă͂Ȃ�܂��B�Œ��߂��̂́A�J
�[�l�� ppp ��g�ݍ��ނ��Ƃł��B��̌�A��̃}�V��ɑ΂��ăg��l��
�ւ̃A�N�Z�X��悤�Ƃ��Ă��ꍇ�Ɍ��ƁA�t�H��[�f�B��O�A�t�@
�C�A�E�H�[��A�Q�[�g�E�F�C�@�\��K�v�ƂȂ�ł��傤�B��̗�ł́A��Ƃ�
�Ď��C�A�E�g�̒��́A��ꂽ�Ƃ��ɂ��I�t�B�X�̃}�V��̂��̈�
��ݒ肷�邱�Ƃɂ��܂��B��ɋ��I�v�V��ǉ��Ă��B�J��
�Ԃ��ɂȂ�܂��A��Ȃ��ȑO�ɃJ�[�l��\�z��Ƃ��Ȃ��̂ł�
��΁A Kernel HOWTO
<http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html>��ǂ�ł��B
[�󒍁F��{�� <http://www.linux.or.jp/JF/JFdocs/Kernel-
HOWTO.html> �ɂ��܂��B]

2.0 �J�[�l��ɑ΂�� -

o CONFIG_PPP

o CONFIG_FIREWALL

o CONFIG_IP_FORWARD

o CONFIG_IP_FIREWALL

o CONFIG_IP_ROUTER

o CONFIG_IP_MASQUERADE

o CONFIG_IP_MASQUERADE_ICMP

2.2 �J�[�l��ɑ΂�� -

o CONFIG_PPP

o CONFIG_FIREWALL

o CONFIG_IP_ADVANCED_ROUTER

o CONFIG_IP_FIREWALL

o CONFIG_IP_ROUTER

o CONFIG_IP_MASQUERADE

o CONFIG_IP_MASQUERADE_ICMP

5.10. �N��C�A��g - �l�b�g��[�N��ݒ肷��

��āA�N��C�A��g�{�b�N�X��ݒ肵�܂��傤�B�O��l�b�g��[�N�̐ݒ肪��
��ŁA��ꂪ��삵�Ă��Ƒz��܂��傤�B��x�́A�C��g��l�b�g��T�[
�r�X��邽�߂ɃN��C�A��g�̓��C��^�[�t�F�[�X��ݒ肷�邱�ƂɂȂ��
��傤�B

5.10.1. �C��^�[�t�F�[�X

�܂��ŏ��ɓ��l�b�g��[�N�C��^�[�t�F�[�X��ݒ肷��K�v��܂��B��
��ɂ͎�� /etc/rc.d/rc.inet1 (��邢�͂��ɑ��) �t�@�C��
�ɒǉ��Ă�� -

2.0 �J�[�l��ɑ΂�� -

/sbin/ifconfig eth1 192.168.10.253 broadcast 192.168.10.255 netmask 255.255.255.0
/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 dev eth1

2.2 �J�[�l��ɑ΂�� -

/sbin/ifconfig eth1 192.168.10.253 broadcast 192.168.10.255 netmask 255.255.255.0

5.10.2. �t�B��^�K��

��ꂽ��ɂ��I�t�B�X��ݒ肷�邽�߂ɁA�g��l��ʂ��đo��Ƀg��
�t�B�b�N��s��邱�Ƃ��悤�ȃt�B��^�K��ݒ肵��悢��
��傤�B��ɋ��s�� /etc/rc.d/rc.inet1 (�܂��͂��ɑ��) �t�@
�C��ɒǉ��Ă�� -

2.0 �J�[�l��ɑ΂�� -

/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a accept -b -S 192.168.10.0/24 -D 192.168.0.0/16

2.2 �J�[�l��ɑ΂�� -

/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j ACCEPT -b -s 192.168.10.0/24 -d 192.168.0.0/16

��Ȃ��́A��̍s��T�[�o�ɂ��̂Ǝ��Ă��邱�ƂɋC�Â��
�܂��B�Ȃ��Ƃ��Ƃ��͓��̂��ł��B��̋K��͂܂��ɁA��
�� 2 �̃l�b�g��[�N�̊ԂŃg��t�B�b�N��Ƃ��ł��ꏊ��q
�ׂĂ��܂��B

5.10.3. �o�H��ݒ肷��

�B��K�v�ȓ��ʂ̌o�H�̓g��l��\�z��X�N��v�g�ɂ��č��܂��B

5.11. �N��C�A��g - pppd ��ݒ肷��

�N��C�A��g�� /etc/ppp/options �t�@�C��ҏW��K�v�͑S��Ȃ��
��܂��B"auth" �I�v�V��A��邢�͑��̓��I�v�V��^��ꂽ��
��͂��̕K�v��ł��傤�B��Ă݂đʖڂ��A�s��
/etc/ppp/options ��삷��ł��傤�B�ǂ�(��ꂪ��łȂ��)��
��̂��邽�߂ɁA�Â��t�@�C��I�v�V��ǉ��
�Â��A��ł��邩�ǂ��ɂ߂Ă��B��͑S��K�v�Ȃ��
��܂��B��Ȃ�� pppd �𑼂̂��ƂɎg��Ă��Ȃ��΁A��K�v�Ȃ�
�ł��傤�B

5.12. �N��C�A��g - ssh ��ݒ肷��

�N��C�A��g�� root �Ŏ��̍s��s��Ă�� -

# mkdir /root/.ssh
# ssh-keygen -f /root/.ssh/identity.vpn -P ""

�� .ssh �f�B��N�g�� identity.vpn �� identity.vpn.pub �� 2 ��
�t�@�C��쐬��ł��傤�B�ŏ��͂��Ȃ��̃v��C�x�[�g�L�[�ŁA��̂܂�
�ɂ��Ă��ׂ��ł��B�Í��ꂽ�Z�b�V��ʂ��̂łȂ��A�l�b�g��
�ł��΂ɑ��M��Ȃ��ł��B2 �Ԗڂ̃t�@�C��͂��Ȃ��̌��J�L�[
�ŁA��Ȃ��̃V�X�e��ɃA�N�Z�X��邱�Ƃ��邾��ŁA��Ȃ��̃V
�X�e��ɓ��邽�߂Ɏg��Ƃ͂ł��Ȃ��̂ŁA��͉��ł�D��ȂƂ��
��邱�Ƃ��ł��܂��B��͎��ۂ̃L�[�� 1 �s�܂ރe�L�X�g�t�@�C��ł��B
�s�̍Ō�́A�L�[��󂷂��Ƃ�|��炸�ɕύX�ł��R��g�t�B�[��h��
��B�Ⴆ�΃L�[�͎��̂悤�Ȃ�̂ł� -

1024 35 1430723736674162619588314275167.......250872101150654839 [email protected]

��ۂɂ͂��肩�Ȃ蒷��ł��A�S��Ƃ��Ă�y�[�W�ɂ͂��
�Ȃ��ł��傤�B�T�[�o�� /home/vpn-users/.ssh/authorized_keys �t�@�C��
�L�[��R�s�[��Ă��B1 �s�� 1 �̃L�[��A�e�L�[��s
�ɂ܂��ĉ��Ă��Ȃ��Ƃ�m�F��Ă��B�ǂ̍s��ǂ̃��[�U�ɑ�
��̂��v��o��ɂȂ�悤�A�R��g�t�B�[��h�S�Ă�D��Ȃ悤��
�ύX��邱�Ƃ��ł��܂��B��͂��邱�Ƃ��߂܂��B

5.13. �N��C�A��g - �ڑ��m��

�ł� VPN �T�[�o�Ɏ��ۂɐڑ��Ă݂܂��傤�B�܂��A�P��̐ڑ��s��A
ssh ��known_hosts �t�@�C��̐ݒ��K�v��܂��B��s��Ă�
�� -

# ssh vpn.mycompany.com

�ڑ��𑱂��ǂ��₳�ꂽ�Ƃ�� ''yes'' �Ɠ��Ă��B�T�[
�o�� ''permission denied'' �ƌ��m��܂��񂪁A��v�ł��B�T�[�o
�ɑ΂��āA�ڑ��X�N��v�g�̒��Ŏg��Ă��̂Ɠ��O��g��Ƃ��Ƃ�
�d�v�ł��B�ł́A��̍s��s��Ă��B��ƁA�ݒ��K��邽��
�ɃI�v�V��̖w�ǂ�ύX��K�v��ł��傤�B

# /usr/sbin/pty-redir /usr/bin/ssh -t -e none -o 'Batchmode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpn-user vpn.mycompany.com > /tmp/vpn-device

(10 �b�قǑ҂��܂��傤)

# /usr/sbin/pppd `cat /tmp/vpn-device` 192.168.10.254:192.168.40.254

pppd �̍s�Ŏw�肳��Ă�� IP �A�h��X�ɒ��ӂ��Ă��B�ŏ��̓g��l
��̃N��C�A��g��̒[�̃A�h��X�ł��B2 �Ԗڂ̓g��l��̃T�[�o��̒[��
�A�h��X�ł��̓T�[�o�̓��A�h��X�ɂȂ��Ă��܂��B��̑S�Ă�
��삵�Ă��悤�Ȃ�A��Ă��B��łȂ��Ȃ�A�w�肵��I�v
�V��S�Ăɑ΂��āA��炪��Â��Ă��邩�`�F�b�N��Ă��
��B��܂��܂��Ȃ��Ȃ�A``��Ƃ�� Z�N�V��''��`�F�b
�N��Ă݂Ă��B

5.14. �N��C�A��g - �o�H��ݒ肷��

�ł́A�o�H��A�g��l��ʂ��ăg��t�B�b�N�𑗂�悤�ɐݒ肵�Ă��
��B��s��邾��ł� -

# /sbin/route add -net 192.168.0.0 gw vpn-internal.mycompany.com netmask 255.255.0.0

��Ńg��l��̑��[�ɂ��}�V��ƒʐM�ł��悤�ɂȂ��Ă��͂��ł��B
��Ă݂Ă��B��Ȃ肢��H ��܂��Ȃ��Ȃ�A�ǂ��ɖ�
�肪��̂��˂��~�߂邽�߂�ping �� traceroute ��g��Ă݂Ă��
��B��͓��Ă��Ȃ�A�X�N��v�g��Ȃ��̂��߂ɂ��̎d��Ă�
��悤�ݒ�𑱂��Ă��B

5.15. �N��C�A��g - �X�N��v�g��

�� ``��'' �Ŏ�� vpnd �X�N��v�g��g��Ă��B��A��ύX
��K�v��܂��B��̕ύX��s��Ă�� -

o ��ɍ��悤�擪�̕ϐ��ύX��Ă��B�w�ǂ͂��̂܂܂ő��v
�ł��A�K�v�Ȃ�ς��邱�Ƃ��ł��܂��B

o 27 �s�� - ��[�J��A��ꂩ�烊��[�g�� IP �A�h��X�� $PPP_OPTIONS
�̑O�ɉ��Ă��B

o 31 �s�� - ��̍s�ƌ�� 2 �s��A��l�b�g�̌o�H��ݒ肷��悤�ɕύX
��Ă��B

5.15.1. ��s��

bash �X�N��v�g�͕��ʈ��肵�Ă��܂��A��s��邱�Ƃ��m��Ă��܂��B
vpnd �X�N��v�g��𑱂��Ă��邱�Ƃ�m��߂邽�߂ɂ́A�N��C�A��g
�� crontab �� check-vpnd �X�N��v�g��N��G��g��ǉ��Ă��
��B�� 5 ��疈�Ɏ��̂�̂�N��Ă��܂��B�� vpnd ��{��
�Ɏ��s��Ă��Ƃ��Ă�A check-vpnd �͂�� CPU ��g�p��܂�
��B
6. �t�L

6.1. ��Ƃ��

��̃V�X�e��g��ہA��ׂ��̎v��ʏ�Q��܂��B��킭
�΂��Ȃ��邱�Ƃ��ł��悤�ɁA��Ɏ��܂��B
��V��ȏ�Q�Ɋׂ��Ȃ�A��A��đ��̐l��
��邱�Ƃ��ł��悤�ɁA��ɂ��ă��[��
<mailto:[email protected]>��B

6.1.1. read: I/O error (�ǂݍ�� - I/O �G��[)

��̃G��[�͖��炩�� pppd ��炫�Ă��܂��B�� pppd �̃o�[�W��̕s
��Ɋ֘A��Ă��܂��B��ꂪ�N��Ȃ�A�ڑ��̗��[�� pppd �̍ŐV�̃o
�[�W��ɃA�b�v�O��[�h��Ă݂Ă��B�� pppd �̃o�[�W�� 2.2
�͂��̖�肪��邱�ƂɋC�Â��܂��̂ŁA��Ƀo�[�W�� 2.3.7 ��
�� 2.3.8 ��g��Ă��B

6.1.2. SIOCADDRT: Network is unreachable (SIOCADDRT - �l�b�g��[�N��
��B�s�\)

��̖�� route �ɂ��Đ��ݏo��܂��B�� ssh �� pppd �̊Ԃ̃X��[
�v��Ԃ��\��Ȃ��ꍇ�ɂ��ꂪ�N��邱�Ƃ�m��܂��B��̃G
��[�ɑ��Aifconfig ��s��Ă݂ĉ��B pppX �C��^�[�t�F�[
�X��Ȃ��̂��邩��܂��B��́A ssh �� pppd ��n�߂�O
�ɔF�؂�s��Ă��炸�A pppd ��ڑ��s��Ă��Ȃ��߂ł��Ƃ��
��Ӗ��Ă��܂��B�P��ɒx��Ԃ��΂��Ă��B��Ζ��
�͉��ł��傤�B

��̖��C��悤�� pppd �̃I�v�V��͖��̂ł��傤��B

6.1.3. IPv4 �t�H��[�f�B��O�� 2.2 �J�[�l��

�V�� 2.2 �J�[�l��ł́A�N��ɃJ�[�l��̒�� IP �t�H��[�f�B��O��
��ɗL��ɂ��K�v��܂��B��͎��̃R�}��h�ōs��܂� -

# echo 1 > /proc/sys/net/ipv4/ip_forward

��ꖳ��ł́A�J�[�l��͔@��Ȃ�p�P�b�g��]��A��̌��ʃT�[�o�A��
��ɃQ�[�g�E�F�C��Ă��N��C�A��g�̂��炩��삵�Ȃ��ƂɂȂ��
��傤�B

6.1.4. �o�H��ݒ肷��

��܂ł�Ȃ��Ƃł��A��ۂ̐��l��ݒ肷��Ƃ��ɂ́A�g��l��ʂ�
�� VPN �T�[�o�̊O��A�h��X�Ɍ��o�H��g��t�B�b�N�ɑ΂��Đݒ肵��
��悤��ӂ��Ă��B��͂��܂��Ȃ��ł��傤�B (��ł��B��
�͌l�I�Ȍo��炫�Ă��܂��B)

6.2. �n�[�h�E�F�A��у\�t�g�E�F�A�v��

6.2.1. �Œ��̃n�[�h�E�F�A�v��

�M��悤��M��܂��A��̃V�X�e�� 8 ��K�o�C�g RAM �� 486SX33 �œ�
�삵�Ă��܂��B�Ƃ͂��Ă��ʂ̃g��t�B�b�N��Ŗ�肪��A
��قǂ��܂��Ă͂��܂��ł��B

��A��悤�ɂ��̂ɂ��قǑ��͕K�v��܂��B��̃V�X�e��̓t
��b�s�[��œ��삷�� LRP �f�B�X�g��r��[�V��g��A6 ��K��
RAMDISK �� 10 ��K�̃��C��ARAM 16 ��K�� Pentium 75 ��
��Ŏ��ɗǍD�ɓ��삵�܂��B��͂��̊��A700kbit �� RealVideo �� 1 ��
�Ԉȏ㗬��ăe�X�g��܂��B

��ۂ� 100Mbit �C�[�T�l�b�g�J�[�h��}�� PCI ��ǂ��
��ł��̂ŁA��͌��݂��A�T�� Pentium 90 �̏�œ��Ă��
��B

6.2.2. �\�t�g�E�F�A�v��

��̃V�X�e�� 2.0 �� 2.2 �J�[�l��ɂ��ē��삵�܂��B�g��l��J
��܂܂ɂ��Ă��X�N��v�g�́A�K�x�ɐV�� bash ��K�v�Ƃ��܂��B��
��́A��f�B�X�g��r��[�V�� bash �̃o�[�W��ł́A�X�N��v�g
��܂肤�܂��삵�Ȃ��Ƃ��ƂɋC�Â��܂��B

��ꂩ��A�N��̃X�N��v�g��P�� (��邢�͎��s�t�@�C��
�ł�) �菕��Ă��Ȃ�A��Ϗ��܂��B�Ȃ�� bash �X�N��v
�g��K��ɏ]�킸�A�M��𐳂��߂��Ȃ��̂��Ă��܂��B��Ȃ�
��P��̂ł��΁A�ǂ��d�q��[��
[email protected] <mailto:[email protected]> ��ɑ��Ă�
��B

[�� : ��{��ŉ��ȉ��Ɏ��܂��B

v1.0j, 2000 �N 8 �� 18 ��
�|��: �{�c �� <[email protected]>

�e�J �� <[email protected]>, �� L�� <[email protected]>, ��
�� Y <[email protected]>, �{�� _�j
<[email protected]>, �R�� `�V <[email protected]> ]