Now we will configure pppd on the server to handle VPN connections. If
you are already using this server to handle dialup users or even dialing
out yourself, then you should note that these changes may affect those
services. I go over how to avoid conflicts at the end of this section.
Your options file should contain at least the following:
ipcp-accept-local
ipcp-accept-remote
proxyarp
noauth
The first two lines tell pppd to accept what the other end specifies
for IP addresses. This is necessary when hooking up remote offices, but can
be disabled if you are only connecting home users. It's okay to leave it on, as
it does not prevent the server from assigning addresses, it only says it that
it's okay to accept what the client asks for.
The third line is very important. From the pppd man page:
proxyarp
Add an entry to this system's ARP [Address Resolu-
tion Protocol] table with the IP address of the
peer and the Ethernet address of this system. This
will have the effect of making the peer appear to
other systems to be on the local ethernet.
This is important because if it is not done, local traffic will not be able
to get back through the tunnel.
The last line is just as important. This tells pppd to allow
connections without username and password. This is safe since authentication
is already handled by sshd.
If you are handling other services with pppd, you should
consider that the configurations for these other services may not be the
same as what the VPN system needs. pppd is designed such that
the options in the main options file /etc/ppp/options cannot be
overridden by options specified at runtime. This is done for security
reasons. In order to avoid conflict, determine which options cause the
conflict, and move them from the main file into a separate options file
that is loaded when the appropriate application of pppd is run.
