7. Integrating the VPN into your system

Bringing up the link by hand gets tiring after a while. You probably want your VPN to come up either at boot time or when your dial-up connection comes up.

7.1. Connecting at Boot Time

It's quite easy to get this script to run at boot time. I assume you're using the very common System V initscript setup. If not, you'll have to figure out how to integrate this with your system on your own.

  1. Either copy or symlink the vpn-pppssh script to /etc/init.d.

    cp /usr/local/bin/vpn-pppssh /etc/init.d/vpn-pppssh
  2. Uncomment the echo lines in the start and stop clauses in the vpn-pppssh script to enable the boot-time "Starting" and "done." messages.

  3. Put "> /dev/null 2>&1" after the line beginning "${PPPD}" in the start section of the script. This just prevents pppd's verbose messages from mucking up your boot screen. You could also redirect pppd's messages (which may include a very informative error) to a log file or, if you're not aesthetically inclined, leave it alone and let your screen get all mucked up.

  4. Now, you simply link your script into each of the six runlevels.

    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc0.d/K10vpn-pppssh
    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc1.d/K10vpn-pppssh
    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc2.d/S99vpn-pppssh
    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc3.d/S99vpn-pppssh
    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc4.d/S99vpn-pppssh
    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc5.d/S99vpn-pppssh
    client$ ln -s /etc/init.d/vpn-pppssh /etc/rc6.d/K10vpn-pppssh

Now, when you reboot your machine, the VPN should come up near the end of the boot process. When it hits this script, your machine will wait until the VPN is up before it continues booting. If this is an issue, you can write your own /etc/init.d/vpn-pppssh script that calls the /usr/local/bin/vpn-pppssh script in the background. The link will then come up as your machine finishes booting.

To manually bring the link down or up, just run the vpn-pppssh script directly from /etc/init.d:

client$ /etc/init.d/vpn-pppssh stop
client$ /etc/init.d/vpn-pppssh start

7.2. Connecting via Dial-Up

If you're dialing into the internet with PPP, you can bring the VPN up every time you bring up the dial-up connection. This is not difficult, but it does require a fairly recent version of pppd, one that supports both the ipparam option and the ip-up.d and ip-down.d directories.

  1. Create the "vpn-up" file in /etc/ppp/ip-up.d:

    #!/bin/sh
    
    # pppd sets PPP_IPPARAM to the value of its "ipparam" option.  The
    # vpn-pppssh script starts its pppd with "ipparam vpn", so this tells
    # us whether the link that just came up is the VPN's own ppp link.
    if [ "$PPP_IPPARAM" = "vpn" ]; then
            # Don't bring up the VPN if we're bringing up the VPN.
            exit 0
    fi
    
    /usr/local/bin/vpn-pppssh start

    There's a re-entrancy problem here that the if statement takes care of. If we're bringing up the regular PPP link, we want to bring up the VPN. But the VPN is a PPP link itself! If we didn't do anything about this, pppd would recursively spawn itself until it ground your machine to a halt.

    The secret is the "ipparam vpn" parameter in the vpn-pppssh script. It makes pppd set the PPP_IPPARAM variable seen by the ip-up.d scripts to "vpn" for this invocation, which we then check in the startup script. If it's set to vpn, then we know we're in the middle of bringing up the VPN, so we just exit without error. Otherwise, we fire it up.

  2. If you want to punch a hole in your firewall for your VPN when you bring it up, you can simply create an /etc/ppp/ip-up.d/vpn-fw file with the following contents. All the shell variables below are supplied by pppd, so you should be able to use this script unmodified.

    #!/bin/sh
    
    # Punch a hole in the firewall for the VPN.  This only runs when the
    # link coming up is the VPN's own ppp link (ipparam vpn); the interface
    # and addresses are supplied by pppd.
    
    if [ "$PPP_IPPARAM" = "vpn" ]; then
            ipchains -I input 1 -i "$PPP_IFACE" -s "$PPP_REMOTE" -d "$PPP_LOCAL" -j ACCEPT
            ipchains -I output 1 -i "$PPP_IFACE" -s "$PPP_LOCAL" -d "$PPP_REMOTE" -j ACCEPT
    fi

  3. Create the "vpn-down" file in /etc/ppp/ip-down.d:

    #!/bin/sh
    
    if [ "$PPP_IPPARAM" = "vpn" ]; then
            # Don't bring down the VPN if we're bringing down the VPN.
            exit 0
    fi
    
    /usr/local/bin/vpn-pppssh stop

Make sure to make all the scripts above executable (chmod a+x /etc/ppp/ip-up.d/vpn-up /etc/ppp/ip-up.d/vpn-fw /etc/ppp/ip-down.d/vpn-down). Now, when you bring up your PPP link, the VPN should come up with it. And, when you shut it down, the VPN will disappear. Easy as pie.
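The three hook scripts above can be folded into one file that is installed under both ip-up.d and ip-down.d. The following is an added example, not part of the HOWTO: it keeps the PPP_IPPARAM re-entrancy guard, applies the firewall hole only for the VPN's own link, and refuses to build an ipchains rule from a missing or malformed pppd variable. The is_ipv4 helper, the FW_CMD override and reading the up/down event from the directory in $0 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): one hook for /etc/ppp/ip-up.d and
# /etc/ppp/ip-down.d that merges the re-entrancy guard with the firewall hole.

# Decide what this pppd event means for the VPN. Args: <up|down> <PPP_IPPARAM>
#   "firewall": the VPN's own ppp link came up -> punch the hole, do not recurse
#   "skip":     the VPN's own ppp link went down -> nothing to do
#   "start"/"stop": a regular ppp link changed  -> follow it with the VPN
vpn_hook_action() {
    if [ "$2" = "vpn" ]; then
        [ "$1" = "up" ] && echo firewall || echo skip
    else
        [ "$1" = "up" ] && echo start || echo stop
    fi
}

# Strict dotted-quad check (assumed helper) so an empty or odd value supplied
# by a misconfigured pppd never reaches the ipchains command line.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Apply the two HOWTO ipchains rules for <iface> <local> <remote>, or do
# nothing and fail if any value is missing or malformed.  FW_CMD (assumed)
# defaults to ipchains; set it to "echo ipchains" to dry-run.
vpn_fw_rules() {
    case "$1" in ppp[0-9]*) ;; *) return 1 ;; esac
    is_ipv4 "$2" && is_ipv4 "$3" || return 1
    ${FW_CMD:-ipchains} -I input 1 -i "$1" -s "$3" -d "$2" -j ACCEPT
    ${FW_CMD:-ipchains} -I output 1 -i "$1" -s "$2" -d "$3" -j ACCEPT
}

# Entry point: pppd exports PPP_IFACE when it runs us; when it is absent
# (e.g. the file is being sourced) do nothing.  Up vs. down is taken from the
# directory the script was run from.
if [ -n "${PPP_IFACE:-}" ]; then
    case "$0" in */ip-down.d/*) ev=down ;; *) ev=up ;; esac
    case "$(vpn_hook_action "$ev" "${PPP_IPPARAM:-}")" in
        firewall) vpn_fw_rules "$PPP_IFACE" "$PPP_LOCAL" "$PPP_REMOTE" ;;
        start)    /usr/local/bin/vpn-pppssh start ;;
        stop)     /usr/local/bin/vpn-pppssh stop ;;
    esac
fi
```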