With the working RADIUS authentication server set up in the last post, it’s time to install and set up the PPPoE server for the users to connect to. As well as the pppoe package we will need the libradcli4 package, as this provides the RADIUS client library.
$ sudo apt-get install pppoe libradcli4
First we need to stop the dhcpcd daemon from trying to allocate an IP address for the interface we are going to use for PPPoE. As I’m running this on a Raspberry Pi 4 I’ll be using the eth0 port and then using wlan0 for the back haul. To get dhcpcd to ignore eth0 we add the following to /etc/dhcpcd.conf:
denyinterfaces eth0
With that out of the way we can start setting things up for the pppoe-server. We will start by editing the /etc/ppp/options file. We need to add the plugins to link it to the RADIUS server and tweak a couple of settings.
mtu 1492
proxyarp
...
plugin radius.so
plugin radattr.so
radius-config-file /etc/radcli/radiusclient.conf
Next up, create /etc/ppp/pppoe-server-options and make sure it outputs logs:
# PPP options for the PPPoE server
# LIC: GPL
require-pap
login
lcp-echo-interval 10
lcp-echo-failure 2
debug
logfile /var/log/pppoe/pppoe-server.log
And finally, in /etc/ppp/pap-secrets we need to add the following:
# INBOUND connections
# Every regular user can use PPP and has to use passwords from /etc/passwd
#* hostname "" *
* * "" *
That’s it for the PPP options; we just need to finish setting up radcli. Here we need to add the password for the RADIUS server in the /etc/radcli/servers file:
localhost/localhost testing123
And then we can update /etc/radcli/radiusclient.conf to point to the RADIUS server on localhost:
authserver localhost
acctserver localhost
The current version of PPP available with Raspbian Buster has been built against an older version of the RADIUS client library, so to get things to work we also have to add the following 2 lines to the same file and run touch /etc/ppp/radius-port-id-map:
seqfile /var/run/radius.seq
mapfile /etc/ppp/radius-port-id-map
And we need to edit the /etc/radcli/dictionary file to comment out all the lines that include ipv6addr and also change all instances of ipv4addr to ipaddr. There is a patch which fixes some of this but requires a rebuild of all of PPP. I’m going to give that a go later to get IPv6 working properly.
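The dictionary edit described above can be scripted so that it is repeatable and leaves a backup. This is an added example, not part of the original post; the function names and the .orig backup suffix are assumptions of the example.

```shell
#!/bin/sh
# Added example: applies the two /etc/radcli/dictionary edits described in
# the text. Function names and the ".orig" suffix are illustrative choices.

# fix_radcli_dictionary FILE
#   - comments out every active line that contains "ipv6addr"
#   - rewrites every "ipv4addr" to "ipaddr"
# Lines that are already comments are left alone, so a second run is a no-op.
fix_radcli_dictionary() {
    dict=$1
    [ -f "$dict" ] || { echo "no such file: $dict" >&2; return 1; }
    # Only the first run creates the backup, so the pristine copy survives.
    [ -e "$dict.orig" ] || cp -p "$dict" "$dict.orig" || return 1
    tmp=$(mktemp "$dict.XXXXXX") || return 1
    sed -e '/^[[:space:]]*#/!{/ipv6addr/s/^/#/;}' \
        -e 's/ipv4addr/ipaddr/g' "$dict" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file to keep its owner and mode.
    cat "$tmp" > "$dict" && rm -f "$tmp"
}

# count_unsupported_types FILE
#   Prints how many active (non-comment) lines still use ipv6addr or
#   ipv4addr. 0 means the older library should accept the file.
count_unsupported_types() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -E 'ipv6addr|ipv4addr' || true
}

# Stand-alone use (as root): sh fix-dictionary.sh /etc/radcli/dictionary
if [ "$#" -gt 0 ]; then
    fix_radcli_dictionary "$1" && count_unsupported_types "$1"
fi
```

If the edit ever needs to be undone, for example after rebuilding PPP with the patch, copy the .orig file back over the dictionary.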
We should now be able to start the pppoe-server.
# pppoe-server -I eth0 -T 60 -N 127 -C PPPoE -S PPPoE -L 192.168.5.1 -R 192.168.5.128 -F
- -I sets the port to listen on
- -T sets the timeout for a connection
- -N sets the maximum number of connections
- -C sets the “name” of the server instance
- -S sets the “name” of the PPP Service
- -L sets the IP address for the server
- -R sets the first address of the range for the remote device
- -F tells pppoe-server to run in the foreground (only used for testing)
If we make sure the server is set to masquerade and forward IP packets then any client that connects should now be able to reach the internet via the server.
In the next post I’ll cover how to customise connections for different users by adding data to their LDAP entry. And also how to do traffic shaping to ensure equal use of the available bandwidth along with basic accounting so we know what to bill each user.