
PPPTCP			Thu Aug 14 09:33:37 PDT 1997

Author: Sam Lantinga	<slouken@devolution.com>


This program allows you to set up IP tunnels over an arbitrary TCP connection.
It requires PPP enabled in your kernel and pppd installed as /usr/sbin/pppd.

You can run with or without random-key DES encryption.

Usage:
	ppptcp [-keyring <ringfile>] [hostname] <port> [-- <pppd options>]

Generally, one host will set up as a server, and other hosts will connect
as clients.  If the hostname is omitted, ppptcp will run in server mode
on the specified port.  If the hostname is specified, then ppptcp will
initiate a connection to the specified host and port.

The -keyring option allows you to set up IP hostname based wildcard rules
that deny access or set ppp options for certain hosts.  If you compile
ppptcp with encryption, you can also use the "./auth.crypt/genkeys" program
to generate RSA public/private keys for authentication and encryption.
The file "README.keyring" has more detailed information on how to set up
the keyring file.  I highly recommend using it as it is the only way of 
authenticating connections to a ppptcp server.

You can set default options for pppd on the command line, just put them
after the port, separating them from the rest of the command line with "--".
These options are overridden by options specified in the keyring file.

A common scenario might look like this:

Network A                                               Network B
       IP=A.15   IP=A.16                 IP=A.17   IP=B.123
           Host A <PPP>-------------------<PPP> Host B

The host A on network A has an IP address A.15, and wants to allow
any machine on network B to appear on network A.  Host A needs to
reserve two IP addresses on network A, one for its end of the PPP
connection, and one for the host on network B.  In this case, host A
reserves A.16 for itself, and A.17 for the machine on network B.

Suppose network A is 243.126.23.0 and network B is 250.101.150.0

A sample keyring file for the client, host B, might be:
---
# Alter this pattern to match your host/port combinations
243.126.23.15:4545 defaultroute
# RSA public key
AAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAC9vsjfJMl7Cev1H32rWXQvgg/2Q7vD1ebw03EV
KapFndr2llu73zEOB9dOHakkNg6P7UuMPPfK65QxWwiHCuXXAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAABAAE=
# RSA private key (only used by client)
AAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAC9vsjfJMl7Cev1H32rWXQvgg/2Q7vD1ebw03EV
KapFndr2llu73zEOB9dOHakkNg6P7UuMPPfK65QxWwiHCuXXAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAABAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO5NIfI+PVzthQ6B0
k7VNfpEms9rGfJGPpjOtQMjJNnvzwQR9Q567EFIloXBVDRICP78o7ReYMDqnOaXM
yXFKWQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8eRmhFNKmUcRgghk
4dw7Qgtwnnww9sEhoc8qZm0UHg0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAMjPzFvt8uZxBESIJSizxLasjfxSVsJM0sY597jqU35zAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAsxz9DF7gjj8hp7eve88n0e/GpJQxbYX08WwFa
XK7wsQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtbBNll+Uhit7UQZd
mJYORbmaPdHB7crUacXI/OYG5UEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAMbYOIdCk+H/aH/RfduiN5VPcUqLd1HfPDiq2GebML51
###
---

A sample keyring for the server, host A, might be:
---
250.101.150.*:4545 silent 243.126.23.16:243.126.23.17 proxyarp
# RSA public key
AAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAC9vsjfJMl7Cev1H32rWXQvgg/2Q7vD1ebw03EV
KapFndr2llu73zEOB9dOHakkNg6P7UuMPPfK65QxWwiHCuXXAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAABAAE=
# RSA private key (empty since host A doesn't initiate a connection)

###
# This useful line denies connections from all other clients.
*:* DENY
---

In this scenario, the pppd options are set so Host A will set the
IP addresses for both sides of the connection, advertise itself
as a route to host B's address on network A, and Host B will set
its default route through this encrypted PPP interface.  Note that
Host B will need to have a distinct route to Host A already, otherwise
it will try to route tunnel packets back through the tunnel.

Host A will only allow connections from hosts on network B, and will
only allow encrypted sessions, which must use the given public key. 
Keyring files for unencrypted connections would look much the same, 
but the keys would be blank lines.
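The access-control behaviour described above (a host:port wildcard rule
carrying pppd options, an optional RSA public key that makes the session
encrypted-only, and a trailing "*:* DENY" catch-all) can be checked offline
with a small parser and first-match authorizer.  The code below is an added
example, not part of ppptcp or its keyring loader.  It assumes the entry layout
shown in the two samples (rule line, "# RSA public key" block, "# RSA private
key" block, "###" terminator), first-match rule ordering, which is what the
trailing DENY line implies, and placeholder base64 strings in place of real
keys.  README.keyring is not on this page, so any detail beyond the samples is
an assumption.

```python
"""Illustrative parser and first-match authorizer for ppptcp-style keyrings.

Added example, not ppptcp's own code.  Layout assumed from the README samples:
  host:port [pppd options]
  # RSA public key     <- base64 lines follow
  # RSA private key    <- base64 lines follow (may be empty)
  ###                  <- closes the entry
First-match ordering is assumed (the trailing "*:* DENY" rule relies on it).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed ring mirroring the server sample.  Key lines are placeholders.
SERVER_RING = """\
250.101.150.*:4545 silent 243.126.23.16:243.126.23.17 proxyarp
# RSA public key
AAACAAAAEXAMPLEPUBLICKEYLINE1
AAAAEXAMPLEPUBLICKEYLINE2BAAE=
# RSA private key (empty since host A doesn't initiate a connection)

###
# This useful line denies connections from all other clients.
*:* DENY
"""

# Constructed ring mirroring the client sample, same placeholder convention.
CLIENT_RING = """\
# Alter this pattern to match your host/port combinations
243.126.23.15:4545 defaultroute
# RSA public key
AAACAAAAEXAMPLEPUBLICKEYLINE1
# RSA private key (only used by client)
AAACAAAAEXAMPLEPRIVATEKEYLINE1
###
"""


@dataclass
class Rule:
    host_pattern: str
    port_pattern: str
    options: List[str] = field(default_factory=list)
    public_key: str = ""    # base64 lines joined; "" means unencrypted entry
    private_key: str = ""


def parse_keyring(text: str) -> List[Rule]:
    """A line whose first token contains ':' starts a rule (base64 never
    contains ':', so key lines cannot be mistaken for one); '###' ends it."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    section: Optional[str] = None    # "public"/"private" inside a key block

    def close() -> None:
        nonlocal current, section
        if current is not None:
            rules.append(current)
        current, section = None, None

    for raw in text.splitlines():
        line = raw.strip()
        if line == "###":
            close()
        elif line.startswith("#"):
            lowered = line.lower()
            if "public key" in lowered:
                section = "public"
            elif "private key" in lowered:
                section = "private"
            # any other comment is ignored
        elif not line:
            continue
        elif ":" in line.split()[0]:
            close()                        # an unterminated entry is still kept
            target, *options = line.split()
            host, port = target.rsplit(":", 1)
            current = Rule(host, port, options)
        elif current is not None and section == "public":
            current.public_key += line
        elif current is not None and section == "private":
            current.private_key += line
        else:
            raise ValueError(f"key data outside a key block: {raw!r}")
    close()
    return rules


def authorize(rules: List[Rule], host: str, port: int) -> Tuple[bool, List[str], bool]:
    """First matching rule decides.  Returns (allowed, pppd options, key required).
    The README does not state ppptcp's default when nothing matches, so this
    example treats an unmatched client as not allowed (defensive assumption)."""
    for rule in rules:
        host_ok = fnmatchcase(host, rule.host_pattern)
        port_ok = rule.port_pattern == "*" or rule.port_pattern == str(port)
        if host_ok and port_ok:
            if "DENY" in rule.options:
                return False, [], False
            return True, rule.options, bool(rule.public_key)
    return False, [], False


if __name__ == "__main__":
    server_rules = parse_keyring(SERVER_RING)
    print(authorize(server_rules, "250.101.150.7", 4545))   # network B host, key required
    print(authorize(server_rules, "243.126.23.15", 4545))   # falls through to *:* DENY
```

The third element of the authorize() result is what makes the server sample
"encrypted only": the rule carries a public key, so a client that cannot
prove possession of the matching private key should be refused.  Leaving
the key lines blank, as the README says for unencrypted setups, turns that
flag off for that rule.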

If the keyrings are installed as /etc/ppptcp.ring on both machines,
Host A would run:
	ppptcp -keyring /etc/ppptcp.ring 4545
Host B would run:
	ppptcp -keyring /etc/ppptcp.ring 243.126.23.15 4545

The encrypted IP tunnel would then be set up. :-)

