accel-ppp PPPoE Server

Introduction

PPPoE is a protocol used primarily by DSL and fiber-to-the-home ISPs, where each customer is authenticated with a username and password. It is common in countries where an incumbent ISP must share its access network with other ISPs: the realm part of the username (for example user@isp.example) tells the wholesale network which ISP should terminate the customer's session.

accel-ppp is a high-performance PPP server for Linux that implements PPPoE as well as PPTP, L2TP and other access protocols, using the kernel's PPP and PPPoE modules for the data path.

Prerequisites

  • A server with two network interfaces
  • A client router or machine speaking PPPoE

Installing accel-ppp

As accel-ppp is not in the default Rocky or EPEL repositories, we first install the packages required to build it:

dnf install -y rpm-build make cmake gcc git openssl-devel pcre-devel kernel-modules-extra

Subsequently, clone the accel-ppp source code to a folder:

git clone https://github.com/accel-ppp/accel-ppp.git /opt/accel-ppp
mkdir /opt/accel-ppp/build
cd /opt/accel-ppp/build/

Next, we build accel-ppp (note: if you are running Rocky Linux 8.x, substitute Centos8 for Centos9):

cmake -DCMAKE_INSTALL_PREFIX=/usr -DCPACK_TYPE=Centos9 ..
make

Finally, we package the build as an RPM and install it:

cpack -G RPM
rpm -ivh accel-ppp.rpm

Setting up accel-ppp

First, we need to enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Then, add the following to /etc/accel-ppp.conf:

[modules]
log_file
pppoe
auth_mschap_v2
auth_mschap_v1
auth_chap_md5
auth_pap
chap-secrets
ippool

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
ipv4=require

[pppoe]
interface=YOUR_INTERFACE

[dns]
dns1=YOUR_DNS1
dns2=YOUR_DNS2

[ip-pool]
gw-ip-address=YOUR_GW
YOUR_IP_RANGE

[chap-secrets]
gw-ip-address=YOUR_GW
chap-secrets=/etc/chap-secrets

Replace the following placeholders:

  • YOUR_INTERFACE with the interface on which the server listens for PPPoE clients.
  • YOUR_DNS1 and YOUR_DNS2 with the DNS servers to hand out to clients.
  • YOUR_GW with the server's IP address as seen by PPPoE clients. This must be different from the server's WAN-facing IP address and from its default gateway.
  • YOUR_IP_RANGE with the IP range to hand out to clients. This can be a range such as X.X.X.Y-Z or a CIDR block such as X.X.X.X/MASK.

Next, add a barebones /etc/chap-secrets file (fields are client, server, secret and allowed IP addresses; `*` is a wildcard):

user    *   password    *

You can add more users with additional lines, replacing user and password with the desired username and password. The passwords are stored in plaintext because CHAP and MS-CHAP need the original secret to verify a response, so keep the file readable by root only (chmod 600 /etc/chap-secrets).
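The configuration above with concrete values filled in, together with two small helpers for maintaining the secrets file, as an added example that is not code from the original post or from the accel-ppp project. The interface name, gateway, pool, and DNS servers are placeholders chosen for the example. It goes slightly beyond the post's module list by leaving out auth_pap and auth_mschap_v1 (PAP sends the password in the clear over the link and MS-CHAPv1 is cryptographically weak), and it creates the secrets file with mode 0600 since it holds plaintext passwords.

```shell
#!/bin/sh
# Added example; not from the original post or from accel-ppp itself.
# Renders a concrete /etc/accel-ppp.conf and manages a chap-secrets file.
# Interface, addresses and DNS servers are placeholders, not values from
# the post.  All functions take the destination path as an argument so the
# demo below can run in a scratch directory without touching /etc.

# write_accel_conf DEST IFACE GW RANGE DNS1 DNS2
# auth_pap and auth_mschap_v1 are deliberately omitted (weak methods).
write_accel_conf() {
    dest=$1 iface=$2 gw=$3 range=$4 dns1=$5 dns2=$6
    umask 077
    cat > "$dest" <<EOF
[modules]
log_file
pppoe
auth_mschap_v2
auth_chap_md5
chap-secrets
ippool

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
ipv4=require

[pppoe]
interface=$iface

[dns]
dns1=$dns1
dns2=$dns2

[ip-pool]
gw-ip-address=$gw
$range

[chap-secrets]
gw-ip-address=$gw
chap-secrets=/etc/chap-secrets
EOF
}

# list_chap_users SECRETS: print usernames, skipping comments and blank lines.
list_chap_users() {
    [ -r "$1" ] || return 0
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1 }' "$1"
}

# add_chap_user SECRETS USER PASSWORD
# Appends "user * password *".  Fails (status 1) on an empty or
# whitespace-containing username/password, since the file is
# whitespace-separated, and on a duplicate username.
add_chap_user() {
    file=$1 user=$2 pass=$3
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    case "$user$pass" in *[[:space:]]*) return 1 ;; esac
    umask 077
    [ -e "$file" ] || : > "$file"
    chmod 600 "$file"                      # plaintext secrets: root only
    if list_chap_users "$file" | grep -qxF -- "$user"; then
        return 1
    fi
    printf '%s\t*\t%s\t*\n' "$user" "$pass" >> "$file"
}

# Stand-alone demo in a temporary directory (placeholder values).
demo_dir=$(mktemp -d)
write_accel_conf "$demo_dir/accel-ppp.conf" eth1 10.0.0.1 10.0.0.2-254 9.9.9.9 1.1.1.1
add_chap_user "$demo_dir/chap-secrets" alice s3cret
add_chap_user "$demo_dir/chap-secrets" alice other || echo "duplicate user rejected"
add_chap_user "$demo_dir/chap-secrets" "bad user" x || echo "whitespace rejected"
echo "users:"; list_chap_users "$demo_dir/chap-secrets"
rm -rf "$demo_dir"
```

To use it on a real server, point write_accel_conf at /etc/accel-ppp.conf and add_chap_user at /etc/chap-secrets, then restart accel-ppp so it re-reads the configuration.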

Configuring a PPPoE client

Once the PPPoE server is set up, we can start adding PPPoE clients. The author's go-to PPPoE test client is MikroTik CHR, so we will use that.

With MikroTik CHR installed on a system connected to the same Ethernet segment as the PPPoE server's listening interface, configure the PPPoE client:

[admin@MikroTik] > /interface pppoe-client
[admin@MikroTik] /interface/pppoe-client> add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=password user=user

If everything is working, the client should receive an IPv4 address from the pool:

[admin@MikroTik] > /ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS      NETWORK   INTERFACE 
0 D 10.0.0.1/32  10.0.0.0  pppoe-out1

Conclusion

PPPoE often gets a bad rap, and it is easy to see why: usernames and passwords have to be provisioned by hand. Despite that, it provides per-subscriber authentication on a shared Layer 2 broadcast domain in ISP scenarios where requiring 802.1X or MACsec would be impractical, for instance to allow customer-owned routers or static IP addresses. That protection is only as strong as the authentication method negotiated: PAP sends the password in the clear and MS-CHAPv1 is weak, so prefer MS-CHAPv2 where clients support it. And now you are your own mini-ISP, congratulations!

Author: Neel Chauhan