Accel-ppp installation

In this article, I’ll give an example of how to build and install accel-ppp on Ubuntu Server.

The accel-ppp requirements are:
A modern Linux distribution
Kernel 2.6.25 or later
cmake 2.6 or later
libcrypto-0.9.8+ (openssl-0.9.8)
libpcre
net-snmp-5.x (for snmp)
liblua5.1 (for IPoE DHCP option 82)

Let’s check the versions of the installed components:

sudo lsb_release -a
sudo uname -r
sudo openssl version
sudo apt show libpcre3-dev libssl-dev snmp liblua5.1

We will update the system and install the necessary components:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install linux-headers-`uname -r` build-essential cmake libnl-3-dev libnl-utils libssl-dev libpcre3-dev libnet-snmp-perl libtritonus-bin lua5.1 liblua5.1-0-dev snmp

Download the latest accel-ppp source code:

sudo apt-get install git
cd /opt/
sudo git clone git://git.code.sf.net/p/accel-ppp/code accel-ppp-code

Or from here (whichever is more up to date):

sudo git clone https://github.com/xebd/accel-ppp.git

An example of adding a patch:

cd /opt/accel-ppp-code/
wget https://ixnfo.com/example_patch.diff
patch -p1 < example_patch.diff

Here is an example of how to build and install accel-ppp (BUILD_VLAN_MON_DRIVER does not need to be enabled if the server does not use VLANs):

sudo mkdir /opt/accel-ppp-code/build
cd /opt/accel-ppp-code/build
sudo cmake -DCMAKE_INSTALL_PREFIX=/usr -DKDIR=/usr/src/linux-headers-`uname -r` -DRADIUS=TRUE -DSHAPER=TRUE -DLOG_PGSQL=FALSE -DNETSNMP=FALSE -DLUA=TRUE -DBUILD_IPOE_DRIVER=TRUE -DBUILD_VLAN_MON_DRIVER=TRUE -DCPACK_TYPE=Ubuntu18 -DCMAKE_BUILD_TYPE=Release /opt/accel-ppp-code
sudo make
sudo make install

I would like to note that new versions of accel-ppp depend on newer library versions than those shipped with, for example, Ubuntu 16, which can cause problems, so I recommend installing accel-ppp on recent operating systems.
For example, on Ubuntu 16, a new accel-ppp fails to install with this error:

dpkg: package dependencies do not allow to configure the accel-ppp package:
accel-ppp depends on libc6 (>= 2.24), however:
The libc6 version: amd64 in the system is 2.23-0ubuntu11.
accel-ppp depends on libssl1.0.0 (>= 1.0.2t), however:
The libssl1.0.0 version: amd64 in the system is 1.0.2g-1ubuntu4.15.

If Lua is not version 5.1, specify the version instead of “TRUE”, for example:

-DLUA=5.3

You can add optimization (you can read about optimization here https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html):

-DCMAKE_C_FLAGS="-g -O2"

After running the install command with the /usr/local/ prefix, I got the following output:

Install the project...
-- Install configuration: "Debug"
-- Installing: /lib/modules/4.4.0-116-generic/extra/ipoe.ko
-- Installing: /lib/modules/4.4.0-116-generic/extra/vlan_mon.ko
-- Installing: /etc/accel-ppp.conf.dist
-- Installing: /etc/init.d/accel-ppp
-- Installing: /etc/default/accel-ppp
-- Installing: /usr/lib/systemd/system/accel-ppp.service
-- Installing: /var/log/accel-ppp
-- Installing: /usr/local/sbin/accel-pppd
-- Set runtime path of "/usr/local/sbin/accel-pppd" to "/usr/local/lib64/accel-ppp"
-- Installing: /usr/local/share/man/man5/accel-ppp.conf.5
-- Installing: /usr/local/lib64/accel-ppp/libluasupp.so
-- Installing: /usr/local/lib64/accel-ppp/libradius.so
-- Set runtime path of "/usr/local/lib64/accel-ppp/libradius.so" to "/usr/local/lib64/accel-ppp"
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.alcatel
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc4818
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc2868
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.dhcp
-- Installing: /usr/local/share/accel-ppp/radius/dictionary
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc3580
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc2867
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc2865
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc2866
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc4675
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc4679
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc3576
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.cisco
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc4072
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc5176
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc2869
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc4849
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc3162
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.rfc4372
-- Installing: /usr/local/share/accel-ppp/radius/dictionary.microsoft
-- Installing: /usr/local/lib64/accel-ppp/libtriton.so
-- Installing: /usr/local/lib64/accel-ppp/libvlan-mon.so
-- Installing: /usr/local/lib64/accel-ppp/libpptp.so
-- Installing: /usr/local/lib64/accel-ppp/libpppoe.so
-- Set runtime path of "/usr/local/lib64/accel-ppp/libpppoe.so" to "/usr/local/lib64/accel-ppp"
-- Installing: /usr/local/lib64/accel-ppp/libl2tp.so
-- Installing: /usr/local/share/accel-ppp/l2tp/dictionary.rfc2661
-- Installing: /usr/local/share/accel-ppp/l2tp/dictionary
-- Installing: /usr/local/share/accel-ppp/l2tp/dictionary.rfc3931
-- Installing: /usr/local/lib64/accel-ppp/libsstp.so
-- Installing: /usr/local/lib64/accel-ppp/libipoe.so
-- Set runtime path of "/usr/local/lib64/accel-ppp/libipoe.so" to "/usr/local/lib64/accel-ppp"
-- Installing: /usr/local/lib64/accel-ppp/libauth_pap.so
-- Installing: /usr/local/lib64/accel-ppp/libauth_chap_md5.so
-- Installing: /usr/local/lib64/accel-ppp/libauth_mschap_v1.so
-- Installing: /usr/local/lib64/accel-ppp/libauth_mschap_v2.so
-- Installing: /usr/local/lib64/accel-ppp/liblog_file.so
-- Installing: /usr/local/lib64/accel-ppp/liblog_tcp.so
-- Installing: /usr/local/lib64/accel-ppp/liblog_syslog.so
-- Installing: /usr/local/lib64/accel-ppp/libpppd_compat.so
-- Set runtime path of "/usr/local/lib64/accel-ppp/libpppd_compat.so" to "/usr/local/lib64/accel-ppp"
-- Installing: /usr/local/lib64/accel-ppp/libippool.so
-- Installing: /usr/local/lib64/accel-ppp/libipv6pool.so
-- Installing: /usr/local/lib64/accel-ppp/libsigchld.so
-- Installing: /usr/local/lib64/accel-ppp/libchap-secrets.so
-- Installing: /usr/local/lib64/accel-ppp/liblogwtmp.so
-- Installing: /usr/local/lib64/accel-ppp/libconnlimit.so
-- Installing: /usr/local/lib64/accel-ppp/libipv6_dhcp.so
-- Installing: /usr/local/lib64/accel-ppp/libipv6_nd.so
-- Installing: /usr/local/lib64/accel-ppp/libshaper.so
-- Installing: /usr/local/bin/accel-cmd
-- Installing: /usr/local/share/man/man1/accel-cmd.1

If necessary, load the modules:

lsmod | grep ipoe
sudo modprobe ipoe
sudo cp ./drivers/ipoe/driver/ipoe.ko /lib/modules/`uname -r`/kernel/net
sudo depmod -a
sudo cp ./drivers/vlan_mon/driver/vlan_mon.ko /lib/modules/`uname -r`/kernel/net
sudo depmod -a
sudo modprobe ipoe
sudo modprobe vlan_mon
lsmod | grep ipoe
lsmod | grep vlan_mon

To have the ipoe and vlan_mon modules loaded at system startup, open the /etc/modules file in a text editor:

sudo nano /etc/modules

And add:

ipoe
vlan_mon

Copy the example accel-ppp configuration file and edit it to suit your needs:

sudo cp /etc/accel-ppp.conf.dist /etc/accel-ppp.conf
sudo nano /etc/accel-ppp.conf
sudo nano /etc/accel-ppp.lua
sudo nano /usr/share/accel-ppp/radius/dictionary

Configuration help:

man accel-ppp.conf

Networks such as the switch management network, which accel-ppp should skip when start=up is used, are specified in the “ipoe” section like this:

local-net=10.0.0.0/24

Networks for users are specified like this (for example, the gateway and mask are taken from here, the IP from billing):

gw-ip-address=172.16.0.1/19

If you want to apply req-limit only to auth and remove the limit for acct so that no large queue builds up, you can specify the RADIUS server twice (acct-port=0 makes an entry authentication-only, auth-port=0 makes it accounting-only):

server=127.0.0.1,pass,acct-port=0,req-limit=50,fail-timeout=0,max-fail=0,acct-timeout=0,weight=1
server=127.0.0.1,pass,auth-port=0,req-limit=0,fail-timeout=0,max-fail=0,acct-timeout=0,weight=1

DHCP lease time (renew-time=lease_time/2):

lease-time=600
max-lease-time=660
renew-time=300

Example for L3 scheme:

interface=eth1,mode=L3,start=dhcpv4,shared=1,ifcfg=1,proxy-arp=1

When I use the L3 scheme, I add routes to the gateway IPs (VLAN interfaces) on the switch and specify them in /etc/network/interfaces so that they persist after a system restart (where 10.0.0.2 is the L3 switch and 10.0.0.1 is the server with accel-ppp):

post-up /bin/ip route add 172.16.0.1 via 10.0.0.2
post-up /bin/ip route add 172.18.0.1 via 10.0.0.2

I note that if you use the L2 and L3 scheme with MAC authorization at the same time, and the client from the L3 network turns on his device in the L2 network, then the L3 network will stop working, since accel-ppp will raise the IP address of the gateway for the client.

An example of specifying VLAN interfaces 200 to 1299 with PCRE regular expressions. The VLAN interfaces must be created in the system in advance. You do not have to create every interface covered by the accel-ppp configuration, but when interfaces are added to the system later you will need to execute accel-cmd reload. If necessary, the regular expressions can be checked on dedicated sites, for example regex101.com:

interface=re:^vlan[2-9][0-9][0-9]$,mode=L2,start=dhcpv4,shared=1,ifcfg=1,ip-unnumbered=1,proxy-arp=1
interface=re:^vlan1[0-2][0-9][0-9]$,mode=L2,start=dhcpv4,shared=1,ifcfg=1,ip-unnumbered=1,proxy-arp=1

You can exclude a VLAN from a regular expression, such as VLAN 501 (thanks to Dimka88 for the example):

interface=re:(?!(^vlan501$))(^vlan[2-9][0-9][0-9]+$),mode=L2,start=dhcpv4,shared=1,ifcfg=1,ip-unnumbered=1,proxy-arp=1
interface=vlan501,mode=L3,start=dhcpv4,shared=1,ifcfg=1,proxy-arp=1
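
An offline check of which interface names these expressions actually select, added here as an example (it is not code from the original article). It uses Python's re module, which handles these particular patterns the same way as PCRE; STRICT_EXCLUDE is a hypothetical tightened variant. The result shows that the trailing "+" in the exclusion pattern also selects vlan2000 and above.

```python
import re

# interface=re: patterns copied from the configuration lines above
RANGE_PATTERNS = [r"^vlan[2-9][0-9][0-9]$", r"^vlan1[0-2][0-9][0-9]$"]
EXCLUDE_PATTERN = r"(?!(^vlan501$))(^vlan[2-9][0-9][0-9]+$)"
# Hypothetical tightened variant (not from the article): no trailing "+"
STRICT_EXCLUDE = r"^(?!vlan501$)vlan[2-9][0-9][0-9]$"


def matched_vlans(patterns, max_id=4094):
    """Sorted VLAN IDs (1..max_id) whose name 'vlan<ID>' matches any pattern."""
    compiled = [re.compile(p) for p in patterns]
    return [vid for vid in range(1, max_id + 1)
            if any(c.search(f"vlan{vid}") for c in compiled)]


def unexpected(patterns, wanted):
    """Return (IDs matched but not wanted, IDs wanted but not matched)."""
    got, wanted = set(matched_vlans(patterns)), set(wanted)
    return sorted(got - wanted), sorted(wanted - got)


if __name__ == "__main__":
    extra, missing = unexpected(RANGE_PATTERNS, range(200, 1300))
    print("200-1299 patterns: extra", extra, "missing", missing)

    wanted = [v for v in range(200, 1000) if v != 501]
    extra, missing = unexpected([EXCLUDE_PATTERN], wanted)
    print("exclusion pattern:", len(extra), "unintended IDs, first", extra[:3],
          "missing", missing)
    print("strict variant:", unexpected([STRICT_EXCLUDE], wanted))
```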

proxy-arp=0 – disabled (default)
proxy-arp=1 – responds to arp requests if the requested IP does not belong to another session on the same interface (if shared=1)
proxy-arp=2 – responds to arp requests, if the requested IP belongs to a session on the same interface, it responds with the address of this session, otherwise the server address.
proxy-arp=3 – always responds to arp requests with the address of its interface (server), i.e. all traffic will go through accel-ppp.

accel-ppp can start a session on a DHCP request or on an unclassified packet; both can be specified at the same time:

start=up,start=dhcpv4

If Abills billing is used, then Acct-Interim-Interval, usually transmitted from the access server’s Alive field, is 600 seconds by default.

If sessions start only on DHCP, the soft session termination mode is very useful: it keeps the client from sitting without Internet access after Session-Timeout until the session comes up again:

soft-terminate=1

In the “core” section, set thread-count, for example, to the number of cores on one processor:

thread-count=8

If you need additional operations when starting and ending sessions, you can uncomment pppd_compat and write scripts:

sudo nano /etc/ppp/ip-up
sudo nano /etc/ppp/ip-down

Arguments passed to the scripts (they can be printed with echo):

$1 - Interface name
$4 - Tunnel GW IP address
$5 - Delegated IP address to the client
$6 - Calling Station ID

Start accel-ppp manually and stop it as follows:

sudo /usr/sbin/accel-pppd -d -p /var/run/accel-pppd.pid -c /etc/accel-ppp.conf
sudo netstat -tulpn | grep accel
sudo ps ax|grep accel
sudo killall accel-pppd

When accel-ppp is installed, startup scripts are created in /etc/init.d/accel-ppp and /usr/lib/systemd/system/accel-ppp.service. To enable autostart at system boot, run:

sudo chmod +x /etc/init.d/accel-ppp
sudo systemctl is-enabled accel-ppp.service
sudo systemctl enable accel-ppp.service

By the way, the unit file /usr/lib/systemd/system/accel-ppp.service contains “Restart=always”; if it is acceptable for accel-ppp to be stopped with its sessions terminated, specify “Restart=on-failure” instead and run the command “systemctl daemon-reload”.

After that, accel-ppp can be stopped or restarted as follows:

telnet 127.0.0.1 2000
shutdown hard
sudo /etc/init.d/accel-ppp stop
sudo /etc/init.d/accel-ppp start
sudo /etc/init.d/accel-ppp restart
sudo /etc/init.d/accel-ppp status

sudo systemctl stop accel-ppp.service
sudo systemctl start accel-ppp.service
sudo systemctl restart accel-ppp.service
sudo systemctl status accel-ppp.service

Let’s create a configuration for log rotation:

nano /etc/logrotate.d/accel-ppp

And add the content (after which, logs older than 3 days will be deleted automatically):

/var/log/accel-ppp/*.log {
    daily
    rotate 3
    missingok
    sharedscripts
    postrotate
        test -r /var/run/accel-pppd.pid && kill -HUP `cat /var/run/accel-pppd.pid`
    endscript
}

If the log files are very large, then you can manually run logrotate:

logrotate --force /etc/logrotate.d/accel-ppp

Or clear like this:

echo "" > /var/log/accel-ppp/emerg.log
echo "" > /var/log/accel-ppp/auth-fail.log
echo "" > /var/log/accel-ppp/accel-ppp.log

If accel-ppp also works as a DHCP server, you can check that it is listening on the DHCP port, as well as on the cli and dae ports:

sudo netstat -tulpn | grep :67
sudo netstat -tulpn | grep :2000
sudo netstat -tulpn | grep :2001
sudo netstat -tulpn | grep :3799
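
A small audit of that netstat output, added here as an example (it is not code from the original article): it reports cli and dae listeners bound to anything other than a loopback address. The sample output is constructed, and the port-to-role mapping follows the ports checked above.

```python
import ipaddress

# Ports from the netstat checks above: telnet CLI, TCP CLI and DAE
MGMT_PORTS = {2000: "cli telnet", 2001: "cli tcp", 3799: "dae"}

# Constructed sample of `netstat -tuln` output (not captured from a real host)
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 10.0.0.1:3799           0.0.0.0:*
tcp6       0      0 ::1:2000                :::*                    LISTEN
"""


def parse_listeners(netstat_text):
    """Yield (proto, ip, port) for each tcp/udp socket line in netstat output."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        host, _, port = fields[3].rpartition(":")
        try:
            yield fields[0], ipaddress.ip_address(host), int(port)
        except ValueError:
            continue  # address or port that cannot be parsed


def exposed_mgmt(netstat_text, ports=MGMT_PORTS):
    """Return management listeners bound to a non-loopback address."""
    return [(proto, str(ip), port, ports[port])
            for proto, ip, port in parse_listeners(netstat_text)
            if port in ports and not ip.is_loopback]


if __name__ == "__main__":
    for proto, ip, port, role in exposed_mgmt(SAMPLE):
        print(f"{role}: {proto} {ip}:{port} is reachable from the network")
```

A reported dae listener is expected when the RADIUS server is on another host; the report is there to confirm that each non-loopback bind is intentional and filtered.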

An example of capturing packets with tcpdump and dhcpdump to analyze problems:

sudo tcpdump port 67 or port 68 -e -n
sudo tcpdump ether host e0:cb:4e:c3:7c:44
sudo tcpdump -n -i vlan501 -e -vv

sudo dhcpdump -i ens2f1 -h 00:26:18:f9:00:80
sudo dhcpdump -i vlan207 -h 00:30:4f:6e:00:47

I will give several examples of viewing logs, including in real time:

tail -F /var/log/accel-ppp/accel-ppp.log
tail -f /var/log/accel-ppp/accel-ppp.log | grep 192.168.1.5
tail -F /var/log/accel-ppp/accel-ppp.log | grep e0:00:4e:00:7c:44
less /var/log/accel-ppp/accel-ppp.log
less /var/log/accel-ppp/accel-ppp.log | grep 192.168.1.5
tail -F /var/log/accel-ppp/auth-fail.log
tail -F /var/log/accel-ppp/core.log
tail -F /var/log/accel-ppp/emerg.log

You can count the number of sessions:

ifconfig | grep ipoe | wc -l
tc class show dev ipoe0

You can connect to the accel-ppp console (when prompted for the password, enter the one specified in the configuration in the cli block):

telnet 127.0.0.1 2000

I will give an example of commands:

show sessions
show sessions match ip 10.55.
show sessions match username 2c:56:dc:3b:f6:00
terminate ip 10.10.0.179 soft
terminate ip 10.10.0.179 hard
show stat
help

If the configuration file has changed, some changes can be applied to new sessions without restarting accel-ppp by executing the command:

reload

You can get the result of a command from the Linux shell like this:

accel-cmd -P secret show sessions
accel-cmd -H192.168.2.1 -P password show sessions match ip 10.55.
accel-cmd -H192.168.2.1 -P password show stat
accel-cmd show sessions | grep 192.168.1.5

You can see the installed version of accel-ppp like this:

accel-cmd -V

Take the hash from the command output and look it up at
https://sourceforge.net/p/accel-ppp/code/ci/6c514056471dfdf030d69fb9fda443047a8cc964/log/?path=
to find out which date the accel-ppp code is from. For example, I was shown the following (judging by commit 890560, accel-ppp was built from the code of 2018-03-06 10:09:36):

accel-cmd 89056070effd890afcefaefcd3ee257dc1a447ee

You can also see the version like this:

git describe --tags

On Debian 10, you may have to add ipoe* in the file /lib/udev/ifupdown-hotplug to get this:

# these interfaces generate hotplug events *after* they are brought up
case $INTERFACE in
        ppp*|ippp*|isdn*|plip*|lo|irda*|ipsec*|ipoe*)
