Provided by: pptpd_1.4.0-11build1_amd64 bug

NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8)  reads  options  from  this  file,  usually /etc/pptpd.conf.  Most options can be
       overridden by the command line.  The local and remote IP addresses for clients  must  come
       from the configuration file or from pppd(8) configuration files.

OPTIONS

       option option-file
              the  name  of  an  option  file  to  be  passed  to pppd(8) in place of the default
              /etc/ppp/options so that PPTP specific options can be  given.   Equivalent  to  the
              command line --option option.

       stimeout seconds
              number  of seconds to wait for a PPTP packet before forking the pptpctrl(8) program
              to handle the client.  The default is 10 seconds.  This  is  a  denial  of  service
              protection feature.  Equivalent to the command line --stimeout option.

       logwtmp
              update wtmp(5) as users connect and disconnect.  See wtmp(1).

       debug  turns on debugging mode, sending debugging information to syslog(3).  Has no effect
              on pppd(8) debugging.  Equivalent to the command line --debug option.

       bcrelay internal-interface
              turns on broadcast relay mode, sending all  broadcasts  received  on  the  server's
              internal  interface  to  the  clients.   Equivalent  to  the command line --bcrelay
              option.

       connections n
              limits the number of  client  connections  that  may  be  accepted.   If  pptpd  is
              allocating IP addresses (e.g.  delegate is not used) then the number of connections
              is also limited by the remoteip option.  The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).  Without  this  option,
              which is the default, pptpd manages the list of IP addresses for clients and passes
              the next free address to pppd.  With this option, pptpd does not pass  an  address,
              and so pppd may use radius or chap-secrets to allocate an address.

       localip ip-specification
              one  or  many  IP  addresses to be used at the local end of the tunnelled PPP links
              between the server and the client.  If one address only is given, this  address  is
              used  for  all  clients.   Otherwise,  one address per client must be given, and if
              there are no free addresses then any new clients will be refused.  localip will  be
              ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote PPTP clients. Each connected client must
              have a different address, so there must be at least as many addresses as  you  have
              simultaneous  clients, and preferably some spare, since you cannot change this list
              without restarting pptpd. A warning will be sent to syslog(3) when the  IP  address
              pool is exhausted.  remoteip will be ignored if the delegate option is used.

       noipparam
              by  default,  the  original  client  IP address is given to ip-up scripts using the
              pppd(8) option ipparam.  The noipparam option prevents  this.   Equivalent  to  the
              command line --noipparam option.

       listen ip-address
              the local interface IP address to listen on for incoming PPTP connections (TCP port
              1723). Equivalent to the command line --listen option.

       vrf vrf-name
              VRF to use for the TCP listening socket as well as the GRE packets.  Equivalent  to
              the command line --vrf option.

       pidfile pid-file
              specifies   an   alternate   location   to  store  the  process  ID  file  (default
              /var/run/pptpd.pid).  Equivalent to the command line --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP daemon as  the  interface
              speed  for  the tty/pty pair.  This is ignored by some PPP daemons, such as Linux's
              pppd(8).  The default is  115200  bytes  per  second,  which  some  implementations
              interpret as meaning "no limit".  Equivalent to the command line --speed option.

NOTES

       An  ip-specification  above  (for  the  localip  and  remoteip  tags)  may be a list of IP
       addresses (for example 192.168.0.2,192.168.0.3), a range (for example  192.168.0.1-254  or
       192.168.0-255.2)  or  some  combination (for example 192.168.0.2,192.168.0.5-8).  For some
       valid pairs might be (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254

ROUTING CHECKLIST - PROXYARP

       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd.  set the proxyarp option.  In pptpd.conf  do  not  set  localip
       option,  but  set  remoteip  to  the allocated address range.  Enable kernel forwarding of
       packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).

       The server will advertise the clients to the LAN using ARP, providing  it's  own  ethernet
       address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING

       Allocate  a subnet for the clients that is routable from your LAN, but is not part of your
       LAN.

       In pptpd.conf set localip to a single address  or  range  in  the  allocated  subnet,  set
       remoteip  to  a range in the allocated subnet.  Enable kernel forwarding of packets, (e.g.
       using /proc/sys/net/ipv4/ip_forward ).  The LAN must have a route to the clients using the
       server as gateway.

       The server will forward the packets unchanged between the clients and the LAN.  bcrelay(8)
       will be required to support broadcast protocols such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE

       Allocate a subnet for the clients that is not routable from your LAN,  and  not  otherwise
       routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), set remoteip to a range for
       the rest of the subnet, (e.g. 10.0.0.2-200).  Enable kernel forwarding of  packets,  (e.g.
       using /proc/sys/net/ipv4/ip_forward ).  Enable masquerading on eth0 (e.g.  iptables -t nat
       -A POSTROUTING -o eth0 -j MASQUERADE ).

       The server will translate the packets between the clients and the LAN.  The  clients  will
       appear  to  the  LAN  as having the address corresponding to the server.  The LAN need not
       have an explicit route to the clients.  bcrelay(8) will be required to  support  broadcast
       protocols such as NETBIOS.

FIREWALL RULES

       pptpd(8)  accepts control connections on TCP port 1723, and then uses GRE (protocol 47) to
       exchange data packets.  Add these rules to your iptables(8) configuration, or use them  as
       the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
                --destination-port 1723 --jump ACCEPT

SEE ALSO

       pppd(8), pptpd(8), pptpd.conf(5).

                                         29 December 2005                           PPTPD.CONF(5)