Provided by: pptpd_1.2.3-1_i386

NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8)  reads  options from this file, usually /etc/pptpd.conf.  Most
       options can be overridden by the command line.  The local and remote IP
       addresses  for  clients  must  come from the configuration file or from
       pppd(8) configuration files.

OPTIONS

       option option-file
              the name of an option file to be passed to pppd(8) in  place  of
              the  default  /etc/ppp/options so that PPTP specific options can
              be given.  Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before  forking  the
              pptpctrl(8)  program  to  handle  the client.  The default is 10
              seconds.  This  is  a  denial  of  service  protection  feature.
              Equivalent to the command line --stimeout option.

       debug  turns  on  debugging  mode,  sending  debugging  information  to
              syslog(3).  Has no effect on pppd(8) debugging.   Equivalent  to
              the command line --debug option.

       bcrelay internal-interface
              turns  on  broadcast relay mode, sending all broadcasts received
              on the server’s internal interface to the  clients.   Equivalent
              to the command line --bcrelay option.

       localip ip-specification
              one  or  many  IP  addresses  to be used at the local end of the
              tunnelled PPP links between the server and the client.   If  one
              address  only  is  given,  this address is used for all clients.
              Otherwise, one address per client must be given,  and  if  there
              are  no  free  addresses  then  any new clients will be refused.
              localip will be ignored if pptpd(8) was  compiled  with  --with-
              pppd-ip-alloc.

       remoteip ip-specification
              a  list  of  IP addresses to assign to remote PPTP clients. Each
              connected client must have a different address, so there must be
              at least as many addresses as you have simultaneous clients, and
              preferably some spare, since you cannot change this list without
              restarting  pptpd.  A warning will be sent to syslog(3) when the
              IP address pool is  exhausted.   remoteip  will  be  ignored  if
              pptpd(8) was compiled with --with-pppd-ip-alloc.

       noipparam
              by  default,  the  original  client IP address is given to ip-up
              scripts using the pppd(8) option ipparam.  The noipparam  option
              prevents  this.   Equivalent  to  the  command  line --noipparam
              option.

       listen ip-address
              the local interface IP address to listen on  for  incoming  PPTP
              connections  (TCP  port  1723).  Equivalent  to the command line
              --listen option.

       pidfile pid-file
              specifies an alternate location to store  the  process  ID  file
              (default  /var/run/pptpd.pid).   Equivalent  to the command line
              --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP daemon
              as the interface speed for the tty/pty pair.  This is ignored by
              some PPP daemons, such  as  Linux’s  pppd(8).   The  default  is
              115200 bytes per second, which some implementations interpret as
              meaning "no limit".  Equivalent  to  the  command  line  --speed
              option.

NOTES

       An  ip-specification above (for the localip and remoteip tags) may be a
       list of IP addresses (for  example  192.168.0.2,192.168.0.3),  a  range
       (for  example  192.168.0.1-254  or 192.168.0-255.2) or some combination
       (for example 192.168.0.2,192.168.0.5-8).  Some valid pairs might be
       (depending on the use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254
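       As an added example (not part of the original manual page or of the
       pptpd sources), the following Python script expands the ip-specification
       syntax described above, parses a small constructed pptpd.conf, and
       reports the pool sizes plus the misconfigurations the OPTIONS section
       warns about (duplicate remoteip addresses, localip/remoteip overlap, and
       too few localip addresses when more than one is given).  The sample
       addresses are constructed; comment stripping after "#" is an assumption.

```python
import itertools
import re

# Constructed sample pptpd.conf (not a real deployment).
SAMPLE_CONF = """\
# comments are assumed to start with '#'
listen 203.0.113.10
localip 192.168.0.1
remoteip 192.168.0.2-254,192.168.1.2-9
"""

def expand_ip_spec(spec):
    """Expand a comma-separated ip-specification (octets may be 'a-b' ranges)."""
    addrs = []
    for item in spec.split(","):
        octets = item.strip().split(".")
        if len(octets) != 4:
            raise ValueError("bad ip-specification item: %r" % item)
        ranges = []
        for octet in octets:
            m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", octet)
            lo = int(m.group(1)) if m else -1
            hi = int(m.group(2)) if m and m.group(2) else lo
            if not 0 <= lo <= hi <= 255:
                raise ValueError("bad octet %r in %r" % (octet, item))
            ranges.append(range(lo, hi + 1))
        # Cartesian product of the per-octet ranges gives every address named.
        addrs += [".".join(map(str, q)) for q in itertools.product(*ranges)]
    return addrs

def parse_conf(text):
    """Parse pptpd.conf into a dict; options given without a value map to True."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip() or True
    return conf

def check_pools(conf):
    """Return (remote pool size, local pool size, warnings) for the address pools."""
    remote = expand_ip_spec(conf["remoteip"]) if "remoteip" in conf else []
    local = expand_ip_spec(conf["localip"]) if "localip" in conf else []
    warnings = []
    if len(set(remote)) != len(remote):
        warnings.append("remoteip lists an address more than once")
    if set(local) & set(remote):
        warnings.append("localip and remoteip overlap")
    if 1 < len(local) < len(remote):
        warnings.append("fewer localip than remoteip addresses; extra clients refused")
    return len(remote), len(local), warnings
```

       Running check_pools(parse_conf(SAMPLE_CONF)) on the constructed file
       yields a remote pool of 261 addresses, one local address and no warnings.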

ROUTING CHECKLIST - PROXYARP

       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option.  In pptpd.conf do
       not set the localip option, but set remoteip to the allocated address
       range.  Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).

       The server will advertise the clients to the LAN using ARP, providing
       its own ethernet address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING

       Allocate  a  subnet for the clients that is routable from your LAN, but
       is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the allocated
       subnet, set remoteip to a range in the allocated subnet.  Enable kernel
       forwarding of packets,  (e.g.  using  /proc/sys/net/ipv4/ip_forward  ).
       The LAN must have a route to the clients using the server as gateway.

       The  server  will forward the packets unchanged between the clients and
       the LAN.  bcrelay(8) will be required to  support  broadcast  protocols
       such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE

       Allocate  a  subnet for the clients that is not routable from your LAN,
       and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in  the  subnet  (e.g.  10.0.0.1),  set
       remoteip  to  a  range for the rest of the subnet, (e.g. 10.0.0.2-200).
       Enable    kernel     forwarding     of     packets,     (e.g.     using
       /proc/sys/net/ipv4/ip_forward  ).   Enable  masquerading  on eth0 (e.g.
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ).

       The server will translate the packets between the clients and the  LAN.
       The  clients will appear to the LAN as having the address corresponding
       to the server.  The LAN need not have an explicit route to the clients.
       bcrelay(8)  will  be  required  to  support broadcast protocols such as
       NETBIOS.

FIREWALL RULES

       pptpd(8) accepts control connections on TCP port 1723,  and  then  uses
       GRE  (protocol  47)  to exchange data packets.  Add these rules to your
       iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
                --destination-port 1723 --jump ACCEPT

SEE ALSO

       pppd(8), pptpd(8), pptpd.conf(5).

                                  24 May 2004                    PPTPD.CONF(5)