Provided by: pptpd_1.3.4-5ubuntu2_amd64

NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8)  reads  options  from  this  file,  usually /etc/pptpd.conf.  Most options can be
       overridden by the command line.  The local and remote IP addresses for clients  must  come
       from the configuration file or from pppd(8) configuration files.

OPTIONS

       option option-file
              the  name  of  an  option  file  to  be  passed  to pppd(8) in place of the default
              /etc/ppp/options so that PPTP specific options can be  given.   Equivalent  to  the
              command line --option option.

       stimeout seconds
              number  of seconds to wait for a PPTP packet before forking the pptpctrl(8) program
              to handle the client.  The default is 10 seconds.  This  is  a  denial  of  service
              protection feature.  Equivalent to the command line --stimeout option.

       debug  turns on debugging mode, sending debugging information to syslog(3).  Has no effect
              on pppd(8) debugging.  Equivalent to the command line --debug option.

       bcrelay internal-interface
              turns on broadcast relay mode, sending all  broadcasts  received  on  the  server's
              internal  interface  to  the  clients.   Equivalent  to  the command line --bcrelay
              option.

       connections n
              limits the number of client connections that may be accepted.  If pptpd is
              allocating IP addresses (i.e. when delegate is not used) then the number of
              connections is also limited by the size of the remoteip pool.  The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).  Without  this  option,
              which is the default, pptpd manages the list of IP addresses for clients and passes
              the next free address to pppd.  With this option, pptpd does not pass  an  address,
              and so pppd may use radius or chap-secrets to allocate an address.

       localip ip-specification
              one  or  many  IP  addresses to be used at the local end of the tunnelled PPP links
              between the server and the client.  If one address only is given, this  address  is
              used  for  all  clients.   Otherwise,  one address per client must be given, and if
              there are no free addresses then any new clients will be refused.  localip will  be
              ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote PPTP clients. Each connected client must
              have a different address, so there must be at least as many addresses as  you  have
              simultaneous  clients, and preferably some spare, since you cannot change this list
              without restarting pptpd. A warning will be sent to syslog(3) when the  IP  address
              pool is exhausted.  remoteip will be ignored if the delegate option is used.

       noipparam
              by  default,  the  original  client  IP address is given to ip-up scripts using the
              pppd(8) option ipparam.  The noipparam option prevents  this.   Equivalent  to  the
              command line --noipparam option.

       listen ip-address
              the local interface IP address to listen on for incoming PPTP connections (TCP port
              1723). Equivalent to the command line --listen option.

       pidfile pid-file
              specifies  an  alternate  location  to  store  the   process   ID   file   (default
              /var/run/pptpd.pid).  Equivalent to the command line --pidfile option.

       speed speed
              specifies  a  speed (in bits per second) to pass to the PPP daemon as the interface
              speed for the tty/pty pair.  This is ignored by some PPP daemons, such  as  Linux's
              pppd(8).   The  default  is  115200  bytes  per  second, which some implementations
              interpret as meaning "no limit".  Equivalent to the command line --speed option.

NOTES

       An ip-specification above (for the localip and remoteip tags) may be a list of IP
       addresses (for example 192.168.0.2,192.168.0.3), a range (for example 192.168.0.1-254 or
       192.168.0-255.2) or some combination (for example 192.168.0.2,192.168.0.5-8).  Some
       valid pairs might be (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254
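       The ip-specification grammar and the pool rules in OPTIONS can be checked mechanically
       before pptpd is restarted.  The Python below is an added example, not code from pptpd or
       from this manual page: it expands a specification into individual addresses, reads a
       minimal pptpd.conf (one keyword and value per line, '#' starts a comment; a simplification
       of pptpd's own parser), and reports pools that contradict the connections, localip and
       remoteip rules.  The sample configuration is constructed, and allowing a range in more than
       one octet of the same entry goes beyond the single-range examples shown above.

```python
"""Expand and sanity-check the localip/remoteip pools of a pptpd.conf.

Added example; not pptpd's own code.  The ip-specification grammar follows
the NOTES section of pptpd.conf(5): a comma-separated list of dotted quads in
which an octet may be written low-high.
"""
import ipaddress
import itertools
import re
from typing import Dict, List

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def expand_ip_spec(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand "192.168.0.2,192.168.0.5-8" style text into addresses.

    Order is preserved (list order, ascending inside a range), which is the
    order a pool is handed out in.  A range is allowed in any octet; if more
    than one octet is ranged every combination is enumerated (an extension of
    the single-ranged-octet examples in the man page).
    """
    addresses: List[ipaddress.IPv4Address] = []
    for item in spec.replace(" ", "").split(","):
        octets = item.split(".")
        if len(octets) != 4:
            raise ValueError(f"{item!r} is not a dotted quad")
        choices = []
        for octet in octets:
            m = _OCTET.match(octet)
            if not m:
                raise ValueError(f"bad octet {octet!r} in {item!r}")
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            if not 0 <= low <= high <= 255:
                raise ValueError(f"range {octet!r} in {item!r} is out of order or exceeds 255")
            choices.append(range(low, high + 1))
        for combo in itertools.product(*choices):
            addresses.append(ipaddress.IPv4Address(".".join(str(o) for o in combo)))
    return addresses


def parse_pptpd_conf(text: str) -> Dict[str, str]:
    """Return {keyword: value} for a pptpd.conf body; flag keywords map to ""."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def check_pools(conf: Dict[str, str]) -> List[str]:
    """Apply the pool rules from OPTIONS/NOTES and return human-readable findings."""
    findings: List[str] = []
    connections = int(conf.get("connections", "100"))   # default per the man page
    if "delegate" in conf:
        if "localip" in conf or "remoteip" in conf:
            findings.append("delegate is set: localip and remoteip are ignored, pppd allocates addresses")
        return findings
    if "remoteip" not in conf:
        findings.append("remoteip is missing and delegate is not set: no client addresses can be assigned")
        return findings
    remote = expand_ip_spec(conf["remoteip"])
    if len(set(remote)) != len(remote):
        findings.append("remoteip lists the same address more than once")
    if len(remote) < connections:
        findings.append(f"remoteip has {len(remote)} addresses but connections is {connections}: "
                        f"only {len(remote)} clients can connect")
    if "localip" in conf:
        local = expand_ip_spec(conf["localip"])
        # one localip serves every client; otherwise each client needs its own
        if len(local) > 1 and len(local) < len(remote):
            findings.append(f"localip has {len(local)} addresses for {len(remote)} remoteip addresses: "
                            f"clients beyond {len(local)} will be refused")
        clash = sorted(set(local) & set(remote), key=int)
        if clash:
            findings.append(f"localip and remoteip overlap at {', '.join(map(str, clash))}")
    return findings


# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """
# pptpd.conf -- constructed example
option /etc/ppp/pptpd-options
connections 30
localip 192.168.0.1
remoteip 192.168.0.2-20,192.168.0.50-59
"""

if __name__ == "__main__":
    for finding in check_pools(parse_pptpd_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```

       Run against the sample, the checker reports that the 29-address remoteip pool is smaller
       than the configured 30 connections, which is the kind of mismatch that only shows up as a
       syslog(3) warning once the pool is exhausted in production.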

ROUTING CHECKLIST - PROXYARP

       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option.  In pptpd.conf do not set the localip
       option, but set remoteip to the allocated address range.  Enable kernel forwarding of
       packets (e.g. using /proc/sys/net/ipv4/ip_forward).

       The server will advertise the clients to the LAN using ARP, providing its own ethernet
       address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING

       Allocate a subnet for the clients that is routable from your LAN, but is not part of  your
       LAN.

       In pptpd.conf set localip to a single address or range in the allocated subnet, and set
       remoteip to a range in the allocated subnet.  Enable kernel forwarding of packets (e.g.
       using /proc/sys/net/ipv4/ip_forward).  The LAN must have a route to the clients using the
       server as gateway.

       The server will forward the packets unchanged between the clients and the LAN.  bcrelay(8)
       will be required to support broadcast protocols such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE

       Allocate  a  subnet  for the clients that is not routable from your LAN, and not otherwise
       routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), and set remoteip to a range
       for the rest of the subnet (e.g. 10.0.0.2-200).  Enable kernel forwarding of packets (e.g.
       using /proc/sys/net/ipv4/ip_forward).  Enable masquerading on eth0 (e.g. iptables -t nat
       -A POSTROUTING -o eth0 -j MASQUERADE).

       The  server  will translate the packets between the clients and the LAN.  The clients will
       appear to the LAN as having the address corresponding to the server.   The  LAN  need  not
       have  an  explicit route to the clients.  bcrelay(8) will be required to support broadcast
       protocols such as NETBIOS.
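       Each of the three checklists constrains how localip, remoteip and the LAN relate to one
       another, and a plan that mixes them (a localip in proxyarp mode, a client subnet that
       overlaps the LAN in forwarding mode) fails in ways that are hard to diagnose from the
       client side.  The Python below is an added example, not pptpd code, that encodes those
       constraints as a consistency check over an address plan.  It assumes the remote pool is
       given as an inclusive first/last pair rather than pptpd's range syntax, takes localip as a
       single address (the forwarding checklist also permits a range), and treats "not routable"
       in the masquerade case as an RFC 1918 private range, an assumption drawn from the
       10.0.0.0/24 example above.

```python
"""Check a pptpd address plan against the proxyarp / forwarding / masquerade
checklists of pptpd.conf(5).  Added example; not pptpd's own code."""
import ipaddress
from typing import List, Optional

MODES = ("proxyarp", "forwarding", "masquerade")


def address_pool(first: str, last: str) -> List[ipaddress.IPv4Address]:
    """Inclusive address range, standing in for pptpd's low-high syntax."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} is out of order")
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]


def check_routing_plan(mode: str, lan: str, remote_first: str, remote_last: str,
                       localip: Optional[str] = None,
                       client_subnet: Optional[str] = None) -> List[str]:
    """Return findings where the plan contradicts the named checklist.

    lan and client_subnet are CIDR strings; localip is a single address or
    None (assumption: the forwarding checklist also allows a range).  An empty
    list means the plan is consistent with the checklist.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    findings: List[str] = []
    lan_net = ipaddress.IPv4Network(lan)
    remote = address_pool(remote_first, remote_last)
    local = ipaddress.IPv4Address(localip) if localip else None

    if mode == "proxyarp":
        # Clients borrow LAN addresses and the server answers ARP for them,
        # so there is no separate subnet and localip must be left unset.
        if local is not None:
            findings.append("proxyarp: localip must not be set in pptpd.conf")
        outside = [a for a in remote if a not in lan_net]
        if outside:
            findings.append(f"proxyarp: {len(outside)} remoteip address(es) lie outside the LAN {lan_net}")
        edges = {lan_net.network_address, lan_net.broadcast_address} & set(remote)
        if edges:
            findings.append("proxyarp: remoteip includes the LAN network/broadcast address "
                            f"{[str(a) for a in sorted(edges, key=int)]}")
        return findings

    # forwarding and masquerade both need a client subnet distinct from the LAN
    if client_subnet is None:
        findings.append(f"{mode}: a separate client subnet must be allocated")
        return findings
    net = ipaddress.IPv4Network(client_subnet)
    if net.overlaps(lan_net):
        findings.append(f"{mode}: client subnet {net} overlaps the LAN {lan_net}")
    if mode == "masquerade" and not net.is_private:
        # "not routable" read as RFC 1918 space; the man page's example is 10.0.0.0/24
        findings.append(f"masquerade: client subnet {net} is not a private range")
    if local is None:
        findings.append(f"{mode}: localip must be set to an address in {net}")
    elif local not in net:
        findings.append(f"{mode}: localip {local} is not in client subnet {net}")
    elif local in remote:
        findings.append(f"{mode}: localip {local} is also in the remoteip pool")
    outside = [a for a in remote if a not in net]
    if outside:
        findings.append(f"{mode}: {len(outside)} remoteip address(es) lie outside {net}")
    return findings


if __name__ == "__main__":
    # The masquerade plan from the checklist, with a constructed LAN of 192.168.0.0/24.
    plan = check_routing_plan("masquerade", "192.168.0.0/24", "10.0.0.2", "10.0.0.200",
                              localip="10.0.0.1", client_subnet="10.0.0.0/24")
    print("masquerade plan:", "consistent" if not plan else plan)
```

       The checker deliberately says nothing about ip_forward, the LAN's route back to the
       clients, or the MASQUERADE rule; those live on the host and in iptables rather than in
       the address plan, and are verified separately.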

FIREWALL RULES

       pptpd(8) accepts control connections on TCP port 1723, and then uses GRE (protocol 47)  to
       exchange  data packets.  Add these rules to your iptables(8) configuration, or use them as
       the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
                --destination-port 1723 --jump ACCEPT

SEE ALSO

       pppd(8), pptpd(8), pptpd.conf(5).

                                         29 December 2005                           PPTPD.CONF(5)