bionic (5) pptpd.conf.5.gz

Provided by: pptpd_1.4.0-11build1_amd64 bug

NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8)  reads  options  from this file, usually /etc/pptpd.conf.  Most options can be overridden by the
       command line.  The local and remote IP addresses for clients must come from  the  configuration  file  or
       from pppd(8) configuration files.

OPTIONS

       option option-file
              the  name  of  an  option file to be passed to pppd(8) in place of the default /etc/ppp/options so
              that PPTP specific options can be given.  Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before forking the pptpctrl(8) program to  handle  the
              client.   The  default is 10 seconds.  This is a denial of service protection feature.  Equivalent
              to the command line --stimeout option.

       logwtmp
              update wtmp(5) as users connect and disconnect.  See wtmp(1).

       debug  turns on debugging mode, sending debugging information to syslog(3).  Has  no  effect  on  pppd(8)
              debugging.  Equivalent to the command line --debug option.

       bcrelay internal-interface
              turns  on broadcast relay mode, sending all broadcasts received on the server's internal interface
              to the clients.  Equivalent to the command line --bcrelay option.

       connections n
              limits the number of client connections that may be accepted.  If pptpd is allocating IP addresses
              (e.g.   delegate  is  not  used)  then  the  number of connections is also limited by the remoteip
              option.  The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).  Without this  option,  which  is  the
              default,  pptpd  manages  the list of IP addresses for clients and passes the next free address to
              pppd.  With this option, pptpd does not pass an address, and so  pppd  may  use  radius  or  chap-
              secrets to allocate an address.

       localip ip-specification
              one or many IP addresses to be used at the local end of the tunnelled PPP links between the server
              and the client.  If one address only is given, this address is used for all  clients.   Otherwise,
              one address per client must be given, and if there are no free addresses then any new clients will
              be refused.  localip will be ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote  PPTP  clients.  Each  connected  client  must  have  a
              different  address,  so there must be at least as many addresses as you have simultaneous clients,
              and preferably some spare, since you cannot change this list without restarting pptpd.  A  warning
              will  be sent to syslog(3) when the IP address pool is exhausted.  remoteip will be ignored if the
              delegate option is used.

       noipparam
              by default, the original client IP address is given to ip-up  scripts  using  the  pppd(8)  option
              ipparam.  The noipparam option prevents this.  Equivalent to the command line --noipparam option.

       listen ip-address
              the  local  interface  IP  address  to  listen  on  for incoming PPTP connections (TCP port 1723).
              Equivalent to the command line --listen option.

       vrf vrf-name
              VRF to use for the TCP listening socket as well as the GRE packets. Equivalent to the command line
              --vrf option.

       pidfile pid-file
              specifies  an  alternate  location  to  store  the  process  ID file (default /var/run/pptpd.pid).
              Equivalent to the command line --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP daemon as the interface  speed  for  the
              tty/pty  pair.   This  is  ignored  by  some PPP daemons, such as Linux's pppd(8).  The default is
              115200 bytes per second, which some implementations interpret as meaning "no  limit".   Equivalent
              to the command line --speed option.

NOTES

       An  ip-specification above (for the localip and remoteip tags) may be a list of IP addresses (for example
       192.168.0.2,192.168.0.3), a range (for example 192.168.0.1-254 or 192.168.0-255.2)  or  some  combination
       (for example 192.168.0.2,192.168.0.5-8).  For some valid pairs might be (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254

ROUTING CHECKLIST - PROXYARP

       Allocate a section of your LAN addresses for use by clients.

       In  /etc/ppp/options.pptpd.   set  the proxyarp option.  In pptpd.conf do not set localip option, but set
       remoteip  to  the  allocated  address  range.   Enable  kernel  forwarding  of   packets,   (e.g.   using
       /proc/sys/net/ipv4/ip_forward ).

       The  server  will  advertise  the  clients  to  the  LAN  using ARP, providing it's own ethernet address.
       bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING

       Allocate a subnet for the clients that is routable from your LAN, but is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the allocated subnet, set remoteip to  a  range
       in  the allocated subnet.  Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward
       ).  The LAN must have a route to the clients using the server as gateway.

       The server will forward the packets unchanged between the  clients  and  the  LAN.   bcrelay(8)  will  be
       required to support broadcast protocols such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE

       Allocate a subnet for the clients that is not routable from your LAN, and not otherwise routable from the
       server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), set remoteip to a range for  the  rest  of
       the    subnet,    (e.g.    10.0.0.2-200).    Enable   kernel   forwarding   of   packets,   (e.g.   using
       /proc/sys/net/ipv4/ip_forward ).  Enable masquerading on eth0 (e.g.  iptables -t nat  -A  POSTROUTING  -o
       eth0 -j MASQUERADE ).

       The  server  will  translate the packets between the clients and the LAN.  The clients will appear to the
       LAN as having the address corresponding to the server.  The LAN need not have an explicit  route  to  the
       clients.  bcrelay(8) will be required to support broadcast protocols such as NETBIOS.

FIREWALL RULES

       pptpd(8)  accepts  control connections on TCP port 1723, and then uses GRE (protocol 47) to exchange data
       packets.  Add these rules to your iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
                --destination-port 1723 --jump ACCEPT

SEE ALSO

       pppd(8), pptpd(8), pptpd.conf(5).

                                                29 December 2005                                   PPTPD.CONF(5)