pptpd.conf - PPTP VPN daemon configuration
pptpd(8) reads options from this file, usually /etc/pptpd.conf. Most
options can be overridden by the command line. The local and remote IP
addresses for clients must come from the configuration file or from
pppd(8) configuration files.
the name of an option file to be passed to pppd(8) in place of
the default /etc/ppp/options so that PPTP specific options can
be given. Equivalent to the command line --option option.
number of seconds to wait for a PPTP packet before forking the
pptpctrl(8) program to handle the client. The default is 10
seconds. This is a denial of service protection feature.
Equivalent to the command line --stimeout option.
debug turns on debugging mode, sending debugging information to
syslog(3). Has no effect on pppd(8) debugging. Equivalent to
the command line --debug option.
turns on broadcast relay mode, sending all broadcasts received
on the server’s internal interface to the clients. Equivalent
to the command line --bcrelay option.
limits the number of client connections that may be accepted.
If pptpd is allocating IP addresses (e.g. delegate is not used)
then the number of connections is also limited by the remoteip
option. The default is 100.
delegates the allocation of client IP addresses to pppd(8).
Without this option, which is the default, pptpd manages the
list of IP addresses for clients and passes the next free
address to pppd. With this option, pptpd does not pass an
address, and so pppd may use radius or chap-secrets to allocate
one or many IP addresses to be used at the local end of the
tunnelled PPP links between the server and the client. If one
address only is given, this address is used for all clients.
Otherwise, one address per client must be given, and if there
are no free addresses then any new clients will be refused.
localip will be ignored if the delegate option is used.
a list of IP addresses to assign to remote PPTP clients. Each
connected client must have a different address, so there must be
at least as many addresses as you have simultaneous clients, and
preferably some spare, since you cannot change this list without
restarting pptpd. A warning will be sent to syslog(3) when the
IP address pool is exhausted. remoteip will be ignored if the
delegate option is used.
by default, the original client IP address is given to ip-up
scripts using the pppd(8) option ipparam. The noipparam option
prevents this. Equivalent to the command line --noipparam
the local interface IP address to listen on for incoming PPTP
connections (TCP port 1723). Equivalent to the command line
specifies an alternate location to store the process ID file
(default /var/run/pptpd.pid). Equivalent to the command line
specifies a speed (in bits per second) to pass to the PPP daemon
as the interface speed for the tty/pty pair. This is ignored by
some PPP daemons, such as Linux’s pppd(8). The default is
115200 bytes per second, which some implementations interpret as
meaning "no limit". Equivalent to the command line --speed
An ip-specification above (for the localip and remoteip tags) may be a
list of IP addresses (for example 192.168.0.2,192.168.0.3), a range
(for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
(for example 192.168.0.2,192.168.0.5-8). For some valid pairs might be
(depending on use of the VPN):
ROUTING CHECKLIST - PROXYARP
Allocate a section of your LAN addresses for use by clients.
In /etc/ppp/options.pptpd. set the proxyarp option. In pptpd.conf do
not set localip option, but set remoteip to the allocated address
range. Enable kernel forwarding of packets, (e.g. using
The server will advertise the clients to the LAN using ARP, providing
it’s own ethernet address. bcrelay(8) should not be required.
ROUTING CHECKLIST - FORWARDING
Allocate a subnet for the clients that is routable from your LAN, but
is not part of your LAN.
In pptpd.conf set localip to a single address or range in the allocated
subnet, set remoteip to a range in the allocated subnet. Enable kernel
forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).
The LAN must have a route to the clients using the server as gateway.
The server will forward the packets unchanged between the clients and
the LAN. bcrelay(8) will be required to support broadcast protocols
such as NETBIOS.
ROUTING CHECKLIST - MASQUERADE
Allocate a subnet for the clients that is not routable from your LAN,
and not otherwise routable from the server (e.g. 10.0.0.0/24).
Set localip to a single address in the subnet (e.g. 10.0.0.1), set
remoteip to a range for the rest of the subnet, (e.g. 10.0.0.2-200).
Enable kernel forwarding of packets, (e.g. using
/proc/sys/net/ipv4/ip_forward ). Enable masquerading on eth0 (e.g.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ).
The server will translate the packets between the clients and the LAN.
The clients will appear to the LAN as having the address corresponding
to the server. The LAN need not have an explicit route to the clients.
bcrelay(8) will be required to support broadcast protocols such as
pptpd(8) accepts control connections on TCP port 1723, and then uses
GRE (protocol 47) to exchange data packets. Add these rules to your
iptables(8) configuration, or use them as the basis for your own rules:
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp \
--destination-port 1723 --jump ACCEPT
pppd(8), pptpd(8), pptpd.conf(5).
29 December 2005