
NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8)  reads  options from this file, usually /etc/pptpd.conf.  Most
       options can be overridden by the command line.  The local and remote IP
       addresses  for  clients  must  come from the configuration file or from
       pppd(8) configuration files.

OPTIONS

       option option-file
              the name of an option file to be passed to pppd(8) in  place  of
              the  default  /etc/ppp/options so that PPTP specific options can
              be given.  Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before  forking  the
              pptpctrl(8)  program  to  handle  the client.  The default is 10
              seconds.  This  is  a  denial  of  service  protection  feature.
              Equivalent to the command line --stimeout option.

       debug  turns  on  debugging  mode,  sending  debugging  information  to
              syslog(3).  Has no effect on pppd(8) debugging.   Equivalent  to
              the command line --debug option.

       bcrelay internal-interface
              turns  on  broadcast relay mode, sending all broadcasts received
              on the server’s internal interface to the  clients.   Equivalent
              to the command line --bcrelay option.

       connections n
              limits  the  number  of client connections that may be accepted.
              If pptpd is allocating IP addresses (i.e. delegate is not used)
              then the number of connections is also limited by the size of
              the remoteip pool.  The default is 100.

       delegate
              delegates the allocation of  client  IP  addresses  to  pppd(8).
              Without  this  option,  which  is the default, pptpd manages the
              list of IP addresses  for  clients  and  passes  the  next  free
              address  to  pppd.   With  this  option,  pptpd does not pass an
              address, and so pppd may use radius or chap-secrets to  allocate
              an address.

       localip ip-specification
              one  or  many  IP  addresses  to be used at the local end of the
              tunnelled PPP links between the server and the client.   If  one
              address  only  is  given,  this address is used for all clients.
              Otherwise, one address per client must be given,  and  if  there
              are  no  free  addresses  then  any new clients will be refused.
              localip will be ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote  PPTP  clients.  Each
              connected client must have a different address, so there must be
              at least as many addresses as you have simultaneous clients, and
              preferably some spare, since you cannot change this list without
              restarting pptpd. A warning will be sent to syslog(3)  when  the
              IP  address  pool is exhausted.  remoteip will be ignored if the
              delegate option is used.

       noipparam
              by default, the original client IP address  is  given  to  ip-up
              scripts  using the pppd(8) option ipparam.  The noipparam option
              prevents this.   Equivalent  to  the  command  line  --noipparam
              option.

       listen ip-address
              the  local  interface  IP address to listen on for incoming PPTP
              connections (TCP port 1723).  Equivalent  to  the  command  line
              --listen option.

       pidfile pid-file
              specifies  an  alternate  location  to store the process ID file
              (default /var/run/pptpd.pid).  Equivalent to  the  command  line
              --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP daemon
              as the interface speed for the tty/pty pair.  This is ignored by
              some  PPP  daemons,  such  as  Linux’s  pppd(8).  The default is
              115200 bytes per second, which some implementations interpret as
              meaning  "no  limit".   Equivalent  to  the command line --speed
              option.

NOTES

       An ip-specification above (for the localip and remoteip tags) may be  a
       list  of  IP  addresses  (for example 192.168.0.2,192.168.0.3), a range
       (for example 192.168.0.1-254 or 192.168.0-255.2)  or  some  combination
       (for example 192.168.0.2,192.168.0.5-8).  Some valid pairs  (depending
       on the use of the VPN) might be:

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254

ROUTING CHECKLIST - PROXYARP

       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option.  In pptpd.conf do not
       set the localip option, but set remoteip to the  allocated  address
       range.   Enable  kernel  forwarding  of  packets  (e.g.  by  setting
       /proc/sys/net/ipv4/ip_forward).

       The server will advertise the clients to the LAN using ARP,  providing
       its own ethernet address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING

       Allocate a subnet for the clients that is routable from your  LAN,  but
       is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the allocated
       subnet, and set remoteip to a range in the allocated subnet.  Enable
       kernel forwarding of packets (e.g. by setting /proc/sys/net/ipv4/ip_forward).
       The LAN must have a route to the clients using the server as gateway.

       The server will forward the packets unchanged between the  clients  and
       the  LAN.   bcrelay(8)  will be required to support broadcast protocols
       such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE

       Allocate a subnet for the clients that is not routable from  your  LAN,
       and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), and set
       remoteip to a range covering the rest of the subnet (e.g. 10.0.0.2-200).
       Enable kernel forwarding of packets (e.g. by setting
       /proc/sys/net/ipv4/ip_forward).  Enable masquerading on eth0 (e.g.
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE).

       The  server will translate the packets between the clients and the LAN.
       The clients will appear to the LAN as having the address  corresponding
       to the server.  The LAN need not have an explicit route to the clients.
       bcrelay(8) will be required to  support  broadcast  protocols  such  as
       NETBIOS.

FIREWALL RULES

       pptpd(8)  accepts  control  connections on TCP port 1723, and then uses
       GRE (protocol 47) to exchange data packets.  Add these  rules  to  your
       iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
                --destination-port 1723 --jump ACCEPT

SEE ALSO

       pppd(8), pptpd(8), pptpd.conf(5).

                               29 December 2005