PPTPD.CONF(5)                 File Formats Manual                PPTPD.CONF(5)

NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8) reads options from this file, usually /etc/pptpd.conf.  Most
       options can be overridden on the command line.  The local and remote IP
       addresses for clients must come from this configuration file or, when
       the delegate option is set, from the pppd(8) configuration files.

OPTIONS

       option option-file
              the name of an option file to be passed to pppd(8) in place of
              the default /etc/ppp/options so that PPTP specific options can
              be given.  Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before forking the
              pptpctrl(8) program to handle the client.  The default is 10
              seconds.  This is a denial of service protection feature: a
              client that opens the TCP connection but sends nothing within
              this time is dropped without a pptpctrl(8) process being
              started for it.  Equivalent to the command line --stimeout
              option.

       logwtmp
              update wtmp(5) as users connect and disconnect.

       debug  turns on debugging mode, sending debugging information to
              syslog(3).  Has no effect on pppd(8) debugging.  Equivalent to
              the command line --debug option.

       bcrelay internal-interface
              turns on broadcast relay mode, sending all broadcasts received
              on the server's internal interface to the clients.  Equivalent
              to the command line --bcrelay option.

       connections n
              limits the number of client connections that may be accepted.
              If pptpd is allocating IP addresses (that is, delegate is not
              used) then the number of connections is also limited by the
              size of the remoteip pool.  The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).
              Without this option, which is the default, pptpd manages the
              list of IP addresses for clients and passes the next free
              address to pppd.  With this option, pptpd does not pass an
              address, and so pppd may use RADIUS or chap-secrets to allocate
              an address.

       localip ip-specification
              one or many IP addresses to be used at the local end of the
              tunnelled PPP links between the server and the client.  If one
              address only is given, this address is used for all clients.
              Otherwise, one address per client must be given, and if there
              are no free addresses then any new clients will be refused.
              localip will be ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote PPTP clients.  Each
              connected client must have a different address, so there must
              be at least as many addresses as you have simultaneous clients,
              and preferably some spare, since you cannot change this list
              without restarting pptpd.  A warning will be sent to syslog(3)
              when the IP address pool is exhausted.  remoteip will be ignored
              if the delegate option is used.

       noipparam
              by default, the original client IP address is given to ip-up
              scripts using the pppd(8) option ipparam.  The noipparam option
              prevents this.  Equivalent to the command line --noipparam
              option.

       listen ip-address
              the local interface IP address to listen on for incoming PPTP
              connections (TCP port 1723).  By default pptpd listens on all
              local addresses; on a multi-homed server set this so that the
              control port is only reachable on the interface that is meant
              to serve VPN clients.  Equivalent to the command line --listen
              option.

       vrf vrf-name
              VRF to use for the TCP listening socket as well as the GRE
              packets.  Equivalent to the command line --vrf option.

       pidfile pid-file
              specifies an alternate location to store the process ID file
              (default /var/run/pptpd.pid).  Equivalent to the command line
              --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP daemon
              as the interface speed for the tty/pty pair.  This is ignored by
              some PPP daemons, such as Linux's pppd(8).  The default is
              115200 bits per second, which some implementations interpret as
              meaning "no limit".  Equivalent to the command line --speed
              option.

NOTES

       An ip-specification above (for the localip and remoteip tags) may be a
       list of IP addresses (for example 192.168.0.2,192.168.0.3), a range
       (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
       (for example 192.168.0.2,192.168.0.5-8).  Some valid pairs might be
       (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254

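       The ip-specification syntax decides how many clients pptpd can actually
       serve: without delegate, the effective limit is the smallest of
       connections, the remoteip pool and, when more than one local address is
       listed, the localip pool.  The POSIX sh script below is an added
       example, not part of pptpd or of this manual.  It counts the addresses
       in an ip-specification and reports that effective limit for a given
       pptpd.conf.  It assumes that a range in any octet is expanded per octet
       (so 192.168.0-255.2 yields 256 addresses), that # begins a comment, and
       that the last occurrence of a keyword wins; the configuration it checks
       at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not pptpd code): size a pptpd.conf ip-specification and
# report the effective client limit.  Assumes the syntax from NOTES: a comma
# separated list of elements, each "a.b.c.d" with any octet given as N or N-M.

# Count the addresses in one element such as 192.168.0.2-254 or 192.168.0-255.2.
# Assumption: a range in any octet is expanded, so the count is the product
# of the per-octet range sizes.
ipspec_elem_count() {
    elem=$1
    count=1
    old_ifs=$IFS
    IFS=.
    set -- $elem
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address or range: $elem" >&2; return 1; }
    for part in "$@"; do
        case $part in
            *-*) lo=${part%%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        for v in "$lo" "$hi"; do
            case $v in
                ''|*[!0-9]*) echo "bad octet '$v' in $elem" >&2; return 1 ;;
            esac
            [ "$v" -le 255 ] || { echo "octet $v out of range in $elem" >&2; return 1; }
        done
        [ "$lo" -le "$hi" ] || { echo "reversed range $part in $elem" >&2; return 1; }
        count=$((count * (hi - lo + 1)))
    done
    echo "$count"
}

# Count the addresses in a whole ip-specification (elements separated by commas).
ipspec_count() {
    total=0
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -ge 1 ] || { echo "empty ip-specification" >&2; return 1; }
    for elem in "$@"; do
        n=$(ipspec_elem_count "$elem") || return 1
        total=$((total + n))
    done
    echo "$total"
}

# Last value given for a keyword in a pptpd.conf, with # comments stripped.
conf_value() {
    sed 's/#.*//' "$2" | awk -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Effective number of simultaneous clients a pptpd.conf allows: the smallest
# of connections (default 100), the remoteip pool, and the localip pool when
# more than one local address is listed.  With delegate set, pppd hands out
# addresses and only the connections limit applies.
pptpd_effective_limit() {
    conf=$1
    limit=$(conf_value connections "$conf")
    [ -n "$limit" ] || limit=100
    if sed 's/#.*//' "$conf" | grep -Eq '(^|[[:space:]])delegate([[:space:]]|$)'; then
        echo "$limit"
        return 0
    fi
    remoteip=$(conf_value remoteip "$conf")
    [ -n "$remoteip" ] || { echo "neither remoteip nor delegate set in $conf" >&2; return 1; }
    pool=$(ipspec_count "$remoteip") || return 1
    if [ "$pool" -lt "$limit" ]; then limit=$pool; fi
    localip=$(conf_value localip "$conf")
    if [ -n "$localip" ]; then
        lpool=$(ipspec_count "$localip") || return 1
        if [ "$lpool" -gt 1 ] && [ "$lpool" -lt "$limit" ]; then limit=$lpool; fi
    fi
    echo "$limit"
}

# Demonstration on a constructed configuration (not taken from any real host):
# 49 remote addresses against the default of 100 connections.
tmp=${TMPDIR:-/tmp}/pptpd.conf.example.$$
cat > "$tmp" <<'EOF'
# constructed sample
option /etc/ppp/options.pptpd
localip 192.168.0.1
remoteip 192.168.0.2-50
EOF
for spec in 192.168.0.2,192.168.0.3 192.168.0.1-254 192.168.0-255.2 192.168.0.2,192.168.0.5-8; do
    echo "$spec -> $(ipspec_count "$spec") addresses"
done
echo "effective client limit: $(pptpd_effective_limit "$tmp")"
rm -f "$tmp"
```

       Run it against a real /etc/pptpd.conf to see whether the remoteip pool
       or a multi-address localip, rather than the connections option, is the
       binding limit; a pool smaller than the expected client count is what
       produces the "pool exhausted" syslog warning described above.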

ROUTING CHECKLIST - PROXYARP

       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option.  In pptpd.conf do
       not set the localip option, but set remoteip to the allocated address
       range.  Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).

       The server will advertise the clients to the LAN using ARP, providing
       its own ethernet address.  bcrelay(8) should not be required.


ROUTING CHECKLIST - FORWARDING

       Allocate a subnet for the clients that is routable from your LAN, but
       is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the allocated
       subnet, and set remoteip to a range in the allocated subnet.  Enable
       kernel forwarding of packets (e.g. using /proc/sys/net/ipv4/ip_forward).
       The LAN must have a route to the clients using the server as gateway.

       The server will forward the packets unchanged between the clients and
       the LAN.  bcrelay(8) will be required to support broadcast protocols
       such as NETBIOS.


ROUTING CHECKLIST - MASQUERADE

       Allocate a subnet for the clients that is not routable from your LAN,
       and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), set
       remoteip to a range for the rest of the subnet (e.g. 10.0.0.2-200).
       Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).  Enable masquerading on eth0 (e.g.
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE).  Restricting
       that rule to the client subnet (adding -s 10.0.0.0/24) keeps it from
       translating any other traffic the server happens to forward.

       The server will translate the packets between the clients and the LAN.
       The clients will appear to the LAN as having the address corresponding
       to the server.  The LAN need not have an explicit route to the clients.
       bcrelay(8) will be required to support broadcast protocols such as
       NETBIOS.


FIREWALL RULES

       pptpd(8) accepts control connections on TCP port 1723, and then uses
       GRE (protocol 47) to exchange data packets.  Add these rules to your
       iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
                --destination-port 1723 --jump ACCEPT

       As written, both rules accept traffic from any source.  Where the
       client population is known, add --source with the permitted address
       range to each rule, and bind them with --in-interface to the interface
       named by the listen option so that neither the control port nor GRE
       is exposed on internal interfaces.


SEE ALSO

       pppd(8), pptpd(8), pptpctrl(8), bcrelay(8), iptables(8).


                               29 December 2005                  PPTPD.CONF(5)