git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
pptpd
1
0
Fork 0
Files
Tree: 90545b0833
Branches Tags
pptpd
/
pptpd.conf.5

pptpd.conf.5 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250 
  1. .TH PPTPD.CONF 5 "29 December 2005"
    2. 

  2. .SH NAME
    3. 

  3. .B pptpd.conf
    4. 

  4. - PPTP VPN daemon configuration
    5. 

  5. .SH DESCRIPTION
    6. 

  6. .BR pptpd (8)
    7. 

  7. reads options from this file, usually
    8. 

  8. .IR /etc/pptpd.conf .
    9. 

  9. Most options can be overridden by the command line.  The local and
    10. 

  10. remote IP addresses for clients must come from the configuration file
    11. 

  11. or from
    12. 

  12. .BR pppd (8)
    13. 

  13. configuration files.
    14. 

  14. .SH OPTIONS
    15. 

  15. .TP
    16. 

  16. .BI "option " option-file
    17. 

  17. the name of an option file to be passed to
    18. 

  18. .BR pppd (8)
    19. 

  19. in place of the default
    20. 

  20. .IR /etc/ppp/options 
    21. 

  21. so that PPTP specific options can be given.
    22. 

  22. Equivalent to the command line
    23. 

  23. .B --option
    24. 

  24. option.
    25. 

  25. 

  26. .TP
    27. 

  27. .BI "stimeout " seconds
    28. 

  28. number of seconds to wait for a PPTP packet before forking the
    29. 

  29. .BR pptpctrl (8)
    30. 

  30. program to handle the client.  The default is 10 seconds.  This is a
    31. 

  31. denial of service protection feature.
    32. 

  32. Equivalent to the command line 
    33. 

  33. .B --stimeout
    34. 

  34. option.
    35. 

  35. .TP
    36. 

  36. .BI "logwtmp"
    37. 

  37. update
    38. 

  38. .BR wtmp (5)
    39. 

  39. as users connect and disconnect.  See
    40. 

  40. .BR wtmp (1).
    41. 

  41. .TP
    42. 

  42. .B debug
    43. 

  43. turns on debugging mode, sending debugging information to 
    44. 

  44. .BR syslog (3).
    45. 

  45. Has no effect on
    46. 

  46. .BR pppd (8)
    47. 

  47. debugging.  Equivalent to the command line 
    48. 

  48. .B --debug
    49. 

  49. option.
    50. 

  50. .TP
    51. 

  51. .BI "bcrelay " internal-interface
    52. 

  52. turns on broadcast relay mode, sending all broadcasts received on the server's
    53. 

  53. internal interface to the clients.
    54. 

  54. Equivalent to the command line 
    55. 

  55. .B --bcrelay
    56. 

  56. option.
    57. 

  57. 

  58. .TP
    59. 

  59. .BI "connections " n
    60. 

  60. limits the number of client connections that may be accepted.
    61. 

  61. If pptpd is allocating IP addresses (e.g. 
    62. 

  62. .BR delegate
    63. 

  63. is not used) then the number of connections is also limited by the
    64. 

  64. .BR remoteip
    65. 

  65. option.  The default is 100.
    66. 

  66. 

  67. .TP
    68. 

  68. .BI "delegate"
    69. 

  69. delegates the allocation of client IP addresses to 
    70. 

  70. .BR pppd (8).
    71. 

  71. Without this option, which is the default, pptpd manages the list of
    72. 

  72. IP addresses for clients and passes the next free address to pppd.
    73. 

  73. With this option, pptpd does not pass an address, and so pppd may use
    74. 

  74. radius or chap-secrets to allocate an address.
    75. 

  75. 

  76. .TP
    77. 

  77. .BI "localip " ip-specification
    78. 

  78. one or many IP addresses to be used at the local end of the
    79. 

  79. tunnelled PPP links between the server and the client.  If one address only
    80. 

  80. is given, this address is used for all clients.  Otherwise, one address
    81. 

  81. per client must be given, and if there are no free addresses then any new
    82. 

  82. clients will be refused.
    83. 

  83. .B localip
    84. 

  84. will be ignored if the
    85. 

  85. .B delegate
    86. 

  86. option is used.
    87. 

  87. .TP
    88. 

  88. .BI "remoteip " ip-specification
    89. 

  89. a list of IP addresses to assign to remote PPTP clients. Each
    90. 

  90. connected client must have a different address, so there must be
    91. 

  91. at least as many addresses as you have simultaneous clients,
    92. 

  92. and preferably some spare, since you cannot change this list
    93. 

  93. without restarting pptpd. A warning will be sent to
    94. 

  94. .BR syslog (3)
    95. 

  95. when the IP address pool is exhausted.
    96. 

  96. .B remoteip
    97. 

  97. will be ignored if the
    98. 

  98. .B delegate
    99. 

  99. option is used.
    100. 

  100. .TP
    101. 

  101. .B noipparam
    102. 

  102. by default, the original client IP address is given to
    103. 

  103. ip-up scripts using the 
    104. 

  104. .BR pppd (8) 
    105. 

  105. option
    106. 

  106. .B ipparam.
    107. 

  107. The
    108. 

  108. .B noipparam
    109. 

  109. option prevents this.
    110. 

  110. Equivalent to the command line
    111. 

  111. .B --noipparam
    112. 

  112. option.
    113. 

  113. .TP
    114. 

  114. .BI "listen " ip-address
    115. 

  115. the local interface IP address to listen on for incoming PPTP
    116. 

  116. connections (TCP port 1723). Equivalent to the command line
    117. 

  117. .B --listen
    118. 

  118. option.
    119. 

  119. .TP
    120. 

  120. .BI "vrf " vrf-name
    121. 

  121. VRF to use for the TCP listening socket as well as the GRE
    122. 

  122. packets. Equivalent to the command line
    123. 

  123. .B --vrf
    124. 

  124. option.
    125. 

  125. .TP
    126. 

  126. .BI "pidfile " pid-file
    127. 

  127. specifies an alternate location to store the process ID file
    128. 

  128. (default /var/run/pptpd.pid).  Equivalent to the command line
    129. 

  129. .B --pidfile
    130. 

  130. option.
    131. 

  131. .TP
    132. 

  132. .BI "speed " speed
    133. 

  133. specifies a speed (in bits per second) to pass to the PPP daemon as
    134. 

  134. the interface speed for the tty/pty pair.  This is ignored by some PPP
    135. 

  135. daemons, such as Linux's
    136. 

  136. .BR pppd (8).
    137. 

  137. The default is 115200 bytes per second, which some implementations
    138. 

  138. interpret as meaning "no limit".  Equivalent to the command line
    139. 

  139. .B --speed
    140. 

  140. option.
    141. 

  141. .SH NOTES
    142. 

  142. An
    143. 

  143. .I ip-specification
    144. 

  144. above (for the
    145. 

  145. .B localip
    146. 

  146. and
    147. 

  147. .B remoteip
    148. 

  148. tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3),
    149. 

  149. a range (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
    150. 

  150. (for example 192.168.0.2,192.168.0.5-8).  For some valid pairs might be
    151. 

  151. (depending on use of the VPN):
    152. 

  152. .P
    153. 

  153. .BI "localip " 192.168.0.1
    154. 

  154. .br
    155. 

  155. .BI "remoteip " 192.168.0.2-254
    156. 

  156. .P
    157. 

  157. or
    158. 

  158. .P
    159. 

  159. .BI "localip " 192.168.1.2-254
    160. 

  160. .br
    161. 

  161. .BI "remoteip " 192.168.0.2-254
    162. 

  162. 

  163. .SH ROUTING CHECKLIST - PROXYARP
    164. 

  164. Allocate a section of your LAN addresses for use by clients.
    165. 

  165. .P
    166. 

  166. In 
    167. 

  167. .IR /etc/ppp/options.pptpd.
    168. 

  168. set the
    169. 

  169. .B proxyarp
    170. 

  170. option.
    171. 

  171. In
    172. 

  172. .IR pptpd.conf
    173. 

  173. do not set 
    174. 

  174. .B localip
    175. 

  175. option, but set
    176. 

  176. .B remoteip
    177. 

  177. to the allocated address range.
    178. 

  178. Enable kernel forwarding of packets, (e.g. using
    179. 

  179. .IR /proc/sys/net/ipv4/ip_forward
    180. 

  180. ).
    181. 

  181. .P
    182. 

  182. The server will advertise the clients to the LAN using ARP, providing
    183. 

  183. it's own ethernet address.
    184. 

  184. .BR bcrelay (8)
    185. 

  185. should not be required.
    186. 

  186. 

  187. .SH ROUTING CHECKLIST - FORWARDING
    188. 

  188. Allocate a subnet for the clients that is routable from your LAN, but
    189. 

  189. is not part of your LAN.
    190. 

  190. .P
    191. 

  191. In
    192. 

  192. .IR pptpd.conf
    193. 

  193. set
    194. 

  194. .B localip
    195. 

  195. to a single address or range in the allocated subnet, set
    196. 

  196. .B remoteip
    197. 

  197. to a range in the allocated subnet.
    198. 

  198. Enable kernel forwarding of packets, (e.g. using
    199. 

  199. .IR /proc/sys/net/ipv4/ip_forward
    200. 

  200. ).
    201. 

  201. The LAN must have a route to the clients using the server as gateway.
    202. 

  202. .P
    203. 

  203. The server will forward the packets unchanged between the clients and the LAN.
    204. 

  204. .BR bcrelay (8)
    205. 

  205. will be required to support broadcast protocols such as NETBIOS.
    206. 

  206. 

  207. .SH ROUTING CHECKLIST - MASQUERADE
    208. 

  208. Allocate a subnet for the clients that is not routable from your LAN,
    209. 

  209. and not otherwise routable from the server (e.g. 10.0.0.0/24).
    210. 

  210. .P
    211. 

  211. Set
    212. 

  212. .B localip
    213. 

  213. to a single address in the subnet (e.g. 10.0.0.1), set
    214. 

  214. .B remoteip
    215. 

  215. to a range for the rest of the subnet, (e.g. 10.0.0.2-200).
    216. 

  216. Enable kernel forwarding of packets, (e.g. using
    217. 

  217. .IR /proc/sys/net/ipv4/ip_forward
    218. 

  218. ).
    219. 

  219. Enable masquerading on eth0 (e.g. 
    220. 

  220. .I
    221. 

  221. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    222. 

  222. ).
    223. 

  223. .P
    224. 

  224. The server will translate the packets between the clients and the LAN.
    225. 

  225. The clients will appear to the LAN as having the address
    226. 

  226. corresponding to the server.  The LAN need not have an explicit route
    227. 

  227. to the clients.
    228. 

  228. .BR bcrelay (8)
    229. 

  229. will be required to support broadcast protocols such as NETBIOS.
    230. 

  230. 

  231. .SH FIREWALL RULES
    232. 

  232. .BR pptpd (8)
    233. 

  233. accepts control connections on TCP port 1723, and then uses GRE
    234. 

  234. (protocol 47) to exchange data packets.  Add these rules to your
    235. 

  235. .BR iptables (8)
    236. 

  236. configuration, or use them as the basis for your own rules:
    237. 

  237. .P
    238. 

  238. iptables --append INPUT --protocol 47 --jump ACCEPT 
    239. 

  239. .br
    240. 

  240. .nf
    241. 

  241. iptables --append INPUT --protocol tcp --match tcp \\
    242. 

  242. .br
    243. 

  243.          --destination-port 1723 --jump ACCEPT 
    244. 

  244. .fi
    245. 

  245. .P
    246. 

  246. 

  247. .SH "SEE ALSO"
    248. 

  248. .BR pppd (8),
    249. 

  249. .BR pptpd (8),
    250. 

  250. .BR pptpd.conf (5).
    251.