pptpd.conf.5 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250
  1. .TH PPTPD.CONF 5 "29 December 2005"
  2. .SH NAME
  3. .B pptpd.conf
  4. - PPTP VPN daemon configuration
  5. .SH DESCRIPTION
  6. .BR pptpd (8)
  7. reads options from this file, usually
  8. .IR /etc/pptpd.conf .
  9. Most options can be overridden by the command line. The local and
  10. remote IP addresses for clients must come from the configuration file
  11. or from
  12. .BR pppd (8)
  13. configuration files.
  14. .SH OPTIONS
  15. .TP
  16. .BI "option " option-file
  17. the name of an option file to be passed to
  18. .BR pppd (8)
  19. in place of the default
  20. .IR /etc/ppp/options
  21. so that PPTP specific options can be given.
  22. Equivalent to the command line
  23. .B --option
  24. option.
  25. .TP
  26. .BI "stimeout " seconds
  27. number of seconds to wait for a PPTP packet before forking the
  28. .BR pptpctrl (8)
  29. program to handle the client. The default is 10 seconds. This is a
  30. denial of service protection feature.
  31. Equivalent to the command line
  32. .B --stimeout
  33. option.
  34. .TP
  35. .BI "logwtmp"
  36. update
  37. .BR wtmp (5)
  38. as users connect and disconnect. See
  39. .BR wtmp (1).
  40. .TP
  41. .B debug
  42. turns on debugging mode, sending debugging information to
  43. .BR syslog (3).
  44. Has no effect on
  45. .BR pppd (8)
  46. debugging. Equivalent to the command line
  47. .B --debug
  48. option.
  49. .TP
  50. .BI "bcrelay " internal-interface
  51. turns on broadcast relay mode, sending all broadcasts received on the server's
  52. internal interface to the clients.
  53. Equivalent to the command line
  54. .B --bcrelay
  55. option.
  56. .TP
  57. .BI "connections " n
  58. limits the number of client connections that may be accepted.
  59. If pptpd is allocating IP addresses (e.g.
  60. .BR delegate
  61. is not used) then the number of connections is also limited by the
  62. .BR remoteip
  63. option. The default is 100.
  64. .TP
  65. .BI "delegate"
  66. delegates the allocation of client IP addresses to
  67. .BR pppd (8).
  68. Without this option, which is the default, pptpd manages the list of
  69. IP addresses for clients and passes the next free address to pppd.
  70. With this option, pptpd does not pass an address, and so pppd may use
  71. radius or chap-secrets to allocate an address.
  72. .TP
  73. .BI "localip " ip-specification
  74. one or many IP addresses to be used at the local end of the
  75. tunnelled PPP links between the server and the client. If one address only
  76. is given, this address is used for all clients. Otherwise, one address
  77. per client must be given, and if there are no free addresses then any new
  78. clients will be refused.
  79. .B localip
  80. will be ignored if the
  81. .B delegate
  82. option is used.
  83. .TP
  84. .BI "remoteip " ip-specification
  85. a list of IP addresses to assign to remote PPTP clients. Each
  86. connected client must have a different address, so there must be
  87. at least as many addresses as you have simultaneous clients,
  88. and preferably some spare, since you cannot change this list
  89. without restarting pptpd. A warning will be sent to
  90. .BR syslog (3)
  91. when the IP address pool is exhausted.
  92. .B remoteip
  93. will be ignored if the
  94. .B delegate
  95. option is used.
  96. .TP
  97. .B noipparam
  98. by default, the original client IP address is given to
  99. ip-up scripts using the
  100. .BR pppd (8)
  101. option
  102. .B ipparam.
  103. The
  104. .B noipparam
  105. option prevents this.
  106. Equivalent to the command line
  107. .B --noipparam
  108. option.
  109. .TP
  110. .BI "listen " ip-address
  111. the local interface IP address to listen on for incoming PPTP
  112. connections (TCP port 1723). Equivalent to the command line
  113. .B --listen
  114. option.
  115. .TP
  116. .BI "vrf " vrf-name
  117. VRF to use for the TCP listening socket as well as the GRE
  118. packets. Equivalent to the command line
  119. .B --vrf
  120. option.
  121. .TP
  122. .BI "pidfile " pid-file
  123. specifies an alternate location to store the process ID file
  124. (default /var/run/pptpd.pid). Equivalent to the command line
  125. .B --pidfile
  126. option.
  127. .TP
  128. .BI "speed " speed
  129. specifies a speed (in bits per second) to pass to the PPP daemon as
  130. the interface speed for the tty/pty pair. This is ignored by some PPP
  131. daemons, such as Linux's
  132. .BR pppd (8).
  133. The default is 115200 bytes per second, which some implementations
  134. interpret as meaning "no limit". Equivalent to the command line
  135. .B --speed
  136. option.
  137. .SH NOTES
  138. An
  139. .I ip-specification
  140. above (for the
  141. .B localip
  142. and
  143. .B remoteip
  144. tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3),
  145. a range (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
  146. (for example 192.168.0.2,192.168.0.5-8). For some valid pairs might be
  147. (depending on use of the VPN):
  148. .P
  149. .BI "localip " 192.168.0.1
  150. .br
  151. .BI "remoteip " 192.168.0.2-254
  152. .P
  153. or
  154. .P
  155. .BI "localip " 192.168.1.2-254
  156. .br
  157. .BI "remoteip " 192.168.0.2-254
  158. .SH ROUTING CHECKLIST - PROXYARP
  159. Allocate a section of your LAN addresses for use by clients.
  160. .P
  161. In
  162. .IR /etc/ppp/options.pptpd.
  163. set the
  164. .B proxyarp
  165. option.
  166. In
  167. .IR pptpd.conf
  168. do not set
  169. .B localip
  170. option, but set
  171. .B remoteip
  172. to the allocated address range.
  173. Enable kernel forwarding of packets, (e.g. using
  174. .IR /proc/sys/net/ipv4/ip_forward
  175. ).
  176. .P
  177. The server will advertise the clients to the LAN using ARP, providing
  178. it's own ethernet address.
  179. .BR bcrelay (8)
  180. should not be required.
  181. .SH ROUTING CHECKLIST - FORWARDING
  182. Allocate a subnet for the clients that is routable from your LAN, but
  183. is not part of your LAN.
  184. .P
  185. In
  186. .IR pptpd.conf
  187. set
  188. .B localip
  189. to a single address or range in the allocated subnet, set
  190. .B remoteip
  191. to a range in the allocated subnet.
  192. Enable kernel forwarding of packets, (e.g. using
  193. .IR /proc/sys/net/ipv4/ip_forward
  194. ).
  195. The LAN must have a route to the clients using the server as gateway.
  196. .P
  197. The server will forward the packets unchanged between the clients and the LAN.
  198. .BR bcrelay (8)
  199. will be required to support broadcast protocols such as NETBIOS.
  200. .SH ROUTING CHECKLIST - MASQUERADE
  201. Allocate a subnet for the clients that is not routable from your LAN,
  202. and not otherwise routable from the server (e.g. 10.0.0.0/24).
  203. .P
  204. Set
  205. .B localip
  206. to a single address in the subnet (e.g. 10.0.0.1), set
  207. .B remoteip
  208. to a range for the rest of the subnet, (e.g. 10.0.0.2-200).
  209. Enable kernel forwarding of packets, (e.g. using
  210. .IR /proc/sys/net/ipv4/ip_forward
  211. ).
  212. Enable masquerading on eth0 (e.g.
  213. .I
  214. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  215. ).
  216. .P
  217. The server will translate the packets between the clients and the LAN.
  218. The clients will appear to the LAN as having the address
  219. corresponding to the server. The LAN need not have an explicit route
  220. to the clients.
  221. .BR bcrelay (8)
  222. will be required to support broadcast protocols such as NETBIOS.
  223. .SH FIREWALL RULES
  224. .BR pptpd (8)
  225. accepts control connections on TCP port 1723, and then uses GRE
  226. (protocol 47) to exchange data packets. Add these rules to your
  227. .BR iptables (8)
  228. configuration, or use them as the basis for your own rules:
  229. .P
  230. iptables --append INPUT --protocol 47 --jump ACCEPT
  231. .br
  232. .nf
  233. iptables --append INPUT --protocol tcp --match tcp \\
  234. .br
  235. --destination-port 1723 --jump ACCEPT
  236. .fi
  237. .P
  238. .SH "SEE ALSO"
  239. .BR pppd (8),
  240. .BR pptpd (8),
  241. .BR pptpd.conf (5).