.TH PPTPD.CONF 5 "29 December 2005"
.SH NAME
.B pptpd.conf
- PPTP VPN daemon configuration
.SH DESCRIPTION
.BR pptpd (8)
reads options from this file, usually
.IR /etc/pptpd.conf .
Most options can be overridden by the command line. The local and
remote IP addresses for clients must come from the configuration file
or from
.BR pppd (8)
configuration files.
.SH OPTIONS
.TP
.BI "option " option-file
the name of an option file to be passed to
.BR pppd (8)
in place of the default
.IR /etc/ppp/options
so that PPTP specific options can be given.
Equivalent to the command line
.B --option
option.
.TP
.BI "stimeout " seconds
number of seconds to wait for a PPTP packet before forking the
.BR pptpctrl (8)
program to handle the client. The default is 10 seconds. This is a
denial of service protection feature: a client that connects to TCP port
1723 but never sends a PPTP packet does not cost the server a
.BR pptpctrl (8)
process.
Equivalent to the command line
.B --stimeout
option.
.TP
.B debug
turns on debugging mode, sending debugging information to
.BR syslog (3).
Has no effect on
.BR pppd (8)
debugging. Equivalent to the command line
.B --debug
option.
.TP
.BI "bcrelay " internal-interface
turns on broadcast relay mode, sending all broadcasts received on the server's
internal interface to the clients.
Equivalent to the command line
.B --bcrelay
option.
.TP
.BI "connections " n
limits the number of client connections that may be accepted.
If pptpd is allocating IP addresses (i.e.
.B delegate
is not used) then the number of connections is also limited by the
size of the
.B remoteip
pool. The default is 100.
.TP
.B delegate
delegates the allocation of client IP addresses to
.BR pppd (8).
Without this option (the default), pptpd manages the list of
IP addresses for clients and passes the next free address to pppd.
With this option, pptpd does not pass an address, and so pppd may use
RADIUS or
.I chap-secrets
to allocate an address.
.TP
.BI "localip " ip-specification
one or many IP addresses to be used at the local end of the
tunnelled PPP links between the server and the client. If only one address
is given, this address is used for all clients. Otherwise, one address
per client must be given, and if there are no free addresses then any new
clients will be refused.
.B localip
will be ignored if the
.B delegate
option is used.
.TP
.BI "remoteip " ip-specification
a list of IP addresses to assign to remote PPTP clients. Each
connected client must have a different address, so there must be
at least as many addresses as you have simultaneous clients,
and preferably some spare, since you cannot change this list
without restarting pptpd. A warning will be sent to
.BR syslog (3)
when the IP address pool is exhausted.
.B remoteip
will be ignored if the
.B delegate
option is used.
.TP
.B noipparam
by default, the original client IP address is given to
ip-up scripts using the
.BR pppd (8)
option
.BR ipparam .
The
.B noipparam
option prevents this.
Equivalent to the command line
.B --noipparam
option.
.TP
.BI "listen " ip-address
the local interface IP address to listen on for incoming PPTP
connections (TCP port 1723). Equivalent to the command line
.B --listen
option.
.TP
.BI "pidfile " pid-file
specifies an alternate location to store the process ID file
(default
.IR /var/run/pptpd.pid ).
Equivalent to the command line
.B --pidfile
option.
.TP
.BI "speed " speed
specifies a speed (in bits per second) to pass to the PPP daemon as
the interface speed for the tty/pty pair. This is ignored by some PPP
daemons, such as Linux's
.BR pppd (8).
The default is 115200 bits per second, which some implementations
interpret as meaning "no limit". Equivalent to the command line
.B --speed
option.
.SH NOTES
An
.I ip-specification
above (for the
.B localip
and
.B remoteip
tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3),
a range (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
(for example 192.168.0.2,192.168.0.5-8). A range may be given in any
octet and applies to that octet only, so 192.168.0-255.2 means
192.168.0.2, 192.168.1.2, and so on up to 192.168.255.2.
Some valid pairs might be (depending on use of the VPN):
.P
.BI "localip " 192.168.0.1
.br
.BI "remoteip " 192.168.0.2-254
.P
or
.P
.BI "localip " 192.168.1.2-254
.br
.BI "remoteip " 192.168.0.2-254
.SH ROUTING CHECKLIST - PROXYARP
Allocate a section of your LAN addresses for use by clients.
.P
In
.I /etc/ppp/options.pptpd
set the
.B proxyarp
option.
In
.I pptpd.conf
do not set the
.B localip
option, but set
.B remoteip
to the allocated address range.
Enable kernel forwarding of packets (e.g. by writing 1 to
.IR /proc/sys/net/ipv4/ip_forward ).
.P
The server will advertise the clients to the LAN using ARP, providing
its own ethernet address.
.BR bcrelay (8)
should not be required.
.SH ROUTING CHECKLIST - FORWARDING
Allocate a subnet for the clients that is routable from your LAN, but
is not part of your LAN.
.P
In
.I pptpd.conf
set
.B localip
to a single address or range in the allocated subnet, and set
.B remoteip
to a range in the allocated subnet.
Enable kernel forwarding of packets (e.g. by writing 1 to
.IR /proc/sys/net/ipv4/ip_forward ).
The LAN must have a route to the clients using the server as gateway.
.P
The server will forward the packets unchanged between the clients and the LAN.
.BR bcrelay (8)
will be required to support broadcast protocols such as NETBIOS.
.SH ROUTING CHECKLIST - MASQUERADE
Allocate a subnet for the clients that is not routable from your LAN,
and not otherwise routable from the server (e.g. 10.0.0.0/24).
.P
Set
.B localip
to a single address in the subnet (e.g. 10.0.0.1), and set
.B remoteip
to a range for the rest of the subnet (e.g. 10.0.0.2-200).
Enable kernel forwarding of packets (e.g. by writing 1 to
.IR /proc/sys/net/ipv4/ip_forward ).
Enable masquerading on eth0 (e.g.
.IR "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" ).
.P
The server will translate the packets between the clients and the LAN.
The clients will appear to the LAN as having the address
corresponding to the server, so LAN-side access controls cannot
distinguish one VPN client from another. The LAN need not have an
explicit route to the clients.
.BR bcrelay (8)
will be required to support broadcast protocols such as NETBIOS.
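To see what an ip-specification expands to, and to check the localip/remoteip pool against the connections limit and against the three routing checklists above, here is an added Python example. It is not part of pptpd and not taken from this page: expand_ip_spec, parse_pptpd_conf, check_address_plan, the lan and mode arguments and SAMPLE_CONF are this example's own names, and it assumes that an item with more than one ranged octet expands to the product of its ranges, which the page does not say.

```python
"""Expand pptpd.conf ip-specifications and check an address plan.

Added example, not part of pptpd. Helper names, the 'mode' argument and
the sample config are this example's own."""
import ipaddress
import itertools
import re

_OCTET = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")


def expand_ip_spec(spec):
    """Expand a pptpd ip-specification into a list of IPv4Address.

    Items are comma-separated. Each item has four octets, any of which may
    be a range "lo-hi", so 192.168.0.1-254 and 192.168.0-255.2 are valid.
    Assumption: an item with more than one ranged octet expands to the
    product of the ranges; the man page only shows single-range items."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        octets = item.split(".")
        if len(octets) != 4:
            raise ValueError("bad address item: %r" % item)
        choices = []
        for octet in octets:
            m = _OCTET.fullmatch(octet)
            if not m:
                raise ValueError("bad octet %r in %r" % (octet, item))
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if not 0 <= lo <= hi <= 255:
                raise ValueError("octet range out of order in %r" % item)
            choices.append(range(lo, hi + 1))
        for combo in itertools.product(*choices):
            addrs.append(ipaddress.IPv4Address(".".join(map(str, combo))))
    return addrs


def parse_pptpd_conf(text):
    """Return {option: value} for a pptpd.conf body.

    '#' starts a comment; flag options such as delegate map to True."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return conf


def check_address_plan(conf, lan, mode):
    """Apply the constraints stated in pptpd.conf(5); return a list of
    findings (empty means the plan is consistent).

    lan is the LAN subnet, e.g. "192.168.0.0/24"; mode is "proxyarp",
    "forwarding" or "masquerade", after the routing checklists."""
    findings = []
    lan = ipaddress.ip_network(lan)
    if conf.get("delegate"):
        return findings  # pppd allocates; localip/remoteip are ignored
    remote = expand_ip_spec(conf.get("remoteip", ""))
    local = expand_ip_spec(conf.get("localip", ""))
    connections = int(conf.get("connections", 100))
    if not remote:
        return ["remoteip is required unless delegate is set"]
    if len(set(remote)) != len(remote):
        findings.append("remoteip contains duplicate addresses")
    # one remote address per client; with several local addresses also one
    # local address per client, so the effective pool is the smaller list
    pool = len(remote) if len(local) <= 1 else min(len(local), len(remote))
    if pool < connections:
        findings.append("address pool (%d) is smaller than connections (%d); "
                        "clients beyond the pool are refused" % (pool, connections))
    if set(local) & set(remote):
        findings.append("localip and remoteip overlap")
    if mode == "proxyarp":
        if local:
            findings.append("proxyarp: localip should not be set")
        if any(a not in lan for a in remote):
            findings.append("proxyarp: remoteip must be inside the LAN %s" % lan)
    else:
        if not local:
            findings.append("%s: localip must be set" % mode)
        if any(a in lan for a in local + remote):
            findings.append("%s: client subnet must not be part of the LAN %s" % (mode, lan))
        if mode == "masquerade" and len(local) != 1:
            findings.append("masquerade: localip should be a single address")
    return findings


# constructed sample config following the MASQUERADE checklist, with a
# connections limit the remoteip pool cannot satisfy
SAMPLE_CONF = """\
# pptpd.conf (constructed sample)
localip 10.0.0.1
remoteip 10.0.0.2-200
connections 250
"""

if __name__ == "__main__":
    conf = parse_pptpd_conf(SAMPLE_CONF)
    print("%d remote addresses" % len(expand_ip_spec(conf["remoteip"])))
    for finding in check_address_plan(conf, "192.168.0.0/24", "masquerade"):
        print("warning:", finding)
```

Run it against a real pptpd.conf by reading the file into parse_pptpd_conf and passing the LAN subnet and the routing mode you chose; the checks only encode what this page states (pool size against connections, no localip with proxyarp, client subnet outside the LAN for forwarding and masquerade).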
.SH FIREWALL RULES
.BR pptpd (8)
accepts control connections on TCP port 1723, and then uses GRE
(IP protocol 47) to exchange data packets. Add these rules to your
.BR iptables (8)
configuration, or use them as the basis for your own rules:
.P
.nf
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp \\
    --destination-port 1723 --jump ACCEPT
.fi
.P
As written, these rules accept GRE and port 1723 from any source; add
.B --source
restrictions where the client address ranges are known. They only open
the server's own INPUT chain: if the FORWARD chain policy is DROP, the
traffic between the ppp interfaces and the LAN described in the routing
checklists above also needs FORWARD rules.
.SH "SEE ALSO"
.BR pppd (8),
.BR pptpd (8),
.BR pptpctrl (8),
.BR bcrelay (8).