.TH PPTPD.CONF 5 "29 December 2005"
- PPTP VPN daemon configuration
reads options from this file, usually
Most options can be overridden by the command line. The local and
remote IP addresses for clients must come from the configuration file
.BI "option " option-file
the name of an option file to be passed to
in place of the default
so that PPTP-specific options can be given.
Equivalent to the command line
.BI "stimeout " seconds
number of seconds to wait for a PPTP packet before forking the
program to handle the client. The default is 10 seconds. This is a
denial of service protection feature.
Equivalent to the command line
turns on debugging mode, sending debugging information to
debugging. Equivalent to the command line
.BI "bcrelay " internal-interface
turns on broadcast relay mode, sending all broadcasts received on the server's
internal interface to the clients.
Equivalent to the command line
limits the number of client connections that may be accepted.
If pptpd is allocating IP addresses (e.g.
is not used) then the number of connections is also limited by the
option. The default is 100.
delegates the allocation of client IP addresses to
Without this option, which is the default, pptpd manages the list of
IP addresses for clients and passes the next free address to pppd.
With this option, pptpd does not pass an address, and so pppd may use
RADIUS or chap-secrets to allocate an address.
.BI "localip " ip-specification
one or many IP addresses to be used at the local end of the
tunnelled PPP links between the server and the client. If one address only
is given, this address is used for all clients. Otherwise, one address
per client must be given, and if there are no free addresses then any new
clients will be refused.
will be ignored if the
.BI "remoteip " ip-specification
a list of IP addresses to assign to remote PPTP clients. Each
connected client must have a different address, so there must be
at least as many addresses as you have simultaneous clients,
and preferably some spare, since you cannot change this list
without restarting pptpd. A warning will be sent to
when the IP address pool is exhausted.
will be ignored if the
by default, the original client IP address is given to
ip-up scripts using the
option prevents this.
Equivalent to the command line
.BI "listen " ip-address
the local interface IP address to listen on for incoming PPTP
connections (TCP port 1723). Equivalent to the command line
.BI "pidfile " pid-file
specifies an alternate location to store the process ID file
(default /var/run/pptpd.pid). Equivalent to the command line
specifies a speed (in bits per second) to pass to the PPP daemon as
the interface speed for the tty/pty pair. This is ignored by some PPP
daemons, such as Linux's
The default is 115200 bits per second, which some implementations
interpret as meaning "no limit". Equivalent to the command line
tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3),
a range (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
(for example 192.168.0.2,192.168.0.5-8). Some valid pairs might be
(depending on use of the VPN):
.BI "localip " 192.168.0.1
.BI "remoteip " 192.168.0.2-254
.BI "localip " 192.168.1.2-254
.BI "remoteip " 192.168.0.2-254
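The ip-specification grammar above and the pool rules given for localip, remoteip and connections are easy to get wrong by hand (a pool of 49 addresses silently caps a server configured for 100 connections). The following is an added example, not part of pptpd and independent of its own configfile parser: it expands an ip-specification exactly as documented (comma-separated items, a lo-hi range allowed in one octet) and applies the man page's own rules to a localip/remoteip/connections triple. Everything here is hypothetical helper code; in particular, rejecting a range in more than one octet of the same item is an assumption, since the page documents only single-octet ranges.

```python
"""Expand pptpd.conf ip-specifications and sanity-check the localip/remoteip pools.

Added example, not pptpd's own code. Assumes the grammar exactly as the man page
states it: items separated by commas, each a dotted quad, with at most one octet
written as lo-hi (e.g. 192.168.0.2-254 or 192.168.0-255.2).
"""
import re

_FIELD = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")


def _expand_field(field: str) -> list:
    """'2' -> [2]; '5-8' -> [5, 6, 7, 8]; anything else is a ValueError."""
    m = _FIELD.fullmatch(field)
    if not m:
        raise ValueError(f"bad octet field {field!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of order or out of bounds: {field!r}")
    return list(range(lo, hi + 1))


def expand_ipspec(spec: str) -> list:
    """Return the addresses named by an ip-specification, in the order pptpd would hand them out."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        fields = item.split(".")
        if len(fields) != 4:
            raise ValueError(f"expected four dotted fields in {item!r}")
        ranges = [_expand_field(f) for f in fields]
        # Assumption (not documented on the page): only one octet per item may be a range.
        if sum(len(r) > 1 for r in ranges) > 1:
            raise ValueError(f"more than one ranged octet in {item!r}")
        for a in ranges[0]:
            for b in ranges[1]:
                for c in ranges[2]:
                    for d in ranges[3]:
                        addrs.append(f"{a}.{b}.{c}.{d}")
    return addrs


def effective_connection_limit(localip: str, remoteip: str, connections: int = 100) -> int:
    """Clients actually admitted: connections, capped by the remoteip pool and,
    when more than one localip is given, by the localip pool as well."""
    local = expand_ipspec(localip)
    remote = expand_ipspec(remoteip)
    limit = min(connections, len(remote))
    if len(local) > 1:
        limit = min(limit, len(local))
    return limit


def check_pools(localip: str, remoteip: str, connections: int = 100, delegate: bool = False) -> list:
    """Apply the man page's rules; return warning strings (an empty list means the pools are consistent)."""
    msgs = []
    if delegate:
        msgs.append("delegate is set: localip and remoteip are ignored, pppd must assign "
                    "addresses (RADIUS or chap-secrets)")
        return msgs
    local = expand_ipspec(localip)
    remote = expand_ipspec(remoteip)
    if len(remote) != len(set(remote)):
        msgs.append("remoteip contains duplicate addresses; each connected client needs a distinct address")
    if 1 < len(local) < connections:
        msgs.append(f"localip lists {len(local)} addresses but connections allows {connections}; "
                    f"clients beyond the local pool are refused")
    if len(remote) < connections:
        msgs.append(f"remoteip pool of {len(remote)} addresses is smaller than connections={connections}; "
                    f"the effective limit is {len(remote)} and pptpd warns when the pool is exhausted")
    overlap = set(local) & set(remote)
    if overlap:
        msgs.append(f"localip and remoteip overlap on {sorted(overlap)}")
    return msgs


if __name__ == "__main__":
    # The two pairs shown in the man page, plus an undersized pool.
    for lo, re_ in [("192.168.0.1", "192.168.0.2-254"),
                    ("192.168.1.2-254", "192.168.0.2-254"),
                    ("10.0.0.1", "10.0.0.2-50")]:
        print(lo, re_, effective_connection_limit(lo, re_), check_pools(lo, re_) or "ok")
```

Run it against a proposed pair before restarting pptpd, since remoteip cannot be changed without a restart; a non-empty list from check_pools is the warning you would otherwise only see in the log once the pool is already exhausted.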
.SH ROUTING CHECKLIST - PROXYARP
Allocate a section of your LAN addresses for use by clients.
.IR /etc/ppp/options.pptpd.
to the allocated address range.
Enable kernel forwarding of packets (e.g. using
.IR /proc/sys/net/ipv4/ip_forward
The server will advertise the clients to the LAN using ARP, providing
its own Ethernet address.
should not be required.
.SH ROUTING CHECKLIST - FORWARDING
Allocate a subnet for the clients that is routable from your LAN, but
is not part of your LAN.
to a single address or range in the allocated subnet, set
to a range in the allocated subnet.
Enable kernel forwarding of packets (e.g. using
.IR /proc/sys/net/ipv4/ip_forward
The LAN must have a route to the clients using the server as gateway.
The server will forward the packets unchanged between the clients and the LAN.
will be required to support broadcast protocols such as NETBIOS.
.SH ROUTING CHECKLIST - MASQUERADE
Allocate a subnet for the clients that is not routable from your LAN,
and not otherwise routable from the server (e.g. 10.0.0.0/24).
to a single address in the subnet (e.g. 10.0.0.1), set
to a range for the rest of the subnet (e.g. 10.0.0.2-200).
Enable kernel forwarding of packets (e.g. using
.IR /proc/sys/net/ipv4/ip_forward
Enable masquerading on eth0 (e.g.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
As written this masquerades everything leaving eth0; restricting it to the
client subnet with a source match (e.g. -s 10.0.0.0/24) avoids translating
unrelated traffic.
The server will translate the packets between the clients and the LAN.
The clients will appear to the LAN as coming from the server's own
eth0 address. The LAN need not have an explicit route
will be required to support broadcast protocols such as NETBIOS.
accepts control connections on TCP port 1723, and then uses GRE
(protocol 47) to exchange data packets. Add these rules to your
configuration, or use them as the basis for your own rules:
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp \\
--destination-port 1723 --jump ACCEPT
Note that these two rules accept GRE and port 1723 from any source on any
interface. In your own rules, pin them to the external interface
(--in-interface) and, if the
.B listen
option is set, to that address (--destination).
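A quick way to confirm that a running firewall actually carries the two accepts above, and to catch the case where they were added unscoped, is to inspect the output of iptables-save. The following is an added example, not part of pptpd or of iptables: it parses the filter-table INPUT chain from a dump, looks for an ACCEPT of GRE (written as either "-p gre" or "-p 47") and of TCP destination port 1723, and flags either rule when it carries no interface or destination-address match. The two dumps embedded in it are constructed by hand to look like iptables-save output, not captured from a real host, and the function names are hypothetical.

```python
"""Check an iptables-save dump for the INPUT accepts pptpd needs: GRE (47) and TCP/1723.

Added example, not pptpd's or iptables' own code. It reads the text that
`iptables-save` prints (or a saved copy of it); run `iptables-save | python3 thisfile.py`
to check a live host.
"""
import shlex
import sys

# Constructed dump (not captured from a real host): both rules present and pinned to eth0.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT
"""

# Constructed dump of the man page's two rules exactly as given: no interface or address match.
MANPAGE_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p 47 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT
"""

PROTO_ALIASES = {"47": "gre", "gre": "gre", "6": "tcp", "tcp": "tcp"}
SCOPE_OPTIONS = ("-i", "--in-interface", "-d", "--destination")


def parse_chain(dump: str, chain: str = "INPUT") -> list:
    """Return the filter-table rules appended to `chain`, each as a dict option -> argument.

    Flags without an argument map to True; options written with a leading '!'
    are also recorded in rule['negated'] so callers can ignore inverted matches.
    """
    table, rules = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter" or not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[1] != chain:
            continue
        rule, i = {"negated": set()}, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!" and i + 1 < len(toks):
                rule["negated"].add(toks[i + 1])
                i += 1
                continue
            if not tok.startswith("-"):
                i += 1
                continue
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!"
            rule[tok] = toks[i + 1] if has_arg else True
            i += 2 if has_arg else 1
        rules.append(rule)
    return rules


def check_pptpd_firewall(dump: str) -> dict:
    """Return {'missing': [...], 'unscoped': [...]} over the keys 'gre' and 'tcp1723'."""
    found = {"gre": None, "tcp1723": None}
    for rule in parse_chain(dump):
        if rule.get("-j") != "ACCEPT" or "-p" in rule["negated"]:
            continue
        if "--dport" in rule["negated"] or "--destination-port" in rule["negated"]:
            continue
        proto = PROTO_ALIASES.get(str(rule.get("-p", "")).lower())
        port = rule.get("--dport") or rule.get("--destination-port")
        if proto == "gre" and found["gre"] is None:
            found["gre"] = rule
        elif proto == "tcp" and port == "1723" and found["tcp1723"] is None:
            found["tcp1723"] = rule
    missing = [k for k, v in found.items() if v is None]
    unscoped = [k for k, v in found.items()
                if v is not None and not any(o in v and o not in v["negated"] for o in SCOPE_OPTIONS)]
    return {"missing": missing, "unscoped": unscoped}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else MANPAGE_RULESET
    print(check_pptpd_firewall(text))
```

The check only establishes presence; iptables is first-match, so an earlier DROP or REJECT for the same traffic would still shadow an accept that this reports as present. Read the chain in order if the result looks right but clients still cannot connect.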