man pptpd.conf (Formats) - pptpd.conf - PPTP VPN daemon configuration

NAME

pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

pptpd(8) reads options from this file, usually /etc/pptpd.conf. Most options can be overridden by the command line. The local and remote IP addresses for clients must come from the configuration file or from pppd(8) configuration files.

OPTIONS

option option-file
the name of an option file to be passed to pppd(8) in place of the default /etc/ppp/options so that PPTP specific options can be given. Equivalent to the command line --option option.
stimeout seconds
number of seconds to wait for a PPTP packet before forking the pptpctrl(8) program to handle the client. The default is 10 seconds. This is a denial of service protection feature. Equivalent to the command line --stimeout option.
debug
turns on debugging mode, sending debugging information to syslog(3). Has no effect on pppd(8) debugging. Equivalent to the command line --debug option.
bcrelay internal-interface
turns on broadcast relay mode, sending all broadcasts received on the server's internal interface to the clients. Equivalent to the command line --bcrelay option.
localip ip-specification
one or many IP addresses to be used at the local end of the tunnelled PPP links between the server and the client. If one address only is given, this address is used for all clients. Otherwise, one address per client must be given, and if there are no free addresses then any new clients will be refused. localip will be ignored if pptpd(8) was compiled with --with-pppd-ip-alloc.
remoteip ip-specification
a list of IP addresses to assign to remote PPTP clients. Each connected client must have a different address, so there must be at least as many addresses as you have simultaneous clients, and preferably some spare, since you cannot change this list without restarting pptpd. A warning will be sent to syslog(3) when the IP address pool is exhausted. remoteip will be ignored if pptpd(8) was compiled with --with-pppd-ip-alloc.
noipparam
by default, the original client IP address is given to ip-up scripts using the pppd(8) option ipparam. The noipparam option prevents this. Equivalent to the command line --noipparam option.
listen ip-address
the local interface IP address to listen on for incoming PPTP connections (TCP port 1723). Equivalent to the command line --listen option.
pidfile pid-file
specifies an alternate location to store the process ID file (default /var/run/pptpd.pid). Equivalent to the command line --pidfile option.
speed speed
specifies a speed (in bits per second) to pass to the PPP daemon as the interface speed for the tty/pty pair. This is ignored by some PPP daemons, such as Linux's pppd(8). The default is 115200 bytes per second, which some implementations interpret as meaning "no limit". Equivalent to the command line --speed option.

NOTES

An ip-specification above (for the localip and remoteip tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3), a range (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination (for example 192.168.0.2,192.168.0.5-8). For some valid pairs might be (depending on use of the VPN):

localip 192.168.0.1

remoteip 192.168.0.2-254

or

localip 192.168.1.2-254

remoteip 192.168.0.2-254

ROUTING CHECKLIST - PROXYARP

Allocate a section of your LAN addresses for use by clients.

In /etc/ppp/options.pptpd. set the proxyarp option. In pptpd.conf do not set localip option, but set remoteip to the allocated address range. Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).

The server will advertise the clients to the LAN using ARP, providing it's own ethernet address. bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING

Allocate a subnet for the clients that is routable from your LAN, but is not part of your LAN.

In pptpd.conf set localip to a single address or range in the allocated subnet, set remoteip to a range in the allocated subnet. Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ). The LAN must have a route to the clients using the server as gateway.

The server will forward the packets unchanged between the clients and the LAN. bcrelay(8) will be required to support broadcast protocols such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE

Allocate a subnet for the clients that is not routable from your LAN, and not otherwise routable from the server (e.g. 10.0.0.0/24).

Set localip to a single address in the subnet (e.g. 10.0.0.1), set remoteip to a range for the rest of the subnet, (e.g. 10.0.0.2-200). Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ). Enable masquerading on eth0 (e.g. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ).

The server will translate the packets between the clients and the LAN. The clients will appear to the LAN as having the address corresponding to the server. The LAN need not have an explicit route to the clients. bcrelay(8) will be required to support broadcast protocols such as NETBIOS.

FIREWALL RULES

pptpd(8) accepts control connections on TCP port 1723, and then uses GRE (protocol 47) to exchange data packets. Add these rules to your iptables(8) configuration, or use them as the basis for your own rules:

iptables --append INPUT --protocol 47 --jump ACCEPT

iptables --append INPUT --protocol tcp --match tcp \


--destination-port 1723 --jump ACCEPT

SEE ALSO