SuSE 11.3 - man page for pptpd.conf (suse section 5)

PPTPD.CONF(5)                                                    PPTPD.CONF(5)

NAME
       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION
       pptpd(8) reads options from this file, usually /etc/pptpd.conf. Most
       options can be overridden by the command line. The local and remote IP
       addresses for clients must come from the configuration file or from
       pppd(8) configuration files.

OPTIONS
       option option-file
              the name of an option file to be passed to pppd(8) in place of
              the default /etc/ppp/options so that PPTP specific options can
              be given. Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before forking the
              pptpctrl(8) program to handle the client. The default is 10
              seconds. This is a denial of service protection feature.
              Equivalent to the command line --stimeout option.

       debug  turns on debugging mode, sending debugging information to
              syslog(3). Has no effect on pppd(8) debugging. Equivalent to
              the command line --debug option.

       bcrelay internal-interface
              turns on broadcast relay mode, sending all broadcasts received
              on the server's internal interface to the clients. Equivalent
              to the command line --bcrelay option.

       connections n
              limits the number of client connections that may be accepted.
              If pptpd is allocating IP addresses (e.g. delegate is not used)
              then the number of connections is also limited by the remoteip
              option. The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).
              Without this option, which is the default, pptpd manages the
              list of IP addresses for clients and passes the next free
              address to pppd. With this option, pptpd does not pass an
              address, and so pppd may use radius or chap-secrets to allocate
              an address.

       localip ip-specification
              one or many IP addresses to be used at the local end of the
              tunnelled PPP links between the server and the client. If one
              address only is given, this address is used for all clients.
              Otherwise, one address per client must be given, and if there
              are no free addresses then any new clients will be refused.
              localip will be ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote PPTP clients. Each
              connected client must have a different address, so there must
              be at least as many addresses as you have simultaneous clients,
              and preferably some spare, since you cannot change this list
              without restarting pptpd. A warning will be sent to syslog(3)
              when the IP address pool is exhausted. remoteip will be ignored
              if the delegate option is used.

       noipparam
              by default, the original client IP address is given to ip-up
              scripts using the pppd(8) option ipparam. The noipparam option
              prevents this. Equivalent to the command line --noipparam
              option.

       listen ip-address
              the local interface IP address to listen on for incoming PPTP
              connections (TCP port 1723). Equivalent to the command line
              --listen option.

       pidfile pid-file
              specifies an alternate location to store the process ID file
              (default /var/run/pptpd.pid). Equivalent to the command line
              --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP
              daemon as the interface speed for the tty/pty pair. This is
              ignored by some PPP daemons, such as Linux's pppd(8). The
              default is 115200 bytes per second, which some implementations
              interpret as meaning "no limit". Equivalent to the command line
              --speed option.

NOTES
       An ip-specification above (for the localip and remoteip tags) may be
       a list of IP addresses (for example 192.168.0.2,192.168.0.3), a range
       (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
       (for example 192.168.0.2,192.168.0.5-8). Some valid pairs might be
       (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254
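
       As an added example (not code from the pptpd project or from this man
       page), the Python below expands the ip-specification syntax described
       in NOTES and applies the pool rules from OPTIONS: connections defaults
       to 100 and, unless delegate is set, the number of remoteip addresses
       (and a multi-address localip) caps it further. It goes beyond the
       page's single-octet ranges on one assumption: any octet may carry a
       low-high range, and ranges in different octets combine independently.
       The parse_pptpd_conf reader, the effective_limit check and the sample
       configuration are constructed here for illustration.

```python
"""Expand pptpd.conf ip-specifications and check the client address pool.

Added example, not part of pptpd.  Assumption: each dotted octet is either a
number or a low-high range, and octet ranges expand independently, so
'192.168.0-255.2' yields 256 addresses.
"""
import re
from itertools import product

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def expand_ipspec(spec):
    """Expand an ip-specification such as '192.168.0.2,192.168.0.5-8'
    into an ordered list of dotted-quad strings."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(".")
        if len(parts) != 4:
            raise ValueError("bad address %r in ip-specification" % item)
        octet_ranges = []
        for part in parts:
            m = _OCTET.match(part)
            if not m:
                raise ValueError("bad octet %r in %r" % (part, item))
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) is not None else lo
            if not 0 <= lo <= hi <= 255:
                raise ValueError("octet range %r is out of bounds" % part)
            octet_ranges.append(range(lo, hi + 1))
        for combo in product(*octet_ranges):
            addrs.append(".".join(str(o) for o in combo))
    return addrs


def parse_pptpd_conf(text):
    """Minimal pptpd.conf reader (constructed here): one 'keyword value' per
    line, '#' starts a comment, bare keywords such as delegate are stored as
    True."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        conf[fields[0]] = fields[1].strip() if len(fields) > 1 else True
    return conf


def effective_limit(conf):
    """Apply the man page's rules: 'connections' defaults to 100; unless
    'delegate' is set, the remoteip pool and a multi-address localip each
    cap the number of clients that can actually be served.
    Returns (limit, list_of_warnings)."""
    warnings = []
    limit = int(conf.get("connections", 100))
    if "delegate" in conf:
        if "localip" in conf or "remoteip" in conf:
            warnings.append("localip/remoteip are ignored when delegate is set")
        return limit, warnings
    if "remoteip" not in conf:
        warnings.append("no remoteip pool and no delegate: clients get no address")
        return 0, warnings
    pool = expand_ipspec(conf["remoteip"])
    if len(set(pool)) != len(pool):
        warnings.append("remoteip lists the same address more than once")
    caps = [("remoteip", len(pool))]
    if "localip" in conf:
        local = expand_ipspec(conf["localip"])
        if set(local) & set(pool):
            warnings.append("localip and remoteip overlap")
        if len(local) != 1:          # one address is shared by all clients
            caps.append(("localip", len(local)))
    for name, size in caps:
        if size < limit:
            warnings.append("%s gives only %d addresses, below the connection "
                            "limit of %d" % (name, size, limit))
            limit = size
    return limit, warnings


# Constructed sample, modelled on the MASQUERADE checklist: 10.0.0.2-200 is
# 199 addresses, so 'connections 250' can never be reached.
SAMPLE_CONF = """\
option /etc/ppp/options.pptpd
stimeout 10
localip 10.0.0.1
remoteip 10.0.0.2-200      # 199 addresses
connections 250
"""

if __name__ == "__main__":
    limit, warns = effective_limit(parse_pptpd_conf(SAMPLE_CONF))
    print("effective client limit:", limit)
    for w in warns:
        print("warning:", w)
```

       Run stand-alone, the script reports an effective limit of 199 rather
       than the configured 250 for the sample; pptpd itself only reveals this
       mismatch at runtime, through the pool-exhausted warning in syslog(3).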

ROUTING CHECKLIST - PROXYARP
       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option. In pptpd.conf do
       not set the localip option, but set remoteip to the allocated address
       range. Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).

       The server will advertise the clients to the LAN using ARP, providing
       its own ethernet address. bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING
       Allocate a subnet for the clients that is routable from your LAN, but
       is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the
       allocated subnet, and set remoteip to a range in the allocated subnet.
       Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward). The LAN must have a route to the
       clients using the server as gateway.

       The server will forward the packets unchanged between the clients and
       the LAN. bcrelay(8) will be required to support broadcast protocols
       such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE
       Allocate a subnet for the clients that is not routable from your LAN,
       and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), and
       set remoteip to a range for the rest of the subnet (e.g. 10.0.0.2-200).
       Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward). Enable masquerading on eth0 (e.g.
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE).

       The server will translate the packets between the clients and the
       LAN. The clients will appear to the LAN as having the address
       corresponding to the server. The LAN need not have an explicit route
       to the clients. bcrelay(8) will be required to support broadcast
       protocols such as NETBIOS.

FIREWALL RULES
       pptpd(8) accepts control connections on TCP port 1723, and then uses
       GRE (protocol 47) to exchange data packets. Add these rules to your
       iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
               --destination-port 1723 --jump ACCEPT

SEE ALSO
       pppd(8), pptpd(8), pptpd.conf(5).

                               29 December 2005                  PPTPD.CONF(5)