pptpd.conf - PPTP VPN daemon configuration
pptpd(8) reads options from this file, usually /etc/pptpd.conf. Most options can be over-
ridden by the command line. The local and remote IP addresses for clients must come from
the configuration file or from pppd(8) configuration files.
the name of an option file to be passed to pppd(8) in place of the default
/etc/ppp/options so that PPTP specific options can be given. Equivalent to the
command line --option option.
number of seconds to wait for a PPTP packet before forking the pptpctrl(8) program
to handle the client. The default is 10 seconds. This is a denial of service pro-
tection feature. Equivalent to the command line --stimeout option.
debug turns on debugging mode, sending debugging information to syslog(3). Has no effect
on pppd(8) debugging. Equivalent to the command line --debug option.
turns on broadcast relay mode, sending all broadcasts received on the server's
internal interface to the clients. Equivalent to the command line --bcrelay
limits the number of client connections that may be accepted. If pptpd is allocat-
ing IP addresses (e.g. delegate is not used) then the number of connections is
also limited by the remoteip option. The default is 100.
delegates the allocation of client IP addresses to pppd(8). Without this option,
which is the default, pptpd manages the list of IP addresses for clients and passes
the next free address to pppd. With this option, pptpd does not pass an address,
and so pppd may use radius or chap-secrets to allocate an address.
one or many IP addresses to be used at the local end of the tunnelled PPP links
between the server and the client. If one address only is given, this address is
used for all clients. Otherwise, one address per client must be given, and if
there are no free addresses then any new clients will be refused. localip will be
ignored if the delegate option is used.
a list of IP addresses to assign to remote PPTP clients. Each connected client must
have a different address, so there must be at least as many addresses as you have
simultaneous clients, and preferably some spare, since you cannot change this list
without restarting pptpd. A warning will be sent to syslog(3) when the IP address
pool is exhausted. remoteip will be ignored if the delegate option is used.
by default, the original client IP address is given to ip-up scripts using the
pppd(8) option ipparam. The noipparam option prevents this. Equivalent to the
command line --noipparam option.
the local interface IP address to listen on for incoming PPTP connections (TCP port
1723). Equivalent to the command line --listen option.
specifies an alternate location to store the process ID file (default
/var/run/pptpd.pid). Equivalent to the command line --pidfile option.
specifies a speed (in bits per second) to pass to the PPP daemon as the interface
speed for the tty/pty pair. This is ignored by some PPP daemons, such as Linux's
pppd(8). The default is 115200 bytes per second, which some implementations inter-
pret as meaning "no limit". Equivalent to the command line --speed option.
An ip-specification above (for the localip and remoteip tags) may be a list of IP
addresses (for example 192.168.0.2,192.168.0.3), a range (for example 192.168.0.1-254 or
192.168.0-255.2) or some combination (for example 192.168.0.2,192.168.0.5-8). For some
valid pairs might be (depending on use of the VPN):
ROUTING CHECKLIST - PROXYARP
Allocate a section of your LAN addresses for use by clients.
In /etc/ppp/options.pptpd. set the proxyarp option. In pptpd.conf do not set localip
option, but set remoteip to the allocated address range. Enable kernel forwarding of
packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).
The server will advertise the clients to the LAN using ARP, providing it's own ethernet
address. bcrelay(8) should not be required.
ROUTING CHECKLIST - FORWARDING
Allocate a subnet for the clients that is routable from your LAN, but is not part of your
In pptpd.conf set localip to a single address or range in the allocated subnet, set
remoteip to a range in the allocated subnet. Enable kernel forwarding of packets, (e.g.
using /proc/sys/net/ipv4/ip_forward ). The LAN must have a route to the clients using the
server as gateway.
The server will forward the packets unchanged between the clients and the LAN. bcrelay(8)
will be required to support broadcast protocols such as NETBIOS.
ROUTING CHECKLIST - MASQUERADE
Allocate a subnet for the clients that is not routable from your LAN, and not otherwise
routable from the server (e.g. 10.0.0.0/24).
Set localip to a single address in the subnet (e.g. 10.0.0.1), set remoteip to a range for
the rest of the subnet, (e.g. 10.0.0.2-200). Enable kernel forwarding of packets, (e.g.
using /proc/sys/net/ipv4/ip_forward ). Enable masquerading on eth0 (e.g. iptables -t nat
-A POSTROUTING -o eth0 -j MASQUERADE ).
The server will translate the packets between the clients and the LAN. The clients will
appear to the LAN as having the address corresponding to the server. The LAN need not
have an explicit route to the clients. bcrelay(8) will be required to support broadcast
protocols such as NETBIOS.
pptpd(8) accepts control connections on TCP port 1723, and then uses GRE (protocol 47) to
exchange data packets. Add these rules to your iptables(8) configuration, or use them as
the basis for your own rules:
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp \
--destination-port 1723 --jump ACCEPT
pppd(8), pptpd(8), pptpd.conf(5).
29 December 2005 PPTPD.CONF(5)