PPTPD.CONF(5)                 File Formats Manual                PPTPD.CONF(5)

NAME
       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION
       pptpd(8) reads options from this file, usually /usr/local/etc/pptpd.conf.
       Most options can be overridden by the command line.  The local and
       remote IP addresses for clients must come from the configuration file
       or from pppd(8) configuration files.

OPTIONS
       option option-file
              the name of an option file to be passed to pppd(8) in place of
              the default /etc/ppp/options so that PPTP specific options can
              be given.  Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before forking the
              pptpctrl(8) program to handle the client.  The default is 10
              seconds.  This is a denial of service protection feature.
              Equivalent to the command line --stimeout option.

       logwtmp
              update wtmp(5) as users connect and disconnect.  See wtmp(1).

       debug  turns on debugging mode, sending debugging information to
              syslog(3).  Has no effect on pppd(8) debugging.  Equivalent to
              the command line --debug option.

       bcrelay internal-interface
              turns on broadcast relay mode, sending all broadcasts received
              on the server's internal interface to the clients.  Equivalent
              to the command line --bcrelay option.

       connections n
              limits the number of client connections that may be accepted.
              If pptpd is allocating IP addresses (e.g. delegate is not used)
              then the number of connections is also limited by the remoteip
              option.  The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).
              Without this option, which is the default, pptpd manages the
              list of IP addresses for clients and passes the next free
              address to pppd.  With this option, pptpd does not pass an
              address, and so pppd may use radius or chap-secrets to allocate
              an address.

       localip ip-specification
              one or many IP addresses to be used at the local end of the
              tunnelled PPP links between the server and the client.  If one
              address only is given, this address is used for all clients.
              Otherwise, one address per client must be given, and if there
              are no free addresses then any new clients will be refused.
              localip will be ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote PPTP clients.  Each
              connected client must have a different address, so there must be
              at least as many addresses as you have simultaneous clients, and
              preferably some spare, since you cannot change this list without
              restarting pptpd.  A warning will be sent to syslog(3) when the
              IP address pool is exhausted.  remoteip will be ignored if the
              delegate option is used.

       noipparam
              by default, the original client IP address is given to ip-up
              scripts using the pppd(8) option ipparam.  The noipparam option
              prevents this.  Equivalent to the command line --noipparam
              option.

       listen ip-address
              the local interface IP address to listen on for incoming PPTP
              connections (TCP port 1723).  Equivalent to the command line
              --listen option.

       vrf vrf-name
              VRF to use for the TCP listening socket as well as the GRE
              packets.  Equivalent to the command line --vrf option.

       pidfile pid-file
              specifies an alternate location to store the process ID file
              (default /var/run/pptpd.pid).  Equivalent to the command line
              --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP daemon
              as the interface speed for the tty/pty pair.  This is ignored by
              some PPP daemons, such as Linux's pppd(8).  The default is
              115200 bytes per second, which some implementations interpret as
              meaning "no limit".  Equivalent to the command line --speed
              option.

NOTES
       An ip-specification above (for the localip and remoteip tags) may be a
       list of IP addresses (for example 192.168.0.2,192.168.0.3), a range
       (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
       (for example 192.168.0.2,192.168.0.5-8).  Some valid pairs might be
       (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254
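       The following Python program is an added example, not part of pptpd or
       of this manual page.  It expands an ip-specification of the forms
       listed above into individual addresses and checks a parsed pptpd.conf
       against the rules given under connections, delegate, localip and
       remoteip: the effective client limit is the smaller of connections and
       the remoteip pool, a multi-address localip must cover every client,
       and both pools are ignored when delegate is set.  The expansion
       accepts a range in any octet and, beyond the forms shown above, takes
       the Cartesian product when more than one octet is ranged; that
       behaviour and the sample configuration are assumptions of the example.

```python
"""Expand pptpd.conf ip-specifications and sanity-check the address pools.

Added example, not part of pptpd or of this manual page.  Assumes an
ip-specification is a comma-separated list of dotted quads in which any
octet may be an inclusive "lo-hi" range (several ranged octets expand to
the Cartesian product), which generalizes the forms shown in NOTES.
"""
import itertools
import re

# One octet: a single number or an inclusive "lo-hi" range.
_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(token):
    """Values covered by one octet token, validated to 0..255."""
    m = _OCTET_RE.match(token)
    if not m:
        raise ValueError("bad octet %r" % token)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range out of order or outside 0-255: %r" % token)
    return list(range(lo, hi + 1))


def expand_ip_spec(spec):
    """Expand e.g. "192.168.0.2,192.168.0.5-8" into dotted quads (order kept)."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        octets = item.split(".")
        if len(octets) != 4:
            raise ValueError("expected four octets in %r" % item)
        for combo in itertools.product(*(_octet_values(o) for o in octets)):
            addrs.append(".".join(str(v) for v in combo))
    return addrs


def parse_pptpd_conf(text):
    """Parse pptpd.conf text into {option: value or True}; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) == 2 else True
    return conf


def check_pools(conf):
    """Return (effective client limit, warnings) using the manual page's rules:
    connections defaults to 100; without delegate the limit is also bounded by
    the remoteip pool and a multi-address localip; with delegate both pools
    are ignored."""
    warnings = []
    limit = int(conf.get("connections", 100))
    if "delegate" in conf:
        for opt in ("localip", "remoteip"):
            if opt in conf:
                warnings.append("%s is ignored because delegate is set" % opt)
        return limit, warnings

    remote = expand_ip_spec(conf.get("remoteip", ""))
    if not remote:
        warnings.append("no remoteip pool: clients cannot be given an address")
        return 0, warnings
    if len(remote) < limit:
        warnings.append("remoteip pool (%d) is smaller than connections (%d); "
                        "pool exhaustion is logged to syslog before the "
                        "connection limit is reached" % (len(remote), limit))
        limit = len(remote)

    local = expand_ip_spec(conf.get("localip", ""))
    if 1 < len(local) < limit:
        warnings.append("localip has %d addresses for up to %d clients; "
                        "clients beyond that are refused" % (len(local), limit))
        limit = len(local)
    if set(local) & set(remote):
        warnings.append("localip and remoteip pools overlap")
    return limit, warnings


# Constructed sample matching the MASQUERADE routing checklist below.
SAMPLE_CONF = """\
option /etc/ppp/options.pptpd
localip 10.0.0.1       # one local address shared by all clients
remoteip 10.0.0.2-200  # 199 client addresses
"""

if __name__ == "__main__":
    limit, warnings = check_pools(parse_pptpd_conf(SAMPLE_CONF))
    print("effective client limit:", limit)
    for w in warnings:
        print("warning:", w)
```

       Run against the sample, the checker reports an effective limit of 100
       (the connections default) and no warnings, because the 199-address
       remoteip pool is larger than the connection limit.  Feeding it the
       same file with a shorter remoteip range shows the pool becoming the
       binding limit, which is the condition the manual page says is reported
       to syslog(3) only once the pool is exhausted.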

ROUTING CHECKLIST - PROXYARP
       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option.  In pptpd.conf do
       not set localip option, but set remoteip to the allocated address
       range.  Enable kernel forwarding of packets, (e.g. using
       /proc/sys/net/ipv4/ip_forward ).

       The server will advertise the clients to the LAN using ARP, providing
       its own ethernet address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING
       Allocate a subnet for the clients that is routable from your LAN, but
       is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the allocated
       subnet, set remoteip to a range in the allocated subnet.  Enable kernel
       forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).
       The LAN must have a route to the clients using the server as gateway.

       The server will forward the packets unchanged between the clients and
       the LAN.  bcrelay(8) will be required to support broadcast protocols
       such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE
       Allocate a subnet for the clients that is not routable from your LAN,
       and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), set
       remoteip to a range for the rest of the subnet, (e.g. 10.0.0.2-200).
       Enable kernel forwarding of packets, (e.g. using
       /proc/sys/net/ipv4/ip_forward ).  Enable masquerading on eth0 (e.g.
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ).

       The server will translate the packets between the clients and the LAN.
       The clients will appear to the LAN as having the address corresponding
       to the server.  The LAN need not have an explicit route to the clients.
       bcrelay(8) will be required to support broadcast protocols such as
       NETBIOS.

FIREWALL RULES
       pptpd(8) accepts control connections on TCP port 1723, and then uses
       GRE (protocol 47) to exchange data packets.  Add these rules to your
       iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
               --destination-port 1723 --jump ACCEPT

SEE ALSO
       pppd(8), pptpd(8), pptpd.conf(5).

                               29 December 2005                  PPTPD.CONF(5)
