29 December 2005
pptpd.conf - PPTP VPN daemon configuration
|the name of an option file to be passed to pppd(8) in place of the default /etc/ppp/options so that PPTP specific options can be given. Equivalent to the command line --option option.|
|number of seconds to wait for a PPTP packet before forking the pptpctrl(8) program to handle the client. The default is 10 seconds. This is a denial of service protection feature. Equivalent to the command line --stimeout option.|
|update wtmp(5) as users connect and disconnect. See wtmp(1).|
|debug||turns on debugging mode, sending debugging information to syslog(3). Has no effect on pppd(8) debugging. Equivalent to the command line --debug option.|
|turns on broadcast relay mode, sending all broadcasts received on the server’s internal interface to the clients. Equivalent to the command line --bcrelay option.|
|limits the number of client connections that may be accepted. If pptpd is allocating IP addresses (e.g. delegate is not used) then the number of connections is also limited by the remoteip option. The default is 100.|
|delegates the allocation of client IP addresses to pppd(8). Without this option, which is the default, pptpd manages the list of IP addresses for clients and passes the next free address to pppd. With this option, pptpd does not pass an address, and so pppd may use radius or chap-secrets to allocate an address.|
|one or many IP addresses to be used at the local end of the tunnelled PPP links between the server and the client. If one address only is given, this address is used for all clients. Otherwise, one address per client must be given, and if there are no free addresses then any new clients will be refused. localip will be ignored if the delegate option is used.|
|a list of IP addresses to assign to remote PPTP clients. Each connected client must have a different address, so there must be at least as many addresses as you have simultaneous clients, and preferably some spare, since you cannot change this list without restarting pptpd. A warning will be sent to syslog(3) when the IP address pool is exhausted. remoteip will be ignored if the delegate option is used.|
|by default, the original client IP address is given to ip-up scripts using the pppd(8) option ipparam. The noipparam option prevents this. Equivalent to the command line --noipparam option.|
|the local interface IP address to listen on for incoming PPTP connections (TCP port 1723). Equivalent to the command line --listen option.|
|VRF to use for the TCP listening socket as well as the GRE packets. Equivalent to the command line --vrf option.|
|specifies an alternate location to store the process ID file (default /var/run/pptpd.pid). Equivalent to the command line --pidfile option.|
|specifies a speed (in bits per second) to pass to the PPP daemon as the interface speed for the tty/pty pair. This is ignored by some PPP daemons, such as Linux’s pppd(8). The default is 115200 bytes per second, which some implementations interpret as meaning "no limit". Equivalent to the command line --speed option.|
An ip-specification above (for the localip and remoteip tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3), a range (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination (for example 192.168.0.2,192.168.0.5-8). For some valid pairs might be (depending on use of the VPN):
ROUTING CHECKLIST - PROXYARP
Allocate a section of your LAN addresses for use by clients.
In /etc/ppp/options.pptpd. set the proxyarp option. In pptpd.conf do not set localip option, but set remoteip to the allocated address range. Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).
The server will advertise the clients to the LAN using ARP, providing it’s own ethernet address. bcrelay(8) should not be required.
ROUTING CHECKLIST - FORWARDING
Allocate a subnet for the clients that is routable from your LAN, but is not part of your LAN.
In pptpd.conf set localip to a single address or range in the allocated subnet, set remoteip to a range in the allocated subnet. Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ). The LAN must have a route to the clients using the server as gateway.
The server will forward the packets unchanged between the clients and the LAN. bcrelay(8) will be required to support broadcast protocols such as NETBIOS.
ROUTING CHECKLIST - MASQUERADE
Allocate a subnet for the clients that is not routable from your LAN, and not otherwise routable from the server (e.g. 10.0.0.0/24).
Set localip to a single address in the subnet (e.g. 10.0.0.1), set remoteip to a range for the rest of the subnet, (e.g. 10.0.0.2-200). Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ). Enable masquerading on eth0 (e.g. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ).
The server will translate the packets between the clients and the LAN. The clients will appear to the LAN as having the address corresponding to the server. The LAN need not have an explicit route to the clients. bcrelay(8) will be required to support broadcast protocols such as NETBIOS.
pptpd(8) accepts control connections on TCP port 1723, and then uses GRE (protocol 47) to exchange data packets. Add these rules to your iptables(8) configuration, or use them as the basis for your own rules:
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp \
--destination-port 1723 --jump ACCEPT