PPTPD.CONF(5)		      File Formats Manual		 PPTPD.CONF(5)

NAME
       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION
       pptpd(8) reads options from this file, usually
       /usr/local/etc/pptpd.conf.  Most options can be overridden by the
       command line.  The local and remote IP addresses for clients must
       come from the configuration file or from pppd(8) configuration files.

OPTIONS
       option option-file
              the name of an option file to be passed to pppd(8) in place of
              the default /etc/ppp/options so that PPTP specific options can
              be given.  Equivalent to the command line --option option.

       stimeout seconds
              number of seconds to wait for a PPTP packet before forking the
              pptpctrl(8) program to handle the client.  The default is 10
              seconds.  This is a denial of service protection feature.
              Equivalent to the command line --stimeout option.

       logwtmp
              update wtmp(5) as users connect and disconnect.  See wtmp(1).

       debug
              turns on debugging mode, sending debugging information to
              syslog(3).  Has no effect on pppd(8) debugging.  Equivalent to
              the command line --debug option.

       bcrelay internal-interface
              turns on broadcast relay mode, sending all broadcasts received
              on the server's internal interface to the clients.  Equivalent
              to the command line --bcrelay option.

       connections n
              limits the number of client connections that may be accepted.
              If pptpd is allocating IP addresses (that is, delegate is not
              used) then the number of connections is also limited by the
              size of the remoteip pool.  The default is 100.

       delegate
              delegates the allocation of client IP addresses to pppd(8).
              Without this option, which is the default, pptpd manages the
              list of IP addresses for clients and passes the next free
              address to pppd.  With this option, pptpd does not pass an
              address, and so pppd may use radius or chap-secrets to allocate
              an address.

       localip ip-specification
              one or many IP addresses to be used at the local end of the
              tunnelled PPP links between the server and the client.  If one
              address only is given, this address is used for all clients.
              Otherwise, one address per client must be given, and if there
              are no free addresses then any new clients will be refused.
              localip will be ignored if the delegate option is used.

       remoteip ip-specification
              a list of IP addresses to assign to remote PPTP clients.  Each
              connected client must have a different address, so there must
              be at least as many addresses as you have simultaneous clients,
              and preferably some spare, since you cannot change this list
              without restarting pptpd.  A warning will be sent to syslog(3)
              when the IP address pool is exhausted.  remoteip will be
              ignored if the delegate option is used.

       noipparam
              by default, the original client IP address is given to ip-up
              scripts using the pppd(8) option ipparam.  The noipparam option
              prevents this.  Equivalent to the command line --noipparam
              option.

       listen ip-address
              the local interface IP address to listen on for incoming PPTP
              connections (TCP port 1723).  Equivalent to the command line
              --listen option.

       vrf vrf-name
              VRF to use for the TCP listening socket as well as the GRE
              packets.  Equivalent to the command line --vrf option.

       pidfile pid-file
              specifies an alternate location to store the process ID file
              (default /var/run/pptpd.pid).  Equivalent to the command line
              --pidfile option.

       speed speed
              specifies a speed (in bits per second) to pass to the PPP
              daemon as the interface speed for the tty/pty pair.  This is
              ignored by some PPP daemons, such as Linux's pppd(8).  The
              default is 115200 bytes per second, which some implementations
              interpret as meaning "no limit".  Equivalent to the command
              line --speed option.

NOTES
       An ip-specification above (for the localip and remoteip tags) may be
       a list of IP addresses (for example 192.168.0.2,192.168.0.3), a range
       (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination
       (for example 192.168.0.2,192.168.0.5-8).  Some valid pairs might be
       (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254
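       An added example (not part of this manual page or of the pptpd
       project) that expands the ip-specification syntax described above and
       then checks a pptpd.conf against the connections and delegate rules
       from OPTIONS.  It generalises the examples by allowing a range in any
       of the four octets; the expansion order (first octet varies slowest)
       and the option names it reads are assumptions.

```python
"""Expand pptpd.conf ip-specifications and sanity-check the address pools."""
import re
from itertools import product

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(token: str) -> range:
    """Turn '7' into range(7, 8) and '2-200' into range(2, 201)."""
    m = _OCTET.match(token)
    if not m:
        raise ValueError(f"bad octet {token!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of order or out of bounds: {token!r}")
    return range(lo, hi + 1)


def expand_ipspec(spec: str) -> list[str]:
    """Expand comma-separated 'a.b.c.d' entries; any octet may be 'lo-hi'.

    Entries keep their textual order; within one entry the first octet varies
    slowest (an assumption, pptpd's own iteration order is not documented here).
    """
    addrs = []
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"expected four octets in {entry!r}")
        for combo in product(*(_octet_values(o) for o in octets)):
            addrs.append(".".join(map(str, combo)))
    return addrs


def check_pool(conf_text: str) -> list[str]:
    """Return warnings for a pptpd.conf text (constructed input, see tests)."""
    opts = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split key/value
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    if "delegate" in opts:  # pppd allocates; localip/remoteip are ignored
        return [f"{k} is ignored because delegate is set"
                for k in ("localip", "remoteip") if k in opts]
    warnings = []
    pool = expand_ipspec(opts.get("remoteip", ""))
    limit = int(opts.get("connections", "100"))  # default is 100 per the man page
    if len(pool) < limit:
        warnings.append(f"remoteip pool has {len(pool)} addresses; "
                        f"connections {limit} cannot all be honoured")
    if set(expand_ipspec(opts.get("localip", ""))) & set(pool):
        warnings.append("localip and remoteip overlap")
    return warnings
```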

ROUTING CHECKLIST - PROXYARP
       Allocate a section of your LAN addresses for use by clients.

       In /etc/ppp/options.pptpd set the proxyarp option.  In pptpd.conf do
       not set the localip option, but set remoteip to the allocated address
       range.  Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).

       The server will advertise the clients to the LAN using ARP, providing
       its own ethernet address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING
       Allocate a subnet for the clients that is routable from your LAN, but
       is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the
       allocated subnet, set remoteip to a range in the allocated subnet.
       Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).  The LAN must have a route to the
       clients using the server as gateway.

       The server will forward the packets unchanged between the clients and
       the LAN.  bcrelay(8) will be required to support broadcast protocols
       such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE
       Allocate a subnet for the clients that is not routable from your LAN,
       and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set localip to a single address in the subnet (e.g. 10.0.0.1), set
       remoteip to a range for the rest of the subnet (e.g. 10.0.0.2-200).
       Enable kernel forwarding of packets (e.g. using
       /proc/sys/net/ipv4/ip_forward).  Enable masquerading on eth0 (e.g.
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE).

       The server will translate the packets between the clients and the
       LAN.  The clients will appear to the LAN as having the address
       corresponding to the server.  The LAN need not have an explicit route
       to the clients.  bcrelay(8) will be required to support broadcast
       protocols such as NETBIOS.

FIREWALL RULES
       pptpd(8) accepts control connections on TCP port 1723, and then uses
       GRE (protocol 47) to exchange data packets.  Add these rules to your
       iptables(8) configuration, or use them as the basis for your own
       rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp \
               --destination-port 1723 --jump ACCEPT

SEE ALSO
       pppd(8), pptpd(8), pptpd.conf(5).

			       29 December 2005			 PPTPD.CONF(5)