npppd.conf — npppd configuration file

npppd.conf is the configuration file for the PPP daemon npppd(8).

npppd.conf is divided into the following main sections:
- Global: Global settings.
- Tunnel: Tunneling protocol and PPP settings.
- IPCP: Internet Protocol Control Protocol (IPCP) of PPP.
- Interface: Interface settings.
- Authentication: Authentication settings.
- Bind: Bind settings.
The global options are as follows:

set max-session number
- Specify the maximum number of sessions. ‘0’ means no limit. The default value is 0.

set user-max-session number
- Specify the maximum number of sessions for each user. ‘0’ means no limit. The default value is 0.
The tunnel setting is described below:

tunnel name protocol protocol [option ...]

Specify the tunnel protocol:
  l2tp: Layer Two Tunneling Protocol (RFC 2661)
  pppoe: PPP Over Ethernet (RFC 2516)
  pptp: Point-to-Point Tunneling Protocol (RFC 2637)

The supported options are as follows:

listen on address [port port]
- Specify the IP address that this tunnel listens on. Both IPv4 and IPv6 addresses can be used for L2TP. Only IPv4 addresses can be used for PPTP. If the port is omitted, the default port numbers are used: 1723 for PPTP and 1701 for L2TP. The default value is 0.0.0.0. This option is for PPTP and L2TP only. This option can be used multiple times.

listen on interface interface-name
- Specify the interface name that this PPPoE tunnel listens on. The interface must be an Ethernet interface. This option is for PPPoE only.
l2tp-hostname string
- Specify an L2TP hostname. The default value is the value returned by gethostname(3). This option is for L2TP only.

l2tp-vendor-name string
- Specify an L2TP vendor name. The default value is "" (an empty string). This option is for L2TP only.

l2tp-hello-interval number
- Specify the interval between L2TP hello requests, in seconds. The default value is 60. This option is for L2TP only.

l2tp-hello-timeout number
- Specify the maximum time that npppd(8) waits for L2TP hello responses, in seconds. The default value is 30. This option is for L2TP only.

l2tp-accept-dialin yes | no
- If “yes” is specified, npppd(8) accepts Proxy-LCP and Proxy-Authentication AVPs from the LAC to do “compulsory tunneling mode”. The default is “no”. This option is for L2TP only.

l2tp-lcp-renegotiation yes | no
- If “yes” is specified, npppd(8) uses the LCP received in Proxied-LCP AVPs, but if that LCP is not acceptable npppd(8) negotiates LCP again. The default is “yes”. This option is for L2TP only.

l2tp-force-lcp-renegotiation yes | no
- If “yes” is specified, npppd(8) does not use the LCP received in Proxied-LCP AVPs; it always negotiates LCP again. The default is “no”. This option is for L2TP only.

l2tp-data-use-seq yes | no
- Specify “yes” to use sequencing for L2TP data communications. The default is “yes”. This option is for L2TP only.

l2tp-require-ipsec yes | no
- Specify “yes” to refuse L2TP connections without IPsec encapsulation. The default is “no”. This option is for L2TP only.
pptp-hostname string
- Specify a PPTP hostname. The default value is "" (an empty string). This option is for PPTP only.

pptp-vendor-name string
- Specify a PPTP vendor name. The default value is "" (an empty string). This option is for PPTP only.

pptp-echo-interval number
- Specify the interval between PPTP echo requests, in seconds. The default value is 60. This option is for PPTP only.

pptp-echo-timeout number
- Specify the maximum time that npppd(8) waits for PPTP echo replies, in seconds. The default value is 60. This option is for PPTP only.

pppoe-service-name string
- Specify a service name. The default is "" (an empty string). This option is for PPPoE only.

pppoe-accept-any-service yes | no
- If “yes” is specified, npppd(8) accepts requests from clients that accept any service name. The default value is “yes”. This option is for PPPoE only.

pppoe-ac-name string
- Specify the access concentrator (AC) name. The default value is derived from the MAC address of the listening interface. This option is for PPPoE only.
mru number
- Specify the Maximum Receive Unit (MRU). This value is used in LCP negotiation to ask the peer not to send packets larger than MRU octets. The peer may use the MRU to decide its MTU, but this depends on the implementation. The default values are 1360 for L2TP, 1400 for PPTP, and 1492 for PPPoE.

lcp-keepalive yes | no
- Specify whether npppd(8) uses LCP keepalive. The default value is “no” for L2TP and “yes” for PPTP and PPPoE.

lcp-keepalive-interval number
- Specify the interval between LCP echo requests, in seconds. The default value is 300.

lcp-keepalive-retry-interval number
- Specify the interval between retries of LCP echo requests when no echo reply is received from the peer, in seconds. The default value is 60.

lcp-keepalive-max-retries number
- Specify the maximum number of LCP echo retries. If the peer doesn't respond and the number of retries reaches this value, npppd(8) treats the link as dead and closes it. The default value is 3.

lcp-timeout number
- Specify the timeout value for LCP retransmission, in seconds. The default value is 3.

lcp-max-configure number
- Specify the maximum number of LCP configure request transmissions. The default value is 10.

lcp-max-terminate number
- Specify the maximum number of LCP terminate request transmissions. The default value is 2.

lcp-max-nak-loop number
- Specify the maximum number of LCP configure NAK loops. The default value is 5.
authentication-method authentication-method ...
- Specify one or more authentication methods:
  pap: Password Authentication Protocol.
  chap: PPP Challenge Handshake Authentication Protocol (RFC 1994).
  mschapv2: Microsoft PPP CHAP Extensions, Version 2 (RFC 2759).
  mschapv2 is used as the default for PPTP; pap chap mschapv2 is used as the default for other protocols.

ccp-timeout number
- Specify the timeout value for CCP retransmission, in seconds. The default value is 3.

ccp-max-configure number
- Specify the maximum number of CCP configure request transmissions. The default value is 10.

ccp-max-terminate number
- Specify the maximum number of CCP terminate request transmissions. The default value is 2.

ccp-max-nak-loop number
- Specify the maximum number of CCP configure NAK loops. The default value is 5.

ipcp-timeout number
- Specify the timeout value for IPCP retransmission, in seconds. The default value is 3.

ipcp-max-configure number
- Specify the maximum number of IPCP configure request transmissions. The default value is 10.

ipcp-max-terminate number
- Specify the maximum number of IPCP terminate request transmissions. The default value is 2.

ipcp-max-nak-loop number
- Specify the maximum number of IPCP configure NAK loops. The default value is 5.
mppe yes | no | required
- If “yes” is specified, npppd(8) negotiates to use Microsoft Point-to-Point Encryption (MPPE), and continues the PPP session even if the negotiation fails. If “required” is specified, npppd(8) negotiates to use MPPE, and does not continue the PPP session if the negotiation fails. If “no” is specified, npppd(8) negotiates not to use MPPE and refuses to use MPPE. The default value is “required” for PPTP and “yes” for L2TP and PPPoE.

mppe-key-length key-length ...
- Specify the key lengths for this configuration. The following key lengths can be used:
  128: 128-bit encryption.
  56: 56-bit encryption.
  40: 40-bit encryption.

mppe-key-state mode ...
- Specify the key change modes that this configuration supports. The following modes can be used:
  stateful: Stateful mode key changes.
  stateless: Stateless mode key changes.

idle-timeout number
- Specify the value of the idle timer, in seconds. The link is disconnected if no data packets are sent or received for longer than the idle-timeout. The default is 0, which disables the idle timer. This value must be 0 for pppx(4) sessions.

tcp-mss-adjust yes | no
- If “yes” is specified, npppd(8) adjusts TCP SYN packets so that the TCP maximum segment size (MSS) is less than the value calculated from the link MTU. The default value is “no”.

ingress-filter yes | no
- If “yes” is specified, npppd(8) applies an ingress filter to incoming packets. The ingress filter drops all packets whose source address does not match the address assigned by npppd(8) for the link. The default value is “no”.

pipex yes | no
- Specify whether npppd(8) uses pipex(4). The default is “yes”. The sysctl(8) variable net.pipex.enable must also be enabled to use pipex(4).
debug-dump-pktin protocol ...
- If this option is specified, npppd(8) dumps received packets which match the specified protocol. The following protocols can be specified:
  ip: Internet Protocol (IP)
  lcp: Link Control Protocol (LCP)
  pap: Password Authentication Protocol (PAP)
  chap: Challenge Handshake Authentication Protocol (CHAP)
  mppe: Microsoft Point-to-Point Encryption (MPPE)
  ccp: Compression Control Protocol (CCP)
  ipcp: Internet Protocol Control Protocol (IPCP)

debug-dump-pktout protocol ...
- If this option is specified, npppd(8) dumps sent packets which match the specified protocol. See debug-dump-pktin for the list of protocols.

l2tp-ctrl-in-pktdump yes | no
- Specify whether npppd(8) dumps received L2TP control packets for debugging. The default is “no”.

l2tp-ctrl-out-pktdump yes | no
- Specify whether npppd(8) dumps sent L2TP control packets for debugging. The default is “no”.

l2tp-data-in-pktdump yes | no
- Specify whether npppd(8) dumps received L2TP data packets for debugging. The default is “no”.

l2tp-data-out-pktdump yes | no
- Specify whether npppd(8) dumps sent L2TP data packets for debugging. The default is “no”.

pptp-ctrl-in-pktdump yes | no
- Specify whether npppd(8) dumps received PPTP control packets for debugging. The default is “no”.

pptp-ctrl-out-pktdump yes | no
- Specify whether npppd(8) dumps sent PPTP control packets for debugging. The default is “no”.

pptp-data-in-pktdump yes | no
- Specify whether npppd(8) dumps received PPTP data packets for debugging. The default is “no”.

pptp-data-out-pktdump yes | no
- Specify whether npppd(8) dumps sent PPTP data packets for debugging. The default is “no”.

pppoe-desc-in-pktdump yes | no
- Specify whether npppd(8) dumps received PPPoE discovery packets for debugging. The default is “no”.

pppoe-desc-out-pktdump yes | no
- Specify whether npppd(8) dumps sent PPPoE discovery packets for debugging. The default is “no”.

pppoe-session-in-pktdump yes | no
- Specify whether npppd(8) dumps received PPPoE session packets for debugging. The default is “no”.

pppoe-session-out-pktdump yes | no
- Specify whether npppd(8) dumps sent PPPoE session packets for debugging. The default is “no”.
The ipcp setting is described below:

ipcp name [option ...]

name specifies the name of this ipcp setting. The maximum number of ipcp settings is 8.

The supported options are as follows:

pool-address address-range | address-mask [for dynamic | static]
- Specify the IP address space that is pooled for this IPCP setting. The address space can be specified by address-range (e.g. 192.168.0.2-192.168.0.254) or address-mask (e.g. 192.168.0.0/24). dynamic means the address space is reserved for dynamic allocation; static means the address space is reserved for static allocation. The default is dynamic. This option can be used multiple times.

dns-servers primary-server-address [secondary-server-address]
- Specify the DNS servers' IP addresses.

nbns-servers primary-server-address [secondary-server-address]
- Specify the NetBIOS name servers' IP addresses.

allow-user-selected-address yes | no
- Specify whether npppd(8) is allowed to assign an address selected by the user. The default is “yes”.

max-session number
- Specify the maximum number of sessions for this ipcp setting. ‘0’ means no limit. The default value is 0.
The interface setting is described below:

interface ifname address address ipcp ipcp

Use pppac(4) or pppx(4) and specify its name as ifname. address is the IP address of this interface, and it is used as the tunnel address to the tunnel peer. ipcp specifies the name of the ipcp setting used with this interface. The maximum number of interface settings is 8.
The authentication setting is described below:

authentication name type type { option ... }

Specify a name for this authentication setting. For type, one of the following can be specified:
  local: Authenticates using a local file.
  radius: Authenticates using remote RADIUS servers.

The supported options are as follows:

username-suffix string
- Specify the suffix of the username so that npppd(8) selects this authentication setting only for users whose username matches this suffix pattern.

strip-nt-domain yes | no
- Specify whether npppd(8) removes the NT domain prefix, such as '\\NTDOMAIN\', from the username before contacting the authentication server. The default is “yes”.

strip-atmark-realm yes | no
- Specify whether npppd(8) removes the realm part that begins with an at sign ('@') from the username before contacting the authentication server. The default is “no”.

users-file string
- Specify the path of the npppd-users(5) file that describes users' account information. The path must be under /etc/npppd/ because npppd(8) is restricted to accessing files only in certain directories.

authentication-server { radius-config }
- This option describes the settings for a RADIUS authentication server. radius-config consists of the following:
  address address [port port] [secret secret]
  - Specify the IP address and port of the RADIUS server, and the shared secret. secret must be less than 127 characters. The default port is 1812 for authentication-server and 1813 for accounting-server. This option can be specified multiple times (maximum 16) in a radius-config.
  timeout number
  - Specify the maximum time to wait for a response, in seconds. The default is 9.
  max-tries number
  - Specify the maximum number of retransmissions. The default is 3.
  max-failovers number
  - Specify the maximum number of failovers. The default is 1.

accounting-server { radius-config }
- This option describes the settings for a RADIUS accounting server. See authentication-server for the details of radius-config.

user-max-session number
- Specify the maximum number of sessions for each user for this authentication setting.
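The following is an added example, not code from npppd or its manual. It models how username-suffix picks an authentication setting and what username reaches the server after strip-nt-domain (default “yes”) and strip-atmark-realm (default “no”) are applied. Plain string suffix matching with the longest suffix winning is an assumption of this example, as is the realm table.

```python
# Added example (not part of npppd): realm selection and username normalisation
# as described by username-suffix, strip-nt-domain and strip-atmark-realm.

# Assumed realm table, modelled on the two-realm configuration example below.
# Options that are absent take the documented defaults.
REALMS = [
    {"name": "RADIUS", "username-suffix": "@example.com"},
    {"name": "LOCAL", "username-suffix": "@local", "strip-atmark-realm": "yes"},
]

def select_realm(username, realms=REALMS):
    """Pick the realm whose username-suffix is the longest suffix of username.
    Suffix matching by plain string comparison is an assumption."""
    matches = [r for r in realms if username.endswith(r["username-suffix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: len(r["username-suffix"]))

def strip_nt_domain(username):
    # '\\NTDOMAIN\alice' or 'NTDOMAIN\alice' -> 'alice'; no backslash: unchanged
    return username.rsplit("\\", 1)[-1]

def strip_atmark_realm(username):
    # 'alice@example.com' -> 'alice'; a name without '@' is returned unchanged
    return username.rsplit("@", 1)[0]

def resolve(username, realms=REALMS):
    """Return (realm name, username as sent to the authentication server).
    A username matching no realm yields (None, username) unchanged."""
    realm = select_realm(username, realms)
    if realm is None:
        return None, username
    if realm.get("strip-nt-domain", "yes") == "yes":   # default "yes"
        username = strip_nt_domain(username)
    if realm.get("strip-atmark-realm", "no") == "yes":  # default "no"
        username = strip_atmark_realm(username)
    return realm["name"], username

if __name__ == "__main__":
    for u in ("\\\\NTDOMAIN\\alice@example.com", "bob@local", "carol@other"):
        print(u, "->", resolve(u))
```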
bind describes a group of tunnel, authentication, and interface settings so that they are used together:

bind tunnel from tunnel authenticated by authentication to ifname
A very simple configuration example is below:
tunnel L2TP protocol l2tp
tunnel PPTP protocol pptp
ipcp IPCP {
pool-address 10.0.0.2-10.0.0.254
dns-servers 8.8.8.8
}
interface pppx0 address 10.0.0.1 ipcp IPCP
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
bind tunnel from L2TP authenticated by LOCAL to pppx0
bind tunnel from PPTP authenticated by LOCAL to pppx0
Another simple configuration, but with two authentication
realms:
tunnel L2TP protocol l2tp {
listen on 203.0.113.100
}
ipcp IPCP {
pool-address 10.0.0.2-10.0.0.254
dns-servers 8.8.8.8
}
interface pppac0 address 10.0.0.1 ipcp IPCP
interface pppac1 address 10.0.0.1 ipcp IPCP
authentication RADIUS type radius {
username-suffix "@example.com"
authentication-server {
address 192.168.0.1 secret "hogehoge"
}
accounting-server {
address 192.168.0.1 secret "hogehoge"
}
}
authentication LOCAL type local {
username-suffix "@local"
users-file "/etc/npppd/npppd-users"
}
bind tunnel from L2TP authenticated by RADIUS to pppac0
bind tunnel from L2TP authenticated by LOCAL to pppac1
The current version of npppd(8) does not support adding or removing tunnel settings or changing listener settings (listen address, port and l2tp-require-ipsec) at runtime.
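The following is an added example, not code from npppd or its manual. It parses the tunnel blocks of an npppd.conf-style text (only the one-statement-per-line, brace-block subset shown on this page) and reports tunnel options left at, or set to, values that weaken the link, using the defaults documented above for l2tp-require-ipsec, mppe, authentication-method and ingress-filter. The parser and its finding texts are this example's own.

```python
# Added example (not part of npppd): audit tunnel options against the defaults
# documented in npppd.conf(5). Sample configurations below are constructed.
import shlex

def tunnel_defaults(protocol):
    """Documented defaults: mppe is "required" for PPTP and "yes" otherwise;
    authentication-method is "mschapv2" for PPTP, "pap chap mschapv2" otherwise."""
    pptp = protocol == "pptp"
    return {
        "l2tp-require-ipsec": ["no"],
        "ingress-filter": ["no"],
        "mppe": ["required" if pptp else "yes"],
        "authentication-method": ["mschapv2"] if pptp else ["pap", "chap", "mschapv2"],
    }

def parse_tunnels(text):
    """Return {name: {"protocol": ..., "options": {key: [args...]}}}."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == "tunnel" and len(words) >= 4 and words[2] == "protocol":
            entry = {"protocol": words[3], "options": {}}
            tunnels[words[1]] = entry
            current = entry if words[-1] == "{" else None   # one-line form has no block
        elif words == ["}"]:
            current = None
        elif current is not None:                             # option inside a tunnel block
            current["options"][words[0]] = words[1:]
    return tunnels

def audit(text):
    """Return sorted (tunnel name, finding) pairs; explicit options override defaults."""
    findings = []
    for name, t in parse_tunnels(text).items():
        opts = {**tunnel_defaults(t["protocol"]), **t["options"]}
        if t["protocol"] == "l2tp" and opts["l2tp-require-ipsec"] == ["no"]:
            findings.append((name, "l2tp-require-ipsec no: L2TP accepted without IPsec"))
        if opts["mppe"] != ["required"]:
            findings.append((name, "mppe %s: session may continue without MPPE" % opts["mppe"][0]))
        if "pap" in opts["authentication-method"]:
            findings.append((name, "authentication-method allows pap (cleartext password)"))
        if opts["ingress-filter"] == ["no"]:
            findings.append((name, "ingress-filter no: peer source addresses are not checked"))
    return sorted(findings)

STRICT = """tunnel L2TP protocol l2tp {\n    listen on 203.0.113.100\n    l2tp-require-ipsec yes
    mppe required\n    authentication-method chap mschapv2\n    ingress-filter yes\n}\n"""
LAX = "tunnel L2TP protocol l2tp\ntunnel PPTP protocol pptp\n"   # everything at defaults

if __name__ == "__main__":
    for name, finding in audit(STRICT) + audit(LAX):
        print(name, finding)
```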