Manual: (OpenBSD-5.7)

NPPPD.CONF(5)               BSD File Formats Manual              NPPPD.CONF(5)

NAME
     npppd.conf -- npppd configuration file

DESCRIPTION
     npppd.conf is the configuration file for the PPP daemon npppd(8).

SECTIONS
     npppd.conf is divided into six sections:

           Global             Global settings.
           Tunnel             Tunneling protocol and PPP settings.
           IPCP               Internet Protocol Configuration Protocol (IPCP)
                              of PPP.
           Interface          Interface settings.
           Authentication     Authentication settings.
           Bind               Bind settings.

GLOBAL
     The global options are as follows:

     set max-session number
             Specify the maximum number of sessions.  '0' means no limit.  The
             default value is 0.

     set user-max-session number
             Specify the maximum number of sessions for each user.  '0' means
             no limit.  The default value is 0.

TUNNEL
     The tunnel setting is described below:

     tunnel name protocol protocol [option ...]

     Specify the tunnel protocol:

           l2tp      Layer Two Tunneling Protocol (RFC 2661)
           pppoe     PPP Over Ethernet (RFC 2516)
           pptp      Point-to-Point Tunneling Protocol (RFC 2637)

     The supported options are as follows:

     listen on address [port port]
             Specify the IP address that this tunnel listens on.  Both IPv4
             and IPv6 addresses can be used for L2TP.  Only IPv4 addresses can
             be used for PPTP.  If the port is omitted, the default port
             numbers are used.  The default port numbers are 1723 for PPTP and
             1701 for L2TP.  The default value is 0.0.0.0.  This option is for
             PPTP and L2TP only.  This option can be used multiple times.

     listen on interface interface-name
             Specify the interface name that this PPPoE tunnel listens on.
             The interface must be an Ethernet interface.  This option is for
             PPPoE only.

     l2tp-hostname string
             Specify an L2TP hostname.  The default value is the value that is
             returned by gethostname(3).  This option is for L2TP only.

     l2tp-vendor-name string
             Specify an L2TP vendor name.  The default value is "" (an empty
             string).  This option is for L2TP only.

     l2tp-hello-interval number
             Specify the interval time between L2TP hello requests, in sec-
             onds.  The default value is 60.  This option is for L2TP only.

     l2tp-hello-timeout number
             Specify the maximum time that npppd(8) waits for L2TP hello
             responses, in seconds.  This option is for L2TP only.

     l2tp-accept-dialin yes | no
             If ``yes'' is specified, npppd(8) accepts Proxy-LCP and Proxy-
             Authentication AVPs from LAC to do `compulsory tunneling mode'.
             The default is ``no''.  This option is for L2TP only.

     l2tp-lcp-renegotiation yes | no
             If ``yes'' is specified, npppd(8) will basically use the LCP that
             is received by Proxied-LCP AVPs, but if the LCP is not acceptable
             npppd(8) will negotiate LCP again.  The default is ``yes''.  This
             option is for L2TP only.

     l2tp-force-lcp-renegotiation yes | no
             If ``yes'' is specified, npppd(8) will not use the LCP that is
             received by Proxied-LCP AVPs; it will negotiate LCP again.  The
             default is ``no''.  This option is for L2TP only.

     l2tp-data-use-seq yes | no
             Specify ``yes'' to use sequencing for L2TP Data communications.
             The default is ``yes''.  This option is for L2TP only.

     l2tp-require-ipsec yes | no
             Specify ``yes'' to refuse L2TP connections without IPsec encapsu-
             lation.  The default is ``no''.  This option is for L2TP only.

     pptp-hostname string
             Specify a PPTP hostname.  The default value is the value that is
             returned by gethostname(3).  This option is for PPTP only.

     pptp-vendor-name string
             Specify a PPTP vendor name.  The default value is "" (an empty
             string).  This option is for PPTP only.

     pptp-echo-interval number
             Specify the interval time between PPTP echo requests, in seconds.
             The default value is 60.  This option is for PPTP only.

     pptp-echo-timeout number
             Specify the maximum time that npppd(8) waits for PPTP echo
             replies, in seconds.  The default value is 60.  This option is
             for PPTP only.

     pppoe-service-name string
             Specify a service name.  The default is "" (an empty string).
             This option is for PPPoE only.

     pppoe-accept-any-service yes | no
             If ``yes'' is specified, npppd(8) accepts requests from clients
             that accept any service name.  The default value is ``yes''.
             This option is for PPPoE only.

     pppoe-ac-name string
             Specify the access concentrator (AC) name.  The default value is
             created from the MAC address of the listening interface.  This
             option is for PPPoE only.

     mru number
             Specify the Maximum Receive Unit (MRU).  This value is used for
             LCP negotiation to ask the peer not to send packets greater than
             the MRU octets.  The peer may use the MRU to decide its MTU, but
             this depends on the implementation.  The default values are 1360
             for L2TP, 1400 for PPTP, and 1492 for PPPoE.

     lcp-keepalive yes | no
             Specify whether npppd(8) uses LCP keepalive.  The default value
             is ``no'' for L2TP and ``yes'' for PPTP and PPPoE.

     lcp-keepalive-interval number
             Specify the interval time between LCP echo requests, in seconds.
             The default value is 300.

     lcp-keepalive-retry-interval number
             Specify the interval time between retrying LCP echo requests
             without receiving the echo reply from the peer.  The value must
             be specified in seconds.  The default value is 60.

     lcp-keepalive-max-retries number
             Specify the maximum number of LCP echo retries.  If the peer
             doesn't respond and the number of retries reaches this value,
             npppd(8) treats the link as dead and closes it.  The default
             value is 3.

     lcp-timeout number
             Specify the timeout value for LCP retransmission in seconds.  The
             default value is 3.

     lcp-max-configure number
             Specify the maximum number of LCP configure request transmis-
             sions.  The default value is 10.

     lcp-max-terminate number
             Specify the maximum number of LCP terminate request transmis-
             sions.  The default value is 2.

     lcp-max-nak-loop number
             Specify the maximum number of LCP configure NAK loops.  The
             default value is 5.

     authentication-method authentication-method ...
             Specify an authentication method:

             pap       Password Authentication Protocol.
             chap      PPP Challenge Handshake Authentication Protocol (RFC
                       1994).
             mschapv2  Microsoft PPP CHAP Extensions, Version 2 (RFC 2749).

             mschapv2 is used as the default for PPTP; pap chap mschapv2 is
             used as the default for other protocols.

     ccp-timeout number
             Specify the timeout value for CCP retransmission, in seconds.
             The default value is 3.

     ccp-max-configure number
             Specify the maximum number of CCP configure request transmis-
             sions.  The default value is 10.

     ccp-max-terminate number
             Specify the maximum number of CCP terminate request transmis-
             sions.  The default value is 2.

     ccp-max-nak-loop number
             Specify the maximum number of CCP configure NAK loops.  The
             default value is 5.

     ipcp-timeout number
             Specify the timeout value for IPCP retransmission, in seconds.
             The default value is 3.

     ipcp-max-configure number
             Specify the maximum number of IPCP configure request transmis-
             sions.  The default value is 10.

     ipcp-max-terminate number
             Specify the maximum number of IPCP terminate request transmis-
             sions.  The default value is 2.

     ipcp-max-nak-loop number
             Specify the maximum number of IPCP configure NAK loops.  The
             default value is 5.

     mppe yes | no | required
             If ``yes'' is specified, npppd(8) will negotiate to use Microsoft
             Point-to-Point Encryption (MPPE), and it will continue the PPP
             even if the negotiation fails.  If ``required'' is specified,
             npppd(8) will negotiate to use MPPE, and it will not continue the
             PPP if the negotiation fails.  If ``no'' is specified, npppd(8)
             will negotiate not to use MPPE and it will refuse to use MPPE.
             The default value is ``required'' for PPTP and ``yes'' for L2TP
             and PPPoE.

     mppe-key-length key-length ...
             Specify key lengths for this configuration.  The following key
             lengths can be used:

             128     128-bit encryption.
             56      56-bit encryption.
             40      40-bit encryption.

     mppe-key-state mode ...
             Specify the key change modes that this configuration supports.
             The following modes can be used:

             stateful      Stateful mode key changes.
             stateless     Stateless mode key changes.

     idle-timeout number
             Specify the timeout value for the idle timer, in seconds.  The
             idle timer disconnects the link if the link is idle for the time
             specified by this value.  The link is treated as idle if no data
             packets are sent or received.  0 means disable the idle timer.
             The default value is 0.

     tcp-mss-adjust yes | no
             If ``yes'' is specified, npppd(8) adjusts TCP SYN packets so that
             the value of TCP maximum segment size (MSS) is less than the
             value calculated from the link MTU.  The default value is ``no''.

     ingress-filter yes | no
             If ``yes'' is specified, npppd(8) applies an ingress filter for
             incoming packets.  The ingress filter drops all packets whose
             source address does not match the address assigned by npppd(8)
             for the link.  The default value is ``no''.

     pipex yes | no
             Specify whether npppd(8) uses pipex(4).  The default is ``yes''.

     debug-dump-pktin protocol ...
             If this option is specified, npppd(8) dumps received packets
             which match the specified protocol.  The following protocols can
             be specified:

                   ip       Internet Protocol (IP)
                   lcp      Link Configuration Protocol (LCP)
                   pap      Password Authentication Protocol (PAP)
                   chap     Challenge Handshake Authentication Protocol (CHAP)
                   mppe     Microsoft Point-to-Point Encryption (MPPE)
                   ccp      Compression Control Protocol (CCP)
                   ipcp     IP Configuration Protocol (IPCP)

     debug-dump-pktout protocol ...
             If this option is specified, npppd(8) dumps sent packets which
             match the specified protocol.  See the debug-dump-pktin option
             for the list of protocols.

     l2tp-ctrl-in-pktdump yes | no
             Specify whether npppd(8) dumps received L2TP control packets for
             debugging.  The default is ``no''.

     l2tp-ctrl-out-pktdump yes | no
             Specify whether npppd(8) dumps sent L2TP control packets for
             debugging.  The default is ``no''.

     l2tp-data-in-pktdump yes | no
             Specify whether npppd(8) dumps received L2TP data packets for
             debugging.  The default is ``no''.

     l2tp-data-out-pktdump yes | no
             Specify whether npppd(8) dumps sent L2TP data packets for debug-
             ging.  The default is ``no''.

     pptp-ctrl-in-pktdump yes | no
             Specify whether npppd(8) dumps received PPTP control packets for
             debugging.  The default is ``no''.

     pptp-ctrl-out-pktdump yes | no
             Specify whether npppd(8) dumps sent PPTP control packets for
             debugging.  The default is ``no''.

     pptp-data-in-pktdump yes | no
             Specify whether npppd(8) dumps received PPTP data packets for
             debugging.  The default is ``no''.

     pptp-data-out-pktdump yes | no
             Specify whether npppd(8) dumps sent PPTP data packets for debug-
             ging.  The default is ``no''.

     pppoe-desc-in-pktdump yes | no
             Specify whether npppd(8) dumps received PPPoE discovery packets
             for debugging.  The default is ``no''.

     pppoe-desc-out-pktdump yes | no
             Specify whether npppd(8) dumps sent PPPoE discovery packets for
             debugging.  The default is ``no''.

     pppoe-session-in-pktdump yes | no
             Specify whether npppd(8) dumps received PPPoE session packets for
             debugging.  The default is ``no''.

     pppoe-session-out-pktdump yes | no
             Specify whether npppd(8) dumps sent PPPoE session packets for
             debugging.  The default is ``no''.

IPCP
     The ipcp setting is described below:

     ipcp name [option ...]

     name specifies the name of this ipcp setting.  The maximum number of ipcp
     settings is 8.

     The supported options are as follows:

     pool-address address-range | address-mask [for dynamic | static]
             Specify the IP address space that is pooled for this IPCP set-
             ting.  The address space can be specified by address-range (e.g.
             192.168.0.2-192.168.0.254) or address-mask (e.g.
             192.168.0.0/24).  dynamic means the address space is reserved
             for dynamic allocation; static means the address space is
             reserved for static
             allocation.  The default is dynamic.  This option can be used
             multiple times.

     dns-servers primary-server-address [secondary-server-address]
             Specify the DNS servers' IP addresses.

     nbns-servers primary-server-address [secondary-server-address]
             Specify the NetBIOS name servers' IP addresses.

     allow-user-selected-address yes | no
             Specify whether npppd(8) is allowed to assign an address selected
             by the user.  The default is ``yes''.

INTERFACE
     The interface setting is described below:

     interface ifname address address ipcp ipcp

     Use a tun(4) or pppx(4) interface and specify its name as ifname.  address is the IP
     address of this interface, and it is used as the tunnel address to the
     tunnel peer.  ipcp specifies the setting name that is used with this
     interface.  The maximum number of interface settings is 8.

AUTHENTICATION
     The authentication setting is described below:

     authentication name type type { option ... }

     Specify a name for this authentication setting.  For type, one of the
     following can be specified:

           local      Authenticates using a local file.
           radius     Authenticates using remote RADIUS servers.

     The supported options are as follows:

     username-suffix string
             Specify the suffix of the username so that npppd(8) selects this
             authentication setting only for a user who has the username that
             matches this suffix pattern.

     strip-nt-domain yes | no
             Specify whether npppd(8) removes the NT domain prefix, such as
             '\\NTDOMAIN\', from the username before requesting the authenti-
             cation server.  The default is ``no''.

     strip-atmark-realm yes | no
             Specify whether npppd(8) removes the realm part that begins '@'
             (atmark) from the username before requesting the authentication
             server.  The default is ``no''.

     users-file string
             Specify the path for npppd-users(5) that describes users' account
             information.  The path must be under /etc/npppd/ because npppd(8)
             is restricted to accessing files only in certain directories.

     authentication-server { radius-config }
             This option describes the settings for a RADIUS authentication
             server.

             address address [port port] [secret secret]
                     Specify the IP address and port of the RADIUS server,
                     and the shared secret.  secret must be less than 127
                     characters.  The default port is 1812 for
                     authentication-server; 1813 for accounting-server.  This
                     option can be specified multiple times (maximum 16) in a
                     radius-config.

             timeout number
                     Specify the maximum time for waiting for a response, in
                     seconds.  The default is 9.

             max-tries number
                     Specify the maximum number of retransmissions.  The
                     default is 3.

             max-failovers number
                     Specify the maximum number of failovers.  The default is
                     1.

     accounting-server { radius-config }
             This option describes the settings for a RADIUS accounting
             server.  See the authentication-server option for details of
             radius-config.

BIND
     bind describes a group of tunnel, authentication, and interface settings
     so that they are used together.

     bind tunnel from tunnel authenticated by authentication to ifname

EXAMPLES
     A very simple configuration example is below:

           tunnel L2TP protocol l2tp
           tunnel PPTP protocol pptp
           ipcp IPCP {
               pool-address 10.0.0.2-10.0.0.254
               dns-servers 8.8.8.8
           }
           interface pppx0 address 10.0.0.1 ipcp IPCP
           authentication LOCAL type local {
               users-file "/etc/npppd/npppd-users"
           }
           bind tunnel from L2TP authenticated by LOCAL to pppx0
           bind tunnel from PPTP authenticated by LOCAL to pppx0

     Another simple configuration, but with two authentication realms:

           tunnel L2TP protocol l2tp {
               listen on 203.0.113.100
           }
           ipcp IPCP {
               pool-address 10.0.0.2-10.0.0.254
               dns-servers 8.8.8.8
           }
           interface tun0 address 10.0.0.1 ipcp IPCP
           interface tun1 address 10.0.0.1 ipcp IPCP
           authentication RADIUS type radius {
               username-suffix "@example.com"
               authentication-server {
                   address 192.168.0.1 secret "hogehoge"
               }
               accounting-server {
                   address 192.168.0.1 secret "hogehoge"
               }
           }
           authentication LOCAL type local {
               username-suffix "@local"
               users-file "/etc/npppd/npppd-users"
           }
           bind tunnel from L2TP authenticated by RADIUS to tun0
           bind tunnel from L2TP authenticated by LOCAL to tun1
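
     Added example (not part of the original manual page and not npppd
     code): a small audit that applies the per-protocol defaults listed under
     TUNNEL to each tunnel block and reports where PAP is still accepted,
     where encryption is not enforced, where short MPPE keys are offered, and
     where the ingress filter is off.  The names parse_tunnels, audit, SAMPLE
     and the finding labels are hypothetical, and the parser only handles an
     opening brace on the same line as the tunnel statement.

```python
import re

# Effective defaults per tunnel protocol, as stated in the option text above.
DEFAULTS = {
    "l2tp":  {"authentication-method": "pap chap mschapv2", "mppe": "yes"},
    "pptp":  {"authentication-method": "mschapv2", "mppe": "required"},
    "pppoe": {"authentication-method": "pap chap mschapv2", "mppe": "yes"},
}
COMMON = {"l2tp-require-ipsec": "no", "ingress-filter": "no"}
TUNNEL_RE = re.compile(
    r"^\s*tunnel\s+(\S+)\s+protocol\s+(\w+)[ \t]*(?:\{(.*?)\})?", re.M | re.S)

def parse_tunnels(text):
    """Return {tunnel name: (protocol, effective options)}."""
    tunnels = {}
    text = re.sub(r"#.*", "", text)  # assumption: '#' starts a comment
    for name, proto, body in TUNNEL_RE.findall(text):
        opts = {**COMMON, **DEFAULTS.get(proto, {})}
        for line in body.splitlines():
            words = line.split()
            if words:                # first word is the option, rest its value
                opts[words[0]] = " ".join(words[1:])
        tunnels[name] = (proto, opts)
    return tunnels

def audit(text):
    """Return a sorted list of (tunnel, finding) for weak tunnel settings."""
    out = []
    for name, (proto, o) in parse_tunnels(text).items():
        ipsec = proto == "l2tp" and o["l2tp-require-ipsec"] == "yes"
        if "pap" in o.get("authentication-method", "").split():
            out.append((name, "pap-allowed"))   # PAP carries the password unencrypted in PPP
        if o.get("mppe") != "required" and not ipsec:
            out.append((name, "encryption-not-enforced"))  # PPP may run without MPPE or IPsec
        if {"40", "56"} & set(o.get("mppe-key-length", "").split()):
            out.append((name, "weak-mppe-key"))
        if o["ingress-filter"] != "yes":
            out.append((name, "no-ingress-filter"))  # spoofed source addresses not dropped
    return sorted(out)

# Constructed sample input (not taken from the manual page).
SAMPLE = """\
tunnel L2TP_WEAK protocol l2tp {
    listen on 203.0.113.100
}
tunnel L2TP_HARD protocol l2tp {
    authentication-method mschapv2
    l2tp-require-ipsec yes
    mppe required
    mppe-key-length 128
    ingress-filter yes
}
tunnel PPTP protocol pptp {
    mppe-key-length 40 128
}
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

     Run against the first configuration in EXAMPLES, the L2TP tunnel is
     reported for all of pap-allowed, encryption-not-enforced and
     no-ingress-filter because it relies entirely on defaults.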

SEE ALSO
     pipex(4), pppx(4), tun(4), npppctl(8), npppd(8)

BUGS
     The current version of npppd(8) does not support adding or removing
     tunnel settings or changing listener settings (listen address, port and
     l2tp-require-ipsec).

BSD                              May 23, 2017                              BSD