NAME
npppd.conf — NPPP daemon configuration file
DESCRIPTION
npppd.conf is the configuration file for
the PPP daemon npppd(8).
npppd.conf is divided into the following
main sections:
Global
The global options are as follows:
set max-session number - Specify the maximum number of sessions. ‘0’ means no limit. The default value is 0.
set user-max-session number - Specify the maximum number of sessions for each user. ‘0’ means no limit. The default value is 0.
Tunnel
The tunnel setting is described below:
tunnel name protocol protocol [option ...]
Specify the tunnel protocol:
The supported options are as follows:
listen on address [port port] - Specify the IP address that this tunnel listens on. Both IPv4 and IPv6 addresses can be used for L2TP. Only IPv4 addresses can be used for PPTP. If the port is omitted, the default port numbers are used. The default port numbers are 1723 for PPTP and 1701 for L2TP. The default value is 0.0.0.0. This option is for PPTP and L2TP only. This option can be used multiple times.
listen on interface interface-name - Specify the interface name that this PPPoE tunnel listens on. The interface must be an Ethernet interface. This option is for PPPoE only.
l2tp-hostname string - Specify an L2TP hostname. The default value is the value that is returned by gethostname(3). This option is for L2TP only.
l2tp-vendor-name string - Specify an L2TP vendor name. The default value is "" (an empty string). This option is for L2TP only.
l2tp-hello-interval number - Specify the interval time between L2TP hello requests, in seconds. The default value is 60. This option is for L2TP only.
l2tp-hello-timeout number - Specify the maximum time that npppd(8) waits for L2TP hello responses, in seconds. The default value is 30. This option is for L2TP only.
l2tp-accept-dialin yes | no - If “yes” is specified, npppd(8) accepts Proxy-LCP and Proxy-Authentication AVPs from the LAC to do “compulsory tunneling mode”. The default is “no”. This option is for L2TP only.
l2tp-lcp-renegotiation yes | no - If “yes” is specified, npppd(8) will normally use the LCP that is received in Proxied-LCP AVPs, but if that LCP is not acceptable npppd(8) will negotiate LCP again. The default is “yes”. This option is for L2TP only.
l2tp-force-lcp-renegotiation yes | no - If “yes” is specified, npppd(8) will not use the LCP that is received in Proxied-LCP AVPs; it will always negotiate LCP again. The default is “no”. This option is for L2TP only.
l2tp-data-use-seq yes | no - Specify “yes” to use sequencing for L2TP data communications. The default is “yes”. This option is for L2TP only.
l2tp-require-ipsec yes | no - Specify “yes” to refuse L2TP connections without IPsec encapsulation. The default is “no”. This option is for L2TP only.
pptp-hostname string - Specify a PPTP hostname. The default value is "" (an empty string). This option is for PPTP only.
pptp-vendor-name string - Specify a PPTP vendor name. The default value is "" (an empty string). This option is for PPTP only.
pptp-echo-interval number - Specify the interval time between PPTP echo requests, in seconds. The default value is 60. This option is for PPTP only.
pptp-echo-timeout number - Specify the maximum time that npppd(8) waits for PPTP echo replies, in seconds. The default value is 60. This option is for PPTP only.
pppoe-service-name string - Specify a service name. The default is "" (an empty string). This option is for PPPoE only.
pppoe-accept-any-service yes | no - If “yes” is specified, npppd(8) accepts requests from clients that accept any service name. The default value is “yes”. This option is for PPPoE only.
pppoe-ac-name string - Specify the access concentrator (AC) name. The default value is derived from the MAC address of the listening interface. This option is for PPPoE only.
mru number - Specify the Maximum Receive Unit (MRU). This value is used in LCP negotiation to ask the peer not to send packets larger than MRU octets. The peer may use the MRU to decide its MTU, but this depends on the implementation. The default values are 1360 for L2TP, 1400 for PPTP, and 1492 for PPPoE.
lcp-keepalive yes | no - Specify whether npppd(8) uses LCP keepalive. The default value is “no” for L2TP and “yes” for PPTP and PPPoE.
lcp-keepalive-interval number - Specify the interval time between LCP echo requests, in seconds. The default value is 300.
lcp-keepalive-retry-interval number - Specify the interval, in seconds, between LCP echo request retries when no echo reply has been received from the peer. The default value is 60.
lcp-keepalive-max-retries number - Specify the maximum number of LCP echo retries. If the peer doesn't respond and the number of retries reaches this value, npppd(8) treats the link as dead and closes it. The default value is 3.
lcp-timeout number - Specify the timeout value for LCP retransmission, in seconds. The default value is 3.
lcp-max-configure number - Specify the maximum number of LCP configure request transmissions. The default value is 10.
lcp-max-terminate number - Specify the maximum number of LCP terminate request transmissions. The default value is 2.
lcp-max-nak-loop number - Specify the maximum number of LCP configure NAK loops. The default value is 5.
authentication-method authentication-method ... - Specify an authentication method:
pap - Password Authentication Protocol.
chap - PPP Challenge Handshake Authentication Protocol (RFC 1994).
mschapv2 - Microsoft PPP CHAP Extensions, Version 2 (RFC 2749).
mschapv2 is used as the default for PPTP; pap chap mschapv2 is used as the default for other protocols.
ccp-timeout number - Specify the timeout value for CCP retransmission, in seconds. The default value is 3.
ccp-max-configure number - Specify the maximum number of CCP configure request transmissions. The default value is 10.
ccp-max-terminate number - Specify the maximum number of CCP terminate request transmissions. The default value is 2.
ccp-max-nak-loop number - Specify the maximum number of CCP configure NAK loops. The default value is 5.
ipcp-timeout number - Specify the timeout value for IPCP retransmission, in seconds. The default value is 3.
ipcp-max-configure number - Specify the maximum number of IPCP configure request transmissions. The default value is 10.
ipcp-max-terminate number - Specify the maximum number of IPCP terminate request transmissions. The default value is 2.
ipcp-max-nak-loop number - Specify the maximum number of IPCP configure NAK loops. The default value is 5.
mppe yes | no | required - If “yes” is specified, npppd(8) will negotiate to use Microsoft Point-to-Point Encryption (MPPE), and it will continue the PPP even if the negotiation fails. If “required” is specified, npppd(8) will negotiate to use MPPE, and it will not continue the PPP if the negotiation fails. If “no” is specified, npppd(8) will negotiate not to use MPPE and it will refuse to use MPPE. The default value is “required” for PPTP and “yes” for L2TP and PPPoE.
mppe-key-length key-length ... - Specify key lengths for this configuration. The following key lengths can be used:
128 - 128-bit encryption.
56 - 56-bit encryption.
40 - 40-bit encryption.
mppe-key-state mode ... - Specify the key change modes that this configuration supports. The following modes can be used:
stateful - Stateful mode key changes.
stateless - Stateless mode key changes.
idle-timeout number - Specify the value for the idle timer, in seconds. The link is disconnected if no data packets are sent or received for longer than the idle-timeout. The default is 0, which disables the idle timer. This value must be 0 for pppx(4) sessions.
tcp-mss-adjust yes | no - If “yes” is specified, npppd(8) adjusts TCP SYN packets so that the value of the TCP maximum segment size (MSS) is less than the value calculated from the link MTU. The default value is “no”.
ingress-filter yes | no - If “yes” is specified, npppd(8) applies an ingress filter to incoming packets. The ingress filter drops all packets whose source address does not match the address assigned by npppd(8) for the link. The default value is “no”.
pipex yes | no - Specify whether npppd(8) uses pipex(4). The default is “yes”. The sysctl(8) variable net.pipex.enable must also be enabled to use pipex(4). This value must be “yes” for pppx(4) interfaces.
debug-dump-pktin protocol ... - If this option is specified, npppd(8) dumps received packets which match the specified protocol. The following protocols can be specified:
debug-dump-pktout protocol ... - If this option is specified, npppd(8) dumps sent packets which match the specified protocol. See the debug-dump-pktin section for protocol.
l2tp-ctrl-in-pktdump yes | no - Specify whether npppd(8) dumps received L2TP control packets for debugging. The default is “no”.
l2tp-ctrl-out-pktdump yes | no - Specify whether npppd(8) dumps sent L2TP control packets for debugging. The default is “no”.
l2tp-data-in-pktdump yes | no - Specify whether npppd(8) dumps received L2TP data packets for debugging. The default is “no”.
l2tp-data-out-pktdump yes | no - Specify whether npppd(8) dumps sent L2TP data packets for debugging. The default is “no”.
pptp-ctrl-in-pktdump yes | no - Specify whether npppd(8) dumps received PPTP control packets for debugging. The default is “no”.
pptp-ctrl-out-pktdump yes | no - Specify whether npppd(8) dumps sent PPTP control packets for debugging. The default is “no”.
pptp-data-in-pktdump yes | no - Specify whether npppd(8) dumps received PPTP data packets for debugging. The default is “no”.
pptp-data-out-pktdump yes | no - Specify whether npppd(8) dumps sent PPTP data packets for debugging. The default is “no”.
pppoe-desc-in-pktdump yes | no - Specify whether npppd(8) dumps received PPPoE discovery packets for debugging. The default is “no”.
pppoe-desc-out-pktdump yes | no - Specify whether npppd(8) dumps sent PPPoE discovery packets for debugging. The default is “no”.
pppoe-session-in-pktdump yes | no - Specify whether npppd(8) dumps received PPPoE session packets for debugging. The default is “no”.
pppoe-session-out-pktdump yes | no - Specify whether npppd(8) dumps sent PPPoE session packets for debugging. The default is “no”.
IPCP
The ipcp setting is described below:
ipcp name [option ...]
name specifies the name of this
ipcp setting. The maximum number of
ipcp settings is 8.
The supported options are as follows:
pool-address address-range | address-mask [for dynamic | static] - Specify the IP address space that is pooled for this IPCP setting. The address space can be specified by address-range (e.g. 192.168.0.2-192.168.0.254) or address-mask (e.g. 192.168.0.0/24). dynamic means the address space is reserved for dynamic allocation; static means the address space is reserved for static allocation. The default is dynamic. This option can be used multiple times.
dns-servers primary-server-address [secondary-server-address] - Specify the DNS servers' IP addresses. When this option is not specified and the authenticated realm (the RADIUS server) specifies the DNS servers' addresses, they are used as the default. To stop using them, set this option to "0.0.0.0".
nbns-servers primary-server-address [secondary-server-address] - Specify the NetBIOS name servers' IP addresses. When this option is not specified and the authenticated realm (the RADIUS server) specifies the NetBIOS servers' addresses, they are used as the default. To stop using them, set this option to "0.0.0.0".
allow-user-selected-address yes | no - Specify whether npppd(8) is allowed to assign an address selected by the user. The default is “yes”.
max-session number - Specify the maximum number of sessions for this ipcp setting. ‘0’ means no limit. The default value is 0.
Interface
The interface setting is described
below:
interface ifname address address ipcp ipcp
Use pppac(4) or
pppx(4) and specify its name
to ifname. address is the IP
address of this interface, and it is used as the tunnel address to the
tunnel peer. ipcp specifies the setting name that is
used with this interface. The maximum number of
interface settings is 8.
Authentication
The authentication setting is described
below:
authentication name type type { option ... }
Specify a name for this authentication setting. For type, one of the following can be specified:
The supported options are as follows:
username-suffix string - Specify the suffix of the username so that npppd(8) selects this authentication setting only for a user whose username matches this suffix pattern.
strip-nt-domain yes | no - Specify whether npppd(8) removes the NT domain prefix, such as '\\NTDOMAIN\', from the username before contacting the authentication server. The default is “yes”.
strip-atmark-realm yes | no - Specify whether npppd(8) removes the realm part that begins with an at sign ('@') from the username before contacting the authentication server. The default is “no”.
users-file string - Specify the path of the npppd-users(5) file that describes users' account information. The path must be under /etc/npppd/ because npppd(8) is restricted to accessing files only in certain directories.
authentication-server { radius-config } - This option describes the settings for a RADIUS authentication server. The options of radius-config are:
address address [port port] [secret secret] - Specify the IP address and port of the RADIUS server, using the shared secret. secret must be less than 127 characters. The default port is 1812 for authentication-server and 1813 for accounting-server. This option can be specified multiple times (maximum 16) in a radius-config.
timeout number - Specify the maximum time to wait for a response, in seconds. The default is 9.
max-tries number - Specify the maximum number of retransmissions. The default is 3.
max-failovers number - Specify the maximum number of failovers. The default is 1.
accounting-server { radius-config } - This option describes the settings for a RADIUS accounting server. See the authentication-server section for details of radius-config.
user-max-session number - Specify the maximum number of sessions for each user for this authentication setting.
Bind
bind describes a group of
tunnel, authentication, and
interface settings so that they are used together.
bind tunnel from tunnel authenticated by authentication to ifname
RADIUS
radius configures the RADIUS features. The
supported options are as follows:
radius nas-id identifier - Specify the identifier that is sent to the RADIUS peers in the NAS-Identifier attribute.
radius dae listen on address [port number] - Enable the Dynamic Authorization Extensions for RADIUS (DAE, RFC 5176) server. Specify the local address npppd(8) should listen on for DAE requests. Optionally specify a port number; the default port number is 3799.
radius dae client address secret secret - Specify the address of a DAE client and its shared secret.
EXAMPLES
A very simple configuration example is below:
tunnel L2TP protocol l2tp
tunnel PPTP protocol pptp
ipcp IPCP {
pool-address 10.0.0.2-10.0.0.254
dns-servers 8.8.8.8
}
interface pppx0 address 10.0.0.1 ipcp IPCP
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
bind tunnel from L2TP authenticated by LOCAL to pppx0
bind tunnel from PPTP authenticated by LOCAL to pppx0
Another simple configuration, but with two authentication realms:
tunnel L2TP protocol l2tp {
listen on 203.0.113.100
}
ipcp IPCP {
pool-address 10.0.0.2-10.0.0.254
dns-servers 8.8.8.8
}
interface pppac0 address 10.0.0.1 ipcp IPCP
interface pppac1 address 10.0.0.1 ipcp IPCP
authentication RADIUS type radius {
username-suffix "@example.com"
authentication-server {
address 192.168.0.1 secret "hogehoge"
}
accounting-server {
address 192.168.0.1 secret "hogehoge"
}
}
authentication LOCAL type local {
username-suffix "@local"
users-file "/etc/npppd/npppd-users"
}
bind tunnel from L2TP authenticated by RADIUS to pppac0
bind tunnel from L2TP authenticated by LOCAL to pppac1
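As an added example (not part of npppd or this manual page), the following Python audit parses the brace layout shown in the examples above and applies the tunnel defaults documented in the Tunnel section (mppe, l2tp-require-ipsec, ingress-filter, mppe-key-length) to flag tunnels that accept unencrypted, non-IPsec or spoofable traffic. The configuration it audits is constructed inline; the parser is an assumption that covers only the syntax shown on this page.

```python
import shlex  # added example, not npppd code; option defaults follow npppd.conf(5) above

SAMPLE_CONF = """\
tunnel PPTP protocol pptp {
    mppe yes
    mppe-key-length 40 56 128
}
tunnel L2TP protocol l2tp
tunnel PPPOE protocol pppoe {
    mppe required
    mppe-key-length 128
    ingress-filter yes
}
"""  # constructed sample: PPTP weakened, L2TP left at defaults, PPPoE hardened

def parse_blocks(text):
    """Top-level statements as (header_tokens, [option_tokens, ...]); a line ending
    in '{' opens a block, '}' closes it, nested blocks fold into the enclosing one."""
    blocks, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if line == "}":
            stack.pop()
        elif line:
            toks = shlex.split(line.rstrip("{ "))
            if stack:
                stack[-1][1].append(toks)         # option inside an open block
            else:
                blocks.append((toks, []))         # new top-level statement
            if line.endswith("{"):
                stack.append(stack[-1] if stack else blocks[-1])
    return blocks

def audit_tunnels(text):
    """Return (tunnel_name, finding) pairs; documented defaults fill in absent options."""
    findings = []
    for head, opts in parse_blocks(text):
        if head[0] != "tunnel" or len(head) < 4:
            continue
        name, proto = head[1], head[3].lower()
        opt = {o[0]: o[1:] for o in opts if o}
        if proto == "l2tp" and (opt.get("l2tp-require-ipsec") or ["no"])[0] != "yes":
            findings.append((name, "l2tp-require-ipsec is not 'yes': L2TP without IPsec accepted"))
        mppe = (opt.get("mppe") or ["required" if proto == "pptp" else "yes"])[0]
        if proto != "l2tp" and mppe != "required":
            findings.append((name, "mppe is not 'required': unencrypted PPP is accepted"))
        if (opt.get("ingress-filter") or ["no"])[0] != "yes":
            findings.append((name, "ingress-filter is 'no': packets from unassigned source addresses pass"))
        if {"40", "56"} & set(opt.get("mppe-key-length", [])):
            findings.append((name, "mppe-key-length permits 40/56-bit MPPE keys"))
    return findings
```

Running audit_tunnels on a real /etc/npppd/npppd.conf reports one line per weak tunnel; a tunnel that appears only as a bare tunnel line is audited against the defaults the manual states.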
SEE ALSO
BUGS
The current version of npppd(8) does not support adding or removing tunnel settings or changing listener settings (listen address, port and l2tp-ipsec-require).