.TH ACCEL-PPP.CONF 5 "23 August 2011" .SH NAME .B accel-ppp.conf - ACCEL-PPP VPN daemon configuration .SH DESCRIPTION .BR accel-pppd (8) reads options from this file, usually .IR /etc/accel-ppp.conf .TP Configuration file consists of sections in form: .TP [section1] .br name1=val1 .br name2=val2 .br name3 .TP [section2] .br .... .br .SH SECTIONS .SH [modules] containes list of modules to load .TP .BI log_file This is logging target which logs messages to files. It support per-session/per-user features. .TP .BI log_tcp This is logging target which logs messages over TCP/IP. .TP .BI log_pgsql This is logging target which logs messages to PostgreSQL. .TP .BI pptp .br PPTP controlling connection handling module. .TP .BI pppoe .br PPPoE discovery stage handling module. .TP .BI auth_pap PAP authentication module. .TP .BI auth_chap CHAP (md5) authentication module. .TP .BI auth_mschap_v1 Microsoft CHAP (version 1) authentication module. .TP .BI auth_mschap_v2 Microsoft CHAP (version 2) authentication module. .TP .BI radius .br RADIUS interaction module. .TP .BI ippool .br IPv4 address assigning module. .TP .BI ipv6pool .br IPv6 address assigning module. .TP .BI sigchld Helper module to manage child processes, required by pppd_compat .TP .BI pppd_compat This module starts pppd compatible ip-up/ip-down scripts and ip-change to handle RADIUS CoA request. .SH [core] Configuration of core module .TP .BI "log-error=" path Path to file for core module error logging. .TP .BI "thread-count=" n number of working threads, optimal - number of processors/cores .SH [ppp] .br PPP module configuration. .TP .BI "verbose=" n If n is not zero ppp module will produce verbose logging. .TP .BI "min-mtu=" n Minimum acceptable MTU. If client will try to negotiate less then specified MTU then it will be NAKed or disconnected if rejects greater MTU. .TP .BI "mtu=" n MTU which will be negotiated if client's MRU will be not acceptable. .TP .BI "mru=" n Prefered MRU. .TP .BI "ccp=" n Disable CCP negotiation if this parameter is zero. .TP .BI "sid-case=" upper|lower Specifies in which case generate session identifier (default lower). .TP .BI "check-ip=" 0|1 Specifies whether accel-ppp should check if IP already assigned to other ppp interface (default 0). .TP .BI "single-session=" replace|deny Specifies whether accel-ppp should control sessions count. .br If this option is absent session count control is turned off. If this option is .B replace then accel-ppp will terminate first session when second is authorized. If this option is .B deny then accel-ppp will deny second session authorization. .TP .BI "mppe=" require|prefer|deny Specifies mppe negotioation preference. .br .B require - ask client for mppe, if it rejects drop connection .br .B prefer - ask client for mppe, if it rejects don't fail. .br .B deny - deny mppe. .br Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute. .TP .BI "ipv4=" deny|allow|prefer|require Specify IPv4 (IPCP) negotioation algorithm: .br .B deny - don't negotiate IPv4. .br .B allow - negotiate IPv4 only if client requests. .br .B prefer - ask client for IPv4 negotiation, don't fail if he rejects. .br .B require - require IPv4 negotiation. .TP .BI "ipv6=" deny|allow|prefer|require Parameters are same as above. .TP .BI "ipv6-intf-id=" x:x:x:x|random Specify fixed or random interface identifier for IPv6. .TP .BI "ipv6-peer-intf-id=" x:x:x:x|random|ipv4|calling-sid Specify peer interface identifier for IPv6. .br .B ipv4 - calculate interface identifier from IPv4 address, for example 192:168:0:1. .br .B calling-sid - calculate interface identifier from Calling-Station-Id. .TP .BI "ipv6-accept-peer-intf-id=" 0|1 Specify whether to accept peer's interface identifier. .TP .BI "lcp-echo-interval=" n If this option is given and greater then 0 then lcp module will send echo-request every .B n seconds. .TP .BI "lcp-echo-failure=" n Specifies maximum number of echo-requests may be sent without valid echo-reply, if exceeds connection will be terminated. .TP .BI "lcp-echo-timeout=" sec Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. .TP .BI "unit-cache=" n Specifies number of interfaces to keep in cache. It means that don't destory interface after corresponding session is destoyed, instead place it to cache and use it later for new sessions repeatedly. This should reduce kernel-level interface creation/deletion rate lack. .SH [ipoe] .TP .BI "verbose=" n If n is not zero ipoe module will produce verbose logging. .TP .BI "username=" ifname|lua:function Specifies how to determine username of DHCP user. .br If username= .B ifname then interface name from which packet was arrived will be used as username. .br If username= .B lua:username then lua function with name .B username will be called to construct username from dhcp packet fields. .TP .BI "lease-time=" n Specifies lease time in seconds to be sent to dhcp client. .TP .BI "max-lease-time=" n Specifies max lease time in seconds, after this time session will be terminated if client won't renew it. .TP .BI "unit-cache=" n Specifies number of interfaces to keep in cache. It means that don't destory interface after corresponding session is destoyed, instead place it to cache and use it later for new sessions repeatedly. This should reduce kernel-level interface creation/deletion rate lack. .TP .BI "l4-redirect-table=" n Specifies number of table. If L4-Redirect radius attribute is received and it's value is not 0 or '0' then accel-ppp will add following rule: ip rule add from client_ip table .B n .TP .BI "l4-redirect-on-reject=" n If specified then if radius rejects access 'ip rule add from ip_addr table l4-redirect-table' rule will be created for time .B n seconds. .TP .BI "shared=" 0|1 Specifies default value for per-interface .B shared parameter. .TP .BI "mode=" L2|L3 Specifies default value for per-interface .B mode parameter. .TP .BI "start=" dhcpv4|up Specifies default value for per-interface .B start parameter. .TP .BI "ifcfg=" 0|1 Specifies default value for per-interface .B ifcfg parameter. .TP .BI "relay=" ipv4_address Specifies default value for per-interface .B relay parameter. .TP .BI "interface=" [re:]name[,mode=L2|L3][,shared=0|1][,start=dhcpv4|up] .BI "" [,range=x.x.x.x/mask][,ifcfg=0|1] .BI "" [,relay=x.x.x.x] .BI "" [,giaddr=x.x.x.x] .br Specifies interface to listen dhcp or unclassified packets. You may specify multiple .B interface options. .br If .B name is prefixed with .B re: then .B name is treated as regular expression. .br The .B mode parameter specifies client connectivity mode. If mode= .B L2 then it means that clients are on same network where interface is. .B L3 means that client are behind some router. .br The .B shared parameter specifies where interface is shared by multiple users or it is vlan-per-user. .br The .B start parameter specifies which way session starts (up - unclassified packet). .br The .B range parameter specifies local range of ip address to give to dhcp clients. First IP in range is router IP. .br The .B ifcfg parameter specifies whether accel-ppp should add router IP address and route to client to interface or it is explicitly configured. .br The .B relay parameter specifies DHCPv4 relay IP address to pass requests to. If specified .B giaddr is also needed. .br The .B giaddr parameter specifies relay agent IP address. .TP .BI "local-net=" x.x.x.x/mask Specifies networks from which packets will be treated as unclassified. You may specify multiple local-net options. .SH [dns] .TP .BI "dns1=" x.x.x.x Specifies primary DNS to be sent to peer. .TP .BI "dns2=" x.x.x.x Specifies secondary DNS to be sent to peer. .SH [wins] .TP .BI "wins1=" x.x.x.x Specifies primary NBNS to be sent to peer. .TP .BI "wins2=" x.x.x.x Specifies secondary NBNS to be sent to peer. .SH [dnsv6] .TP .BI "dns=" IPv6_address Specifies IPv6 DNS to be sent to peer. You may specify up to 3 dns options. .TP .BI "dnssl=" name Specify DNS Search List. You may specify multiple dns and dnssl options. .SH [client-ip-range] You have to explicitly specify range of ip address from which clients can connect to server in form: .br .B x.x.x.x/mask (for example 10.0.0.0/8) .br .B x.x.x.x-y (for example 10.0.0.1-254) .SH [pptp] .br Configuration of PPTP module. .TP .BI "bind=" x.x.x.x If this option is given then pptp server will bind to specified IP address. .TP .BI "verbose=" n If this option is given and .B n is greater of zero then pptp module will produce verbose logging. .TP .BI "echo-interval=" n If this option is given and greater then zero then pptp module will send echo-request every .B n seconds. .TP .BI "echo-failure=" n Specifies maximum number of echo-requests may be sent without valid echo-reply, if exceeds connection will be terminated. .TP .BI "timeout=" n Timeout waiting reply from client in seconds (default 5). .TP .BI "mppe=" deny|allow|prefer|require .SH [pppoe] .br Configuration of PPPoE module. .TP .BI "interface=" [re:]ifname[,padi-limit=n] Specifies interface name to listen/send discovery packets. You may specify multiple .B interface options. If .B ifname is prefixed with .B re: then ifname is considered as regular expression. Optional .B padi-limit parameter specifies limit of PADI packets to reply on this interface in 1 second period. .TP .BI "ac-name=" ac-name Specifies AC-Name tag value. If absent tag will not be sent. .TP .BI "service-name=" service-name Specifies Service-Name to respond. If absent any Service-Name is acceptable and client's Service-Name will be sent back. .TP .BI "pado-delay=" delay[,delay1:count1[,delay2:count2[,...]]] Specifies delays (also in condition of connection count) to send PADO (ms). Last delay in list may be -1 which means don't accept new connections. List have to be sorted by count key. .TP .BI "mac-filter=" filename,type Specifies mac-filter filename and type, type maybe .B allow or .B deny .TP .BI "ifname-in-sid=" called-sid|calling-sid|both Specifies that interface name should be present in Called-Station-ID or in Calling-Station-ID or in both attributes. .TP .BI "verbose=" n If this option is given and .B n is greater of zero then pppoe module will produce verbose logging. .TP .BI "tr101=" 0|1 Specifies whether to handle TR101 tags. .TP .BI "padi-limit=" n Specifies overall limit of PADI packets to reply in 1 second period (default 0 - unlimited). Rate of per-mac PADI packets is limited to no more than 1 packet per second. .TP .BI "mppe=" deny|allow|prefer|require .SH [l2tp] .br Configuration of L2TP module. .TP .BI "bind=" x.x.x.x Specifies IP address to bind. .TP .BI "host-name=" string This name will be sent to clients in Host-Name attribute. .TP .BI "hello-interval=" n Specifies interval (in seconds) to send Hello control message. Its used for keep alive connection. If peer will not respond to Hello connection will be terminated. .TP .BI "timeout=" n Specifies timeout (in seconds) to wait peer completes tunnel and session negotiation. .TP .BI "rtimeout=" n Specifies timeout (in seconds) to wait message acknowledge, if elapsed message retransmition will be performed. .TP .BI "retransmit=" n Specifies maximum number of message retransmission, if exceeds connection will be terminated. .TP .BI "verbose=" n If this option is given and .B n is greater of zero then l2tp module will produce verbose logging. .TP .BI "mppe=" deny|allow|prefer|require .TP .TP .BI "secret=" string Specifies secret to connect to server. .SH [radius] .br Configuration of RADIUS module. .TP .BI "nas-identifier=" identifier Specifies value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. .TP .BI "nas-ip-address=" x.x.x.x Specifies value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. .TP .BI "gw-ip-address=" x.x.x.x Specifies address to use as local address of ppp interfaces if Framed-IP-Address received from RADIUS server. .TP .BI "auth-server=" x.x.x.x:port,secret Specifies IP address, port and secret of authentication RADIUS server. (obsolete) .TP .BI "acct-server=" x.x.x.x:port,secret Specifies IP address, port and secret of accounting RADIUS server. (obsolete) .TP .BI "server=" address,secret[,auth-port=1812][,acct-port=1813][,req-limit=0][,fail-time=0] Specifies IP address, secret, ports of RADIUS server. .br .B req-limit - number of simultaneous requests to server (0 - unlimited). .br .B fail-time - if server doesn't responds mark it as unavailable for this time (sec). .br If you want to specify only authentication or accounting server then set auth-port/acct-port to zero. You may specify multiple radius servers. .TP .BI "dae-server=" x.x.x.x:port,secret Specifies IP address, port to bind and secret for Dynamic Authorization Extension server (DM/CoA). .TP .BI "dm_coa_secret=" secret (deprecated, use dae-server instead) Specifies secret to use in DM/CoA communication. .TP .BI "acct-interim-interval=" n Specifies interval in seconds to send accounting information (may be overriden by radius Acct-Interim-Interval attribute) .TP .BI "verbose=" n If this option is given and .B n is greater of zero then radius module will produce verbose logging. .TP .BI "interim-verbose=" n If this option is given and .B n is greater of zero then radius module will produce verbose logging of interim radius packets. .TP .BI "timeout=" n Timeout to wait response from server (sec) .TP .BI "max-try=" n Specifies number of tries to send Access-Request/Accounting-Request queries. .TP .BI "acct-timeout=" n Specifies timeout of accounting interim update. .TP .BI "acct-delay-time=" 0|1 Specifies whether radius client should include Acct-Delay-Time attribute to accounting requests (default 0). .TP .BI "default-realme=" realm Append specified realm to username. .TP .SH [log] .br Configuration of log and log_file modules. .TP .BI "log-file=" file Path to file to write general log. .TP .BI "log-emerg=" file Path to file to write emergency messages. .TP .BI "log-fail-file=" file Path to file to write authentication failed session log. .TP .BI "log-tcp=" x.x.x.x:port Send logs to specified host. .TP .BI "syslog=" ident[,facility] Send logs to system logger. Facility may be: daemon, local0-local7 or numeric value. .TP .BI "copy=" n If this options is given and greater then zero logging engine will duplicate session log in general log. (Useful when per-session/per-user logs are not used) .TP .BI "per-session-dir=" dir Directory for session logs. If specified each session will be logged separately to file which name is unique session identifier. .TP .BI "per-user-dir=" dir Directory for user logs. If specified all sessions of same user will be logged to file which name is user name. .TP .BI "per-session=" n If specified and n is greater then zero each session of same user will be logger separately to directory specified by "per-user-dir" and subdirectory which name is user name and to file which name os unique session identifier. .TP .BI "level=" n Specifies log level which values are: .br .B 0 turn off all logging .br .B 1 log only error messages .br .B 2 log error and warning messages .br .B 3 log error, warning and minimum information messages (use this level in conjuction with verbose option of other modules if you need verbose logging) .br .B 4 log error, warning and full information messages (use this level in conjuction with verbose option of other modules if you need verbose logging) .br .B 5 log all messages including debug messages .SH [log-pgsql] .br Configuration of log_pgsql module. .TP .BI "conninfo=" conninfo Conninfo to connect to PostgreSQL server. .TP .BI "log-table=" table Table to send log messages. Table must contain following field: .br .B timestamp timestamp .br .B username text .br .B sessionid text .br .B msg text .SH [pppd_compat] .br Configuration of pppd_compat module. .TP .BI "ip-pre-up=" file Path to ip-pre-up script which is executed before ppp interface comes up, useful to setup firewall rules before any traffic can pass through the interface. .TP .BI "ip-up=" file Path to ip-up script which is executed when ppp interfaces is completly configured and started. .TP .BI "ip-down=" file Path to ip-down script which is executed when session is about to terminate. .TP .BI "ip-change=" file Path to ip-change script which is executed for RADIUS CoA handling. .TP .BI "radattr=" prefix Prefix of radattr files (for example /var/run/radattr, resulting files will be /var/run/radattr.pppX) .TP .BI "verbose=" n If specified and greated then zero pppd_module will produce verbose logging. .SH [chap-secrets] .br Configuration of chap-secrets module. .TP .BI "gw-ip-address=" x.x.x.x Specifies address to use as local address of ppp interfaces if chap-secrets is used for IP address assignment. .TP .BI "chap-secrets=" file Specifies alternate chap-secrets file location (default is /etc/ppp/chap-secrets). .TP .BI "encrypted=" 0|1 Specifies either chap-secrets is encrypted (read README). .TP .BI "username-hash=" hash1[,hash2] Specifies hash chain to calculate username hash. .br .B hash1 , .B hash2 are openssl known digest names (md5, sha1, etc). .TP .SH [ip-pool] .br Configuration of ippool module. .TP .BI "gw-ip-address=" x.x.x.x Specifies single IP address to be used as local address of ppp interfaces. .TP .BI "gw=" range Specifies range of local address of ppp interfaces if form: .br .B x.x.x.x/mask[,pool_name] (for example 10.0.0.0/8) .br .B x.x.x.x-y[,pool_name] (for example 10.0.0.1-254) .TP .BI "tunnel=" range Specifies range of remote address of ppp interfaces if form: .br .B x.x.x.x/mask[,pool_name] .br .B x.x.x.x-y[,pool_name] .TP .BI "x.x.x.x/mask[,pool_name] or x.x.x.x-y[,pool_name]" Also specifies range of remote address of ppp interfaces. .TP .BI "attr=" attribute Specifies which Radius attribute containes pool name. .TP .BI "vendor=" vendor If attribute is vendor-specific then specify vendor name in this option. .SH [ipv6-pool] .br Configuration of ipv6pool module. .br Format of each row is .br .B ipv6prefix/mask,prefix_len for example: .br .B fc00:0:1::/48,64 - specifies pool of address by dividing prefix fc00:0:1::/48 to networks with 64 prefix len, e.g: .br fc00:0:1:0::/64 .br fc00:0:1:1::/64 .br ... fc00:0:1:ffff::/64 .TP .BI "delegate=" ipv6prefix/mask,prefix_len Specifies range of prefixes to delegate to clients through DHCPv6 prefix delegation (rfc3633). Format is same as described above. .SH [connlimit] .br This module limits connection rate from single source. .TP .BI "limit=" count/time Specifies acceptable rate of connections, for example limit=1/s or limit=10/m. .TP .BI "burst=" count .TP .BI "timeout=" n Specifies timeout in seconds after which module doesn't check rate until burst number of connections will be arrived. .SH [shaper] .br This module controls shaper. .TP .BI "attr=" name Specifies which radius attribute contains rate information. Default - Filter-ID. .TP .BI "attr-up=" name .TP .BI "attr-down=" name Specifies which radius attributes contains rate information for upstream and downstream respectively. .TP .BI "burst-factor=" n Burst will be calculated as rate multyply burst-factor. .TP .BI "up-burst-factor=" n .TP .BI "down-burst-factor=" n Specifies burst factor for upstream and downstream respectively. .TP .BI "latency=" n Specifies latency (in miliseconds) parameter of tbf qdisc. .TP .BI "mpu=" n Specifies mpu parameter of tbf qdisc and policer. .TP .BI "r2q=" n Specifies r2q parameter of root htb qdisc. .TP .BI "quantum=" n Specifies quantum parameter of htb classes. .TP .BI "up-limiter=" police|htb Specifes upstream rate limiting method. .TP .BI "down-limiter=" tbf|htb Specifies downstream rate limiting method. .TP .BI "leaf-qdisc=" "qdisc parameters" In case if htb is used as up-limiter or down-limiter specified leaf qdisc can be attached automaticaly. At present only sfq qdisc is implemented. Parameters are same as for tc: [ limit NUMBER ] [ perturn SECS ] [ quantum BYTES ]. .SH [cli] .br Configuration of the command line interface. .TP .BI "tcp=" host:port Defines on which IP address and port the TCP module will listen for incoming connections. When \fIhost\fR is empty, the TCP module listens on all local interfaces. It isn't loaded if this option isn't defined. .TP .BI "telnet=" host:port Defines on which IP address and port the Telnet module will listen for incoming connections. When \fIhost\fR is empty, the Telnet module listens on all local interfaces. It isn't loaded if this option isn't defined. .TP .BI "password=" passwd Defines the password to be used by the TCP and Telnet modules for authenticating clients. No authentication is performed if this option isn't defined. .TP .BI "prompt=" prompt Defines the prompt string used by the Telnet module (defaults to \fIaccel-ppp\fR). .TP .BI "history-file=" filename Defines the file used by the Telnet module for loading and storing its command history (defaults to \fI/var/run/accel-ppp/history\fR). .TP .BI "sessions-columns=" column_list Defines the default set of columns to be displayed by the "show sessions" command (defaults to \fIifname,username,calling-sid,ip,rate-limit,type,comp,state,uptime\fR). Invalid column names are silently discarded.