1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
|
.TH ACCEL-PPP.CONF 5 "23 August 2011"
.SH NAME
.B accel-ppp.conf
- ACCEL-PPP VPN daemon configuration
.SH DESCRIPTION
.BR accel-pppd (8)
reads options from this file, usually
.IR /etc/accel-ppp.conf
.TP
Configuration file consists of sections in form:
.TP
[section1]
.br
name1=val1
.br
name2=val2
.br
name3
.TP
[section2]
.br
....
.br
.SH SECTIONS
.SH [modules]
containes list of modules to load
.TP
.BI log_file
This is logging target which logs messages to files. It support per-session/per-user features.
.TP
.BI log_syslog
This is logging target which logs messages to syslog.
.TP
.BI log_tcp
This is logging target which logs messages over TCP/IP.
.TP
.BI log_pgsql
This is logging target which logs messages to PostgreSQL.
.TP
.BI pptp
.br
PPTP controlling connection handling module.
.TP
.BI pppoe
.br
PPPoE discovery stage handling module.
.TP
.BI sstp
.br
SSTP controlling connection handling module.
.TP
.BI auth_pap
PAP authentication module.
.TP
.BI auth_chap_md5
CHAP (md5) authentication module.
.TP
.BI auth_mschap_v1
Microsoft CHAP (version 1) authentication module.
.TP
.BI auth_mschap_v2
Microsoft CHAP (version 2) authentication module.
.TP
.BI radius
.br
RADIUS interaction module.
.TP
.BI ippool
.br
IPv4 address assigning module.
.TP
.BI ipv6pool
.br
IPv6 address assigning module.
.TP
.BI sigchld
Helper module to manage child processes, required by pppd_compat
.TP
.BI pppd_compat
This module starts pppd compatible ip-up/ip-down scripts and ip-change to handle RADIUS CoA request.
.SH [core]
Configuration of core module
.TP
.BI "log-error=" path
Path to file for core module error logging.
.TP
.BI "thread-count=" n
number of working threads, optimal - number of processors/cores
.SH [common]
Containes common params for all connection types
.TP
.BI "single-session=" replace|deny
Specifies whether accel-ppp should control sessions count.
.br
If this option is absent session count control is turned off.
.br
If this option is
.B replace
then accel-ppp will terminate first session when second is authorized.
.br
If this option is
.B deny
then accel-ppp will deny second session authorization.
.TP
.BI "sid-case=" upper|lower
Specifies in which case generate session identifier (default lower).
.TP
.BI "sid-source=" urandom|seq
Specifies method assign session id (default urandom).
.br
.B urandom
Assign session id by random method
.br
.B seq
Assign session id by sequence method
.TP
.BI "seq-file=" path
Path to file for sessions sequence number. Start sequence number may be set there (default /var/lib/accel-ppp/seq).
.TP
.BI "max-sessions=" n
Specifies maximum sessions which server may processed (default 0, disabled)
.SH [ppp]
.br
PPP module configuration.
.TP
.BI "verbose=" n
If n is not zero ppp module will produce verbose logging.
.TP
.BI "min-mtu=" n
Minimum acceptable MTU. If client will try to negotiate less then specified MTU then it will be NAKed or disconnected if rejects greater MTU.
.TP
.BI "mtu=" n
MTU which will be negotiated if client's MRU will be not acceptable.
.TP
.BI "mru=" n
Prefered MRU.
.TP
.BI "accomp=" allow|deny|n
Address/Control compression negotiation.
.br
.B allow
- prefere in send and don't deny in receive directions
.br
.B deny
- disable in both directions, default behavior
.TP
.BI "pcomp=" allow|deny|n
Protocol field compression negotiation.
.br
.B allow
- prefere in send and don't deny in receive directions
.br
.B deny
- disable in both directions, default behavior
.TP
.BI "ccp=" n
Disable CCP negotiation if this parameter is zero.
.TP
.BI "check-ip=" 0|1
Specifies whether accel-ppp should check if IP already assigned to other ppp interface (default 0).
.TP
.BI "mppe=" require|prefer|deny
Specifies mppe negotioation preference.
.br
.B require
- ask client for mppe, if it rejects drop connection
.br
.B prefer
- ask client for mppe, if it rejects don't fail.
.br
.B deny
- deny mppe.
.br
Default behavior - don't ask client for mppe, but allow it if client wants.
Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute.
.TP
.BI "ipv4=" deny|allow|prefer|require
Specify IPv4 (IPCP) negotioation algorithm:
.br
.B deny
- don't negotiate IPv4.
.br
.B allow
- negotiate IPv4 only if client requests.
.br
.B prefer
- ask client for IPv4 negotiation, don't fail if he rejects.
.br
.B require
- require IPv4 negotiation.
.TP
.BI "ipv6=" deny|allow|prefer|require
Parameters are same as above.
.TP
.BI "ipv6-intf-id=" x:x:x:x|random
Specify fixed or random interface identifier for IPv6.
.TP
.BI "ipv6-peer-intf-id=" x:x:x:x|random|ipv4|calling-sid
Specify peer interface identifier for IPv6.
.br
.B ipv4
- calculate interface identifier from IPv4 address, for example 192:168:0:1.
.br
.B calling-sid
- calculate interface identifier from Calling-Station-Id.
.TP
.BI "ipv6-accept-peer-intf-id=" 0|1
Specify whether to accept peer's interface identifier.
.TP
.BI "lcp-echo-interval=" n
If this option is given and greater then 0 then lcp module will send echo-request every
.B n
seconds.
.TP
.BI "lcp-echo-failure=" n
Specifies maximum number of echo-requests may be sent without valid echo-reply, if exceeds connection will be terminated.
.TP
.BI "lcp-echo-timeout=" sec
Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used.
.TP
.BI "unit-cache=" n
Specifies number of interfaces to keep in cache. It means that don't destory interface after corresponding session is destoyed, instead place it to cache and use it later for new sessions repeatedly.
This should reduce kernel-level interface creation/deletion rate lack.
.TP
.BI "unit-preallocate=" 0|1
If set to 1 then allocate ppp unit (interface) before authorization, so Nas-Port and Nas-Port-Id would be defined in Access-Request phase.
.SH [ipoe]
.TP
.BI "verbose=" n
If n is not zero ipoe module will produce verbose logging.
.TP
.BI "username=" ifname|lua:function
Specifies how to determine username of user.
.br
If username=
.B ifname
then interface name from which packet was arrived will be used as username.
.br
If username=
.B lua:username
then lua function with name
.B username
will be called to construct username from dhcp packet fields.
.TP
.BI "password=" username|csid|empty|<string>
Specifies how to generate password.
.br
If password=
.B username
then password will be same as username.
.br
If password=
.B empty
then password will be empty string.
.br
If password=
.B csid
then password will be same as Calling-Station-Id.
.br
Or you can specify fixed password in
.B <string>.
.TP
.BI "lease-time=" n
Specifies lease time in seconds to be sent to dhcp client.
.TP
.BI "renew-time=" n
Specifies lease renew time (option 58) in seconds to be sent to dhcp client.
.TP
.BI "max-lease-time=" n
Specifies max lease time in seconds, after this time session will be terminated if client won't renew it.
.TP
.BI "unit-cache=" n
Specifies number of interfaces to keep in cache. It means that don't destory interface after corresponding session is destoyed, instead place it to cache and use it later for new sessions repeatedly.
This should reduce kernel-level interface creation/deletion rate lack.
.TP
.BI "l4-redirect-table=" n
Specifies number of table. If L4-Redirect radius attribute is received and it's value is not 0 or '0' then accel-ppp will add following rule: ip rule add from client_ip table
.B n
.TP
.BI "l4-redirect-ipset=" name
Specifies name of ipset list. If L4-Redirect radius attribute is received and it's value is not 0 or '0' then accel-ppp will add client's ip to that ipset name.
.TP
.BI "l4-redirect-on-reject=" n
If specified then if radius rejects access 'ip rule add from ip_addr table l4-redirect-table' rule will be created for time
.B n
seconds.
.TP
.BI "l4-redirect-ip-pool=" name
If specified then if radius rejects access and session is DHCP then ip will be allocated from specified pool name.
.TP
.BI "gw-ip-address="x.x.x.x/mask
Specifies address to be used as server ip address if radius can assign only client address. In such case if client address is matched network and mask then specified address and mask will be used. You can specify multiple such options.
.TP
.BI "shared=" 0|1
Specifies default value for per-interface
.B shared
parameter.
.TP
.BI "mode=" L2|L3
Specifies default value for per-interface
.B mode
parameter.
.TP
.BI "start=" dhcpv4|up|auto
Specifies default value for per-interface
.B start
parameter.
.TP
.BI "ifcfg=" 0|1
Specifies default value for per-interface
.B ifcfg
parameter.
.TP
.BI "relay=" ipv4_address
Specifies default value for per-interface
.B relay
parameter.
.TP
.BI "proxy-arp=" n
Specifies default value for per-interface
.B proxy-arp
parameter.
.TP
.BI "weight=" n
Specifies global weight of this server (used for load balancing)
.TP
.BI "ip-unnumbered=" 0|1
Specifies default value for per-interface
.B ip-unnumbered
parameter.
.br
If ip-unnumbered=1 accel-ppp will always assign /32 mask.
.br
Default value is 1.
.TP
.BI "interface=" [re:]name[,mode=L2|L3][,shared=0|1][,start=dhcpv4|up|auto]
.BI "" [,range=x.x.x.x/mask][,ifcfg=0|1]
.BI "" [,relay=x.x.x.x]
.BI "" [,giaddr=x.x.x.x]
.BI "" [,src=x.x.x.x]
.BI "" [,proxy-arp=0|1|2]
.BI "" [,username=ifname|lua:function]
.BI "" [,ipv6=0|1]
.BI "" [,mtu=N]
.BI "" [,weight=N]
.BI "" [,ip-unnumbered=0|1]
.br
Specifies interface to listen dhcp or unclassified packets. You may specify multiple
.B interface
options.
.br
If
.B name
is prefixed with
.B re:
then
.B name
is treated as regular expression.
.br
The
.B mode
parameter specifies client connectivity mode. If mode=
.B L2
then it means that clients are on same network where interface is.
.B L3
means that client are behind some router.
.br
The
.B shared
parameter specifies where interface is shared by multiple users or it is vlan-per-user.
.br
The
.B start
parameter specifies which way session starts (up - unclassified packet).
.br
auto - means automatically start session with username = interface name. Use it with conjuction vlan_mon.
.br
The
.B range
parameter specifies local range of ip address to give to dhcp clients. First IP in range is router IP.
.br
The
.B ifcfg
parameter specifies whether accel-ppp should add router IP address and route to client to interface or it is explicitly configured.
.br
The
.B relay
parameter specifies DHCPv4 relay IP address to pass requests to. If specified
.B giaddr
is also needed.
.br
The
.B giaddr
parameter specifies relay agent IP address.
.br
The
.B src
parameter specifies ip address to use as source when adding route to client.
.br
The
.B proxy-arp
parameter specifies whether accel-ppp should reply to arp requests.
.TP
.BI "local-net=" x.x.x.x/mask
Specifies networks from which packets will be treated as unclassified. You may specify multiple local-net options.
.TP
.BI "proto=" n
Specifies number of protocol to be used for inserted routes.
.TP
.BI "offer-delay=" delay[,delay1:count1[,delay2:count2[,...]]]
Specifies delays (also in condition of connection count) to send DHCPOFFER (ms).
Last delay in list may be -1 which means don't accept new connections.
List must to be sorted by count key.
.TP
.BI "offer-timeout=" n
Specified timeout waiting DHCP-Request from client in seconds (default 10).
.TP
.BI "vlan-mon=" [re:]name[,filter]
Starts vlan monitor on specified interface (requires ipoe kernel module).
.br
The
.B filter
parameter specifies list of vlans or ranges of vlans to monitor for and may be in following form:
.br
vlan-mon=eth1,2,5,10,20-30
.TP
.BI "vlan-timeout=" n
Specifies time of vlan inactivity before it will be removed (seconds).
.TP
.BI "vlan-name=" pattern
Specifies pattern of vlan interface name. Pattern may contain following macros:
.br
.B %I
- name of patern interface.
.br
.B %N
- number of vlan.
.br
.B %P
- number of vlan of parent interface.
.br
By default vlan-name=%I.%N.
.TP
.BI "soft-terminate=" 0|1
Turns on soft terminate mode. Soft terminate means that session won't be terminated immediately, but when next lease renewal request will be received.
.TP
.BI "check-mac-change=" 0|1
If enabled accel-ppp will terminate session when detects change of mac address of client (by default it is enabled).
.TP
.BI "calling-sid=" mac|ip
Specifies value of Calling-Station-Id attribute.
.SH [dns]
.TP
.BI "dns1=" x.x.x.x
Specifies primary DNS to be sent to peer.
.TP
.BI "dns2=" x.x.x.x
Specifies secondary DNS to be sent to peer.
.SH [wins]
.TP
.BI "wins1=" x.x.x.x
Specifies primary NBNS to be sent to peer.
.TP
.BI "wins2=" x.x.x.x
Specifies secondary NBNS to be sent to peer.
.SH [dnsv6]
.TP
.BI "dns=" IPv6_address
Specifies IPv6 DNS to be sent to peer. You may specify up to 3 dns options.
.TP
.BI "dnssl=" name
Specify DNS Search List. You may specify multiple dns and dnssl options.
.SH [client-ip-range]
You have to explicitly specify range of ip address from which clients can connect to server in form:
.br
.B x.x.x.x/mask
(for example 10.0.0.0/8)
.br
.B x.x.x.x-y
(for example 10.0.0.1-254)
.SH [pptp]
.br
Configuration of PPTP module.
.TP
.BI "bind=" x.x.x.x
If this option is given then pptp server will bind to specified IP address.
.TP
.BI "port=" n
If this option is given then pptp server will bind to specified port.
.TP
.BI "verbose=" n
If this option is given and
.B n
is greater of zero then pptp module will produce verbose logging.
.TP
.BI "echo-interval=" n
If this option is given and greater then zero then pptp module will send echo-request every
.B n
seconds.
.TP
.BI "echo-failure=" n
Specifies maximum number of echo-requests may be sent without valid echo-reply, if exceeds connection will be terminated.
.TP
.BI "timeout=" n
Timeout waiting reply from client in seconds (default 5).
.TP
.BI "mppe=" deny|allow|prefer|require
.TP
.BI "ifname=" ifname
If this option is given ppp interface will be renamed using
.B ifname
as a template, i.e pptp%d => pptp0.
.TP
.BI "ppp-max-mtu=" n
Set the maximun MTU value that can be negociated for PPP over PPTP
sessions. Default value is 1436.
.SH [pppoe]
.br
Configuration of PPPoE module.
.TP
.BI "interface=" [re:]ifname[,padi-limit=n]
Specifies interface name to listen/send discovery packets. You may specify multiple
.B interface
options. If
.B ifname
is prefixed with
.B re:
then ifname is considered as regular expression. Optional
.B padi-limit
parameter specifies limit of PADI packets to reply on this interface in 1 second period.
.TP
.BI "ac-name=" ac-name
Specifies AC-Name tag value. If absent tag will not be sent.
.TP
.BI "service-name=" service-name
Specifies Service-Name to respond. If absent any Service-Name is acceptable and client's Service-Name will be sent back.
.TP
.BI "accept-any-service=" n
If service-name specified still will answer with service names, but accepts any service name in PADR request. Useful
for scenarios, where selection of PPPoE done by client, based on service names in PADO.
.TP
.BI "pado-delay=" delay[,delay1:count1[,delay2:count2[,...]]]
Specifies delays (also in condition of connection count) to send PADO (ms).
Last delay in list may be -1 which means don't accept new connections.
List have to be sorted by count key.
.TP
.BI "mac-filter=" filename,type
Specifies mac-filter filename and type, type maybe
.B allow
or
.B deny
.TP
.BI "called-sid=" ifname|mac|ifname:mac
Specifies how to represent Called-Station-ID.
.br
.B ifname
- Called-Station-ID will contain name of interface accepted request.
.br
.B mac
- Called-Station-ID will contain mac address of interface accepted request.
.br
.B ifname:mac
- Called-Station-Id will contain both name and mac of interface.
.TP
.BI "verbose=" n
If this option is given and
.B n
is greater of zero then pppoe module will produce verbose logging.
.TP
.BI "tr101=" 0|1
Specifies whether to handle TR101 tags.
.TP
.BI "padi-limit=" n
Specifies overall limit of PADI packets to reply in 1 second period (default 0 - unlimited). Rate of per-mac PADI packets is limited to no more than 1 packet per second.
.TP
.BI "mppe=" deny|allow|prefer|require
.TP
.BI "ifname=" ifname
If this option is given ppp interface will be renamed using
.B ifname
as a template, i.e pppoe%d => pppoe0.
.SH [l2tp]
.br
Configuration of L2TP module.
.TP
.BI "bind=" x.x.x.x
Specifies IP address to bind.
.TP
.BI "port=" n
Specifies port to bind.
.TP
.BI "host-name=" string
This name will be sent to clients in Host-Name attribute.
.TP
.BI "hello-interval=" n
Specifies interval (in seconds) to send Hello control message. Its used for keep alive connection. If peer will not respond to Hello connection will be terminated.
.TP
.BI "recv-window=" n
Set the size of the local receive window. Only received messages whose sequence
number is in the range [last-Nr + 1, last-Nr + recv-window] are accepted
(where last-Nr is the sequence number of the last acknowledged message).
Minimum value is 1, maximum is 32768, default is 16.
.TP
.BI "timeout=" n
Specifies timeout (in seconds) to wait peer completes tunnel and session negotiation.
.TP
.BI "rtimeout=" n
Specifies timeout (in seconds) to wait message acknowledge, if elapsed message retransmition will be performed.
Timeout is multiplied by two after each retransmission. So if
.BR rtimeout " is set to 1, first retransmission will occur after one second,"
second retransmission two seconds later, third one four seconds later, and so
on, until a reply is received or the
.BR retransmit " value is reached. Default value is 1."
.TP
.BI "rtimeout-cap=" n
Set the maximum interval between retransmissions. The exponential backoff
.RB "interval used by " rtimeout " will never grow above " rtimeout-cap .
.BR rtimeout-cap " must be higher than " rtimeout " and, according to RFC 2661,
must be no less than 8 (though accel-ppp doesn't enforce this rule).
Default value is 16.
.TP
.BI "retransmit=" n
Specifies maximum number of message retransmission, if exceeds connection will be terminated.
.TP
.BI "verbose=" n
If this option is given and
.B n
is greater of zero then l2tp module will produce verbose logging.
.TP
.BI "mppe=" deny|allow|prefer|require
.TP
.BI "secret=" string
Specifies secret to connect to server.
.TP
.BI "hide-avps=" n
If this option is given and
.B n
is greater than 0, then attributes sent in L2TP packets will be hidden (for
AVPs that support it).
.TP
.BI "dataseq=" deny|allow|prefer|require
Specify data sequencing negotiation algorithm:
.br
.B deny
- don't send data packets with sequence numbers
.br
.B allow
- send data packets with sequence numbers if peer have requested so only
.br
.B prefer
- send data packets with sequence numbers and enable same for peer
.br
.B require
- send data packets with sequence numbers and enforce same for peer
.TP
.BI "reorder-timeout=" ms
Specifies timeout (in milliseconds) to wait for out-of-order packets. If 0, don't try to reorder.
.TP
.BI "use-ephemeral-ports=" 0|1
Specifies if an arbitrary source port is used when replying to a tunnel
establishment request. When this option is deactivated, the destination
port of the incoming request (SCCRQ) is used as source port for the
reply (SCCRP). Default value is 0.
.TP
.BI "ppp-max-mtu=" n
Set the maximun MTU value that can be negociated for PPP over L2TP
sessions. Default value is 1420.
.TP
.BI "ifname=" ifname
If this option is given ppp interface will be renamed using
.B ifname
as a template, i.e l2tp%d => l2tp0.
.SH [sstp]
.br
Configuration of SSTP module.
.TP
.BI "bind=" x.x.x.x|ipv6address|unix:pathname|unix:@abstract
If this option is given then sstp server will bind to specified IP address
or unix pathname/abstract socket.
.TP
.BI "port=" n
If this option is given then sstp server will bind to specified port.
Default is 443.
.TP
.BI "verbose=" n
If this option is given and
.B n
is greater of zero then sstp module will produce verbose logging.
.TP
.BI "timeout=" n
Timeout waiting reply from client in seconds.
Default is 60.
.TP
.BI "hello-interval=" n
If this option is given and greater then zero then sstp will send echo-request every
.B n
seconds and drop connection without a reply.
Default is 60.
.TP
.BI "accept=" ssl,proxy
Specifies incoming connection acceptance mode.
.br
.B ssl
- enable SSL/TLS support.
.br
.B proxy
- enable PROXY protocol 1 & 2 support.
.TP
.BI "ssl-dhparam=" pemfile
Specifies a file with DH parameters for DHE ciphers.
.TP
.BI "ssl-ecdh-curve=" string
Specifies a curves for ECDHE ciphers. Value is specified in the format understood by the OpenSSL library.
.TP
.BI "ssl-ciphers=" string
Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library.
.TP
.BI "ssl-prefer-server-ciphers=" n
If this option is given and
.B n
is greater of zero then server ciphers should be preferred over client ciphers.
Default is 0.
.TP
.BI "ssl-pemfile=" pemfile
Specifies a file with the certificate in the PEM format for sstp server.
Certificate is also used to compute initial SHA1 and SHA256 certificate hash.
.TP
.BI "ssl-keyfile=" keyfile
Specifies a file with the secret key in the PEM format for sstp server.
If not set, secret key will be loaded from the
.BI pemfile
certificate.
.TP
.BI "cert-hash-proto=" sha1,sha256
Specifies hashing methods that can be used to compute the Compound MAC in the Crypto Binding attribute.
Default is sha1 and sha256 both.
.TP
.BI "cert-hash-sha1=" hexstring
Given hexadecimal value overrides SHA1 hash computed from the
.BI pemfile
certificate or used directly for non-ssl mode.
.TP
.BI "cert-hash-sha256=" hexstring
Given hexadecimal value overrides SHA256 hash computed from the
.BI pemfile
certificate or used directly for non-ssl mode.
.TP
.BI "host-name=" string
If this option is given, only sstp connection to specified host and with the same TLS SNI will be allowed.
.TP
.BI "http-error=" deny|allow|http[s]://host.tld[/path]
Specify http layer error behavior for non-sstp requests.
.br
.B deny
- reset connection without any error response.
.br
.B allow
- respond with http-specific status codes.
.br
.B http[s]://host.tld[/path]
- respond with http redirect to the specified location.
If
.B /path
is not specified, requested uri will be appended automatically
.br
Default value is allow.
.TP
.BI "ifname=" ifname
If this option is given ppp interface will be renamed using
.B ifname
as a template, i.e sstp%d => sstp0.
.TP
.BI "ppp-max-mtu=" n
Set the maximun MTU value that can be negociated for PPP over SSTP sessions.
Default value is 1452, maximum is 4087.
.SH [radius]
.br
Configuration of RADIUS module.
.TP
.BI "nas-identifier=" identifier
Specifies value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.
.TP
.BI "nas-ip-address=" x.x.x.x
Specifies value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests.
Also DM/CoA server will bind to that address.
.TP
.BI "gw-ip-address=" x.x.x.x
Specifies address to use as local address of ppp interfaces if Framed-IP-Address received from RADIUS server.
.TP
.BI "auth-server=" x.x.x.x:port,secret
Specifies IP address, port and secret of authentication RADIUS server. (obsolete)
.TP
.BI "acct-server=" x.x.x.x:port,secret
Specifies IP address, port and secret of accounting RADIUS server. (obsolete)
.TP
.BI "server=" address,secret[,auth-port=1812][,acct-port=1813][,req-limit=0][,fail-timeout=0,max-fail=0,][,weight=1][,backup]
Specifies IP address, secret, ports of RADIUS server.
.br
.B req-limit
- number of simultaneous requests to server (0 - unlimited).
.br
.B fail-time
- if server doesn't responds mark it as unavailable for this time (sec).
.br
.B max-fail
- number of unreplied requests in a row after that mark server as unavailable.
.br
.B weight
- specifies weight of server for multi-server configuration.
.br
.B backup
- mark server as backup server f.e. use this server only when all other servers are failed.
.br
If you want to specify only authentication or accounting server then set auth-port/acct-port to zero.
You may specify multiple radius servers.
.TP
.BI "dae-server=" x.x.x.x:port,secret
Specifies IP address, port to bind and secret for Dynamic Authorization Extension server (DM/CoA).
.TP
.BI "dm_coa_secret=" secret (deprecated, use dae-server instead)
Specifies secret to use in DM/CoA communication.
.TP
.BI "acct-interim-interval=" n
Specifies interval in seconds to send accounting information (may be overriden by radius Acct-Interim-Interval attribute)
.TP
.BI "verbose=" n
If this option is given and
.B n
is greater of zero then radius module will produce verbose logging.
.TP
.BI "interim-verbose=" n
If this option is given and
.B n
is greater of zero then radius module will produce verbose logging of interim radius packets.
.TP
.BI "timeout=" n
Timeout to wait response from server (sec)
.TP
.BI "max-try=" n
Specifies number of tries to send Access-Request/Accounting-Request queries.
.TP
.BI "acct-timeout=" n
Specifies timeout of accounting interim update.
.TP
.BI "acct-delay-time=" 0|1
Specifies whether radius client should include Acct-Delay-Time attribute to accounting requests (default 0).
.TP
.BI "default-realm=" realm
Append specified realm to username.
.TP
.BI "acct-on=" 0|1
Specifies whether radius client should send Account-Request with Acct-Status-Type=Accounting-On on startup and Acct-Status-Type=Accounting-Off on shutdown.
.TP
.BI "attr-tunnel-type=" name
Specifies custom attribute name to be used to send tunnel type (as string).
.SH [log]
.br
Configuration of log and log_file modules.
.TP
.BI "log-file=" file
Path to file to write general log.
.TP
.BI "log-emerg=" file
Path to file to write emergency messages.
.TP
.BI "log-fail-file=" file
Path to file to write authentication failed session log.
.TP
.BI "log-tcp=" x.x.x.x:port
Send logs to specified host.
.TP
.BI "syslog=" ident[,facility]
Send logs to system logger.
Facility may be: daemon, local0-local7 or numeric value.
.TP
.BI "copy=" n
If this options is given and greater then zero logging engine will duplicate session log in general log.
(Useful when per-session/per-user logs are not used)
.TP
.BI "per-session-dir=" dir
Directory for session logs. If specified each session will be logged separately to file which name is unique session identifier.
.TP
.BI "per-user-dir=" dir
Directory for user logs. If specified all sessions of same user will be logged to file which name is user name.
.TP
.BI "per-session=" n
If specified and n is greater then zero each session of same user will be logger separately to directory specified by "per-user-dir"
and subdirectory which name is user name and to file which name os unique session identifier.
.TP
.BI "level=" n
Specifies log level which values are:
.br
.B 0
turn off all logging
.br
.B 1
log only error messages
.br
.B 2
log error and warning messages
.br
.B 3
log error, warning and minimum information messages (use this level in conjuction with verbose option of other modules if you need verbose logging)
.br
.B 4
log error, warning and full information messages (use this level in conjuction with verbose option of other modules if you need verbose logging)
.br
.B 5
log all messages including debug messages
.SH [log-pgsql]
.br
Configuration of log_pgsql module.
.TP
.BI "conninfo=" conninfo
Conninfo to connect to PostgreSQL server.
.TP
.BI "log-table=" table
Table to send log messages. Table must contain following field:
.br
.B timestamp
timestamp
.br
.B username
text
.br
.B sessionid
text
.br
.B msg
text
.SH [pppd_compat]
.br
Configuration of pppd_compat module.
.TP
.BI "ip-pre-up=" file
Path to ip-pre-up script which is executed before ppp interface comes up, useful to setup firewall rules before any traffic can pass through the interface.
.TP
.BI "ip-up=" file
Path to ip-up script which is executed when ppp interfaces is completly configured and started.
.TP
.BI "ip-down=" file
Path to ip-down script which is executed when session is about to terminate.
.TP
.BI "ip-change=" file
Path to ip-change script which is executed for RADIUS CoA handling.
.TP
.BI "radattr=" prefix
Prefix of radattr files (for example /var/run/radattr, resulting files will be /var/run/radattr.pppX)
.TP
.BI "verbose=" n
If specified and greated then zero pppd_module will produce verbose logging.
.SH [chap-secrets]
.br
Configuration of chap-secrets module.
.TP
.BI "gw-ip-address=" x.x.x.x[/mask]
Specifies address to use as local address of ppp interfaces if chap-secrets is used for IP address assignment. Mask is used for IPoE.
.TP
.BI "chap-secrets=" file
Specifies alternate chap-secrets file location (default is /etc/ppp/chap-secrets).
.TP
.BI "encrypted=" 0|1
Specifies either chap-secrets is encrypted (read README).
.TP
.BI "username-hash=" hash1[,hash2]
Specifies hash chain to calculate username hash.
.br
.BR hash1 , \ hash2
are openssl known digest names (md5, sha1, etc).
.SH [ip-pool]
.br
Configuration of ippool module.
.TP
.BI "gw-ip-address=" x.x.x.x
Specifies single IP address to be used as local address of ppp interfaces.
.TP
.BI "shuffle=" 1|0
Specifies whether to shuffle initial address list.
.TP
.BI "gw=" range
Specifies range of local address of ppp interfaces if form:
.br
.B x.x.x.x/mask[,name=pool_name][,next=next_pool_name]
(for example 10.0.0.0/8)
.br
.B x.x.x.x-y[,name=pool_name][,next=next_pool_name]
(for example 10.0.0.1-254)
.TP
.BI "tunnel=" range
Specifies range of remote address of ppp interfaces if form:
.br
.B x.x.x.x/mask[,name=pool_name][,next=next_pool_name]
.br
.B x.x.x.x-y[,name=pool_name][,next=next_pool_name]
.TP
.BI "x.x.x.x/mask[,name=pool_name][,next=next_pool_name] or x.x.x.x-y[,name=pool_name][,next=next_pool_name]"
Also specifies range of remote address of ppp interfaces.
.TP
.BI "attr=" attribute
Specifies which Radius attribute containes pool name.
.TP
.BI "vendor=" vendor
If attribute is vendor-specific then specify vendor name in this option.
.SH [ipv6-pool]
.br
Configuration of ipv6pool module.
.br
Format of each row is
.br
.B ipv6prefix/mask,prefix_len
for example:
.br
.B fc00:0:1::/48,64
- specifies pool of address by dividing prefix fc00:0:1::/48 to networks with 64 prefix len, e.g:
.br
fc00:0:1:0::/64
.br
fc00:0:1:1::/64
.br
...
fc00:0:1:ffff::/64
.TP
.BI "delegate=" ipv6prefix/mask,prefix_len
Specifies range of prefixes to delegate to clients through DHCPv6 prefix delegation (rfc3633).
Format is same as described above.
.BI "gw-ip6-address=" ipv6address
Specifies gateway address (used only for /128 prefixes)
.SH [connlimit]
.br
This module limits connection rate from single source.
.TP
.BI "limit=" count/time
Specifies acceptable rate of connections, for example limit=1/s or limit=10/m.
.TP
.BI "burst=" count
.TP
.BI "timeout=" n
Specifies timeout in seconds after which module doesn't check rate until burst number of connections will be arrived.
.SH [shaper]
.br
This module controls shaper.
.TP
.BI "attr=" name
Specifies which radius attribute contains rate information. Default - Filter-ID.
.TP
.BI "attr-up=" name
.TP
.BI "attr-down=" name
Specifies which radius attributes contains rate information for upstream and downstream respectively.
.TP
.BI "burst-factor=" n
Burst will be calculated as rate multyply burst-factor.
.TP
.BI "up-burst-factor=" n
.TP
.BI "down-burst-factor=" n
Specifies burst factor for upstream and downstream respectively.
.TP
.BI "latency=" n
Specifies latency (in miliseconds) parameter of tbf qdisc.
.TP
.BI "mpu=" n
Specifies mpu parameter of tbf qdisc and policer.
.TP
.BI "r2q=" n
Specifies r2q parameter of root htb qdisc.
.TP
.BI "quantum=" n
Specifies quantum parameter of htb classes.
.TP
.BI "moderate-quantum=" 1|0
If fixed quantum is not specified and this option is specified then shaper module will check for quantum value is valid (in range 1000-200000).
.TP
.BI "fwmark=" n
Spicifies the fwmark for traffic that won't be passed through shaper.
.TP
.BI "up-limiter=" police|htb
Specifes upstream rate limiting method.
.TP
.BI "down-limiter=" tbf|htb
Specifies downstream rate limiting method.
.TP
.BI "leaf-qdisc=" "qdisc parameters"
In case if htb is used as up-limiter or down-limiter specified leaf qdisc can be attached automaticaly.
At present sfq and fq_codel qdiscs are implemented. Parameters are same as for tc:
.br
sfq [ limit NUMBER ] [ perturn SECS ] [ quantum BYTES ]
.br
fq_codel [ limit PACKETS ] [flows NUMBER ] [ target TIME ] [ interval TIME ] [quantum BYTES ] [ [no]ecn ]
.TP
.BI "rate-multiplier=" n
Due to accel-ppp operates with rates in kilobit basis if you send rates in different basis then you can use this option to bring your values to kilobits.
.SH [cli]
.br
Configuration of the command line interface.
.TP
.BI "verbose=" n
If \fIn\fR = 1 then cli module will log IP address of each connection.
.br
If \fIn\fR = 2 then cli module will also log passed commands.
.TP
.BI "tcp=" host:port
Defines on which IP address and port the TCP module will listen for incoming
connections. When \fIhost\fR is empty, the TCP module listens on all local
interfaces. It isn't loaded if this option isn't defined.
.TP
.BI "telnet=" host:port
Defines on which IP address and port the Telnet module will listen for incoming
connections. When \fIhost\fR is empty, the Telnet module listens on all local
interfaces. It isn't loaded if this option isn't defined.
.TP
.BI "password=" passwd
Defines the password to be used by the TCP and Telnet modules for
authenticating clients. No authentication is performed if this option
isn't defined.
.TP
.BI "prompt=" prompt
Defines the prompt string used by the Telnet module (defaults
to \fIaccel-ppp\fR).
.TP
.BI "history-file=" filename
Defines the file used by the Telnet module for loading and storing its
command history (defaults to \fI/var/lib/accel-ppp/history\fR).
.TP
.BI "sessions-columns=" column_list
Defines the default set of columns to be displayed by the "show sessions"
command (defaults to
\fIifname,username,calling-sid,ip,rate-limit,type,comp,state,uptime\fR).
Invalid column names are silently discarded.
|