accel-ppp.conf - Man Page

ACCEL-PPP VPN daemon configuration

Description

accel-pppd(8) reads options from this file, usually /etc/accel-ppp.conf.

The configuration file consists of sections of the form:
[section1]

name1=val1
name2=val2
name3

[section2]

....

Sections

[modules]

contains list of modules to load

log_file

This is logging target which logs messages to files. It supports per-session/per-user features.

log_syslog

This is logging target which logs messages to syslog.

log_tcp

This is logging target which logs messages over TCP/IP.

log_pgsql

This is logging target which logs messages to PostgreSQL.

pptp

PPTP controlling connection handling module.

pppoe

PPPoE discovery stage handling module.

sstp

SSTP controlling connection handling module.

auth_pap

PAP authentication module.

auth_chap_md5

CHAP (md5) authentication module.

auth_mschap_v1

Microsoft CHAP (version 1) authentication module.

auth_mschap_v2

Microsoft CHAP (version 2) authentication module.

radius

RADIUS interaction module.

ippool

IPv4 address assigning module.

ipv6pool

IPv6 address assigning module.

sigchld

Helper module to manage child processes, required by pppd_compat

pppd_compat

This module starts pppd compatible ip-up/ip-down scripts and ip-change to handle RADIUS CoA request.

connlimit

This module limits connection rate from single source.

[core]

Configuration of core module

log-error=path

Path to file for core module error logging.

thread-count=n

Number of working threads. The optimal value is the number of processors/cores.

[common]

Contains common params for all connection types

single-session=replace|deny

Specifies whether accel-ppp should control sessions count.
If this option is absent session count control is turned off.
If this option is replace then accel-ppp will terminate first session when second is authorized.
If this option is deny then accel-ppp will deny second session authorization.

single-session-ignore-case=0|1

Specifies whether accel-ppp should ignore the case when comparing username within single-session validation (default 0).

sid-case=upper|lower

Specifies the case in which the session identifier is generated (default lower).

sid-source=urandom|seq

Specifies the method used to assign the session id (default urandom).
urandom - assign session id by random method
seq - assign session id by sequence method

seq-file=path

Path to file for sessions sequence number. Start sequence number may be set there (default /var/lib/accel-ppp/seq).

max-sessions=n

Specifies the maximum number of concurrent sessions which the server may process (default 0, disabled).

max-starting=n

Specifies the maximum number of concurrent session attempts which the server may process (default 0, disabled).

check-ip=0|1

Specifies whether accel-ppp should check whether the IP is already assigned to another client interface (default 0).

nl-snd-buffer=n

Specifies netlink maximum send buffer size (SO_SNDBUF option) (default 32768).

nl-rcv-buffer=n

Specifies netlink maximum receive buffer size (SO_RCVBUF option) (default 1048576).

session-timeout=n

Specifies max sessions time in seconds, after this time session will be terminated.
This timeout can be redefined with radius attribute Session-Timeout. 0 value means infinite timeout.

[ppp]

PPP module configuration.

verbose=n

If n is not zero ppp module will produce verbose logging.

min-mtu=n

Minimum acceptable MTU. If the client tries to negotiate an MTU less than the specified value, it will be NAKed, or disconnected if it rejects a greater MTU.

mtu=n

MTU which will be negotiated if the client's MRU is not acceptable.

mru=n

Preferred MRU.

accomp=allow|deny|n

Address/Control compression negotiation.
allow - prefer in send and don't deny in receive directions
deny - disable in both directions, default behavior

pcomp=allow|deny|n

Protocol field compression negotiation.
allow - prefer in send and don't deny in receive directions
deny - disable in both directions, default behavior

ccp=n

Disable CCP negotiation if this parameter is zero.

mppe=require|prefer|deny

Specifies mppe negotiation preference.
require - ask client for mppe, if it rejects drop connection
prefer - ask client for mppe, if it rejects don't fail.
deny - deny mppe.
Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute.

ipv4=deny|allow|prefer|require

Specify IPv4 (IPCP) negotiation algorithm:
deny - don't negotiate IPv4.
allow - negotiate IPv4 only if client requests.
prefer - ask client for IPv4 negotiation, don't fail if he rejects.
require - require IPv4 negotiation.

ipv6=deny|allow|prefer|require

Parameters are same as above.

ipv6-intf-id=x:x:x:x|random

Specify fixed or random interface identifier for IPv6.

ipv6-peer-intf-id=x:x:x:x|random|ipv4|calling-sid

Specify peer interface identifier for IPv6.
ipv4 - calculate interface identifier from IPv4 address, for example 192:168:0:1.
calling-sid - calculate interface identifier from Calling-Station-Id.

ipv6-accept-peer-intf-id=0|1

Specify whether to accept peer's interface identifier.

lcp-echo-interval=n

If this option is given and greater than 0 then lcp module will send echo-request every n seconds.

lcp-echo-failure=n

Specifies the maximum number of echo-requests that may be sent without a valid echo-reply; if exceeded, the connection will be terminated.

lcp-echo-timeout=sec

Specifies timeout in seconds to wait for any peer activity. If this option is specified, it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used.

unit-cache=n

Specifies number of interfaces to keep in cache. Instead of destroying an interface after the corresponding session is destroyed, accel-ppp places it in the cache and reuses it for new sessions. This should reduce the kernel-level interface creation/deletion rate.

unit-preallocate=0|1

If set to 1 then allocate ppp unit (interface) before authorization, so Nas-Port and Nas-Port-Id would be defined in Access-Request phase.

[auth]

Contains authentication params

timeout=n

If n is not zero specifies timeout in seconds to wait for PAP, CHAP, Microsoft CHAP v1/v2 authentication.

interval=n

If n is not zero specifies timeout in seconds to restart CHAP and Microsoft CHAP v1/v2 authentication.

max-failure=n

If n is not zero specifies maximum number of CHAP and Microsoft CHAP v1/v2 authentication failures.

any-login=0|1

If set to 1 allows PAP, CHAP and Microsoft CHAP v1 authentication to pass with any login.

noauth=0|1

If set to 1 skips any PPP and IPOE authentication.

challenge-name=name

Specifies challenge name for CHAP authentication.

[ipoe]

verbose=n

If n is not zero ipoe module will produce verbose logging.

username=ifname|lua:function

Specifies how to determine username of user.
If username=ifname then the name of the interface on which the packet arrived will be used as username.
If username=lua:username then the lua function named username will be called to construct the username from dhcp packet fields.

password=username|csid|empty|<string>

Specifies how to generate password.
If password=username then password will be same as username.
If password=empty then password will be empty string.
If password=csid then password will be same as Calling-Station-Id.
Or you can specify a fixed password in <string>.

session-timeout=n

Specifies max sessions time in seconds. After this time session will be terminated. May be redefined with radius attribute Session-Timeout.

idle-timeout=n

Specifies timeout in seconds to wait for any packets from client; after this time the session will be terminated if the client doesn't send any packet. Often used with mode=L3.

lease-time=n

Specifies lease time in seconds to be sent to dhcp client.

renew-time=n

Specifies lease renew time (option 58) in seconds to be sent to dhcp client.

rebind-time=n

Specifies lease rebind time (option 59) in seconds to be sent to dhcp client.

max-lease-time=n

Specifies max lease time in seconds, after this time session will be terminated if client won't renew it.

unit-cache=n

Specifies number of interfaces to keep in cache. Instead of destroying an interface after the corresponding session is destroyed, accel-ppp places it in the cache and reuses it for new sessions. This should reduce the kernel-level interface creation/deletion rate.

l4-redirect-table=n

Specifies number of table. If L4-Redirect radius attribute is received and its value is not 0 or '0' then accel-ppp will add following rule: ip rule add from client_ip table n

l4-redirect-ipset=name

Specifies name of ipset list. If L4-Redirect radius attribute is received and its value is not 0 or '0' then accel-ppp will add client's ip to that ipset name.

l4-redirect-on-reject=n

If specified then if radius rejects access 'ip rule add from ip_addr table l4-redirect-table' rule will be created for time n seconds.

l4-redirect-ip-pool=name

If specified then if radius rejects access and session is DHCP then ip will be allocated from specified pool name.

gw-ip-address=x.x.x.x/mask

Specifies address to be used as server ip address if radius can assign only client address. In such case if the client address matches the network and mask then specified address and mask will be used. You can specify multiple such options.

shared=0|1

Specifies default value for per-interface shared parameter.

mode=L2|L3

Specifies default value for per-interface mode parameter.

start=dhcpv4|up|auto

Specifies default value for per-interface start parameter.

ifcfg=0|1

Specifies default value for per-interface ifcfg parameter.

relay=ipv4_address

Specifies default value for per-interface relay parameter.

proxy-arp=n

Specifies default value for per-interface proxy-arp parameter.

weight=n

Specifies global weight of this server (used for load balancing)

ip-unnumbered=0|1

Specifies default value for per-interface ip-unnumbered parameter.
If ip-unnumbered=1 accel-ppp will always assign /32 mask.
Default value is 1.

agent-remote-id=string

Specifies the DHCP option 82 sub-option 2 to be inserted by the DHCP Relay.
The purpose of the sub-option is documented in section 3.2 of RFC3046.
If neither the link-selection option nor this option is present, option 82 is not inserted by the DHCP Relay Agent.

link-selection=ipv4_address

Specifies option 82 sub-option 5 as per RFC3527 to be added by dhcp relay. The value stands for the subnet to be selected by the DHCP server to associate the request to a specific subnet.
The purpose of the sub-option is documented in RFC3527.
If neither the agent-remote-id option nor this option is present, option 82 is not inserted by the DHCP Relay Agent.

interface=[re:]name[,mode=L2|L3][,shared=0|1][,start=dhcpv4|up|auto][,range=x.x.x.x/mask][,ifcfg=0|1][,relay=x.x.x.x][,giaddr=x.x.x.x][,src=x.x.x.x][,proxy-arp=0|1|2][,username=ifname|lua:function][,ipv6=0|1][,mtu=N][,weight=N][,ip-unnumbered=0|1]

Specifies interface to listen for dhcp or unclassified packets on. You may specify multiple interface options.
If name is prefixed with re: then name is treated as regular expression.
The mode parameter specifies client connectivity mode. If mode=L2 then it means that clients are on same network where interface is. L3 means that clients are behind some router.
The shared parameter specifies whether interface is shared by multiple users or it is vlan-per-user.
The start parameter specifies which way session starts (up - unclassified packet).
auto - means automatically start session with username = interface name. Use it in conjunction with vlan_mon.
The range parameter specifies local range of ip address to give to dhcp clients. First IP in range is router IP.
The ifcfg parameter specifies whether accel-ppp should add router IP address and route to client to interface or it is explicitly configured.
The relay parameter specifies DHCPv4 relay IP address to pass requests to. If specified giaddr is also needed.
The giaddr parameter specifies relay agent IP address.
The src parameter specifies ip address to use as source when adding route to client.
The proxy-arp parameter specifies whether accel-ppp should reply to arp requests.

local-net=x.x.x.x/mask

Specifies networks from which packets will be treated as unclassified. You may specify multiple local-net options.

proto=n

Specifies number of protocol to be used for inserted routes.

offer-delay=delay[,delay1:count1[,delay2:count2[,...]]]

Specifies delays (also in condition of connection count) to send DHCPOFFER (ms). Last delay in list may be -1 which means don't accept new connections. List must be sorted by count key.

offer-timeout=n

Specifies timeout waiting for DHCP-Request from client in seconds (default 10).

vlan-mon=[re:]name[,filter]

Starts vlan monitor on specified interface (requires vlan_mon kernel module).
The filter parameter specifies list of vlans or ranges of vlans to monitor for and may be in following form:
vlan-mon=eth1,2,5,10,20-30

vlan-timeout=n

Specifies time of vlan inactivity before it will be removed in seconds (default 60). A value of 0 disables removal of inactive vlan.

vlan-name=pattern

Specifies pattern of vlan interface name. Pattern may contain following macros:
%I - name of pattern interface.
%N - number of vlan.
%P - number of vlan of parent interface.
By default vlan-name=%I.%N.

soft-terminate=0|1

Turns on soft terminate mode. Soft terminate means that session won't be terminated immediately, but when next lease renewal request will be received.

check-mac-change=0|1

If enabled accel-ppp will terminate session when detects change of mac address of client (by default it is enabled).

calling-sid=mac|ip

Specifies value of Calling-Station-Id attribute.

[dns]

dns1=x.x.x.x

Specifies primary DNS to be sent to peer.

dns2=x.x.x.x

Specifies secondary DNS to be sent to peer.

[wins]

wins1=x.x.x.x

Specifies primary NBNS to be sent to peer.

wins2=x.x.x.x

Specifies secondary NBNS to be sent to peer.

[ipv6-dns]

dns=IPv6_address

Specifies IPv6 DNS to be sent to peer. You may specify up to 3 dns options.

dnssl=name

Specify DNS Search List. You may specify multiple dns and dnssl options.

[client-ip-range]

You have to explicitly specify range of ip address from which clients can connect to server in form:
x.x.x.x/mask (for example 10.0.0.0/8)
x.x.x.x-y (for example 10.0.0.1-254)

[pptp]

Configuration of PPTP module.

bind=x.x.x.x

If this option is given then pptp server will bind to specified IP address.

port=n

If this option is given then pptp server will bind to specified port.

verbose=n

If this option is given and n is greater than zero then pptp module will produce verbose logging.

echo-interval=n

If this option is given and greater than zero then pptp module will send echo-request every n seconds.

echo-failure=n

Specifies the maximum number of echo-requests that may be sent without a valid echo-reply; if exceeded, the connection will be terminated.

timeout=n

Timeout waiting reply from client in seconds (default 5).

mppe=deny|allow|prefer|require
ifname=ifname

If this option is given ppp interface will be renamed using ifname as a template, i.e pptp%d => pptp0.

ppp-max-mtu=n

Set the maximum MTU value that can be negotiated for PPP over PPTP sessions. Default value is 1436.

session-timeout=n

Specifies max sessions time in seconds, after this time session will be terminated.
This timeout can be redefined with radius attribute Session-Timeout. 0 value means infinite timeout.

[pppoe]

Configuration of PPPoE module.

interface=[re:]ifname[,padi-limit=n]

Specifies interface name to listen/send discovery packets. You may specify multiple interface options. If ifname is prefixed with re: then ifname is considered as regular expression. Optional padi-limit parameter specifies limit of PADI packets to reply on this interface in 1 second period.

vlan-mon=[re:]name[,filter]

Starts vlan monitor on specified interface (requires vlan_mon kernel module).
The filter parameter specifies list of vlans or ranges of vlans to monitor for and may be in following form:
vlan-mon=eth1,2,5,10,20-30

vlan-timeout=n

Specifies time of vlan inactivity before it will be removed in seconds (default 60). A value of 0 disables removal of inactive vlan.

vlan-name=pattern

Specifies pattern of vlan interface name. Pattern may contain following macros:
%I - name of pattern interface.
%N - number of vlan.
%P - number of vlan of parent interface.
By default vlan-name=%I.%N.

ac-name=ac-name

Specifies AC-Name tag value. If absent tag will not be sent.

service-name=service-name

Specifies Service-Name to respond. If absent any Service-Name is acceptable and client's Service-Name will be sent back.

accept-any-service=n

If service-name is specified, accel-ppp will still answer with the configured service names, but accepts any service name in PADR request. Useful for scenarios where selection of PPPoE is done by the client, based on service names in PADO.

accept-blank-service=n

Allow answering on blank Service-Name even if Service-Name is configured. Useful when only the Service-Names described in the config and also blank Service-Name need to be allowed.

pado-delay=delay[,delay1:count1[,delay2:count2[,...]]]

Specifies delays (also in condition of connection count) to send PADO (ms). Last delay in list may be -1 which means don't accept new connections. List has to be sorted by count key.

mac-filter=filename,type

Specifies mac-filter filename and type; type may be allow or deny.

called-sid=ifname|mac|ifname:mac

Specifies how to represent Called-Station-ID.
ifname - Called-Station-ID will contain name of interface accepted request.
mac - Called-Station-ID will contain mac address of interface accepted request.
ifname:mac - Called-Station-Id will contain both name and mac of interface.

verbose=n

If this option is given and n is greater than zero then pppoe module will produce verbose logging.

tr101=0|1

Specifies whether to handle TR101 tags.

padi-limit=n

Specifies overall limit of PADI packets to reply in 1 second period (default 0 - unlimited). Rate of per-mac PADI packets is limited to no more than 1 packet per second.

mppe=deny|allow|prefer|require
ifname=ifname

If this option is given ppp interface will be renamed using ifname as a template, i.e pppoe%d => pppoe0.

session-timeout=n

Specifies max sessions time in seconds, after this time session will be terminated.
This timeout can be redefined with radius attribute Session-Timeout. 0 value means infinite timeout.

[l2tp]

Configuration of L2TP module.

bind=x.x.x.x

Specifies IP address to bind.

port=n

Specifies port to bind.

host-name=string

This name will be sent to clients in Host-Name attribute.

hello-interval=n

Specifies interval (in seconds) to send Hello control message. It is used to keep the connection alive. If the peer does not respond to Hello, the connection will be terminated.

recv-window=n

Set the size of the local receive window. Only received messages whose sequence number is in the range [last-Nr + 1, last-Nr + recv-window] are accepted (where last-Nr is the sequence number of the last acknowledged message). Minimum value is 1, maximum is 32768, default is 16.
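
The window rule above, worked through as an added Python example (not accel-ppp's own code). It assumes the 16-bit Ns/Nr counters of RFC 2661, so the range wraps modulo 65536; the function names and sample arrivals are constructed for illustration.

```python
SEQ_MOD = 1 << 16      # Ns/Nr are 16-bit counters (RFC 2661)
MAX_WINDOW = 32768     # maximum recv-window value given above


def classify(ns, last_nr, recv_window=16):
    """Classify a received control message by its sequence number.

    Returns "accept" when ns is in [last_nr + 1, last_nr + recv_window]
    (modulo 2**16), "beyond-window" when it is ahead of that range, and
    "stale" when it duplicates, or is older than, last_nr.
    """
    if not 1 <= recv_window <= MAX_WINDOW:
        raise ValueError("recv-window must be between 1 and 32768")
    ahead = (ns - last_nr) % SEQ_MOD   # forward distance from last_nr
    if 1 <= ahead <= recv_window:
        return "accept"
    if recv_window < ahead <= MAX_WINDOW:
        return "beyond-window"
    # ahead == 0, or more than half the sequence space away: old message
    return "stale"


def verdicts(arrivals, last_nr, recv_window=16):
    """Classify every arrival against one fixed last_nr (a static snapshot)."""
    return [(ns, classify(ns, last_nr, recv_window)) for ns in arrivals]


# Constructed arrivals around the 65535 -> 0 wrap, with last-Nr = 65530.
SAMPLE_ARRIVALS = [65531, 3, 10, 11, 65530, 65000, 32762]

if __name__ == "__main__":
    for ns, verdict in verdicts(SAMPLE_ARRIVALS, last_nr=65530):
        print(f"Ns={ns:5d}  {verdict}")
```

Because the largest permitted window is exactly half of the sequence space, a forward distance can never be confused with a message that is behind last-Nr.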

timeout=n

Specifies timeout (in seconds) to wait for the peer to complete tunnel and session negotiation.

rtimeout=n

Specifies timeout (in seconds) to wait for message acknowledgement; if it elapses, message retransmission will be performed. Timeout is multiplied by two after each retransmission. So if rtimeout is set to 1, first retransmission will occur after one second, second retransmission two seconds later, third one four seconds later, and so on, until a reply is received or the retransmit value is reached. Default value is 1.

rtimeout-cap=n

Set the maximum interval between retransmissions. The exponential backoff interval used by rtimeout will never grow above rtimeout-cap. rtimeout-cap must be higher than rtimeout and, according to RFC 2661, must be no less than 8 (though accel-ppp doesn't enforce this rule). Default value is 16.

retransmit=n

Specifies the maximum number of message retransmissions; if exceeded, the connection will be terminated.

verbose=n

If this option is given and n is greater than zero then l2tp module will produce verbose logging.

mppe=deny|allow|prefer|require
secret=string

Specifies secret to connect to server.

hide-avps=n

If this option is given and n is greater than 0, then attributes sent in L2TP packets will be hidden (for AVPs that support it).

dataseq=deny|allow|prefer|require

Specify data sequencing negotiation algorithm:
deny - don't send data packets with sequence numbers
allow - send data packets with sequence numbers only if the peer has requested them
prefer - send data packets with sequence numbers and enable same for peer
require - send data packets with sequence numbers and enforce same for peer

reorder-timeout=ms

Specifies timeout (in milliseconds) to wait for out-of-order packets. If 0, don't try to reorder.

use-ephemeral-ports=0|1

Specifies if an arbitrary source port is used when replying to a tunnel establishment request. When this option is deactivated, the destination port of the incoming request (SCCRQ) is used as source port for the reply (SCCRP). Default value is 0.

ppp-max-mtu=n

Set the maximum MTU value that can be negotiated for PPP over L2TP sessions. Default value is 1420.

ifname=ifname

If this option is given ppp interface will be renamed using ifname as a template, i.e l2tp%d => l2tp0.

session-timeout=n

Specifies max sessions time in seconds, after this time session will be terminated.
This timeout can be redefined with radius attribute Session-Timeout. 0 value means infinite timeout.

[sstp]

Configuration of SSTP module.

bind=x.x.x.x|ipv6address|unix:pathname|unix:@abstract

If this option is given then sstp server will bind to specified IP address or unix pathname/abstract socket.

port=n

If this option is given then sstp server will bind to specified port. Default is 443.

verbose=n

If this option is given and n is greater than zero then sstp module will produce verbose logging.

timeout=n

Timeout waiting reply from client in seconds. Default is 60.

hello-interval=n

If this option is given and greater than zero then sstp will send echo-request every n seconds and drop connection without a reply. Default is 60.

accept=ssl,proxy

Specifies incoming connection acceptance mode.
ssl - enable SSL/TLS support.
proxy - enable PROXY protocol 1 & 2 support.

ssl-protocol=ssl2|ssl3|tls1|tls1.1|tls1.2|tls1.3

Specifies the enabled SSL/TLS protocols supported by OpenSSL library.

ssl-dhparam=pemfile

Specifies a file with DH parameters for DHE ciphers.

ssl-ecdh-curve=string

Specifies curves for ECDHE ciphers. Value is specified in the format understood by the OpenSSL library.

ssl-ciphers=string

Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library.

ssl-prefer-server-ciphers=n

If this option is given and n is greater than zero then server ciphers should be preferred over client ciphers. Default is 0.

ssl-pemfile=pemfile

Specifies a file with the certificate in the PEM format for sstp server. Certificate is also used to compute initial SHA1 and SHA256 certificate hash.

ssl-keyfile=keyfile

Specifies a file with the secret key in the PEM format for sstp server. If not set, secret key will be loaded from the pemfile certificate.

cert-hash-proto=sha1,sha256

Specifies hashing methods that can be used to compute the Compound MAC in the Crypto Binding attribute. Default is sha1 and sha256 both.

cert-hash-sha1=hexstring

Given hexadecimal value overrides SHA1 hash computed from the pemfile certificate or used directly for non-ssl mode.

cert-hash-sha256=hexstring

Given hexadecimal value overrides SHA256 hash computed from the pemfile certificate or used directly for non-ssl mode.

host-name=string

If this option is given, only sstp connection to specified host and with the same TLS SNI will be allowed.

http-error=deny|allow|http[s]://host.tld[/path]

Specify http layer error behavior for non-sstp requests.
deny - reset connection without any error response.
allow - respond with http-specific status codes.
http[s]://host.tld[/path] - respond with http redirect to the specified location. If /path is not specified, requested uri will be appended automatically
Default value is allow.

ifname=ifname

If this option is given ppp interface will be renamed using ifname as a template, i.e sstp%d => sstp0.

ppp-max-mtu=n

Set the maximum MTU value that can be negotiated for PPP over SSTP sessions. Default value is 1452, maximum is 4087.

session-timeout=n

Specifies max sessions time in seconds, after this time session will be terminated.
This timeout can be redefined with radius attribute Session-Timeout. 0 value means infinite timeout.
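
An added example, not part of accel-ppp: a small Python audit that parses the file format described under Description and flags the weakening settings documented above in [modules], [auth], [ppp]/[pptp] (mppe) and [sstp] (ssl-protocol). The sample configuration is constructed; treating '#' lines as comments and commas as the ssl-protocol separator are assumptions, as are the severity labels.

```python
import re

# Constructed sample configuration (illustrative, not a real deployment).
SAMPLE_CONF = """\
# assumption: a line starting with '#' is a comment
[modules]
log_file
pptp
sstp
auth_pap
auth_mschap_v2

[auth]
any-login=1
noauth=0

[ppp]
mppe=prefer

[pppoe]
interface=eth1
interface=eth2

[sstp]
accept=ssl
ssl-protocol=ssl3,tls1.2
"""

SEVERITY = ["HIGH", "MEDIUM", "INFO"]
WEAK_TLS = {"ssl2": "HIGH", "ssl3": "HIGH", "tls1": "MEDIUM", "tls1.1": "MEDIUM"}
LEGACY_AUTH = {
    "auth_pap": "the password crosses the PPP link in cleartext",
    "auth_mschap_v1": "superseded by Microsoft CHAP version 2",
}


def parse_conf(text):
    """Return {section: [(name, value_or_None), ...]}, keeping repeated names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None:
            name, sep, value = line.partition("=")
            current.append((name.strip(), value.strip() if sep else None))
    return sections


def values(sections, section, name):
    """All values given for an option; options such as interface may repeat."""
    return [v for n, v in sections.get(section, []) if n == name]


def audit(sections):
    """Return (severity, location, reason) findings, most severe first."""
    findings = []
    modules = {name for name, _ in sections.get("modules", [])}

    for opt, why in (("noauth", "PPP and IPoE authentication is skipped"),
                     ("any-login", "PAP, CHAP and MS-CHAP v1 pass with any login")):
        if "1" in values(sections, "auth", opt):
            findings.append(("HIGH", f"[auth] {opt}=1", why))

    for module, why in LEGACY_AUTH.items():
        if module in modules:
            findings.append(("MEDIUM", f"[modules] {module}", why))

    for value in values(sections, "sstp", "ssl-protocol"):
        # assumption: protocol names are separated by commas, semicolons or spaces
        for proto in re.split(r"[,;\s]+", value or ""):
            if proto in WEAK_TLS:
                findings.append((WEAK_TLS[proto], f"[sstp] ssl-protocol={proto}",
                                 "obsolete SSL/TLS version enabled"))

    if "pptp" in modules:
        # Conservative: every mppe setting that could apply must say "require".
        prefs = values(sections, "pptp", "mppe") + values(sections, "ppp", "mppe")
        if not prefs or any(p != "require" for p in prefs):
            findings.append(("MEDIUM", "[pptp]/[ppp] mppe",
                             "PPTP sessions are not forced to negotiate MPPE"))

    if "connlimit" not in modules:
        findings.append(("INFO", "[modules] connlimit",
                         "no per-source connection rate limit is loaded"))

    findings.sort(key=lambda f: SEVERITY.index(f[0]))
    return findings


if __name__ == "__main__":
    for severity, where, why in audit(parse_conf(SAMPLE_CONF)):
        print(f"{severity:6} {where}: {why}")
```

The mppe finding reflects the file only; as noted under [ppp], RADIUS may override it with MS-MPPE-Encryption-Policy.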

[radius]

Configuration of RADIUS module.

nas-identifier=identifier

Specifies value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.

nas-ip-address=x.x.x.x

Specifies value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.

gw-ip-address=x.x.x.x

Specifies address to use as local address of ppp interfaces if Framed-IP-Address received from RADIUS server.

auth-server=x.x.x.x:port,secret

Specifies IP address, port and secret of authentication RADIUS server. (obsolete)

acct-server=x.x.x.x:port,secret

Specifies IP address, port and secret of accounting RADIUS server. (obsolete)

server=address,secret[,auth-port=1812][,acct-port=1813][,bind-device=][,req-limit=0][,fail-timeout=0,max-fail=0,][,weight=1][,backup]

Specifies IP address, secret, ports of RADIUS server.
bind-device - device name or VRF to bind the connection. By default, the device name is undefined.
req-limit - number of simultaneous requests to server (0 - unlimited).
fail-time - if server doesn't respond mark it as unavailable for this time (sec).
max-fail - number of unreplied requests in a row after which the server is marked as unavailable.
weight - specifies weight of server for multi-server configuration.
backup - mark server as backup server, i.e. use this server only when all other servers have failed.
If you want to specify only authentication or accounting server then set auth-port/acct-port to zero. You may specify multiple radius servers.

dae-server=x.x.x.x:port,secret[,bind-device=]

Specifies IP address, port to bind and secret for Dynamic Authorization Extension server (DM/CoA).
bind-device - device name or VRF to bind the connection. By default, the device name is undefined.

dm_coa_secret=secret (deprecated, use dae-server instead)

Specifies secret to use in DM/CoA communication.

acct-interim-interval=n

Specifies interval in seconds to send accounting information (may be overridden by radius Acct-Interim-Interval attribute).

acct-interim-jitter=n

Specifies absolute maximum jitter value in seconds to be applied to accounting information interval.

verbose=n

If this option is given and n is greater than zero then radius module will produce verbose logging.

interim-verbose=n

If this option is given and n is greater than zero then radius module will produce verbose logging of interim radius packets.

timeout=n

Timeout to wait response from server (sec)

max-try=n

Specifies number of tries to send Access-Request/Accounting-Request queries.

acct-timeout=n

Specifies timeout of accounting interim update.

acct-delay-time=0|1

Specifies whether radius client should include Acct-Delay-Time attribute to accounting requests (default 0).

acct-delay-start=n

Specifies delay to send accounting start packet (default 0).

acct-on=0|1

Specifies whether radius client should send Accounting-Request with Acct-Status-Type=Accounting-On on startup and Acct-Status-Type=Accounting-Off on shutdown.

attr-tunnel-type=name

Specifies custom attribute name to be used to send tunnel type (as string).

default-realm=realm

Appends specified realm to username if there was no realm already.

strip-realm=0|1

Strips realm from username, can be used along with default-realm option for realm substitution.

sid-in-auth=0|1

Specifies whether accel-ppp should generate and send Acct-Session-Id on Access-Request packet.

nas-port-id-in-req=0|1

Specifies whether accel-ppp should send NAS-Port-Id on Access-Request and Accounting-Request packets (default 1).

[log]

Configuration of log and log_file modules.

log-file=file

Path to file to write general log.

log-emerg=file

Path to file to write emergency messages.

log-fail-file=file

Path to file to write authentication failed session log.

log-tcp=x.x.x.x:port

Send logs to specified host.

syslog=ident[,facility]

Send logs to system logger. Facility may be: daemon, local0-local7 or numeric value.

copy=n

If this option is given and greater than zero logging engine will duplicate session log in general log. (Useful when per-session/per-user logs are not used)

per-session-dir=dir

Directory for session logs. If specified each session will be logged separately to file which name is unique session identifier.

per-user-dir=dir

Directory for user logs. If specified all sessions of same user will be logged to file which name is user name.

per-session=n

If specified and n is greater than zero each session of same user will be logged separately to directory specified by "per-user-dir" and subdirectory which name is user name and to file which name is unique session identifier.

level=n

Specifies log level which values are:
0 turn off all logging
1 log only error messages
2 log error and warning messages
3 log error, warning and minimum information messages (use this level in conjunction with verbose option of other modules if you need verbose logging)
4 log error, warning and full information messages (use this level in conjunction with verbose option of other modules if you need verbose logging)
5 log all messages including debug messages

[log-pgsql]

Configuration of log_pgsql module.

conninfo=conninfo

Conninfo to connect to PostgreSQL server.

log-table=table

Table to send log messages. Table must contain following fields:
timestamp timestamp
username text
sessionid text
msg text

[pppd_compat]

Configuration of pppd_compat module.

ip-pre-up=file

Path to ip-pre-up script which is executed before ppp interface comes up, useful to setup firewall rules before any traffic can pass through the interface.

ip-up=file

Path to ip-up script which is executed when ppp interfaces is completely configured and started.

ip-down=file

Path to ip-down script which is executed when session is about to terminate.

ip-change=file

Path to ip-change script which is executed for RADIUS CoA handling.

radattr-prefix=prefix

Prefix of radattr files (for example /var/run/radattr, resulting files will be /var/run/radattr.pppX)

verbose=n

If specified and greater than zero pppd_compat module will produce verbose logging.

[chap-secrets]

Configuration of chap-secrets module.

gw-ip-address=x.x.x.x[/mask]

Specifies address to use as local address of ppp interfaces if chap-secrets is used for IP address assignment. Mask is used for IPoE.

chap-secrets=file

Specifies alternate chap-secrets file location (default is /etc/ppp/chap-secrets).

encrypted=0|1

Specifies whether chap-secrets is encrypted (read README).

username-hash=hash1[,hash2]

Specifies hash chain to calculate username hash.
hash1, hash2 are openssl known digest names (md5, sha1, etc).

[ip-pool]

Configuration of ippool module.

gw-ip-address=x.x.x.x

Specifies single IP address to be used as local address of ppp interfaces.

shuffle=1|0

Specifies whether to shuffle initial address list.

gw=range

Specifies range of local address of ppp interfaces in form:
x.x.x.x/mask[,name=pool_name][,next=next_pool_name] (for example 10.0.0.0/8)
x.x.x.x-y[,name=pool_name][,next=next_pool_name] (for example 10.0.0.1-254)

tunnel=range

Specifies range of remote address of ppp interfaces in form:
x.x.x.x/mask[,name=pool_name][,next=next_pool_name]
x.x.x.x-y[,name=pool_name][,next=next_pool_name]

x.x.x.x/mask[,name=pool_name][,next=next_pool_name] or x.x.x.x-y[,name=pool_name][,next=next_pool_name]

Also specifies range of remote address of ppp interfaces.

attr=attribute

Specifies which Radius attribute contains pool name.

vendor=vendor

If attribute is vendor-specific then specify vendor name in this option.

[ipv6-pool]

Configuration of ipv6pool module.

ipv6prefix/mask,prefix_len[,name=pool_name][,next=next_pool_name]

For example, fc00:0:1::/48,64 specifies a pool of addresses obtained by dividing prefix fc00:0:1::/48 into networks with prefix length 64:
fc00:0:1:0::/64
fc00:0:1:1::/64
...
fc00:0:1:ffff::/64

delegate=ipv6prefix/mask,prefix_len[,name=pool_name][,next=next_pool_name]

Specifies range of prefixes to delegate to clients through DHCPv6 prefix delegation (rfc3633). Format is same as described above.
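The subdivision described above, which delegate= reuses, worked through as an added example that is not part of accel-ppp or of this man page. The function names, the alignment check, the overlap check and the fc00:0:1:8000::/49 pool are this example's own assumptions.

```python
import ipaddress


def parse_ipv6_pool(spec):
    """Parse 'ipv6prefix/mask,prefix_len[,name=..][,next=..]' into a summary dict."""
    prefix, _, rest = spec.partition(",")
    fields = rest.split(",") if rest else []
    if not fields or not fields[0].isdigit():
        raise ValueError(f"missing prefix_len in {spec!r}")
    # strict=True rejects a prefix with host bits set (this example's own check).
    net = ipaddress.IPv6Network(prefix.strip(), strict=True)
    prefix_len = int(fields[0])
    if not net.prefixlen <= prefix_len <= 128:
        raise ValueError(f"prefix_len {prefix_len} not in {net.prefixlen}..128")
    opts = dict(f.split("=", 1) for f in fields[1:])
    if set(opts) - {"name", "next"}:
        raise ValueError(f"unknown option in {spec!r}")
    count = 1 << (prefix_len - net.prefixlen)   # number of networks in the pool
    step = 1 << (128 - prefix_len)              # address distance between them
    base = int(net.network_address)
    return {
        "net": net,
        "count": count,
        "first": ipaddress.IPv6Network((base, prefix_len)),
        "last": ipaddress.IPv6Network((base + (count - 1) * step, prefix_len)),
        "name": opts.get("name"),
        "next": opts.get("next"),
    }


def pools_overlap(spec_a, spec_b):
    """True if two pool definitions would hand out space from the same prefix."""
    return parse_ipv6_pool(spec_a)["net"].overlaps(parse_ipv6_pool(spec_b)["net"])


if __name__ == "__main__":
    pool = parse_ipv6_pool("fc00:0:1::/48,64")            # example from the text
    print(pool["count"], pool["first"], pool["last"])
    # Constructed delegate pool that collides with the address pool above.
    print(pools_overlap("fc00:0:1::/48,64", "fc00:0:1:8000::/49,56,name=pd"))
```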

gw-ip6-address=ipv6address

Specifies gateway address (used only for /128 prefixes)

attr-prefix=attribute

Specifies which Radius attribute contains delegated prefix pool name.

attr-address=attribute

Specifies which Radius attribute contains stateful address pool name.

vendor=vendor

If attribute is vendor-specific then specify vendor name in this option.

[connlimit]

This module limits connection rate from single source.

limit=count/time

Specifies acceptable rate of connections, for example limit=1/s or limit=10/m.

burst=count
timeout=n

Specifies timeout in seconds after which module doesn't check rate until burst number of connections have arrived.

[shaper]

This module controls shaper.

attr=name

Specifies which radius attribute contains rate information. Default - Filter-ID.

attr-up=name
attr-down=name

Specifies which radius attributes contain rate information for upstream and downstream respectively.

burst-factor=n

Burst will be calculated as rate multiplied by burst-factor.

up-burst-factor=n
down-burst-factor=n

Specifies burst factor for upstream and downstream respectively.

latency=n

Specifies latency (in milliseconds) parameter of tbf qdisc.

mpu=n

Specifies mpu parameter of tbf qdisc and policer.

r2q=n

Specifies r2q parameter of root htb qdisc.

quantum=n

Specifies quantum parameter of htb classes.

moderate-quantum=1|0

If fixed quantum is not specified and this option is specified, the shaper module will check that the quantum value is valid (in range 1000-200000).

fwmark=n

Specifies the fwmark for traffic that won't be passed through shaper.

up-limiter=police|htb

Specifies upstream rate limiting method.

down-limiter=tbf|htb

Specifies downstream rate limiting method.

leaf-qdisc=qdisc parameters

If htb is used as up-limiter or down-limiter, the specified leaf qdisc can be attached automatically. At present sfq and fq_codel qdiscs are implemented. Parameters are the same as for tc:
sfq [ limit NUMBER ] [ perturb SECS ] [ quantum BYTES ]
fq_codel [ limit PACKETS ] [ flows NUMBER ] [ target TIME ] [ interval TIME ] [ quantum BYTES ] [ [no]ecn ]

rate-multiplier=n

Because accel-ppp operates with rates in kilobits, if you send rates in a different unit you can use this option to convert your values to kilobits.

rate-limit=download_speed/upload_speed

Specifies whether accel-ppp should set a default rate-limit for clients. A client's rate-limit will be overwritten by RADIUS filter attributes or chap-secrets rate-limit params.

[cli]

Configuration of the command line interface.

verbose=n

If n = 1 then cli module will log IP address of each connection.
If n = 2 then cli module will also log passed commands.

tcp=host:port

Defines on which IP address and port the TCP module will listen for incoming connections. When host is empty, the TCP module listens on all local interfaces. It isn't loaded if this option isn't defined.

telnet=host:port

Defines on which IP address and port the Telnet module will listen for incoming connections. When host is empty, the Telnet module listens on all local interfaces. It isn't loaded if this option isn't defined.

password=passwd

Defines the password to be used by the TCP and Telnet modules for authenticating clients. No authentication is performed if this option isn't defined.
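A configuration check for the tcp, telnet, password and verbose options described above, as an added example that is not part of accel-ppp. The function names, the sample configuration, the treatment of '#' lines as comments and the loopback test are assumptions of this example.

```python
# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """\
[modules]
pppoe
[cli]
verbose=1
telnet=127.0.0.1:2000
tcp=:2001
"""


def parse_conf(text):
    """Parse the [section] / name=val / bare-name layout into {section: {name: val}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comment lines: an assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None:
            name, sep, val = line.partition("=")
            current[name.strip()] = val.strip() if sep else None  # bare name -> None
    return sections


def audit_cli(text):
    """Return findings for the [cli] options tcp, telnet, password and verbose."""
    cli = parse_conf(text).get("cli", {})
    findings = []
    listeners = [k for k in ("tcp", "telnet") if cli.get(k) is not None]
    for key in listeners:
        host = cli[key].rpartition(":")[0].strip("[]")
        if not host:
            findings.append(f"{key}: empty host, listens on all local interfaces")
        elif not (host in ("localhost", "::1") or host.startswith("127.")):
            findings.append(f"{key}: listens on non-loopback address {host}")
    if listeners and not cli.get("password"):
        findings.append("password: not defined, clients are not authenticated")
    if listeners and cli.get("verbose") != "2":
        findings.append("verbose: not 2, passed commands are not logged")
    return findings


if __name__ == "__main__":
    for finding in audit_cli(SAMPLE_CONF):
        print(finding)
```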

prompt=prompt

Defines the prompt string used by the Telnet module (defaults to accel-ppp).

history-file=filename

Defines the file used by the Telnet module for loading and storing its command history (defaults to /var/lib/accel-ppp/history).

sessions-columns=column_list

Defines the default set of columns to be displayed by the "show sessions" command (defaults to ifname,username,calling-sid,ip,rate-limit,type,comp,state,uptime).
Possible columns:
ifname - interface name
username - user name
ip - IP address
ip6 - IPv6 address
ip6-dp - IPv6 delegated prefix
type - connection type [pppoe|ipoe|pptp|l2tp|sstp]
state - state of session
uptime - uptime (human readable)
uptime-raw - uptime (in seconds)
calling-sid - calling station id
called-sid - called station id
sid - session id
comp - compression/encryption method
inbound-if - inbound interface
service-name - PPPoE service name
rx-bytes - received bytes (human readable)
tx-bytes - transmitted bytes (human readable)
rx-bytes-raw - received bytes
tx-bytes-raw - transmitted bytes
rx-pkts - received packets
tx-pkts - transmitted packets
netns - network namespaces
vrf - virtual routing and forwarding
Invalid column names are silently discarded.

Info

23 August 2011