NAME

pppd - Point-to-Point Protocol Daemon

SYNOPSIS

pppd [ options ]

DESCRIPTION

PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links. The pppd daemon works together with the kernel PPP driver to establish and maintain a PPP link with another system (called the peer) and to negotiate Internet Protocol (IP) addresses for each end of the link. Pppd can also authenticate the peer and/or supply authentication information to the peer. PPP can be used with other network protocols besides IP, but such use is becoming increasingly rare.

FREQUENTLY USED OPTIONS

ttyname
Use the serial port called ttyname to communicate with the peer. If ttyname does not begin with a slash (/), the string "/dev/" is prepended to ttyname to form the name of the device to open. If no device name is given, or if the name of the terminal connected to the standard input is given, pppd will use that terminal, and will not fork to put itself in the background. A value for this option from a privileged source cannot be overridden by a non-privileged user.
speed
An option that is a decimal number is taken as the desired baud rate for the serial device. On systems such as 4.4BSD and NetBSD, any speed can be specified. Other systems (e.g. Linux, SunOS) only support the commonly-used baud rates.
asyncmap map
This option sets the Async-Control-Character-Map (ACCM) for this end of the link. The ACCM is a set of 32 bits, one for each of the ASCII control characters with values from 0 to 31, where a 1 bit indicates that the corresponding control character should not be used in PPP packets sent to this system. The map is encoded as a hexadecimal number (without a leading 0x) where the least significant bit (00000001) represents character 0 and the most significant bit (80000000) represents character 31. Pppd will ask the peer to send these characters as a 2-byte escape sequence. If multiple asyncmap options are given, the values are ORed together. If no asyncmap option is given, the default is zero, so pppd will ask the peer not to escape any control characters. To escape transmitted characters, use the escape option.
auth
Require the peer to authenticate itself before allowing network packets to be sent or received. This option is the default if the system has a default route. If neither this option nor the noauth option is specified, pppd will only allow the peer to use IP addresses to which the system does not already have a route.
call name
Read additional options from the file /etc/ppp/peers/name. This file may contain privileged options, such as noauth, even if pppd is not being run by root. The name string may not begin with / or include .. as a pathname component. The format of the options file is described below.
connect script
Usually there is something which needs to be done to prepare the link before the PPP protocol can be started; for instance, with a dial-up modem, commands need to be sent to the modem to dial the appropriate phone number. This option specifies a command for pppd to execute (by passing it to a shell) before attempting to start PPP negotiation. The chat(8) program is often useful here, as it provides a way to send arbitrary strings to a modem and respond to received characters. A value for this option from a privileged source cannot be overridden by a non-privileged user.
crtscts
Specifies that pppd should set the serial port to use hardware flow control using the RTS and CTS signals in the RS-232 interface. If neither the crtscts, the nocrtscts, the cdtrcts nor the nocdtrcts option is given, the hardware flow control setting for the serial port is left unchanged. Some serial ports (such as Macintosh serial ports) lack a true RTS output. Such serial ports use this mode to implement unidirectional flow control. The serial port will suspend transmission when requested by the modem (via CTS) but will be unable to request the modem to stop sending to the computer. This mode retains the ability to use DTR as a modem control line.
defaultroute
Add a default route to the system routing tables, using the peer as the gateway, when IPCP negotiation is successfully completed. This entry is removed when the PPP connection is broken. This option is privileged if the nodefaultroute option has been specified.
disconnect script
Execute the command specified by script, by passing it to a shell, after pppd has terminated the link. This command could, for example, issue commands to the modem to cause it to hang up if hardware modem control signals were not available. The disconnect script is not run if the modem has already hung up. A value for this option from a privileged source cannot be overridden by a non-privileged user.
escape xx,yy,...
Specifies that certain characters should be escaped on transmission (regardless of whether the peer requests them to be escaped with its async control character map). The characters to be escaped are specified as a list of hex numbers separated by commas. Note that almost any character can be specified for the escape option, unlike the asyncmap option which only allows control characters to be specified. The characters which may not be escaped are those with hex values 0x20 - 0x3f or 0x5e.
file name
Read options from file name (the format is described below). The file must be readable by the user who has invoked pppd.
init script
Execute the command specified by script, by passing it to a shell, to initialize the serial line. This script would typically use the chat(8) program to configure the modem to enable auto answer. A value for this option from a privileged source cannot be overridden by a non-privileged user.
lock
Specifies that pppd should create a UUCP-style lock file for the serial device to ensure exclusive access to the device. By default, pppd will not create a lock file.
mru n
Set the MRU [Maximum Receive Unit] value to n. Pppd will ask the peer to send packets of no more than n bytes. The value of n must be between 128 and 16384; the default is 1500. A value of 296 works well on very slow links (40 bytes for TCP/IP header + 256 bytes of data). Note that for the IPv6 protocol, the MRU must be at least 1280.
mtu n
Set the MTU [Maximum Transmit Unit] value to n. Unless the peer requests a smaller value via MRU negotiation, pppd will request that the kernel networking code send data packets of no more than n bytes through the PPP network interface. Note that for the IPv6 protocol, the MTU must be at least 1280.
passive
Enables the "passive" option in the LCP. With this option, pppd will attempt to initiate a connection; if no reply is received from the peer, pppd will then just wait passively for a valid LCP packet from the peer, instead of exiting, as it would without this option.
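The asyncmap and escape entries above, worked through in code. This is an added example, not code from pppd: the function names are hypothetical, the parsers are stricter than the text requires (at most 8 hex digits for asyncmap, at most 2 per escape value), and the on-the-wire encoding (0x7d escape byte, XOR with 0x20, 0x7e frame delimiter) is taken from RFC 1662 rather than from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPP_FLAG   0x7e  /* frame delimiter (RFC 1662) */
#define PPP_ESCAPE 0x7d  /* control escape (RFC 1662) */
#define PPP_TRANS  0x20  /* an escaped byte is sent XORed with this */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one asyncmap argument (1-8 hex digits, no leading 0x) and OR it
 * into *map, as repeated asyncmap options are. Bit n = control char n. */
int asyncmap_or(const char *arg, uint32_t *map)
{
    uint32_t v = 0;
    size_t n = 0;

    for (; arg[n] != '\0'; n++) {
        int d = hexval(arg[n]);
        if (d < 0 || n >= 8) return -1;  /* "0x..." fails: 'x' is no hex digit */
        v = (v << 4) | (uint32_t)d;
    }
    if (n == 0) return -1;
    *map |= v;
    return 0;
}

/* Parse an escape argument ("xx,yy,...") into a 256-bit set (one bit per
 * byte value). 0x20-0x3f and 0x5e are refused: XORed with 0x20 they would
 * go on the wire as a control character or as the 0x7e frame delimiter. */
int escape_parse(const char *arg, uint32_t set[8])
{
    const char *p = arg;

    for (;;) {
        unsigned v = 0;
        int digits = 0, d;

        while ((d = hexval(*p)) >= 0) {
            if (++digits > 2) return -1;
            v = (v << 4) | (unsigned)d;
            p++;
        }
        if (digits == 0) return -1;
        if ((v >= 0x20 && v <= 0x3f) || v == 0x5e) return -1;
        set[v >> 5] |= (uint32_t)1 << (v & 31);
        if (*p == '\0') return 0;
        if (*p != ',') return -1;
        p++;
    }
}

/* Sender-side byte stuffing: honour the receiver's ACCM and our own escape
 * set. Returns the number of bytes written, or -1 if out is too small. */
int ppp_stuff(const uint8_t *in, size_t n, uint32_t accm,
              const uint32_t esc[8], uint8_t *out, size_t cap)
{
    size_t o = 0;

    for (size_t i = 0; i < n; i++) {
        uint8_t c = in[i];
        int escape = c == PPP_FLAG || c == PPP_ESCAPE ||
                     (c < 0x20 && ((accm >> c) & 1)) ||
                     ((esc[c >> 5] >> (c & 31)) & 1);

        if (o + (escape ? 2 : 1) > cap) return -1;
        if (escape) {
            out[o++] = PPP_ESCAPE;
            out[o++] = c ^ PPP_TRANS;
        } else {
            out[o++] = c;
        }
    }
    return (int)o;
}

int main(void)
{
    /* Constructed sample payload: XON, 'A', flag byte, XOFF, NUL. */
    const uint8_t payload[] = { 0x11, 0x41, 0x7e, 0x13, 0x00 };
    uint32_t accm = 0, esc[8] = { 0 };
    uint8_t wire[16];

    asyncmap_or("a0000", &accm);         /* bits 17 and 19: XON and XOFF */
    int n = ppp_stuff(payload, sizeof payload, accm, esc, wire, sizeof wire);
    for (int i = 0; i < n; i++)
        printf("%02x ", wire[i]);
    printf("\n");
    return 0;
}
```

The asyncmap value describes what this end wants the peer to escape, so ppp_stuff() models the peer's transmit path; the escape set is the sender's own addition on top of the negotiated map.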
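The restriction on the argument of the call option (no leading /, no .. pathname component) matters because the file it selects may carry privileged options for a non-root caller. One way to express that check, as an added example that is not pppd's own code; call_name_ok() and peers_path() are hypothetical names, the sample names in main() are constructed, and rejecting an empty name is an added assumption.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if name is acceptable as the argument of "call", 0 otherwise.
 * Rules from the man page: it must not begin with '/', and no pathname
 * component may be "..". A ".." that is only part of a component ("a..b")
 * is allowed. Rejecting the empty string is an added assumption. */
int call_name_ok(const char *name)
{
    const char *p = name;

    if (name[0] == '\0' || name[0] == '/')
        return 0;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");    /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Build the options-file path for an accepted name.
 * Returns 0 on success, -1 if the name is refused or out is too small. */
int peers_path(const char *name, char *out, size_t cap)
{
    int n;

    if (!call_name_ok(name))
        return -1;
    n = snprintf(out, cap, "/etc/ppp/peers/%s", name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names. */
    const char *names[] = { "isp", "work/backup", "a..b",
                            "/etc/shadow", "../options", "a/../b" };
    char path[128];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (peers_path(names[i], path, sizeof path) == 0)
            printf("accept %-14s -> %s\n", names[i], path);
        else
            printf("refuse %s\n", names[i]);
    }
    return 0;
}
```

The check is lexical only: it does not resolve symbolic links, so it is only meaningful while /etc/ppp/peers and everything under it is writable by root alone.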

OPTIONS

<local_IP_address>:<remote_IP_address>
Set the local and/or remote interface IP addresses. Either one may be omitted. The IP addresses can be specified with a host name or in decimal dot notation (e.g. 150.234.56.78). The default local address is the (first) IP address of the hostname of the system (unless the noipdefault option is given). The remote address will be obtained from the peer if not specified in any option. Thus, in simple cases, this option is not required. If a local and/or remote IP address is specified with this option, pppd will not accept a different value from the peer in the IPCP negotiation, unless the ipcp-accept-local and/or ipcp-accept-remote options are given, respectively.
ipv6 <local_interface_identifier>,<remote_interface_identifier>
Set the local and/or remote 64-bit interface identifier. Either one may be omitted. The identifier must be specified in standard ASCII notation of IPv6 addresses (e.g. ::dead:beef). If the ipv6cp-use-ipaddr option is given, the local identifier is the local IPv4 address (see above). On systems which support a unique persistent id, such as EUI-48 derived from the Ethernet MAC address, the ipv6cp-use-persistent option can be used to replace the ipv6 <local>,<remote> option. Otherwise the identifier is randomized.
active-filter-in filter-expression
active-filter-out filter-expression
Specifies an incoming and outgoing packet filter to be applied to data packets to determine which packets are to be regarded as link activity, and therefore reset the idle timer, or cause the link to be brought up in demand-dialing mode. This option is useful in conjunction with the idle option if there are packets being sent or received regularly over the link (for example, routing information packets) which would otherwise prevent the link from ever appearing to be idle. The filter-expression syntax is as described for tcpdump(8), except that qualifiers which are inappropriate for a PPP link, such as ether and arp, are not permitted. Generally the filter expression should be enclosed in single-quotes to prevent whitespace in the expression from being interpreted by the shell. This option is currently only available under NetBSD, and then only if both the kernel and pppd were compiled with PPP_FILTER defined.
allow-ip address(es)
Allow peers to use the given IP address or subnet without authenticating themselves. The parameter is parsed as for each element of the list of allowed IP addresses in the secrets files (see the AUTHENTICATION section below).
allow-number number
Allow peers to connect from the given telephone number. A trailing `*' character will match all numbers beginning with the leading part.
bsdcomp nr,nt
Request that the peer compress packets that it sends, using the BSD-Compress scheme, with a maximum code size of nr bits, and agree to compress packets sent to the peer with a maximum code size of nt bits. If nt is not specified, it defaults to the value given for nr. Values in the range 9 to 15 may be used for nr and nt; larger values give better compression but consume more kernel memory for compression dictionaries. Alternatively, a value of 0 for nr or nt disables compression in the corresponding direction. Use nobsdcomp or bsdcomp 0 to disable BSD-Compress compression entirely.
callback phone_number
Request a call-back to the phone-number. This only works if the peer is speaking the Call Back Configuration Protocol. Don't put this into the main options file if you sometimes connect to servers that don't support it.
cdtrcts
Use a non-standard hardware flow control (i.e. DTR/CTS) to control the flow of data on the serial port. If neither the crtscts, the nocrtscts, the cdtrcts nor the nocdtrcts option is given, the hardware flow control setting for the serial port is left unchanged. Some serial ports (such as Macintosh serial ports) lack a true RTS output. Such serial ports use this mode to implement true bi-directional flow control. The sacrifice is that this flow control mode does not permit using DTR as a modem control line.
chap-interval n
If this option is given, pppd will rechallenge the peer every n seconds.
chap-max-challenge n
Set the maximum number of CHAP challenge transmissions to n (default 10).
chap-restart n
Set the CHAP restart interval (retransmission timeout for challenges) to n seconds (default 3).
child-timeout n
When exiting, wait for up to n seconds for any child processes (such as the command specified with the pty command) to exit before exiting. At the end of the timeout, pppd will send a SIGTERM signal to any remaining child processes and exit. A value of 0 means no timeout, that is, pppd will wait until all child processes have exited.
connect-delay n
Wait for up to n milliseconds after the connect script finishes for a valid PPP packet from the peer. At the end of this time, or when a valid PPP packet is received from the peer, pppd will commence negotiation by sending its first LCP packet. The default value is 1000 (1 second). This wait period only applies if the connect or pty option is used.
debug
Enables connection debugging facilities. If this option is given, pppd will log the contents of all control packets sent or received in a readable form. The packets are logged through syslog with facility daemon and level debug. This information can be directed to a file by setting up /etc/syslog.conf appropriately (see syslog.conf(5)).
default-asyncmap
Disable asyncmap negotiation, forcing all control characters to be escaped for both the transmit and the receive direction.
default-mru
Disable MRU [Maximum Receive Unit] negotiation. With this option, pppd will use the default MRU value of 1500 bytes for both the transmit and receive direction.
deflate nr,nt
Request that the peer compress packets that it sends, using the Deflate scheme, with a maximum window size of 2**nr bytes, and agree to compress packets sent to the peer with a maximum window size of 2**nt bytes. If nt is not specified, it defaults to the value given for nr. Values in the range 9 to 15 may be used for nr and nt; larger values give better compression but consume more kernel memory for compression dictionaries. Alternatively, a value of 0 for nr or nt disables compression in the corresponding direction. Use nodeflate or deflate 0 to disable Deflate compression entirely. (Note: pppd requests Deflate compression in preference to BSD-Compress if the peer can do either.)
demand
Initiate the link only on demand, i.e. when data traffic is present. With this option, the remote IP address must be specified by the user on the command line or in an options file. Pppd will initially configure the interface and enable it for IP traffic without connecting to the peer. When traffic is available, pppd will connect to the peer and perform negotiation, authentication, etc. When this is completed, pppd will commence passing data packets (i.e., IP packets) across the link.

The demand option implies the persist option. If this behavior is not desired, use the nopersist option after the demand option. The idle and holdoff options are also useful in conjunction with the demand option.

domain d
Append the domain name d to the local host name for authentication purposes. For example, if gethostname() returns the name porsche, but the fully qualified domain name is porsche.Quotron.COM, you could specify domain Quotron.COM. Pppd would then use the name porsche.Quotron.COM for looking up secrets in the secrets file, and as the default name to send to the peer when authenticating itself to the peer. This option is privileged.
dryrun
With the dryrun option, pppd will print out all the option values which have been set and then exit, after parsing the command line and options files and checking the option values, but before initiating the link. The option values are logged at level info, and also printed to standard output unless the device on standard output is the device that pppd would be using to communicate with the peer.
dump
With the dump option, pppd will print out all the option values which have been set. This option is like the dryrun option except that pppd proceeds as normal rather than exiting.
endpoint <epdisc>
Sets the endpoint discriminator sent by the local machine to the peer during multilink negotiation to <epdisc>. The default is to use the MAC address of the first ethernet interface on the system, if any, otherwise the IPv4 address corresponding to the hostname, if any, provided it is not in the multicast or locally-assigned IP address ranges, or the localhost address. The endpoint discriminator can be the string null or of the form type:value, where type is a decimal number or one of the strings local, IP, MAC, magic, or phone. The value is an IP address in dotted-decimal notation for the IP type, or a string of bytes in hexadecimal, separated by periods or colons for the other types. For the MAC type, the value may also be the name of an ethernet or similar network interface. This option is currently only available under Linux.
eap-interval n
If this option is given and pppd authenticates the peer with EAP (i.e., is the server), pppd will restart EAP authentication every n seconds. For EAP SRP-SHA1, see also the srp-interval option, which enables lightweight rechallenge.
eap-max-rreq n
Set the maximum number of EAP Requests to which pppd will respond (as a client) without hearing EAP Success or Failure. (Default is 20.)
eap-max-sreq n
Set the maximum number of EAP Requests that pppd will issue (as a server) while attempting authentication. (Default is 10.)
eap-restart n
Set the retransmit timeout for EAP Requests when acting as a server (authenticator). (Default is 3 seconds.)
eap-timeout n
Set the maximum time to wait for the peer to send an EAP Request when acting as a client (authenticatee). (Default is 20 seconds.)
hide-password
When logging the contents of PAP packets, this option causes pppd to exclude the password string from the log. This is the default.
holdoff n
Specifies how many seconds to wait before re-initiating the link after it terminates. This option only has any effect if the persist or demand option is used. The holdoff period is not applied if the link was terminated because it was idle.
idle n
Specifies that pppd should disconnect if the link is idle for n seconds. The link is idle when no data packets (i.e. IP packets) are being sent or received. Note: it is not advisable to use this option with the persist option without the demand option. If the active-filter-in and/or active-filter-out options are given, data packets which are rejected by the specified activity filter also count as the link being idle.
ipcp-accept-local
With this option, pppd will accept the peer's idea of our local IP address, even if the local IP address was specified in an option.
ipcp-accept-remote
With this option, pppd will accept the peer's idea of its (remote) IP address, even if the remote IP address was specified in an option.
ipcp-max-configure n
Set the maximum number of IPCP configure-request transmissions to n (default 10).
ipcp-max-failure n
Set the maximum number of IPCP configure-NAKs returned before starting to send configure-Rejects instead to n (default 10).
ipcp-max-terminate n
Set the maximum number of IPCP terminate-request transmissions to n (default 3).
ipcp-restart n
Set the IPCP restart interval (retransmission timeout) to n seconds (default 3).
ipparam string
Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts. If this option is given, the string supplied is given as the 6th parameter to those scripts.
+ipv6
Enable IPv6CP negotiation and IPv6 communication. It needs to be explicitly specified if you want IPv6CP.
-ipv6
Disable IPv6CP negotiation and IPv6 communication.
ipv6cp-accept-local
With this option, pppd will accept the peer's idea of our local IPv6 address, even if the local IPv6 address was specified in an option.
ipv6cp-use-ipaddr
Use the local IPv4 address as the local interface address.
ipv6cp-use-persistent
Use uniquely-available persistent value for link local address (Solaris 2 only).
ipv6cp-max-configure n
Set the maximum number of IPv6CP configure-request transmissions to n (default 10).
ipv6cp-max-failure n
Set the maximum number of IPv6CP configure-NAKs returned before starting to send configure-Rejects instead to n (default 10).
ipv6cp-max-terminate n
Set the maximum number of IPv6CP terminate-request transmissions to n (default 3).
ipv6cp-restart n
Set the IPv6CP restart interval (retransmission timeout) to n seconds (default 3).
ipx
Enable the IPXCP and IPX protocols. This option is presently only supported under Linux, and only if your kernel has been configured to include IPX support.
ipx-network n
Set the IPX network number in the IPXCP configure request frame to n, a hexadecimal number (without a leading 0x). There is no valid default. If this option is not specified, the network number is obtained from the peer. If the peer does not have the network number, the IPX protocol will not be started.
ipx-node n:m
Set the IPX node numbers. The two node numbers are separated from each other with a colon character. The first number n is the local node number. The second number m is the peer's node number. Each node number is a hexadecimal number, at most 10 digits long. The node numbers on the ipx-network must be unique. There is no valid default. If this option is not specified then the node numbers are obtained from the peer.
ipx-router-name <string>
Set the name of the router. This is a string and is sent to the peer as information data.
ipx-routing n
Set the routing protocol to be received by this option. More than one instance of ipx-routing may be specified. The 'none' option (0) may be specified as the only instance of ipx-routing. The values may be 0 for NONE, 2 for RIP/SAP, and 4 for NLSP.
ipxcp-accept-local
Accept the peer's NAK for the node number specified in the ipx-node option. If a node number was specified, and non-zero, the default is to insist that the value be used. If you include this option then you will permit the peer to override the entry of the node number.
ipxcp-accept-network
Accept the peer's NAK for the network number specified in the ipx-network option. If a network number was specified, and non-zero, the default is to insist that the value be used. If you include this option then you will permit the peer to override the entry of the node number.
ipxcp-accept-remote
Use the peer's network number specified in the configure request frame. If a node number was specified for the peer and this option was not specified, the peer will be forced to use the value which you have specified.
ipxcp-max-configure _n_<_/_b_> _<_d_d_> _S_e_t _t_h_e _m_a_x_i_m_u_m _n_u_m_b_e_r _o_f _I_P_X_C_P _c_o_n_f_i_g_u_r_e _r_e_q_u_e_s_t _f_r_a_m_e_s _w_h_i_c_h _t_h_e _s_y_s_t_e_m _w_i_l_l _s_e_n_d _t_o _n. The default is 10.
ipxcp-max-failure _n_<_/_b_> _<_d_d_> _S_e_t _t_h_e _m_a_x_i_m_u_m _n_u_m_b_e_r _o_f _I_P_X_C_P _N_A_K _f_r_a_m_e_s _w_h_i_c_h _t_h_e _l_o_c_a_l _s_y_s_t_e_m _w_i_l_l _s_e_n_d _b_e_f_o_r_e _i_t _r_e_j_e_c_t_s _t_h_e _o_p_t_i_o_n_s_. _T_h_e _d_e_f_a_u_l_t _v_a_l_u_e _i_s _3_. _<_d_t_> _<_b_>_i_p_x_c_p_-_m_a_x_-_t_e_r_m_i_n_a_t_e _n_<_/_b_> _<_d_d_> _S_e_t _t_h_e _m_a_x_i_m_u_m _n_u_m_b_e_r _o_f _I_P_X_C_P _t_e_r_m_i_n_a_t_e _r_e_q_u_e_s_t _f_r_a_m_e_s _b_e_f_o_r_e _t_h_e _l_o_c_a_l _s_y_s_t_e_m _c_o_n_s_i_d_e_r_s _t_h_a_t _t_h_e _p_e_e_r _i_s _n_o_t _l_i_s_t_e_n_i_n_g _t_o _t_h_e_m_. _T_h_e _d_e_f_a_u_l_t _v_a_l_u_e _i_s _3_. _<_d_t_> _<_b_>_k_d_e_b_u_g _n_<_/_b_> _<_d_d_> _E_n_a_b_l_e _d_e_b_u_g_g_i_n_g _c_o_d_e _i_n _t_h_e _k_e_r_n_e_l_-_l_e_v_e_l _P_P_P _d_r_i_v_e_r_. _T_h_e _a_r_g_u_m_e_n_t _v_a_l_u_e_s _d_e_p_e_n_d _o_n _t_h_e _s_p_e_c_i_f_i_c _k_e_r_n_e_l _d_r_i_v_e_r_, _b_u_t _i_n _g_e_n_e_r_a_l _a _v_a_l_u_e _o_f _1 _w_i_l_l _e_n_a_b_l_e _g_e_n_e_r_a_l _k_e_r_n_e_l _d_e_b_u_g _m_e_s_s_a_g_e_s_. _(_N_o_t_e _t_h_a_t _t_h_e_s_e _m_e_s_s_a_g_e_s _a_r_e _u_s_u_a_l_l_y _o_n_l_y _u_s_e_f_u_l _f_o_r _d_e_b_u_g_g_i_n_g _t_h_e _k_e_r_n_e_l _d_r_i_v_e_r _i_t_s_e_l_f_._) _F_o_r _t_h_e _L_i_n_u_x _2_._2_._x _k_e_r_n_e_l _d_r_i_v_e_r_, _t_h_e _v_a_l_u_e _i_s _a _s_u_m _o_f _b_i_t_s_: _1 _t_o _e_n_a_b_l_e _g_e_n_e_r_a_l _d_e_b_u_g _m_e_s_s_a_g_e_s_, _2 _t_o _r_e_q_u_e_s_t _t_h_a_t _t_h_e _c_o_n_t_e_n_t_s _o_f _r_e_c_e_i_v_e_d _p_a_c_k_e_t_s _b_e _p_r_i_n_t_e_d_, _a_n_d _4 _t_o _r_e_q_u_e_s_t _t_h_a_t _t_h_e _c_o_n_t_e_n_t_s _o_f _t_r_a_n_s_m_i_t_t_e_d _p_a_c_k_e_t_s _b_e _p_r_i_n_t_e_d_. _O_n _m_o_s_t _s_y_s_t_e_m_s_, _m_e_s_s_a_g_e_s _p_r_i_n_t_e_d _b_y _t_h_e _k_e_r_n_e_l _a_r_e _l_o_g_g_e_d _b_y _s_y_s_l_o_g_d_(_8_) _t_o _a _f_i_l_e _a_s _d_i_r_e_c_t_e_d _i_n _t_h_e _/_e_t_c_/_s_y_s_l_o_g_._c_o_n_f _c_o_n_f_i_g_u_r_a_t_i_o_n _f_i_l_e_. 
_<_d_t_> _<_b_>_k_t_u_n_e_<_/_b_> _<_d_d_> _E_n_a_b_l_e_s _p_p_p_d _t_o _a_l_t_e_r _k_e_r_n_e_l _s_e_t_t_i_n_g_s _a_s _a_p_p_r_o_p_r_i_a_t_e_. _U_n_d_e_r _L_i_n_u_x_, _p_p_p_d _w_i_l_l _e_n_a_b_l_e _I_P _f_o_r_w_a_r_d_i_n_g _(_i_._e_. _s_e_t _/_p_r_o_c_/_s_y_s_/_n_e_t_/_i_p_v_4_/_i_p___f_o_r_w_a_r_d _t_o _1_) _i_f _t_h_e _p_r_o_x_y_a_r_p option is used, and will enable the dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to 1) in demand mode if the local address changes.
lcp-echo-failure n
If this option is given, pppd will presume the peer to be dead if n LCP echo-requests are sent without receiving a valid LCP echo-reply. If this happens, pppd will terminate the connection. Use of this option requires a non-zero value for the lcp-echo-interval parameter. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g., the modem has hung up) in situations where no hardware modem control lines are available.
lcp-echo-interval n
If this option is given, pppd will send an LCP echo-request frame to the peer every n seconds. Normally the peer should respond to the echo-request by sending an echo-reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.
lcp-max-configure n
Set the maximum number of LCP configure-request transmissions to n (default 10).
lcp-max-failure n
Set the maximum number of LCP configure-NAKs returned before starting to send configure-Rejects instead to n (default 10).
lcp-max-terminate n
Set the maximum number of LCP terminate-request transmissions to n (default 3).
lcp-restart n
Set the LCP restart interval (retransmission timeout) to n seconds (default 3).
linkname name
Sets the logical name of the link to name. Pppd will create a file named ppp-name.pid in /var/run (or /etc/ppp on some systems) containing its process ID. This can be useful in determining which instance of pppd is responsible for the link to a given peer system. This is a privileged option.
local
Don't use the modem control lines. With this option, pppd will ignore the state of the CD (Carrier Detect) signal from the modem and will not change the state of the DTR (Data Terminal Ready) signal. This is the opposite of the modem option.
logfd n
Send log messages to file descriptor n. Pppd will send log messages to at most one file or file descriptor (as well as sending the log messages to syslog), so this option and the logfile option are mutually exclusive. The default is for pppd to send log messages to stdout (file descriptor 1), unless the serial port is already open on stdout.
logfile filename
Append log messages to the file filename (as well as sending the log messages to syslog). The file is opened with the privileges of the user who invoked pppd, in append mode.
login
Use the system password database for authenticating the peer using PAP, and record the user in the system wtmp file. Note that the peer must have an entry in the /etc/ppp/pap-secrets file as well as the system password database to be allowed access.
maxconnect n
Terminate the connection when it has been available for network traffic for n seconds (i.e. n seconds after the first network control protocol comes up).
maxfail n
Terminate after n consecutive failed connection attempts. A value of 0 means no limit. The default value is 10.
modem
Use the modem control lines. This option is the default. With this option, pppd will wait for the CD (Carrier Detect) signal from the modem to be asserted when opening the serial device (unless a connect script is specified), and it will drop the DTR (Data Terminal Ready) signal briefly when the connection is terminated and before executing the connect script. On Ultrix, this option implies hardware flow control, as for the crtscts option. This is the opposite of the local option.
mp
Enables the use of PPP multilink; this is an alias for the `multilink' option. This option is currently only available under Linux.
mppe-stateful
Allow MPPE to use stateful mode. Stateless mode is still attempted first. The default is to disallow stateful mode.
mpshortseq
Enables the use of short (12-bit) sequence numbers in multilink headers, as opposed to 24-bit sequence numbers. This option is only available under Linux, and only has any effect if multilink is enabled (see the multilink option).
mrru n
Sets the Maximum Reconstructed Receive Unit to n. The MRRU is the maximum size for a received packet on a multilink bundle, and is analogous to the MRU for the individual links. This option is currently only available under Linux, and only has any effect if multilink is enabled (see the multilink option).
ms-dns <addr>
If pppd is acting as a server for Microsoft Windows clients, this option allows pppd to supply one or two DNS (Domain Name Server) addresses to the clients. The first instance of this option specifies the primary DNS address; the second instance (if given) specifies the secondary DNS address. (This option was present in some older versions of pppd under the name dns-addr.)
ms-wins <addr>
If pppd is acting as a server for Microsoft Windows or "Samba" clients, this option allows pppd to supply one or two WINS (Windows Internet Name Services) server addresses to the clients. The first instance of this option specifies the primary WINS address; the second instance (if given) specifies the secondary WINS address.
multilink
Enables the use of the PPP multilink protocol. If the peer also supports multilink, then this link can become part of a bundle between the local system and the peer. If there is an existing bundle to the peer, pppd will join this link to that bundle, otherwise pppd will create a new bundle. See the MULTILINK section below. This option is currently only available under Linux.
name name
Set the name of the local system for authentication purposes to name. This is a privileged option. With this option, pppd will use lines in the secrets files which have name as the second field when looking for a secret to use in authenticating the peer. In addition, unless overridden with the user option, name will be used as the name to send to the peer when authenticating the local system to the peer. (Note that pppd does not append the domain name to name.)
noaccomp
Disable Address/Control compression in both directions (send and receive).
noauth
Do not require the peer to authenticate itself. This option is privileged.
nobsdcomp
Disables BSD-Compress compression; pppd will not request or agree to compress packets using the BSD-Compress scheme.
noccp
Disable CCP (Compression Control Protocol) negotiation. This option should only be required if the peer is buggy and gets confused by requests from pppd for CCP negotiation.
nocrtscts
Disable hardware flow control (i.e. RTS/CTS) on the serial port. If neither the crtscts nor the nocrtscts nor the cdtrcts nor the nocdtrcts option is given, the hardware flow control setting for the serial port is left unchanged.
nocdtrcts
This option is a synonym for nocrtscts. Either of these options will disable both forms of hardware flow control.
nodefaultroute
Disable the defaultroute option. The system administrator who wishes to prevent users from creating default routes with pppd can do so by placing this option in the /etc/ppp/options file.
nodeflate
Disables Deflate compression; pppd will not request or agree to compress packets using the Deflate scheme.
nodetach
Don't detach from the controlling terminal. Without this option, if a serial device other than the terminal on the standard input is specified, pppd will fork to become a background process.
noendpoint
Disables pppd from sending an endpoint discriminator to the peer or accepting one from the peer (see the MULTILINK section below). This option should only be required if the peer is buggy.
noip
Disable IPCP negotiation and IP communication. This option should only be required if the peer is buggy and gets confused by requests from pppd for IPCP negotiation.
noipv6
An alias for -ipv6.
noipdefault
Disables the default behavior when no local IP address is specified, which is to determine (if possible) the local IP address from the hostname. With this option, the peer will have to supply the local IP address during IPCP negotiation (unless it is specified explicitly on the command line or in an options file).
noipx
Disable the IPXCP and IPX protocols. This option should only be required if the peer is buggy and gets confused by requests from pppd for IPXCP negotiation.
noktune
Opposite of the ktune option; disables pppd from changing system settings.
nolock
Opposite of the lock option; specifies that pppd should not create a UUCP-style lock file for the serial device. This option is privileged.
nolog
Do not send log messages to a file or file descriptor. This option cancels the logfd and logfile options.
nomagic
Disable magic number negotiation. With this option, pppd cannot detect a looped-back line. This option should only be needed if the peer is buggy.
nomp
Disables the use of PPP multilink. This option is currently only available under Linux.
nomppe
Disables MPPE (Microsoft Point to Point Encryption). This is the default.
nomppe-40
Disable 40-bit encryption with MPPE.
nomppe-128
Disable 128-bit encryption with MPPE.
nomppe-stateful
Disable MPPE stateful mode. This is the default.
nompshortseq
Disables the use of short (12-bit) sequence numbers in the PPP multilink protocol, forcing the use of 24-bit sequence numbers. This option is currently only available under Linux, and only has any effect if multilink is enabled.
nomultilink
Disables the use of PPP multilink. This option is currently only available under Linux.
nopcomp
Disable protocol field compression negotiation in both the receive and the transmit direction.
nopersist
Exit once a connection has been made and terminated. This is the default unless the persist or demand option has been specified.
nopredictor1
Do not accept or agree to Predictor-1 compression.
noproxyarp
Disable the proxyarp option. The system administrator who wishes to prevent users from creating proxy ARP entries with pppd can do so by placing this option in the /etc/ppp/options file.
notty
Normally, pppd requires a terminal device. With this option, pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. Pppd will create a child process to act as a `character shunt' to transfer characters between the pseudo-tty master and its standard input and output. Thus pppd will transmit characters on its standard output and receive characters on its standard input even if they are not terminal devices. This option increases the latency and CPU overhead of transferring data over the ppp interface as all of the characters sent and received must flow through the character shunt process. An explicit device name may not be given if this option is used.
novj
Disable Van Jacobson style TCP/IP header compression in both the transmit and the receive direction.
novjccomp
Disable the connection-ID compression option in Van Jacobson style TCP/IP header compression. With this option, pppd will not omit the connection-ID byte from Van Jacobson compressed TCP/IP headers, nor ask the peer to do so.
papcrypt
Indicates that all secrets in the /etc/ppp/pap-secrets file which are used for checking the identity of the peer are encrypted, and thus pppd should not accept a password which, before encryption, is identical to the secret from the /etc/ppp/pap-secrets file.
pap-max-authreq n
Set the maximum number of PAP authenticate-request transmissions to n (default 10).
pap-restart n
Set the PAP restart interval (retransmission timeout) to n seconds (default 3).
pap-timeout n
Set the maximum time that pppd will wait for the peer to authenticate itself with PAP to n seconds (0 means no limit).
pass-filter-in filter-expression
pass-filter-out filter-expression
Specifies an incoming and outgoing packet filter to be applied to data packets being sent or received to determine which packets should be allowed to pass. Packets which are rejected by the filter are silently discarded. This option can be used to prevent specific network daemons (such as routed) using up link bandwidth, or to provide a basic firewall capability. The filter-expression syntax is as described for tcpdump(8), except that qualifiers which are inappropriate for a PPP link, such as ether and arp, are not permitted. Generally the filter expression should be enclosed in single-quotes to prevent whitespace in the expression from being interpreted by the shell. This option is currently only available under NetBSD, and then only if both the kernel and pppd were compiled with PPP_FILTER defined.
password password-string
Specifies the password to use for authenticating to the peer. Use of this option is discouraged, as the password is likely to be visible to other users on the system (for example, by using ps(1)).
persist
Do not exit after a connection is terminated; instead try to reopen the connection. The maxfail option still has an effect on persistent connections.
plugin filename
Load the shared library object file filename as a plugin. This is a privileged option. If filename does not contain a slash (/), pppd will look in the /usr/lib/pppd/version directory for the plugin, where version is the version number of pppd (for example, 2.4.2).
predictor1
Request that the peer compress frames that it sends using Predictor-1 compression, and agree to compress transmitted frames with Predictor-1 if requested. This option has no effect unless the kernel driver supports Predictor-1 compression.
privgroup group-name
Allows members of group group-name to use privileged options. This is a privileged option. Use of this option requires care as there is no guarantee that members of group-name cannot use pppd to become root themselves. Consider it equivalent to putting the members of group-name in the kmem or disk group.
proxyarp
Add an entry to this system's ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
pty script
Specifies that the command script is to be used to communicate rather than a specific terminal device. Pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. The script will be run in a child process with the pseudo-tty master as its standard input and output. An explicit device name may not be given if this option is used. (Note: if the record option is used in conjunction with the pty option, the child process will have pipes on its standard input and output.)
receive-all
With this option, pppd will accept all control characters from the peer, including those marked in the receive asyncmap. Without this option, pppd will discard those characters as specified in RFC1662. This option should only be needed if the peer is buggy.
record filename
Specifies that pppd should record all characters sent and received to a file named filename. This file is opened in append mode, using the user's user-ID and permissions. This option is implemented using a pseudo-tty and a process to transfer characters between the pseudo-tty and the real serial device, so it will increase the latency and CPU overhead of transferring data over the ppp interface. The characters are stored in a tagged format with timestamps, which can be displayed in readable form using the pppdump(8) program.
remotename name
Set the assumed name of the remote system for authentication purposes to name.
remotenumber number
Set the assumed telephone number of the remote system for authentication purposes to number.
refuse-chap
With this option, pppd will not agree to authenticate itself to the peer using CHAP.
refuse-mschap
With this option, pppd will not agree to authenticate itself to the peer using MS-CHAP.
refuse-mschap-v2
With this option, pppd will not agree to authenticate itself to the peer using MS-CHAPv2.
refuse-eap
With this option, pppd will not agree to authenticate itself to the peer using EAP.
refuse-pap
With this option, pppd will not agree to authenticate itself to the peer using PAP.
require-chap
Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol] authentication.
require-mppe
Require the use of MPPE (Microsoft Point to Point Encryption). This option disables all other compression types. This option enables both 40-bit and 128-bit encryption. In order for MPPE to successfully come up, you must have authenticated with either MS-CHAP or MS-CHAPv2. This option is presently only supported under Linux, and only if your kernel has been configured to include MPPE support.
require-mppe-40
Require the use of MPPE, with 40-bit encryption.
require-mppe-128
Require the use of MPPE, with 128-bit encryption.
require-mschap
Require the peer to authenticate itself using MS-CHAP [Microsoft Challenge Handshake Authentication Protocol] authentication.
require-mschap-v2
Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2] authentication.
require-eap
Require the peer to authenticate itself using EAP [Extensible Authentication Protocol] authentication.
require-pap
Require the peer to authenticate itself using PAP [Password Authentication Protocol] authentication.
show-password
When logging the contents of PAP packets, this option causes pppd to show the password string in the log message.
silent
With this option, pppd will not transmit LCP packets to initiate a connection until a valid LCP packet is received from the peer (as for the `passive' option with ancient versions of pppd).
srp-interval n
If this parameter is given and pppd uses EAP SRP-SHA1 to authenticate the peer (i.e., is the server), then pppd will use the optional lightweight SRP rechallenge mechanism at intervals of n seconds. This option is faster than eap-interval reauthentication because it uses a hash-based mechanism and does not derive a new session key.
srp-pn-secret string
Set the long-term pseudonym-generating secret for the server. This value is optional and if set, needs to be known at the server (authenticator) side only, and should be different for each server (or pool of identical servers). It is used along with the current date to generate a key to encrypt and decrypt the client's identity contained in the pseudonym.
srp-use-pseudonym
When operating as an EAP SRP-SHA1 client, attempt to use the pseudonym stored in ~/.ppp_psuedonym first as the identity, and save in this file any pseudonym offered by the peer during authentication.
sync
Use synchronous HDLC serial encoding instead of asynchronous. The device used by pppd with this option must have sync support. Currently supports Microgate SyncLink adapters under Linux and FreeBSD 2.2.8 and later.
unit num
Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound connections.
updetach
With this option, pppd will detach from its controlling terminal once it has successfully established the ppp connection (to the point where the first network control protocol, usually the IP control protocol, has come up).
usehostname
Enforce the use of the hostname (with domain name appended, if given) as the name of the local system for authentication purposes (overrides the name option). This option is not normally needed since the name option is privileged.
usepeerdns
Ask the peer for up to 2 DNS server addresses. The addresses supplied by the peer (if any) are passed to the /etc/ppp/ip-up script in the environment variables DNS1 and DNS2, and the environment variable USEPEERDNS will be set to 1. In addition, pppd will create an /etc/ppp/resolv.conf file containing one or two nameserver lines with the address(es) supplied by the peer.
user name
Sets the name used for authenticating the local system to the peer to name.
vj-max-slots n
Sets the number of connection slots to be used by the Van Jacobson TCP/IP header compression and decompression code to n, which must be between 2 and 16 (inclusive).
welcome script
Run the executable or shell command specified by script before initiating PPP negotiation, after the connect script (if any) has completed. A value for this option from a privileged source cannot be overridden by a non-privileged user.
xonxoff
Use software flow control (i.e. XON/XOFF) to control the flow of data on the serial port.

OPTIONS FILES

Options can be taken from files as well as the command line. Pppd reads options from the files /etc/ppp/options, ~/.ppprc and /etc/ppp/options.ttyname (in that order) before processing the options on the command line. (In fact, the command-line options are scanned to find the terminal name before the options.ttyname file is read.) In forming the name of the options.ttyname file, the initial /dev/ is removed from the terminal name, and any remaining / characters are replaced with dots.

An options file is parsed into a series of words, delimited by whitespace. Whitespace can be included in a word by enclosing the word in double-quotes ("). A backslash (\) quotes the following character. A hash (#) starts a comment, which continues until the end of the line. There is no restriction on using the file or call options within an options file.

SECURITY

pppd provides system administrators with sufficient access control that PPP access to a server machine can be provided to legitimate users without fear of compromising the security of the server or the network it's on. This control is provided through restrictions on which IP addresses the peer may use, based on its authenticated identity (if any), and through restrictions on which options a non-privileged user may use. Several of pppd's options are privileged, in particular those which permit potentially insecure configurations; these options are only accepted in files which are under the control of the system administrator, or if pppd is being run by root.

The default behaviour of pppd is to allow an unauthenticated peer to use a given IP address only if the system does not already have a route to that IP address. For example, a system with a permanent connection to the wider internet will normally have a default route, and thus all peers will have to authenticate themselves in order to set up a connection. On such a system, the auth option is the default. On the other hand, a system where the PPP link is the only connection to the internet will not normally have a default route, so the peer will be able to use almost any IP address without authenticating itself.

As indicated above, some security-sensitive options are privileged, which means that they may not be used by an ordinary non-privileged user running a setuid-root pppd, either on the command line, in the user's ~/.ppprc file, or in an options file read using the file option. Privileged options may be used in the /etc/ppp/options file or in an options file read using the call option. If pppd is being run by the root user, privileged options can be used without restriction.

When opening the device, pppd uses either the invoking user's user ID or the root UID (that is, 0), depending on whether the device name was specified by the user or the system administrator. If the device name comes from a privileged source, that is, /etc/ppp/options or an options file read using the call option, pppd uses full root privileges when opening the device. Thus, by creating an appropriate file under /etc/ppp/peers, the system administrator can allow users to establish a ppp connection via a device which they would not normally have permission to access. Otherwise pppd uses the invoking user's real UID when opening the device.

AUTHENTICATION

Authentication is the process whereby one peer convinces the other of its identity. This involves the first peer sending its name to the other, together with some kind of secret information which could only come from the genuine authorized user of that name. In such an exchange, we will call the first peer the "client" and the other the "server". The client has a name by which it identifies itself to the server, and the server also has a name by which it identifies itself to the client. Generally the genuine client shares some secret (or password) with the server, and authenticates itself by proving that it knows that secret. Very often, the names used for authentication correspond to the internet hostnames of the peers, but this is not essential.

At present, pppd supports three authentication protocols: the Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP). PAP involves the client sending its name and a cleartext password to the server to authenticate itself. In contrast, the server initiates the CHAP authentication exchange by sending a challenge to the client (the challenge packet includes the server's name). The client must respond with a response which includes its name plus a hash value derived from the shared secret and the challenge, in order to prove that it knows the secret. EAP supports CHAP-style authentication, and also includes the SRP-SHA1 mechanism, which is resistant to dictionary-based attacks and does not require a cleartext password on the server side.

The PPP protocol, being symmetrical, allows both peers to require the other to authenticate itself. In that case, two separate and independent authentication exchanges will occur. The two exchanges could use different authentication protocols, and in principle, different names could be used in the two exchanges.

The default behaviour of pppd is to agree to authenticate if requested, and to not require authentication from the peer. However, pppd will not agree to authenticate itself with a particular protocol if it has no secrets which could be used to do so.

Pppd stores secrets for use in authentication in secrets files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP, MS-CHAP, MS-CHAPv2, and EAP MD5-Challenge, and /etc/ppp/srp-secrets for EAP SRP-SHA1). All secrets files have the same format. The secrets files can contain secrets for pppd to use in authenticating itself to other systems, as well as secrets for pppd to use when authenticating other systems to itself.

Each line in a secrets file contains one secret. A given secret is specific to a particular combination of client and server - it can only be used by that client to authenticate itself to that server. Thus each line in a secrets file has at least 3 fields: the name of the client, the name of the server, and the secret. These fields may be followed by a list of the IP addresses that the specified client may use when connecting to the specified server.

A secrets file is parsed into words as for an options file, so the client name, server name and secrets fields must each be one word, with any embedded spaces or other special characters quoted or escaped. Note that case is significant in the client and server names and in the secret.

If the secret starts with an `@', what follows is assumed to be the name of a file from which to read the secret. A "*" as the client or server name matches any name. When selecting a secret, pppd takes the best match, i.e. the match with the fewest wildcards.

Any following words on the same line are taken to be a list of acceptable IP addresses for that client. If there are only 3 words on the line, or if the first word is "-", then all IP addresses are disallowed. To allow any address, use "*". A word starting with "!" indicates that the specified address is not acceptable. An address may be followed by "/" and a number n, to indicate a whole subnet, i.e. all addresses which have the same value in the most significant n bits. In this form, the address may be followed by a plus sign ("+") to indicate that one address from the subnet is authorized, based on the ppp network interface unit number in use. In this case, the host part of the address will be set to the unit number plus one.
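
The secrets-file rules above (word splitting, wildcard best match, and the address list), as an added Python example that is not pppd's own code. The sample file, the peer names and the /etc/ppp/bob.key path are constructed; the example assumes numeric IPv4 addresses only, that address words are tried left to right with the first match deciding, and that a tie between equally specific lines keeps the earlier line.

```python
import ipaddress

# Constructed sample (not from a real system): client server secret [addresses...]
SAMPLE = r'''
# client  server  secret             acceptable addresses
alice     gw      "two words"        10.0.0.5 !10.0.1.13 10.0.1.0/24
*         gw      guest\#1           -
bob       gw      @/etc/ppp/bob.key  192.168.7.0/24+
carol     gw      s3cret
*         *       fallback           *
'''

def split_words(line):
    """Split a line into words: "..." keeps whitespace, a backslash quotes the
    next character, and an unquoted # starts a comment (the page's wording)."""
    words, cur, in_word, in_quote, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            in_word = True
            i += 2
            continue
        if c == '"':
            in_quote, in_word = not in_quote, True
        elif in_quote:
            cur.append(c)
        elif c == "#":
            break
        elif c.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(c)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words

def parse_secrets(text):
    """Keep lines that have the three mandatory fields; the rest are addresses."""
    entries = []
    for line in text.splitlines():
        w = split_words(line)
        if len(w) >= 3:
            entries.append({"client": w[0], "server": w[1],
                            "secret": w[2], "addrs": w[3:]})
    return entries

def select_secret(entries, client, server):
    """Best match: the matching line with the fewest "*" names. Case-sensitive.
    Assumption: on a tie the earlier line is kept (the page does not say)."""
    best, best_wild = None, 3
    for e in entries:
        if e["client"] not in (client, "*") or e["server"] not in (server, "*"):
            continue
        wild = (e["client"] == "*") + (e["server"] == "*")
        if wild < best_wild:
            best, best_wild = e, wild
    return best

def address_allowed(entry, addr, unit=0):
    """Check a numeric IPv4 address against the entry's address words.
    Assumption: words are tried left to right and the first match decides."""
    ip = ipaddress.IPv4Address(addr)
    words = entry["addrs"]
    if not words or words[0] == "-":
        return False                     # 3-word line or leading "-": no address
    for w in words:
        if w == "*":
            return True
        accept = not w.startswith("!")
        spec = w if accept else w[1:]
        one_per_unit = spec.endswith("+")
        try:
            net = ipaddress.IPv4Network(spec.rstrip("+"), strict=False)
        except ValueError:
            continue                     # host names are outside this example
        if one_per_unit:                 # host part = unit number plus one
            hit = ip == net.network_address + unit + 1
        else:
            hit = ip in net
        if hit:
            return accept
    return False

def broad_entries(entries):
    """Review aid: lines where any client name may claim any address."""
    return [e for e in entries if e["client"] == "*" and "*" in e["addrs"]
            and e["addrs"][0] != "-"]

if __name__ == "__main__":
    table = parse_secrets(SAMPLE)
    for who, ip in [("alice", "10.0.1.13"), ("alice", "10.0.1.14"), ("bob", "192.168.7.1")]:
        print(who, ip, address_allowed(select_secret(table, who, "gw"), ip))
    print("broad:", [(e["client"], e["server"]) for e in broad_entries(table)])
```

Secrets that start with "@" are returned as written; the example does not open the named file.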

Thus a secrets file contains both secrets for use in authenticating other hosts, plus secrets which we use for authenticating ourselves to others. When pppd is authenticating the peer (checking the peer's identity), it chooses a secret with the peer's name in the first field and the name of the local system in the second field. The name of the local system defaults to the hostname, with the domain name appended if the domain option is used. This default can be overridden with the name option, except when the usehostname option is used. (For EAP SRP-SHA1, see the srp-entry(8) utility for generating proper validator entries to be used in the "secret" field.)

When pppd is choosing a secret to use in authenticating itself to the peer, it first determines what name it is going to use to identify itself to the peer. This name can be specified by the user with the user option. If this option is not used, the name defaults to the name of the local system, determined as described in the previous paragraph. Then pppd looks for a secret with this name in the first field and the peer's name in the second field. Pppd will know the name of the peer if CHAP or EAP authentication is being used, because the peer will have sent it in the challenge packet. However, if PAP is being used, pppd will have to determine the peer's name from the options specified by the user. The user can specify the peer's name directly with the remotename option. Otherwise, if the remote IP address was specified by a name (rather than in numeric form), that name will be used as the peer's name. Failing that, pppd will use the null string as the peer's name.

When authenticating the peer with PAP, the supplied password is first compared with the secret from the secrets file. If the password doesn't match the secret, the password is encrypted using crypt() and checked against the secret again. Thus secrets for authenticating the peer can be stored in encrypted form if desired. If the papcrypt option is given, the first (unencrypted) comparison is omitted, for better security.

Furthermore, if the login option was specified, the username and password are also checked against the system password database. Thus, the system administrator can set up the pap-secrets file to allow PPP access only to certain users, and to restrict the set of IP addresses that each user can use. Typically, when using the login option, the secret in /etc/ppp/pap-secrets would be "", which will match any password supplied by the peer. This avoids the need to have the same secret in two places.

Authentication must be satisfactorily completed before IPCP (or any other Network Control Protocol) can be started. If the peer is required to authenticate itself, and fails to do so, pppd will terminate the link (by closing LCP). If IPCP negotiates an unacceptable IP address for the remote host, IPCP will be closed. IP packets can only be sent or received when IPCP is open.

In some cases it is desirable to allow some hosts which can't authenticate themselves to connect and use one of a restricted set of IP addresses, even when the local host generally requires authentication. If the peer refuses to authenticate itself when requested, pppd takes that as equivalent to authenticating with PAP using the empty string for the username and password. Thus, by adding a line to the pap-secrets file which specifies the empty string for the client and password, it is possible to allow restricted access to hosts which refuse to authenticate themselves.
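The secret selection and address rules described above can be traced with a short script. This is an added example, not code from pppd or the ppp distribution: the sample entries are constructed, shlex quoting stands in for pppd's word parser, and the tie-breaking and first-match evaluation order are assumptions.

```python
import ipaddress
import shlex

# Constructed sample in the pap-secrets / chap-secrets layout described above.
SAMPLE = '''
# client  server  secret          acceptable addresses
joespc    server  "joe's secret"  10.1.2.3
*         server  sharedpw        !10.9.0.1 10.9.0.0/24
branch    server  "br pw"         192.168.50.0/24+
kiosk     server  kioskpw
guest     server  guestpw         - 10.0.0.1
""        server  ""              172.16.0.0/28
roamer    server  roampw          *
'''


def parse_secrets(text):
    """Split each line into words. shlex quoting rules stand in for pppd's
    own word parser here (an approximation, not pppd's code)."""
    entries = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if len(words) < 3:
            raise ValueError("need client, server and secret: %r" % line)
        entries.append({"client": words[0], "server": words[1],
                        "secret": words[2], "addrs": words[3:]})
    return entries


def select_secret(entries, client, server):
    """Return the matching line with the fewest "*" wildcards. On a tie the
    earlier line is kept, which is an assumption of this example."""
    best, best_score = None, -1
    for e in entries:
        if e["client"] not in ("*", client) or e["server"] not in ("*", server):
            continue
        score = (e["client"] != "*") + (e["server"] != "*")
        if score > best_score:
            best, best_score = e, score
    return best


def address_allowed(entry, addr, unit=0):
    """Check addr against the entry's address words. The first word that
    matches decides (evaluation order is an assumption). Host names are
    skipped because this example does no DNS lookups."""
    words = entry["addrs"]
    if not words or words[0] == "-":
        return False                      # 3-word line or "-": nothing allowed
    ip = ipaddress.IPv4Address(addr)
    for word in words:
        permit = not word.startswith("!")
        spec = word if permit else word[1:]
        if spec == "*":
            return permit
        per_unit = spec.endswith("+")
        try:
            net = ipaddress.IPv4Network(spec.rstrip("+"), strict=False)
        except ValueError:
            continue                      # not numeric (e.g. a host name)
        if per_unit:
            # "/n+": only the address with host part unit + 1 is authorised
            if ip == net.network_address + unit + 1:
                return permit
        elif ip in net:
            return permit
    return False


def audit(entries):
    """List (client, finding) pairs for lines that widen who may connect."""
    findings = []
    for e in entries:
        if e["client"] == "*":
            findings.append((e["client"], "wildcard client"))
        if e["client"] == "" and e["secret"] == "":
            findings.append((e["client"], "admits peers that refuse to authenticate"))
        if e["addrs"] and e["addrs"][0] != "-" and "*" in e["addrs"]:
            findings.append((e["client"], "any IP address allowed"))
    return findings
```

Running audit() over a real secrets file gives a quick list of the entries that deserve a second look: wildcard clients, the empty-client line that admits unauthenticated peers, and lines that place no limit on the peer's address.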

ROUTING

When IPCP negotiation is completed successfully, pppd will inform the kernel of the local and remote IP addresses for the ppp interface. This is sufficient to create a host route to the remote end of the link, which will enable the peers to exchange IP packets. Communication with other machines generally requires further modification to routing tables and/or ARP (Address Resolution Protocol) tables. In most cases the defaultroute and/or proxyarp options are sufficient for this, but in some cases further intervention is required. The /etc/ppp/ip-up script can be used for this.

Sometimes it is desirable to add a default route through the remote host, as in the case of a machine whose only connection to the Internet is through the ppp interface. The defaultroute option causes pppd to create such a default route when IPCP comes up, and delete it when the link is terminated.

In some cases it is desirable to use proxy ARP, for example on a server machine connected to a LAN, in order to allow other hosts to communicate with the remote host. The proxyarp option causes pppd to look for a network interface on the same subnet as the remote host (an interface supporting broadcast and ARP, which is up and not a point-to-point or loopback interface). If found, pppd creates a permanent, published ARP entry with the IP address of the remote host and the hardware address of the network interface found.

When the demand option is used, the interface IP addresses have already been set at the point when IPCP comes up. If pppd has not been able to negotiate the same addresses that it used to configure the interface (for example when the peer is an ISP that uses dynamic IP address assignment), pppd has to change the interface IP addresses to the negotiated addresses. This may disrupt existing connections, and the use of demand dialing with peers that do dynamic IP address assignment is not recommended.

Multilink PPP provides the capability to combine two or more PPP links between a pair of machines into a single `bundle', which appears as a single virtual PPP link which has the combined bandwidth of the individual links. Currently, multilink PPP is only supported under Linux.

Pppd detects that the link it is controlling is connected to the same peer as another link using the peer's endpoint discriminator and the authenticated identity of the peer (if it authenticates itself). The endpoint discriminator is a block of data which is hopefully unique for each peer. Several types of data can be used, including locally-assigned strings of bytes, IP addresses, MAC addresses, random strings of bytes, or E-164 phone numbers. The endpoint discriminator sent to the peer by pppd can be set using the endpoint option.

In some circumstances the peer may send no endpoint discriminator or a non-unique value. The bundle option adds an extra string which is added to the peer's endpoint discriminator and authenticated identity when matching up links to be joined together in a bundle. The bundle option can also be used to allow the establishment of multiple bundles between the local system and the peer. Pppd uses a TDB database in /var/run/pppd2.tdb to match up links.

Assuming that multilink is enabled and the peer is willing to negotiate multilink, then when pppd is invoked to bring up the first link to the peer, it will detect that no other link is connected to the peer and create a new bundle, that is, another ppp network interface unit. When another pppd is invoked to bring up another link to the peer, it will detect the existing bundle and join its link to it.

If the first link terminates (for example, because of a hangup or a received LCP terminate-request) the bundle is not destroyed unless there are no other links remaining in the bundle. Rather than exiting, the first pppd keeps running after its link terminates, until all the links in the bundle have terminated. If the first pppd receives a SIGTERM or SIGINT signal, it will destroy the bundle and send a SIGHUP to the pppd processes for each of the links in the bundle. If the first pppd receives a SIGHUP signal, it will terminate its link but not the bundle.

Note: demand mode is not currently supported with multilink.

EXAMPLES

The following examples assume that the /etc/ppp/options file contains the auth option (as in the default /etc/ppp/options file in the ppp distribution).

Probably the most common use of pppd is to dial out to an ISP. This can be done with a command such as

pppd call isp

where the /etc/ppp/peers/isp file is set up by the system administrator to contain something like this:

ttyS0 19200 crtscts
connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp'
noauth

In this example, we are using chat to dial the ISP's modem and go through any log on sequence required. The /etc/ppp/chat-isp file contains the script used by chat; it could for example contain something like this:

ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
ABORT "BUSY"
ABORT "Username/Password Incorrect"
"" "at"
OK "at&d0&c1"
OK "atdt2468135"
"name:" "^Umyuserid"
"word:" "\qmypassword"
"ispts" "\q^Uppp"
"~-^Uppp-~"

See the chat(8) man page for details of chat scripts.

Pppd can also be used to provide a dial-in ppp service for users. If the users already have login accounts, the simplest way to set up the ppp service is to let the users log in to their accounts and run pppd (installed setuid-root) with a command such as

pppd proxyarp

To allow a user to use the PPP facilities, you need to allocate an IP address for that user's machine and create an entry in /etc/ppp/pap-secrets, /etc/ppp/chap-secrets, or /etc/ppp/srp-secrets (depending on which authentication method the PPP implementation on the user's machine supports), so that the user's machine can authenticate itself. For example, if Joe has a machine called "joespc" that is to be allowed to dial in to the machine called "server" and use the IP address joespc.my.net, you would add an entry like this to /etc/ppp/pap-secrets or /etc/ppp/chap-secrets:

joespc server "joe's secret" joespc.my.net

(See srp-entry(8) for a means to generate the server's entry when SRP-SHA1 is in use.) Alternatively, you can create a username called (for example) "ppp", whose login shell is pppd and whose home directory is /etc/ppp. Options to be used when pppd is run this way can be put in /etc/ppp/.ppprc.

If your serial connection is any more complicated than a piece of wire, you may need to arrange for some control characters to be escaped. In particular, it is often useful to escape XON (^Q) and XOFF (^S), using asyncmap a0000. If the path includes a telnet, you probably should escape ^] as well (asyncmap 200a0000). If the path includes an rlogin, you will need to use the escape ff option on the end which is running the rlogin client, since many rlogin implementations are not transparent; they will remove the sequence [0xff, 0xff, 0x73, 0x73, followed by any 8 bytes] from the stream.

DIAGNOSTICS

Messages are sent to the syslog daemon using facility LOG_DAEMON. (This can be overridden by recompiling pppd with the macro LOG_PPP defined as the desired facility.) See the syslog(8) documentation for details of where the syslog daemon will write the messages. On most systems, the syslog daemon uses the /etc/syslog.conf file to specify the destination(s) for syslog messages. You may need to edit that file to suit.

The debug option causes the contents of all control packets sent or received to be logged, that is, all LCP, PAP, CHAP, EAP, or IPCP packets. This can be useful if the PPP negotiation does not succeed or if authentication fails. If debugging is enabled at compile time, the debug option also causes other debugging messages to be logged.

Debugging can also be enabled or disabled by sending a SIGUSR1 signal to the pppd process. This signal acts as a toggle.

EXIT STATUS

The exit status of pppd is set to indicate whether any error was detected, or the reason for the link being terminated. The values used are:
0
Pppd has detached, or otherwise the connection was successfully established and terminated at the peer's request.
1
An immediately fatal error of some kind occurred, such as an essential system call failing, or running out of virtual memory.
2
An error was detected in processing the options given, such as two mutually exclusive options being used.
3
Pppd is not setuid-root and the invoking user is not root.
4
The kernel does not support PPP, for example, the PPP kernel driver is not included or cannot be loaded.
5
Pppd terminated because it was sent a SIGINT, SIGTERM or SIGHUP signal.
6
The serial port could not be locked.
7
The serial port could not be opened.
8
The connect script failed (returned a non-zero exit status).
9
The command specified as the argument to the pty option could not be run.
10
The PPP negotiation failed, that is, it didn't reach the point where at least one network protocol (e.g. IP) was running.
11
The peer system failed (or refused) to authenticate itself.
12
The link was established successfully and terminated because it was idle.
13
The link was established successfully and terminated because the connect time limit was reached.
14
Callback was negotiated and an incoming call should arrive shortly.
15
The link was terminated because the peer is not responding to echo requests.
16
The link was terminated by the modem hanging up.
17
The PPP negotiation failed because serial loopback was detected.
18
The init script failed (returned a non-zero exit status).
19
We failed to authenticate ourselves to the peer.

SCRIPTS

Pppd invokes scripts at various stages in its processing which can be used to perform site-specific ancillary processing. These scripts are usually shell scripts, but could be executable code files instead. Pppd does not wait for the scripts to finish (except for the ip-pre-up script). The scripts are executed as root (with the real and effective user-id set to 0), so that they can do things such as update routing tables or run privileged daemons. Be careful that the contents of these scripts do not compromise your system's security. Pppd runs the scripts with standard input, output and error redirected to /dev/null, and with an environment that is empty except for some environment variables that give information about the link. The environment variables that pppd sets are:
DEVICE
The name of the serial tty device being used.
IFNAME
The name of the network interface being used.
IPLOCAL
The IP address for the local end of the link. This is only set when IPCP has come up.
IPREMOTE
The IP address for the remote end of the link. This is only set when IPCP has come up.
PEERNAME
The authenticated name of the peer. This is only set if the peer authenticates itself.
SPEED
The baud rate of the tty device.
ORIG_UID
The real user-id of the user who invoked pppd.
PPPLOGNAME
The username of the real user-id that invoked pppd. This is always set.

For the ip-down and auth-down scripts, pppd also sets the following variables giving statistics for the connection:

CONNECT_TIME
The number of seconds from when the PPP negotiation started until the connection was terminated.
BYTES_SENT
The number of bytes sent (at the level of the serial port) during the connection.
BYTES_RCVD
The number of bytes received (at the level of the serial port) during the connection.
LINKNAME
The logical name of the link, set with the linkname option.
DNS1
If the peer supplies DNS server addresses, this variable is set to the first DNS server address supplied.
DNS2
If the peer supplies DNS server addresses, this variable is set to the second DNS server address supplied.

Pppd invokes the following scripts, if they exist. It is not an error if they don't exist.

/etc/ppp/auth-up
A program or script which is executed after the remote system successfully authenticates itself. It is executed with the parameters
interface-name peer-name user-name tty-device speed
Note that this script is not executed if the peer doesn't authenticate itself, for example when the noauth option is used.
/etc/ppp/auth-down
A program or script which is executed when the link goes down, if /etc/ppp/auth-up was previously executed. It is executed in the same manner with the same parameters as /etc/ppp/auth-up.
/etc/ppp/ip-pre-up
A program or script which is executed just before the ppp network interface is brought up. It is executed with the same parameters as the ip-up script (below). At this point the interface exists and has IP addresses assigned but is still down. This can be used to add firewall rules before any IP traffic can pass through the interface. Pppd will wait for this script to finish before bringing the interface up, so this script should run quickly.
/etc/ppp/ip-up
A program or script which is executed when the link is available for sending and receiving IP packets (that is, IPCP has come up). It is executed with the parameters
interface-name tty-device speed local-IP-address remote-IP-address ipparam
/etc/ppp/ip-down
A program or script which is executed when the link is no longer available for sending and receiving IP packets. This script can be used for undoing the effects of the /etc/ppp/ip-up and /etc/ppp/ip-pre-up scripts. It is invoked in the same manner and with the same parameters as the ip-up script.
/etc/ppp/ipv6-up
Like /etc/ppp/ip-up, except that it is executed when the link is available for sending and receiving IPv6 packets. It is executed with the parameters
interface-name tty-device speed local-link-local-address remote-link-local-address ipparam
/etc/ppp/ipv6-down
Similar to /etc/ppp/ip-down, but it is executed when IPv6 packets can no longer be transmitted on the link. It is executed with the same parameters as the ipv6-up script.
/etc/ppp/ipx-up
A program or script which is executed when the link is available for sending and receiving IPX packets (that is, IPXCP has come up). It is executed with the parameters
interface-name tty-device speed network-number local-IPX-node-address remote-IPX-node-address local-IPX-routing-protocol remote-IPX-routing-protocol local-IPX-router-name remote-IPX-router-name ipparam pppd-pid
The local-IPX-routing-protocol and remote-IPX-routing-protocol field may be one of the following:
NONE to indicate that there is no routing protocol
RIP to indicate that RIP/SAP should be used
NLSP to indicate that Novell NLSP should be used
RIP NLSP to indicate that both RIP/SAP and NLSP should be used
/etc/ppp/ipx-down
A program or script which is executed when the link is no longer available for sending and receiving IPX packets. This script can be used for undoing the effects of the /etc/ppp/ipx-up script. It is invoked in the same manner and with the same parameters as the ipx-up script.
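Because these hooks run as root and their output goes to /dev/null, a hook should validate every value it receives and report through syslog. The following ip-down accounting hook is an added example, not part of the ppp distribution; it uses only the environment variables listed above, and the character policy in clean() and the record layout are this example's own choices.

```python
import ipaddress

# Statistics variables the page lists for ip-down; each must be an integer.
COUNTERS = ("CONNECT_TIME", "BYTES_SENT", "BYTES_RCVD")


def clean(value, limit=64):
    """Keep printable ASCII only, minus quote and equals sign, so a value
    cannot add fields or lines to the record. Empty values become "-"."""
    kept = "".join(c if 33 <= ord(c) <= 126 and c not in '"=' else "?"
                   for c in value)
    return kept[:limit] or "-"


def accounting_record(env):
    """Build one key=value line from the environment pppd gives ip-down."""
    fields = [("if", clean(env.get("IFNAME", ""))),
              # PEERNAME is only set if the peer authenticated itself
              ("peer", clean(env.get("PEERNAME", "")))]
    remote = env.get("IPREMOTE")          # only set when IPCP has come up
    if remote is not None:
        remote = str(ipaddress.ip_address(remote))   # raises ValueError if not an IP
    fields.append(("remote", remote or "-"))
    for name in COUNTERS:
        raw = env.get(name, "")
        if not (raw.isascii() and raw.isdigit()):
            raise ValueError("%s is not a non-negative integer: %r" % (name, raw))
        fields.append((name.lower(), str(int(raw))))
    return " ".join("%s=%s" % kv for kv in fields)


if __name__ == "__main__":
    import os
    import syslog
    # stdout and stderr are /dev/null under pppd, so report through syslog
    try:
        syslog.syslog(syslog.LOG_INFO, accounting_record(os.environ))
    except ValueError as exc:
        syslog.syslog(syslog.LOG_WARNING, "ip-down: rejected input: %s" % exc)
```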

FILES

/var/run/pppn.pid (BSD or Linux), /etc/ppp/pppn.pid (others)
Process-ID for pppd process on ppp interface unit n.
/var/run/ppp-name.pid (BSD or Linux), /etc/ppp/ppp-name.pid (others)
Process-ID for pppd process for logical link name (see the linkname option).
/var/run/pppd2.tdb
Database containing information about pppd processes, interfaces and links, used for matching links to bundles in multilink operation. May be examined by external programs to obtain information about running pppd instances, the interfaces and devices they are using, IP address assignments, etc.
/etc/ppp/pap-secrets
Usernames, passwords and IP addresses for PAP authentication. This file should be owned by root and not readable or writable by any other user. Pppd will log a warning if this is not the case.
/etc/ppp/chap-secrets
Names, secrets and IP addresses for CHAP/MS-CHAP/MS-CHAPv2 authentication. As for /etc/ppp/pap-secrets, this file should be owned by root and not readable or writable by any other user. Pppd will log a warning if this is not the case.
/etc/ppp/srp-secrets
Names, secrets, and IP addresses for EAP authentication. As for /etc/ppp/pap-secrets, this file should be owned by root and not readable or writable by any other user. Pppd will log a warning if this is not the case.
~/.ppp_pseudonym
Saved client-side SRP-SHA1 pseudonym. See the srp-use-pseudonym option for details.
/etc/ppp/options
System default options for pppd, read before user default options or command-line options.
~/.ppprc
User default options, read before /etc/ppp/options.ttyname.
/etc/ppp/options.ttyname
System default options for the serial port being used, read after ~/.ppprc. In forming the ttyname part of this filename, an initial /dev/ is stripped from the port name (if present), and any slashes in the remaining part are converted to dots.
/etc/ppp/peers
A directory containing options files which may contain privileged options, even if pppd was invoked by a user other than root. The system administrator can create options files in this directory to permit non-privileged users to dial out without requiring the peer to authenticate, but only to certain trusted peers.

SEE ALSO

chat(8) pppstats(8)
RFC1144
Jacobson, V. Compressing TCP/IP headers for low-speed serial links. February 1990.
RFC1321
Rivest, R. The MD5 Message-Digest Algorithm. April 1992.
RFC1332
McGregor, G. PPP Internet Protocol Control Protocol (IPCP). May 1992.
RFC1334
Lloyd, B.; Simpson, W.A. PPP authentication protocols. October 1992.
RFC1661
Simpson, W.A. The Point-to-Point Protocol (PPP). July 1994.
RFC1662
Simpson, W.A. PPP in HDLC-like Framing. July 1994.
RFC2284
Blunk, L.; Vollbrecht, J. PPP Extensible Authentication Protocol (EAP). March 1998.
RFC2472
Haskin, D. IP Version 6 over PPP. December 1998.
RFC2945
Wu, T. The SRP Authentication and Key Exchange System. September 2000.
draft-ietf-pppext-eap-srp-03.txt
Carlson, J.; et al. EAP SRP-SHA1 Authentication Protocol. July 2001.

NOTES

Some limited degree of control can be exercised over a running pppd process by sending it a signal from the list below.
SIGINT, SIGTERM
These signals cause pppd to terminate the link (by closing LCP), restore the serial device settings, and exit. If a connector or disconnector process is currently running, pppd will send the same signal to its process group, so as to terminate the connector or disconnector process.
SIGHUP
This signal causes pppd to terminate the link, restore the serial device settings, and close the serial device. If the persist or demand option has been specified, pppd will try to reopen the serial device and start another connection (after the holdoff period). Otherwise pppd will exit. If this signal is received during the holdoff period, it causes pppd to end the holdoff period immediately. If a connector or disconnector process is running, pppd will send the same signal to its process group.
SIGUSR1
This signal toggles the state of the debug option.
SIGUSR2
This signal causes pppd to renegotiate compression. This can be useful to re-enable compression after it has been disabled as a result of a fatal decompression error. (Fatal decompression errors generally indicate a bug in one or other implementation.)

AUTHORS

Paul Mackerras (paulus@samba.org), based on earlier work by Drew Perkins, Brad Clements, Karl Fox, Greg Christy, and Brad Parker. Pppd is copyrighted and made available under conditions which provide that it may be copied and used in source or binary forms provided that the conditions listed below are met. Portions of pppd are covered by the following copyright notices:

Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved.
Copyright (c) 1993-2004 Paul Mackerras. All rights reserved.
Copyright (c) 1995 Pedro Roque Marques. All rights reserved.
Copyright (c) 1995 Eric Rosenquist. All rights reserved.
Copyright (c) 1999 Tommi Komulainen. All rights reserved.
Copyright (C) Andrew Tridgell 1999
Copyright (c) 2000 by Sun Microsystems, Inc. All rights reserved.
Copyright (c) 2001 by Sun Microsystems, Inc. All rights reserved.
Copyright (c) 2002 Google, Inc. All rights reserved.

The copyright notices contain the following statements.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior written permission. For permission or any legal details, please contact
Office of Technology Transfer
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213-3890
(412) 268-4387, fax: (412) 268-7395
tech-transfer@andrew.cmu.edu

3b. The name(s) of the authors of this software must not be used to endorse or promote products derived from this software without prior written permission.

4. Redistributions of any form whatsoever must retain the following acknowledgments:
"This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/)."
"This product includes software developed by Paul Mackerras <paulus@samba.org>".
"This product includes software developed by Pedro Roque Marques <pedro_m@yahoo.com>".
"This product includes software developed by Tommi Komulainen <Tommi.Komulainen@iki.fi>".

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.