While it’s true that the PPTP protocol has essentially been deprecated by Microsoft because of security issues, it’s also true that many companies are still using the protocol to set up VPNs. (And, yes, it’s still available on Windows 10.) Let’s take a look at PPTP, why it has retained its popularity, and how you can use it securely.
PPTP is the abbreviation for Point-to-Point Tunneling Protocol. It is a protocol, or a set of communication rules, used for implementing on-demand Virtual Private Networks (VPNs) over the Internet or any other public TCP/IP-based network.
PPTP operates at Layer 2 of the OSI model, also called the data-link layer.
PPTP is an extension of PPP and uses its negotiation, authentication, and encryption processes.
PPTP encapsulates IP, IPX, or NETBEUI packets into the PPP frame to create a tunnel for secure communication. This tunnel, also called a session, is used for sending private data across WAN or LAN networks, so this information is secure and not visible to unauthorized users.
This makes it particularly useful for sending data over unsecured networks.
PPTP was first introduced to the world in 1995 by a consortium led by Microsoft, 3Com, and others.
It was the first VPN protocol supported by Windows dial-up networking, and every Microsoft operating system released after 1995 supports it. Other operating systems such as Linux and OS X supported this protocol through native applications.
Today, almost every mobile and desktop platform supports PPTP.
PPTP is popular due to the following reasons.
Tunneling is the process of sending packets through a private network by routing them over a different network such as the Internet. This ensures that other network routers can’t access the computers that are connected to the private network.
Three computers are used in any PPTP deployment, and they are a PPTP client, a PPTP server, and a network access server. In some implementations, a PPTP Network Server (PNS) and a PPTP Access Concentrator (PAC) are also used.
A PPTP client is a computer that encapsulates PPP packets into IP datagrams to transmit them over the Internet to the PPTP server.
A PPTP server is an intermediary computer that’s connected to both the routing network and private network.
The role of a PPTP server is to get PPP packets from the routing network, process these packets to get the destination computer's name or address, and send them through the private network.
A PPTP server receives the IP datagrams sent by a PPTP client and breaks them down into PPP packets. It decrypts these PPP packets using the private network's protocol and routes them accordingly.
This PPTP server is configured to read multiprotocol packets simply because PPP supports multiple protocols.
A network access server is a server that provides Internet access to connected computers. It is designed to handle huge numbers of dial-in clients, so it can help multiple computers to connect to the Internet.
In PPTP, network access servers provide PPP service to support PPTP-enabled clients.
PPTP uses control channels such as TCP and GRE to encapsulate PPP packets, and this task of encapsulation is divided between PNS and PAC. Typically, a PNS sits on the firewall or router of a network gateway whereas a PAC is the dial-up NAS or even a PC that comes with a PPTP client.
A PPTP client and a PPTP server use tunneling to route packets through a private network. However, both these computers ensure that they use only those routers that know the address of the private network’s intermediary server, to ensure the packets are secure.
A PPTP client sends a packet through the established tunnel to the PPTP server. In turn, this server gets the destination address and sends it across a private network to the destination computer.
You don’t need a network access server when you’re using a PPTP client that’s already connected to the LAN, provided the PPTP server is also connected to the same LAN.
Otherwise, you need a network access server to create a PPTP tunnel.
A PPTP client can connect to the PPTP server in two ways.
PPTP supports two types of tunneling:
Voluntary tunneling doesn’t require any support from ISPs or other network devices such as bridges because it is initiated by the client.
Compulsory tunneling, on the other hand, should be supported by routers or network access servers because it is initiated by a PPTP server.
You need a modem and a VPN device to configure PPTP clients with a network access server, as you’ll have to make two separate connections.
The first connection is a dial-up one that uses a modem to connect to an ISP. This connection uses the PPP protocol.
The second is a VPN connection that goes over the modem and the ISP, and this uses PPTP. The second connection cannot be established without the first one because you need a PPP connection to the Internet to create a tunnel between two VPN devices.
In most cases, yes. The only exception is when you use PPTP to create a VPN connection between computers that are physically connected to the same LAN. In such a case, the PPTP client is already connected to the network, so it needs only a dial-up to connect to the PPTP server on the same LAN.
There are two types of PPTP encapsulated packets — one that handles control information and the other that handles data.
Packets that transport control information use a TCP connection. Data, on the other hand, is transported as the payload of a PPP packet using a modified version of the GRE protocol. The payload can be an IP datagram, an IPX datagram, an AppleTalk packet, or a NETBEUI frame.
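The two packet kinds described above can be told apart and decoded with a small parser. The following is an added example, not code from the original article; the header layouts and constants (the 0x1A2B3C4D magic cookie, GRE protocol type 0x880B, the control message type numbers) come from RFC 2637, and the sample packets are constructed here for illustration.

```python
"""Classify PPTP packets into the control channel (TCP/1723) and the data
channel (GRE, IP protocol 47) and parse their headers.

Added example; header layouts and constants follow RFC 2637.
"""
import struct

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL_NUMBER = 47
PPTP_MAGIC_COOKIE = 0x1A2B3C4D    # RFC 2637: present in every control message
GRE_PPP_PROTOCOL_TYPE = 0x880B    # RFC 2637: enhanced GRE carrying PPP frames

# Control message types defined in RFC 2637
CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def parse_control_header(data: bytes) -> dict:
    """Parse the 12-byte header shared by all PPTP control messages.

    Layout: Length(2) | PPTP Message Type(2) | Magic Cookie(4)
            | Control Message Type(2) | Reserved0(2)
    """
    if len(data) < 12:
        raise ValueError("control message shorter than its 12-byte header")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{cookie:08X}: not a PPTP control message")
    if msg_type != 1:  # 1 = control message; 2 = management message (reserved)
        raise ValueError(f"unsupported PPTP message type {msg_type}")
    return {"length": length, "control_type": ctrl_type,
            "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown"), "body": data[12:]}


def parse_gre_header(data: bytes) -> dict:
    """Parse the enhanced GRE header that carries a PPP frame.

    Layout: Flags/Version(2) | Protocol Type(2) | Payload Length(2) | Call ID(2)
            | [Sequence Number(4) if S bit] | [Acknowledgment Number(4) if A bit]
    """
    if len(data) < 8:
        raise ValueError("GRE header shorter than 8 bytes")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if flags & 0x0007 != 1:       # Ver field (low 3 bits) is 1 for enhanced GRE
        raise ValueError("enhanced GRE requires version 1")
    if not flags & 0x2000:        # K bit: Key field (payload length + call ID) is mandatory
        raise ValueError("K bit must be set on PPTP data packets")
    if proto != GRE_PPP_PROTOCOL_TYPE:
        raise ValueError(f"GRE protocol type 0x{proto:04X} is not PPP (0x880B)")
    offset, seq, ack = 8, None, None
    if flags & 0x1000:            # S bit: sequence number present
        seq = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if flags & 0x0080:            # A bit: acknowledgment number present
        ack = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    payload = data[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated PPP payload")
    return {"call_id": call_id, "sequence": seq, "ack": ack, "payload": payload}


def classify(ip_protocol: int, tcp_dst_port, payload: bytes):
    """Return ('control', parsed), ('data', parsed) or ('other', None)."""
    if ip_protocol == 6 and tcp_dst_port == PPTP_CONTROL_PORT:
        return "control", parse_control_header(payload)
    if ip_protocol == GRE_PROTOCOL_NUMBER:
        return "data", parse_gre_header(payload)
    return "other", None


# Constructed samples: a Start-Control-Connection-Request header (total length 156,
# body zeroed) and a GRE packet with K+S bits set carrying a short PPP LCP frame.
SAMPLE_CONTROL = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0) + bytes(144)
SAMPLE_PPP = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
SAMPLE_GRE = struct.pack("!HHHHI", 0x3001, GRE_PPP_PROTOCOL_TYPE,
                         len(SAMPLE_PPP), 0x1234, 7) + SAMPLE_PPP

if __name__ == "__main__":
    print(classify(6, PPTP_CONTROL_PORT, SAMPLE_CONTROL))
    print(classify(GRE_PROTOCOL_NUMBER, None, SAMPLE_GRE))
```

Running the block prints the decoded control header (a Start-Control-Connection-Request) and the GRE data packet for call ID 0x1234 with sequence number 7; anything that is neither TCP/1723 nor protocol 47 is reported as "other".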
PPTP packets are stored based on the location of the PPTP client.
A PPTP packet from a remote PPTP client is moved to the physical media of a telecom device whereas a packet from a LAN PPTP client is stored on the network adapter’s physical media.
PPTP is mostly used for enabling VPN remote access over the Internet. To create VPN tunnels using PPTP, launch a PPTP client that connects to your Internet service provider. In turn, PPTP will create a TCP connection between the VPN client and server to establish the tunnel connection.
The following messages are used to create and maintain a tunnel.
PPTP uses the "shared-secret" encryption process of RAS. Both ends of the connection use the same encryption key, which in this case is the user password. This password is hashed and stored on both the PPTP client and server. The RSA RC4 cipher is used to create a 40-bit session key derived from the password.
PPTP VPN clients are built into Windows operating systems, so all versions can access it. PPTP is also available on Mac OS, Linux, and other operating systems through PPTP clients.
Yes, PPTP supports VPN connectivity over the local network, too. Once you create the tunnel and establish a VPN connection, PPTP enables data packets and control messages to flow through it.
Yes. Microsoft’s Remote Access Server (RAS) supports PPTP through dial-up and dedicated connections.
To set up Windows NT as a PPTP server,
To create a new VPN connection using PPTP,
This should create a new VPN connection for you.
PPTP should work on most modern routers. Older routers do not allow protocol traffic to pass through VPN connections, so they’re not compatible with PPTP.
If you're unsure, check your router's documentation. It should have the PPTP port 1723 (TCP) open and should also support forwarding of IP protocol 47 (GRE).
You can use PPTP with most firewalls. All that you have to do is route the traffic meant for port 1723 to the firewall.
In fact, firewalls enhance the overall security by regulating the data that comes from the Internet to the private network.
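Because a PPTP session needs both the TCP/1723 control connection and the GRE (protocol 47) data flow to pass the firewall, its logs can show which sessions are complete, which were cut off by a GRE rule, and which GRE flows appear without any control connection at all. The following is an added example, not code from the original article; the key=value log format and the sample lines are constructed here, so adapt parse_line to your own firewall's format.

```python
"""Inventory PPTP sessions from firewall logs and flag the two common mismatches:
GRE dropped although TCP/1723 was allowed, and GRE flows with no control session.

Added example; the log format and sample lines are constructed.
"""
import re

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL_NUMBER = 47
TCP_PROTOCOL_NUMBER = 6

# Constructed sample log lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=allow proto=6 src=192.0.2.10 dst=198.51.100.5 dport=1723
2024-05-01T10:00:02Z action=allow proto=47 src=192.0.2.10 dst=198.51.100.5
2024-05-01T10:00:05Z action=allow proto=6 src=192.0.2.11 dst=198.51.100.5 dport=443
2024-05-01T10:01:00Z action=deny proto=47 src=192.0.2.12 dst=198.51.100.5
2024-05-01T10:01:00Z action=allow proto=6 src=192.0.2.12 dst=198.51.100.5 dport=1723
2024-05-01T10:02:00Z action=allow proto=47 src=192.0.2.13 dst=198.51.100.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Turn one log line into a dict; returns None for lines that do not parse."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    rec = dict(FIELD_RE.findall(parts[1]))
    if not {"action", "proto", "src", "dst"} <= rec.keys():
        return None
    rec["ts"] = parts[0]
    rec["proto"] = int(rec["proto"])
    if "dport" in rec:
        rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text: str) -> dict:
    """Group flows by (src, dst) and compare control-channel and GRE observations."""
    control = set()       # pairs with an allowed TCP/1723 connection
    gre_allowed = set()   # pairs with allowed protocol 47 traffic
    gre_denied = set()    # pairs whose protocol 47 traffic was dropped
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pair = (rec["src"], rec["dst"])
        if (rec["proto"] == TCP_PROTOCOL_NUMBER and rec.get("dport") == PPTP_CONTROL_PORT
                and rec["action"] == "allow"):
            control.add(pair)
        elif rec["proto"] == GRE_PROTOCOL_NUMBER:
            (gre_allowed if rec["action"] == "allow" else gre_denied).add(pair)
    return {
        # complete PPTP sessions: both halves passed the firewall
        "pptp_sessions": sorted(control & gre_allowed),
        # port 1723 open but GRE dropped: the router/firewall misconfiguration
        # described in the text; the tunnel will fail to come up
        "gre_blocked_after_control": sorted(control & gre_denied),
        # GRE passing with no control connection seen: worth a closer look
        "gre_without_control": sorted(gre_allowed - control),
    }


if __name__ == "__main__":
    for key, pairs in analyze(SAMPLE_LOG).items():
        print(f"{key}:")
        for src, dst in pairs:
            print(f"  {src} -> {dst}")
```

On the sample lines, 192.0.2.10 completes a session, 192.0.2.12 had its control connection allowed but its GRE traffic dropped, and 192.0.2.13 shows GRE traffic with no preceding control connection. Beyond diagnosing firewall rules, the first list is a ready-made inventory of who still depends on PPTP when planning a migration to one of the alternatives discussed later.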
Yes, two computers can establish a tunnel over the Internet, provided they are running the same network protocol.
This is an important requirement, because PPTP supports many protocols such as IP, IPX and NETBEUI.
To troubleshoot PPTP over a TCP/IP connection, check the following.
For those worried about PPTP security, there are alternatives to PPTP. They are:
Out of this list, L2TP/IPSec is the closest alternative for PPTP, followed by OpenVPN.
However, none of these protocols is as easy as PPTP to set up. Also, none of them comes preinstalled in any operating system.
There are three key differences between PPTP and L2TP/IPSec. First, the encryption process in PPTP begins after the PPP process is completed. This means the PPP authentication is used for this protocol. In L2TP/IPSec, encryption begins before the PPP process begins.
Second, PPTP uses a stream cipher called Microsoft Point-to-Point Encryption (MPPE) that uses 40-, 56-, or 128-bit encryption keys. This stream cipher encrypts data as a bitstream. L2TP/IPSec, on the other hand, uses the Data Encryption Standard (DES), a block cipher that encrypts data in discrete blocks.
Lastly, PPTP requires only user-level authentication whereas L2TP/IPSec requires both user-level and system-level authentication.
In general, L2TP/IPSec is considered to be more secure than PPTP, and this is why some organizations have started using this protocol to implement remote connectivity. In L2TP/IPSec, every packet is checked for data integrity, data authentication, data confidentiality, and replay protection. Effectively, what this means is that every packet is checked to ensure that data was sent by an authorized user, it was not modified in transit, none of the packets are captured without encryption, and a stream of captured packets is not re-sent.
PPTP, on the other hand, provides only data confidentiality.
Also, the fact that L2TP/IPSec uses two levels of authentication makes it more secure than PPTP.
There are a few situations where PPTP scores over L2TP/IPSec.
Firstly, PPTP doesn’t require any kind of certificate infrastructure for authenticating computers whereas L2TP/IPSec needs an extensive certificate infrastructure for providing computer certificates to the authenticating server and to all other VPN client computers.
Secondly, PPTP doesn’t require expensive leased lines for communication as it can send encrypted data over the Internet or public telephone lines. This way, it reduces the cost of deploying an enterprise-wide remote access solution without compromising on security and encryption.
Lastly, PPTP is supported by all Windows platforms, including Windows XP, Windows 2000, Windows NT 4.0, and even older ones like Windows 95, and Windows 98. L2TP/IPSec, on the other hand, is supported only by Windows XP and Windows 2000 VPN clients.