Light at the end of the tunnel: Answers to all your PPTP questions

While it’s true that the PPTP protocol has essentially been deprecated by Microsoft because of security issues, it’s also true that many companies are still using the protocol to set up VPNs. (And, yes, it’s still available on Windows 10.) Let’s take a look at PPTP, why it has retained its popularity, and how you can use it securely.

What is PPTP?

PPTP is the abbreviation for Point-to-Point Tunneling Protocol. It is a protocol or a set of communication rules used for implementing on-demand Virtual Public Networks (VPNs) over the Internet or any other public TCP/IP based network.

PPTP operates at Layer 2 of the OSI model, also called the data-link layer.

What’s the relationship between PPP and PPTP?

PPTP is an extension of PPP and uses its negotiation, authentication, and encryption processes.

PPTP encapsulates IP, IPX, or NETBEUI packets into the PPP frame to create a tunnel for secure communication. This tunnel, also called a session, is used for sending private data across WAN or LAN networks, so this information is secure and not visible to unauthorized users.

It can be particularly helpful to send data over unsecure networks.

When was PPTP first introduced to the world?

PPTP was first introduced to the world in 1995 by a consortium led by Microsoft, 3Com, and others.

It was the first VPN protocol that was supported by the Windows dial-up, and every Microsoft operating support released after 1995 supports it. Other operating systems such as Linux and OS X supported this protocol through native applications.

Today, almost every mobile and desktop platform supports PPTP.

Why is PPTP so popular?

PPTP is popular due to the following reasons.

  • It’s been around for more than 20 years.
  • Configuring PPTP is easier than any other protocol.
  • It has many different levels of encryption to suit your specific needs.
  • It delivers high performance, especially while streaming geo-restricted content.
  • Since it encapsulates data, information sent over public networks tend to be safe.
  • It requires only a user name, password, and a server address to create a reliable connection with the server.
  • It supports up to 128-bit session key encryption that was also developed by Microsoft.
  • It uses TCP and GRE.
  • It is supported by all current versions of Microsoft, Linux, iOS, Android, Mac OS, Tomato, and other operating systems.

What is PPTP tunneling?

Tunneling is the process of sending packets through a private network by routing them over a different network such as the Internet. This ensures that other network routers can’t access the computers that are connected to the private network.

What are the components involved in a PPTP deployment?

Three computers are used in any PPTP deployment, and they are a PPTP client, a PPTP server, and a network access server. In some implementations, a PPTP Network Server (PNS) and a PPTP Access Concentrator (PAC) are also used.

What is a PPTP client?

A PPTP client is a computer that encapsulates PPP packets into IP datagrams to transmit them over the Internet to the PPTP server.

What is a PPTP server?

A PPTP server is an intermediary computer that’s connected to both the routing network and private network.

The role of a PPTP server is to get PPP packets from the routing server, process this packet to get the destination computer’s name or address, and send it through the private network.

A PPTP server receives the IP datagrams sent by a PPTP client and breaks it down into PPP packets. It decrypts these PPP packets using the private network’s protocol, and routes them accordingly.

This PPTP server is configured to read multiprotocol packets simply because PPP supports multiple protocols.

What is a network access server?

A network access server is a server that provides Internet access to connected computers. It is designed to handle huge numbers of dial-in clients, so it can help multiple computers to connect to the Internet.

In PPTP, network access servers provide PPP service to support PPTP-enabled clients.

What’s the role of PNS and PAC?


PPTP uses control channels such as TCP and GRE to encapsulate PPP packets, and this task of encapsulation is divided between PNS and PAC. Typically, a PNS sits on the firewall or router of a network gateway whereas a PAC is the dial-up NAS or even a PC that comes with a PPTP client.

How does PPTP work?

A PPTP client and a PPTP server use tunneling to route packets through a private network. However, both these computers ensure that they use only those routers that know the address of the private network’s intermediary server, to ensure the packets are secure.

A PPTP client sends a packet through the established tunnel to the PPTP server. In turn, this server gets the destination address and sends it across a private network to the destination computer.

Do I need a network access server to create a PPTP tunnel?

You don’t need a network access server when you’re using a PPTP client that’s already connected to the LAN, provided the PPTP server is also connected to the same LAN.

Otherwise, you need a network access server to create a PPTP tunnel.

How can PPTP clients establish a connection to a PPTP server?

A PPTP client can connect to the PPTP server in two ways.

  • Through the ISP’s network access server, provided it supports PPP connections.
  • Through a TCP/IP LAN that connects to a PPTP server.

What tunneling types does PPTP support?

PPTP supports two types of tunneling:

  • Voluntary tunneling.
  • Compulsory tunneling.

Voluntary tunneling doesn’t require any support from ISPs or other network devices such as bridges because it is initiated by the client.

Compulsory tunneling, on the other hand, should be supported by routers or network access servers because it is initiated by a PPTP server.

How to configure PPTP clients that use a ISP’s network access server?

You need a modem and a VPN device to configure PPTP clients with a network access server, as you’ll have to make two separate connections.

The first connection is a dial-up one that uses a modem to connect to an ISP. This connection uses the PPP protocol.

The second is a VPN connection that goes over the modem and the ISP, and this uses PPTP. The second connection cannot be established without the first one because you need a PPP connection to the Internet to create a tunnel between two VPN devices.

Do I always have to make two connections to create a VPN tunnel?

In most cases, yes. The only exception is when you use PPTP to create a VPN connection between computers that are physically connected to the same LAN. In such a case, the PPTP is already connected to the network, so it needs only a dial-up to connect to the PPTP server on the same LAN.

What are the types of PPTP encapsulated packets?

There are two types of PPTP encapsulated packets — one that handles control information and the other that handles data.

Packets that transport control information use TCP connection. On the other hand, data is transported as a payload in a PPP packet using a modified version of GRE protocol. Also, the payload can be in the form of IP, IPX datagram, AppleTalk, or a NETBEUI frame.

How are PPTP packets stored?

PPTP packets are stored based on the location of the PPTP client.

A PPTP packet from a remote PPTP client is moved to the physical media of a telecom device whereas a packet from a LAN PPTP client is stored on the network adapter’s physical media.

What is the most common use of PPTP?

PPTP is mostly used for enabling VPN remote access over the Internet. To create VPN tunnels using PPTP, launch a PPTP client that connects to your Internet Service provider. In turn, PPTP will create a TCP connection between the VPN client and server to establish the tunnel connection.

What are the primary control messages used by PPTP?

The following messages are used to create and maintain a tunnel.

  • PPTP_START_SESSION_REQUEST — Starts the session.
  • PPTP_START_SESSION_REPLY — Sends a reply to the start sessions request.
  • PPTP_ECHO_REQUEST — Maintains the session.
  • PPTP_ECHO_REPLY — Sends a reply to the echo request.
  • PPTP_WAN_ERROR_NOTIFY — Informs when an error occurs on the PPP connection.
  • PPTP_SET_LINK_INFO — Configures the connection between PPTP client and server.
  • PPTP_STOP_SESSION_REQUEST — Stops the session.
  • PPTP_STOP_SESSION_REPLY — Sends a reply to the stop sessions request.

What data encryption does PPTP use?

PPTP uses the “shared-secret” encryption process of RAS. Both ends of the connection use the same encryption key, which in this case, is the user password. This password is hashed and stored on both the PPTP client and server. RSA RC4 standard is used to create this 40-bit session key that’s based on the password.

Do all operating systems support PPTP?

PPTP VPN clients are built into Windows operating systems, so all versions can access it. PPTP is also available on Mac OS, Linux, and other operating systems through PPTP clients.

Can PPTP support VPN connectivity over a local network?

Yes, PPTP supports VPN connectivity over the local network, too. Once you create the tunnel and establish a VPN connection, PPTP enables data packets and control messages to flow through it.

Does Microsoft’s RAS support PPTP?

Yes. Microsoft’s Remote Access Server (RAS) supports PPTP through dial-up and dedicated connections.

To set up Windows NT as a PPTP server,

  • Navigate to Networks through Control Panel.
  • Open the TCP/IP properties and click on Advanced button.
  • Choose Enable PPTP Filtering.

How can I set up a PPTP VPN connection on Windows?

To create a new VPN connection using PPTP,

  • In Control Panel, open Networking and Sharing Center on your Windows operating system.
  • Click on a link called “Setup a new connection”.
  • A window will pop up. In this window, choose the “Connect to a workplace” option and click on the Next button.
  • Then, choose the “use my Internet Connection (VPN)” option.
  • Input the details of VPN server and give it a local name. You can get this information from your server admin. Using a local name will make it easy to reconnect at a later time.
  • Check if you need any other optional settings and finally click the “Create” button.

This should create a new VPN connection for you.

Will PPTP work on home routers?

PPTP should work on most modern routers. Older routers do not allow protocol traffic to pass through VPN connections, so they’re not compatible with PPTP.

If you’re unsure, check your router’s documentation. It should have the PPTP port 1723 open and should also support the forwarding of GRE Protocol type 47.

Can I use PPTP with firewalls?

You can use PPTP with most firewalls. All that you have to do is route the traffic meant for port 1723 to the firewall.

In fact, firewalls enhance the overall security by regulating the data that comes from the Internet to the private network.

Can two computers establish a tunnel over the Internet?

Yes, two computers can establish a tunnel over the Internet, provided they are running the same network protocol.

This is an important requirement, because PPTP supports many protocols such as IP, IPX and NETBEUI.

How can I identify problems in PPTP over a TCP/IP connection?

To troubleshoot PPTP over a TCP/IP connection, check the following.

  • Ping your PPTP server to check if you’re connected to it.
  • Make sure you have trusted credentials in your PPTP server’s domain to avoid any security pitfalls.
  • You shouldn’t have an active Winsock Proxy client as this can redirect PPTP packets to a proxy server instead of your VPN.
Flickr / See-ming Lee

What are the alternatives to PPTP?

For those worried about PPTP security, there are alternatives to PPTP. They are:

  • OpenVPN
  • L2TP/IPSec
  • SSTP
  • IKEv2

Out of this list, L2TP/IPSec is the closest alternative for PPTP, followed by OpenVPN.

However, none of these protocols is as easy as PPTP to setup. Also, none of these come preinstalled in any operating system.

What is the difference between PPTP and L2TP/IPSec protocols?

There are three key differences between PPTP and L2TP/IPSec. First, encryption process in PPTP begins after the PPP process is completed. This means the PPP authentication is used for this protocol. In L2TP/IPSec, encryption begins before the PPP process begins.

Second, PPTP uses a stream cipher called Microsoft Point to Point Encryption (MPPE) that uses 40, 56, or 128-bit encryption keys. This stream cipher encrypts data as a bitstream. L2TP/IPSec, on the other hand, uses Data Encryption Standard (DES), a block cipher that encrypts data in discrete blocks.

Lastly, PPTP requires only user-level authentication whereas L2TP/IPSec requires both user-level and system-level authentication.

Is L2TP/IPSec better than PPTP?

In general, L2TP/IPSec is considered to be more secure than PPTP, and this is why some organizations have started using this protocol to implement remote connectivity. In L2TP/IPSec, every packet is checked for data integrity, data authentication, data confidentiality, and replay protection. Effectively, what this means is that every packet is checked to ensure that data was sent by an authorized user, it was not modified in transit, none of the packets are captured without encryption, and a stream of captured packets is not re-sent.

PPTP, on the hand, provides only data confidentiality.

Also, the fact that L2TP/IPSec uses two levels of authentication makes it more secure than PPTP.

When is PPTP better than L2TP/IPSec?

There are two situations when PPTP scores over L2TP/IPSec.

Firstly, PPTP doesn’t require any kind of certificate infrastructure for authenticating computers whereas L2TP/IPSec needs an extensive certificate infrastructure for providing computer certificates to the authenticating server and to all other VPN client computers.

Secondly, PPTP doesn’t require expensive leased lines for communication as it can send encrypted data over the Internet or public telephone lines. This way, it reduces the cost of deploying an enterprise-wide remote access solution without compromising on security and encryption.

Lastly, PPTP is supported by all Windows platforms, including Windows XP, Windows 2000, Windows NT 4.0, and even older ones like Windows 95, and Windows 98. L2TP/IPSec, on the other hand, is supported only by Windows XP and Windows 2000 VPN clients.

Photo credit: Pexels

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top