What is PPTP? Understanding this VPN protocol
PPTP (Point-to-Point Tunneling Protocol) is a network protocol designed for the creation of virtual private networks (VPNs). It’s mainly used to provide a secure and encrypted connection between a remote user and a private corporate network over the public Internet. A PPTP VPN ensures privacy by encrypting the data before its transmission. Like other VPN protocols with encryption, it can also be used to bypass geographic restrictions and Internet censorship. Despite its past popularity, it is now considered less secure when compared to other VPN protocols and has largely fallen out of use. Besides, it has lost software and device support to a large extent. Dive deeper into the question “what is PPTP?” and find out more about this VPN protocol in this article.
To answer the question “What is PPTP?”, we have to look back to the past. PPTP was developed and standardized in the 1990s by Microsoft in collaboration with other companies such as Ascend Communications (now Alcatel-Lucent), 3Com, ECI Telematics, and USRobotics. The protocol aimed to create Virtual Private Networks (VPNs) over the Internet. In the late 1990s and early 2000s, PPTP became a popular choice for VPNs due to its simplicity of implementation and integration into Microsoft products. Over time, critical vulnerabilities were discovered in the PPTP VPN protocol. The reputation of the protocol was damaged when a vulnerability in the MS-CHAP v2 authentication system was discovered and published in 2012. This led to a decline in the popularity of the protocol, being replaced by L2TP/IPsec, OpenVPN, SSTP (also from Microsoft), and Cisco SSL VPN.
Features of the PPTP protocol
Route Push: This feature automatically provides the clients with information about routes in the remote network, allowing them to work with intranet resources.
TCP and UDP support: The PPTP VPN protocol supports the transfer of both TCP and UDP traffic, making it versatile when it comes to the transmission of various types of data.
Push DNS servers: PPTP can automatically assign DNS servers to client machines, simplifying the setup process and ensuring correct and secure name resolution, especially for names within local domains.
Use of Identity Providers: PPTP is flexible in terms of integration with directory services. PPTP VPN servers in Windows integrate well with Active Directory (another Microsoft product) and offer good support for RADIUS. Thanks to Active Directory capabilities, the PPTP VPN server can be integrated with LDAP, allowing the use of existing user databases and their accounts for VPN access.
Use of Cryptographic Algorithms: PPTP primarily uses the MS-CHAP v2 authentication system and MPPE encryption based on the stream cipher RC4, which can operate at different levels of complexity, ranging from 40 to 128 bits. Both algorithms are currently considered outdated and have theoretical or practical vulnerabilities. In summary, PPTP provides basic encryption but is not well-suited for industrial applications.
Together, these features provide flexibility, convenience, and relative security when working with a PPTP VPN protocol. For users, automatic configurations (such as Route Push and DNS server push) come in handy, and support for both TCP and UDP ensures a variety of uses. Integration with authentication systems allows for scalable solutions for large organizations, and despite their vulnerabilities, the cryptographic algorithms are able to provide basic data protection.
Applications in the corporate sector
The PPTP VPN protocol, developed in the 1990s and actively used until the 2010s, became a valuable tool for corporations, enabling them to solve numerous tasks. Its primary function was to provide remote access to office resources. Employees working from home or on business trips could securely connect to the corporate network and access file servers, databases, and other internal applications. Additionally, companies with branch offices used the PPTP VPN protocol to establish stable VPN connections between locations, creating a unified network space. This was especially valuable for businesses with geographically dispersed divisions.
PPTP also served as a tool to ensure data confidentiality during data transmission. When sending important information over public or potentially unreliable networks, data was encrypted, reducing the risk of interception. In regions with limited Internet access or strict censorship, corporations could use a PPTP VPN protocol to bypass restrictions and allow their employees to work freely on the Internet. Thanks to integration with authentication systems such as RADIUS or LDAP, companies could effectively manage access to their resources using a unified system of accounts.
Despite its simplicity and cost-effectiveness, corporations eventually started to phase out PPTP in favor of more secure protocols due to identified vulnerabilities.
Let's take a closer look at the advantages and disadvantages of this protocol from the perspective of corporate users.
Advantages of PPTP from the perspective of corporate users
A PPTP VPN protocol allows employees to connect to the corporate network from anywhere in the world. This is especially useful for those working remotely or frequently traveling.
A PPTP VPN protocol is considered one of the simplest VPN protocols to set up. Thanks to this, it can be quickly deployed without significant investments in hardware, software, or specialized IT personnel.
Integration with Windows
Since the PPTP VPN protocol was developed by Microsoft, it integrates well with Windows operating systems and other Microsoft software solutions. This makes it convenient for large companies where Windows-based computers are prevalent.
Despite not being the safest VPN protocol, PPTP still provides basic data protection by encrypting the traffic between the client and the server.
In the past, when alternative solutions might have been more expensive or less accessible, the PPTP VPN protocol offered an affordable way to implement VPNs.
Broad device support (in the past)
Many mobile devices, routers, and computers supported PPTP by default, making it easy for employees to connect to corporate networks.
Disadvantages of PPTP in the corporate sector
The primary drawback of the PPTP VPN protocol currently is its security vulnerabilities. Attacks like "Man-in-the-Middle" can compromise the traffic passing through a PPTP VPN tunnel.
The standard encryption used by PPTP is based on MPPE, which is considered outdated and less reliable when compared to modern methods.
Most organizations have transitioned to more secure VPN protocols, and device manufacturers and software developers are gradually discontinuing PPTP support. For example, Apple excluded PPTP from available VPN protocols in iOS 10 (2016), and public VPN providers like ExpressVPN and NordVPN stopped using the protocol in 2023 and 2018, respectively.
In short, the use of PPTP in the corporate sector has declined in recent years due to security concerns. Modern protocols like L2TP/IPsec, OpenVPN, and WireGuard offer much more reliable protection and have become the preferred choice for corporate use.
Applications of PPTP in the private sector
The PPTP protocol has the ability to address some needs of private users, such as providing access to home networks or securing public Wi-Fi connections. However, deploying new instances of PPTP today is rather pointless.
Advantages are limited to continued support for PPTP on older devices (e.g., legacy home routers) and quick setup. On the other hand, the drawbacks remain unchanged: issues with support, low security levels, exclusion from both iOS and Android modern mobile devices, lack of obfuscation, and others.
Applicability and availability of the PPTP protocol on home routers
The Point-to-Point Tunneling Protocol (PPTP) has long been a standard for VPN connections and, as a result, gained widespread support in various devices, including home routers. The primary advantage of PPTP lies in its universality: most routers, especially older models, come with built-in support for this protocol.
Easy to block
The original Point-to-Point Tunneling Protocol (PPTP) was not designed with active blocking resistance in mind, making it vulnerable to measures such as:
Specific ports: PPTP uses the TCP on port 1723 and the GRE protocol for its operation. These specific ports and protocols can be easily identified and blocked by network filters.
Traffic characteristics: PPTP traffic patterns can be detected through deep packet inspection (DPI), which allows a targeted blocking of VPN connections.
Lack of obfuscation: Unlike some other VPN protocols, PPTP lacks built-in obfuscation mechanisms that could hide or alter its traffic characteristics, making it less visible to blocking systems.
Due to these characteristics, PPTP can be easily blocked by national or corporate firewalls, as well as other network traffic filtering systems.
While the PPTP compatibility remains on Windows, it is no longer supported in most other operating systems such as iOS, Android, and macOS. Regarding Windows, here is a step-by-step guide for the setup of a client connection:
Steps for installing and configuring a PPTP connection on Windows
The installation and configuration of PPTP for a VPN connection may vary depending on the version of the operating system, but you can follow some basic steps. Here are the general steps for setting up PPTP on a Windows computer:
Open the Control Panel:
- Go to "Control Panel" → "Network and Internet" → "Network and Sharing Center"
Create a New Connection:
- Click on "Set up a new connection or network"
- Choose "Connect to a workplace" and click "Next"
- Select "Use my Internet connection (VPN)"
Enter Server Information:
- Enter the server address to which you want to connect (usually provided by your VPN provider)
- Give the connection a name (e.g., "My VPN")
Enter User Credentials:
- Enter your credentials (username and password) provided by your VPN provider
Additional Connection Settings:
- Right-click on the newly created VPN connection and select "Properties"
- Go to the "Security" tab
- Set the VPN type to "PPTP"
- Select "Allow encryption" (if available)
Connect to the VPN:
- Return to the "Network and Sharing Center" and click on your VPN connection, then click "Connect"
Verify the Connection:
- After a successful connection, the status of your connection will change to "Connected"
Over the years, several vulnerabilities have been identified on the PPTP protocol and seriously compromise its security:
PPTP often uses MS-CHAP v2 for authentication, and while this represents an improvement when compared to the original MS-CHAP, this protocol is still susceptible to certain attacks. For example, with a "man-in-the-middle" attack, the protocol can be forced to revert to the original version of MS-CHAP, which is easily cracked.
PPTP employs the RC4 encryption algorithm, which is considered outdated and vulnerable to various attacks.
Data authentication issues
As of today, PPTP does not provide data origin authentication, meaning it does not guarantee that data has not undergone any alteration during the transit between the sender and receiver.
Recommendations for using the PPTP protocol
Avoid using PPTP for critical applications. Due to its well-known vulnerabilities, PPTP is not recommended for transmitting confidential information.
Restrict server access with a firewall. If you have a PPTP server, limit access to it only from known and trusted IP addresses.
Consider transitioning to more modern VPN protocols. Explore the possibility of switching to more secure and modern protocols such as IPsec, OpenVPN, or WireGuard.
Unlike more modern protocols like OpenVPN or WireGuard, PPTP uses encryption algorithms that do not put a big load on your processor, allowing for higher encryption/decryption speeds on older hardware, such as legacy routers.
On new hardware where modern cryptographic algorithms (e.g., AES) are supported in hardware, PPTP is unlikely to have an advantage over OpenVPN, IPsec, or WireGuard.
Comparison with other protocols
For the reasons mentioned above, comparing PPTP to modern VPN protocols in terms of speed and encryption reliability does not make much sense, it would fall behind by every metric.
However, it can be said that during its heyday, especially in Windows environments, PPTP had much broader device support, ease of deployment, and integration with other systems than any of the modern VPN protocols.
PPTP is dead. Long live SSTP?
In 2008, Microsoft introduced a new VPN protocol called SSTP. It uses SSL/TLS to transport traffic and operates over TCP on port 443 by default, making it resemble regular HTTPS traffic. Since HTTPS traffic is allowed in most network environments, SSTP can pass through most firewalls and proxy servers, where other protocols might be blocked.
Technical Features of the Protocol:
- SSTP uses SSL/TLS for traffic transportation (up to version 1.3).
- Server authentication is typically performed using SSL/TLS certificates. This ensures that the client connects to the genuine server, not a malicious one.
- SSTP supports various client authentication methods, including EAP (Extensible Authentication Protocol) and MS-CHAP v2. This allows different authentication schemes, such as certificates, user accounts, or even one-time passwords.
- Both the server and client can authenticate each other, enhancing the connection's security.
Significant drawbacks include the inability to work over UDP (TCP-over-TCP degrades rapidly with deteriorating network quality) and limited platform support. For these reasons, SSTP became a decent replacement for PPTP in Windows environments (alongside L2TP/IPsec), but it did not replicate the success of its predecessor.
Now that you know what PPTP is, it’s easy to understand that it holds a significant place in the history of VPNs. It was one of the pioneers in this field and introduced many technological innovations that became industry standards and are still implemented today. Thanks to this, along with its easy setup and active support from major players like Microsoft, PPTP was virtually unrivaled in its heyday.
However, like many other technologies, PPTP couldn't avoid becoming outdated. Over time, its security vulnerabilities became evident, leading to the emergence of more modern and secure protocols like OpenVPN and IPsec.
Today, PPTP resembles an exhibit in the museum of technology, reminding us of how the era of VPNs began. Its use is rarely justified, usually by historical reasons in exceptional cases. For all new tasks, we recommend considering something more modern and secure.