Return to protonvpn.com Facebook   Twitter   Reddit   Instagram   Mastodon   ProtonMail

What is PPTP?

Posted on November 5th, 2021 by in Security.

 

The Point-to-Point Tunneling Protocol (PPTP) is a VPN protocol used to secure the connection between your device and a VPN server. One of the oldest VPN protocols, PPTP is plagued by multiple security issues and is now considered obsolete.

Despite this, its broad compatibility with a huge range of legacy software and hardware, its ease of setup, its lightweight nature, plus the high cost for businesses to upgrade their old PPTP corporate intranet VPN systems, means that in 2021 the protocol remains in widespread use.

What is a VPN protocol?

The VPN protocol is a mix of transmission protocols and encryption standards that establish a secure connection between your device and a VPN server, and encrypts data as it travels between them. 

A VPN protocol should provide three things:

  • Authentication – prevents unauthorized users from connecting to the VPN server
  • Confidentially – using encryption to ensure that no one can access (“sniff”) the contents of data packets sent over the VPN network
  • Integrity – detects if transmitted data has been tampered with in any way

VPN protocols used today include:

  • PPTP
  • L2TP/IPsec
  • IKEv2 (/IPsec)
  • OpenVPN
  • WireGuard®
  • SSTP
  • SoftEther
  • Cisco AnyConnect (and its open-source variant OpenConnect) – these protocols are used almost exclusively by corporate VPN intranets, not by commercial VPN services, such as ProtonVPN.

Learn more about VPN protocols

Learn more about WireGuard

What is PPTP VPN?

History

Developed by a consortium founded by Microsoft, the specification for PPTP was designed for creating VPN connections over dial-up networks and was published in 1999. Microsoft quickly added PPTP support to Windows 95, with the result that it quickly became the default VPN protocol for corporate intranets everywhere.  

Support

Over the last 20+ years, support for PPTP has been built-in to almost every VPN-capable platform, and it continues to be natively supported by Windows 11, Android 12, most Linux distros, and the vast majority of VPN-capable routers.

Apple, however, removed support for PPTP from iOS 10+ and macOS 10.12 Sierra in 2018, and recommended against its use on older versions of its operating systems.

Recent versions of Chrome OS do not support PPTP directly, but it is possible to configure PPTP connections using the Android subsystem on Chromebooks that support the Google Play Store. 

How it works

PPTP is a tunneling protocol, not, in itself, a complete VPN protocol. Encryption and authentication are handled by the Point-to-Point Protocol (PPP), but PPP includes no routing mechanism to direct packets to their destination.

PPTP establishes a TCP connection to the VPN server over port 1723, repackaging the PPP IP packets using Generic Routing Encapsulation (GRE). These packets are encrypted with Microsoft Point-to-Point Encryption (MPPE), which uses an RSA RC4 stream cipher with a maximum key size of 128-bits. 

Authentication is usually achieved using the MS-CHAP (now v2) protocol. (It is possible to use the more secure AEP-TLS, but this involves implementing a server certificate system, which largely negates the advantages of using PPTP in the first place.)

Speed

PPTP is a very simple and lightweight VPN protocol. This makes for good speed performance (especially on devices with low processing power), and good battery life on mobile devices. This is especially true when compared to the much more secure (but also more cumbersome) OpenVPN protocol. 

Security

PPTP is known to have numerous critical security issues. One the most serious of these is the possibility of un-encapsulated MS-CHAP v2 authentication, which can allow an attacker to exploit cryptographic weaknesses to obtain user credentials.

Using this exploit, tools first released by crypto-legend Moxie Marlinspike in 2012 allow PPTP to be cracked in under a day. This flaw led Microsoft itself to recommend using L2TP/IP, IKEv2, IPsec, or SSTP instead. 

In 2019, Microsoft also issued an “Applicability Statement”, noting that the authentication method used by MS-CHAP v2 is susceptible to dictionary attacks. To make matters worse, the RC4 cipher used by PPTP to encrypt data is vulnerable to bit-flipping attacks.

It therefore came as very little surprise when, in 2014, Der Spiegel released documents obtained from whistleblower Edward Snowden that confirmed the United States’ NSA has little problem accessing data secured using PPTP. 

Top secret slide obtained from Edward Snowden detailing how the NSA easily breaks PPTP encryption

Resistance to censorship

PPTP uses TCP port 1723, and packets encapsulated by GRE use IP protocol number 47, both of which are trivial to block using a firewall. 

Summary

PPTP is not a secure VPN protocol, and should never be used in any situation where security is a factor.

Its ease of use, lightweight nature, and almost ubiquitous support mean that it can still be useful in situations where security is not an issue. For example, use cases include when you need to overcome IPS throttling, unblock geo-restricted websites, and stream Netflix content.

However, at ProtonVPN we believe this obsolete protocol’s security weaknesses make it unfit for purpose, and that it is irresponsible for modern commercial VPN services to provide PPTP as an option to their users.

At ProtonVPN we only offer cryptographically secure VPN protocols implemented at their highest security settings. These protocols are:

  • OpenVPN 
  • IKEv2
  • WireGuard

Frequently asked questions

What port does PPTP use?

PPT uses TCP port 1723.

What is PPTP passthrough?

All routers use Network Address Translation (NAT) to map incoming and outgoing connections to local devices that are connected to them. However, not all routers understand what to do with packets that have been encrypted using older VPN protocols, such as PPTP, IPSec, and L2TP. 

To handle traffic that uses these VPN protocols, a router must support VPN passthrough. If it doesn’t, the VPN traffic will be blocked by the router. A PPTP passthrough replaces the basic GRE protocol used by PPTP with an enhanced version that includes a call ID it can use to identify PPTP clients and correctly route their packets. 

Most modern routers include a VPN passthrough that can handle all the common VPN protocols that are affected by this issue (including PPTP). In addition to this, modern VPN protocols, such as OpenVPN, IKEv2, and Wireguard are not affected by this issue as they have been designed to address it. 

Do I need a PPTP client?

Most VPN-capable devices and operating systems include a native PPTP VPN client. A major exception is Apple devices, which no longer support PPTP. This is a good move on Apple’s part because more modern VPN protocols can do everything PPTP does while also being much more secure. 

Douglas has worked for many years as a technology writer in the cyberprivacy and cybersecurity sector. He is now very pleased to work for a company with a mission that he passionately believes in.

Secure your internet

Get ProtonVPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xsBNBFiYeeIBCACpwuYcTsACyjQaqY3tOUonokamGZf3VDuLvcA9nQnu4vlB
n1RFFUJa5Pmf2yZ9EjJFSldTl5lreE3tFf53CcZ9wKa1R6aMnN/0VqURJho0
ZTqevQlCvuJ9kKHkDck3Em0/1WWnhDJgabp+fOa5HAHoAvcNy5gVPuexTT/N
wp6QcfB7w+qFhf73s0bcSn5RC+FAYlQxZVFhFtA7/7LthBVatDJrYLYP9XJd
zOZqz9AX0XZwKal25RcVeGHkNKgloo0bTgro4D88MR7saqXFHTRhy3+Wss7c
uqrh0uIkVmqtadoK/rAbqOyFXQ2DlvSMVrEMLUvwlZbC0taqcKDfNA+FABEB
AAHNLWNvbnRhY3RAcHJvdG9udnBuLmNvbSA8Y29udGFjdEBwcm90b252cG4u
Y29tPsLAfwQQAQgAKQUCWJh54wYLCQcIAwIJEN4dfnhhw11TBBUIAgoDFgIB
AhkBAhsDAh4BAAoJEN4dfnhhw11T6PwIAKgIHTUaEcCFQ5WfmwGpdhRgFe7H
gnHR8UOFPrRKnbCOQgTVPGwCFt8UVFhEgbmtroThU89DpxFSYUOD6nZ2k1X3
X4Q9OsItFUUuhPtLJrkz5ghtZLmsAH/edTRbVU1Ew1E8KbylLFI1J5yId7zR
GdnaTXv/E7P3po5X/b08TFAhXSyYYUbMeQuthbJajtpFygr53lm47cOWa4N8
udqLhmpheaQj04DuqYXOGC08JQn+XbHzhFl5Yvlt9Idk8+7c2UJ0qgWKQ5ZV
mquRAw5HDCQM5OqF1MoImDxOH+tK3PUlvFDsLZ1WPEOHK/EN12sPBx0x1R04
fcPTPdbMwgISGM3OwE0EWJh54gEIALqhrLUpvarPc0nkuHpyJC/MsrIDPLuV
qMc49tgjgDBsyIKJFEP9qCnkSOEixaFi+nTljUSpkHGR+PvEGecmcOdW6djN
QGxon/nwBT9d8HbtxJesaEIzwRAxmqQW9MqNq4UsfNQ0VvUYqV9wEbYfdDT/
jZfz9N0hjFELF1sg3UPcCRijhf162bp+rLQdO9vWVUbOdMQvsM/kyUJ6JMXR
xUtyKC05ddxii2SMr4XUW45ostPbxJybOF5oSZpEb1EIlrTLLPAe/498XlBW
hpRAPe+9ZfNs7drMvUEFnnOXahrXAuaaZpyaS/XBaloqSb1+v2AkUep3dbSF
PaRtbXRMS+kAEQEAAcLAaAQYAQgAEwUCWJh54wkQ3h1+eGHDXVMCGwwACgkQ
3h1+eGHDXVMZ4Qf4hu5N8/uYNDqJMFRIWSCpPGxmyIVXGARG4hgR8gwPZY9K
fReAUndX3uODBNIgZU7I3YntawU1DlP6GpP6yyR/8lfUMNCAXPDmd+zTFYIJ
UDHD8sw2GRrFVzFOKUpAapWFOI4XjSMP2UiK4HgrpUjAhe1wSaa7nEjtAuYT
zFx1QSuQD1iYcOF/FAm7EuhBIfWITjYAobGM6gonPbp3IPHM52rUbulllcdV
vCLs+blcyiVCGZlNcmlg3eibAJJL19TQLqT2DbQvQ/SyVBJGjoT+y4TTRtmZ
cebEjt2KJcc4x2lzPq3z2KJNyJTOTMB+aYD9Ma9IObDds+M/+5XDWi7f
=ueTT
-----END PGP PUBLIC KEY BLOCK-----

You can also Tweet to us:
@ProtonVPN