The retired predecessor of modern VPN protocols
PPTP (Point-to-Point Tunneling Protocol) is the oldest VPN protocol for general use. It’s so old that it was originally designed to tunnel dial-up connections; just like dial-up connections, PPTP is now considered obsolete, and has been replaced by modern, more advanced protocols like OpenVPN and WireGuard.
While rarely used nowadays, PPTP still has a bunch of perks some other protocols lack. The now-22-year-old protocol is still among the fastest, plus it’s incredibly easy to set up even for the least tech-savvy of users.
On the other hand, the PPTP VPN protocol comes with some glaring security vulnerabilities, making it less than ideal in a world of already fleeting privacy and anonymity. Nonetheless, PPTP is still offered by practically every VPN provider.
If your questions are “What is PPTP exactly?” “What made it great?” and “How did we abandon it?” here’s a rundown of the veteran protocol’s history and use cases.
A Little Bit of History
The PPTP protocol came into public use in 1999, while the beta version was available as early as 1997. The protocol was developed by a vendor consortium comprised of Microsoft, Ascend Communications, 3Com, and others. Initially, PPTP was designed as an improvement over PPP (Point-to-Point Protocol).
The PPP is a “regular” data link layer communication protocol that connects two routers without hosts. What this VPN PPTP protocol does is encapsulate PPP packets, allowing a data tunnel to be formed between two points in the network.
Tunneling is a process for moving data from one network to another. This process forms the backbone of VPN connections, as it creates a “tunnel” around your data, repackages it, and allows it to be sent across the internet.
However, tunneling itself doesn’t make data flows private, which is why VPN providers tack on encryption to hide all the information in transit. On the other hand, encryption would be impossible without tunneling and encapsulation, which allow for the repackaging of data in the first place.
PPTP’s original implementation was as a protocol for Windows 95, allowing users to connect to remote private networks. The primary use of PPTP back in the day was to connect to private enterprise servers in a corporate setting. It quickly outgrew its original use and formed the basis of the VPN protocols we use today.
How Does PPTP Work?
Like all VPN protocols that came after it, the PPTP client creates a tunnel (connection) to a PPTP server. This PPTP tunnel allows data to be sent to another point on the network – in this case, a VPN server – which then forwards it to the target server (for example, a site you’re trying to reach). The data the VPN server receives from the web page is then sent back to the user.
When it comes to VPN protocols, all the data going back and forth through VPN servers is encrypted, preventing ISPs, government agencies, or malicious third parties from spying.
Again, this whole process would be impossible without PPTP’s primary purpose – encapsulation. This transforms all your network data into an IP packet, enabling VPN servers to act as proxies for you.
As we’ve shown above, PPTP relies on a client-server model to function. The encrypted tunnel created between the PPTP VPN client and server goes through TCP port 1723, while encapsulation uses the GRE (Generic Routing Encapsulation) protocol.
This network communication operates at Layer 2 of the OSI model. If you want to get technical, OSI represents an abstract model of how protocols and devices on the network communicate. The data link layer, where the PPTP operates, is the second out of seven layers in the OSI model.
When a PPTP tunneling connection has been formed between the client and the server, the PPTP protocol supports two types of information: control messages and data packets.
- Control messages, as their name implies, serve to manage the VPN connection, including turning it off when needed.
- Data packets, on the other hand, contain all information that passes through the tunnel. This is basically the “meat” of your connection, encompassing all data about the sites you connect to, your actions on those sites, and so on.
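The control channel described above can be recognised in a capture by its fixed header. The following is an added example, not code from the original article: it splits a reassembled TCP/1723 byte stream into PPTP control messages using the header layout and magic cookie from RFC 2637, which is useful when auditing a network for legacy PPTP sessions that should be retired. The sample stream is constructed, with zero-filled message bodies, and the helper names are illustrative.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D  # magic cookie carried in every PPTP control message
HEADER_LEN = 12          # length, message type, cookie, control type, reserved
CONTROL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
    15: "Set-Link-Info",
}

def parse_control_stream(data: bytes) -> list:
    """Return the control message names found in a TCP/1723 byte stream.
    Raises ValueError if the bytes are not well-formed PPTP control traffic."""
    names, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated header")
        length, msg_type, magic, ctrl_type, _reserved = struct.unpack_from(
            "!HHIHH", data, off)
        if magic != PPTP_MAGIC:
            raise ValueError("bad magic cookie: not PPTP")
        if msg_type != 1:  # 1 = control message
            raise ValueError("not a control message")
        if length < HEADER_LEN or off + length > len(data):
            raise ValueError("bad length field")
        names.append(CONTROL_TYPES.get(ctrl_type, f"unknown({ctrl_type})"))
        off += length
    return names

def build(ctrl_type: int, body: bytes = b"") -> bytes:
    """Construct a sample control message (test data only)."""
    return struct.pack("!HHIHH", HEADER_LEN + len(body), 1,
                       PPTP_MAGIC, ctrl_type, 0) + body

# Constructed session: connection setup, call setup, then teardown.
SAMPLE = build(1, bytes(144)) + build(7, bytes(156)) + build(12, bytes(4))

if __name__ == "__main__":
    print(parse_control_stream(SAMPLE))
```

The data packets themselves do not appear on this TCP stream; they travel separately in GRE, so a complete audit also looks for GRE traffic between the same two hosts.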
PPTP relies on Microsoft RAS (Remote Access Service) to set up remote access to Windows PPTP VPN servers. The server admin can use a modem bank as a connection point for remote users. Since PPTP relies on the PPP protocol (more on that later), all RAS-supported connection protocols can be transported through the connection: TCP/IP, NetBEUI, and IPX/SPX.
To establish a connection, the PPTP requires only the server address, username, and password. On top of that, there are two PPTP tunneling types supported with this protocol:
Voluntary tunneling is initiated by the client/user. It does not require any additional hardware or network device – e.g., a router – to function. When you’re using VPN services as a consumer, voluntary tunneling is the only tunneling type that will take place.
Compulsory tunneling is initiated by the server, not the client. With compulsory tunneling, the VPN server requires remote access privileges as well as a router to function. Compulsory tunneling is used mainly in corporate environments to mandate that all company devices are protected by the VPN network.
PPTP’s specification doesn’t include encryption or authentication. Instead, it relies on PPP protocol tunneling for connection security. This is because PPTP implementation in Windows products, the protocol’s native ground, uses Microsoft Point-to-Point encryption to safeguard data.
Microsoft Point-to-Point encryption supports three encryption schemes: 40-bit key, 56-bit key, and 128-bit key. Naturally, any PPTP connection today should use the 128-bit key encryption to provide the strongest level of protection possible.
Still, even with this encryption, no one would describe PPTP security as good. Numerous PPTP security audits found a slew of vulnerabilities that severely impact its ability to keep your online activity hidden.
First, there are glaring issues in the MS-CHAP, Microsoft’s version of the challenge-handshake authentication protocol. Protocols such as this are used to authenticate the identity of the connecting client.
There are two versions of MS-CHAP available for use – MS-CHAP-v1 and MS-CHAP-v2. The first version is fundamentally insecure, as NT password hashes can be easily extracted from any captured MS-CHAP-v1 data exchange. This trivializes the whole point of encryption and leaves the door wide open for anyone trying to spy on you.
Unfortunately, the MS-CHAP-v2 doesn’t fare much better, either. Captured response packets are vulnerable to dictionary attacks. Additionally, it was discovered that the complexity of brute force attacks on MS-CHAP-v2 is equivalent to brute-forcing a DES 56-bit key.
Unlike 256-bit keys and above, which currently require millions of years to break, 56-bit encryption can be brute-forced relatively quickly. Also, the underlying Microsoft Point-to-Point encryption relies on the RC4 stream cipher for encryption. The RC4 is also proven vulnerable and is susceptible to bit-flipping attacks.
The final nail in the coffin for PPTP’s security is the lack of Perfect Forward Secrecy. This means that cracking one PPTP session cracks all previous ones as well.
In short, is PPTP VPN secure? No, not really.
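The RC4 bit-flipping weakness mentioned above comes from using a stream cipher with no integrity check. The following is an added example, not code from the original article and not Microsoft's MPPE framing: it uses a plain RC4 implementation with constructed keys and a constructed message to show that a modified ciphertext decrypts cleanly, and that the same modification is rejected once a MAC is verified before decryption.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:                            # keystream XOR data
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

KEY = bytes(range(16))          # constructed 128-bit cipher key
MAC_KEY = bytes(range(16, 48))  # constructed, separate integrity key
MSG = b"amount=0100;to=alice"   # constructed plaintext

def tamper(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR a known-plaintext difference into the ciphertext; no key needed."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    mid = bytes(c ^ d for c, d in zip(ct[offset:offset + len(delta)], delta))
    return ct[:offset] + mid + ct[offset + len(delta):]

def seal(msg: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over the ciphertext."""
    ct = rc4(KEY, msg)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_sealed(blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any modified ciphertext."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return rc4(KEY, ct)

if __name__ == "__main__":
    print(rc4(KEY, tamper(rc4(KEY, MSG), 7, b"0100", b"9100")))
```

RC4 is kept in the sealed variant only to isolate the effect of the integrity check; modern protocols such as WireGuard use authenticated encryption, which provides that check by construction.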
What Is PPTP Passthrough?
PPTP, similar to other older protocols like IPSec and L2TP, requires something called a VPN Passthrough to establish a connection. The VPN Passthrough is a feature found on routers that allows data packets from the VPN client to “pass through” the router and reach the VPN server.
The aforementioned protocols require the VPN Passthrough feature because they don’t natively work with NAT (Network Address Translation). NAT allows all devices on a single network to use the same online connection and IP address. Hence, in order to be able to connect to a PPTP VPN server, the router used needs to possess the Passthrough feature.
Passthrough settings are enabled or disabled through your router’s settings. To do so, you’ll need to type your router’s IP address into the browser’s URL bar, with most routers using the 192.168.1.1 address. There will usually be separate toggle buttons for each protocol’s Passthrough feature.
If you want to use a VPN client for PPTP connections, click ‘Enable’ for PPTP Passthrough, and you’re all set.
With all its security vulnerabilities, PPTP has one area where it really shines – performance. Usually, the main factor that negatively impacts a protocol’s connection speed is encryption. The stronger the encryption, the slower the speed.
As we’ve covered previously, PPTP features pretty lightweight (basically nonexistent) encryption, allowing PPTP users to retain near-original connection speeds. Of course, you won’t keep 100% of your original speed – VPN tunneling still causes minor drops.
Still, PPTP speed overall is pretty admirable. This is one of the reasons why PPTP is still in use today. Fast speeds are ideal for VPN torrenting, streaming, and other activities where speed is more important than security.
Besides its speed, PPTP’s strength also lies in its easy setup and configurability, as the protocol has native support in multiple operating systems. The installation process is just downloading the client and typing in the credentials given by the VPN provider.
PPTP was initially developed for Windows, but now Linux and iOS PPTP VPN clients are available too. When connecting to PPTP servers, you’ll only need the server address, username, and password, without fiddling with additional options.
Nearly every VPN provider offers software with PPTP support, which allows you to simply choose it from the available protocol list and connect to the available servers. In case you run into issues, most VPN companies also provide installation guides to help you set up PPTP VPN on their site.
PPTP Platform Availability
As we just mentioned, the PPTP protocol is available on all major operating systems: Windows, iOS, macOS, Android, Linux, and even FireOS. The last two do not feature native PPTP support, but this is easily solved by using a VPN client from one of the more popular providers.
You really shouldn’t have problems finding providers that offer PPTP support. From industry leaders like NordVPN, to smaller companies like IPVanish, all of them let you use the PPTP protocol to connect to their servers.
While PPTP is an outdated protocol that fails on many fronts, it does have several things going for it.
The first one is definitely speed. Using a PPTP VPN service lets you use the full power of your original connection, significantly outperforming other protocols. In cases where security isn’t a major concern, you can use PPTP and enjoy top-tier performance.
Users looking to stream in HD can probably benefit the most from PPTP, as there are really no security risks while using Netflix, for example.
Secondly, PPTP is very easy to set up. There’s no convoluted configuration process to go through; you just type in the credentials and click connect.
Lastly, PPTP can be used on practically all platforms without issue. Whichever device or operating system you’re using, you can use the PPTP protocol to connect to a VPN server.
One of the main reasons why people use VPNs in the first place is to preserve security and anonymity. More modern VPN protocols are pretty good at encrypting your connection, preventing anyone from snooping in on your online activities or divulging your actual location or IP.
Unfortunately, the VPN PPTP protocol is an abysmal choice for achieving this. It features very weak encryption that can be broken within a day. We’ve listed all the major security vulnerabilities earlier in the article that make PPTP so susceptible to different types of attacks. Furthermore, PPTP is believed to have been cracked by the NSA very early into its existence.
When comparing PPTP vs. OpenVPN or WireGuard, the newer protocols boast both advanced encryption and high speeds, which makes PPTP pretty much obsolete. While PPTP can outperform them, the difference isn’t as significant, and it’s much less secure.
Unless you’re trying to draw every ounce of power out of your connection, you’re better off using OpenVPN, WireGuard, or one of the other newer protocols.
TOP 3 VPNs with PPTP Protocol
In case you’re looking to use PPTP and can’t decide on a VPN provider, we can help you out. While providers with PPTP support aren’t exactly hard to find, we picked out the three best ones that come with other advantages as well.
A titan in the VPN market, ExpressVPN has everything you might need from a VPN service. Its server network covers 160 locations in 94 countries, easily unblocks streaming platform libraries, and offers a wide range of protocols, including PPTP.
NordVPN is, next to ExpressVPN, probably the most popular provider out there. With over 5,000 servers, a strict No Logs policy, and top-tier security, you can’t go wrong with NordVPN. In addition to PPTP and many other protocols, NordVPN also features a proprietary protocol that performs admirably on most tests.
IPVanish is a smaller VPN provider that can go toe-to-toe with the best ones in the market. Its VPN service lets you connect an unlimited number of devices simultaneously, and comes with great extra features like split tunneling and a kill switch. Additionally, IPVanish is great for both torrenting and streaming.
What is a PPTP VPN connection?
PPTP is the first widely used VPN protocol that set the stage for VPN services as we know them today. While fast and easy to set up, it comes with a whole range of security vulnerabilities.
Is PPTP VPN safe?
No, PPTP’s encryption is very weak, leaving it open to different kinds of attacks. If you’re using a VPN to protect your anonymity, you should use newer protocols.
How does PPTP VPN Work?
The PPTP VPN protocol creates a tunnel to a VPN server by encapsulating your network data into an IP packet, allowing VPN servers to route your connection to the designated web server.
When should you use PPTP?
While you’re better off using modern VPN protocols like OpenVPN or WireGuard, PPTP still has some uses. Due to its extraordinary speed, it can be used for streaming, torrenting, and other activities where speed is paramount.