EdgeRouter - PPTP VPN Server using RADIUS


Readers will learn how to configure the EdgeRouter as a PPTP (Point to Point Tunneling Protocol) server using RADIUS authentication. Please see the PPTP VPN Server article for information on how to set up local authentication with PPTP.

ATTENTION: Packets passed through a PPTP tunnel are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the EdgeRouter - Hardware Offloading Explained article for more information.




Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.


Equipment used in this article:

- EdgeRouter-4 (ER-4)

- Windows Server 2016 Network Policy Server (NPS)

- Test clients

Table of Contents

  1. Network Diagram
  2. Steps: PPTP VPN Server
  3. Steps: Windows Server
  4. Steps: Windows Client
  5. Steps: Testing & Verification
  6. Related Articles

Network Diagram


The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) -
  • eth1 (LAN) -

Steps: PPTP VPN Server


For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to PPTP are:

  • TCP 1723 (PPTP)
  • Protocol 47 (GRE)


CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.


2. Add a firewall rule for the PPTP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description PPTP
set firewall name WAN_LOCAL rule 30 destination port 1723
set firewall name WAN_LOCAL rule 30 protocol tcp

NOTE: Make sure that this rule does not override any existing firewall policies! The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.

3. Configure the server authentication settings (replace <secret> with your desired passphrase).

set vpn pptp remote-access authentication radius-server key <secret>
set vpn pptp remote-access authentication radius-server port 1812
set vpn pptp remote-access authentication mode radius

NOTE: The default port used for RADIUS authentication in EdgeOS is UDP 1812.

4. Define the IP address pool that will be used by the VPN clients.

set vpn pptp remote-access client-ip-pool start
set vpn pptp remote-access client-ip-pool stop

NOTE: You can also issue IP addresses from the local subnet ( in this case), but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn pptp remote-access dns-servers server-1
set vpn pptp remote-access dns-servers server-2

(Optional) You can also set the DNS server to be the internal IP of the router itself. In this case, you will also need to enable DNS forwarding (if not already enabled) and set listen-address to the same internal IP.

set vpn pptp remote-access dns-servers server-1
set service dns forwarding options "listen-address="
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1

6. Define the WAN interface which will receive PPTP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP.

set vpn pptp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address.

set vpn pptp remote-access outside-address

(C) Your WAN interface receives an address through PPPoE.

set vpn pptp remote-access outside-address

7. (Optional) Lower the MTU for PPTP traffic.

Experiment with lowering the MTU value if the performance of the PPTP tunnel is poor. This can happen, for example, when the external WAN interface uses PPPoE (1492 byte MTU).

set vpn pptp remote-access mtu <mtu-value>

8. Commit the changes and save the configuration.

commit ; save

Steps: Windows Server


The section below (briefly) focuses on configuring the Network Policy and Access Services (NPS) role on a Windows 2016 server. There are multiple guides available online that go into more detail than this article.


1. Add the NPS role.

Server Manager > Add Roles and Features > Network Policy and Access Services

2. Add the EdgeRouter to the RADIUS clients (replace <secret> with your desired passphrase).

Network Policy Server Console (NPS) > Radius Clients and Servers > Radius Clients > New

Friendly Name: ER-4 (does not have to match device hostname)
Address (IP or DNS): (the source address of the router)
Shared Secrets Template: None
Shared Secret: Manual
Shared Secret / Confirm: <secret>

NOTE: You can also create a ‘RADIUS Shared Secret Template’ and use the same passphrase for all RADIUS Clients.

3. Create a Network Policy for the RADIUS clients.

NPS > Policies > Network Policy > New

Policy Name: ER Radius Clients
Type of Network Access Server: Unspecified

Specify Conditions > Add

Client Friendly Name: ER-?
User Groups: UBNT\Network Engineers

NOTE: You can use Active Directory (AD) or local users (Windows Group) for authentication. In this example, the users allowed to authenticate to the ER are ‘Network Engineers’ in the UBNT domain. You can use expressions when matching the ‘Client Friendly Name’. For example, 'ER-?' matches device names starting with 'ER-'.

Next > Specify Access Permission

Access Granted

Next > Configure Authentication Methods

Uncheck all methods and check ‘Microsoft Encrypted Authentication Version 2 (MS-CHAP-v2)’

Next > Configure Constraints > Next > Configure Settings > Radius Attributes: Standard

Framed-Protocol: PPP
Service-Type: Framed

Routing and Remote Access > Encryption

Uncheck all methods and check ‘Strongest Encryption (MPPE 128-bit)’

Steps: Windows Client


There are different ways to connect to a PPTP server using a multitude of applications and operating systems. In this article, we are focusing on only one, the built-in Windows 10 VPN client. Please note that the built-in macOS PPTP client was removed starting from macOS Sierra.


1. Navigate to the Windows 10 VPN settings and add a new connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name:
VPN Type: Point to Point Tunneling Protocol (PPTP)
Type of sign-in info: User name and password
User name: <username>
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > PPTP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

Steps: Testing & Verification


1. Verify that the traffic is increasing the counters on the PPTP firewall rule.

show firewall name WAN_LOCAL statistics 

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    1549        142354      ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    6           312         ACCEPT  PPTP
10000 9           702         DROP    DEFAULT ACTION

2. Capture the PPTP traffic on the WAN interface.

sudo tcpdump -i eth0 -n tcp dst port 1723
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP > Flags [S], seq 2520152954, win 64240, options
IP > Flags [.], ack 2843548513, win 256, length 0
IP > Flags [P.], seq 0:156, ack 1, win 256, length 156: pptp
IP > Flags [P.], seq 156:324, ack 157, win 256, length 168: pptp
IP > Flags [P.], seq 324:348, ack 189, win 255, length 24: pptp
IP > Flags [P.], seq 348:372, ack 189, win 255, length 24: pptp

NOTE: This is a live capture. If there is no output, that means that the traffic is either not being generated by the client, or there is something blocking the traffic upstream. If there is output here and the connection is not establishing, verify the firewall rules above.

3. Verify the status of the remote access users and interfaces.

show vpn remote-access 
Active remote access VPN sessions:

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte 
---------- --------- ----- -----   --------------- ------ ------ ------ ------
user1      00h05m57s PPTP  pptp0     8    104     87   7.5K
user2      00h03m20s PPTP  pptp1    12    367     80   6.4K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                                            
pptp0                      u/u  User: user1                
pptp1                      u/u  User: user2                

4. Analyze the PPTP log messages.

show log | match pppd
ubnt pppd[2951]: pppd 2.4.4 started by root, uid 0
ubnt pppd[2951]: Connect: ppp0 <--> /dev/pts/2
ubnt pppd[2951]: peer from calling number authorized
ubnt pppd[2951]: MPPE 128-bit stateless compression enabled
ubnt pppd[2951]: local IP address
ubnt pppd[2951]: remote IP address

ubnt pppd[3579]: pppd 2.4.4 started by root, uid 0
ubnt pppd[3579]: Connect: ppp1 <--> /dev/pts/3
ubnt pppd[3579]: peer from calling number authorized
ubnt pppd[3579]: local IP address
ubnt pppd[3579]: remote IP address

5. Capture the RADIUS authentication requests and responses on the internal interface.

sudo tcpdump -i eth1 -n -vv udp dst port 1812
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:37:12.507645 IP (tos 0x0, ttl 64, id 51495, offset 0, flags [DF], proto UDP (17), length 172) > [udp sum ok] RADIUS, length: 144
  Access-Request (1), id: 0x8d, Authenticator: 7c5624329f1acdad11da5cde16e9ce37
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Framed-Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
User-Name Attribute (1), length: 7, Value: user1
0x0000: 7573 6572 31
Vendor-Specific Attribute (26), length: 24, Value: Vendor: Microsoft (311)
Vendor Attribute: 11, Length: 16, Value: v_..\a....|.|..F
0x0000: 0000 0137 0b12 765f c9ff 5c61 dd1c fbad
0x0010: 7c85 7c00 9a46
Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
Vendor Attribute: 25, Length: 50, Value: ..........h..._............n}......v...w*(.&..a.K.
0x0000: 0000 0137 1934 9900 bf2e c0ba e60b cb8a
0x0010: 68e1 f39a 5faa a0c3 0000 0000 0000 0000
0x0020: c06e 7dbd 2ebb a8cc 8476 a1e2 b877 2a28
0x0030: a126 d9d4 61a9 4bc6
Calling-Station-Id Attribute (31), length: 11, Value:
0x0000: 3139 322e 302e 322e 31
NAS-IP-Address Attribute (4), length: 6, Value:
0x0000: 7f00 0101
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000

6. Analyze the event logs on the RADIUS server.

Event Viewer > Custom Views > ServerRoles > Network Policy and Access Services


NOTE: If access to the user is granted but the PPTP connection fails to establish, verify the MPPE encryption settings on the NPS server. The PPTP logs will show the 'MPPE required, but keys are not available. Possible plugin problem?' error message if this is the case.
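
As an added example (not part of the original article and not Ubiquiti code), the shell function below groups pppd log lines such as those in step 4 by process ID and reports, per session, whether an MPPE 128-bit line was logged or whether the 'MPPE required, but keys are not available' error from the note above appeared. The sample log, its addresses, the third session and the status labels are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Ubiquiti code. Summarises pppd log lines per session (PID).

# Constructed sample modelled on the step 4 output; the addresses and the
# third session (PID 4102) are made up for illustration.
sample_pppd_log() {
    cat <<'EOF'
ubnt pppd[2951]: pppd 2.4.4 started by root, uid 0
ubnt pppd[2951]: Connect: ppp0 <--> /dev/pts/2
ubnt pppd[2951]: peer from calling number 192.0.2.10 authorized
ubnt pppd[2951]: MPPE 128-bit stateless compression enabled
ubnt pppd[2951]: remote IP address 198.51.100.10
ubnt pppd[3579]: pppd 2.4.4 started by root, uid 0
ubnt pppd[3579]: Connect: ppp1 <--> /dev/pts/3
ubnt pppd[3579]: peer from calling number 192.0.2.20 authorized
ubnt pppd[3579]: remote IP address 198.51.100.11
ubnt pppd[4102]: Connect: ppp2 <--> /dev/pts/4
ubnt pppd[4102]: peer from calling number 192.0.2.30 authorized
ubnt pppd[4102]: MPPE required, but keys are not available. Possible plugin problem?
EOF
}

# Reads pppd log lines on stdin; prints "PID IFACE STATUS" per pppd process,
# in order of first appearance.
audit_pppd_sessions() {
    awk '
    {
        if (!match($0, /pppd\[[0-9]+\]:/)) next        # not a pppd line
        pid = substr($0, RSTART + 5, RLENGTH - 7)      # digits inside [ ]
        msg = substr($0, RSTART + RLENGTH + 1)         # text after "]: "
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid; iface[pid] = "-" }
        if (msg ~ /^Connect: /) { split(msg, f, " "); iface[pid] = f[2] }
        else if (msg ~ /MPPE 128-bit/) mppe[pid] = 1
        else if (msg ~ /MPPE required, but keys are not available/) nokeys[pid] = 1
        else if (msg ~ /authorized/) auth[pid] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (nokeys[p])    status = "MPPE_KEYS_MISSING"   # error quoted in the note
            else if (mppe[p]) status = "MPPE128"
            else if (auth[p]) status = "NO_MPPE_LOGGED"      # authorized, no MPPE line
            else              status = "INCOMPLETE"
            print p, iface[p], status
        }
    }'
}

sample_pppd_log | audit_pppd_sessions
```

A session reported as NO_MPPE_LOGGED was authorized without an MPPE line in the log and is worth checking against the encryption setting configured on the NPS server.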

Related Articles
