EdgeRouter - PPTP VPN Server


Readers will learn how to configure the EdgeRouter as a PPTP (Point to Point Tunneling Protocol) server using local authentication. Please see the PPTP VPN Server using RADIUS article for information on how to set up RADIUS authentication with PPTP.

ATTENTION: Packets passed through a PPTP tunnel are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the EdgeRouter - Hardware Offloading Explained article for more information.




Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.


Equipment used in this article:

  • EdgeRouter-4 (ER-4)
  • Test clients

Table of Contents

  1. Network Diagram
  2. Steps: PPTP VPN Server
  3. Steps: Windows Client
  4. Steps: Testing & Verification
  5. Related Articles

Network Diagram

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) -
  • eth1 (LAN) -

Steps: PPTP VPN Server

For the purpose of this article, it is assumed that the routing and interface configuration are already in place and that reachability has been tested.

The port and protocol that are relevant to PPTP are:

  • TCP 1723 (PPTP)
  • Protocol 47 (GRE)


CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.


2. Add a firewall rule for the PPTP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description PPTP
set firewall name WAN_LOCAL rule 30 destination port 1723
set firewall name WAN_LOCAL rule 30 protocol tcp

NOTE: Make sure that this rule does not override any existing firewall policies! The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.

3. Configure the server authentication settings (replace <secret> with your desired passphrases).

set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username user1 password <secret>
set vpn pptp remote-access authentication local-users username user2 password <secret>

NOTE: If you define a password using 'quotation marks', make sure that the password on the client side does not include these same quotes. For example, set vpn pptp ... username user1 password 'sup3rSecure' must be entered as sup3rSecure on the client.

4. Define the IP address pool that will be used by the VPN clients.

set vpn pptp remote-access client-ip-pool start
set vpn pptp remote-access client-ip-pool stop

NOTE: You can also issue IP addresses from the local subnet ( in this case), but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn pptp remote-access dns-servers server-1
set vpn pptp remote-access dns-servers server-2

(Optional) You can also set the DNS server to be the internal IP of the router itself. In this case, you will also need to enable DNS forwarding (if not already enabled) and set listen-address to the same internal IP.

set vpn pptp remote-access dns-servers server-1
set service dns forwarding options "listen-address="
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1

6. Define the WAN interface which will receive PPTP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP.

set vpn pptp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address.

set vpn pptp remote-access outside-address

(C) Your WAN interface receives an address through PPPoE.

set vpn pptp remote-access outside-address

7. (Optional) Lower the MTU for PPTP traffic.

Experiment with lowering the MTU value if the performance of the PPTP tunnel is poor. An example of when this can happen is when the external WAN interface uses PPPoE (1492 byte MTU).

set vpn pptp remote-access mtu <mtu-value>

8. Commit the changes and save the configuration.

commit ; save

Steps: Windows Client

There are different ways to connect to a PPTP server using a multitude of applications and operating systems. In this article, we focus on only one, the built-in Windows 10 VPN client. Please note that the built-in macOS PPTP client was removed starting from macOS Sierra.


1. Navigate to the Windows 10 VPN settings and add a new connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name:
VPN Type: Point to Point Tunneling Protocol (PPTP)
Type of sign-in info: User name and password
User name: user1
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > PPTP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

Steps: Testing & Verification

1. Verify that the traffic is increasing the counters on the PPTP firewall rules.

show firewall name WAN_LOCAL statistics 

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    1549        142354      ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    6           312         ACCEPT  PPTP
10000 9           702         DROP    DEFAULT ACTION

2. Capture the PPTP traffic on the WAN interface.

sudo tcpdump -i eth0 -n tcp dst port 1723
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP > Flags [S], seq 2520152954, win 64240, options
IP > Flags [.], ack 2843548513, win 256, length 0
IP > Flags [P.], seq 0:156, ack 1, win 256, length 156: pptp
IP > Flags [P.], seq 156:324, ack 157, win 256, length 168: pptp
IP > Flags [P.], seq 324:348, ack 189, win 255, length 24: pptp
IP > Flags [P.], seq 348:372, ack 189, win 255, length 24: pptp

NOTE: This is a live capture. If there is no output, that means that the traffic is either not being generated by the client, or there is something blocking the traffic upstream. If there is output here and the connection is not establishing, verify the firewall rules above.

3. Verify the status of the remote access users and interfaces.

show vpn remote-access 
Active remote access VPN sessions:

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte 
---------- --------- ----- -----   --------------- ------ ------ ------ ------
user1      00h05m57s PPTP  pptp0     8    104     87   7.5K
user2      00h03m20s PPTP  pptp1    12    367     80   6.4K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                                            
pptp0                      u/u  User: user1                
pptp1                      u/u  User: user2                

4. Analyze the PPTP log messages.

show log | match pppd
ubnt pppd[2951]: pppd 2.4.4 started by root, uid 0
ubnt pppd[2951]: Connect: ppp0 <--> /dev/pts/2
ubnt pppd[2951]: peer from calling number authorized
ubnt pppd[2951]: MPPE 128-bit stateless compression enabled
ubnt pppd[2951]: local IP address
ubnt pppd[2951]: remote IP address

ubnt pppd[3579]: pppd 2.4.4 started by root, uid 0
ubnt pppd[3579]: Connect: ppp1 <--> /dev/pts/3
ubnt pppd[3579]: peer from calling number authorized
ubnt pppd[3579]: local IP address
ubnt pppd[3579]: remote IP address
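
Added example (not part of the original article or of EdgeOS): a shell function that groups the pppd lines above by process ID and flags any authorized session that never logged an MPPE line, as is the case for pid 3579 in the excerpt. The names audit_mppe and sample_log are assumptions; the sample input is copied from the log output above.

```shell
#!/bin/sh
# Added example: report, per pppd process, whether an authorized PPTP
# session logged that MPPE was enabled. Reads pppd log lines on stdin.

audit_mppe() {
    awk '
    # Each PPTP session runs its own pppd, so the pid in "pppd[2951]:"
    # identifies the session. Lines without that tag are ignored.
    match($0, /pppd\[[0-9]+\]:/) {
        pid = substr($0, RSTART + 5, RLENGTH - 7)
        msg = substr($0, RSTART + RLENGTH + 1)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        if (msg ~ /^Connect: /)      { split(msg, f, " "); iface[pid] = f[2] }
        if (msg ~ /authorized/)      auth[pid] = 1
        if (msg ~ /^MPPE .*enabled/) mppe[pid] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            pid = order[i]
            if (!auth[pid]) continue   # no authorized peer, nothing to flag
            ifn = ((pid in iface) ? iface[pid] : "?")
            printf "%s pid=%s iface=%s\n", (mppe[pid] ? "OK" : "NO-MPPE"), pid, ifn
        }
    }'
}

# Sample input: the pppd lines from the log excerpt in step 4 of this article.
sample_log() {
    cat <<EOF
ubnt pppd[2951]: pppd 2.4.4 started by root, uid 0
ubnt pppd[2951]: Connect: ppp0 <--> /dev/pts/2
ubnt pppd[2951]: peer from calling number authorized
ubnt pppd[2951]: MPPE 128-bit stateless compression enabled
ubnt pppd[2951]: local IP address
ubnt pppd[2951]: remote IP address

ubnt pppd[3579]: pppd 2.4.4 started by root, uid 0
ubnt pppd[3579]: Connect: ppp1 <--> /dev/pts/3
ubnt pppd[3579]: peer from calling number authorized
ubnt pppd[3579]: local IP address
ubnt pppd[3579]: remote IP address
EOF
}

sample_log | audit_mppe
```

To check real sessions, save the output of show log | match pppd and feed it to audit_mppe on standard input. A NO-MPPE line is a prompt to review the encryption setting on that client's VPN adapter.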

Related Articles
