EdgeRouter - PPTP VPN Server


Overview


Readers will learn how to configure the EdgeRouter as a PPTP (Point-to-Point Tunneling Protocol) server using local authentication.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. PPTP Server
  3. PPTP Client
  4. Related Articles

Network Diagram



The network topology is shown below.

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

topology_pptp_server_new.png


PPTP Server



ATTENTION: Packets passed through a PPTP tunnel are not eligible for offloading. Please see this article for more information.

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The port and protocol that are relevant to PPTP are:

  • TCP 1723 (PPTP)
  • Protocol 47 (GRE)

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add a firewall rule for the PPTP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description PPTP
set firewall name WAN_LOCAL rule 30 destination port 1723
set firewall name WAN_LOCAL rule 30 protocol tcp

3. Configure the server authentication settings (replace <username> and <secret> with your desired username and passphrase).

set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username <username> password <secret>

NOTE: The EdgeRouter PPTP server uses MS-CHAP v2 authentication by default.

4. Define the IP address pool that will be used by the VPN clients.

set vpn pptp remote-access client-ip-pool start 192.168.100.240
set vpn pptp remote-access client-ip-pool stop 192.168.100.249

NOTE: You can also issue IP addresses from the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP server or used by other devices on your network.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn pptp remote-access dns-servers server-1 <ip-address>
set vpn pptp remote-access dns-servers server-2 <ip-address>

6. Define the WAN interface which will receive PPTP requests from clients.

Configure only one of the following statements. Choose the one that matches how your WAN interface receives its address:

(A) Your WAN interface receives an address through DHCP

set vpn pptp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address

set vpn pptp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE

set vpn pptp remote-access outside-address 0.0.0.0

7. (Optional) Lower the MTU for PPTP traffic.

set vpn pptp remote-access mtu <mtu-value>

8. Commit the changes and save the configuration.

commit ; save

 

You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics
show vpn remote-access
show interfaces
show log | match pppd
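
The script below is an added example, not part of the original article or of EdgeOS. It checks a configuration exported as set commands against the steps above: the client pool (step 4 and its NOTE), the single WAN statement (step 6) and the WAN_LOCAL rule (step 2). The function name audit_pptp, the sample text and the dhcp-server line used to represent a LAN DHCP range are assumptions.

```python
import ipaddress

# Constructed sample in the 'set' form used above: the pool sits inside the
# LAN DHCP range and two WAN statements are set (the article allows only one).
# The dhcp-server line is an assumed example of a LAN DHCP range.
SAMPLE = """\
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description PPTP
set firewall name WAN_LOCAL rule 30 destination port 1723
set firewall name WAN_LOCAL rule 30 protocol tcp
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.38 stop 192.168.1.243
set vpn pptp remote-access client-ip-pool start 192.168.1.240
set vpn pptp remote-access client-ip-pool stop 192.168.1.249
set vpn pptp remote-access dhcp-interface eth0
set vpn pptp remote-access outside-address 203.0.113.1
"""

def audit_pptp(config):
    """Return a list of findings for PPTP settings given as 'set' commands."""
    cmds = [l.split() for l in config.splitlines() if l.split()[:1] == ["set"]]
    ra = [c[4:] for c in cmds
          if c[1:4] == ["vpn", "pptp", "remote-access"] and len(c) > 4]
    findings = []
    # Step 4: the client pool needs both ends, in ascending order.
    pool = {c[1]: ipaddress.ip_address(c[2]) for c in ra
            if c[0] == "client-ip-pool" and len(c) == 3}
    if set(pool) != {"start", "stop"} or pool["start"] > pool["stop"]:
        findings.append("client-ip-pool start/stop missing or reversed")
        pool = None
    # NOTE under step 4: the pool must not overlap a DHCP server range.
    for c in cmds:
        if pool and c[1:3] == ["service", "dhcp-server"] and "start" in c and "stop" in c:
            lo = ipaddress.ip_address(c[c.index("start") + 1])
            hi = ipaddress.ip_address(c[c.index("stop") + 1])
            if pool["start"] <= hi and lo <= pool["stop"]:
                findings.append(f"client-ip-pool overlaps DHCP range {lo}-{hi}")
    # Step 6: exactly one of dhcp-interface / outside-address may be set.
    wan = [c[0] for c in ra if c[0] in ("dhcp-interface", "outside-address")]
    if len(wan) != 1:
        findings.append(f"expected one WAN statement, found {len(wan)}")
    # Step 2: some WAN_LOCAL rule must accept TCP to destination port 1723.
    rules = {}
    for c in cmds:
        if c[1:5] == ["firewall", "name", "WAN_LOCAL", "rule"] and len(c) > 6:
            rules.setdefault(c[5], set()).add(" ".join(c[6:]))
    need = {"action accept", "protocol tcp", "destination port 1723"}
    if not any(need <= r for r in rules.values()):
        findings.append("no WAN_LOCAL rule accepts tcp/1723")
    return findings

if __name__ == "__main__":
    for finding in audit_pptp(SAMPLE):
        print("FINDING:", finding)
```

To check a real router, feed the function the output of show configuration commands instead of SAMPLE.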

PPTP Client



In this article, we are using a Windows 10 machine as the PPTP client.


1. Add a new VPN connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: PPTP
Server name: 203.0.113.1
VPN Type: Point to Point Tunneling Protocol (PPTP)
Type of sign-in info: User name and password
User name: <username>
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > PPTP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

Related Articles

