PPTP VPN Explained

This used to be a very popular VPN protocol until it was replaced with better solutions...

PPTP

The Point-to-Point Tunneling Protocol (PPTP) is a VPN protocol that secures the connection between your device and a VPN server. As one of the oldest VPN protocols, PPTP is plagued by a few security issues and is now considered obsolete.

Nevertheless, PPTP remains in widespread use because of its compatibility with legacy software and hardware, its ease of setup, its lightweight code, and the high cost for businesses of upgrading their old PPTP corporate intranet VPN systems.

VPN protocol 101

A VPN protocol combines transmission protocols and encryption standards to establish a secure connection between a device and a VPN server and to encrypt data as it travels between them.

Every VPN protocol provides authentication to prevent unauthorized users from connecting to the VPN server, confidentiality to encrypt the data, and integrity to detect if transmitted data has been tampered with in any way.

The most popular VPN protocols in use today include:

  • PPTP
  • L2TP/IPsec
  • IKEv2 (/IPsec)
  • OpenVPN
  • WireGuard
  • SSTP

And here’s how PPTP fits that picture…

PPTP explained

The PPTP protocol was developed by a consortium founded by Microsoft back in 1999. At that time, it was envisioned to work over dial-up networks, and Microsoft included support for PPTP in Windows 95. As a result, it became the default VPN protocol for corporate intranets around the world. Even today, PPTP is supported by virtually all operating systems, including Windows 11, Android 12, most Linux distros, and the majority of VPN-capable routers.

However, Apple removed support for PPTP from iOS 10+ and macOS 10.12 Sierra in 2018, and recommended against its use on older versions of its operating systems.

Similarly, recent versions of Chrome OS do not support PPTP directly, though it is possible to configure PPTP connections using the Android subsystem.

How does PPTP work?

PPTP is not a complete VPN protocol, as it handles only the tunneling part. Encryption and authentication are left to the Point-to-Point Protocol (PPP), but PPP includes no routing mechanism to direct packets to their destination.

PPTP establishes a TCP connection to the VPN server over port 1723, repackaging the PPP IP packets using Generic Routing Encapsulation (GRE). These packets are then encrypted with Microsoft Point-to-Point Encryption (MPPE), which uses the RSA RC4 stream cipher with a maximum key size of 128 bits.

Authentication is typically achieved using the MS-CHAP protocol or the more secure EAP-TLS protocol, though in the latter case a server certificate system has to be implemented, which largely negates the advantages of using PPTP in the first place.

The major advantage of the PPTP protocol comes from its speed, which is related to how simple and lightweight this VPN protocol is. This also ensures a good battery life on mobile devices.
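The following is an added example, not part of the original article: it shows how a defender inventorying legacy PPTP can confirm the protocol from packet or flow records by parsing the TCP 1723 control header and the GRE data channel instead of trusting the port number alone. The header layout and constants follow RFC 2637; the flow-record dictionary shape and the sample payloads are constructed assumptions.

```python
import struct

PPTP_PORT = 1723            # TCP control channel
GRE_PROTO = 47              # IP protocol number carrying the tunnelled PPP frames
MAGIC_COOKIE = 0x1A2B3C4D   # constant in every PPTP control message (RFC 2637)
PPP_OVER_GRE = 0x880B       # GRE protocol type used by PPTP's enhanced GRE (version 1)
CONTROL_TYPES = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
                 7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply"}

def parse_pptp_control(payload: bytes):
    """Return (message name, declared length) for a valid PPTP control header, else None."""
    if len(payload) < 12:
        return None
    length, msg_type, cookie, ctrl_type, _ = struct.unpack("!HHIHH", payload[:12])
    if msg_type != 1 or cookie != MAGIC_COOKIE or length < 12:
        return None
    return CONTROL_TYPES.get(ctrl_type, f"control-type-{ctrl_type}"), length

def is_pptp_gre(payload: bytes) -> bool:
    """True when a GRE header is version 1 with protocol type PPP, i.e. PPTP's data channel."""
    if len(payload) < 4:
        return False
    flags_ver, proto_type = struct.unpack("!HH", payload[:4])
    return (flags_ver & 0x7) == 1 and proto_type == PPP_OVER_GRE

def classify_flow(flow: dict) -> str:
    """Label one flow record; ports alone are not trusted, the payload must parse."""
    data = flow.get("payload", b"")
    if flow["ip_proto"] == GRE_PROTO:
        return "pptp-data" if is_pptp_gre(data) else "gre-other"
    if flow["ip_proto"] == 6 and flow.get("dst_port") == PPTP_PORT:
        parsed = parse_pptp_control(data)
        return f"pptp-control:{parsed[0]}" if parsed else "tcp-1723-not-pptp"
    return "other"

# Constructed sample records (not captured traffic): a 156-byte
# Start-Control-Connection-Request, a PPTP GRE packet, plain GRE, and HTTP on 1723.
SCCRQ = (struct.pack("!HHIHH", 156, 1, MAGIC_COOKIE, 1, 0)
         + struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 0, 0) + bytes(128))
SAMPLE_FLOWS = [
    {"ip_proto": 6, "dst_port": 1723, "payload": SCCRQ},
    {"ip_proto": 47, "payload": struct.pack("!HHHHI", 0x3001, PPP_OVER_GRE, 0, 7, 1)},
    {"ip_proto": 47, "payload": struct.pack("!HH", 0x0000, 0x0800)},
    {"ip_proto": 6, "dst_port": 1723, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    print([classify_flow(f) for f in SAMPLE_FLOWS])
```

Because GRE is also used by tunnels unrelated to PPTP, the version and protocol-type check keeps those flows out of the PPTP count.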

Security issues with PPTP

PPTP has numerous security issues, which prompted Apple and Google to abandon its use.

One of the most serious security issues is the possibility of unencapsulated MS-CHAP v2 authentication, which can allow a hacker to exploit cryptographic weaknesses to obtain user credentials. This exploit has even prompted Microsoft to recommend using L2TP/IPsec, IKEv2, IPsec, or SSTP instead of PPTP.

Adding to that is Edward Snowden’s testimony that the NSA has little problem accessing data secured using PPTP.

Similarly, PPTP is not great for bypassing censorship as it always uses TCP port 1723, which can easily be blocked.

The bottom line

PPTP is not a secure VPN protocol, and we don’t advise anyone to use it in any situation where security is a factor.

On the other hand, if you just need a VPN to access streaming services that could otherwise be outside of your reach, PPTP is up for the task. Also, you may use it to overcome ISP throttling, and that’s it.

For everything else, use OpenVPN or, better yet, WireGuard. Most modern VPNs support PPTP in addition to all other VPN protocols. And by default, they will opt for WireGuard, OpenVPN or some proprietary protocol they have developed, all of which are much better than PPTP.