Problem solve Get help with specific problems with your technologies, process and projects.

VPN client alternatives: Point-to-Point Tunneling Protocol (PPTP)

Lisa Phifer discusses one widely available type of "free" client: those used in Point-to-Point Tunneling Protocol VPNs.

Read about Lisa

 by Lisa Phifer, Core Competence

I am frequently asked about "free" VPN client software. As discussed last month, this question cannot really be answered without first considering the purpose of the VPN, the application(s) being protected, the security policy dictated by the VPN gateway you are trying to reach, and the client platform. After these requirements have been determined, you can start searching for a "free" client that meets your needs. In this article, I'll discuss one widely available type of "free" client: those used in Point-to-Point Tunneling Protocol (PPTP) VPNs.

Point-to-Point Tunneling Protocol
Microsoft has long included PPTP VPN client software in Windows dial-up networking (DUN). PPTP is a tunneling protocol commonly used to authenticate users and encrypt traffic tunneled between Win32 PPTP clients and Windows NT/2000 PPTP servers. Many firewall appliances and broadband/wireless gateways -- particularly those for the small business or small office/home office market -- also support PPTP.

Small businesses often use PPTP because, in comparison to Internet Protocol Security (IPsec) or Layer 2 Tunneling Protocol (L2TP) over IPsec, PPTP VPNs are relatively inexpensive and simple to configure. Strictly speaking, embedded PPTP clients are commercial software, purchased with your licensed copy of Windows. However, they are "free" in the sense that you don't have to buy an additional software license for each client PC. As we shall see, commercial, embedded, and open source PPTP clients are also available for several other operating systems. This low entry cost makes PPTP attractive to many small companies operating a tight budget.

Of course, there is a catch: PPTP is not as secure as IPsec or L2TP over IPsec. After its initial release for WinNT4 Routing and Remote Access Service (RRAS) and Win95 DUN, a number of serious security flaws were discovered in PPTP. In response, Microsoft upgraded its point-to-point encryption protocol (MPPE) implementation and created a new version of its authentication protocol (MS-CHAPv2). To learn more about what these improvements did and did not address, see the 1999 analysis of this PPTP upgrade published by Bruce Schneier and Mudge.

The revised PPTP is improved, but PPTP sniffers like Anger (used with L0phtCrack) demonstrate that even MS-CHAPv2 is still vulnerable to password-guessing. In Windows 2000, Microsoft added two stronger non-password authentication methods: smart cards and digital certificates. But to use these, you'll need Windows 2000 or XP VPN clients and a public key infrastructure. Windows 95 with DUN 1.3+, NT4, 98, ME, and CE 3.0 all support MS-CHAPv2 today. However, many non-Windows PPTP implementations still only support the original CHAP -- and the even less-secure PAP (Password Authentication Protocol).

Despite PPTP's checkered past, many users with modest confidentiality requirements find it adequate to meet their needs. If you plan to use a PPTP VPN in your small business or home office, just be aware of its limitations and adjust security parameters to avoid as many security flaws as you can. Always require 128-bit encryption and avoid PAP, CHAP, or MS-CHAP(v1) whenever possible. Use long, complex, and preferrably random passwords. But don't save your password or automatically connect with your Windows login/password unless you use a password-protected login prompt and screen saver. These simple measures won't result in hacker-proof security, but they'll make the most of the VPN clients you probably already own.

Microsoft's Win32 PPTP clients are familiar to many users and well-documented in Windows online help, so I won't discuss them further here. Instead, I'll consider PPTP VPN client options for other platforms.

PPTP VPN client for Pocket PC
If you own a PDA running Windows Pocket PC, you have probably noticed that your PDA arrived with built-in "VPN support." It might not be obvious, but that's a basic PPTP client. To configure this embedded client, just open the Settings / Connections panel and modify the connection used to "automatically connect to Work." Select the "VPN" tab, click on "New", and enter the hostname or IP address of your PPTP server. To see an animation of this simple setup, visit Microsoft's Pocket PC Connection Manager tutorial.

The next time you connect to work, you'll be prompted for your username, password, and domain name. Because PDAs are easily lost or stolen, I recommend not saving your password here. (If you do, invest in strong password protection and file encryption software for your PDA -- for example, PDA Defense.) By default, your PPTP server will assign a client IP address and name servers whenever you connect to the VPN. However, these parameters can also be statically configured using the "Advanced" button when creating the new VPN entry. The simple GUI does not let you modify security parameters, but this client does use MS-CHAPv2.

PPTP VPN client for *NIX
If you're looking for a Linux, FreeBSD, or NetBSD PPTP client, you can download an open source package from SourceForge. Users tunneling to non-Windows PPTP servers might get away with simply installing this rpm (e.g., rpm -i pptp-linux-1.1.0-1.i386.rpm). Users tunneling to Windows PPTP servers will need Microsoft's Point-To-Point Encryption (MPPE).

You may already have the MPPE module installed. If not, you will need to download and install a ppp-mppe rpm. Follow the links at SourceForge. Depending on your OS, you'll need to manually build and install this kernel module. This isn't a process for your typical end user, but *NIX admins with root access will have little trouble. It took me around an hour to install ppp-mppe using the RedHat 7.3 HOW-TO, modified slightly for my version of RedHat (7.0).

Once installed, configuring and launching the *NIX PPTP client is not difficult. But, again, it's not for your typical end user. For one thing, you must have root access. Use the pptp-command utility and follow menu prompts to add CHAP secrets for every username/password. Next, add a new PPTP tunnel, specifying the PPTP server's IP address, routes to be added when the tunnel comes up, and your username/password. You can also add Intranet domain servers to resolv.conf to be used with this tunnel. Finally, start or stop the tunnel with the same utility. For example:

[[email protected]]# pptp-command
1.) start
2.) stop
3.) setup
4.) quit
What task would you like to do?: 1
1.) my_tunnel
Start a tunnel to which server?: 1
Route: add -net ppp0 added
All routes added.
Tunnel my_tunnel is active on ppp0. IP Address:
Installed /etc/resolv.conf.pptp as /etc/resolv.conf

[[email protected]]# pptp-command stop
Installed /etc/resolv.conf.real as /etc/resolv.conf
Sending HUP signal to PPTP processes...

Clearly, this PPTP client isn't for everyone. But if you're a Linux/BSD fan, it's nice to know you have this free client available to you. Check the SourceForge Web site for further info about compatibility with various PPTP VPN servers. Also look at pppd options for authentication and encryption settings.

PPTP client for Mac
If you're willing to try a shareware PPTP client for Mac OS X, search your favorite download site -- but be cautious about entrusting security to anyone's beta-code-in-progress. Other options? A 30-day evaluation version of the DigiTunnel PPTP client for Mac OS X is available from Gracion Software. A 30-day evaluation version of the TunnelBuilder PPTP client for Mac OS 9 is available from Efficient Networks. Neither of these is really free, but at least you can get your feet wet at no cost.

If you want a "free" commercial-grade PPTP client, you can upgrade your Mac to the hot-off-the-presses OS X v10.2 (Jaguar). In keeping with Apple's UI philosophy, configuring this embedded PPTP client is graphical and simple. Just enter the PPTP server name, username, and password. Your password can be entered and stored securely with the OS X Keychain utility.

Looking ahead: L2TP and IPsec
If you search the Internet, you'll find other PPTP clients. For example, there's an incomplete shareware PPTP client for OS/2. You'll also find some hardware appliances -- notably, broadband/wireless gateways -- that can act as PPTP clients, tunneling workgroup traffic to a centrally-located PPTP server. Similarly, although Windows XP is really only a PPTP client, XP Internet Connection Sharing can be configured to forward PPTP from other clients to an external PPTP server.

Clearly, there is a wide range of PPTP implementations out there, many embedded in operating systems or appliances at no extra cost. This is why I began my survey of "free" VPN clients with PPTP. However, even Microsoft acknowledges that other tunneling protocols provide much stronger security. In Windows 2000, Microsoft added support for IPsec tunneling. Today, Microsoft's Windows 2000 and XP VPN clients support both PPTP and L2TP, where L2TP tunnels are secured by IPsec. L2TP over IPsec is more secure than PPTP, but it also requires more effort and knowledge to configure. Next month, I'll discuss these and other "free" L2TP-over-IPsec VPN client alternatives.

Do you have comments about this article, or suggestions for Lisa to write about in future columns? Let us know!

This was last published in August 2002

Dig Deeper on Network Security Best Practices and Products