# PPTP

PPTP (Point-to-Point Tunneling Protocol) is a legacy remote-access VPN protocol supported in RouterOS. It encapsulates PPP frames in GRE (Generic Routing Encapsulation) and uses TCP port 1723 for the control channel. Optional MPPE (Microsoft Point-to-Point Encryption) provides link-layer encryption.

:::warning[Security notice]
PPTP has known cryptographic weaknesses. MS-CHAPv2 (the standard auth method) is vulnerable to offline dictionary attacks, and MPPE key derivation is tied to the same credentials. PPTP should only be used where legacy client compatibility is strictly required. For new deployments, prefer L2TP/IPsec, IKEv2, WireGuard, or OpenVPN.
:::
## Summary

| Feature | Value |
|---|---|
| Control port | TCP 1723 |
| Data transport | GRE (IP protocol 47) |
| Encryption | MPPE (RC4-based, optional) |
| Authentication | PAP, CHAP, MSCHAPv1, MSCHAPv2 |
| Sub-menu | /interface pptp-server, /interface pptp-client |
| Available since | RouterOS v2.x |
PPTP does not provide its own key exchange or identity verification — it relies entirely on PPP authentication and MPPE. This makes it significantly weaker than IPsec-based protocols.
## Prerequisites

- RouterOS router with a reachable public IP (or port forwarding for TCP 1723 and GRE)
- Firewall input rules permitting TCP 1723 and GRE (protocol 47)
- Both ports/protocols must be open — connections fail silently if only TCP 1723 is allowed but GRE is blocked
## Server Configuration

### Step 1 — Create an IP Pool

```
/ip pool add name=pptp-pool ranges=192.168.89.10-192.168.89.100
```

### Step 2 — Create a PPP Profile

```
/ppp profile add \
    name=pptp-profile \
    local-address=192.168.89.1 \
    remote-address=pptp-pool \
    use-encryption=required \
    dns-server=8.8.8.8,8.8.4.4
```

`local-address` is the router’s tunnel-side IP. `remote-address` assigns pool addresses to clients. `use-encryption=required` enables MPPE and rejects unencrypted connections.

### Step 3 — Enable the PPTP Server

```
/interface pptp-server server set \
    enabled=yes \
    default-profile=pptp-profile \
    authentication=mschap2
```

`authentication=mschap2` is the most common setting. Avoid `pap` and `chap` — they transmit credentials in plain text or with weak hashing.

### Step 4 — Add PPP Users

```
/ppp secret add \
    name=vpnuser \
    password=StrongUserPass \
    service=pptp \
    profile=pptp-profile
```

Set `service=pptp` to restrict the credential to PPTP only. Add one entry per user.

### Step 5 — Open the Firewall

PPTP requires both TCP 1723 (control) and GRE (data). Opening only TCP 1723 causes connections to hang after authentication:

```
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=1723 \
    in-interface-list=WAN comment="PPTP control"
add chain=input action=accept protocol=gre \
    in-interface-list=WAN comment="PPTP GRE data"
```

Place these rules before any drop rules in the input chain.
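The settings in steps 2 to 5 are easy to get subtly wrong: a profile left at `use-encryption=yes`, `pap`/`chap` still offered on the server, or the GRE accept rule missing or sitting below a drop rule. As an added example (not part of this page or of MikroTik's own tooling), the following Python script parses an export-style snippet and reports those mistakes. The two export texts, the `parse_export` and `audit_pptp` helpers, and all values in them are constructed for this example; the checks follow the guidance given in the steps above.

```python
import shlex

# Constructed export-style snippets (not taken from a real router). The first
# one contains several of the mistakes the steps above warn about; the second
# is the corrected version.
WEAK_EXPORT = """\
/ip pool
add name=pptp-pool ranges=192.168.89.10-192.168.89.100
/ppp profile
add name=pptp-profile local-address=192.168.89.1 remote-address=pptp-pool use-encryption=yes
/interface pptp-server server
set enabled=yes default-profile=pptp-profile authentication=pap,chap,mschap2
/ip firewall filter
add chain=input action=drop in-interface-list=WAN comment="drop everything from WAN"
add chain=input action=accept protocol=tcp dst-port=1723 in-interface-list=WAN comment="PPTP control"
"""

HARDENED_EXPORT = """\
/ppp profile
add name=pptp-profile local-address=192.168.89.1 remote-address=pptp-pool use-encryption=required
/interface pptp-server server
set enabled=yes default-profile=pptp-profile authentication=mschap2
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=1723 in-interface-list=WAN comment="PPTP control"
add chain=input action=accept protocol=gre in-interface-list=WAN comment="PPTP GRE data"
add chain=input action=drop in-interface-list=WAN comment="drop everything else from WAN"
"""

# Authentication methods the page says to avoid.
WEAK_AUTH = {"pap", "chap", "mschap1"}


def parse_export(text):
    """Map each '/menu path' header to the list of add/set entries under it.
    Each entry is a dict of key=value pairs; shlex handles quoted values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        entry = {"_verb": tokens[0]}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            entry[key] = value
        sections.setdefault(current, []).append(entry)
    return sections


def audit_pptp(config):
    """Return a list of findings; an empty list means the checked settings look right."""
    findings = []
    server = next(iter(config.get("/interface pptp-server server", [])), {})
    if server.get("enabled") != "yes":
        return ["pptp-server is not enabled; nothing to audit"]

    # Step 3: only mschap2 should be offered.
    offered = set(server.get("authentication", "").split(","))
    weak = sorted(offered & WEAK_AUTH)
    if weak:
        findings.append("server offers weak authentication: " + ",".join(weak))

    # Step 2: the default profile must make MPPE mandatory.
    profile_name = server.get("default-profile", "default")
    profiles = {p.get("name"): p for p in config.get("/ppp profile", [])}
    encryption = profiles.get(profile_name, {}).get("use-encryption", "default")
    if encryption != "required":
        findings.append(f"profile {profile_name!r} has use-encryption={encryption}; MPPE is not mandatory")

    # Step 5: both accept rules must exist and precede the first drop/reject in the input chain.
    rules = [r for r in config.get("/ip firewall filter", []) if r.get("chain") == "input"]
    first_drop = next((i for i, r in enumerate(rules) if r.get("action") in ("drop", "reject")), len(rules))

    def accept_index(match):
        return next((i for i, r in enumerate(rules) if r.get("action") == "accept" and match(r)), None)

    needed = {
        "TCP 1723 control": accept_index(
            lambda r: r.get("protocol") == "tcp" and "1723" in r.get("dst-port", "").split(",")),
        "GRE data": accept_index(lambda r: r.get("protocol") == "gre"),
    }
    for label, idx in needed.items():
        if idx is None:
            findings.append(f"no input accept rule for {label}")
        elif idx > first_drop:
            findings.append(f"{label} accept rule is placed after a drop rule and will never match")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit_pptp(parse_export(text)) or ["no findings"])
```

To run it against a real router, paste the output of `/export` for the relevant menus into `WEAK_EXPORT`'s place; the parser only understands the flat `add`/`set` lines that `export` produces, so nested scripts or `:delay` lines would need extra handling.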
## MPPE Encryption

MPPE (Microsoft Point-to-Point Encryption) is an RC4-based stream cipher negotiated during PPP setup. It is controlled via the PPP profile’s `use-encryption` setting:

| Value | Behaviour |
|---|---|
| `required` | Require MPPE; reject clients that don’t support it |
| `yes` | Use MPPE if the client supports it; allow unencrypted otherwise |
| `no` | Disable MPPE; plaintext PPP data |
MPPE key length is 128-bit when MSCHAPv2 is used. Key material is derived from the MSCHAPv2 session — this creates a dependency between authentication strength and encryption strength. A compromised MSCHAPv2 session exposes the MPPE key.
## RouterOS as PPTP Client

A MikroTik router can connect to any PPTP server using `/interface pptp-client`:

```
/interface pptp-client add \
    name=pptp-out1 \
    connect-to=vpn.example.com \
    user=vpnuser \
    password=StrongUserPass \
    profile=default-encryption \
    add-default-route=no \
    disabled=no
```

| Parameter | Description |
|---|---|
| `connect-to` | Server IP address or hostname |
| `profile` | PPP profile controlling encryption and addresses |
| `add-default-route=yes` | Install a default route through the tunnel (full-tunnel mode) |

Verify the connection:

```
/interface pptp-client print
/ppp active print
```

## RADIUS Authentication

PPTP integrates with RADIUS for centralised user authentication and accounting. RouterOS acts as a RADIUS client; an external server (FreeRADIUS, NPS, etc.) handles credential validation.
### Step 1 — Add the RADIUS Server

```
/radius add \
    service=ppp \
    address=10.0.0.3 \
    secret=RadiusSharedSecret \
    authentication-port=1812 \
    accounting-port=1813
```

`service=ppp` covers all PPP-family protocols including PPTP.

### Step 2 — Enable RADIUS in PPP AAA

```
/ppp aaa set \
    use-radius=yes \
    accounting=yes \
    interim-update=5m
```

When `use-radius=yes`, RouterOS sends each PPP authentication request to the RADIUS server. If RADIUS is unreachable, it falls back to local PPP secrets.

### Step 3 — Verify

```
# Check RADIUS client status
/radius print
/radius monitor 0

# Watch authentication log
/log print follow where message~"radius|pptp|ppp"

# Check active sessions
/ppp active print
```

## Comparison with Modern Alternatives

| Protocol | Security | OS Support | NAT Traversal | Performance |
|---|---|---|---|---|
| PPTP | Weak (MPPE/RC4, MS-CHAPv2 vulnerable) | All OSes (legacy) | Limited (GRE blocked by some NAT) | Low CPU overhead |
| L2TP/IPsec | Good (AES, IKE) | Windows, macOS, iOS, Android (built-in) | Yes (NAT-T / UDP 4500) | Moderate |
| IKEv2/IPsec | Strong (AES, PFS, EAP) | Windows 7+, macOS, iOS, Android | Yes (UDP 500/4500) | Good |
| OpenVPN | Strong (TLS, AES) | All OSes (needs client) | Yes (TCP/UDP) | Moderate |
| WireGuard | Strong (ChaCha20, Noise) | Windows 10+, macOS, Linux, iOS, Android | Yes (UDP) | Excellent |
Recommendations:
- New deployments: Use WireGuard (RouterOS 7+) or IKEv2/IPsec. Both are natively supported, offer strong security, and have modern client support.
- Broad legacy OS compatibility: L2TP/IPsec is built into Windows XP through Windows 11, macOS, iOS, and Android without additional software.
- Existing PPTP users: Migrate to L2TP/IPsec or IKEv2. The RouterOS configuration change is straightforward — PPP profiles and secrets are reused.
- PPTP only if: The client device has no alternative (e.g., old embedded hardware or an OS that cannot run any other VPN client).
## Troubleshooting

### Connection hangs after entering credentials

GRE is likely blocked. The PPTP control channel (TCP 1723) succeeded, but the GRE data tunnel cannot form. Add a firewall rule to accept `protocol=gre` on the input chain.

### authentication failed

- Verify the username and password in `/ppp secret print`
- Confirm the user’s `service` is `pptp` (or `any`)
- Check RADIUS connectivity if RADIUS auth is configured: `/radius monitor 0`

### MPPE negotiation fails

The client and server disagree on encryption requirements. If `use-encryption=required` is set on the server, the client must support MPPE. On Windows, ensure MPPE is enabled in the VPN adapter properties under Security → Data encryption.

### Windows client: error 619 or 721

- Error 619: GRE blocked by NAT or firewall
- Error 721: Remote router did not respond; GRE blocked upstream

Add GRE passthrough on any intermediate NAT device.

### Enable verbose logging

```
/system logging add topics=pptp,!debug action=memory
/log print follow where message~"pptp"
```

Remove after debugging:

```
/system logging remove [find topics~"pptp"]
```