Lab 5.1 Configuring PPTP Site-to-Site VPN

Please be advised that this post is informational only. This is part 1 of our series on setting up VPNs. We start with PPTP, one of the earliest methods of providing security by encrypting data between two endpoints. While some encryption is better than no encryption at all, setting up PPTP (Point-to-Point Tunneling Protocol) for a VPN is generally considered a bad idea for several reasons:
Weak Security: PPTP is known for its weak cryptography. It uses MS-CHAPv1 or MS-CHAPv2 for authentication and RC4 (via MPPE) for encryption, both of which are outdated and vulnerable to modern attacks. This makes PPTP far less secure than modern VPN protocols.
Easily Exploited: PPTP has known vulnerabilities that make it susceptible to various types of attacks, such as brute-force attacks and dictionary attacks. For example, the MS-CHAPv2 authentication method has been cracked, allowing attackers to potentially decrypt traffic.
Limited Support for Modern Encryption: PPTP does not support modern encryption protocols like AES (Advanced Encryption Standard), which are more robust and secure. This limitation further compromises the confidentiality and integrity of your data.
Compatibility Issues: Although PPTP is supported by many older systems, it may not be compatible with newer operating systems and devices. This can lead to connectivity issues or the need for additional configuration.
Lack of Forward Secrecy: PPTP does not offer forward secrecy, a feature that ensures session keys are not compromised even if the server’s private key is exposed in the future. Without forward secrecy, if an attacker gains access to the server's key, they could potentially decrypt past communications.
Increased Risk of Data Leakage: Due to its poor security measures, using PPTP can increase the risk of data leakage and exposure of sensitive information. This is a significant concern for both personal and business communications.
For these reasons, it is generally recommended to use more secure and modern VPN protocols like SSTP, OpenVPN, L2TP/IPsec, or WireGuard, which offer stronger encryption and better overall security.
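Because PPTP is so easy to recognise on the wire (a TCP control channel on port 1723 plus a GRE, IP protocol 47, tunnel between the same two endpoints), a defender who wants to retire it can inventory its use from flow records. The script below is an added example, not part of this lab: it correlates the control channel with the GRE tunnel and separates established tunnels from bare connection attempts. The flow lines and their comma-separated layout (proto,src,dst,dport) are constructed for the example and are not a real export format.

```python
"""Inventory PPTP tunnels from flow records (added example, not part of the lab)."""
from dataclasses import dataclass
from typing import Optional, Iterable, List, Tuple

PPTP_CONTROL_PORT = 1723  # PPTP control channel (TCP)
GRE_PROTOCOL = "gre"      # IP protocol 47 carries the tunnelled PPP frames

# Constructed sample records: proto,src,dst,dport (dport empty for GRE).
# The .146 -> .147 pair mirrors the lab's ClientA -> CompanyB tunnel;
# .150 is a constructed host that only opened the control channel.
SAMPLE_FLOWS = """
tcp,192.168.150.146,192.168.150.147,1723
gre,192.168.150.146,192.168.150.147,
gre,192.168.150.147,192.168.150.146,
tcp,192.168.1.10,203.0.113.10,443
tcp,192.168.150.150,192.168.150.147,1723
""".strip().splitlines()


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_flow(line: str) -> Flow:
    """Parse one constructed record; an empty port field becomes None."""
    proto, src, dst, dport = (f.strip() for f in line.split(","))
    return Flow(proto.lower(), src, dst, int(dport) if dport else None)


def find_pptp_tunnels(lines: Iterable[str]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (established, attempted) as sorted (client, server) pairs.

    established: pairs with a TCP/1723 control channel AND GRE traffic,
                 i.e. a PPTP tunnel that actually came up.
    attempted:   pairs with only the control channel, e.g. a client that
                 was rejected, or GRE being dropped by a firewall.
    """
    control = set()
    gre_pairs = set()
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f.proto == "tcp" and f.dport == PPTP_CONTROL_PORT:
            control.add((f.src, f.dst))
        elif f.proto == GRE_PROTOCOL:
            # GRE has no ports; record both directions so either side
            # of the control channel can be matched against it.
            gre_pairs.add((f.src, f.dst))
            gre_pairs.add((f.dst, f.src))
    established = sorted(p for p in control if p in gre_pairs)
    attempted = sorted(p for p in control if p not in gre_pairs)
    return established, attempted


if __name__ == "__main__":
    up, tried = find_pptp_tunnels(SAMPLE_FLOWS)
    for client, server in up:
        print(f"PPTP tunnel up: {client} -> {server}")
    for client, server in tried:
        print(f"PPTP control channel only: {client} -> {server}")
```

Any pair in the established list is traffic protected only by MS-CHAPv2 and RC4 and should be migrated to one of the protocols recommended above; pairs in the attempted list are worth a look too, since they show where PPTP is still being tried.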

We are going to use the following network to demonstrate setup of a PPTP network.

Step 1: Set up the ClientA router. On this MikroTik router we create a bridge interface containing ports ether2 - ether4, enable NAT (network address translation) for outbound traffic, and configure ether1 as a DHCP client so it obtains an IP address from our (simulated) ISP. Log in to the ClientA router and configure the following:

# Interface Setup
/interface ethernet set [ find default-name=ether1 ] name=wan
/ip dhcp-client add interface=wan disabled=no
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

/ip address
add address=192.168.1.1/24 interface=bridge1
/ip firewall nat
add chain=srcnat out-interface=wan action=masquerade

# DHCP Server
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1
/ip pool add name=dhcp_pool ranges=192.168.1.10-192.168.1.254
/ip dhcp-server add name=dhcp1 address-pool=dhcp_pool disabled=no interface=bridge1 lease-time=10m

# Set system identity
/system identity set name=ClientA

Step 2: Verify the setup on Client A router

Check the status of the DHCP client:

/ip address print

Ensure the wan interface has received an IP address from the ISP's DHCP server (dynamic addresses are shown with the D flag).

Verify the bridge ports:

/interface bridge port print

Confirm that ether2 through ether4 are listed as part of bridge1.

Check the NAT rules:

/ip firewall nat print

Ensure the masquerade rule is listed.

Verify connectivity:
• Start the VPCS device, log into its console and make sure it can reach the internet.
• Test the router's own connection to the internet using ping or other tools.

Step 3: Set up the CompanyB router. As on ClientA, we create a bridge interface containing ports ether2 - ether4, enable NAT (network address translation) for outbound traffic, and configure ether1 as a DHCP client so it obtains an IP address from our (simulated) ISP. Log in to the CompanyB router and configure the following:

# Interface Setup
/interface ethernet set [ find default-name=ether1 ] name=wan
/ip dhcp-client add interface=wan disabled=no
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

/ip address
add address=192.168.2.1/24 interface=bridge1
/ip firewall nat
add chain=srcnat out-interface=wan action=masquerade

# DHCP Server
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1
/ip pool add name=dhcp_pool ranges=192.168.2.10-192.168.2.254
/ip dhcp-server add name=dhcp1 address-pool=dhcp_pool disabled=no interface=bridge1 lease-time=10m

# Set system identity
/system identity set name=CompanyB

Step 4: Verify the setup on Company B router

Check the status of the DHCP client:

/ip address print

Ensure the wan interface has received an IP address from the ISP's DHCP server (dynamic addresses are shown with the D flag).

Verify the bridge ports:

/interface bridge port print

Confirm that ether2 through ether4 are listed as part of bridge1.

Check the NAT rules:

/ip firewall nat print

Ensure the masquerade rule is listed.

Step 5: Verify connectivity from the ClientA router to the CompanyB router. Ping the ether1 (wan) interface of the CompanyB router from the ClientA router to ensure that it is reachable over the Internet (in our case, a simulated internet). In our scenario, the IP address of the ClientA router is 192.168.150.146 and the IP address of the CompanyB router is 192.168.150.147.

Ping CompanyB router from ClientA

To set up a PPTP VPN connection between ClientA and CompanyB routers using RouterOS 7 via the command line interface (CLI), follow these instructions.

CompanyB router:

/interface pptp-server server set enabled=yes
/ppp secret add local-address=10.0.0.1 name=clientA password=letmein profile=default-encryption remote-address=10.0.0.2 service=pptp
/ip route add disabled=no dst-address=192.168.1.0/24 gateway=10.0.0.2

ClientA router:

/interface pptp-client add connect-to=192.168.150.147 disabled=no name=pptp-out1 user=clientA password=letmein
/ip route add disabled=no dst-address=192.168.2.0/24 gateway=10.0.0.1

Verify connectivity on the server

/ppp active print
Active PPTP connection established

Now, because we set up a route on both the server and the client, we should be able to ping from the client PC to a host on the CompanyB LAN. On the ClientA VPCS machine, issue a ping to the CompanyB VPCS. In our lab it is located at 192.168.2.254, but yours might be different depending on the IP address the DHCP server assigned to that VPCS device.
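The reason both static routes are needed is easiest to see by tracing the route lookup on each router for the forward packet and for the reply. The script below is an added example, not part of this lab or of RouterOS: it performs a longest-prefix-match lookup over routing tables built from the addresses this lab configures. The ISP gateway 192.168.150.1, the VPCS address 192.168.1.10 and the name `<pptp-clientA>` for the server-side dynamic PPTP interface are assumptions for the example.

```python
"""Trace the forward and return path of the lab's site-to-site ping.

Added example, not part of the lab. Each table entry is (prefix, next hop),
where the next hop is either a gateway IP (resolved recursively) or the name
of the egress interface.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]

# ClientA routing table as the lab leaves it.
CLIENT_A: List[Route] = [
    ("192.168.1.0/24", "bridge1"),        # connected LAN (/ip address)
    ("192.168.150.0/24", "wan"),          # connected ISP subnet (assumed /24)
    ("0.0.0.0/0", "192.168.150.1"),       # default route from DHCP (assumed gateway)
    ("10.0.0.1/32", "pptp-out1"),         # peer address, added when the tunnel is up
    ("192.168.2.0/24", "10.0.0.1"),       # the lab's static route to CompanyB's LAN
]

# CompanyB routing table as the lab leaves it.
COMPANY_B: List[Route] = [
    ("192.168.2.0/24", "bridge1"),
    ("192.168.150.0/24", "wan"),
    ("0.0.0.0/0", "192.168.150.1"),
    ("10.0.0.2/32", "<pptp-clientA>"),    # assumed name of the dynamic server-side interface
    ("192.168.1.0/24", "10.0.0.2"),       # the lab's static route back to ClientA's LAN
]

# CompanyB without the return route, to show why it is required.
COMPANY_B_NO_ROUTE: List[Route] = [r for r in COMPANY_B if r[0] != "192.168.1.0/24"]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Return the next hop for dst using longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best_net = None
    best_hop = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(table: List[Route], dst: str, max_hops: int = 8) -> List[str]:
    """Resolve dst down to an egress interface, returning every hop visited."""
    hops: List[str] = []
    target = dst
    for _ in range(max_hops):
        hop = lookup(table, target)
        if hop is None:
            hops.append("unroutable")
            return hops
        hops.append(hop)
        try:
            ipaddress.ip_address(hop)  # a gateway: keep resolving
        except ValueError:
            return hops                # an interface name: done
        target = hop
    return hops


if __name__ == "__main__":
    print("ClientA  -> 192.168.2.254 :", trace(CLIENT_A, "192.168.2.254"))
    print("CompanyB -> 192.168.1.10  :", trace(COMPANY_B, "192.168.1.10"))
    print("CompanyB (no route) -> 192.168.1.10 :", trace(COMPANY_B_NO_ROUTE, "192.168.1.10"))
```

With the static route in place, CompanyB sends the reply back through the tunnel interface; without it, the reply falls through to the default route and leaves via wan towards the ISP, where the private 192.168.1.0/24 destination is not routable, so the ping from the VPCS times out even though the tunnel itself is up. Note also that the tunnel can only come up if nothing blocks TCP port 1723 and GRE (IP protocol 47) inbound on CompanyB's wan; this lab configures no input filter, so nothing does.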

From ClientA VPCS machine

ping 192.168.2.254

If the ping succeeds, you have established a PPTP VPN connection between the two routers (site-to-site).

We won't delve further into the logistics of setting up or maintaining a PPTP connection. As we have stated, this is for informational purposes only: PPTP is considered an insecure standard and we strongly advise against using PPTP as your preferred method of encryption due to significant security vulnerabilities that can put your data at risk.

Please be aware that the username and password for the GNS3 project are admin/admin.