
Author Topic: HEADS UP: PPTP has been removed from pfSense 2.3  (Read 14036 times)


Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
HEADS UP: PPTP has been removed from pfSense 2.3
« on: November 24, 2015, 02:56:31 pm »
PPTP has been known to be completely broken for over three years now. Due to its insecure nature, the PPTP VPN server has been removed entirely from pfSense 2.3. It was removed from the pfSense 2.3 code base about two months ago.

Since the pfSense 2.3 release is coming up fast, if you are one of the few still clinging to PPTP: NOW is the time to start migrating away to another VPN solution.

If a customer, boss, client, or other interested party is insisting on PPTP, it's past time to drag them kicking and screaming into the age of modern VPNs.

We strongly recommend using IKEv2 or OpenVPN, both of which can accommodate a wide range of operating systems.

IKEv2 has a native client in Windows 7 and later, OS X 10.11 and later, iOS 9 and later, among others. There is a simple app for it on Android as well and there are Network Manager modules for it on Linux. OpenVPN has a third-party client on many client operating systems.

If for some unimaginable reason moving away from PPTP is not possible, seek alternate means for establishing a PPTP connection, such as forwarding the traffic (TCP/1723 and all GRE) in to a Windows server or something else that will still speak PPTP.

"If it's not broken, don't fix it" does not apply here -- it may function but the protocol is fundamentally broken.
« Last Edit: November 24, 2015, 07:39:02 pm by jimp »
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
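
To find which clients still depend on PPTP before the upgrade, the two flows named in the post above (TCP/1723 control and GRE data) can be recognised in captured traffic. The Python below is an added example, not code from the post or from pfSense; its function names and sample packets are constructed for illustration, and the header constants are those of RFC 2637.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

PPTP_PORT = 1723            # PPTP control channel (TCP)
PPTP_MAGIC = 0x1A2B3C4D     # magic cookie in every PPTP control message (RFC 2637)
IPPROTO_TCP, IPPROTO_GRE = 6, 47
GRE_PPP = 0x880B            # protocol type of PPTP's enhanced GRE (version 1)

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet as PPTP control, PPTP data (GRE) or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_GRE and len(body) >= 4:
        flags, ptype = struct.unpack("!HH", body[:4])
        return "pptp-gre" if (flags & 0x7) == 1 and ptype == GRE_PPP else "gre-other"
    if proto == IPPROTO_TCP and len(body) >= 20 and PPTP_PORT in struct.unpack("!HH", body[:4]):
        payload = body[(body[12] >> 4) * 4:]          # skip TCP header and options
        if len(payload) >= 8 and struct.unpack("!I", payload[4:8])[0] == PPTP_MAGIC:
            return "pptp-control"
        return "tcp-1723"   # handshake or segment without a control header
    return "other"

def inventory(packets):
    """Map each source address to the PPTP-related labels seen from it."""
    seen = defaultdict(set)
    for pkt in packets:
        label = classify(pkt)
        if label in ("pptp-control", "pptp-gre", "tcp-1723"):
            seen[str(IPv4Address(pkt[12:16]))].add(label)
    return dict(seen)

def build_ip(proto, src, dst, body):  # constructed sample builder, checksum left at 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + body

def build_tcp(sport, dport, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

# Constructed packets: PPTP Start-Control-Connection-Request, PPTP data, plain GRE (v0), HTTPS.
SAMPLES = [
    build_ip(6, "192.0.2.10", "198.51.100.1",
             build_tcp(49152, 1723, struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0) + bytes(144))),
    build_ip(47, "192.0.2.10", "198.51.100.1", struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0)),
    build_ip(47, "192.0.2.20", "198.51.100.1", struct.pack("!HH", 0x0000, 0x0800)),
    build_ip(6, "192.0.2.30", "198.51.100.1", build_tcp(49153, 443, b"\x16\x03\x01")),
]
```

Running `inventory(SAMPLES)` reports only 192.0.2.10, the one constructed host that speaks both the control and data halves of PPTP; the plain GRE tunnel and the HTTPS flow are ignored.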

BlueKobold

  • Guest
Re: HEADS UP: PPTP has been removed from pfSense 2.3
« Reply #1 on: November 24, 2015, 07:35:28 pm »
On one side it is fine to hear about, but on the other it isn't. For the security itself it is a gain and a goal that will be reaching more security, but often some, like WISPs (Wireless ISPs), are only using it as a workaround for sending the name and password as "plain text". For the rest it was not interesting anymore for sure.

Quote
If for some unimaginable reason moving away from PPTP is not possible, seek alternate means for establishing a PPTP connection, such as forwarding the traffic (TCP/1723 and all GRE) in to a Windows server or something else that will still speak PPTP.
CentOS 6/7 together with the SoftEtherVPN server would be a good working VPN solution.

Offline jimp

Re: HEADS UP: PPTP has been removed from pfSense 2.3
« Reply #2 on: November 24, 2015, 07:37:43 pm »
The PPTP WAN Client is staying. The PPTP VPN server is going.

Offline riahc3

  • Full Member
  • ***
  • Posts: 135
  • Karma: +3/-4
Re: HEADS UP: PPTP has been removed from pfSense 2.3
« Reply #3 on: April 13, 2016, 03:07:55 am »
Quote
If a customer, boss, client, or other interested party is insisting on PPTP, it's past time to drag them kicking and screaming into the age of modern VPNs.

So because of pfSense I'm going to lose a client? Fuck no.

If the client still wants PPTP after warning him, he is going to get PPTP period. I will just simply not use pfSense.

Not only that but L2TP/IPSec is broken in pfSense. There is as of right now, NO BUILT IN VPN SOLUTION FOR ANY OS IN PFSENSE. OpenVPN is a third party solution that requires a third party client on ALL OSs, server, desktop and mobile.

Offline jimp

Re: HEADS UP: PPTP has been removed from pfSense 2.3
« Reply #4 on: April 13, 2016, 06:47:08 am »
PPTP is broken. If your client wants PPTP, the client is broken. Fix the client. They are running an insecure VPN that is exposing their data to anyone that wants to see it. By continuing to allow them to use PPTP you are doing them a disservice. The customer is not always right, it's your job to ensure the security of the customer.

IKEv2 VPNs are natively supported in nearly every OS. https://doc.pfsense.org/index.php/Mobile_VPN_Client_Availability