
PPTP has been cracked - stop using it and migrate ASAP


jimp:
PPTP is no longer considered a secure VPN technology. PPTP relies upon MS-CHAPv2 which has been completely compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party 100% of the time, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.

This is not specific to pfSense, it is the entire PPTP protocol regardless of its implementation.

More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

We have placed a warning on the PPTP page in 2.1 and 2.0.2 stating this. Other VPN clients may not be as convenient, but PPTP is dead, it's time to move on. This also means that any bugs that are pending for PPTP are not likely to be fixed. PPTP has been entirely removed from the upcoming 2.3 release.

If you insist on using it, or have a client that insists on using it, be aware that it is not providing any real measure of security. In the case of a client requiring it, it may not be a bad idea to make them sign a waiver stating they were informed of this and chose to ignore it.

kejianshi:
I'm not sure what a lot of people are thinking, but I can still see a use for PPTP on wired networks where privacy isn't the goal but IP location shifting is, for example to avoid geo-filtering on US-based audio/video media services and using older client hardware. But yeah. Anyone who thinks they are getting privacy or security in an environment where their packets are being scanned is dead wrong.

m4f1050:
Ever since I upgraded to 2.0.3 I can't connect my PPTP clients to my pfSense, was this disabled? I've tried my Android phone, a Win 7 and Win 8 with no success. I get a message that the remote has disconnected me (on Win 8).

EDIT: At around the same time I switched ISPs to AT&T, could AT&T be blocking any ports? I set up PPTP on my Win machine and selected to do pass-thru to the Win workstation and canyouseeme.org showed port 1723 open, but when I enable it on pfSense I don't see it open, that's what makes me believe it was disabled.

kejianshi:
PPTP works on mine with 2.03, 32 bit, so it's not that. (Although I never use it for anything)

m4f1050:
Tried a second time, same results. I can't find any open ports, which is odd. I opened TCP ports 1701, 1723 and UDP ports 500, 4500 and 1194. My PPTP doesn't work nor my L2TP, but OpenVPN worked. Problem is I have a Toshiba Excite 10 tablet that doesn't have bootloader unlocked (can't root it) and I can't use OpenVPN on it and it's the one I use the most on my home network via VPN. So strange canyouseeme.org can see my PC when I use the pass-thru but it can't see it when I use pfSense's PPTP or L2TP. Any advice?
