1

Ive got a Draytek router which im trying to setup as a VPN host.

The options i have are :

  • PPTP
  • IPSEC
  • LT2P with IPSEC policy
  • SSL

My VPN client only seems to supported PPTP and LT2P with IPSEC policy.

Ive setup multiple other VPNs on other draytek hardware using LT2P with IPSEC policy in the past, but this time the only option i can get to work is PPTP.

The VPN is to be used infrequently for remote management of other LAN hardware. In managing this LAN hardware i need to login to the hardware in question so passwords are being sent across the VPN.

The VPN will always be connected to from a secure LAN, but im most worried about the data as it transfer through the WAN.

If i set the idle timeout to 0 (as i understand this mitigates man in the middle attacks, due to any increased latency causing the connection to fail, and use 128 bit encryption for the PPTP client connection (the max OSX 10.11 will allow) would this be a secure connection ?

Johnny
  • 1,051
  • 5
  • 19
sam
  • 536
  • 3
  • 14
  • https://security.stackexchange.com/questions/47518/is-pptp-vpn-ever-secure-under-dd-wrt?rq=1 seems pretty clear on this. – mythofechelon Oct 29 '18 at 11:20
  • 1
    @mythofechelon - i guess where my question differs is that that article does not refer to using 128 bit encryption – sam Oct 29 '18 at 17:09
  • 2
    pptp is vulnerable at its core. the implementation can make it better or worse but at the end adding layers in this case does not fix the main issue.. is like WPA or older 802.11 etc. so I won't use it.. just choose openvpn or a modern open standard that is not listed on the snowden papers. – cfernandezlinux Oct 30 '18 at 00:02
  • 1
    I echo @mythofechelon's response. – rockower Oct 30 '18 at 00:38
  • 2
    Here's a question which specifically refers to 128 bit encryption. https://security.stackexchange.com/questions/45509/are-there-any-known-vulnerabilities-in-pptp-vpns-when-configured-properly#45510 Look at the accepted answer. You can even attempt to crack it yourself (assuming you have the time). If this is just for VPNing into your own house, then it may be fine, but if it's for anything business related you could be found negligent if an attack gets in through it. – Daisetsu Oct 30 '18 at 01:11

1 Answers1

5

In short, no configuration using PPTP should be considered secure.

Firstly, setting a low idle timeout is not a mitigation against a MITM attack. The idle timeout setting just determines how long the server will allow an idle session to remain connected (and setting it to 0 will actually probably disable the timeout entirely in most implementations). It has no direct relationship to latency. What's more, an ARP poisoning attack (to establish MITM) may not look that different from any normal hop along the route anyway, so latency is a difficult side-channel for detecting this kind of man-in-the-middle outside of a fast, predictable local network. The kind of MITM attack required to break PPTP is much simpler than, say SSL, where the stream needs to be de- and then re-encrypted. The attacker simply needs to capture and forward your packets to break your connection.

The trouble for you with PPTP is that even in its "most secure" arrangement it is utterly broken (see Are there any known vulnerabilities in PPTP VPNs when configured properly?). A successful MITM can not only impersonate you to the VPN, but it can decrypt any captured sessions, which will include the passwords or any other credentials that you need to send to the destination.

So the answer to your question is a resounding no, PPTP cannot be considered secure in any configuration.

Since your options seem limited, though, you may decide that PPTP can be secure enough for your use case. Just be aware that if your connection passes through a malicious connection, there are tools available that can automatically sniff and crack any PPTP sessions. It might not be likely, but if you're unlucky, PPTP is so insecure that you needn't even be specifically targetted, you could simply be a target of opportunity. It really is that insecure.

My VPN client only seems to supported PPTP and LT2P with IPSEC policy.

It seems to me you should really start here. You need a better client.

Johnny
  • 1,051
  • 5
  • 19