11

Scenario: Two Windows Server 2003 machines running RRAS VPNs. The firewall port forwards 1723 to one of those machines for normal remote access. I'd like to find a way to connect to the second machine as well. Not because I need to but just because it's the sort of thing I reckon should be possible but can't figure out how to do.

Is it possible to have the Windows PPTP VPN client (on XP in this instance) connect on a port other than 1723? If so, I can simply port forward another port to the second server. I've done a fair bit of Googling over the last few days and have only found others asking the same question but no answers.

I have of course tried to add a port number in the host name or IP connection box, in various formats, but to no avail. While this might be possible with a third-party client, I'm really only interested in whether or not it can be done with the Windows built-in client and, if so, how? Perhaps there's a registry hack I'm not aware of?

John Gardeniers
  • Is using an alternate VPN technology (OpenVPN) an option? OpenVPN uses a single UDP port by default and you can easily change it to any port you like. – Zoredache Mar 09 '10 at 08:35
  • If this is something I NEEDED an alternative option would certainly be considered but in this case I'm really just interested in whether or not it's possible just using the Windows client. – John Gardeniers Mar 09 '10 at 10:13
  • Did you ever find a solution to this? I need it for internet reply in censored countries. There are people who provide working PPTP service, but my Windows 2012 PPTP gets connected but they cannot get to any sites afterward. I have L2TP and SSTP with SoftEther, but they are blocked too since they blocked these generic VPN connections. I wonder how some are providing fast PPTP connections there. Let me know if you found a way to change the GRE or TCP port. Thanks –  Apr 16 '15 at 04:38

4 Answers

4

Been there! You cannot do it, give up now.

Upgrade to Windows Server 2008 and use an SSL VPN.

Nick Kavadias
4

Basically no, you can't change it. The TCP port is only used to set up the initial connection. All traffic is sent over GRE, not TCP. I highly recommend requiring client certificates. PPTP as a protocol is plenty secure when you pair it with client certs, no need to upgrade to something like SSL VPN.

See this question from the other day for links on how to set this up.

Chris S
  • My country's ISP recently jammed the whole network due to filtering of another application; though they have been unsuccessful so far, they are still blocking things... and mostly VPNs, because they can be used as an anti-proxy material... I'm looking for a way to do it by customizing the port number or even protocols... By now I have configured PPTP and L2TP with a shared key; none worked, and for the others I'm not sure how to configure them. – Hassan Faghihi May 01 '18 at 11:38
1

The only way to do this with a PAT firewall is to bind another IP address to the external interface of your firewall. Use this second IP to forward TCP 1723 to your second Win2K3 box.

Scott Lundberg
0

Not to my knowledge. I have to say, though, that I never had the need to do this either.

The main problem I see with PPTP is the package payload (GRE packets). I could see the TCP control channel getting redirected, but once the data flows (GRE-encapsulated packets) I don't think it is possible (i.e. there is no port number in the data).

TomTom
  • I would think that if the firewall has good state-matching PPTP code then it should be able to handle figuring out where to direct the GRE packets. – Zoredache Mar 09 '10 at 08:34
  • And how would that work? Seriously. GRE is a generic wrapper around an IP packet. It is not always clear from the context where to route. Imagine the client is connected to BOTH PPTP links... what do you do then? This basically is beyond the specifications of PPTP, and thus not supported. – TomTom Mar 09 '10 at 08:37
  • Good points but I think we're getting away from the question a bit, which is really just about whether or not the Windows built-in VPN client can be made to connect using a different port. If that's not possible then the rest is pretty much academic. – John Gardeniers Mar 09 '10 at 10:13
  • Actually no. PPTP cannot handle it to start with - so per definition the client cannot do it. PPTP is not able to handle multiple server processes behind one IP address by the setup of the GRE packets, IMHO. Besides that, no - the client cannot. – TomTom Mar 09 '10 at 11:21
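
The thread turns on what a GRE packet gives a firewall in place of a port number. As an added example (not code from any poster), this Python parses the enhanced GRE header PPTP uses (RFC 2637) and shows the 16-bit Call ID a state-tracking NAT would have to key on. The addresses, Call IDs, `build_sample` and the `calls` table are constructed for illustration; the table is assumed to have been learned from the TCP 1723 control connections.

```python
import socket
import struct

GRE_IP_PROTO = 47        # GRE sits directly on IP, so there are no TCP/UDP ports
PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)
K_BIT, S_BIT, A_BIT, VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007

def parse_pptp_gre(pkt: bytes) -> dict:
    """Extract the fields of an IPv4 + enhanced GRE packet that identify its tunnel."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != GRE_IP_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE (IP protocol 47)")
    gre = pkt[(pkt[0] & 0x0F) * 4:]
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if proto != PPTP_GRE_PROTO or (flags & VER_MASK) != 1 or not (flags & K_BIT):
        raise ValueError("GRE, but not the PPTP enhanced variant")
    fields = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
              "call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    offset = 8
    for name, bit in (("seq", S_BIT), ("ack", A_BIT)):  # optional 32-bit fields
        if flags & bit:
            if len(gre) < offset + 4:
                raise ValueError("truncated GRE header")
            fields[name] = struct.unpack_from("!I", gre, offset)[0]
            offset += 4
    return fields

def pick_inside_server(pkt: bytes, calls: dict):
    """Return the inside server for a GRE packet, or None if the call is unknown.
    `calls` maps (client IP, Call ID) to an inside address. Assumption: Call IDs
    do not collide between the two servers for the same client."""
    f = parse_pptp_gre(pkt)
    return calls.get((f["src"], f["call_id"]))

def build_sample(src: str, dst: str, call_id: int, seq: int) -> bytes:
    """Constructed packet: bare IPv4 header (checksum left at 0) + enhanced GRE."""
    gre = struct.pack("!HHHHI", K_BIT | S_BIT | 1, PPTP_GRE_PROTO,
                      4, call_id, seq) + b"\x00" * 4  # 4 zero bytes stand in for PPP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64,
                     GRE_IP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + gre

if __name__ == "__main__":
    calls = {("198.51.100.7", 0x4001): "192.168.1.10",   # hypothetical RRAS box 1
             ("198.51.100.7", 0x4002): "192.168.1.11"}   # hypothetical RRAS box 2
    pkt = build_sample("198.51.100.7", "203.0.113.10", 0x4002, 1)
    print(parse_pptp_gre(pkt), "->", pick_inside_server(pkt, calls))
```

If both servers hand the same client the same Call ID, the lookup key is no longer unique, which is the ambiguity raised in the comments above.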