This guide walks you through configuring a PPTP VPN on FortiGate firewalls quickly and reliably. While PPTP is considered deprecated due to well-known security weaknesses, there are legacy scenarios where it remains required for compatibility. The instructions below provide detailed, practical steps for both the FortiGate GUI and CLI, including authentication, IP pool configuration, firewall policies, routing, and troubleshooting. This content is aimed at webmasters, enterprise IT administrators, and developers who need to establish or maintain PPTP access with FortiGate devices.
Understanding PPTP considerations
Before implementing PPTP, recognize its limitations. PPTP uses MPPE for encryption and MS-CHAPv2 for authentication, which are vulnerable to modern attacks. If security is a priority, consider using SSL-VPN or IPsec instead. However, if legacy client support or a specific compatibility requirement forces PPTP, apply compensating controls such as network segmentation, strict access control, logging and monitoring, and short-lived credentials.
When PPTP might be acceptable
- Access to non-sensitive legacy systems where clients cannot use modern VPN protocols.
- Lab or testing environments where encryption strength is not critical.
- Temporary migration scenarios to support older clients while planning for migration to secure VPN types.
Prerequisites and planning
Before starting the configuration, prepare the following:
- FortiGate firmware version—ensure your device runs a supported firmware that still includes PPTP server functionality (some newer versions may deprecate PPTP features).
- A public IP or reachable WAN interface on the FortiGate to accept PPTP connections.
- An address range (IP pool) to assign to remote PPTP clients that does not conflict with internal subnets.
- User accounts or an authentication backend (local users, LDAP, RADIUS).
- Firewall policies and routing plan to control remote access to internal resources.
Step-by-step configuration (GUI)
The following steps outline configuring PPTP via the FortiGate web UI (GUI). The exact menu locations may vary slightly between FortiOS versions.
1. Configure the IP pool for PPTP clients
Set aside an IP range for PPTP clients to use. In the GUI:
- Go to Network > Interfaces (or Network > Address), then choose to create a new address or IP pool.
- Create an address object or IP pool with type IP Range or Subnet and specify the network (for example: 10.10.100.0/24).
- Label it clearly, e.g., PPTP_CLIENT_POOL.
2. Enable PPTP on the WAN interface
PPTP uses two channels: a TCP control connection on port 1723 and GRE (IP protocol 47) carrying the tunneled PPP data. Both must reach the FortiGate, so configure it to accept TCP 1723 and GRE on the appropriate interface; a control connection that succeeds while GRE is dropped is the classic PPTP failure mode.
- Ensure the WAN interface’s ACL or zone permits inbound TCP/1723 and IP protocol 47 (GRE).
- In some deployments, allow GRE in Policy > IPv4 Policy or via explicit Service configuration.
3. Create user accounts or configure authentication backend
For small deployments, local users are simplest. For enterprise environments, configure LDAP or RADIUS (typically with MS-CHAPv2 support, since PPTP clients authenticate with MS-CHAPv2).
- Go to User & Device > User & Groups. Create a new local user or set up a remote server.
- When using RADIUS, ensure the RADIUS server allows MS-CHAPv2 and returns correct attributes.
- Create a user group for PPTP users and add users or link the remote server.
4. Configure the PPTP settings
Enable the PPTP server on the FortiGate and associate the client IP pool and authentication group.
- Go to VPN > PPTP (or VPN > PPTP Server depending on FortiOS version).
- Enable the PPTP server, select the WAN interface to listen on, and set the IP Pool to the previously created PPTP_CLIENT_POOL.
- Set the authentication method to local or RADIUS/LDAP and select the user group.
- Optionally limit concurrent sessions, set idle timeout, and configure DNS/WINS servers for clients.
5. Add firewall policies for PPTP traffic
Create policies to allow PPTP clients to reach required internal resources and to allow return traffic to the internet.
- Create an incoming policy from the WAN to the internal network if necessary, but more commonly, allow traffic from the PPTP interface (or source IP pool) to internal zones.
- Example: Source: PPTP_CLIENT_POOL, Destination: Internal_Subnet, Service: ALL (or restrict to needed ports), Action: ACCEPT.
- Create an outbound policy allowing PPTP clients to access the internet if required.
- Ensure policies include logging and security profiles as needed. For less secure PPTP, consider applying strict web filter and IPS policies on access to sensitive resources.
6. Configure routing
PPTP clients will receive an IP from the pool. The FortiGate automatically routes traffic from that pool, but validate routes:
- Go to Network > Static Routes and ensure no conflicting routes exist.
- If splitting tunnels or forcing all traffic through the VPN, ensure policy and routing reflect the design.
Equivalent CLI commands
Below are CLI snippets for common tasks. Use the FortiGate CLI via SSH or console.
Create an address/pool
config firewall address
    edit "PPTP_CLIENT_POOL"
        set type iprange
        set start-ip 10.10.100.10
        set end-ip 10.10.100.200
    next
end
Enable the PPTP server
config system virtual-access
    edit "pptp"
        set interface "wan1"
        set mode pptp
        set ip-range 10.10.100.10-10.10.100.200
        set auth-type local
    next
end
Note: CLI syntax differs across FortiOS releases, and the block above is version dependent. On many FortiOS releases the PPTP server is configured under config vpn pptp instead. Always consult the CLI reference for your specific version before pasting commands.
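The prerequisites above ask for a client pool that does not overlap internal subnets, and the CLI section shows the objects that reference that pool. The following Python script is an added example, not from the original guide or from Fortinet: it validates a planned pool against the internal subnets before anything is typed into the firewall, and only then renders the corresponding FortiOS CLI. The internal subnets, the user group name PPTP_USERS, the interface names wan1/internal, the address object Internal_Subnet, and the attribute names under config vpn pptp (status, ip-mode, sip, eip, usrgrp) are assumptions taken from older FortiOS CLI references and must be checked against your release.

```python
"""Pre-flight check for a planned PPTP client pool, then render FortiOS CLI.

Added example; not part of the original guide. The subnets, names and the
attribute names under `config vpn pptp` are assumptions (see lead-in).
"""
import ipaddress

# Constructed sample plan: replace with your own internal subnets and range.
INTERNAL_SUBNETS = ["192.168.10.0/24", "10.10.20.0/24"]
POOL_START = "10.10.100.10"
POOL_END = "10.10.100.200"


def pool_networks(start, end):
    """Collapse a start/end range into CIDR blocks (raises if end < start)."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return list(ipaddress.summarize_address_range(first, last))


def pool_size(start, end):
    """Number of client addresses the pool can hand out."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def pool_conflicts(start, end, internal):
    """Return the internal subnets that overlap the planned pool (empty list = OK)."""
    nets = pool_networks(start, end)
    conflicts = []
    for cidr in internal:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(n.overlaps(net) for n in nets):
            conflicts.append(cidr)
    return conflicts


def plan_problems(start, end, internal, min_size=10):
    """Human-readable list of reasons the plan should not be deployed yet."""
    problems = []
    if pool_size(start, end) < min_size:
        problems.append(f"pool {start}-{end} has fewer than {min_size} addresses")
    for cidr in pool_conflicts(start, end, internal):
        problems.append(f"pool {start}-{end} overlaps internal subnet {cidr}")
    return problems


def render_fortios_config(start, end, internal, pool_name="PPTP_CLIENT_POOL",
                          user_group="PPTP_USERS", wan_if="wan1", lan_if="internal",
                          lan_addr="Internal_Subnet"):
    """Render the address object, PPTP server and a logged LAN-access policy.

    Refuses to render if the plan has problems, so a bad pool never reaches
    the device. Attribute names are assumptions; verify against your release.
    """
    problems = plan_problems(start, end, internal)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "config firewall address",
        f'    edit "{pool_name}"',
        "        set type iprange",
        f"        set start-ip {start}",
        f"        set end-ip {end}",
        "    next",
        "end",
        "config vpn pptp",
        "    set status enable",
        "    set ip-mode range",
        f"    set sip {start}",
        f"    set eip {end}",
        f'    set usrgrp "{user_group}"',
        "end",
        "config firewall policy",
        "    edit 0",  # 0 lets FortiOS pick the next free policy ID
        '        set name "pptp-clients-to-lan"',
        f'        set srcintf "{wan_if}"',
        f'        set dstintf "{lan_if}"',
        f'        set srcaddr "{pool_name}"',
        f'        set dstaddr "{lan_addr}"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "HTTPS" "DNS"',  # restrict to what clients need
        "        set logtraffic all",  # keep a record of every session
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for p in plan_problems(POOL_START, POOL_END, INTERNAL_SUBNETS):
        print("PROBLEM:", p)
    print(render_fortios_config(POOL_START, POOL_END, INTERNAL_SUBNETS))
```

Run it once with your real internal subnets; if it prints a PROBLEM line it refuses to render, which is the point of doing the check before touching the firewall. The rendered policy deliberately restricts services and enables full logging rather than using Service: ALL.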
Client configuration highlights
Most OSes (Windows, macOS) include a PPTP client. Provide these essentials to your users:
- Server: public IP or DNS name of the FortiGate WAN.
- Protocol: PPTP (uses TCP 1723 and GRE).
- Authentication: Username and password (MS-CHAPv2 preferable if available).
- Optional: Enable MPPE 128-bit if your FortiGate enforces encryption.
- Windows tip: In the VPN adapter properties, under Security, select Point to Point Tunneling Protocol (PPTP), choose Microsoft CHAP Version 2 (MS-CHAP v2), and enable Require encryption (disconnect if server declines) only if you accept the encryption level.
Security hardening and logging
Because PPTP is weak, enforce compensating measures:
- Use strong, frequently rotated credentials and enforce MFA where possible (though classic PPTP does not natively support MFA — consider RADIUS with MFA gateways).
- Restrict access by source IPs, destination subnets, and service ports through firewall policies.
- Segment PPTP clients onto VLANs or dedicated subnets with limited access to critical systems.
- Monitor and log all connections. In FortiGate, enable logging on the PPTP policies and review logs in Log & Report. Forward logs to a central SIEM for correlation.
- Regularly review active sessions (VPN Monitor) and disable unused user accounts.
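Forwarding PPTP logs to a SIEM only helps if something looks at them. The script below is an added example, not code from the original guide or from Fortinet: it parses FortiGate-style key="value" event lines and flags repeated authentication failures from one source, a successful tunnel from a source that had just failed several times, and off-hours tunnels. The sample log lines are constructed, and the field names (subtype, action, user, remip) and the pptp-* action strings are assumptions; map them to what your FortiOS release actually emits before relying on the output.

```python
"""Flag suspicious PPTP activity in FortiGate-style event logs.

Added example; not part of the original guide. Log lines are constructed
and the field/action names are assumptions (see lead-in).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three failures against different accounts from one
# source at 02:14, then a tunnel from that source, then a normal daytime login.
SAMPLE_LOG = """\
date=2024-05-06 time=02:14:01 type="event" subtype="vpn" action="pptp-auth-fail" user="alice" remip="203.0.113.7" msg="authentication failed"
date=2024-05-06 time=02:14:09 type="event" subtype="vpn" action="pptp-auth-fail" user="bob" remip="203.0.113.7" msg="authentication failed"
date=2024-05-06 time=02:14:15 type="event" subtype="vpn" action="pptp-auth-fail" user="carol" remip="203.0.113.7" msg="authentication failed"
date=2024-05-06 time=02:14:22 type="event" subtype="vpn" action="pptp-tunnel-up" user="carol" remip="203.0.113.7" msg="tunnel established"
date=2024-05-06 time=09:30:00 type="event" subtype="vpn" action="pptp-tunnel-up" user="dave" remip="198.51.100.9" msg="tunnel established"
"""

# key=value pairs; values are either "quoted (may contain spaces)" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiGate-style log line into a dict of fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def analyze(log_text, fail_threshold=3, business_hours=(7, 19)):
    """Return findings as dicts with keys remip, kind, detail.

    kinds: repeated-failures, success-after-failures, off-hours.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events
              if e.get("subtype") == "vpn" and e.get("action", "").startswith("pptp-")]

    fails = Counter(e["remip"] for e in events if e["action"] == "pptp-auth-fail")
    users_tried = defaultdict(set)
    for e in events:
        if e["action"] == "pptp-auth-fail":
            users_tried[e["remip"]].add(e["user"])

    findings = []
    for ip, n in fails.items():
        if n >= fail_threshold:
            findings.append({"remip": ip, "kind": "repeated-failures",
                             "detail": f"{n} failed PPTP logins across "
                                       f"{len(users_tried[ip])} usernames"})

    for e in events:
        if e["action"] != "pptp-tunnel-up":
            continue
        if fails.get(e["remip"], 0) >= fail_threshold:
            findings.append({"remip": e["remip"], "kind": "success-after-failures",
                             "detail": f"tunnel for {e['user']} after "
                                       f"{fails[e['remip']]} failures"})
        hour = int(e["time"].split(":")[0])
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append({"remip": e["remip"], "kind": "off-hours",
                             "detail": f"tunnel for {e['user']} at {e['time']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['remip']:15} {f['kind']:24} {f['detail']}")
```

Feed it the lines your syslog collector receives from the FortiGate (one record per line) and tune fail_threshold and business_hours to your environment; the three rules are deliberately simple so they can be ported to whatever query language your SIEM uses.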
Troubleshooting checklist
Common issues and checks when PPTP clients cannot connect:
- Verify TCP 1723 and GRE (IP protocol 47) reach the FortiGate. Some ISPs or NAT devices block GRE.
- Check the FortiGate system event log for PPTP connection attempts and errors.
- Confirm the IP pool has available addresses and does not overlap existing subnets.
- Ensure authentication backend (local, LDAP, RADIUS) is reachable and configured to accept MS-CHAPv2.
- For NAT or double-NAT scenarios, ensure the outer device forwards TCP/1723 and supports GRE passthrough.
- Use packet-sniffing on FortiGate (diagnose sniffer packet) to see if GRE and TCP 1723 packets arrive and whether FortiGate responds.
Useful CLI debugging commands:
diagnose vpn pptp list    (show active PPTP sessions)
diagnose sniffer packet any 'port 1723 or proto 47' 4 0 a    (capture PPTP/GRE traffic)
diagnose sys session list | grep pptp    (verify related sessions)
Migration and deprecation planning
Given PPTP’s vulnerabilities, include migration steps in your network roadmap:
- Evaluate client compatibility for SSL-VPN (FortiClient) or IPsec solutions.
- Phase out PPTP by first offering alternative VPN clients and documenting configuration guides for end users.
- Disable PPTP server on FortiGate once all clients have migrated and monitor for any remaining attempts to connect.
Final notes and operational tips
Keep these operational tips in mind:
- Test the configuration with a clean client machine before rolling out widely.
- Apply firmware updates and review FortiCare advisories—some FortiOS releases may change VPN feature sets.
- Document the entire setup, including user account lifecycle, policies, and logging retention periods.
For more in-depth guides on secure VPN alternatives, device-specific examples, and managed VPN solutions, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.