Introduction
Split-tunneling with PPTP remains a pragmatic solution for organizations that must route a subset of traffic through a VPN while the rest leaves through the local network or internet directly. PPTP is obsolete and cryptographically broken, but there are scenarios (legacy equipment, vendor constraints, hardware that cannot run anything newer) where administrators still need a reliable, well-documented split-tunnel setup. This article is a step-by-step guide to configuring PPTP split-tunnel on the common client platforms and edge devices, with working routing examples and the operational caveats that usually bite in practice.
What is PPTP Split-Tunneling and When to Use It
Split-tunneling is the practice of routing only a subset of network traffic through the VPN tunnel while other traffic goes through the local internet connection. The two primary split-tunnel approaches are:
- Network-based split-tunneling — specific destination networks (for example, 10.0.0.0/8) are routed to the VPN; everything else uses the local gateway.
- Application-based split-tunneling — only certain applications or processes are forced through the VPN (this often requires client-level controls or OS-level policy routing).
Use cases for PPTP split-tunnel include accessing internal company subnets while retaining local internet access for high-bandwidth services, or offloading non-sensitive traffic to reduce VPN bandwidth consumption.
Security Considerations
Before implementing PPTP split-tunnel, evaluate the security trade-offs:
- PPTP authenticates with MS-CHAPv2 and encrypts with MPPE (RC4). MS-CHAPv2 reduces to a single DES key search and can be broken offline from one captured handshake, and the MPPE session keys are derived from the same password hash, so a broken handshake also decrypts the session. Treat PPTP as offering no confidentiality against an attacker who can observe the traffic; avoid it for sensitive data or regulated environments unless no alternative exists.
- Split-tunneling enlarges the attack surface: the client sits on the untrusted internet and the internal network at the same time, so a compromised client becomes a pivot into the internal subnets, and its internet traffic bypasses the egress controls a full tunnel would have applied. Ensure endpoint security controls (host firewall, antivirus, EDR) are enforced before allowing it.
- Consider logging and monitoring — selective routing can complicate traffic visibility. Use central logging and IDS/IPS that account for split-tunnel flows.
High-Level Steps for Implementing PPTP Split-Tunnel
Regardless of platform, split-tunneling configuration follows these general steps:
- Set up the PPTP server and define the internal networks that should be reachable over the VPN.
- Disable or avoid the default “send all traffic” behavior on clients, so that only specific routes are pushed or added locally.
- Configure the server-side return path (IP forwarding, routes for the client address pool). PPP itself cannot push routes to a client, so the VPN-only prefixes are deployed to clients by management tooling rather than by the PPTP server.
- Test connectivity and verify the routing table and traffic flows.
- Harden endpoints and monitor for policy compliance.
Windows Client Configuration (Step-by-Step)
By default a Windows VPN connection uses the remote network as its default gateway, which forces all traffic through the tunnel. To implement split-tunneling:
GUI Method
- Open Network Connections (ncpa.cpl).
- Right-click the PPTP connection → Properties → Networking tab → select Internet Protocol Version 4 (TCP/IPv4) → Properties → Advanced.
- Uncheck Use default gateway on remote network and click OK. This prevents the VPN from replacing the default route. On current Windows 10/11 builds this checkbox is frequently absent from the dialog; the equivalent is the PowerShell command Set-VpnConnection -Name "<name>" -SplitTunneling $True.
After this, add specific routes to send only corporate subnets through the VPN:
Command-Line: route add
- Open an elevated Command Prompt or PowerShell.
- With the VPN connected, identify the PPP interface, its interface index and its metric (route print or Get-NetIPInterface). On a point-to-point link the "gateway" shown for the interface's routes is the client's own VPN-assigned address, not a separate router.
- Add routes that point at that interface, for example:
route -p add 10.50.0.0 mask 255.255.0.0 192.168.77.1 metric 1
Where 10.50.0.0/16 is the remote corporate network and 192.168.77.1 is the address the PPTP server assigned to this client. Caveat: -p stores the route in the registry with a fixed next hop, but PPTP address pools are usually dynamic, so the route only works for sessions that receive exactly that address. Prefer a route bound to the VPN connection itself (Add-VpnConnectionRoute) or a script that runs on connect and reads the assigned address.
PowerShell Example
A PowerShell approach to add a route on the active VPN interface:
New-NetRoute -DestinationPrefix 10.50.0.0/16 -InterfaceIndex <ifIndex> -NextHop 192.168.77.1
Replace <ifIndex> with the interface index from Get-NetIPInterface; on a PPP link -NextHop 0.0.0.0 also works, because the prefix is treated as on-link. This route disappears together with the interface, so it belongs in a connect script. On Windows 10/11 the cleaner option is to attach the prefix to the VPN profile with Add-VpnConnectionRoute -ConnectionName "<name>" -DestinationPrefix 10.50.0.0/16: Windows then installs the route each time that connection comes up and removes it on disconnect, and that profile setting is what logon scripts or Group Policy should deploy across many clients.
Linux Client Configuration (pppd & ip route)
On Linux, PPTP is commonly driven by pppd (through the pptp-linux client, usually via pon/poff and a peer file in /etc/ppp/peers/) or by NetworkManager's PPTP plugin. Split-tunneling means two things: keep pppd from installing a default route (leave out defaultroute, or state nodefaultroute explicitly), and add the corporate prefixes on the ppp interface when it comes up, from an /etc/ppp/ip-up.d/ script or a NetworkManager dispatcher script.
pppd / /etc/ppp/ip-up Script
- In the pppd options for the peer (for example /etc/ppp/peers/corp), use nodefaultroute, or simply omit defaultroute, so the default route is never replaced; add ipparam corp so hook scripts can tell this tunnel apart from other PPP links.
- pppd runs /etc/ppp/ip-up when the interface comes up. On Debian/Ubuntu that file only runs the scripts in /etc/ppp/ip-up.d/, so put the route logic there instead of editing ip-up itself. Example script:
#!/bin/sh
# /etc/ppp/ip-up.d/10-corp-routes
# pppd passes: $1=interface $2=tty $3=speed $4=local IP $5=remote IP $6=ipparam
[ "$6" = "corp" ] || exit 0     # act only for the peer started with "ipparam corp"
/sbin/ip route replace 10.50.0.0/16 dev "$1"
Here $1 is the PPP interface name (e.g., ppp0). Make the script executable (chmod +x). Routes bound to the device are removed by the kernel when ppp0 goes away, so no matching ip-down script is needed, and "replace" keeps the script idempotent if pppd renegotiates the link.
NetworkManager / Dispatcher Script
- First try the built-in settings: nmcli connection modify <name> ipv4.never-default yes ipv4.routes "10.50.0.0/16" makes NetworkManager keep the local default route and install the listed prefixes on the tunnel device whenever that VPN connection is active, with no scripting at all.
- When you need logic the connection profile cannot express (source-based rules, routes that depend on the assigned address), create a dispatcher script in /etc/NetworkManager/dispatcher.d/ that reacts to the vpn-up and vpn-down actions and adds or removes routes with ip route. NetworkManager passes the interface and action as arguments and exports VPN_IP_IFACE for VPN events, so routes follow the connection's lifecycle and are withdrawn on disconnect.
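As an added example (not part of the original article), the dispatcher script below implements the second bullet. It assumes a NetworkManager connection named corp-pptp, two corporate prefixes, and NetworkManager's documented dispatcher interface (interface and action as arguments, VPN_IP_IFACE, CONNECTION_ID and NM_DISPATCHER_ACTION in the environment). With IP=echo it prints the ip commands instead of running them, which is also how it can be exercised on a machine without a tunnel.

```shell
#!/bin/sh
# /etc/NetworkManager/dispatcher.d/90-corp-split-tunnel  (added example)
# NetworkManager runs each dispatcher script as: <script> <interface> <action>.
# For VPN events (vpn-up, vpn-down) it also exports VPN_IP_IFACE (tunnel device),
# CONNECTION_ID (name of the connection being activated) and NM_DISPATCHER_ACTION.
# Assumed values: connection name "corp-pptp" and the two corporate prefixes.

VPN_NAME="${VPN_NAME:-corp-pptp}"
CORP_PREFIXES="${CORP_PREFIXES:-10.50.0.0/16 10.60.0.0/16}"
IP="${IP:-/sbin/ip}"        # set IP=echo to dry-run: prints the commands instead

# Print the ip(8) arguments for one prefix/action pair. "replace" is idempotent,
# so a re-run after a renegotiated link does not fail on an existing route.
route_cmd() {               # $1=action  $2=prefix  $3=device
    case "$1" in
        vpn-up)   echo "route replace $2 dev $3" ;;
        vpn-down) echo "route del $2 dev $3" ;;
        *)        return 1 ;;
    esac
}

# Apply every corporate prefix for one action. APPLIED counts the prefixes
# handled so a caller (or a test) can check that something actually happened.
apply_split_routes() {      # $1=action  $2=device
    APPLIED=0
    for prefix in $CORP_PREFIXES; do
        args=$(route_cmd "$1" "$prefix" "$2") || continue
        # word-splitting $args into separate ip arguments is intended
        # shellcheck disable=SC2086
        $IP $args 2>/dev/null || true   # on vpn-down the kernel may already have dropped it
        APPLIED=$((APPLIED + 1))
    done
}

# Dispatcher entry point: act only on our own VPN connection's up/down events,
# so a second, unrelated VPN on the same host never receives these routes.
dispatch() {                # $1=interface  $2=action
    case "$2" in
        vpn-up|vpn-down) ;;
        *) return 0 ;;
    esac
    [ "${CONNECTION_ID:-}" = "$VPN_NAME" ] || return 0
    apply_split_routes "$2" "${VPN_IP_IFACE:-$1}"
}

# Run only when invoked by NetworkManager (it sets NM_DISPATCHER_ACTION);
# sourcing the file elsewhere just defines the functions.
if [ -n "${NM_DISPATCHER_ACTION:-}" ]; then
    dispatch "$@"
fi
```

Install it as /etc/NetworkManager/dispatcher.d/90-corp-split-tunnel, owned by root and mode 0755; NetworkManager refuses dispatcher scripts that are writable by group or others. Matching on CONNECTION_ID is what keeps the script safe on laptops with more than one VPN profile: without it, every vpn-up would drag the corporate prefixes onto whatever tunnel happened to come up.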
PPTP Server-Side: Return Path (Routes Cannot Be Pushed)
PPP has no mechanism for handing routes to a client. IPCP negotiates the client's address and, through the Microsoft extensions, DNS and WINS servers (pppd's ms-dns and ms-wins options), but pppd has no route option, and the RADIUS Framed-Route attribute does the opposite of what its name suggests here: it tells the NAS (the PPTP server) to add a route towards a network behind the client, not the client to add one. Which prefixes enter the tunnel is therefore decided on the client, as in the previous sections; the server's job is the return path:
- Enable IP forwarding on the server (net.ipv4.ip_forward=1) and allow forwarded traffic between the pppN interfaces and the internal interface in the firewall.
- Make the internal network route the client address pool (for example 192.168.77.0/24) back to the PPTP server, either with a static route on the internal gateway or by carving the pool out of the server's own LAN subnet and using pppd's proxyarp option.
- The fourth field of /etc/ppp/chap-secrets pins a client to a fixed address, which makes any per-client routes on the server predictable.
- Hand out internal resolvers with ms-dns only if clients are also configured for split DNS; a split-tunnel client that receives an internal-only resolver loses public name resolution.
Example lines for /etc/ppp/pptpd-options (pptpd) or a per-user options file:
ms-dns 10.50.0.53
proxyarp
These give the client an internal resolver and let the server answer ARP for the client's address on the LAN. Exact file locations differ between pptpd packages and RADIUS setups; consult the server documentation.
Routers and Edge Devices (OpenWrt, MikroTik)
When using a router as the VPN client or concentrator, split-tunneling is implemented via policy-based routing (PBR) or multiple routing tables.
OpenWrt Example (ip rule + ip route)
- Register a routing table name in /etc/iproute2/rt_tables, e.g. 200 vpn.
- Add the routes to that table pointing at the PPTP interface:
ip route add 10.50.0.0/16 dev ppp0 table vpn
- Add a rule that sends matching traffic to that table; a priority below 32766 places it ahead of the main table lookup:
ip rule add to 10.50.0.0/16 table vpn priority 1000
For a destination-only policy this is equivalent to a plain route in the main table. The separate table earns its keep with source-based rules (from <LAN host or subnet> instead of to), which force everything from selected hosts through the tunnel while the rest of the LAN goes direct. Two caveats: ip rule does not deduplicate, so remove the rules on disconnect (for example from an /etc/hotplug.d/iface script) before adding them again; and with a source rule, add an unreachable default route with a higher metric to the vpn table so those hosts fail closed when the tunnel is down rather than falling through to the main table and the WAN.
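An added example that goes beyond the bullets above (it is not from the original article): it builds the vpn table for both kinds of policy, destination-based for the corporate prefixes and source-based for LAN hosts that must never bypass the VPN, makes the source rules fail closed, and tears everything down without leaving duplicate rules behind. Assumed: table 200 vpn, device ppp0, the prefixes and host addresses in the variables, and OpenWrt's hotplug variables ACTION, INTERFACE and DEVICE for the optional hook at the end. IP=echo RT_TABLES=/tmp/rt_tables dry-runs it on any machine.

```shell
#!/bin/sh
# OpenWrt policy-based routing for a PPTP client (added example): corporate
# prefixes, and all traffic of a few LAN hosts, go via the tunnel; everything
# else stays on the WAN uplink. Assumptions: table "200 vpn", device ppp0, the
# prefixes and forced hosts below. Dry-run: IP=echo RT_TABLES=/tmp/rt_tables
IP="${IP:-ip}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
TABLE_NUM=200
TABLE_NAME=vpn
RULE_PRIO=1000                                    # below main (32766): consulted first
VPN_PREFIXES="${VPN_PREFIXES:-10.50.0.0/16 10.60.0.0/16}"
FORCED_SOURCES="${FORCED_SOURCES:-192.168.1.50}"  # LAN hosts that must never bypass the VPN

# Register the table name once (ip accepts the number anyway; the name is for humans).
ensure_table() {
    grep -qs "^${TABLE_NUM}[[:space:]]${TABLE_NAME}\$" "$RT_TABLES" \
        || echo "$TABLE_NUM $TABLE_NAME" >> "$RT_TABLES"
}

# Build the vpn table and the rules that select it, for tunnel device $1.
pbr_up() {
    dev="$1"
    ensure_table
    for p in $VPN_PREFIXES; do
        $IP route replace "$p" dev "$dev" table "$TABLE_NAME"
        $IP rule add to "$p" table "$TABLE_NAME" priority "$RULE_PRIO"
    done
    if [ -n "$FORCED_SOURCES" ]; then
        # Forced hosts get a default route inside the vpn table only. The second,
        # higher-metric route makes them fail closed: when ppp0 disappears the
        # dev route goes with it and "unreachable" wins, instead of the lookup
        # falling through to the main table's WAN default. The same unreachable
        # route also stops corporate-addressed traffic leaking to the WAN
        # while the tunnel is down.
        $IP route replace default dev "$dev" table "$TABLE_NAME"
        $IP route replace unreachable default metric 100 table "$TABLE_NAME"
        for s in $FORCED_SOURCES; do
            $IP rule add from "$s" table "$TABLE_NAME" priority "$RULE_PRIO"
        done
    fi
}

# Tear down: ip rule does not deduplicate, so delete every rule pointing at the
# table before flushing it; otherwise repeated up/down cycles pile up rules.
pbr_down() {
    n=$($IP rule show | grep -c "lookup $TABLE_NAME") || true
    while [ "$n" -gt 0 ]; do
        $IP rule del table "$TABLE_NAME" priority "$RULE_PRIO"
        n=$((n - 1))
    done
    $IP route flush table "$TABLE_NAME"
}

# Optional hotplug hook (install as /etc/hotplug.d/iface/90-vpn-pbr): OpenWrt sets
# ACTION, INTERFACE (logical name, assumed "corpvpn") and DEVICE (e.g. ppp0).
if [ "${INTERFACE:-}" = "${VPN_IFACE:-corpvpn}" ]; then
    case "${ACTION:-}" in
        ifup)   pbr_up "${DEVICE:-ppp0}" ;;
        ifdown) pbr_down ;;
    esac
fi
```

After pbr_up, ip rule show lists one to rule per prefix and one from rule per forced host at priority 1000, and ip route show table vpn shows the prefix routes plus the two default entries; with the tunnel down, ip route get 8.8.8.8 from 192.168.1.50 must answer "unreachable" rather than the WAN gateway.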
MikroTik (Routing Mark + Mangle)
- In /ip firewall mangle, add a prerouting rule with action=mark-routing new-routing-mark=vpn passthrough=no that matches the source addresses or destination prefixes that belong in the tunnel.
- In /ip route, add the corporate prefixes (or a default route, for hosts that must be forced entirely through the VPN) with routing-mark=vpn and the PPTP client interface name (for example pptp-out1) as the gateway; RouterOS accepts an interface as the gateway on point-to-point links. On RouterOS v7 the table must first be created under /routing table and the route uses routing-table=vpn instead.
- Packets without the mark keep using the main table, so nothing else is diverted; as with the OpenWrt setup, add a blackhole or unreachable route for the marked table with a higher distance if forced hosts must fail closed when the tunnel is down.
Testing and Troubleshooting
Verify split-tunnel behavior thoroughly:
- Check routing tables: route print on Windows, or ip route (plus ip rule and ip route show table vpn on a router using policy routing) on Linux. The default route must still point at the local uplink and only the corporate prefixes at the PPP interface; ip route get <address> shows the kernel's decision for a single destination.
- Use traceroute: tracert or traceroute to an internal host should show the first hop inside the tunnel (the PPTP server's PPP address), while a public host should show the local gateway as the first hop.
- Packet captures: tcpdump/Wireshark on the client or on the gateway. On the physical interface, traffic for the corporate prefixes must appear only as GRE packets to the PPTP server; any plaintext packet addressed to those prefixes is a leak. Capturing on the ppp interface shows the decapsulated flows.
- Tunnel does not come up at all: PPTP uses TCP/1723 for the control channel and GRE (IP protocol 47) for data. A firewall or NAT that passes TCP but not GRE produces a connection that authenticates and then hangs or drops, which is easy to mistake for a routing problem.
- DNS considerations: ensure queries for internal names reach internal resolvers through the VPN, and configure split DNS so that only those domains use them; otherwise either internal names fail to resolve or all public lookups are sent over the tunnel.
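The routing checks above can be scripted so they run after every connect and from a scheduled compliance job. The script below is an added example, not part of the original article. It assumes tunnel device ppp0 and a policy given as destination=vpn|direct pairs; fake_route_get is constructed sample output in ip route get format (with a deliberate leak for 10.50.2.7) so the logic can be exercised offline, while --live asks the real kernel.

```shell
#!/bin/sh
# Split-tunnel verification (added example): ask the kernel where it would send
# a packet for each destination ("ip route get") and compare with the policy.
# Assumed tunnel device ppp0; EXPECT lists destination=vpn|direct pairs to check.
TUN_DEV="${TUN_DEV:-ppp0}"
EXPECT="${EXPECT:-10.50.1.10=vpn 10.50.200.1=vpn 8.8.8.8=direct 1.1.1.1=direct}"

# Real resolver: the "ip route get" output for one destination.
route_get() {                # $1=destination
    ip -4 route get "$1" 2>/dev/null
}

# Constructed sample output in "ip route get" format, for offline runs and
# tests. 10.50.2.7 deliberately "leaks" to the uplink; unknown hosts have no route.
fake_route_get() {
    case "$1" in
        10.50.1.10)      echo "10.50.1.10 dev ppp0 src 192.168.77.5 uid 0" ;;
        10.50.200.1)     echo "10.50.200.1 dev ppp0 src 192.168.77.5 uid 0" ;;
        10.50.2.7)       echo "10.50.2.7 via 192.168.1.1 dev eth0 src 192.168.1.20 uid 0" ;;
        8.8.8.8|1.1.1.1) echo "$1 via 192.168.1.1 dev eth0 src 192.168.1.20 uid 0" ;;
        *)               return 1 ;;
    esac
}

# Extract the egress device from "ip route get" output. Only the first line is
# used; newer kernels append an indented "cache" line that carries no device.
egress_dev() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# check_split <getter-function>: returns 0 when every expectation holds,
# otherwise prints one FAIL line per mismatch and returns 1. A destination
# expected "direct" that has no route at all is also a failure.
check_split() {
    getter="${1:-route_get}"
    rc=0
    for spec in $EXPECT; do
        dst=${spec%=*}
        want=${spec#*=}
        dev=$("$getter" "$dst" | egress_dev)
        case "$want:$dev" in
            vpn:"$TUN_DEV") ;;                        # in the tunnel, as required
            vpn:*)
                echo "FAIL $dst egress=${dev:-none} (expected $TUN_DEV)"; rc=1 ;;
            direct:"$TUN_DEV"|direct:)
                echo "FAIL $dst egress=${dev:-none} (expected local uplink)"; rc=1 ;;
            direct:*) ;;                              # on the uplink, as required
            *)
                echo "FAIL bad spec $spec"; rc=1 ;;
        esac
    done
    return $rc
}

# "sh split-check.sh --live" runs against the real routing table; without the
# flag the file only defines the functions (so it can be sourced by a test).
if [ "${1:-}" = "--live" ]; then
    check_split route_get
fi
```

Run it with --live from the same hook that installs the routes (ip-up.d or the dispatcher script) and fail loudly, or log to syslog, when it returns non-zero; a leak found at connect time is far cheaper than one found in a packet capture weeks later. Add a public address that must stay direct to EXPECT on every deployment, since a route that quietly became a default route through the tunnel is the most common regression.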
Automation and Large-Scale Deployment
For enterprise rollouts, prefer automated mechanisms:
- Group Policy or SCCM for Windows to distribute scripts that set routes or toggle the default gateway option.
- Configuration management tools (Ansible, Puppet, Chef) to push scripts and network settings for Linux clients and routers.
- Client VPN software that supports centralized policy for split-tunneling and route push (if available), which reduces per-device configuration complexity.
When to Consider Alternative VPNs
If security and performance are priorities, consider migrating from PPTP to modern VPN protocols:
- WireGuard — simple, high-performance, and supports policy routing and source-based rules for split-tunnel use cases.
- OpenVPN — mature, flexible, supports pushed routes and fine-grained configuration for split-tunneling.
- IPsec/L2TP or IKEv2 — stronger encryption suites and can be integrated with enterprise authentication systems.
Conclusion
Implementing effective PPTP split-tunnel requires careful routing configuration on both client and server sides, thorough testing, and compensating security controls on endpoints. While PPTP can still serve niche needs, ensure you balance operational requirements with the security risk profile and plan for migration to stronger VPN technologies where feasible. For more in-depth tutorials and deployment templates tailored to specific routers and OS versions, visit Dedicated-IP-VPN.
Dedicated-IP-VPN — https://dedicated-ip-vpn.com/