{"id":167,"date":"2024-02-29T14:16:29","date_gmt":"2024-02-29T14:16:29","guid":{"rendered":"https:\/\/adrianbromley.co.uk\/?p=167"},"modified":"2025-01-31T16:39:24","modified_gmt":"2025-01-31T16:39:24","slug":"windows-to-draytek-vpn-using-pptp","status":"publish","type":"post","link":"https:\/\/adrianbromley.co.uk\/index.php\/2024\/02\/29\/windows-to-draytek-vpn-using-pptp\/","title":{"rendered":"Windows to Draytek VPN using PPTP"},"content":{"rendered":"\n<p>The good news here is that a Draytek, out-the-box, is already set up for PPTP. Just add your usernames\/passwords, and you are good to go.<\/p>\n\n\n\n<p>The other good news is that Windows also supports PPTP out-of-box. Just add a VPN with your username and password and you are good to go. Adding the VPN is easy \u2013 it\u2019s a PowerShell one-liner (although you can use the GUI if you prefer).<\/p>\n\n\n\n<p>\u2013<\/p>\n\n\n\n<p>This guide applies to any Draytek router running DrayOS. This is all the desktop models (eg 26xx and 28xx) and the new rack-mount 2910 and 3010 models, but not the 2900 or 3900 models, which ran Linux.<\/p>\n\n\n\n<p>The parameters that you need for this procedure are:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Username<\/li>\n\n\n\n<li>Password<\/li>\n\n\n\n<li>Router\u2019s WAN FQDN (or IP address)<\/li>\n<\/ol>\n\n\n\n<p>\u2013<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Quick start<\/h2>\n\n\n\n<p>On the router:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in<\/li>\n\n\n\n<li>Navigate to \u2018VPN and Remote access\/Remote Dial-in User\u2019<\/li>\n\n\n\n<li>Click on an index number. Tick enable. Type the username and password. 
Click OK.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"603\" height=\"444\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-2-1.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-2-1.png 603w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-2-1-300x221.png 300w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/figure>\n\n\n\n<p>On the Windows PC:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log on as the user<\/li>\n\n\n\n<li>Start a PowerShell window<\/li>\n\n\n\n<li>type:\u00a0<code>Add-VpnConnection -Name 'VPN' -ServerAddress '&lt;router fqdn or IP>' -TunnelType 'PPTP' -SplitTunneling -RememberCredential<\/code><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"832\" height=\"403\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-5.png\" alt=\"\" class=\"wp-image-177\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-5.png 832w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-5-300x145.png 300w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-5-768x372.png 768w\" sizes=\"auto, (max-width: 832px) 100vw, 832px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connect the VPN<\/li>\n\n\n\n<li>Type in username and password<\/li>\n\n\n\n<li>Complete!<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"357\" height=\"114\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-6.png\" alt=\"\" class=\"wp-image-178\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-6.png 357w, 
https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-6-300x96.png 300w\" sizes=\"auto, (max-width: 357px) 100vw, 357px\" \/><\/figure>\n\n\n\n<p>\u2013<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detailed guide<\/h2>\n\n\n\n<p>This detailed guide includes screenshots, notes and troubleshooting information.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><em>Note: Notes are presented in a bordered box like this<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><em>4G: A dial-up VPN needs to connect to the WAN interface of your router, so your router will need to have a public routable IP on the WAN interface. 4G is NATed by the service provider so you cannot connect to the WAN interface of the router directly (unless you have a 4G SIM with fixed public IP).<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><em>Dynamic IP: If the router\u2019s public IP is dynamic, you will need to assign a DynDns name to it \u2013 see the [not written yet] Draytek-DynDns post for details. However, if the IP does not change very often, and you are keen to get going, you can make a note of what it is now and use it temporarily until it changes.<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u2013<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Enable the PPTP service<\/h5>\n\n\n\n<p>This is enabled by default on older routers, but not on newer. 
If it has been disabled, click to re-enable (requires a router reboot).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"193\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-1.png\" alt=\"\" class=\"wp-image-170\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-1.png 541w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-1-300x107.png 300w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/figure>\n\n\n\n<p>\u2013<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Setup PPP, including DHCP<\/h5>\n\n\n\n<p>When the user connects, it is PPP that authenticates the user, sets the encryption and assigns an IP address to the VPN. The default Draytek and Windows security settings work out-the-box to give the best security, and so there should be no need to change settings here. More info on how PPP works with Windows can be found in \u2018<a href=\"https:\/\/adrianbromley.co.uk\/index.php\/2024\/02\/28\/draytek-ppp-general\/\">Draytek-PPP-General<\/a>\u2018, but it is worth looking at DHCP here.<\/p>\n\n\n\n<p>When the user connects, they will need an IP address from the LAN they are dialling into. Draytek have several ways of dealing with this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>If DHCP is enabled on the router LAN, PPP will use that to assign an IP<\/li>\n\n\n\n<li>If DHCP is not enabled, PPP can assign an IP from its own \u2018pool\u2019 of addresses<\/li>\n\n\n\n<li>The user can be assigned a fixed IP address \u2013 see \u2018setting up user\u2019 below<\/li>\n<\/ol>\n\n\n\n<p>No 1 is the easiest, and is the default. No 2 is also enabled by default, and will kick in if you disable DHCP on the LAN. 
No 3 is a property of the user\u2019s VPN profile, and can be used without disabling 1 or 2.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"289\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-5-1.png\" alt=\"\" class=\"wp-image-65\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-5-1.png 600w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-5-1-300x145.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<p>Here, the router will assign 50 addresses from 192.168.1.200 to 192.168.1.249 if DHCP on the LAN is disabled. You just need to make sure these will not clash with existing IPs or the DHCP range on your LAN.<\/p>\n\n\n\n<p>\u2013<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Setup the user<\/h5>\n\n\n\n<p>The only actions that are required are to tick enable, enter username and password, and ensure PPTP is allowed. By default &#8216;PPTP&#8217; is already ticked on older routers (but not on later routers).<\/p>\n\n\n\n<p>The username will identify who is connected, so would usually be related to their \u2018real\u2019 name, eg \u2018ABromley\u2019. Both username and password could be different from the user\u2019s Windows password \u2013 so if one is hacked, the other is not. The password could be long and\/or complicated, as it can be remembered by Windows and the user may never see it or type it in (if you type it in for them when setting up their VPN).<\/p>\n\n\n\n<p>A static IP can be assigned if you wish. Sometimes this is useful if DHCP is not used, or as a means of identifying which VPN is generating network traffic when using Wireshark. The IP must, of course, be taken from the router\u2019s LAN subnet. 
You could also:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>change idle timeout to 0 seconds (so if the user leaves their computer for a while the VPN will not drop)<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"603\" height=\"444\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-2.png\" alt=\"\" class=\"wp-image-171\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-2.png 603w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-2-300x221.png 300w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/figure>\n\n\n\n<p>We will look at some of the other options and features later. For now, that completes the router setup. We can now turn our attention to the Windows client.<\/p>\n\n\n\n<p>\u2014<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<p>The procedure for Windows 10\/11 is very similar (if not identical). The VPN can be created using the GUI, by using PowerShell (or a batch file that calls PowerShell) or by Group Policy.<\/p>\n\n\n\n<p>Windows VPNs can be system-wide \u2013 where the VPN is available to any user who logs on to that PC, or per-user \u2013 where the VPN is only available to that user. Which you choose depends on whether you want a VPN available to all users who log on to the PC, or just named users.<\/p>\n\n\n\n<p>It\u2019s also worth thinking about whether you want to use \u2018Split Tunnelling\u2019. If the VPN is connected with Split Tunnelling enabled, ONLY network traffic for the remote network is sent over the VPN. General Internet traffic (web browsing etc) from your PC is NOT passed over the VPN and exits by the usual route \u2013 over wireless to your home router, for example. Split Tunnelling sounds normal and it is probably what you want; but it is not the default in Windows. 
Windows will, by default, send even your Internet traffic over the VPN to exit to the Internet via the remote router.<\/p>\n\n\n\n<p>Why would you ever NOT choose split tunnelling? There are a few reasons \u2013 you may want your users\u2019 Internet traffic filtered by your Office firewall, for example. Or, you may have a network with several subnets behind the VPN router. Or, in the case of dialling-in to a pfSense router, it is sometimes just easier.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Setup the VPN \u2013 PowerShell method<\/h3>\n\n\n\n<p>This method is by far the easiest.<\/p>\n\n\n\n<p>For a per-user VPN, copy this command into Notepad. Edit it with your own name, fqdn\/IP and PSK, then copy it into a non-administrator PowerShell window:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Add-VpnConnection -Name 'VPN' -ServerAddress '&lt;fqdn or IP>' -TunnelType 'PPTP' -SplitTunneling -RememberCredential<\/code><\/pre>\n\n\n\n<p>\u2026note how split tunneling is enabled using this method.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">System-wide VPN<\/h4>\n\n\n\n<p>\u2026simply add \u2018-AllUserConnection\u2019 to the above command line, and paste it into an&nbsp;<strong>administrator<\/strong>&nbsp;PowerShell window.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Setup the VPN \u2013 GUI method<\/h3>\n\n\n\n<p>This procedure sets up a per-user VPN. Setting up a system-wide VPN requires a different starting point \u2013 see below.<\/p>\n\n\n\n<p>Click Start\/Settings\/Network and Internet\/VPN\/Add a VPN. Complete the settings. Most should be self-explanatory:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server name or address: is the public IP of your VPN router. Either fqdn or IP can be used<\/li>\n\n\n\n<li>Username and Password: Type the password here and leave \u2018remember my sign-in\u2019 ticked. The user will not be prompted for credentials.<\/li>\n<\/ul>\n\n\n\n<p>That should now connect \u2013 but will not have split tunnelling enabled. 
Your Internet traffic will be sent over the VPN.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-click the Windows Start button, Network Connections.<\/li>\n\n\n\n<li>Win 10: Scroll down to \u2018Change adapter options\u2019.<\/li>\n\n\n\n<li>Win 11: Click into &#8216;VPN&#8217;, find your VPN, click the down arrow, click on &#8216;advanced options&#8217;, click edit against &#8216;more VPN options&#8217;.<\/li>\n<\/ul>\n\n\n\n<p>Or, in the Windows search box type \u2018ncpa.cpl\u2019 and click on the \u2018Control Panel Item\u2019.<\/p>\n\n\n\n<p>Then,<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-click your VPN connection and open Properties.<\/li>\n\n\n\n<li>In the Networking tab, select Internet Protocol Version 4 (TCP\/IPv4).<\/li>\n\n\n\n<li>Click Advanced.<\/li>\n\n\n\n<li>In the General tab, click Advanced.<\/li>\n\n\n\n<li>Disable Use default gateway on remote network.<\/li>\n\n\n\n<li>Restart your VPN connection.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"200\" height=\"244\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-7.png\" alt=\"\" class=\"wp-image-80\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">System-wide VPN<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-click the Windows Start button and go to Network Connections.<\/li>\n\n\n\n<li>Scroll down to Network and Sharing Centre<\/li>\n\n\n\n<li>Setup a Connection or Network<\/li>\n\n\n\n<li>Connect to a workplace<\/li>\n\n\n\n<li>No, Create a new connection<\/li>\n\n\n\n<li>Use my Internet connection (VPN)<\/li>\n\n\n\n<li>Enter server IP or FQDN, give it a name, and tick \u2018allow other people to connect\u2019.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"307\" height=\"227\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-8.png\" alt=\"\" class=\"wp-image-83\" 
srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-8.png 307w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-L2TP-PSK-8-300x222.png 300w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/figure>\n\n\n\n<p>That will create the VPN. You will need to manually set the type to PPTP, and set authentication to MS-CHAPv2 by running \u2018ncpa.cpl\u2019 and editing the connection:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"271\" height=\"356\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-3.png\" alt=\"\" class=\"wp-image-172\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-3.png 271w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-3-228x300.png 228w\" sizes=\"auto, (max-width: 271px) 100vw, 271px\" \/><\/figure>\n\n\n\n<p>Split tunneling can be enabled the same way as described above.<\/p>\n\n\n\n<p>\u2014<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Troubleshooting<\/h2>\n\n\n\n<p>VPN connections can be quite difficult to troubleshoot, mainly because of the lack of logging and the meaningless error messages at the Windows end. Draytek logging is OK but needs a bit of interpretation.<\/p>\n\n\n\n<p>What could go wrong with PPTP? 
If it doesn&#8217;t connect, check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is the IP or FQDN correct?<\/li>\n\n\n\n<li>Is PPTP enabled both in &#8216;Remote Access Control&#8217; and in the user profile?<\/li>\n<\/ul>\n\n\n\n<p>An incorrect username\/password will be self-evident &#8211; Windows will prompt<\/p>\n\n\n\n<p>You may want to see evidence that the connection attempts are making it to the Draytek. To check this, look at the logs in the Draytek:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Diagnostics\/Syslog Explorer<\/li>\n\n\n\n<li>\u2018Web Syslog\u2019 tab<\/li>\n\n\n\n<li>Tick \u2018Enable web syslog\u2019<\/li>\n\n\n\n<li>Syslog type: VPN<\/li>\n\n\n\n<li>Display mode: always record the new event (you will need to refresh regularly)<\/li>\n\n\n\n<li>Export if you wish.<\/li>\n<\/ul>\n\n\n\n<p>The exported log will look similar to this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1002\" height=\"267\" src=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-4.png\" alt=\"\" class=\"wp-image-173\" srcset=\"https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-4.png 1002w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-4-300x80.png 300w, https:\/\/adrianbromley.co.uk\/wp-content\/uploads\/2024\/02\/Windows-Draytek-PPTP-4-768x205.png 768w\" sizes=\"auto, (max-width: 1002px) 100vw, 1002px\" \/><\/figure>\n\n\n\n<p>Note &#8216;PPP Start()&#8217;, &#8216;CHAP Login OK&#8217; and IP addresses being allocated.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The good news here is that a Draytek, out-the-box, is already set up for PPTP. Just add your usernames\/passwords, and you are good to go. The other good news is that Windows also supports PPTP out-of-box. 
Just add a VPN with<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":3,"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"predecessor-version":[{"id":179,"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/167\/revisions\/179"}],"wp:attachment":[{"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adrianbromley.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}