How unsecure is PPTP for my use?

[jkroeder]

On my home router with Tomato firmware, I have two options of setting up a VPN. I can use OpenVPN or PPTP. I'm aware that the consensus between the two is that OpenVPN is the winner by far.

However, all I'm trying to do with this is to have an encrypted tunnel to use on the rare occasion I need it on a wifi hotspot or similar situation. So, if the password is strong enough (more than 12 characters, random, etc), all traffic is forwarded through the connection, and MPPE-128 encryption is used, is it good enough for this use?



I realize I could just do it right and use OpenVPN. I've been trying to do just that. I've just been having issues generating certificates, specifically the server cert. I think it's an issue with index.txt file which I'm looking into.

Thanks

 

[matricks]

I don't know what index.txt file you are talking about. I've just used the EasyRSA scripts, they've never failed me (I've run my own OpenVPN gateways with certificate authentication since OpenVPN 2.0 days).

You ask if PPTP is secure enough. How secure do you need it to be? Is it OK if some geek dedicates a few hours of his computer resources to decrypt your traffic? There are ready-made tools for cracking PPTP, all a malicious guy needs is some actual data to work with.

I would never use PPTP unless my only goal was to form a tunnel to a remote point, not having to care at all about who could potentially read my communication. If the certificates are your only issue, just figure them out.

 

[Chaosblade02]

Its fine if you're just looking to hide your real IP address for random internet related tasks, but its not secure for someone who is willing to put forth the time and effort into finding out your information. But hey, at least they have to work for it. I'm flattered if some random geek wants to dedicate hours of their time for little old me.

I like open VPN better, and there are some free VPN services like vpnbook that have open VPN profiles you can use. Its simple enough where a novice user could set this up.

 

[jkroeder]

This was the index.txt error I was referring to.
https://forums.openvpn.net/topic7551.html

I should be able to put some more time into it and get OpenVPN working then.

So, to use a different networking analogy, it'd be like using WEP on a wireless network then.


Thanks for the PPTP info guys. I won't use it much longer then.

 

[jkroeder]

So, I was able to get the certificates generated after I got that issue fixed.

I have the OpenVPN server and client to route all traffic through the VPN. One issue I'm having now is that I'm getting DNS leaks. I do however get the correct home IP address.

If i go to dnsleaktest.com or ipleak.net, it clearly shows the DNS servers of my current connection and not the home connection. Whereas with the PPTP connection, I don't have any DNS leak.

Any ideas what I should be looking for?

my opvn file

client
dev tun
proto tcp
remote ipaddressofserver 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4

 

[matricks]

Show your server config as well. Do you push DNS addresses to your clients?

server
proto udp
port 1194
[and]
[so]
[on]

push "dhcp-option DNS 77.109.148.136"
push "dhcp-option DNS 77.109.148.137"

 

[jkroeder]

Basic Screen
http://i.imgur.com/XjIE7sO.png

Advanced Screen
http://i.imgur.com/xfgQRU4.png

These are screen grabs from my Tomato config

I have "Advertise DNS to clients" and "Respond to DNS" enabled. I'm pretty sure that refers to pushing DNS to clients.

 

[mxnerd]

Every website you visit can use tools to do ip lookup, check with ARIN and find your ISP IP block and your ISP DNS.

The websites that use "leak" in their name just trying to sell you VPN service.