Point-to-Point Tunneling Protocol


Written by:

Paulo Silva


Software Engineering

McMaster University

March 2001


 The purpose of this paper is to give an overview of the Point-to-Point Tunneling Protocol (PPTP). The paper includes the following topics:



Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks, such as the Internet. It was developed by the PPTP Forum which consists of the following organizations: Ascend Communications, Microsoft Corporation, 3 Com/Primary Access, ECI Telematics, and U.S. Robotics.

The networking technology of PPTP is an extension of the remote access Point-to-Point Protocol (PPP). It encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based network or it can also be used in private LAN-to-LAN networking.

The PPTP protocol is designed to perform the following tasks:


An important feature in the use of PPTP is its support for VPN by using public switched telephone networks (PSTNs). This simplifies and reduces costs of deploying an enterprise-wide, remote access solution for remote or mobile users because it provides secure and encrypted communications over the public telephone lines and the Internet.

Generally there are three computers involved in a PPTP deployment. There is a PPTP client, a network access server and a PPTP server. In case of a LAN, the network access server is not required because you are already in the same network. The secure communication created using the PPTP protocol typically involves three processes, each of which requires successful completion of the previous process. They are: PPP connection and communication, PPTP control connection, and PPTP data tunnelling.

PPP Connection and Communication

The first step, the client needs a connection to the Internet by connecting to a Network Access Server (NAS) via local Internet Service Provider (ISP). A PPTP client uses PPP to establish this connection. The connection request by a client consists of access credentials (username, password and domain) and an authentication protocol in order for the PPTP server to authenticate the client. Once connected, the client can send and receive packets over the Internet.

PPTP Control Connection

Once the client has made the initial PPP connection to the ISP, a second dial-up networking call is made over the existing PPP connection. This creates the VPN connection (control connection) to a PPTP server on the private enterprise LAN and acts as a tunnel trough which network packets flow. A set of eight control messages will establish, maintain and end the PPTP tunnel.

PPTP Data Tunneling

After the PPTP tunnel is established, data is transmitted between client and PPTP server. Data is send in the form of IP datagrams that contain PPP packets that are usually referred as encapsulated PPP packets. The IP datagram contain encrypted IPX, NetBEUI, or TCP/IP packets and have the following format:


PPP Delivery Header

IP Header

GRE Header

PPP Header

IP Header

TCP Header


Figure 1: IP datagram containing encrypted PPP packets as created by PPTP


The IP delivery header provides the information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP datagram. The shaded are represents the encrypted data. The following figure shows the process of connecting a PPTP client to the private network.

Figure 2: Connection between PPTP client and private network

After the VPN connection is established, the remote user (client) can perform any operation as a locally connected user can.

Understanding PPTP security

One of the reasons why this protocol is so popular is because of the security features available. There are three areas in PPTP security that makes it very appealing. They are: authentication, data encryption and PPTP packet filtering.


Authentication of a remote PPTP client is done by using the same PPP authentication methods used for any other RAS client. The user accounts of remote users are set-up so they are the only ones that are granted specific access to the network through a trusted domain. The use of secure passwords is one of the best ways to successful deployment of PPTP.

Data Encryption

Data send back and forward through the PPTP tunnel is encrypted. The network packets are encrypted at the source (client or server), travel inside the tunnel and are decrypted at the destination. Also, since the entire network traffic in a PPTP connection flows inside the tunnel, data is invisible to the outside world. The packet encryption inside the tunnel provides an additional level of security.

PPTP Packet Filtering

This is an option that can significantly improve the performance and reliability of network security if it is enabled on the PPTP server. When enabled, it accepts and routes only PPTP packets from authorized users. This prevents all other packets from entering the PPTP server and the private network.


Considering the fact that current technologies available, such as the Internet, can be used to enhance and facilitate access to private networks, makes very useful in terms of using powerful resources for very little cost.

This approach has two benefits. First, a VPN lets mobile users avoid long-distance telephone charges (assuming there is access available to a local ISP) and minimize costs. Second, the service provider is responsible for maintaining, updating and troubleshooting your WAN’s infrastructure. If every company or Institution, or organization had to build their own WANs, would be almost impossible because of the cost behind it.

Also, the security provided by PPTP and the simplicity in using this protocol makes a good package and worthwhile implementing it.