Why we don’t use PPTP anymore.

In this article we skip the technical parts.

From a user standpoint, the main reason we no longer use PPTP VPN is that some of the biggest vendors, such as Apple and WatchGuard, no longer support this VPN type.

For example, since 2016 Apple has removed the option to use PPTP VPN on its devices, starting with iOS 10 and macOS Sierra. Read more about it in Apple Support’s own article here…

There are a few different VPN types, but the one I and many others recommend as a replacement is L2TP VPN. It works almost the same but has a higher encryption level. It is easy to use and easy to set up.
Most devices support L2TP, from home routers to business firewalls.

Read more about L2TP here…

IPSEC Site-to-Site for Edgerouter Lite

IPSEC Site-to-Site

set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group vpntunnel
set vpn ipsec esp-group vpntunnel compression disable
set vpn ipsec esp-group vpntunnel lifetime 86400
set vpn ipsec esp-group vpntunnel mode tunnel
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec esp-group vpntunnel proposal 1
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec ike-group vpntunnel
set vpn ipsec ike-group vpntunnel lifetime 86400
set vpn ipsec ike-group vpntunnel proposal 2
set vpn ipsec ike-group vpntunnel proposal 2 dh-group 2
set vpn ipsec ike-group vpntunnel proposal 2 encryption 3des
set vpn ipsec ike-group vpntunnel proposal 2 hash sha1
set vpn ipsec site-to-site peer 88.88.88.88
set vpn ipsec site-to-site peer 88.88.88.88 local-address 99.99.99.99
set vpn ipsec site-to-site peer 88.88.88.88 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 88.88.88.88 authentication pre-shared-secret thisisalongsecret
set vpn ipsec site-to-site peer 88.88.88.88 connection-type initiate
set vpn ipsec site-to-site peer 88.88.88.88 default-esp-group vpntunnel
set vpn ipsec site-to-site peer 88.88.88.88 ike-group vpntunnel
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 esp-group vpntunnel
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 remote prefix 192.168.1.0/24

L2TP VPN Configuration for Edgerouter Lite

L2TP VPN Configuration

set vpn l2tp remote-access client-ip-pool start 192.168.10.140
set vpn l2tp remote-access client-ip-pool stop 192.168.10.149
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "Secret"
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password test
set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access dns-servers server-1 192.168.10.1
set vpn l2tp remote-access dns-servers server-2 8.8.8.8
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

Standard configuration for Edgerouter Lite

Standard Configuration

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 description "Allow established connections"
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_IN rule 2 action drop
set firewall name WAN_IN rule 2 log enable
set firewall name WAN_IN rule 2 description "Drop invalid state"
set firewall name WAN_IN rule 2 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 description "Allow established connections"
set firewall name WAN_LOCAL rule 1 state established enable
set firewall name WAN_LOCAL rule 1 state related enable
set firewall name WAN_LOCAL rule 2 action drop
set firewall name WAN_LOCAL rule 2 log enable
set firewall name WAN_LOCAL rule 2 description "Drop invalid state"
set firewall name WAN_LOCAL rule 2 state invalid enable
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set service nat rule 5010 description "Masquerade for WAN"
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth1 address 192.168.10.2/24
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 start 192.168.10.41 stop 192.168.10.99
set service dns forwarding listen-on eth2
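As an added example (not part of the original article or of EdgeOS itself), the small linter below reads a block of EdgeOS "set" commands like the IPsec site-to-site, L2TP and standard-configuration snippets above and reports the things a reviewer would check before committing them: esp/ike groups referenced by a peer but never defined, the 3DES / SHA-1 / DH group 2 / PFS-disabled proposals, a short pre-shared secret, and a WAN_LOCAL chain that drops by default without an accept rule for IKE (udp/500), NAT-T (udp/4500) or ESP, which the remote peer needs to reach the router. The sample configuration, the WEAK table and the 16-character secret threshold are constructed for the example.

```python
import re

# Constructed sample in the style of the page's EdgeOS "set" snippets; the
# vpntunnel/FOO0 group-name mismatch mirrors a common copy-paste mistake.
SAMPLE = """
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec ike-group vpntunnel proposal 2 dh-group 2
set vpn ipsec site-to-site peer 88.88.88.88 ike-group FOO0
set vpn ipsec site-to-site peer 88.88.88.88 default-esp-group FOO0
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "Secret"
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 state established enable
"""

# Proposal settings a reviewer would flag today (assumed list for this example).
WEAK = {"encryption 3des": "3DES", "hash sha1": "SHA-1",
        "dh-group 2": "DH group 2 (1024-bit MODP)", "pfs disable": "PFS disabled"}
GROUP_DEF = re.compile(r"set vpn ipsec (esp-group|ike-group) (\S+)")
GROUP_REF = re.compile(r"set vpn ipsec site-to-site peer \S+ "
                       r"(?:tunnel \d+ |default-)?(esp-group|ike-group) (\S+)")
PSK = re.compile(r"pre-shared-secret (\S+)$")

def lint_edgeos(text):
    """Return a list of findings for a block of EdgeOS 'set' commands."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("set ")]
    findings, defined, referenced = [], {}, {}
    for l in lines:
        if m := GROUP_DEF.match(l):
            defined.setdefault(m.group(1), set()).add(m.group(2))
        if m := GROUP_REF.match(l):
            referenced.setdefault(m.group(1), set()).add(m.group(2))
        for token, label in WEAK.items():
            if l.endswith(token):
                findings.append(f"weak: {label} in '{l}'")
        if (m := PSK.search(l)) and len(m.group(1).strip('"')) < 16:
            findings.append(f"weak: pre-shared secret shorter than 16 characters in '{l}'")
    # A peer pointing at a group that is never defined will not bring the tunnel up.
    for kind in ("esp-group", "ike-group"):
        for name in sorted(referenced.get(kind, set()) - defined.get(kind, set())):
            findings.append(f"undefined {kind} '{name}' referenced by a peer")
    # IKE, NAT-T and ESP are addressed to the router itself, so they traverse WAN_LOCAL;
    # with default-action drop and only state rules, new inbound negotiations are dropped.
    vpn = any(l.startswith(("set vpn l2tp remote-access", "set vpn ipsec site-to-site")) for l in lines)
    wan_local = [l for l in lines if l.startswith("set firewall name WAN_LOCAL")]
    opens_vpn = any(re.search(r"port 4?500\b|protocol esp", l) for l in wan_local)
    if vpn and any(l.endswith("default-action drop") for l in wan_local) and not opens_vpn:
        findings.append("WAN_LOCAL drops by default but has no accept rule for udp/500, udp/4500 or ESP")
    return findings
```

Running `lint_edgeos(SAMPLE)` returns eight findings for the constructed sample; feed it the text of your own "show configuration commands" output to check a real device.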