VPN Features

Before I plunge into the PPTP endpoint description, let's first cover the WZR's VPN pass-through capabilities. In a nutshell, it supports multiple pass-through sessions for IPsec, L2TP and PPTP clients and also supports connection to multiple remote VPN gateways. For some reason, there's only a checkbox for IPsec passthrough on the Network Address Translation page, but Buffalo assured me that all three protocols are supported.

Figure 9 shows the controls (and defaults) for the WZR's PPTP server, which turned out to be just fine for my test using a Win XP Home SP2 client.

Note: I actually started out using the built-in External Connection wizard (accessible via a button on the Top page). But I bailed out at the Host Name Registration step because I couldn't follow the explanation of what I was supposed to enter, and just ended up entering my User account information on the PPTP Server page.

Figure 9: BuffaloTech WZR-RS-G54 PPTP server configuration

Note that the default "authentication" actually sets MS-CHAPv2 authentication and MPPE 40 / 128 bit tunnel encryption. The latter part is especially important since early PPTP implementations encrypted the authentication (login) transaction only, leaving the actual data in the VPN tunnel unencrypted. This false sense of security helped PPTP gain its reputation as a very weak "VPN" technology, which remains to this day...at least among some users.

I have to confess that I was one of those users, until I did a little research while writing this review. I've reached the conclusion that while the combination of MS-CHAPv2 / MPPE 40 / 128 isn't as secure as L2TP or IPsec - which use stronger 3DES encryption and have the option of certificate-based authentication - it's a hell of a lot easier to set up and use.

There are those who strongly feel that the words "PPTP" and "secure" should never be used together, primarily because of the reliance on passwords for authentication by most commonly-available (including Windows) PPTP clients. While it is true that PPTP (along with WEP, WPA-PSK, IPsec using pre-shared keys, etc.) can be compromised by knowledgeable people in a relatively short amount of time, PPTP certainly provides better security than using no authentication or encryption at all!

However, I strongly recommend that you do not change the WZR's defaults of MS-CHAPv2 and MPPE 40-128 to ensure the use of the strongest-available (with this product) authentication and encryption, and most importantly make sure all clients use strong user passwords. The last point is especially important since any password-based authentication scheme is subject to dictionary attacks, where encryption strength ends up being a moot point. If the PPTP client on your computer won't support MS-CHAPv2 / MPPE 40-128, then upgrade your client (or OS) or get a third-party PPTP client that does.
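The dictionary-attack point above can be checked before a password is ever assigned to a PPTP user. The following is an added example, not code from the review or from Buffalo: it flags passwords that reduce to a dictionary word and compares the remaining brute-force search space with the two MPPE key lengths. The wordlist, the substitution table and the function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a large cracking dictionary.
WORDLIST = {"password", "buffalo", "letmein", "welcome", "dragon"}
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("@43015$7", "aaeoisst")
MPPE_KEY_BITS = (40, 128)  # the two MPPE key lengths named in the review


def dictionary_hit(pw):
    """True if the password is a listed word after simple de-mangling."""
    low = pw.lower()
    stripped = low.rstrip(string.digits + string.punctuation)
    return any(c.translate(LEET) in WORDLIST for c in (low, stripped))


def search_bits(pw):
    """Brute-force search space in bits, from the character classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(ch in cls for ch in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def audit(pw):
    """Compare the guessing effort for a password with each MPPE key length."""
    hit = dictionary_hit(pw)
    bits = search_bits(pw)
    # Simplifying assumption: a dictionary hit costs the attacker ~0 bits.
    effective = 0.0 if hit else bits
    return {
        "dictionary_hit": hit,
        "search_bits": bits,
        "weaker_than_mppe": {k: effective < k for k in MPPE_KEY_BITS},
    }


if __name__ == "__main__":
    for sample in ("P@ssw0rd123!", "buffal0", "tq7#Lm2vX9rd!Zk4"):  # constructed
        print(sample, audit(sample))
```

A password that is flagged as weaker than the 40-bit setting is the weakest link no matter which MPPE key length the tunnel negotiates.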

For a good review of PPTP's past and present security capabilities see "Is PPTP Safe?". For a less-optimistic view of PPTP, you can also check out this article that describes how most implementations of PPTP are susceptible to brute-force password-cracking attacks.
