Windows 11 broken VPN client (PPTP) workaround

johnpfoley
DD-WRT Novice


Joined: 25 Jun 2018
Posts: 12

PostPosted: Sat May 20, 2023 6:24    Post subject: Windows 11 broken VPN client (PPTP) workaround
Changes to the Windows 11 built-in VPN support have caused breakage with all kinds of applications including DD-WRT. For the past five months since I got a Windows 11 machine I have tried all the solutions (dozens posted everywhere), none of which would allow a successful connection from a Win 11 client to the built-in PPTP VPN server on DD-WRT (I hear people saying, "deprecated PPTP is, use it not you must!" in the voice of Yoda).

But today I figured it out. Microsoft broke the handshake in their VPN client and the solution is to change two hidden properties on the VPN connections via Group Policy editor. The two properties have to do with netbios over DNS, but that's not important... you make the changes, reboot the machine, create a new VPN connection object, and there is at least one combination of parameters that will connect to dd-wrt.

the microsoft workaround

https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/dev-channel-build-25284-vpn-known-issue/11b04abe-2678-4498-905e-356b02811668

It requires gpedit.msc. If you have windows home edition you will need to use a script to install it from the microsoft cabs, several of which are available. I used one from the majorgeeks site.

The combination of settings on the connection that allowed me to connect to dd-wrt are:

Type of VPN: Point to Point
Encryption: Require Encryption
EAP: disabled
PAP: enabled
CHAP: enabled
MSCHAPv2: enabled
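As an added example (not from the post, and not DD-WRT or Microsoft code), here is the same connection object created from PowerShell with the parameter combination listed above, then read back to confirm what Windows actually stored; the connection name and server address are placeholders.

```powershell
# Added example: script the "new VPN connection object" step from the post
# with the exact parameter combination reported to work, then verify it.
# Assumptions: $Name and $Server are placeholders; the Group Policy change
# from the Microsoft workaround has already been applied and the box rebooted.
$Name   = 'DD-WRT PPTP'            # placeholder connection name
$Server = 'vpn.example.invalid'    # placeholder: the router's WAN address

# Remove a stale object of the same name so old settings are not masked
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# Type of VPN: Point to Point (PPTP); Encryption: Require Encryption;
# EAP disabled; PAP, CHAP and MSCHAPv2 enabled, as listed in the post.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType Pptp `
    -EncryptionLevel Required `
    -AuthenticationMethod Pap, Chap, MSChapv2 `
    -RememberCredential:$false

# Verify the stored values rather than trusting the GUI checkboxes:
# the workaround only helps if the object really carries these settings.
$c = Get-VpnConnection -Name $Name
$expectedAuth = @('Pap', 'Chap', 'MSChapv2')
$ok = ($c.TunnelType -eq 'Pptp') -and
      ($c.EncryptionLevel -eq 'Required') -and
      (-not (Compare-Object $c.AuthenticationMethod $expectedAuth))
if (-not $ok) {
    throw "VPN connection '$Name' does not carry the expected settings"
}
$c | Format-List Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
```

Run it in an elevated PowerShell session; the final Format-List shows the fields to compare against the list above if the connection still fails.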
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

PostPosted: Sat May 20, 2023 9:42    Post subject: Re: Windows 11 broken VPN client (PPTP) workaround
johnpfoley wrote:
the microsoft workaround

https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/dev-channel-build-25284-vpn-known-issue/11b04abe-2678-4498-905e-356b02811668

It requires gpedit.msc. If you have windows home edition you will need to use a script to install it from the microsoft cabs, several of which are available. I used one from the [url=https://www.majorgeeks.com/mg/getmirror

Group Policy Editor changes can usually be done via the registry. The following 2 links might do the same, but I have never tried them. I think you can alter NetBIOS over TCP/IP directly via Network Adapter settings.

Vulnerabilities in security configuration on your Windows machines should be remediated - Turn off multicast name resolution - Microsoft Q&A
https://learn.microsoft.com/en-us/answers/questions/1032979/vulnerabilities-in-security-configuration-on-your

How to Disable NetBIOS and LLMNR Protocols in Windows Using GPO? | Windows OS Hub
https://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
johnpfoley
DD-WRT Novice


Joined: 25 Jun 2018
Posts: 12

PostPosted: Sat May 20, 2023 14:58    Post subject: Re: Windows 11 broken VPN client (PPTP) workaround
mwchang wrote:
Group Policy Editor changes can usually be done via the registry. The following 2 links might do the same, but I have never tried them. I think you can alter NetBIOS over TCP/IP directly via Network Adapter settings.

I am assuming microsoft's decision to publish the workaround as a GP fix is that the potential damage done by mistake is less using GPEDIT than REGEDIT? But guessing why MS does anything is a sport not a science.

I can verify that the local GP changes do fix the problem connecting to DD-WRT, which was my reason for posting this. I am not arguing the wisdom of closing security gaps, only pointing out that Microsoft broke something that has worked for more than a decade in doing so, and that there is a workaround to deal with it if necessary.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Sat May 20, 2023 15:31    Post subject:
Which Is the Best VPN Protocol? PPTP vs. OpenVPN vs. L2TP/IPsec vs. SSTP

Quote:
Don’t use PPTP. Point-to-point tunneling protocol is a common protocol because it’s been implemented in Windows in various forms since Windows 95. PPTP has many known security issues, and it’s likely the NSA (and probably other intelligence agencies) are decrypting these supposedly “secure” connections. That means attackers and more repressive governments would have an easier way to compromise these connections.

Yes, PPTP is common and easy to set up. PPTP clients are built into many platforms, including Windows. That’s the only advantage, and it’s not worth it. It’s time to move on.

In Summary: PPTP is old and vulnerable, although integrated into common operating systems and easy to set up. Stay away.


What Is the Best VPN Protocol? OpenVPN vs. WireGuard vs. SSTP and More

Quote:
From some of the better VPN protocols out there, we go to probably one of the worst available. Point-to-point tunneling protocol (PPTP) is a VPN protocol dating from the nineties—ancient in tech terms—which is not particularly secure and incredibly slow.

It’s generally not used anymore as it’s obsolete, but for some reason some VPNs still offer it. Whatever you do, don’t use PPTP—especially if you’re doing anything sensitive like using BitTorrent to download files or tunneling out of China.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
johnpfoley
DD-WRT Novice


Joined: 25 Jun 2018
Posts: 12

PostPosted: Sat May 20, 2023 16:06    Post subject:
Quote:
What Is the Best VPN Protocol? OpenVPN vs. WireGuard vs. SSTP and More

That is a reasonable question when you are starting from scratch or planning an upgrade, but not the only question.

If you go to help someone with a problem, do you say "I can't help you because you don't have emacs or notepad++ installed, so we have to install it first"?

You could just as easily ask the question, if PPTP is so awful, why doesn't DD-WRT remove it in all future builds?

The issue is backwards compatibility and solving problems with what is available, not the choice of new solutions.

If you need to solve some reasonably secure remote access, then using software that is on every machine already should be considered. Insisting that someone choose a package, download and install it, and now have to support it in the future to do something that is already built into the standard OS should not be the default position; using what is already there should be considered, particularly for low impact/low security applications. Even more so when it is a standard part of the platform.

I applaud DD-WRT for having built in OPEN-VPN support, however that does nothing to ease the implementation for the plethora of windows machines out there as neither DD-WRT nor windows can (by default) create the certificates to make it work nor does windows come with an openvpn client built in. You used to be able to set up a PPTP connection in a couple of minutes until microsoft broke their client.

Similarly, if you want to run car diagnostics programs, good luck getting them to run on a modern operating system; many car manufacturers' diagnostic suites will not run on a current version of operating systems (several only work on Windows XP). They are not spending a lot of effort and money trying to keep up with Microsoft. Deprecated or not, there are still times when you have to use Windows XP, Windows 7, and other deprecated technology. Why? Because progress that doesn't maintain good backward compatibility causes other products to fail, and that makes the people supporting them less willing to use new versions until they absolutely have no other choice.

Microsoft broke backward compatibility in their VPN client. This is a workaround. That's all.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat May 20, 2023 16:36    Post subject:
If you want easy setup, secure and fast consider using WireGuard:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

It is being discussed to remove PPTP to make room for other things (not only discussed at DD-WRT but also other third party firmwares).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
johnpfoley
DD-WRT Novice


Joined: 25 Jun 2018
Posts: 12

PostPosted: Sat May 20, 2023 16:57    Post subject:
egc wrote:
It is being discussed to remove PPTP to make room for other things (not only discussed at DD-WRT but also other third party firmwares).

That is understandable.

My question would be does wireguard (or some other VPN component being added to DD-WRT) provide the same capability for full function linkage from one DD-WRT network (site if you will) to another DD-WRT network without adding additional components and support the same capabilities that a PPTP link between two DD-WRT routers does currently?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sat May 20, 2023 17:04    Post subject:
Looks like someone hasn't looked around much in the forum, especially the stickies in THIS forum. WG offers point to point functionality, so does OVPN. WG is newer and faster and has matured over the past, what, couple of years or so? I have a feeling that all devices that can run a kernel ≥ 3.10.x will now have WireGuard across the board, at the very least, if they aren't already there. Of course, older Linux 2.4, 2.6, 3.2, and 3.5 devices may have to retain PPTP unless there are plans to port 3.10.x to them.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
johnpfoley
DD-WRT Novice


Joined: 25 Jun 2018
Posts: 12

PostPosted: Sat May 20, 2023 17:18    Post subject:
kernel-panic69 wrote:
Looks like someone hasn't looked around much in the forum, especially the stickies in THIS forum. WG offers point to point functionality, so does OVPN. WG is newer and faster and has matured over the past, what, couple of years or so? I have a feeling that all devices that can run a kernel ≥ 3.10.x will now have WireGuard across the board, at the very least, if they aren't already there. Of course, older Linux 2.4, 2.6, 3.2, and 3.5 devices may have to retain PPTP unless there are plans to port 3.10.x to them.


Actually I was reading the posts about limitations, issues crossing double NAT, routing, etc. as well as problems people experienced in implementing it. I have not seen anywhere that says it is as compatible and functional as openvpn, only that it is much faster and potentially less anonymous.