From Telecomix Crypto Munitions Bureau
There are two articles describing how to set up a PPTP router.
- Linux as a PPTP-router.
- OpenWRT as a PPTP-router. (Unfinished guide; use your own wits to make it work :)
Security and PPTP
There are multiple security weaknesses in PPTP that you should be aware of:
The Telecomix Crypto Munitions Bureau held a conference about cryptography/security/politics where an agent described a set of security vulnerabilities that affected users/customers of PPTP, Relakks, IPREDATOR and many more VPN providers. The flaw was covered in the media by Slashdot, Wired and TorrentFreak, among others. You can see the movie here.
Basically, these are the vulnerabilities that were presented:
- The crypto is weak. It is possible to crack the authentication & key exchange protocol when you connect. If you are using IPREDATOR or RELAKKS from outside of Sweden, it is possible that FRA is wiretapping you. (According to Swedish law they are allowed to do that.)
- If the connection to your PPTP-provider goes through any country with equally insane wiretapping laws, you risk the same treatment.
- Once users have logged in to RELAKKS/IPREDATOR, they will be able to see each other as if they were on the same LAN segment.
- Windows shares will be visible. This leaks info about who you are. If you are not using Windows, you will pretty much be the only one that does not share Windows info with others.
- MAC addresses are sometimes visible. If you want to, you can replace your MAC address with a random one each time you restart your computer.
- It is plausible that anti-piracy groups collect info about who users are by harvesting this type of info.
- IPv6 is not tunneled through the VPN. If you connect to anything that has an IPv6 address, you will be exposed. It might be a good idea to turn IPv6 off.
- Anti-piracy groups have used this technique to track users hiding behind PPTP-providers. Torrent nodes publish IPv6 addresses, and then collect data about who the other users in the swarm are.
- This does not mean that IPv6 is bad. It just means that most software is insanely naïve and insecure by default. Go cipherspace instead of trying to hide on the vanilla internets!!
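To check whether your own machine has the IPv6 problem described above, you can look for IPv6 routes that leave through anything other than the tunnel interface. The script below is an added example, not part of the original guide; the interface name ppp0 and the sample routing tables are assumptions constructed for illustration, in the format printed by `ip -6 route show`.

```shell
#!/bin/sh
# Added example. Input: text in the format printed by `ip -6 route show`.
# The tunnel interface name (ppp0) is an assumption; use your own.

# Print every IPv6 route that would carry traffic outside the tunnel.
ipv6_leak_routes() {
    awk -v tun="$1" '
        # Link-local and multicast stay on the link; unreachable routes drop traffic.
        $1 ~ /^fe80:/ || $1 ~ /^ff/ || $1 == "unreachable" { next }
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "" && dev != "lo" && dev != tun) print
        }'
}

# Succeed only if no route on stdin bypasses the tunnel interface.
ipv6_contained() {
    [ -z "$(ipv6_leak_routes "$1")" ]
}

# Constructed sample: dual-stack LAN on eth0, PPTP tunnel up on ppp0 (IPv4 only).
SAMPLE_LEAKY='2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium'

# Constructed sample: global IPv6 addressing removed, only link-local remains.
SAMPLE_QUIET='fe80::/64 dev eth0 proto kernel metric 256 pref medium'

for name in SAMPLE_LEAKY SAMPLE_QUIET; do
    eval "routes=\$$name"
    if printf '%s\n' "$routes" | ipv6_contained ppp0; then
        echo "$name: no IPv6 route bypasses ppp0"
    else
        echo "$name: IPv6 bypasses ppp0 via:"
        printf '%s\n' "$routes" | ipv6_leak_routes ppp0 | sed 's/^/    /'
    fi
done
# Live use: ip -6 route show | ipv6_leak_routes ppp0
```

Any line printed for the live routing table means IPv6 traffic goes out beside the tunnel; empty output means no such route exists.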