Limit access to PPTP VPN server by IP address


I would like to limit access to a PPTP VPN server by source IP address. The server always runs on port 1723, such is PPTP.

According to the explanation in the router GUI regarding inbound firewall rules, it is NOT possible to limit access to port 1723 by source IP when the router is the VPN server.

However, if a PC on the LAN is running a VPN server, then port forwarding is needed to direct incoming requests on port 1723 and in this case, inbound firewall rules can be used to limit access by source IP address.

Is this correct?


Hi Michael,

Yes you will need to forward port 1723 in addition you will also need to forward GRE IP protocol 47 to your internal PPTP server IP.



Hi Michael,

Sorry I misread your question. Yes by using internal PPTP server you will then be able to limit access by source IP address to port 1723.



And this limiting of access by source IP (that is IP of the PPTP client, not the IP of a WAN connection) is done with an inbound firewall rule? If so, how? Do I have to set one rule that denies everyone access to port 1723 by default and then set a higher rule that says IP address is allowed into port 1723?

As to your first point, I have been running an internal PPTP server for a while based on just a single port forwarding rule. I did not forward GRE IP protocol 47. I’m not familiar with what this is. My PPTP seems to be functioning. Is this other protocol really needed?




Depends whether your default terminating policy is allow or deny all. If its allow all then you also need a rule denying access to 1723 as you suggested. If your default rule is deny all then just then only the permit rule is needed.

PPTP requires TCP port 1723 as well as GRE protocol for data. I just checked with engineering and it looks like the Peplink inspects 1723 traffic and automatically handles the GRE forwarding so you dont need to add it manually.



Ah that explains a query I had.

I only have the default inbound FW rule, which I have set to disallow and my Peplink PPTP service is still accessible from the WAN.

So I guess that this ‘hidden’ inbound FW rule means that it isn’t possible to allow access from a specific IP address or subnet? Although thinking about it would it be possible to add a rule allowing the specific required remote IP/subnet then add another rule disallowing this traffic type from anywhere. I suppose this depends on where this ‘hidden’ rule is in the ordered list of rules?



It cannot be done using the integrated PPTP server only using a LAN side PPTP server. The firewall rules only apply to traffic forwarded through Peplink.