PPTP VPN server

Your home network can be connected to an office network or another Keenetic's network via a VPN PPTP with any Internet access. The built-in PPTP server provides secure access to your home network through the Internet from your smartphone, tablet or computer from anywhere, as if you were at home. PPTP (Point-to-Point Tunneling Protocol) is the most affordable and easy way to connect to a VPN. Up to 10 clients can be connected to the built-in VPN PPTP server simultaneously.

NOTE: Important! A Keenetic device that hosts the PPTP VPN server must be connected to the Internet with a global (public) IP address, and if using the KeenDNS domain name, it must be configured in the Direct Access mode. If any of these conditions are not met, connecting to such a server from the Internet will be impossible.

To set up the server, it is necessary to install the system component 'PPTP VPN-server'. You can do it on the 'General system settings' page in the 'Updates and component options' section by clicking on the 'Component options'.


Then go to the 'Applications' page. Here you will see the PPTP VPN server panel. Click the 'PPTP VPN server' link.


Configure the server.


The 'Multiple sign-in' parameter controls the ability to establish several simultaneous connections to the server using the same credentials. This is not a recommended scenario due to the lower security level and the disadvantages in monitoring. However, during the initial configuration, or in cases where you want to allow the installation of a tunnel from multiple devices of the same user, you can leave the option enabled.
Multiple clients can be connected with one login and password, but the total number of connections cannot exceed 10.

NOTE: Important! If the 'Multiple sign-in' option is disabled, you can assign a static IP address to the PPTP client. This can be done on the PPTP VPN server configuration page in the 'Users' section.

By default, the 'With encryption only' option is enabled on the server. This means that a tunnel will use the MPPE (Microsoft Point-to-Point Encryption) data encryption protocol. The Keenetic MPPE supports a 40 (default) or 128-bit encryption key length. The MPPE provides secure data transfer for PPTP connection between the VPN client and the VPN server.

NOTE: Important! The default MPPE protocol in Keenetic's PPTP server works with a 40-bit key, then Windows OS PPTP connections by default use a 128-bit key. For more information about connecting to the Keenetic PPTP server from Windows, please see the Connecting to the Keenetic's PPTP server from Windows article.

By default, the 'NAT for clients' option is enabled in the server configuration. This setting is used to allow VPN server clients to access the Internet. In a built-in Windows client, this feature is enabled by default and when a tunnel is established, requests to the Internet will be sent through it.

NOTE: Important! If you disable the 'NAT for clients' function on the server but do not reconfigure the default routing policy in the Windows client, the Internet access may not work after the installation of the tunnel on the computer.

In server settings in the 'Network access' field, you can also specify a segment different from the Home segment, if necessary. In this case, the network of the specified segment will be available through the tunnel.

The total number of possible simultaneous connections depends on the IP address pool size setting. As with the starting IP address, it is not recommended to change this setting unnecessarily.

NOTE: Important! If the 'Start IP address' falls within the network range of the segment specified in the 'Network Access' field, the ARP-Proxy function is enabled to allow access to such VPN client from the specified local segment. For example, if the home network with a netmask of and the DHCP server setting of 'Start Pool Address':, 'IP address pool': 120 is selected, you can set the 'Start IP address' of the VPN server to, which falls in the range, and have access from the home network to the VPN clients in the same way as access to the local devices.

In the 'Users' section, select the users you want to allow access to the PPTP server and the local network. Here you can also add a new user by specifying a username and password.

After configuring the server, set the switch to the 'Enabled' state.


By clicking on the 'Connection statistics' link, you can see the connection status and additional information about active sessions.


If you want to provide clients with access not only to the local network of the VPN server but also in the opposite direction, i.e. from the network of the VPN server to the remote network of the VPN client to provide data exchange between the two sides of the VPN-tunnel, refer to the Routing networks through VPN instruction.

NOTE: Important! If you are having problems opening websites with the established connection, try manually setting the MTU on the server; for example, try values of 1460 or 1400 bytes. You can set the MTU using the CLI commands:

mtu 1400
system configuration save


TIP: Note

To connect to the server as a client, you can use:

Keenetic router - PPTP client;
Windows PC - PPTP connection in Windows;
or a mobile device.


Was this article helpful?

37 out of 48 found this helpful