Enable PPTP VPN on FortiOS 4.x

This tutorial shows how to enable the PPTP VPN feature on Fortinet devices running FortiOS 4.0 and later.

Full VPN configuration on Fortigate devices (site-to-site, SSL VPN, …) will be covered in separate posts. This post covers only the steps needed to enable PPTP.

After upgrading your Fortigate to FortiOS 4.0, the theme colour changes (quite a visual change), and PPTP VPN for clients disappears: there is no PPTP option in the VPN section of the GUI.

This is a problem when you have many existing remote users who rely on PPTP VPN to connect to work. With PPTP, Windows, Linux, and macOS users can easily create a VPN connection and connect to the corporate network.

On FortiOS 4.0, PPTP VPN must be enabled from the CLI (command line interface). A CLI connection to a Fortigate device can be established over the serial port, Telnet, or SSH. Telnet is less secure than SSH because it sends everything in plain text, including your password.

Summary of steps

  • Enabling Telnet or SSH on Fortigate OS 4.0
  • Creating a user group for VPN authentication
  • Enabling and configuring PPTP VPN

Step-by-step guides

Enabling Telnet or SSH on Fortigate OS 4.0

Go to the Fortigate dashboard

  • Select tab System –> Network –> Interface

Enable SSH on Fortigate

  • In the right-hand pane, select the interface you will connect through and click Edit
  • Tick the checkbox of Telnet or SSH, or both

Enable SSH on Fortigate interface

Telnet is not secure
Make sure you understand the risks of enabling Telnet on your devices. In particular, enabling Telnet or SSH on an internet-facing interface exposes your network to a constant stream of break-in attempts.
  • Click OK to go back to the Interface screen

Your interface now has Telnet and SSH enabled

Creating a user group for VPN authentication

To connect to the VPN using PPTP, end users must have valid credentials (username and password). The account can live in the local Fortigate user database or in Active Directory. In this tutorial, I assume you will use the local user database to authenticate VPN users.

Follow these steps in your SSH session to create a user account and a group.

Create new user account

PLAINTUTFW01 # config user local
PLAINTUTFW01 (local) # edit client01
new entry 'client01' added
PLAINTUTFW01 (client01) # set status enable
PLAINTUTFW01 (client01) # set type password
PLAINTUTFW01 (client01) # set passwd Myn3w-password
PLAINTUTFW01 (client01) # end

Follow these steps to create a new group, add the user as a member, and set the group type so it can be used for VPN authentication.

Create group for VPN PPTP

PLAINTUTFW01 # config user group
PLAINTUTFW01 (group) # edit VPN-Users
PLAINTUTFW01 (VPN-Users) # set member client01
PLAINTUTFW01 (VPN-Users) # set group-type firewall
PLAINTUTFW01 (VPN-Users) # end

Enabling and configuring PPTP VPN

To enable PPTP VPN on FortiOS 4.x, follow these steps:

Enable PPTP VPN on FortiOS 4.x

PLAINTUTFW01 # config vpn pptp
PLAINTUTFW01 (pptp) # set sip 192.168.100.10
PLAINTUTFW01 (pptp) # set eip 192.168.100.50
PLAINTUTFW01 (pptp) # set ip-mode range
PLAINTUTFW01 (pptp) # set status enable
PLAINTUTFW01 (pptp) # set usrgrp VPN-Users
PLAINTUTFW01 (pptp) # end

sip and eip define the IP range assigned to PPTP VPN clients. The first IP of the range, 192.168.100.10 in this case, is assigned to the Fortinet box; the remaining addresses in the range are assigned to VPN clients.

set ip-mode range tells the Fortigate to use the sip and eip range defined above.

set usrgrp VPN-Users binds the group we created above to the PPTP VPN settings. client01, as a member of VPN-Users, can now connect to the box using PPTP VPN.

Your box is now ready to accept PPTP connection requests from clients.

Do not forget policies
You need to create a firewall policy to allow PPTP clients to access your internal network.

If your clients use the built-in PPTP client of Windows, Mac, … then all of their traffic is sent to the Fortigate and routed from there to the internet or the corporate network.
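As an added example (not from the original post), here is the CLI form of that firewall policy step, using the PPTP pool configured above (192.168.100.10 to 192.168.100.50). The interface names wan1 and internal and the address-object name PPTP_Clients are assumptions; the service object is named ANY on FortiOS 4.x.

```text
# Assumptions: PPTP terminates on wan1, the LAN is on internal.
config firewall address
    edit "PPTP_Clients"
        set type iprange
        set start-ip 192.168.100.10
        set end-ip 192.168.100.50
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "PPTP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
```

Only the VPN pool is allowed as source, so a host that is not a PPTP client gets no access from this policy, and logtraffic keeps the clients' sessions visible in the traffic log. Internet-bound traffic from the clients (the case described just above) needs a separate policy from wan1 back out to wan1 with NAT enabled.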


About The Author

Hao Nguyen

Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in Houston. I enjoy writing technical documents and blogs, such as PlanTutorials.com.

6 Comments

  1. igor says:

    Hi, thanks for the above tutorial. It worked!! There is only one issue I am having: I am unable to resolve any DNS names. Is there something specific I need to set up to allow DNS resolution?

    • Hao Nguyen says:

      Hi Igor,

      There is no option to assign DNS settings automatically to PPTP clients when they connect to the Fortigate PPTP VPN. So the burden shifts to the clients when you set up VPN connections for them. I assume that you have an internal DNS server that resolves your internal domain name and external domain names (using a forwarder); for example, your internal DNS server IP is 192.168.1.1 and your local domain name is testdomain.local.

      On the VPN connection of each client, go to Networking –> TCP/IP v4 Properties –> Advanced, and select the DNS tab.
      Add 192.168.1.1 as the DNS server and testdomain.local as the "DNS suffix for this connection".

      You have to do this on each client. When they connect to your network using this VPN connection, they will be able to resolve AnyServerName from your internal network (instead of typing the full AnyServerName.testdomain.local), and they can access the internet as well (through your local DNS server).

      Hope it works for you.

  2. Edwin says:

    Thanks Nguyen for the helpful post. I can open a window from the remote LAN, but cannot do a ping. Would you be able to advise?

    • Hao Nguyen says:

      Hi Edwin,

      After you have successfully connected to the firewall with PPTP, the next step is to configure the ROUTING policy and the FIREWALL policy. The routing policy lets the firewall and your internal network devices understand the new subnet of the PPTP clients. The firewall policy controls what types of traffic are allowed to and from the PPTP clients.

      Hao

  3. Carlos Marquez says:

    I followed your steps and got it all working, but can you show me how to configure it to authenticate with AD? I can authenticate with AD but only with SSL, not PPTP, and I want to use the Windows client.

    • Hao Nguyen says:

      Hi Carlos,

      Sorry for the late response.
      To configure PPTP VPN to authenticate with Active Directory, you need to use this command in the firewall SSH console:
      set usrgrp "GroupName"

      Here is the full code sample that enables PPTP and authenticates using GroupName.
      config vpn pptp
      set status enable
      set eip 192.168.0.70
      set sip 192.168.0.10
      set usrgrp "GroupName"
      end

      Where GroupName is the user group that you defined under the menu User –> User Group.
      Within that menu, you can set this GroupName to use local accounts (stored on the Fortigate) or Windows accounts from a RADIUS server that is part of your domain. This RADIUS server allows you to authenticate domain users. You need to learn how to configure a RADIUS server on Windows Server; it's pretty simple.

      Hope it helps.
      Hao Nguyen
