The bug in the Android PPTP VPN client

Note: As of 2014/12/17 the PPTP service has been discontinued.

SecurityKISS has enabled the PPTP connection method on their servers having in mind that users may also want to securely connect from their tablets and smartphones where PPTP client software is available.

Android users make up a large share of this group. Unfortunately, the PPTP VPN client on the Android platform is flawed: if you configure your PPTP VPN with the 'Enable Encryption' option ticked in 'Properties', the connection is established but no data can be transferred, or it hangs after a short while.

This is caused by a bug in the MPPE (Microsoft Point-to-Point Encryption) implementation in the Android software. Even though PPTP VPN is advertised as a core feature of Android phones, it does not work correctly. Furthermore, the defect was detected at least 2 years ago and Google has not fixed it in any of the newer Android versions.

Although the 'Enable Encryption' option is recommended in almost all configurations, we have enabled a few SecurityKISS servers without MPPE encryption to allow Android users to use PPTP anyway.

The only thing the user (that is, anyone who wants to connect without MPPE encryption) has to do is select the proper PPTP server from the list in the client panel:

and configure their VPN connection to this server with the 'Enable Encryption' option unticked:

Technical details of the defect:

The error reported on the PPTP server side suggests that the Android PPTP client tries to negotiate an unsupported protocol:

pppd: Protocol-Reject for unsupported protocol 0xxx

but it is a misleading message, since initially the protocol is negotiated correctly and the connection is established. Only after several dozen frames have been transmitted does the error appear, and it then repeats with a different 'unsupported protocol' value in each message.

This puts the PPTP tunnel out of sync, and from that point the Android client effectively sends random octets produced by its MPPE encryption module: each garbled frame decrypts to garbage, and the first bytes of that garbage are what pppd reports as an unsupported protocol number.
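An added detection example, not from SecurityKISS or the original post: a small Python log checker that separates the pattern described above (Protocol-Reject lines whose protocol number keeps changing after MPPE came up) from a peer that genuinely offers one unsupported protocol. The pppd log lines, PIDs and protocol numbers below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample pppd syslog lines (not taken from the original page).
# Session 2231 negotiates MPPE, then rejects frames with ever-changing protocol
# numbers; session 2240 rejects the same protocol twice (a genuine mismatch).
SAMPLE_LOG = """\
Dec 10 10:00:01 vpn pppd[2231]: CHAP authentication succeeded
Dec 10 10:00:01 vpn pppd[2231]: MPPE 128-bit stateless compression enabled
Dec 10 10:00:01 vpn pppd[2231]: local  IP address 10.8.0.1
Dec 10 10:00:01 vpn pppd[2231]: remote IP address 10.8.0.42
Dec 10 10:00:09 vpn pppd[2231]: Protocol-Reject for unsupported protocol 0x4ae3
Dec 10 10:00:09 vpn pppd[2231]: Protocol-Reject for unsupported protocol 0x9d17
Dec 10 10:00:10 vpn pppd[2231]: Protocol-Reject for unsupported protocol 0x2c8b
Dec 10 10:00:10 vpn pppd[2231]: Protocol-Reject for unsupported protocol 0xe051
Dec 10 10:00:11 vpn pppd[2240]: Protocol-Reject for unsupported protocol 0x80fd
Dec 10 10:00:12 vpn pppd[2240]: Protocol-Reject for unsupported protocol 0x80fd
"""

LINE_RE = re.compile(r"pppd\[(?P<pid>\d+)\]: (?P<msg>.*)")
REJECT_RE = re.compile(r"Protocol-Reject for unsupported protocol 0x(?P<proto>[0-9a-fA-F]+)")


def classify_sessions(log_text, min_rejects=3):
    """Group Protocol-Reject lines per pppd session (keyed by PID) and classify each.

    Returns {pid: "mppe-desync" | "unsupported-protocol" | "inconclusive"}.
    "mppe-desync": MPPE was enabled and at least min_rejects rejects carry
    differing protocol values (each frame decrypts to different garbage).
    "unsupported-protocol": every reject names the same protocol number.
    """
    rejects = defaultdict(list)   # pid -> list of rejected protocol numbers
    mppe_enabled = set()          # pids whose session logged an MPPE line
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("MPPE "):
            mppe_enabled.add(pid)
        r = REJECT_RE.search(msg)
        if r:
            rejects[pid].append(int(r.group("proto"), 16))
    verdict = {}
    for pid, protos in rejects.items():
        distinct = len(set(protos))
        if distinct > 1 and len(protos) >= min_rejects and pid in mppe_enabled:
            verdict[pid] = "mppe-desync"
        elif distinct == 1:
            verdict[pid] = "unsupported-protocol"
        else:
            verdict[pid] = "inconclusive"
    return verdict
```

On a real server the same check can be run over /var/log/messages (or wherever pppd logs) to spot Android clients that connected with encryption enabled, rather than waiting for them to report a hung tunnel.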