I'll briefly explain an easy tip to change the default TCP 1723 port of a PPTP server.
Because TCP port 1723 is an easy target for network scanners, it may prove useful to move the PPTP server's listening port to a private-range port, well hidden in the dark.
Linux will be used for the PPTP client, as it allows easy manipulation of network ports using iptables.
I'm using a Raspberry Pi as the PPTP server here, but any OS will work.
I'll use TCP port 57594 throughout this post as an example; do choose your own private-range port (49152 to 65535).
PPTP client used: Debian 7.5 LXDE
Edited July 8 2014
1. PPTP Server Setup
The PPTP server setup is quite simple: as the server most likely sits behind an upstream router, we will just use the port-forwarding options of that router to do the tweak:
we'll forward TCP port 57594 to TCP port 1723 on the PPTP server.
2. PPTP Client Setup
The PPTP client tweak is very easy: we'll just create an iptables rule that uses the nat table to change the outgoing port:
sudo iptables -t nat -I OUTPUT -p tcp --dport 1723 -j DNAT --to-destination :57594
(This is not persistent; a script is needed to automate it.)
3. Global Picture, and Additional Considerations
Here is the global picture:
As always with PPTP, the heart of the matter remains the Internet Gateway 1 / ISP 1 / ISP 2 / Internet Gateway 2 path and the way each of them handles the GRE protocol. Wireshark is of great help in troubleshooting any problems.
4. PPTP Server Port Translation
For the sake of clarity, here is how to have the port translation performed directly by the PPTP server.
The iptables tweak on the server side will be:
sudo iptables -t nat -I PREROUTING -p tcp --dport 57594 -j REDIRECT --to-ports 1723
(Again, this is not persistent; a script is needed to automate it.)
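The script that both "not persistent" notes above call for, as an added example that is not part of the original post: it re-applies the client or server rule and checks with `iptables -C` first, so running it at every boot never stacks duplicate rules. The function names, the `IPTABLES` override and the `-d SERVER_IP` scoping on the client rule are assumptions added here.

```shell
#!/bin/sh
# Added example: idempotent re-application of the post's two NAT rules.
# Run as root. IPTABLES can be overridden (assumption, useful for dry runs).
IPTABLES="${IPTABLES:-iptables}"
PPTP_PORT=1723

# Accept only ports in the private range the post recommends (49152-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Client side: rewrite outgoing TCP 1723 to the custom port.
# Scoping with -d SERVER_IP is an addition to the post's rule, so that
# connections to other hosts on port 1723 are left untouched.
client_rule() {
    echo "OUTPUT -p tcp -d $1 --dport $PPTP_PORT -j DNAT --to-destination :$2"
}

# Server side: redirect the custom port to the local PPTP daemon.
server_rule() {
    echo "PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $PPTP_PORT"
}

# Insert a nat-table rule only if an identical one is not already present.
# $1 is a rule spec from client_rule/server_rule (word-split on purpose).
ensure_rule() {
    "$IPTABLES" -t nat -C $1 2>/dev/null && return 0
    "$IPTABLES" -t nat -I $1
}

# Usage: script client SERVER_IP PORT | script server PORT
main() {
    case "$1" in
        client) valid_port "$3" || { echo "bad port: $3" >&2; return 2; }
                ensure_rule "$(client_rule "$2" "$3")" ;;
        server) valid_port "$2" || { echo "bad port: $2" >&2; return 2; }
                ensure_rule "$(server_rule "$2")" ;;
        *)      echo "usage: $0 client SERVER_IP PORT | server PORT" >&2
                return 2 ;;
    esac
}

# Act only when called with a mode, so the file can also be sourced.
case "${1:-}" in client|server) main "$@" ;; esac
```

Call it with `client SERVER_IP 57594` on the client or `server 57594` on the server from whatever boot-time hook the system provides.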