Is there any way to hide the RED comment?

After upgrading to 7.2.3 from v6, I noticed all of my PPTP connections topped with red messages saying

PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead

whether in winbox or terminal.

I know PPTP is insecure, but a large number of my clients’ embedded devices require VPN and PPTP is the only supported protocol, so for now I have to suffer a full window of red messages, which is really annoying and distracting.

Is there any way to hide those red messages? Or any plan to make it be able to if it’s not yet?

Thanks.

Yes, use a more modern VPN protocol instead

Time to start upgrading older hardware.

So there is no plan to make this message hide-able in the future?
Or any plan to remove pptp totally in the future?

Time is not the problem. Money is.

Using, for example, SSTP requires no money…

Like I said, my clients are using dedicated embedded devices. No one will develop an SSTP stack for it for free as far as I know.

But do you know precisely how insecure it is? Anyone who can MITM the connection can break it in under a day with decade-old cracking technology.

The MITM step isn’t a huge hurdle. There are several available methods, all of which are reduced to freely-available tools. Since the best method for avoiding MITM is to encapsulate the traffic in a properly-designed secure tunnel — TLS, SSH, proper VPN, etc. — the argument that MITM isn’t a concern falls in on itself when it comes to questions such as this thread’s.

PPTP is really really really bad!


a large number of my clients’ embedded devices require VPN

How about you draw out the network design, and let us come up with a workable migration plan for you? The only way PPTP is your only feasible option is if you’re about to go out of business. By putting your trust in PPTP, you’re risking that already.


my clients are using dedicated embedded devices. No one will develop a SSTP stack for it for free

Ship each site a pre-configured hEX or similar to terminate a proper VPN tunnel. For instance, a site-to-site WireGuard tunnel, which can be port-forwarded through a NAT layer. That’ll solve your PPTP problems for very little money compared to the company-ending liability risk you’re taking on by not doing something like this.

If the devices won’t talk over anything but PPTP, you can still tunnel PPTP through the outer tunnel. It’d be inefficient, but it’d work.


I have to suffer full window of red messages which is really annoying and distracting.

How much suffering, annoyance, and distraction do you suppose you’re in for if someone decides to start cracking your PPTP tunnels?

You don’t get a choice between zero annoyance and some annoyance. You only get a choice of which bag-of-annoyance you’re willing to pick up. Passively avoiding the choice is still a choice, because it merely means someone else gets to decide which bag-of-annoyance to hand you.


Time is not the problem. Money is.

Do you suppose cleaning up after a successful attack will be cost-free?
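The site-to-site WireGuard design proposed above, written out as an added RouterOS 7 configuration (not from any poster in this thread). All key strings, the 10.255.0.0/24 tunnel range, the two LAN ranges and HUB_PUBLIC_IP are placeholders.

```routeros
# --- Hub: the core router that today terminates the PPTP tunnels ---
# Omit private-key and RouterOS generates one; read the public key with /interface/wireguard print
/interface/wireguard add name=wg-sites listen-port=13231 private-key="<HUB_PRIVATE_KEY>"
/ip/address add address=10.255.0.1/24 interface=wg-sites
# One peer entry per site: allowed-address lists the site's tunnel IP and its LAN
/interface/wireguard/peers add interface=wg-sites public-key="<SITE1_PUBLIC_KEY>" allowed-address=10.255.0.2/32,192.168.101.0/24 comment="site1"
/ip/route add dst-address=192.168.101.0/24 gateway=wg-sites
# Only UDP/13231 is exposed on the public side; these input rules must sit before any catch-all drop
/ip/firewall/filter add chain=input protocol=udp dst-port=13231 action=accept comment="WireGuard handshakes"
# The PPTP service keeps running, but the control channel (TCP/1723) and GRE are
# accepted only when they arrive inside the WireGuard tunnel, never from the internet
/ip/firewall/filter add chain=input in-interface=wg-sites protocol=tcp dst-port=1723 action=accept comment="PPTP only inside WireGuard"
/ip/firewall/filter add chain=input in-interface=wg-sites protocol=gre action=accept comment="PPTP GRE only inside WireGuard"
/ip/firewall/filter add chain=input protocol=tcp dst-port=1723 action=drop comment="no PPTP from the internet"
/ip/firewall/filter add chain=input protocol=gre action=drop comment="no GRE from the internet"
# If the hub itself sits behind a NAT box, forward UDP/13231 on that box, e.g. on a RouterOS NAT device:
# /ip/firewall/nat add chain=dstnat protocol=udp dst-port=13231 action=dst-nat to-addresses=<HUB_LAN_IP> to-ports=13231

# --- Site 1: the pre-configured hEX dropped in front of the embedded devices ---
# It only initiates towards the hub, so the customer's NAT needs no port forward at all
/interface/wireguard add name=wg-hub listen-port=13231 private-key="<SITE1_PRIVATE_KEY>"
/ip/address add address=10.255.0.2/24 interface=wg-hub
# persistent-keepalive keeps the NAT mapping open so the hub can reach the site LAN
/interface/wireguard/peers add interface=wg-hub public-key="<HUB_PUBLIC_KEY>" endpoint-address=<HUB_PUBLIC_IP> endpoint-port=13231 allowed-address=10.255.0.0/24,192.168.100.0/24 persistent-keepalive=25s comment="hub"
/ip/route add dst-address=192.168.100.0/24 gateway=wg-hub
# The embedded devices stay untouched: they use the hEX as their default gateway and
# keep dialling PPTP, now against the hub's tunnel address 10.255.0.1, so their
# PPTP/GRE traffic is carried inside WireGuard instead of crossing the internet in the clear.
```

The hub-side drop rules are what actually removes the exposure: once they are in place, a PPTP session that has not first authenticated through WireGuard cannot even reach the control port.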

@tangent
I perfectly agree

Nothing insecure with PPTP if using correct encoding like EAP / PEAP / EAP-TLS etc. The problem is that ROS lacks support for these in the current implementation. I know plenty of old installations of PPTP (as well as IE6!) in corporate environments that for various reasons are still up and running but have been secured using modern encoding.

But in general and if possible I would advise to change to WireGuard (SOHO) or IPsec/IKEv2 (business env).

EDIT:
Another reason to change from PPTP is that it depends on GRE, which nowadays is often filtered in public hot spots, hotels, satellite links, etc.

So generally there is no way to hide those red messages for now and in the future, right?

I’d bet the OP’s embedded devices lack support for that as well. He doesn’t read as one who’s likely to run a proper PKI.

well… 1+1=2… :laughing:

I wonder if the reason RouterOS doesn’t bother supporting that is that the underlying MPPE protocol tops out at 128-bit RC4. All adding EAP-TLS does here is secure the authentication layer, effectively replacing a potentially weak CHAP password with a 128-bit random key. That’s better, but is it “better enough” in the modern environment? That level of tech is what WEP and WPA-TKIP were based on, both now considered insecure. RC4 is outright banned in modern TLS.

The nice thing about TLS-based VPN technologies like SSTP and OpenVPN is that you can at least apply restrictions like “TLS v1.2 and up” to track evolving security risks such as these.

I think some use cases of PPTP are not deployed trying to reach confidentiality and integrity goals.

Sometimes PPTP is simply used to overcome some obstacles in connectivity, but the traffic passing across it is already encrypted because it is intended to work across the internet without any additional protection.

In some cases people often establish PPTP without any encryption to speed it up.

Of course only for internet traffic passing by, no private, corporate or sensitive traffic.

Most internet traffic is already protected to achieve confidentiality and integrity.

If you are fully aware of the risk, it is your decision.

Of course MikroTik has to make the risk very clear to avoid future problems, because when an attack or a breach becomes publicly known, the involved vendor’s reputation gets affected.

Because of that they put that red flag that is impossible to ignore, and I agree with that.

If you are trying to hide that from your customer, that is a bad thing; that is why these red flags exist.

Yes our use case is exactly like what you’ve mentioned.
We use PPTP to link multiple devices into the same LAN and payloads are already encrypted with TLS. Security is not a concern of the tunnel.
My customers know nothing about the core router. I just want to make my backend clean and easier for me to concentrate on, like it was back in v6.
It’s still alright if it can’t be hidden since it’s not intolerable.
Thanks.

Using EoIP is much better than using PPTP for such purpose. Don’t use PPTP to just link networks

That, or ZeroTier.

PPTP is the only supported protocol

The OP wrote the above line in his first message. Since then, almost everyone is trying to convince him to use anything other than PPTP. Am I missing anything?

That being said, I both understand “why” there are red messages and why the OP is annoyed.
Wouldn’t it be possible for Mikrotik to add to the message something like “[current message] Use PPTP at your own risks. You can disable this warning in the preferences. Note that PPTP is deprecated for security reasons and will be removed in a future release.”

You miss comment like this:

Ship each site a pre-configured hEX or similar to terminate a proper VPN tunnel. For instance, a site-to-site WireGuard tunnel, which can be port-forwarded through a NAT layer. That’ll solve your PPTP problems for very little money compared to the company-ending liability risk you’re taking on by not doing something like this.

If your equipment only supports PPTP, get rid of it or add a box in front of it that does support more secure communication.