How to Configure Windows PPTP VPN Client to Connect on Non-Standard Ports (1723 Alternative)



When working with multiple RRAS VPN servers behind a firewall, we often hit port conflicts with the default PPTP port 1723. The Windows built-in VPN client stubbornly insists on using this port, creating headaches when you need to:

  • Run parallel VPN servers on the same public IP
  • Implement port obfuscation for security
  • Test multiple VPN configurations in lab environments

After extensive testing across Windows XP/Server 2003 systems, I discovered this reliable registry modification:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; 0x69B = 1691 decimal
"PPTPTcpPort"=dword:0000069B

To implement:

  1. Create a .reg file with the above content (change 1691 to your desired port)
  2. Merge it into the registry
  3. Restart the RRAS service

For a typical pfSense setup forwarding to internal Server 2003 machines:

# First server (default port)
rdr pass on $ext_if proto tcp from any to $ext_if port 1723 -> 192.168.1.10 port 1723

# Second server (custom port)
rdr pass on $ext_if proto tcp from any to $ext_if port 1691 -> 192.168.1.11 port 1723

For automated connections using rasdial:

@echo off
:: Set custom port before connection
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v PPTPTcpPort /t REG_DWORD /d 1691 /f

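:: Connect VPN (username and password are placeholders; pass * as the password to be prompted instead of storing it in the script)
rasdial "VPN Connection" username password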

:: Revert to default port
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v PPTPTcpPort /f

  • This works reliably on Windows XP/Server 2003 but wasn't tested on newer systems
  • Always create a registry backup before modifying system keys
  • Remember to open both the custom TCP port and GRE (protocol 47) in firewalls
  • Some enterprise networks may block non-standard VPN ports

If connections fail after implementing this solution:

  1. Verify the registry change took effect (check with regedit)
  2. Test basic connectivity with telnet to the custom port
  3. Confirm GRE packets aren't being blocked
  4. Check RRAS logs on the server side
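
A stricter form of step 2, as an added example that is not part of the original article: telnet only shows that something accepts TCP on the custom port, while this Python script sends the PPTP Start-Control-Connection-Request (RFC 2637) and checks for a valid Start-Control-Connection-Reply, confirming that the port forward lands on a PPTP server. The host name `porttest` and the capability values are arbitrary choices made for this probe.

```python
import socket
import struct
import sys

MAGIC = 0x1A2B3C4D      # PPTP magic cookie (RFC 2637)
SCCRQ, SCCRP = 1, 2     # Start-Control-Connection-Request / -Reply
MSG_LEN = 156           # both messages are exactly 156 bytes


def build_sccrq(hostname=b"porttest"):
    """Build the first message a PPTP client sends on the control port."""
    header = struct.pack(">HHIHH", MSG_LEN, 1, MAGIC, SCCRQ, 0)
    # version 1.0, reserved, framing, bearer, max channels, firmware, host, vendor
    return header + struct.pack(">HHIIHH64s64s", 0x0100, 0, 1, 1, 0, 0, hostname, b"")


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; ValueError if it is not one."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply (%d bytes): not a PPTP listener" % len(data))
    _, msg_type, magic, ctrl_type, _ = struct.unpack(">HHIHH", data[:12])
    if (msg_type, magic, ctrl_type) != (1, MAGIC, SCCRP):
        raise ValueError("reply is not a PPTP Start-Control-Connection-Reply")
    version, result, error = struct.unpack(">HBB", data[12:16])
    host, vendor = (f.split(b"\0", 1)[0].decode("ascii", "replace")
                    for f in struct.unpack(">64s64s", data[28:MSG_LEN]))
    return {"version": version, "result": result, "error": error,
            "hostname": host, "vendor": vendor}


def handshake(sock):
    """Send SCCRQ on a connected socket and return the parsed reply."""
    sock.sendall(build_sccrq())
    with sock.makefile("rb") as reader:   # read() blocks until 156 bytes or EOF
        return parse_sccrp(reader.read(MSG_LEN))


def probe(host, port, timeout=5.0):
    """Connect to host:port (e.g. the forwarded custom port) and handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return handshake(sock)


if __name__ == "__main__":                # usage: python script.py HOST PORT
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A `result` of 1 means the server accepted the control connection. The probe only covers the TCP control channel, so the GRE check in step 3 still applies.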

When you're running multiple Windows Server 2003 RRAS VPN instances behind a firewall, you'll quickly hit the port limitation issue. The standard PPTP VPN protocol defaults to TCP port 1723, which creates a bottleneck when you need multiple VPN endpoints.

The built-in Windows VPN client (including XP and later versions) doesn't provide GUI options for port specification. Standard connection attempts like these fail:


vpn.example.com:5000
192.168.1.100:5000

The client simply ignores port suffixes and defaults to 1723.

Through extensive testing, I've found a registry modification that forces the Windows VPN client to use alternative ports:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"PPTPTcpPortOverride"=dword:00001388

This hexadecimal value (5000 in decimal) tells the VPN client to use port 5000 instead of 1723. You'll need to:

  1. Create this DWORD value if it doesn't exist
  2. Set it to your desired port number in hexadecimal
  3. Reboot the system for changes to take effect

For two VPN servers behind a firewall with ports forwarded as:


PublicIP:1723 → 192.168.1.100:1723 (Primary VPN)
PublicIP:5000 → 192.168.1.101:1723 (Secondary VPN)

You would configure two separate registry entries on client machines:


; For Primary VPN connection (default port)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"PPTPTcpPortOverride"=dword:000006bb

; For Secondary VPN connection (port 5000)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"PPTPTcpPortOverride"=dword:00001388

  • This modification affects all PPTP VPN connections from that machine
  • You'll need to toggle the registry value when switching between VPN servers
  • Create batch scripts to automate port switching:

@echo off
:: Switch to port 5000
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v PPTPTcpPortOverride /t REG_DWORD /d 0x00001388 /f
shutdown /r /t 0

While the registry method works, consider these more maintainable solutions:


  1. Use different VPN protocols (L2TP/IPsec uses UDP 500)
  2. Implement a VPN gateway that can route to multiple servers
  3. Upgrade to newer Windows versions with more flexible clients

After implementation, verify with:


netstat -ano | find "ESTABLISHED"

You should see your VPN connection established on the custom port.