Ports

Port 1723: PPTP

Legacy VPN control channel. The data plane uses GRE and the security model is outdated.

Where you will see it: You will see this in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 1723 is used by PPTP, a legacy VPN protocol, and it shows that a port can represent only one piece of a larger tunnel. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

PPTP uses TCP 1723 for the control channel where the client and server negotiate tunnel setup and authentication. The actual user data is carried separately using GRE, which is IP protocol 47, not TCP or UDP, so a working PPTP connection typically requires both TCP 1723 and GRE to pass through firewalls and NAT.

In practice, a client first establishes the control connection to port 1723, the tunnel is created, and then PPP frames are encapsulated inside GRE for the data path. Security wise, PPTP is considered obsolete due to known cryptographic weaknesses, so seeing 1723 open often indicates legacy remote access that should be migrated to modern VPNs.

How it works in broad strokes

  1. Client connects to 1723 to set up a control session and negotiate PPP parameters.
  2. A GRE tunnel carries the encapsulated data traffic.
  3. Authentication and encryption depend on the chosen PPP mechanisms, which are weak by modern standards.

Concrete example

A remote user connects to a legacy PPTP server. The control session is on 1723, but the traffic itself is inside GRE. Many firewalls treat this combination differently, which is one reason PPTP causes support tickets.

Why it matters

PPTP matters mainly as a risk signal. Its cryptographic choices are outdated and it is widely discouraged. If you find PPTP enabled, you should assume it exists for legacy reasons and prioritize a migration to a modern VPN.

Security angle

  • Prefer modern VPNs such as WireGuard or IPsec based solutions.
  • If PPTP cannot be removed immediately, restrict it to a small internal use case and plan a timeline to retire it.
  • Monitor for connections and disable weak auth methods.

Common pitfalls

  • Assuming PPTP is secure because it is called a VPN.
  • Blocking only 1723 and forgetting GRE is required for the tunnel.
  • Leaving it enabled for compatibility long after it is needed.