This is a quick guide on how to install VPN server based on Windows Server and configure it. All the actions described in this article were performed on Windows Server 2016, but the instruction is suitable for any modern Windows Server operating system (starting from Windows Server 2008 R2 and ending with Windows Server 2016).
So, let’s begin! The first thing we need to do is setup the Remote Access role. To do this, in the Server Manager snap-in, run the Add Roles Wizard and select the Remote Access role with all the additional features.
Then, in the list of services for this role, select DirectAccess and VPN (RAS).
In addition to the Remote Access role and management tools, the IIS web server and the Windows Internal Database (WID) will also be installed. A complete list of installed features can be viewed in the final wizard window, before you confirm the installation.
Installing the Remote Access role along with all the necessary features is much faster with PowerShell. To do this, open the PowerShell console with administrator privileges and execute the command:
Install-WindowsFeature -Name DirectAccess-VPN -IncludeAllSubFeature -IncludeManagementTools
After installing the role, you need to enable and configure the service using the Routing and Remote Access snap-in. To open it, enter the rrasmgmt.msc command.
In the RRAS snap-in, select the server name, right click and select Configure and Enable Routing and Remote Access in the opened menu.
In the configuration wizard, select Custom configuration item.
Tick VPN access option in the list of services.
After that, the system will prompt you to start the Routing and Remote Access service.
After that the VPN service is installed and enabled, now it is necessary to configure it in the way we need. Again, open the server menu and select Properties item.
Click the IPv4 tab. If you do not have a DHCP server on your network, you need to specify the range of IP addresses that clients will receive when they connect to the VPN server.
In addition you can configure security settings in Security tab — choose the type of authentication, set the Preshared Key for L2TP, or select a certificate for SSTP.
Couple of important things to keep in mind when setting up a VPN server
First, you need to select users who have permissions to connect to this VPN server. For a stand-alone server, the configuration is done locally, in the Computer Management snap-in. To run the snap-in, you need to run the compmgmt.msc command, then go to the Local Users and Groups section. Then you need to select the user, open its properties and on the Dial-In tab mark the Allow access item. If the computer is a member of an Active Directory domain, the same settings can be made from the Active Directory Users and Computers snap-in.
And secondly, check if the necessary ports are open on the Windows Firewall. Theoretically, when you install the RRAS role, the corresponding rules are automatically turned on, but once again you can check. The list of allowed inbound rules (ports):
- Routing and Remote Access (GRE-In) – Protocol 47 (GRE);
- Routing and Remote Access (L2TP-In) – TCP/1701, UDP/500, UDP/4500 and Protocol 50 (ESP);
- Routing and Remote Access (PPTP-In) – TCP/1723;
- Secure Socket Tunneling protocol (SSTP-in) – TCP/443.
If your VPN server is behind NAT, in order to install the L2TP/ipsec VPN-connection on the client side, you need to go to branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent and change/add the value of the parameter AssumeUDPEncapsulationContextOnSendRule by setting it to 2.
That’s all. That was pretty easy to install VPN server on Windows Server 2016! Now the VPN server is configured, and you can connect to it using a VPN client.