How to Set up VPN Server on Windows Server
In this article we will show you how to install and configure a simple Windows Server-based VPN server that can be used in a small organization.
Note. This manual is not recommended as a guide for organizing a VPN server in a large corporate network. As an enterprise-class solution, it is preferable to deploy DirectAccess and use it for remote access.
The first thing that you need to do is install the “Remote Access” role. You can do this through the Server Manager console or PowerShell.
With the Remote Access role, we are interested in the DirectAccess and VPN (RAS) service. Let’s install it! Open Server Manager, go to Add Roles and Features, and click Next twice. We need to install the Remote Access and IIS web server roles.
Click Next three times and select DirectAccess and VPN (RAS), then click Next and Install.
When the wizard is finished, click the “Open the Getting Started Wizard” link and the RAS Server Configuration Wizard will start.
Install RAS Service Using PowerShell
You can install the RAS service using the following PowerShell command:
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Configure Remote Access Service
Since we do not need to deploy the DirectAccess service, let us specify that we only need to install the VPN server.
The familiar Routing and Remote Access MMC console opens up. In the console, right-click the server name and click the Configure and Enable Routing and Remote Access option.
The RAS Server Setup Wizard is launched. In the wizard window, select “Custom configuration” and then select the “VPN Access” option.
When the wizard is finished, the system will offer to start the Routing and Remote Access service. Do it.
Configure Firewall to Allow VPN
If there is a firewall between your VPN server and the Internet from which clients will connect, you need to open the following ports and forward traffic on these ports to your VPN server:
For PPTP: TCP 1723 and Protocol 47 GRE (also called PPTP Pass-through)
For SSTP: TCP 443
For L2TP over IPsec: TCP 1701 and UDP 500
After installing the server, you must allow VPN access in the user account properties (Dial-in tab) for the users who should be able to connect via VPN. If the server is joined to an Active Directory domain, this should be done in the user properties of the ADUC console. If the server is local, you can find it in the user properties of the Computer Management console (Network Access Permission – Allow access).
Configure DHCP for VPN
If you are not using a DHCP server that distributes IP addresses to VPN clients, you should enable “Static address pool” on the IPv4 tab of the VPN server properties and specify the range of addresses to be distributed.
Note. IP addresses distributed by the server for routing purposes must not overlap with IP addressing on the VPN client side.
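The GUI steps above can also be scripted. The following is an added example, not part of the original article: it checks the static pool against client-side subnets before installing anything, then installs the role service, enables VPN only, sets the static pool and grants dial-in access. The pool range, client subnets and user names are constructed placeholders, the helper function names are hypothetical, and the dial-in step assumes a domain-joined server with the ActiveDirectory module available.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps above (not the article's code).
# Values marked CONSTRUCTED are placeholders; the AD steps assume a domain-joined
# server with the ActiveDirectory module (RSAT) installed.

$PoolStart     = '10.99.0.10'                        # CONSTRUCTED static pool start
$PoolEnd       = '10.99.0.50'                        # CONSTRUCTED static pool end
$ClientSubnets = '192.168.0.0/24', '192.168.1.0/24'  # CONSTRUCTED client-side LANs
$VpnUsers      = 'vpnuser1', 'vpnuser2'              # CONSTRUCTED accounts

function ConvertTo-IPv4Number([string]$Ip) {
    # Dotted quad -> unsigned integer (address bytes arrive in network order).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [uint64][BitConverter]::ToUInt32($b, 0)
}

function Test-PoolOverlap([string]$Start, [string]$End, [string]$Cidr) {
    # True when the range Start..End shares any address with the CIDR block.
    $net, $len = $Cidr -split '/'
    $size  = [uint64][math]::Pow(2, 32 - [int]$len)
    $first = ConvertTo-IPv4Number $net
    $first = $first - ($first % $size)               # normalise to the network address
    $last  = $first + $size - 1
    ((ConvertTo-IPv4Number $Start) -le $last) -and ((ConvertTo-IPv4Number $End) -ge $first)
}

# Refuse to continue if the pool collides with a known client-side network.
foreach ($subnet in $ClientSubnets) {
    if (Test-PoolOverlap $PoolStart $PoolEnd $subnet) {
        throw "Static pool $PoolStart-$PoolEnd overlaps client subnet $subnet"
    }
}

# 1. Install the "DirectAccess and VPN (RAS)" role service and its consoles.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# 2. Configure RRAS as a VPN server only (no DirectAccess).
Install-RemoteAccess -VpnType Vpn

# 3. Hand out addresses from the static pool instead of DHCP.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange $PoolStart, $PoolEnd

# 4. Dial-in tab, "Allow access": grant it only to the listed accounts.
$VpnUsers | ForEach-Object { Set-ADUser -Identity $_ -Replace @{ msNPAllowDialin = $true } }

# 5. Review: VPN state and every account that currently has dial-in allowed.
Get-RemoteAccess | Select-Object VpnStatus
Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' | Select-Object SamAccountName, Enabled
```

The last query is worth re-running periodically: it lists every account with VPN access enabled, so stale or unexpected entries can be removed.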
All that remains is to configure the VPN client and test it.