How to Configure SSTP VPN on Windows Server 2019

In this blog article we are going to discuss about How to configure SSTP VPN on Windows Server 2019 using Routing and Remote Access Service server role. A VPN is short form of virtual private network, which gives us a privacy, anonymity and security over public internet. A VPN service masks our ISP IP so your online actions are virtually untraceable. A VPN can also be used to connect computers to isolated remote computer networks that is usually inaccessible, by using the Internet or another intermediate network.

Microsoft servers provided with RRAS server roles for implementing such remote access services. The full form of RRAS is Routing and Remote Access Service. It is a suite of network services in the Windows Server family that enables a server to perform the services of a conventional router.It is also a Windows proprietary server role, that supports remote user or site to site connectivity by using virtual private network or dial-up connections. So using RRAS we can convert a regular Windows Server as VPN server. Microsoft RRAS server and VPN client supports PPTP, L2TP, IPSec, SSTP and IKEv2 based VPN connections. Using RRAS as VPN remote users can connect to their company organisation networks internally and securely over public internet.

Now what’s awesome about Secure Socket Tunnelling Protocol ( SSTP) SSL VPNs is they allow connecting client machines in to VPN server over TCP port 443. Which means SSTP protocol has some mechanism to tunnelling VPN PPP traffic over HTTPS protocol. The TCP port 443 is a commonly used port which is often enabled on firewalls of client ISPs. So by using SSTP VPN we have extra SSL/TLS security over VPN traffic.

System Configuration We Used.

Used Windows server 2019 which is covert as a VPN SSTP server.

Used Windows 10 client PC for connecting to Windows VPN server 2019.

Another thing is we are settings up this SSTP VPN on windows server 2019 which only have one Network interface. So this blog article can be implemented on Most of VPS ( Virtual Private Server) provided by Hosting Providers or with the Cloud Windows VMs.

Additionally, SSTP VPN setup needed SSL certificate. In this testing we are using self signed certificate generated for VPS host-name. We can also use Let’s Encrypt SSL certificate or SSL certificate purchased for our Server Domain name through SSL vendors.

Here I have divided the whole steps in to different parts. Lets get started. Even though we are performing the install on Windows server 2019, you can refer this article for Windows server 2016 and windows server 2012.

Part:1 Install Remote Access Server role on Windows Server 2019

Log into the Windows Server 2019 > Click Windows Start Icon >> Click Server Manager.

Click Add Roles And Features

Click Next

Choose the Installation Type as ” Role based or feature based installation and click Next.

From Server selection, choose “select a server from the server pool” and click Next.

From Server Role choose ” Remote Access” and click Next.

Leave Features section as it is and click Next.

Click Next on Remote Access section.

Under Role Services choose “Direct Access and  VPN (RAS) and Routing and click Next. A popup window will appear for confirming the features that need to be installed for Direct Access and VPN. Confirm it by clicking “Add Features”.

Under Web Server Role (IIS) Section click Next.

Under IIS Role services section leave the default one and Click Next.

Under Final Confirmation section click Install.

The Remote Access server role install will start automatically and normally it will get completed with in few Minutes. Once the installation succeeded click close.

Part:2 Create Additional Loopback Network Adaptor On Windows Server 2019

Its for skipping the error while running Configuring Remote Access Wizard and the error  will be like below.

Less than two network interfaces were detected on this machine. For standard VPN server configuration at least two network interfaces need to be installed. Please use custom configuration path instead.

Under Server Manager  click Tools >> Computer Management.

From Computer Management window Click  Device Manager >> Click VM name from Right side.

Under Actions tab >> Click “Add legacy Hardware”

A add Hardware wizard will open and click Next.

Choose option ” Install the hardware that I manually select from a list ” and click Next.

Choose “Network Adaptors” and click Next.

Choose “Microsoft” as Manufacturer  and ” Microsoft KM-TEST Loopback Adaptor ” as Model. Click Next.

Confirm the Install by clicking Next.

Once the install got completed close the install wizard by clicking Finish.

Now, we can confirm the new network adaptor install from the Computer Management panel itself. For that click Device Manager >> Click VM name >> Expand Network Adaptors, there we can see the newly added LoopBack Network adaptor available.

Part:3 Create a Self-signed Certificate using the IIS manager.

We are creating the self signed certificate for Server Hostname and its using for Remote Access service role. If you already have SSL certificate purchased from SSL vendor for your domain or have Lets-encrypt SSL and its imported through IIS manager, we can skip this part.

From Server Manager choose IIS > Right click the Server Name and choose ” Internet Information Services (IIS) Manager ”

Choose VM name and double click on “Server Certificates”

From Actions box choose ” create self signed certificate”

Give any name in the “specify a friendly name for the certificate ” field and Choose “personal” under select a certificate store for the new certificate section. In our case I gave the name as “vpnsslcertificate” and click ok.

Now in the IIS server certificate section, we can see our self signed certificate for hostname got generated.

Part:4 Export a self-signed certificate.

Now we need to Export this self signed certificate to a file and  later  need to import it on remote Windows 10 Client PC for successful SSTP VPN connection.

Click Windows Start button >> search run and open it.

Type “certlm.msc” and click ok.

In the Certificates section expand “Trusted Root Certification Authorities” >> choose Certificates >> In the right side we can see our created self signed certificate with friendly name as “vpnsslcertificate”.

Right click our self signed certificate >> Under All tasks >> Click Export.

A certificate Export wizard will open and click Next.

Choose ” Yes, export the Private key” option and click next.

Choose “Personal Information Exchange PKCS 12 (.PFX) ” and click next.

In security section, click password option and give a secure password. Click Next. By doing this we are password protecting the exported ssl certificate file.

Leave the encryption type as default one which is TrippleDES-SHA1.

In File to Export Section, click Browse and choose where we want to save the exported ssl file. I choose to save it in Desktop itself. Also give a file name for exporting file. Click Save and Click Next.

Complete the Export by clicking Finish.

We will see a Export was successful message , click Ok.

Now if we go the desktop, we will see a new file named “vpnsslcertificate ”  with .pfx extension and which contains our certificate information.

Part:5 Configuring Remote Access Service and SSTP VPN.

From Server Manager Choose Remote Access >> Right click the Server name >> Choose Remote Access Management.

Under “Direct Access And VPN” Click “Run the Remote Access Setup Wizard”

The Configure remote Access wizard will open Click “Deploy VPN only”

In the Routing and Remote Access Console , right click server name and choose ” configure and Enable routing and remote access ” option.

Click Next on Routing and Remote access server  setup wizard.

Choose Virtual private network( VPN) access and NAT option. Click Next.

In the select Network Interface section, choose the network adaptor where our public IP configured and click Next.

In the IP address Assigned section, choose ” from a specified range of address” and Click Next. Here we are trying to define the private IP address that server give to remote VPN click PC after successful connection.

Click New button.

Give the starting and ending private IP range in the corresponding fields. Click Ok. We are giving IPs starting from 192.168.3.150 to 192.168.3.160.

Now we will see the assigned range and click Next.

In the Do you want to setup this server to work with a radius server question section, select “No, use Routing and Remote Access to authenticate connection requests” and Click next.

Click Finish on Completing the Routing and Remote Access server setup wizard.

Click Ok.

This completes the configuration of Routing and Remote Access Server. Now we can see a green up arrow next to server hostname and which shows the Routing and Remote access server service started successfully.

Part:6 Allow Remote Access to our VPN server through Public Network Adaptor.

For maintain the access to the VPN server over remote desktop we need to allow the remote access port over our public network adaptor itself through routing and remote access properties section. Otherwise we will loss the access to the server through remote desktop because we only have one Network interface available on server for both VPN traffic and for the remote access.

In the Routing and Remote Access Manager , Expand Server name >> Expand IPv4 >> Choose NAT >> Right Click Our Public Network Adaptor and choose Properties.

Select ” Remote Access” , A pop up window will appear, in the Private Address filed give our server public IP address and click OK.  After that click Apply and OK.

If you have different RDP port, you need to create a new allow rule by clicking add option.

Part:7  Allow VPN remote access for the Users.

In this part we are giving a existing user on VPN server for remote access. Then only if we give the logins of these server users to remote VPN clients, they can successfully connect to server through VPN.

Go to the Computer Management Section >> Expand Local users and Groups >> Choose Users >> Right click a user where we wish to give VPN access and choose properties.

Under “Dial- In” tab >> Choose “Allow Access”. Click Apply and Ok.

part:8 Define the SSL certificate for Routing and Remote Access service.

In this section we attach the self signed certificate we created at part Part 3 to the routing and Remote Access service, then only the remote vpn clients can communicate over SSTP.

In Routing and Remote Access Manager >> right click Server name and choose Properties.

Under Security Tab , choose our self signed certificate and click OK.

Confirm the restart of routing and remote access service by clicking Yes.

Part:9 Allow VPN ports on Windows Firewall.

In this part we are allowing the ports used by the VPN server for communication on windows firewall. Otherwise the remote VPN clients won’t be able to communicate with the VPN server.

Now issue below power shell commands to allow ports in windows firewall.

Now if we look at  the windows firewall inbound section , we can see the ports are allowed.

This Completes the SSTP VPN server setup on Windows server 2019. Now Lets Proceed with the Remote VPN Client Windows 10 PC setup and Try to Establish a VPN server connection.

Step:10 Import a self-signed certificate on Windows 10 PC.

First Download the Exported self signed certificate file at Part 4 from the server into Windows 10 remote PC. For that you can use any download options like, use ftp service or attach the SSL export file to your email and download it from your client PC etc.

Once successfully Downloaded, Double click the exported SSL certificate file. In our case its vpnsslcertificate.pfx file from Windows 10.

Double click the ssl export pfx file.

In the Certificate Import Wizard choose “Local machine ” and click next.

Confirm the file name by clicking Next.

Give password of importing file and click next. Its the same password we give at the part 4

Choose “Please all certificates in the following store” and click Browse. Select the certificate store as ” Trusted root certification authorities ” . Click Ok.

Confirm the store by clicking Next.

Complete the certificate import by clicking finish.

We will get the message as import successful.

Step:11 Test SSTP VPN configuration.

In our case the server hostname is VPNSERVER2019 which is a dummy server name and doesn’t have any proper DNS A records. So before try to connect to VPN server, we define a DNS host entry in the Windows 10 hosts file C:\Windows\System32\drivers\etc\hosts

For that open notepad as administrator. Search notepad in windows search and click run as administrator.

Go to folder location C:\Windows\System32\drivers\etc and Choose Show all files.  It will list file named hosts. Select it and Click Open.

Add entry like in the screenshot and save it.

Now, lets add VPN connection. For that open Network and Internet settings.

Under VPN >> Click Add a VPN connection.

Choose VPN Provider as Windows built in

In Connection Name field , give any Name

In Server name or Address field give Our server Hostname

Select VPN type as secure socket Tunnelling Protocol (SSTP)

Type of sign in info as Username and Password

Gave our VPN username and password. Click Save.

Click connect for our saved VPN client settings.

Now we will see the VPN status as connected.

Two other ways to confirm the VPN connection is successful is go back to VPN server 2019 and Open Routing and Remote Access Manager >> From there Expand our server name >> Choose Remote Access client, and in the right side we can see a active connection.

Another option to confirm the successful VPN connection is , open a browser in Windows 10 PC and search the what is my IP and it will show the public ISP IP as VPN server IP. Which means all the internet traffic from client side is routing through our VPN server.

This Concludes the settings up SSTP VPN  on Windows server 2019. I hope this blog article is informative. Leave your thoughts in the comment box.