A virtual private network (VPN) connects computers to an isolated remote network that is normally unreachable directly, by tunnelling over the Internet or another intermediate network. It creates a secure connection over a public network. In this article we look at how to install a VPN on Windows Server using RRAS, configured so that client computers can browse websites through the VPN server even when they sit in a restricted internal network.
We are implementing the VPN service on a VPS running Windows Server 2012 R2 Standard Edition. The idea is the same for Windows Server 2016 or 2019. This VPS has only one NIC, configured with the server’s static public IP address (not a NAT-enabled one). Since it is a VPS, we only have RDP access using the VPS public IP address.
This article walks you through installing the VPN using RRAS and connecting to it from your local system with working Internet access.
Log in through Remote Desktop to the server on which you want to install the VPN.
Open Server Manager and click Add roles and features.
Follow the installation wizard. For Installation Type, select ‘Role-based or feature-based installation’.
In Server Selection, check ‘Select a server from the server pool’. You will see your server listed by computer name in the pool.
Select the “Remote Access” role under Server Roles and click Next.
Nothing needs to be selected in the Features section; click Next.
In Role Services, select the DirectAccess and VPN and Routing role services.
A popup window appears asking to add the features required by the selected role services. Click “Add features”, then click Next.
Click Next until the Review installation page and click Install once you are ready.
Once the installation is complete, click ‘Open the Getting Started Wizard’.
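The same role services can be installed from an elevated PowerShell session on the server, which is useful when you only have RDP access and want a repeatable setup. This is an added example, not code from the original article; the feature names are the ones Get-WindowsFeature reports on Windows Server 2012 R2 for the Remote Access role, its DirectAccess and VPN service, and the Routing service.

```powershell
# Added example (not from the original article): install the role services the
# wizard selects (Remote Access with DirectAccess and VPN, plus Routing) and
# verify the result. Run from an elevated PowerShell session on the server.
Import-Module ServerManager

$features = 'RemoteAccess', 'DirectAccess-VPN', 'Routing'

# Show the current state before changing anything.
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize

$result = Install-WindowsFeature -Name $features -IncludeManagementTools

if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before continuing with the RRAS wizard.'
}

# Confirm every requested feature now reports Installed.
Get-WindowsFeature -Name $features |
    Where-Object { $_.InstallState -ne 'Installed' } |
    ForEach-Object { Write-Warning "$($_.Name) is not installed" }
```

After this completes, the Routing and Remote Access MMC and the Remote Access Management console are available exactly as if the wizard had been used, and the remaining steps of the article apply unchanged.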
Normally the ‘Configure Remote Access’ wizard opens automatically after some time. If it does not, open it from Server Manager >> click “Remote Access” >> right-click the server name >> select “Remote Access Management” >> click “Run the Remote Access Setup Wizard”.
You will now see the ‘Configure Remote Access’ wizard. Click Deploy VPN only.
The Routing and Remote Access MMC opens. Right-click your server name and click ‘Configure and Enable Routing and Remote Access’.
Now follow the wizard instructions. Click Next on the Welcome page.
In the configuration page, select ‘Virtual Private Network (VPN) access and NAT’ and click Next.
At this point we get an error like the one below.
“Less than two network interfaces were detected on this machine. For standard VPN server configuration at least two network interfaces need to be installed. Please use custom configuration path instead.”
So the current “VPN access and NAT” option can only be used if the server has two network interfaces. To get a second interface on the VPS, I added a Loopback Network Adapter in Windows Server 2012. Below are the steps.
Click the Windows Start button >> right-click the My Computer icon >> click “Properties”.
Click “Device Manager” >> select the server name >> right-click and select “Add Legacy Hardware”.
Click Next in the Add Hardware wizard.
Select “Install the hardware that I manually select from the list” and click Next.
Choose “Network Adapters” and click Next.
Choose “Microsoft” >> “Microsoft KM-TEST Loopback Adapter” and click Next.
Click Next until the installation finishes.
Now, if we expand the “Network Adapters” section in Device Manager, the new “Microsoft KM-TEST Loopback Adapter” appears alongside the default network adapter.
The newly added adapter is also visible by opening “Network and Sharing Center” >> “Change adapter settings”.
Now cancel the current ‘Configure and Enable Routing and Remote Access’ wizard.
In the Routing and Remote Access MMC, right-click your server name again and click ‘Configure and Enable Routing and Remote Access’.
Select ‘Virtual Private Network (VPN) access and NAT’ and click Next.
In VPN Connection, select the network interface that has the public IP address and a working Internet connection, and click Next.
In IP Address Assignment, select ‘From a specified range of addresses’ and click Next.
In Address Range Assignment, click New and add a local IP address range (make sure the Start IP address is the same as your internal network’s primary IP address). This range is used to allocate IP addresses to remote clients that connect to this VPN server. Once you have added the range, click Next to proceed.
In Managing Multiple Remote Access Servers, select ‘No, use Routing and Remote Access to authenticate connection requests’ and click Next.
On the completion page, click Finish. You will be prompted with a message about the DHCP relay agent; simply click OK.
The VPN installation is now complete, and we need to modify the Windows Firewall inbound rules to allow the VPN traffic. For that, the following ports need to be opened.
- For PPTP: 1723 TCP and Protocol 47 GRE (also known as PPTP Pass-through)
- For L2TP over IPsec: 1701 TCP and 500 UDP
- For SSTP: 443 TCP
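The firewall rules for these ports can be created from PowerShell instead of the Windows Firewall GUI. This is an added example, not code from the original article; the rule display names are my own, and the function takes a parameter so you can open only the protocols you actually deploy (for example SSTP alone), rather than all three as the article does. It also goes slightly beyond the article’s list: for L2TP/IPsec it adds UDP 1701 and UDP 4500 (IKE NAT traversal) alongside the TCP 1701 and UDP 500 entries named above, since clients behind NAT need them.

```powershell
# Added example (not from the original article): inbound Windows Firewall rules
# for the VPN protocols served by RRAS. Run elevated on the VPN server.
function Add-RrasVpnFirewallRule {
    param(
        # Open only what you use; default matches the article (all three).
        [ValidateSet('PPTP', 'L2TP', 'SSTP')]
        [string[]] $Protocol = @('PPTP', 'L2TP', 'SSTP')
    )

    $prefix = 'RRAS VPN'   # rule name prefix, my own choice

    if ($Protocol -contains 'PPTP') {
        # PPTP: TCP 1723 for control, GRE (IP protocol 47) for the tunnel.
        New-NetFirewallRule -DisplayName "$prefix PPTP TCP 1723" -Direction Inbound `
            -Protocol TCP -LocalPort 1723 -Action Allow | Out-Null
        New-NetFirewallRule -DisplayName "$prefix PPTP GRE" -Direction Inbound `
            -Protocol 47 -Action Allow | Out-Null
    }
    if ($Protocol -contains 'L2TP') {
        # Article lists 1701 TCP and 500 UDP; UDP 1701 and UDP 4500 are added
        # because L2TP itself and IKE NAT-T run over UDP.
        New-NetFirewallRule -DisplayName "$prefix L2TP TCP 1701" -Direction Inbound `
            -Protocol TCP -LocalPort 1701 -Action Allow | Out-Null
        New-NetFirewallRule -DisplayName "$prefix L2TP UDP 1701" -Direction Inbound `
            -Protocol UDP -LocalPort 1701 -Action Allow | Out-Null
        New-NetFirewallRule -DisplayName "$prefix IKE UDP 500/4500" -Direction Inbound `
            -Protocol UDP -LocalPort 500, 4500 -Action Allow | Out-Null
    }
    if ($Protocol -contains 'SSTP') {
        # SSTP: HTTPS on TCP 443.
        New-NetFirewallRule -DisplayName "$prefix SSTP TCP 443" -Direction Inbound `
            -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
    }

    # Return the rules that now exist with their port filters, for review.
    Get-NetFirewallRule -DisplayName "$prefix*" | ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Enabled  = $_.Enabled
            Protocol = $filter.Protocol
            Port     = ($filter.LocalPort -join ',')
        }
    }
}

# Usage: open everything the article lists, or e.g. -Protocol SSTP only.
Add-RrasVpnFirewallRule | Format-Table -AutoSize
```

Re-running the function creates duplicate rules with the same display name, so check the output table first; `Remove-NetFirewallRule -DisplayName 'RRAS VPN*'` clears them if you want to start over.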
We also need to allow the default RDP port “3389” in the NAT services and ports. Follow the steps below.
In the same Routing and Remote Access MMC, expand the server >> IPv4 >> NAT >> right-click the External Network where the public IP is configured >> Properties >> Services and Ports tab >> select “Remote Desktop” >> enter the server IP address in the “Private Address” field. Click OK.
Now adjust the settings of the user account on the server that will be used to make the VPN connection from the client/remote machine.
Go to Administrative Tools >> Computer Management >> Local Users and Groups >> Users >> right-click the user you want to allow for VPN connections and click Properties >> on the Dial-in tab, select ‘Allow access’ under ‘Network Access Permission’ and click Apply.
The VPN server is now ready for client/remote connections. Let’s see how to configure a client machine to connect to it.
Open Network and Sharing Center on your local PC/laptop. Click ‘Set up a new connection or network’. Please note the screenshots are from a Windows 7 PC.
Click Connect to a workplace.
Click Use my Internet connection (VPN).
Enter the IP address of the VPN server (the external network’s primary/static IP that has the Internet connection) and click Next.
Enter the login details for the VPN server user, either the user we created on the VPN server or an existing one with VPN access enabled, and click Connect.
You can now see the client machine trying to connect to the VPN server. Normally the connection is established using the PPTP protocol. After a successful connection, a new VPN network adapter appears in the client PC’s Network adapters section.
If you right-click the VPN network adapter and select “Properties”, you will see several tabs with different settings. Below are the default settings of my client PC’s VPN network adapter.
Refer to the screenshots below if you have any issues with the VPN connection from the client side.
Now let’s convert our current VPN installation to support SSTP (SSL) on Windows Server 2012 R2.
What is great about Secure Socket Tunneling Protocol (SSTP) SSL VPNs is that they connect client machines to the server’s network over the VPN and make them a full part of the network. And this is all done over port 443, a commonly used port that is usually allowed through client-side firewalls.
We need an SSL certificate for the VPN connection over SSTP. We can either purchase an SSL certificate for our company domain name or use a self-signed certificate.
In our case we are using a self-signed certificate. Follow the steps below to create it. Open IIS Manager, which was installed along with the RRAS role >> click the server name >> double-click Server Certificates.
Click “Create Self-Signed Certificate” >> specify a friendly name and click OK. A certificate is now generated for the VPN server hostname. In our case the server hostname is “SERVER”.
Now let’s make sure this generated self-signed certificate is available in the local machine’s certificate store, in the Trusted Root Certification Authorities section.
Open Run >> run certlm.msc >> under Trusted Root Certification Authorities, we can see our certificate is available.
Next we need to export this certificate into our client PC/laptop’s Trusted Root Certification Authorities section. For that, right-click the server certificate >> All Tasks >> Export >> choose “Yes, export the private key” >> choose the Personal Information Exchange format >> enter a password for the certificate >> click Browse, give a file name and choose a location to save it >> finish the export.
Now download this .pfx certificate from the server to the local client machine from which you are connecting to the VPN server.
On the client PC, open Run >> run “mmc” >> File > Add/Remove Snap-in >> choose “Certificates”, click Add >> choose “Computer account” >> choose Local computer, click Finish and then OK.
In the current MMC console, expand Trusted Root Certification Authorities >> in the right-side Actions pane, click “More Actions” >> All Tasks >> “Import” >> browse to the downloaded .pfx certificate file >> enter the same password used when exporting the certificate >> click Next and complete the import.
Now RDP into the VPN server >> from Server Manager, click “Remote Access” >> right-click the server name >> select “Remote Access Management” >> click “Open RRAS Management” >> the Routing and Remote Access MMC opens >> right-click the server name and choose Properties >> under the “Security” tab, choose our self-signed certificate >> click OK and confirm the “Routing and Remote Access” service restart.
At this point the VPN server is ready for VPN connections over the SSTP protocol.
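The server-side SSTP preparation (self-signed certificate for the hostname, a copy in the machine’s Trusted Root store, an export for clients, and binding the certificate to RRAS) can be scripted as below. This is an added example, not code from the original article. It assumes the RemoteAccess PowerShell module that ships with the Remote Access role, the hostname “SERVER” from the article, and an output folder C:\Temp of my choosing. One deliberate difference from the article: it exports only the public certificate (.cer), because an SSTP client needs to trust the server certificate but never needs the server’s private key, so the .pfx with the private key should stay on the server.

```powershell
# Added example (not from the original article): create and bind the SSTP
# certificate for RRAS on Windows Server 2012 R2. Run elevated on the server.
$hostName  = 'SERVER'                 # hostname from the article; replace with yours
$exportDir = 'C:\Temp'                # assumed output folder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Self-signed certificate whose subject CN and SAN are the server hostname.
#    Clients must dial this exact name, or they get 0x800B010F (CN mismatch).
$cert = New-SelfSignedCertificate -DnsName $hostName `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Copy it into the machine's Trusted Root store, as the article checks with certlm.msc.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()

$inRoot = Get-ChildItem 'Cert:\LocalMachine\Root' |
          Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inRoot) { throw 'Certificate was not added to Trusted Root' }

# 3. Export the PUBLIC certificate only (.cer) for distribution to clients.
$cerPath = Join-Path $exportDir "$hostName-sstp.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 4. Bind the certificate to RRAS for SSTP (same as the Security tab in the MMC)
#    and restart the service so the binding takes effect.
Import-Module RemoteAccess
Set-RemoteAccess -SslCertificate $cert
Restart-Service -Name RemoteAccess

"SSTP certificate $($cert.Thumbprint) bound; copy $cerPath to each client."
```

Only the .cer file leaves the server; on the client it goes into Trusted Root Certification Authorities exactly as the article describes for the .pfx, minus the password prompt.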
Now let’s assume we have not imported the certificate exported from the VPN server into the client PC’s Trusted Root Certification Authorities section. In that case we get the error below when trying to connect to the VPN.
Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109
Below are the changes needed in the client PC’s VPN network adapter settings for a connection over SSTP. Right-click the existing VPN network adapter and select Properties.
In the General section, we need to replace the VPN server IP with the VPN server hostname. In our case the VPN server hostname is
“SERVER”. We know that a hostname like “SERVER” is not a valid public hostname and does not resolve to the VPN server IP address. In such cases, add an entry in the client PC’s hosts file, C:\Windows\System32\Drivers\etc\hosts, mapping the hostname to the VPN server IP address. The client will then connect to the actual VPN server.
If we do not replace the VPN server IP address with the VPN server hostname, we get an error like the following.
Error Description: 0x800B010F: The certificate’s CN name does not match the passed value.
Possible Cause: This issue may occur if the host name of the server that is specified in the VPN connection does not match the subject name that is specified on the SSL certificate that the server submits to the client computer.
Possible Solution: Verify that the SSTP VPN server address is typed in hostname for ex sstp.earthvpn.com, not an IP address.
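On a client that has the PKI and VpnClient PowerShell modules (Windows 8.1 or later; the article’s screenshots are from Windows 7, where these cmdlets do not exist), the whole client-side SSTP setup can be done in one script: trust the server certificate, check its CN against the name we will dial, add the hosts entry, and create the connection with the hostname rather than the IP. This is an added example, not code from the original article. It assumes the server name “SERVER” from the article, a .cer export of the server certificate saved as C:\Temp\SERVER-sstp.cer, a connection name of my choosing, and a placeholder server IP that you must replace.

```powershell
# Added example (not from the original article): client-side SSTP setup.
# Run from an elevated PowerShell session on the client.
$serverHost = 'SERVER'               # hostname from the article
$serverIp   = '203.0.113.10'         # PLACEHOLDER documentation address; use your VPN server's public IP
$certFile   = 'C:\Temp\SERVER-sstp.cer'   # assumed path of the exported public certificate
$vpnName    = 'RRAS SSTP'            # connection name, my own choice

# 1. Trust the server certificate (fixes 0x800b0109 "root certificate not trusted").
$imported = Import-Certificate -FilePath $certFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. The name we dial must equal the certificate's CN (otherwise 0x800B010F).
$cn = ($imported.Subject -split ',' |
       Where-Object { $_.Trim() -like 'CN=*' } |
       Select-Object -First 1).Trim() -replace '^CN=', ''
if ($cn -ne $serverHost) {
    throw "Certificate CN '$cn' does not match the hostname '$serverHost' we will dial"
}

# 3. Make the hostname resolve to the VPN server IP via the hosts file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*' + [regex]::Escape($serverIp) + '\s+' + [regex]::Escape($serverHost) + '\s*$'
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsPath -Value "`r`n$serverIp`t$serverHost"
}
if ((Resolve-DnsName -Name $serverHost -ErrorAction SilentlyContinue).IPAddress -notcontains $serverIp) {
    Write-Warning "$serverHost does not yet resolve to $serverIp; check the hosts entry"
}

# 4. Create the connection with the HOSTNAME and the SSTP tunnel type.
Add-VpnConnection -Name $vpnName -ServerAddress $serverHost -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

Get-VpnConnection -Name $vpnName | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel

# 5. Connect; '*' makes rasdial prompt for the password instead of putting it on the command line.
#    rasdial $vpnName vpnuser *
```

Using -EncryptionLevel Required refuses to fall back to an unencrypted PPP link, and keeping the password out of the command line avoids leaving it in the shell history. If you later switch to a purchased certificate for a real DNS name, drop the hosts entry and dial that name instead.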
That is all. Your client machine now has Internet access via the VPN. Should you run into any difficulty, feel free to email us through our contact form.
If you would like to reset the VPN configuration, use the “Disable Routing and Remote Access” option available in the Routing and Remote Access MMC.
If you run into issues with printer and file sharing, you can do the following to resolve them.
You can use gpedit.msc to change the settings:
Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies -> VPN Connection
Change the location type to Private.
Our VPN setup allows clients to have Internet access through the VPN server while connected. During the VPN connection, our public (ISP) IP shows as the VPN server’s IP address, which can be confirmed by simply visiting a URL like http://whatismyip.org/
If you would like to confirm the subject name of an SSL certificate, just double-click the certificate in the Trusted Root Certification Authorities section.