How to Set Up a VPN on Windows Server 2019 using Remote Access

Author: Humphrey Mpairwe

Last Updated: Tue, Dec 7, 2021
Networking Popular Windows Guides

A Virtual Private Network (VPN) is used to securely create a tunnel for data between your local computer to a remote server. On Windows Server 2019, you can configure a VPN to provide network access to connected clients and allow connected devices to communicate securely.

This guide explains how to set up a fresh Windows Server 2019 as an L2TP over IPSec, or a PPTP VPN, using the routing and remote access feature. Layer 2 Tunneling Protocol (L2TP) with IPSec offers robust encryption for connections to the server. On the other hand, the Point to Point Tunneling Protocol (PPTP) is simple to deploy but not as secure.

To set up the VPN server, we shall use the built-in Routing and Remote access feature, which offers a graphic interface to configure remote networking features such as Dial-up, LAN routing, NAT, and VPN.

Requirements

  • Deploy a Windows Server 2019 Instance on Vultr
  • Remotely connect to the server and log in as an Administrator

Create a New VPN User

For the VPN service to work well, it must authenticate with a valid user account to the server. So, you need to create a new user on the server.

Click Tools under server manager and select Computer Management from the drop-down list to create a new user.

Once the computer management window pops up, expand Local Users and Groups from the left pane and right-click Users to select New User on the sub-menu.

computer management

Under the New User dialog box, enter a username, full name, and password for the VPN user, then click create and close the window.

Create new user

The new user will now be listed on the list of active server users, right-click on the new user and select properties.

Under the user properties window, navigate to the Dial-in tab and click Allow access under Network Access Permission. Click OK for changes to take effect.

Dial in Tab

Install the Routing and Remote Access Features

Procedure 1: Through Server Manager

From the Windows start menu, open Server Manager, click Manage, then select Add Roles and Features from the drop-down list.

From the open window, click next and select Role-based or feature based installation, then select your server from the pool. Select Remote Access, Remote Access Administration from the list of server roles.

Server Roles

Next, select DirectAccess and VPN (RAS) and Routing from the features list, then click to Install IIS, which is required for remote access to work well.

Feature installation

Procedure 2: Using Windows PowerShell

You can also install Remote Access from Windows Powershell. From the Windows start menu, open an Administrative Powershell, then install Remote access by pasting the following code to the console.

Install-WindowsFeature RemoteAccess
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools

Your output should be similar to:

PS C:\Users\Administrator> Install-WindowsFeature RemoteAccess
>> Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
>> Install-WindowsFeature Routing -IncludeManagementTools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Access}
True    No             Success        {RAS Connection Manager Administration Kit...
True    No             Success        {Routing}

Configure Routing and Remote Access

Open Server Manager and click Tools on the top toolbar. From the drop-down list, select Remote Access Management.

Remote Access Management

In the open Routing and Remote Access window, right click on your server name just below Server status, then select Configure and Enable Routing and Remote Access from the drop-down menu.

Now, select Custom configuration to configure remote access manually.

Custom Config

Select VPN Access and NAT as services you want to enable on your server, click next to finish the configuration, and start the service.

 Enable VPN, NAT

Setup a PPTP VPN

Now that Remote Access is running, you can set up your PPTP VPN. To get started, you must assign connected clients** static IP Addresses to avoid possible connection issues. To do this, right-click on your server under the Routing and Remote Access window and select Properties from the drop-down list.

Server Properties

Click IPV4 in the Open Window, then select Static address pool. Now, click Add to craft a new IP Address range from the open pop-up window. In this guide, we use the range 10.0.0.1 to 10.0.0.50, and the server will automatically calculate the number of available addresses.

Static IPs

Click OK to save your static IP Address configuration. You will be prompted to restart Routing and Remote Access for changes to apply; simply click OK.

Configure NAT and enable PPTP

We need to configure Network Address Translation (NAT) for connected clients to use the Internet. On the left pane of the same routing and remote access window, expand the IPv4 options under your server. Right-click on NAT and select New Interface.

NAT new Interface

Under the open dialog window, select Public interface and enable NAT on the interface.

Next, navigate to Services and Ports and click VPN Gateway (PPTP) from the drop-down list.

Enable PPTP

Click Edit to set a Private address for the VPN service, change the current address 0.0.0.0 to 127.0.0.1, and click OK to save.

change address to localhost

Finally, click OK to save all changes, then right-click on your server from the left pane and click Restart under the All Tasks sub-menu.

Restart Remote Access

This will restart routing and remote access services making your server ready for incoming VPN connections.

Configure Windows Firewall to accept Incoming PPTP VPN Connections

Click Tools from the Windows server manager and select Windows Defender Firewall with Advanced Security from the drop-down list.

Under the open Windows Defender Firewall with Advanced Security window, select Inbound Rules on the left pane, then click New Rule on the right pane.

New Inbound rule

In the open new Inbound rule wizard, click Predefined and select Routing and Remote Access from the list.

Predefine Remote Access

Under predefined rules, choose Routing and Remote Access (PPTP-In), click next to allow the connection, then finish for the new Firewall rule to be applied and test your new PPTP VPN server.

Allow Firewall connection

Test your PPTP VPN

Using your personal computer (PC) or Smartphone, go to Networks, Add a new VPN and select PPTP as the VPN type. Then, enter the VPN username and password created earlier to connect.

In this guide, we cover and test the PPTP VPN on a Windows 10 PC. To get started, click the start menu and search for Control Panel, then, click Network and Internet.

Under Network and Internet, open the Network and Sharing Center and click Set up a new connection or network.

Network and sharing center

Under the open window, select Connect to a workplace and click Use my Internet connection (VPN).

Then, enter your server’s public IP Address (Check your Vultr server dashboard), assign the connection a name, and click create.

Enter Server IP

Now, on the left pane, click Change adapter settings, then right click your created VPN interface and select Properties.

Adapter Settings

Under the pop-up, click Security, then choose Point to Point Tunneling Protocol (PPTP) under Type of VPN.

Finally, under Allow these protocols, select CHAP and MS-CHAP v2, then click OK to apply changes.

Choose VPN protocols

Your new VPN is configured successfully. Click the network connection icon on the taskbar, select your VPN on the list and click Connect to enter the VPN username and password created earlier to establish a connection to your new PPTP VPN server.

Connection established

Setup L2TP with IPSEC

Open server manager, click Tools, and open Remote Access Management, then right-click your server on the left pane to select Properties from the drop-down list.

Under server properties, navigate to the Security tab, and click Allow custom IPSec policy for L2TP/IKEv2 connection to enter your new pre-shared key.

In this guide, we use 12345678, choose something stronger, then navigate to IPV4 to set a static address pool and click OK to apply changes.

Set Preshared Key

Keep note of the pre-shared key (PSK) since it will be required for every user establishing a connection to the VPN server.

From the left pane, expand the IPV4 sub-menu and right-click on NAT, then select New Interface. If you set PPTP earlier, click NAT and edit the existing interface you already created.

Navigate to the Services and Ports tab and select VPN Gateway [L2TP/IPSec], then click edit to change the private address from 0.0.0.0 to 127.0.0.1. Click OK to save changes and restart remote access from the left pane under All Tasks.

This will restart Routing and Remote Access, then save the applied L2TP configurations.

Allow L2TP Connections through Windows Firewall

Open Windows Defender with Firewall, select inbound rules and add a new rule. Select Predefined and from the list, choose Routing and remote access.

Under Predefined rules, select Routing and Remote Access [L2TP-In] and click next.

Allow L2TP

Finally, allow the connection and click Finish to apply the new Firewall rule.

Connect and Test Your L2TP VPN server

In this guide, we test the new L2TP with IPSec VPN on a mac. To get started, open System Preferencesand click Network.

Under the Network Preferences window, click the + sign and select VPN under the Interface dialog box. Then, choose L2TP with IPSec as the VPN Type and assign your connection a name.

Add VPN

Click create, then enter your public server IP Address (server address) and username (Account name). Next, click Authentication Settings to enter your account password and Pre-shared key (Shared secret) created earlier.

Authentication Settings

Next, click Advanced and select Send all Traffic over VPN Connection, then click Apply, and finally click Connect to establish a connection with your new L2TP VPN server.

Establish L2TP connection

Conclusion

You have set up a VPN on your Windows server 2019 instance; you can choose to create both PPTP and L2TP VPNs with different users connecting through your server without any limitations.

For every connected device, they will be able to access the Internet through your server and interact with other connected computers.

Want to contribute?

You could earn up to $600 by adding new articles.

Die deutsche Version dieser Website ist eine Übersetzung, die nur zu Informationszwecken erstellt wurde. Die englische Version hat Vorrang.