Configure VPN in Windows Server 2012 R2

The Case for Windows-based VPN

Historically, VPN has been implemented using firewalls or dedicated VPN appliances. So why use a Windows Server for VPN? Here are some things to consider.

  • Easy to Implement – Installing and configuring a VPN server using Windows Server 2012 R2 is simple. By following the guidance in this article, a VPN server can be implemented in just a few minutes.
  • Easy to Manage – Managing a VPN server running Windows Server 2012 R2 is no different than any other Windows server. Windows system management is mature and well understood, and the server can be maintained using existing platforms, tools, and procedures.
  • Cost Effective – A Windows Server 2012 R2-based VPN server costs significantly less than dedicated, proprietary VPN hardware. The server can be deployed in existing virtual infrastructure and has no per-user licensing requirements. In addition, adding capacity is, in most cases, as easy as spinning up additional VMs.

Installation Prerequisites

The VPN server should be configured with two network interfaces: one internal and one external. This configuration allows for a better security posture, because the external network interface can be given a more restrictive firewall profile than the internal interface. A server with two network interfaces requires special attention to the network configuration. Only the external network interface is configured with a default gateway. Because the internal interface has no default gateway, static routes must be configured on the server for any remote internal subnets the VPN clients need to reach. Multi-homed Windows servers are covered in more detail in a separate article.

The server does not have to be joined to a domain, but it is recommended to streamline the authentication process for VPN clients and to provide better management and security for the server.
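The following PowerShell, an added example rather than something from the original article, applies the dual-homed configuration described above. The adapter names, addresses, internal subnets and DNS servers are assumptions; substitute your own.

```powershell
# Added example (not from the original article): network configuration for a
# dual-homed RRAS server. Interface names, addresses and subnets are assumptions.
# Run in an elevated PowerShell session on Windows Server 2012 R2.

# Give the adapters intuitive names; the commands below refer to these aliases.
Rename-NetAdapter -Name "Ethernet"   -NewName "Internal"
Rename-NetAdapter -Name "Ethernet 2" -NewName "External"

# External interface: the ONLY interface that gets a default gateway.
New-NetIPAddress -InterfaceAlias "External" -IPAddress 203.0.113.10 -PrefixLength 24 -DefaultGateway 203.0.113.1

# Internal interface: address only, deliberately no gateway.
New-NetIPAddress -InterfaceAlias "Internal" -IPAddress 10.0.1.10 -PrefixLength 24

# One static route per remote internal subnet, via the internal router.
# (Assumed: corporate networks live in 10.0.0.0/8 and 172.16.0.0/12.)
New-NetRoute -DestinationPrefix "10.0.0.0/8"    -InterfaceAlias "Internal" -NextHop 10.0.1.1
New-NetRoute -DestinationPrefix "172.16.0.0/12" -InterfaceAlias "Internal" -NextHop 10.0.1.1

# DNS: internal resolvers on the internal interface only, none on the external
# interface, and never register the external address in internal DNS.
Set-DnsClientServerAddress -InterfaceAlias "Internal" -ServerAddresses 10.0.1.5,10.0.1.6
Set-DnsClientServerAddress -InterfaceAlias "External" -ResetServerAddresses
Set-DnsClient -InterfaceAlias "External" -RegisterThisConnectionsAddress $false

# Check 1: exactly one IPv4 default route, and it leaves via External.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "0.0.0.0/0" |
    Format-Table InterfaceAlias, NextHop, RouteMetric

# Check 2: the external interface should sit in the Public (most restrictive)
# firewall profile; the internal one becomes DomainAuthenticated once joined.
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory
```

If the second check shows the external interface in a Private or Domain profile, it is reachable from a network the server can authenticate to, which usually means the two interfaces are not as separated as intended.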

Preparing the Server

Once the server is provisioned and joined to the domain, installing the VPN role is simple and straightforward. To install the VPN role, enter the following command in an elevated PowerShell command window.

Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

Image
Install the VPN role using the Install-WindowsFeature PowerShell command.

Configure Remote Access

Open the Routing and Remote Access management console. Right-click the VPN server and choose Configure and Enable Routing and Remote Access.

Image
Configure and enable Routing and Remote Access.

Click Next, choose the Remote access (dial-up or VPN) option, and click Next.

Image
Choose Remote access (dial-up or VPN).

Choose VPN and click Next.

Image
Choose VPN.

Select the network interface that is Internet-facing. In addition, select the option to Enable security on the selected interface by setting up static packet filters and click Next. These static filters are applied by RRAS to the selected interface and permit only VPN protocol traffic (PPTP, L2TP/IPsec, SSTP and IKEv2); everything else arriving on the external interface, including ping and RDP to its address, is dropped. Manage the server over the internal interface.

Image
Select the Internet-facing network interface.

Note:
When configuring the server, it is helpful to rename the network interfaces using intuitive names such as Internal and External, as shown above.

IP addresses can be assigned to clients manually from a static pool or obtained from an internal DHCP server. For ease of management, it is recommended to use DHCP; RRAS leases a block of addresses from the DHCP server on behalf of clients, so the DHCP scope must have enough free addresses for the expected number of concurrent connections. Select the option to assign IP addresses automatically and click Next.

Image
Choose automatic IP address assignment for remote clients.

Note:
If the VPN server is to be deployed in a load-balanced cluster, IP addresses must be assigned to clients manually.

The VPN server can authenticate users itself, or forward authentication requests to an internal RADIUS server. For the scope of this article, native Windows authentication using RRAS will be configured. Choose No, use Routing and Remote Access to authenticate connection requests and click Next.

Image
Use Routing and Remote Access to authenticate connection requests.

Review the configuration and click Finish.

Image

The RRAS configuration wizard will indicate that the DHCP relay agent must be configured for remote access clients. Click OK to continue.

“To support the relaying of DHCP messages from remote access clients, you must configure the properties of the DHCP Relay Agent with the IP address of your DHCP server.”

Image
DHCP Relay Agent configuration reminder.

Configure DHCP Relay Agent

To enable the internal DHCP server to provide IP address assignment for remote access clients, expand IPv4 and then right-click DHCP Relay Agent and choose Properties.

Image
Configure DHCP relay agent.

Enter the IP address of the DHCP server and click Add. Repeat this process for any additional DHCP servers and click OK.

Image
Configure DHCP relay agent.
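Before moving on to NPS, it is worth confirming from PowerShell what the wizard actually produced. The checks below are an added example, not part of the original article; they use the RemoteAccess module that ships with the role on Windows Server 2012 R2 and assume the external adapter was named External.

```powershell
# Added example (not from the original article): post-wizard sanity checks on
# the RRAS server. Run in an elevated PowerShell session; "External" is the
# assumed name of the Internet-facing adapter.
Import-Module RemoteAccess

# The RRAS service must be running and set to start automatically.
Get-Service RemoteAccess | Select-Object Status, StartType

# Overall role state: VpnStatus should report Installed after the wizard.
Get-RemoteAccess | Select-Object VpnStatus, DAStatus

# Per-tunnel-type server settings (which tunnel types are enabled, how many
# ports each has). PPTP works immediately; SSTP and IKEv2 also need a server
# certificate, which this article does not yet cover.
Get-VpnServerConfiguration | Format-List

# Authentication protocols the server will accept from users. Compare this with
# what is chosen later in the NPS network policy; both sides must agree.
Get-VpnAuthProtocol | Format-List

# The role installation also adds Windows Firewall rules (separate from the RRAS
# static packet filters chosen in the wizard). Confirm they are enabled and,
# for a dual-homed server, scoped to the external interface only.
Get-NetFirewallRule -DisplayGroup "Routing and Remote Access" |
    Select-Object DisplayName, Enabled, Direction, Profile

# Active client sessions (empty until the first test connection succeeds).
Get-RemoteAccessConnectionStatistics | Format-Table UserName, ClientIPAddress, TunnelType, ConnectionDuration
```

Two things this confirms that the GUI does not show in one place: which tunnel types are enabled and listening on the external interface, and which authentication protocols are accepted, which is what the PPTP test later in this article depends on.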

Network Policy Server (NPS) Configuration

By default, the VPN server allows remote access only to users whose domain account dial-in properties are explicitly set to allow access. A better and more manageable way to grant remote access is with an Active Directory (AD) security group evaluated by a Network Policy Server (NPS) network policy. To configure remote access permissions for an AD group, right-click Remote Access Logging and choose Launch NPS.

Image
Launch NPS.

Right-click Network Policies and choose New. Provide a descriptive name for the policy, select Type of network access server, and then choose Remote Access Server (VPN-Dial up) from the drop-down list and click Next.

Image
Create a new network policy.

Click Add, select Windows Groups, and click Add.

Image
Select Windows Groups.

Click Add Groups, specify the name of the AD security group that includes users to be authorized for remote access VPN, then click OK and Next.

Image
Specify AD security group for remote access.

Choose Access Granted and click Next.

Image
Specify access permission.

Uncheck the option to use Microsoft Encrypted Authentication (MS-CHAP); this is MS-CHAP version 1, which is obsolete and should never be accepted. Click Add and select Microsoft: Secure password (EAP-MSCHAP v2). Click OK and Next three times and then click Finish.

Image
Configure authentication methods.
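The NPS policy above authorizes by group membership, but any account whose dial-in tab is still set to Allow access bypasses that policy unless the policy is told to ignore dial-in properties. The following is an added example, not part of the original article: it creates the group the policy references and audits the legacy per-account permission so the group becomes the only source of truth. Group and user names are assumptions; it requires the ActiveDirectory module (RSAT-AD-PowerShell) and rights to modify the accounts.

```powershell
# Added example (not from the original article): create the AD group used by the
# NPS network policy and audit legacy per-account dial-in permissions.
# "VPN Users", "jdoe" and "asmith" are assumed names.
Import-Module ActiveDirectory

$groupName = "VPN Users"

# Create the group once; a global security group is what NPS expects to match on.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description "Authorized for remote access VPN (matched by NPS network policy)"
}
Add-ADGroupMember -Identity $groupName -Members "jdoe", "asmith"

# Review everyone the policy will grant access to, including nested groups.
Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object SamAccountName, ObjectClass

# Accounts with the dial-in tab set to "Allow access" carry msNPAllowDialin=TRUE.
# They are admitted regardless of the group policy, so list them.
$legacy = Get-ADUser -Filter 'msNPAllowDialin -eq $true' -Properties msNPAllowDialin
$legacy | Select-Object SamAccountName, Enabled

# Optional cleanup: clearing the attribute returns the account to the default
# "Control access through NPS Network Policy" setting, so only the group decides.
$legacy | ForEach-Object { Set-ADUser -Identity $_ -Clear msNPAllowDialin }
```

An account with msNPAllowDialin explicitly set to FALSE ("Deny access") is also overriding the policy, in the other direction; the same filter with `-eq $false` finds those.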

Client Connectivity Testing

The VPN server is now configured to accept incoming remote access client connections, but only in a limited fashion. Only the PPTP VPN protocol will function without additional configuration; SSTP and IKEv2 require a server certificate, and L2TP/IPsec requires a certificate or pre-shared key. Unfortunately, PPTP suffers from serious, well-known security weaknesses: its MS-CHAP v2 authentication exchange can be recovered offline by an attacker who captures it, and because the MPPE encryption keys are derived from the same credential material, that attacker can also decrypt the session. PPTP should not be used as configured in a production environment. It is, however, a quick and effective way to validate the network communication path and that authentication is working.

To test client connectivity on a Windows 10 client, click on the network icon in the system notification area, click Network Settings, click VPN, and then click Add a VPN Connection. Choose Windows (built-in) for the VPN provider, provide a descriptive name for the connection, enter the name or IP address of the VPN server, and then click Save.

Image
Add a VPN connection.

Click on the test VPN connection and then click Connect.

Image
Establish a VPN connection.

Enter domain credentials when prompted and click OK. If everything is working correctly, the connection should be established successfully.

Image
VPN connection successful.
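The same test can be scripted from the client, which is handier when repeating it after server changes. This is an added example, not from the original article; the server name, the internal file server address and the credentials are assumptions. It pins the test profile to PPTP so the result is unambiguous, and removes the profile afterwards because PPTP is for validation only.

```powershell
# Added example (not from the original article): scripted PPTP connectivity test
# from a Windows 10 client. vpn.example.com and 10.0.1.20 are assumed values.
$server = "vpn.example.com"
$name   = "RRAS test (PPTP)"

# 1. Path check: TCP 1723 must reach the server. GRE (IP protocol 47) must also
#    be allowed end to end for PPTP; a TCP probe cannot confirm that part.
Test-NetConnection -ComputerName $server -Port 1723 |
    Select-Object RemoteAddress, TcpTestSucceeded

# 2. Create the profile with MS-CHAP v2 and encryption required, matching the
#    EAP-MSCHAP v2 method selected in the NPS policy.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential:$false -Force

# 3. Dial with a domain account that is a member of the VPN group.
$cred = Get-Credential -Message "Domain account in the VPN Users group"
rasdial $name $cred.UserName $cred.GetNetworkCredential().Password

# 4. Confirm the tunnel is up, then prove an internal resource is reachable
#    through it (assumed file server; SMB on TCP 445).
Get-VpnConnection -Name $name |
    Select-Object ConnectionStatus, TunnelType, AuthenticationMethod, EncryptionLevel
Test-NetConnection -ComputerName 10.0.1.20 -Port 445 |
    Select-Object RemoteAddress, TcpTestSucceeded

# 5. Hang up and remove the test profile so PPTP does not linger on the client.
rasdial $name /disconnect
Remove-VpnConnection -Name $name -Force
```

Note that rasdial takes the password as a command-line argument, where it is visible to other local processes and may land in shell history; for a one-off test on an administrator's own machine that is acceptable, for anything automated use a saved credential instead. If step 1 succeeds but step 3 fails with a GRE-related error, a firewall or NAT device in the path is dropping protocol 47, which is the most common PPTP failure mode.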

Summary

Implementing a client-based VPN solution for secure remote access using Windows Server 2012 R2 has many advantages over dedicated and proprietary security appliances. Windows-based VPN servers are easy to manage, cost effective, and offer greater deployment flexibility. However, at this point additional configuration is required to properly secure incoming connections, which will be covered in my next article.

15 thoughts on “Configure VPN in Windows Server 2012 R2”

  1. Hi, my name is Jose. I would like to congratulate you for this very well done guide.
    I just have a question regarding the AD: is it possible to use an internal server which has the AD service on it, and use that one instead of using your Windows account to authenticate?

    Regards.

  2. Hey Richard great article.
    You mention securing connections for the VPN in a subsequent article, would you be able to link to that?

    Thanks

  3. Thank you. Can client / Server VPN connections still allow RDP connections? Meaning, will an external remote access client connecting via RDP through a port forward as well as an internal dumb terminal still be able to RDP to the client / server?

  4. Thank you for the post. I configured VPN, and it's connected. I can get a ping from the client to the server. The only issue I am facing is that I can't access the network resources on the server. When I am accessing the shared files, I can't get them; it's giving the error "network path was not found". Could you please help me to solve it?

  5. Thanks for the info. The client PC can browse the server's files, but it loses Internet connectivity. How can I set up a gateway on my VPN client? And DNS? Thanks again.

  6. Nice article.
    I have a doubt: can a non-AD domain user, a computer which does not belong to the VPN server's domain, or a different OS like Linux or Mac connect to this Windows VPN server via Remote Access?
