How to Install VPN on Windows Server 2008 R2

This HowTo shows you how to install a VPN server on Windows Server 2008 R2. It is written for a small environment or a stand-alone hosted server.

  1. Install the Role “Network Policy and Access Services” with the Server Manager
  2. Select the Role Services “Routing and Remote Access Services”
  3. Configure and Enable Routing and Remote Access in the Server Manager.
  4. Choose “Custom Configuration” if you just have one Network Interface in the Server
  5. Choose “VPN access”
  6. Finish and click next
  7. Allow access for users (“Network Access Permission”). You can set that on the Dial-In tab of the user's properties.
  8. Open Ports in your Firewall

    For PPTP: 1723 TCP, 47 GRE
    For L2TP over IPsec: 1701 TCP, 500 UDP
    For SSTP: 443 TCP
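
The role installation and firewall step above, scripted so that only the chosen tunnel type is exposed (an added example, not part of the original post). It assumes the server's own Windows Firewall is the firewall in question and uses rule names chosen for this example; for L2TP it opens UDP 1701 rather than TCP, plus UDP 4500 and ESP, because L2TP runs over UDP and IPsec with NAT traversal uses those.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on Windows Server 2008 R2; rule names are chosen for this example.
param(
    [ValidateSet('PPTP', 'L2TP', 'SSTP')]
    [string]$Protocol = 'SSTP'
)

Import-Module ServerManager

# Steps 1-2: add the "Routing and Remote Access Services" role service.
$result = Add-WindowsFeature NPAS-RRAS-Services
if (-not $result.Success) { throw 'Role service installation failed.' }

# Step 8: inbound openings per tunnel type. Proto is a value netsh accepts for
# protocol=: tcp, udp, or an IP protocol number (47 = GRE, 50 = ESP).
$openings = @{
    PPTP = @( @{Proto='tcp'; Port='1723'}, @{Proto='47'; Port=$null} )
    L2TP = @( @{Proto='udp'; Port='500'}, @{Proto='udp'; Port='4500'},
              @{Proto='udp'; Port='1701'}, @{Proto='50'; Port=$null} )
    SSTP = @( @{Proto='tcp'; Port='443'} )
}

foreach ($o in $openings[$Protocol]) {
    # No spaces in the name, so it reaches netsh as a single argument.
    $ruleName = ('VPN-{0}-{1}-{2}' -f $Protocol, $o.Proto, $o.Port).TrimEnd('-')
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$ruleName",
                   'dir=in', 'action=allow', "protocol=$($o.Proto)")
    if ($o.Port) { $netshArgs += "localport=$($o.Port)" }
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule $ruleName" }
}

# List what was created so the result can be reviewed.
& netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern "VPN-$Protocol-"
```

Ports for the tunnel types you do not use stay closed, since the script adds rules only for the selected protocol.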

Optional: If you don’t have a DHCP server in your local network, you have to add a static address pool. This can be the case if you have a stand-alone server hosted at your provider.

  1. Right click on “Routing and Remote Access” and open Properties
  2. Click on the IPv4 Tab and check “Static address pool”
  3. Add a static address pool of private IP addresses
  4. Add a secondary IP address, in the same subnet as this pool, to the server's network interface.
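
A check for steps 3 and 4 before the pool is entered in the RRAS properties (an added example, not part of the original post). The function names and all addresses are constructed for illustration; the rule that the server's secondary address must not itself fall inside the pool is an added assumption.

```powershell
# Added example (not from the original post); all addresses are constructed.
function ConvertTo-IpNumber([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-VpnAddressPool {
    param([string]$PoolStart, [string]$PoolEnd,
          [string]$SecondaryIp, [string]$SubnetMask)

    $start  = ConvertTo-IpNumber $PoolStart
    $end    = ConvertTo-IpNumber $PoolEnd
    $server = ConvertTo-IpNumber $SecondaryIp
    $mask   = ConvertTo-IpNumber $SubnetMask

    if ($start -gt $end) { 'Pool start is higher than pool end.' }

    # Step 3: the whole pool must sit inside one RFC 1918 private block.
    $privateBlocks = @( @('10.0.0.0', '10.255.255.255'),
                        @('172.16.0.0', '172.31.255.255'),
                        @('192.168.0.0', '192.168.255.255') )
    $isPrivate = $false
    foreach ($block in $privateBlocks) {
        $low = ConvertTo-IpNumber $block[0]; $high = ConvertTo-IpNumber $block[1]
        if ($start -ge $low -and $end -le $high) { $isPrivate = $true }
    }
    if (-not $isPrivate) { 'Pool is not entirely inside a private (RFC 1918) range.' }

    # Step 4: the server's secondary address must share the pool's subnet ...
    $network = $server -band $mask
    if (($start -band $mask) -ne $network -or ($end -band $mask) -ne $network) {
        'Pool is not in the same subnet as the secondary server address.'
    }
    # ... but must not be handed out to a client (assumption of this example).
    if ($server -ge $start -and $server -le $end) {
        'Secondary server address lies inside the pool.'
    }
}

$problems = @(Test-VpnAddressPool -PoolStart '192.168.100.10' -PoolEnd '192.168.100.50' `
                                  -SecondaryIp '192.168.100.1' -SubnetMask '255.255.255.0')
if ($problems.Count -eq 0) { 'Pool OK' } else { $problems }
```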


58 thoughts on “How to Install VPN on Windows Server 2008 R2”

  1. Hello,

    I tried your proposition to have VPN connection on Windows Server 2008 R2, but I am afraid to miss some points:
    1. Does VPN on Windows 2008 R2 require Active Directory configuration or not?
    2. I tried to build this solution at home, but you didn’t confirm that we need some action in the rest of the infrastructure (Internet box, router, etc.) – is it normal?

    Thanks for your tutorial.

    Best Regards,
    Bertrand.

  2. Hi Thomas,
    I would like to configure an IPSec VPN server in Windows 2008 R2. I have 50 mobile phones that are using the internet (VPN) to tunnel to the server, and for this I am using NCP Secure Entry client as the mobile VPN client software. Do I need to perform any additional steps beyond the above steps that you have explained?
    Additionally, I use NLB as the network load balancer.
    Kindly help to advise.
    Many thanks in advance

    Regards,
    Handoko

  3. I want to see/access all the network (servers, PCs, printers). Your HowTo is for a server connection only. Can you help me see/access all the network?

  4. I followed your steps but I cannot see the network or cannot ping a hostname, I can ping an IP address only. Why?

  5. I'm wondering how to open / forward the GRE 47 port?

    I'm having some trouble connecting from the client side to the VPN; I've added all the other ports into the server-side firewall.


  8. > Allow access for users “Network Access Permission”. You can set that in the Dial-In Tab under the User Permission.
    and where the fuck that dialog should be open from?????

  9. Hi Thomas, thanks for the write-up … one thing while I go through the steps… you say

    “Allow access for users “Network Access Permission”. You can set that in the Dial-In Tab under the User Permission.”

    how do I get to this window ?
    regards

  10. The Dial-in dialogue can be found using Active Directory Users and Computers. Click on a user and you will see the dial-in tab.

  11. Active Directory Users and Computers -> OU where your users are -> Properties of the user you want to have access -> tab “Dial-up”

  12. Hi, I tried setting up my Server 2008 R2 using your guide.
    Then I tried to connect to my server using Windows 7,
    but I get error 800: the remote connection was not made because the attempted VPN tunnels failed.
    Can you help me on this one?
    Thanks

  13. Thanks for this. Worked like a treat. No Active Directory required to make this work. To complete the setup by adding dial in access, the window entitled ‘Administrator properties’ in the screenshot above, is simply the properties of the Administrator user account on the server. Server Manager-Configuration-Local Users and Groups-Users-Administrator

  14. I want to use the server's internet connection but can't access the internet through the VPN.
    Can you help me?

  15. Hello,

    Can you please help me? I did the exact same steps, however I can’t connect; it keeps giving me error 800. I think it may be something to do with my router.
    Thank you for the article

  16. Hello,
    Thank you for your reply. I did; I created a port forwarding rule. I have a Linksys router which has Tomato firmware, but the problem is not solved yet.
    Can you help me out?

    Thank you

  17. Does Tomato firmware support PPTP passthrough?

    http://www.linksysinfo.org/index.php?threads/tomato-pptp-passthrough.30774/

    Maybe here in the comments you can find a solution:
    http://nerdia.net/2010/01/17/pimp-my-router/

    “The computer that will handle incoming PPTP connections is setup with a static IP-address. Then I just configure a Port forward -> Basic of port 1723 to that IP-address. Then under Advanced -> Conntrack/Netfilter under Tracking / NAT-helpers check the GRE / PPTP box.”

  18. If you use a standalone server: Server Manager –> Configuration –> Local Users and Groups –> User properties

    If you are using this in an Active Directory environment: Active Directory Users & Computers etc… Users properties

  19. Thank you so much for this training guide – it worked perfectly the first time, I found it very easy to understand, and I’m now establishing VPN connections easily! Do you have a guide on permissions though? I have set all the permissions for as broad access as possible (administrator group), but I still can’t modify anything in the mapped VPN drive – only view it. Thank you!

  20. Thank you so much for your useful post. I just refer to the screenshot and successfully installed the Remote Access Service and VPN on my server running Windows Server 2008 R2 with Active Directory in less than 30 minutes.

    I didn’t know it would be very easy to setup the above connection.

    Thank you very much. Keep up your good work.

  21. Hi, thanks for your post. I think it is not complete; could you introduce me to another stage for configuring the VPN server?
    Please
    Thanks

  22. I have only one Server 2008 R2. Can I install the VPN server on the same machine itself?

    Thanks and regards

  23. Hi, just having a bit of trouble knowing what to do for the very last two steps…

    – Add a static address pool of private IP addresses
    – Add secondary IP Address to the Server network interface which is in the same subnet as this pool.

    I have a single server VPS, I don’t have a separate DHCP server, so I will need to employ this solution. Which address pool range should I configure? I only have a single static IP address (the one assigned to the VPS).
    I don’t have a secondary IP address.
    Where do I go from here?

    Many thanks

  24. Can anyone help inform me how a remote user connects to or uses the main office server using VPN?

  25. Thanks for this tutorial, but I have a few remarks/questions…

    People say they could set up their VPN in 30 minutes… It’s been days that I’ve been trying, reading about router specifications, certificates, protocols, security…

    For instance, I’m surprised you don’t talk about the router setup. I’ve had lots of trouble configuring it and I can’t be sure it has been done right: it has a DHCP server, a firewall (I need to set a rule there) and a VPN option to set up (to say what to forward where, declare the shared key you want to use – very messy in my opinion).

    Also, it seems people don’t agree on which ports/protocols to open. For instance, Windows opens 1701 UDP and you talk about 1701 TCP (for L2TP). Others talk of UDP port 4500 and protocol ESP… And nobody says if it would be better to shut the ports used by protocols you don’t want to use. Indeed, if I’m going for L2TP, should I close protocol GRE?

    Can you help me with these questions? Can you tell me why it is so damn hard to find a complete and coherent source of information?

  26. Hi,

    Thanks for the tuto. What if I want to create a group, let’s say “External Users” and tell the VPN Server to only accept connections from the users in this group? The goal is to avoid going on each users’ AD properties and select “Allow Access” in Dial Up tab…

    Thanks in advance.

  27. Can you kindly write a tutorial explaining the setup of an SSTP VPN?
    I am running my Windows 2008 Server in the cloud, and though I can forward TCP/UDP ports through their web interface, there is no way to forward GRE.
    For these reasons I am now trying to set up a VPN using SSTP.
    I am having trouble with the certificate part.
    I generated a self-signed certificate but my client won’t connect,
    citing the certificate not trusted error.

    Thanks!
    - Mad :)

  28. Hello everyone!!

    I want to set up a remote access VPN server… meaning a remote server that can be accessed as if a person were using it on the LAN…

    The scenario is:
    1 – single server
    2 – 2 NICs (one is configured with a live IP (provided by the ISP) and the other with a static IP for the LAN)
    3 – DSL router (modem) provided by the ISP that is configured with the live IP from the live IP pool (ZyXEL).
    4 – RRAS server is installed. AD is installed.

    But I’m unable to access the server remotely… I’m also confused about the configuration of IPs etc.

    Please just guide me in a simple way so that I can set up my server and it can be remotely accessed like a VPN server

  29. Hi Thomas thanks for the post. I followed the instructions but when my Win7 Client tried to connect this VPN, it throws Error: 720 “A connection to the remote computer might not be established. You might need to change the network settings for this connection.”

    Do you know what might cause this and what’s the solution?

  30. Worked very well for me, thank you so much. I needed to set a static address pool even though I have a DHCP server. Before setting the static address pool I received error 720.

  31. Very nice and it even works ;-)
    But after the setup I have a working PPTP VPN. Do you have something about setting up an IPSec VPN on Win2K8 Server? Every tutorial I followed until now does not work.

    Thanks, Elerdin.

  32. I did the whole procedure, the machines are connected, I can ping the other computers and network printers, but I cannot see the computers in the network environment, only the server, still typing \\server\folder. Have any tips?

  33. Hello everyone,

    I need some help installing a PPTP VPN on a Windows Web Server 2008 R2 at 1&1.
    The option which is given above, “Network Policy and Access Services”,
    is missing on my server. Routing and RAS is also missing. I looked under Features too.
    So I made it with this tutorial:
    “http://www.sevenforums.com/tutorials/4517-virtual-private-network-vpn-enable-incoming-vpn-connections.html”

    Everything seems to be functioning very well. BUT!
    Somehow hackers are in my VPN and trying to log in on the server. Every time, I get disconnected while someone else is on the server. I see this message every time I get disconnected. What could I do?
    Please, I need help

  34. I have a windows server 2008 r2 machine that is connected to a domain.
    The server also has DHCP installed.
    I followed your instructions step-by-step. Clients can connect to the VPN, but

    1) the client’s gateway on the client is set to 0.0.0.0. This doesn’t SEEM right to me, but maybe it is.
    2) the client is not assigned an IP from the DHCP pool unless I specifically set a static IP range in RRAS
    3) if I allow the client to use the vpn’s default gateway (which gets set to 0.0.0.0), then the client loses all connection to the internet AND the VPN’s network. The client can’t ping ANYTHING except the one VPN server (no other servers on the VPN’s network can be reached).
    4) if I uncheck “Allow client to use VPN’s default gateway” on the client, then I can ping everything in the world… However, the servers on the VPN network cannot ping the IP assigned to the VPN client (ex: 10.0.0.128).

    Any ideas what is going on?

  35. @Sean M: I have exactly the same problem. This is SSTP on Windows 2008. The VPN client gets an IP but cannot ping anything on the private network. It can ping the NICs on the VPN server and it can ping other VPN clients. A network packet trace shows that an ICMP request from the VPN client reaches the private servers and they respond with an ICMP reply back to the MAC address of the internal NIC on the VPN. It seems the RRAS does not know how to route from the private NIC on the VPN server to the internal adapter of RRAS. Were you able to solve your issue?

  36. Dude, awesome.. I have been looking for a solution to provide my iPhone access to my home network when I am away.. this was perfect.. now I can use the iPhone's built-in VPN and connect to my network, then I use netportal to access my servers, workstations and files etc.. I can't thank you enough..
    The only change I had to make was in the “Static Address pool”: I used a small portion of the 192 addressing that I already use for my private network (NAT) etc.. so now it rocks.. great HowTo…

  37. @Sean M: I had this same problem. I fixed it by going to Network and Sharing Center and changing the RAS (Dial In) Interface from Public to Private.
