
This post shows how to install a VPN server on Windows Server 2012. It covers a VPN server for a small environment or for a hosted server scenario and is not meant for enterprise deployments. If you want to run a VPN solution in your enterprise you should definitely look at DirectAccess, which is much easier to deploy in Windows Server 2012 than in Windows Server 2008 R2.
For a VPN server on Windows Server 2008 R2 check this post: How to Install VPN on Windows Server 2008 R2
- Install the role “Remote Access” via Server Manager or PowerShell

- Select the DirectAccess and VPN (RAS) role services

- The other selection in the wizard can use the default properties.

- After the features are installed you can use the Getting Started Wizard to configure the VPN scenario.


- If you don’t deploy DirectAccess choose Deploy VPN only.

- This will open the Routing and Remote Access MMC. Right click on your server and choose Configure and Enable Routing and Remote Access.

- This launches the Routing and Remote Access Server Setup Wizard

- If you have just a single network interface in your server choose Custom configuration

- Select VPN access

- And click finish and start service

- Now open the following ports on your firewall and forward them to your Windows Server:
  - For PPTP: 1723 TCP and Protocol 47 GRE (also known as PPTP Pass-through)
  - For L2TP over IPSEC: 1701 TCP and 500 UDP
  - For SSTP: 443 TCP

- Users have to be enabled for Remote Access. On a standalone server this can be done in the Computer Management MMC; in a domain environment this can be done in the user properties of an Active Directory user.

Optional: If you don’t have a DHCP server in your local network you have to add a static address pool. This can be the case if you use a single server hosted by a hosting provider.
- Right click on your Remote Access Server and open properties

- Click on the IPv4 tab and select “Static address pool”

- Now add an IP address pool, for example 192.168.1.100 – 192.168.1.200
- Now if this is a standalone server which has only a single Public IP address, add a secondary IP address to the server network interface which is in the same subnet as the IP address pool.
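
The role installation from the first step can also be done in PowerShell, and the result of the later steps (service state, which VPN firewall rules are actually enabled, which accounts are allowed to dial in) can be checked from the same session. The following is an added example, not part of the original post. It assumes an elevated PowerShell session on an English-language Windows Server 2012 installation (the firewall rules are matched by their English display names) and, for the last step, that the ActiveDirectory module is installed.

```powershell
# Added example, not from the original post.
# Run in an elevated PowerShell session on the server that hosts the VPN.

# 1. Install the Remote Access role with the "DirectAccess and VPN (RAS)"
#    role service, including the Routing and Remote Access MMC.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# 2. After the Routing and Remote Access wizard has finished,
#    confirm that the service is running.
Get-Service -Name RemoteAccess | Select-Object Name, Status

# 3. List the built-in inbound firewall rules for the VPN protocols,
#    whether each one is enabled, and the protocol/port it covers.
#    Assumption: rules are matched by their English display names.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -match 'Routing and Remote Access|SSTP' } |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Protocol  = $portFilter.Protocol
            LocalPort = $portFilter.LocalPort
        }
    } | Format-Table -AutoSize

# 4. Domain environment: list every account whose Dial-in tab is set to
#    "Allow access", so the set of users who can connect is known.
#    Assumption: the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
    Select-Object SamAccountName, Enabled, msNPAllowDialin
```

Comparing the output of step 3 with the VPN type the clients actually use shows which of the forwarded ports are needed at all.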

I appreciate your guide.
I wanted to try the setup but I’m behind a small router from my ISP. My question is: to configure the client, do I need a public IP?
I would appreciate having the client config too.
You can use a public IP or you can set up port forwarding via NAT (see the ports in my post).
What are the prerequisites when installing Server 2012?
Hi, thanks for this article.
I have installed VPN by your example, but when the client is connecting to the server it ends with Verifying username and password.. In the server system event log I see: CoId={01181E8F-FC20-4A5B-8E91-17C4DB6E4073}: The user connected to port VPN3-127 has been disconnected because the authentication process did not complete within the required amount of time.
Do you have any idea what can be wrong?
thanks.
To Martin:
I had that same problem, so I installed NPS and reconfigured VPN and it works now.
@Thomas, I followed your contents, and failed to connect to the host. My client is Win7; must I do some special setting on the client? Thank you.
Finally, it tells ‘Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable…’
1. Click Start and type Active Directory Users and Computers into the Quick Search, then open it.
2. Navigate down to the account in question and open up its properties.
3. On the “Dial-in” tab check that under “Remote Access Permissions (Dial-in or VPN)” “Allow Access” is selected. If it is not then change it and Apply the update.
On the client VPN connection
1. Right-click the VPN connection and click Properties.
2. Select the Security tab.
3. Under Type of VPN: select Point to Point Tunneling Protocol (PPTP).
4. Under Data encryption: select Optional encryption (connect even if no encryption).
5. Make sure Allow these protocols is selected
6. Check mark Microsoft CHAP Version 2 (MS-CHAP v2).
Finally retry the VPN Connection.
Hope it helps Grammy Leung
Hi All,
I could install PPTP on Win 2012 and I could connect from clients, but I can’t ping the LAN, and I can’t access the server either. I have checked the NAP policies many, many times. Do you have any ideas?
Thx!
LKP, I’m having the same problem… WS2012, following instructions to start the RAS VPN-Only role…
I can connect to the VPN from a remote location, but I cannot ping or RDP anywhere on the network…
Ports and services are triple checked… I’m hitting my head against the wall.. :-(
Thank you for this article. I was missing the Network Access Permissions – Allow Access in the User properties.
My current issue is this. I’m connected to the remote server. However, I cannot map a drive on the server. It’s a 1 server VPN. Anyone have suggestions?
Thank you Tom, this helped me out.
Will this work in Azure?
In Windows Azure you can use a built-in gateway to do VPN with your on-premises network.
Hi stat, have you found a solution? I haven’t found one yet.
Hi
Just noticed this post is word for word with http://XXXXX
Clearly yours was posted first. Really sad to see people copy others’ work.
Keep up the good work.
In the name of God
I hope good luck
I had a question:
How do I set up my domain VPN in Windows Server 2008?
What are the settings in Windows 7?
Thanks
VPN works as expected but to secure the server I want to change the network profile from public to private but this can’t be done on Windows Server 2012??? Do you have an answer?
The answer is: Force the private network profile by setting the local security policy under network lists manager rules for RAS (Dial In) Interface properties -> networkaddress -> location type -> from unconfigured to private
Hi, thanks for the tutorial. I like your header, can I save it?
Is it possible to Manage Hyper-V Free with Windows 2012 Essentials? I know that there is no Hyper-V in Essentials, but can you manage with it? Great website you have here! Have a great week!
I configured VPN successfully, but when I connect with my VPN, I cannot browse the Internet. What can I do?
Browsing the Internet does not work. How can I change it?
Jewel,
Is the network you are connecting to part of a domain or workgroup? On the client-side computer, in the properties, you need to make sure you have the correct DNS settings to use. If it is using a DNS server in the domain, put the correct DNS server in on the client computer’s VPN connection.
Under Advanced in the TCP/IP v4 settings you can uncheck the box to use the remote gateway. This will allow you to use the gateway of the local network you are on for the internet.
Now if this is a standalone server which has only a single Public IP address, add a secondary IP address to the server network interface which is in the same subnet as the IP address pool.
——————————————–
Hello, my server is standalone and has a single public IP address.
How can I add a secondary IP address to the server network interface?
Would you please help? Thank you.
Well, on the NIC configuration, in the advanced configuration, you can add other IP addresses.
I think this is a DNS or Routing Problem
Any ideas on how to do a site to site VPN?