This post shows you how to install a VPN server on Windows Server 2016, step by step. It shows how you can easily set up a VPN server for a small environment or for a hosted server scenario. This blog post covers how you can use Windows Server VPN.
This is definitely not a guide for an enterprise deployment; if you are thinking about an enterprise deployment, you should definitely have a look at Direct Access.
I already did similar blog posts for Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.
- How to Install VPN on Windows Server 2012 R2
- How to Install VPN on Windows Server 2012
- How to Install VPN on Windows Server 2008 R2
- How to Install VPN on Windows Server 2019
You can simply follow this step by step guide:
Install the Windows Server VPN Role
First, install the “Remote Access” role via Server Manager or Windows PowerShell.
Select the “DirectAccess and VPN (RAS)” role services and click next.
On the next steps just use the default settings. After that you can have a look at the overview screen and install the role.
After the features are installed, which can take a while to finish, you see the link for the Getting Started Wizard. Click on “Open the Getting Started Wizard”.
Configure Windows Server VPN
This opens a new wizard which will help you to configure the server. On the first screen select “Deploy VPN only”.
This opens the Routing and Remote Access Management Console.
Right-click on the server name and click on “Configure and Enable Routing and Remote Access”.
In the new wizard select “Custom configuration”.
Select “VPN Access”.
After you have clicked Finish, you can start the Routing and Remote Access service.
If you have another firewall between the internet and your Windows Server, you have to open the following firewall ports and forward them to your Windows Server:
For PPTP: 1723 TCP and Protocol 47 GRE (also known as PPTP Pass-through)
For L2TP over IPSEC: 1701 TCP and 500 UDP
For SSTP: 443 TCP
After the installation, users have to be enabled for Remote Access before they can connect to your VPN server. On a standalone server this can be done in the Computer Management MMC; in a domain environment this can be done in the user properties of an Active Directory user.
If you don’t have a DHCP Server in your environment you have to add a static IP address pool. This is often needed if you have a single server hosted at a service provider. In the properties of your VPN server you can click on the IPv4 tab and enable and configure the “Static address pool”.
You now have to add an IP address from the same subnet as your static address pool to the network interface of your server, so users can access the server.
I hope this helps you to set up a VPN server in a small environment, lab or hosted server.
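The wizard steps above can also be run from an elevated PowerShell session. This is an added example, not code from the original post; the pool range, server address, interface alias and user name are constructed placeholders, and the user is assumed to be an existing local account on a standalone server.

```powershell
# Added example (not from the original post): the steps above as PowerShell.
# Constructed values: replace with your own before running.
$PoolStart = '10.99.0.10'   # first address of the static pool
$PoolEnd   = '10.99.0.50'   # last address of the static pool
$ServerIp  = '10.99.0.1'    # server address in the same subnet as the pool
$PrefixLen = 24
$IfAlias   = 'Ethernet'     # assumption: check the real name with Get-NetAdapter
$VpnUser   = 'vpnuser'      # assumption: existing local account

# 1. Install the Remote Access role with the "DirectAccess and VPN (RAS)" role service.
$result = Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
if (-not $result.Success) { throw 'Role installation failed.' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot, then run the remaining steps.'; return }

# 2. Scripted counterpart of "Deploy VPN only" and "Custom configuration" > "VPN Access".
Install-RemoteAccess -VpnType Vpn

# 3. Static address pool, for environments without a DHCP server.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange $PoolStart, $PoolEnd -PassThru

# 4. Give the server an address from the pool's subnet, unless it already has it.
if (-not (Get-NetIPAddress -IPAddress $ServerIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $ServerIp `
        -PrefixLength $PrefixLen | Out-Null
}

# 5. Enable one named user for Remote Access (dial-in permission).
netsh ras set user name=$VpnUser dialin=permit

# 6. Checks: both services should be Running, VpnStatus should be Installed,
#    and the last command lists every account that is allowed to dial in.
Get-Service -Name RemoteAccess, RaMgmtSvc | Format-Table Name, Status, StartType
Get-RemoteAccess | Format-List VpnStatus
netsh ras show user mode=permit
```

The last command is worth re-running periodically: it shows exactly which accounts can authenticate to the VPN, so unexpected entries stand out.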
Last modified: April 25, 2019
Hi,
I have followed your step by step guide, but unfortunately failed to complete it. When I press the “Start Service” button, a message about initialization pops up with a turning clock icon, but it takes forever — I have waited for over an hour before killing the console and restarting the server. When restarted, the console shows that the service is enabled and configured, but the interfaces are “unreachable” and the “Unreachability Reason” (when right-clicking on them) is that “The Routing and Remote Access service is not running on the specified computer”. Although the service is indeed running in the Services console. What I noticed there is that the “Remote Access Management Service” is in “Starting” status but it never starts.
All this on a Windows 2016 VPS, standalone (no domain).
Any ideas?
Thanks,
Alex
Thanks, nice writeup!
Alex, I have the same issue. And that on a brand new freshly installed server. It just takes forever and ever. Apparently Microsoft did some proper QA testing on their VPN services… incredible
Hi Martijn,
I can’t exactly recall how I finally overcame this, but if I remember correctly, it had to do with the Remote Access Management Service not starting properly. I think that I had to change the account under which the service runs and make sure that the service was started before trying to re-install. It finally worked.
Hope this helps,
Alex
How can I access my network through another network?
Hi,
I’ve installed RRAS on Windows Server 2016, but when I launch the console I get the following;
Legacy mode is disabled on this Server
I’ve googled the life out of this one but can’t seem to find any info on enabling Legacy mode.
Any help would be greatly appreciated.
Mauricio
I went further and created a pre-shared key. Unfortunately, remote clients are getting:
ERROR: “The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator”
I verified that the windows firewall ports 1701 & 500 are open & that they accept connections. I also verified that the router is forwarding those ports.
Not sure why clients are getting this error.
Hi, I want to share with you that I use astrillvpn and I set manual configuration on my PC using PPTP/L2TP and it works fine. But sometimes the connection can’t be established. Is it a problem with my setup or with a server on the VPN?
A very compelling write up and easy to follow. Once you’ve finished the last step here, what else do we do? Are PPTP, L2TP, and SSTP all ready to be used at this point? How does a client connect to this service?
I also had “Legacy Mode Disabled” on 2016 Standard server with the Essentials role and was unable to assign a static IP range. I finally figured out how to do it in PowerShell:
Set-VpnIPAddressAssignment -IPAssignmentMethod "StaticPool" -IPAddressRange "30.1.1.10", "30.1.1.30" -PassThru
Blogged the details here:
https://www.mcbsys.com/blog/2017/08/set-a-static-ip-address-pool-for-your-2016-vpn/
I want to go to a career school that teaches IT…
It has been only three (3) months in the IT field and everything is so confusing…
I get an unidentified error when trying to add Remote Access role.
The only thing I found in the event log has to do with Activation Event ID: 10016 and 8198
I did not activate Windows because I’m testing.
Can I add Remote Access role if Windows server 2016 is not activated?
About my previous post.
It turns out I was unable to install any role at all. There is a GPO which redirects the Document folder. This is what was causing the problem.
Thank you
Hi, thank you! Nice write-up! Everything went as you mentioned; the only issue is that the VPN connection on the client gets stuck on verifying username and password and then times out. I believe it’s something related to my server getting authentication from the domain controller. The VPN server that I’m using is just a member of the domain; is there any way that I can let it get users’ credentials from the domain controllers?
This configuration worked for me to establish a VPN, however once established I was unable to ping the interface on the server or telnet to ports I had a script listening on.
Applying the same config to a 2012 server worked fine so can only assume something has changed in 2016 since this article was written.
Server 2016 build is 10.0.14393. We had initially thought it was due to our server hardening; however, the issue was present on a vanilla build as well. I haven’t tried another build of Server 2016, and it’s worth noting this scenario was in a workgroup config rather than in a domain, so no group policy configs applied either. Has anyone else experienced a similar issue?
Nice guide to setting up, but I have a client that I need to provide access on VPN to the server. The server is on a network connected to a Watchguard firewall with 10.50.70.1 IP range, and the Watchguard is connected to a BT internet router with gateway 192.168.1.254. The trouble I am having is how to configure port forwarding to the server from the BT router with a different IP range. My question: do I connect one of the 4 gigabit LAN connections from the server to the BT router directly, or is there another way I have to forward the SSH port 443 to the server for VPN?
I had installed the Remote Desktop Gateway Service before this, and to get the vpn to work I had to enable (grant access) the “connections to Microsoft Routing and Remote Access” network policy in the NPS.
Hi, thanks for this tutorial. I have a question though: do I need the web server (IIS) to install the VPN? I don’t need it and I don’t want it.
Thanks
Simon
Hi Simon, thanks, happy it helped you. The Routing and RAS role/feature depends on some of the technology in the web server role. No worries, it won’t install a full web server with everything, only the things you need.
Grüezi Thomas, and that’s about almost all I can say in Schwizertütsch (maybe churchichlächli) :-) And thanks, so I can go on and install the thing even with the web server. Does it have to be on? (I had some experience with the MS web server before.) But can I just leave it there and shut it down?
Hi there! Great post. I was able to connect right away, but I cannot see any of the network devices. Upon looking at the address, it appears it gave a subnet of 255.255.255.255, when my other devices are on 255.255.255.0. I don’t know where to go from here. Any thoughts?