How to setup VPN Access on Server 2008

In this post I will cover how to set up and configure a Windows 2008 server as a VPN server. Several steps and configurations need to be done. The setup has 4 parts that I will walk through.

Part #1 Installing NPAS and RRAS:

Open Server Manager and open Roles

Click Add Roles and add the Network Policy and Access Services (NPAS) role

Click next on the informational screen

On the role services screen choose Routing and Remote Access Services (RRAS) and click next

 

On the next screen click install

When it is done it will give you a screen telling you if it installed successfully or failed

If it was successful click close and choose to restart when it prompts you

Part #2 Configure RRAS:

Open Server Manager

Expand the Roles tree

Expand NPAS, right-click RRAS and choose Configure

OPTION #1 = If you have two network cards choose “Remote access (dial-up or VPN)”

 

OPTION #2 = If you have one network card choose “Custom configuration”

 

NOTE: It is recommended to use two network cards

OPTION #1 = Click next and select the VPN box

 

OPTION #2 = Click next and check the VPN box

 

On the next screen when prompted click start service and then click finish

 

Part #3 Configure VPN user group:

Go into your Active Directory and create a group for VPN access. An example name would be MYVPNGROUP. Add to this group the users that you want to have VPN access to your network.

Part #4 Configure Network Policy Server:

You need to specify a server that will provide access to your network. This is a RADIUS server. For this example I will use the same server for everything.

Go to Start > Programs > Administrative Tools > Network Policy Server

 

Expand RADIUS Clients and Servers

Right-click RADIUS Clients and choose New

Fill in all the fields as shown in my screenshot

NOTE: be sure to create a shared secret and write this down somewhere.

 

Right click on Network Policies and choose new

 

Click next

On this screen click on “Add”

Select “User Groups” and click add

 

Once you do this, the condition requires users to be a member of this VPN group before they can connect to the VPN.

 

On the next screen choose “Access granted” and click next

On the Authentication Methods screen I leave the defaults. You can select a different type of authentication according to your needs.

 

On the Configure Constraints screen select NAS Port Type

 

I do not configure any of the other options on this screen. You can configure what you need according to your needs.

On the Configure Settings screen I leave most of the default settings. Under IP Settings, I do make sure that “Server settings determine IP address assignment” is selected.

 

Click next and finish

Then you will see your VPN policy on the next screen.

 

That’s it. You should be able to connect to the VPN now.
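The RADIUS client step from Part #4 can also be scripted, with a randomly generated shared secret instead of a hand-typed one, followed by a review of the VPN group and a check that the services are up. This is an added example, not part of the original post; it assumes PowerShell 2.0 in an elevated prompt on the NPS server and a global domain group, and the client name and address are placeholders.

```powershell
# Added example. Run from an elevated PowerShell prompt on the NPS server.
$ClientName = 'VPN-RRAS'      # hypothetical friendly name for the RADIUS client
$ClientAddr = '192.0.2.10'    # placeholder: IP of the RRAS server that will query NPS
$VpnGroup   = 'MYVPNGROUP'    # the example group name from Part #3

function New-RadiusSecret {
    param([int]$Length = 32)
    # Letters and digits only, so the value can be retyped on the RADIUS
    # client side and passed to netsh without quoting problems.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes that would bias the modulo
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

$secret = New-RadiusSecret

# Same result as the "New RADIUS Client" dialog in the NPS console.
netsh nps add client name=$ClientName address=$ClientAddr state=enable sharedsecret=$secret
netsh nps show client          # confirm the client is listed
Write-Host "Shared secret for ${ClientName}: $secret  (record it in a password manager)"

# Everyone in this group satisfies the network policy condition, so review it.
net group $VpnGroup /domain

# RRAS runs as the RemoteAccess service and NPS as IAS; both must be running.
foreach ($name in 'RemoteAccess', 'IAS') {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') { Write-Warning "$name is $($svc.Status)" }
}

# PPTP control channel; TCP 1723 is the port discussed in the comments below.
if (-not (netstat -an | Select-String ':1723\s.*LISTENING')) {
    Write-Warning 'Nothing is listening on TCP 1723'
}
```

The same secret has to be entered on the RADIUS client side; the two values must match exactly.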

13 comments to How to setup VPN Access on Server 2008

  • John-D  says:

    Thank you for this great guide.
    Do you know which ports I have to forward on my router to allow incoming connections to this?
    Does it use standard PPTP, TCP port 1723 and IP Protocol 47 (GRE)?
    If it is the standard PPTP I can’t forward IP Protocol 47 as it only allows TCP or UDP.
    Is there any way to do this without having to change my router?

  • sbuchanan  says:

    Hi John-D all you need to do is open up incoming TCP port 1723 on your router or firewall. The only way that I am aware of to get around this is to use a VPN service such as Leaf Networks (http://www.leafnetworks.net/download.html). I hope this helps.

  • John-D  says:

    Cool, yeah it works with TCP port 1723 only.
    Thank you very much.

  • cduran  says:

    I followed these instructions step by step and I was able to set up my VPN server at home in no time. After the VPN server was set up I opened port 1723 TCP for PPTP and it all worked like a charm.

    thanks Steve!!!
    Buchatech rocks!!!

    • devim  says:

      This is quite helpful but, I’m having some difficulties because my network topology is different from this scenario.

      I have my VPN server inside another internal network. Say, Router A (192.168.1.0) connects me with my ISP and Router B (192.168.0.0), which is connected to A, is where the server is connected.

      I have opened port 1723 for PPTP on both routers and equally forwarded VPN application on router A to router B interface. Still, I can’t connect even after following the above well-stated steps.

      Do I have to connect to the VPN server using the IP address of Router A’s modem (which is public)? What am I doing wrongly? Thanks.

  • sbuchanan  says:

    Hi devim,

    Thanks for commenting. Correct me if I am wrong but it sounds like what you actually need is a VPN Tunnel. The steps in this post do not cover that. I would look into the tunnel. If that does not help you I think this will need some more looking into and I do freelance work so you can ping me offline about it if you want.

  • nattig  says:

    Hi sbuchanan, I’m using excellent guide to setup a vpn server at this time, questions do not really need a domain? where I am working only use working groups …

    and finally from the outside as it should be done to connect to this vpn server?

    thanks for all

  • sbuchanan  says:

    Hi Nattig,

    Thanks for your comment. Can you clarify your question more?

  • Kent  says:

    Everything is crystal clear until Step #3. Can you provide the same step by step details for this portion of the setup? You have a way of making the instructions very easy to follow even for those without much server software experience. Job well done!

  • sbuchanan  says:

    Hi Kent,

    Thanks for the feedback. I will see if I can detail that step out when I get some time.

  • dookie67  says:

    I’m a bit confused on step 3 as well.

  • dookie67  says:

    Ok, the easiest way for step 3 is to simply click Start, then right-click on Computer, then click on the Manage option. That should take you to editing the user accounts and groups.

    I’m new to the whole VPN thing. Are these instructions for a basic PPTP connection? I ask because I own a BlackBerry PlayBook, and I am trying to figure out how to connect it to my home server. It seems to connect through IKEv2 VPN and some other various authentication types. Is there a way to create that type of VPN from these instructions, or would that type of authentication require more than the basic consumer hardware/configuration I get with WHS 2011?

  • mattr  says:

    Hi, thank you for the great guide. What address do I need to use to access the VPN from outside my network?

    Thanks
