In this post I will cover how to set up and configure a Windows 2008 server as a VPN server. There are several steps and configurations involved, and I will walk through the setup in 4 parts.
Part #1 Installing NPAS and RRAS:
Open Server Manager and open roles
Click on add roles and add the Network Policy and Access Services role (NPAS)
Click next on the informational screen
On the role services screen choose Routing and Remote Access Services (RRAS) and click next
On the next screen click install
When it is done it will give you a screen telling you if it installed successfully or failed
If it was successful click close and choose to restart when it prompts you
Part #2 Configure RRAS:
Open Server Manager
Expand the Roles tree
Expand NPAS, right click on RRAS and choose configure
OPTION #1 = If you have two network cards choose “Remote access (dial-up or VPN)”
OPTION #2 = If you have one network card choose “Custom configuration”
NOTE: It is recommended to use two network cards
OPTION #1 = Click next and select the VPN box
OPTION #2 = Click next and check the VPN box
On the next screen when prompted click start service and then click finish
Part #3 Configure VPN user group:
Go into your Active Directory and create a group for VPN access. An example name would be MYVPNGROUP. Add the users to this group that you want to have VPN access to your network.
Part #4 Configure Network Policy Server:
You need to specify a server that will provide access to your network. This is a RADIUS server. For this example I will use the same server for everything.
Go to Start >> Programs >> Administrative Tools >> Network Policy Server
Expand RADIUS Clients and Servers
Right click on RADIUS Clients and choose new
Fill in all the fields in my screenshot
NOTE: be sure to create a shared secret and write this down somewhere.
Right click on Network Policies and choose new
Click next
On this screen click on “Add”
Select “User Groups” and click add
Once you do this the condition requires the users to be a part of this VPN group before they can connect to VPN.
On the next screen choose “Access granted” and click next
On the Authentication Methods screen I leave the defaults. You can select a different type of authentication according to your needs.
On the Configure Constraints screen select NAS Port Type
I do not configure any of the other options on this screen. You can configure what you need according to your needs.
On Configure Settings screen I leave most of the default settings. I do make sure under IP Settings that the Server settings determine IP address assignment.
Click next and finish
Then you will see your VPN policy on the next screen.
That’s it. You should be able to connect to the VPN now.
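To confirm the result of the four parts above from the server itself, the following PowerShell check is an added example, not part of the original post. It assumes the example group name MYVPNGROUP from Part #3, a domain-joined server, and PPTP on TCP port 1723; the function names are made up for this illustration.

```powershell
# Added example (not from the original post): post-setup check for the VPN server.
# Assumptions: group name MYVPNGROUP from Part #3; PPTP control channel on TCP 1723.
$GroupName = 'MYVPNGROUP'
$PptpPort  = 1723

function Test-RrasService {
    # RemoteAccess is the service name of Routing and Remote Access.
    $svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Test-TcpListener {
    param([int]$Port)
    # Parse netstat output so the check also works on PowerShell 2.0.
    $pattern = "^\s*TCP\s+\S+:${Port}\s+\S+\s+LISTENING"
    return [bool](netstat -an | Select-String -Pattern $pattern)
}

function Get-VpnGroupMember {
    param([string]$Name)
    # ADSI search of the current domain; no ActiveDirectory module required.
    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$Name))"
    $group = $searcher.FindOne()
    if ($group -eq $null) {
        Write-Warning "Group '$Name' was not found in the domain."
        return
    }
    # Emits one distinguished name per member; nothing for an empty group.
    # Very large groups need ranged retrieval of the 'member' attribute.
    $group.Properties['member'] | Where-Object { $_ }
}

"RRAS service running : $(Test-RrasService)"
"TCP $PptpPort listening   : $(Test-TcpListener -Port $PptpPort)"
$members = @(Get-VpnGroupMember -Name $GroupName)
"Members of $GroupName ($($members.Count)):"
$members | ForEach-Object { "  $_" }
```

Every account listed is allowed to connect under the network policy from Part #4, so the list is worth reviewing whenever the group changes. The listener check covers only the TCP control channel; GRE (IP protocol 47) does not appear in netstat output.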
Thank you for this great guide.
Do you know which ports I have to forward on my router to allow incoming connections to this?
Does it use standard PPTP, TCP port 1723 and IP Protocol 47 (GRE)?
If it is the standard PPTP I can’t forward IP Protocol 47 as it only allows TCP or UDP.
Is there any way to do this without having to change my router?
Hi John-D, all you need to do is open up incoming TCP port 1723 on your router or firewall. The only way that I am aware of to get around this is to use a VPN service such as Leaf Networks (http://www.leafnetworks.net/download.html). I hope this helps.
Cool, yeah it works with TCP port 1723 only.
Thank you very much.
I followed these instructions step by step and I was able to set up my VPN server at home in no time. After the VPN server was set up I opened port 1723 TCP for PPTP and it all worked like a charm.
Thanks Steve!!!
Buchatech rocks!!!
This is quite helpful, but I’m having some difficulties because my network topology is different from this scenario.
I have my VPN server inside another internal network. Say, Router A (192.168.1.0) connects me with my ISP and Router B (192.168.0.0), which is connected to A, is where the server is connected.
I have opened port 1723 for PPTP on both routers and equally forwarded VPN application on router A to router B interface. Still, I can’t connect even after following the above well-stated steps.
Do I have to connect to the VPN server using the IP address of Router A’s modem (which is public)? What am I doing wrongly? Thanks.
Hi devim,
Thanks for commenting. Correct me if I am wrong but it sounds like what you actually need is a VPN Tunnel. The steps in this post do not cover that. I would look into the tunnel. If that does not help you I think this will need some more looking into and I do freelance work so you can ping me offline about it if you want.
Hi sbuchanan, I’m using this excellent guide to set up a VPN server at this time. Question: do I really need a domain? Where I am working we only use working groups …
And finally, how should it be done from the outside to connect to this VPN server?
thanks for all
Hi Nattig,
Thanks for your comment. Can you clarify your question more?
Everything is crystal clear until Step #3. Can you provide the same step by step details for this portion of the setup? You have a way of making the instructions very easy to follow even for those without much server software experience. Job well done!
Hi Kent,
Thanks for the feedback. I will see if I can detail that step out when I get some time.
I’m a bit confused on step 3 as well.
Ok, the easiest way for step 3 is to simply click start, and then right click on computer, then click on the manage option. That should take you to editing the user accounts and groups.
I’m new to the whole VPN thing. Are these instructions for a basic PPTP connection? I ask because I own a BlackBerry PlayBook, and I am trying to figure out how to connect it to my home server. It seems to connect through IKEv2 VPN and some other various authentication types. Is there a way to create that type of VPN from these instructions, or would that type of authentication require more than the basic consumer hardware/configuration I get with WHS 2011?
Hi, thank you for the great guide. What address do I need to use to access the VPN from outside my network?
Thanks