- Post author By RiptideHosting
- Post date April 22, 2020
Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge. The method below sets up a PPTP VPN using Windows Authentication, so it is password based, and strong/complex passwords are still very important. Other protocols and authentication methods, such as L2TP/IPsec or certificate authentication, can result in a stronger security setup depending on your needs and environment. Toward the end of this document we show how to enable L2TP with a preshared key and disable PPTP if you want to do that. This post details how to set up the VPN role on a Windows server, how to set up the VPN connection client on your local Windows PC, how to stop RDP and other protocols from using the public profile in the Windows firewall, and finally how to extend the VPN setup to L2TP. There is no additional cost for installing the VPN/RRAS role on Windows Server.
STEPS TO INSTALL VPN SERVER ROLE ON WINDOWS SERVER 2019
- Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.
- Open Server Manager, Dashboard, and start the “Add Roles and Features” wizard. Click Next, select “role-based or feature-based installation”, click Next, select your server, and click Next. On the Select server roles screen select “Remote Access”; on the Select features screen you can keep the defaults and click Next. Under Remote Access Role Services select only “DirectAccess and VPN (RAS)” (accept the features that are automatically selected) and leave the other options, Routing and Web Application Proxy, unchecked. Click Next, leave the defaults under the Web Server Role Services, click Next, then click Install (it takes a few minutes to install but usually doesn’t require a reboot).
- At the top bar of Server Manager you will see a yellow triangle; click on it and select “Open the Getting Started Wizard”, or click on “Remote Access” in the left window and click on More in the right window to get “Open the Getting Started Wizard”.
- Select “Deploy VPN only” (may take up to 1 minute to open) (note: If you deploy DirectAccess, this option requires the server to be connected to a domain – not workgroup mode)
- Right click on Server name and select “configure and enable routing and remote access”
- Select “Custom configuration”
- Select “VPN access” only, then Finish, then Start Service. Windows Firewall should automatically open the necessary ports (or you might see a message telling you to manually open the firewall rules). Press OK on the message reminding you to open/enable firewall rules.
- Go back to Routing and Remote Access by going to Server Manager, Tools (dropdown near the upper right corner of Server Manager), and selecting “Routing and Remote Access”. Then right click on the server name and select Properties. Then go to the IPv4 tab and add a static IP address pool.
- Next, open “Network and Sharing Center” and click on “change adaptor settings”. Right click on the ethernet adaptor, highlight the “Internet Protocol Version 4 TCP/IPv4” row, click on Properties, then Advanced, and add a secondary IP address, which is a private IP in the same subnet as the pool above – this example uses 192.168.0.20 (this will be the IP address you can use to RDP to the server after the VPN connection is made).
- Next, adjust settings for each user you want to be able to VPN to the server by going to Computer Management, Local Users and Groups, Users, then right click on the individual user and open Properties. Go to the “Dial-In” tab and change the “Network Access Permission” section to “Allow Access” (instead of “control access through NPS network policy”). You need to do this for each user you want to allow VPN access to the server.
- Open the Windows Firewall rules for PPTP (PPTP requires both PPTP-In and GRE-In) and for other VPN protocols if you might use them (L2TP or SSTP).
- Usually it is a good idea to reboot the server at this point even if it doesn’t ask for a reboot.
SETUP VPN CONNECTION ON LOCAL PC (to connect local PC to offsite server via VPN)
- On your local PC, Go to Control Panel, Network and Internet, Network and Sharing Center, and “Setup a new connection or network” and then “Connect to a workplace / setup a VPN” or “Add a VPN connection”. Select “Use My Internet Connection”
- Enter IP address of server you will connect to – this is a public IP address (not private IP address you setup above 192.168.x.x)
- Enter description name for connection, then create.
- Then go to your VPN connection by clicking start icon and typing VPN, or going to notifications and clicking VPN
- Click on the VPN Connection you just setup and press connect. Enter Username and Password on next screen and click “Connect”
- You can adjust settings (security settings and others) by going back to the connection and opening its properties (go to change adaptor settings, find the connection, and right click for Properties, where you can change settings to match the VPN settings on the server if needed). You can also change the VPN settings on the server.
VERIFY THIS AND UNCHECK THE BOX BY “USE DEFAULT GATEWAY ON REMOTE NETWORK” OTHERWISE ALL YOUR TRAFFIC INCLUDING WEB BROWSING WILL GO THROUGH THE REMOTE SERVER WHICH WILL LESSEN YOUR PERFORMANCE. NOTE: If you can no longer access the internet on your local machine once the VPN connects, you can change this by going to the networking tab in Properties of the VPN Connection, highlight the TCP/IPv4 row, click Properties, click Advanced, and uncheck “use default gateway on remote network”. (you may have to disconnect and reconnect before this change will apply)
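The client-side steps above can also be scripted with the built-in VpnClient cmdlets. This is an added example, not part of the original post; the connection name and the 203.0.113.10 server address are placeholders, and `-SplitTunneling` is the scripted equivalent of unchecking “use default gateway on remote network”.

```powershell
# Added example (not from the original post). Run on the local Windows PC.
# Placeholder values: 'Offsite Server VPN' and 203.0.113.10 (documentation range).

function New-OffsiteVpnProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,  # public IP of the server
        [ValidateSet('Pptp', 'L2tp')] [string] $TunnelType = 'Pptp',
        [string] $PreSharedKey                            # only used for L2tp
    )

    $params = @{
        Name                 = $Name
        ServerAddress        = $ServerAddress
        TunnelType           = $TunnelType
        AuthenticationMethod = 'MSChapv2'   # password-based Windows authentication
        EncryptionLevel      = 'Required'   # refuse an unencrypted session
        SplitTunneling       = $true        # do not route all traffic via the server
        RememberCredential   = $false       # prompt for the password at connect time
        PassThru             = $true
    }

    if ($TunnelType -eq 'L2tp') {
        if (-not $PreSharedKey) {
            throw 'L2tp needs the preshared key configured on the server.'
        }
        $params.L2tpPsk = $PreSharedKey
        $params.Force   = $true             # suppress the preshared-key warning prompt
    }

    # Replace a stale profile of the same name instead of failing on it.
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }

    Add-VpnConnection @params
}

# PPTP profile as set up in the steps above.
New-OffsiteVpnProfile -Name 'Offsite Server VPN' -ServerAddress '203.0.113.10' |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, SplitTunneling
```

If `SplitTunneling` shows `False` on an existing profile, `Set-VpnConnection -Name <name> -SplitTunneling $true` changes it without recreating the connection.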
ADJUSTING FIREWALL RULES TO TURN OFF RDP ACCESS (PORT 3389) ON PUBLIC PROFILE
Note: there are many adjustments you can make to the Windows Firewall and this is just one example/method. You should properly test any changes made.
- Make sure you are logged in via RDP via VPN to the private IP (192.168.0.20 in this example) first before changing these rules below.
- First make sure the RAS interface on the server is set to the private firewall profile in “network and sharing center” on the server. If it isn’t (most likely it is set to public, so you will have to change it), change it as follows: gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies and assign “RAS (Dial In) Interface” to a Private Network Profile. (Alternative method: start, secpol, network list manager policies, right click on RAS Interface, network location tab, change it to private.)
- Next, open Windows Firewall with Advanced Security and modify these 4 inbound rules:
- “Remote Desktop Services – User Mode (TCP-In)”
- “Remote Desktop Services – User Mode (UDP-In)”
- “Remote Desktop – User Mode (TCP-In)”
- “Remote Desktop – User Mode (UDP-In)”
Turn each of them off for the Public profile. You could/should also modify other rules affecting the public profile to restrict access to the private profile only.
- Now it is time to connect and test your changes.
- Connect to the server via VPN first, then you can RDP to the server using the private IP (192.168.0.20 in example above) when VPN is active. You shouldn’t be able to RDP to the public IP address. You should test all scenarios after deployment.
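The rule changes above, followed by an audit of what is still reachable on the Public profile, can be done from PowerShell. This is an added example, not part of the original post; the wildcard pattern and the `Get-PublicRdpExposure` helper name are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run elevated on the server while
# logged in over the VPN to the private IP, as the first step above requires.

# The wildcard matches the four "User Mode" rules listed above, whether the
# console shows the name with a hyphen or an en dash.
$rdpRules = Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like 'Remote Desktop*User Mode*' }

# Keep a record of the current scope so the change can be reverted.
$before = $rdpRules | Select-Object Name, DisplayName, Enabled, Profile
$before | Format-Table -AutoSize

# Scope the rules to Domain and Private; they no longer apply on Public.
$rdpRules | Set-NetFirewallRule -Profile Domain, Private

# Audit helper (hypothetical name): every enabled inbound allow rule that names
# the RDP port explicitly and still applies on the Public profile.
# Rules whose LocalPort is 'Any' or a range are not matched by this check.
function Get-PublicRdpExposure {
    param([string] $Port = '3389')

    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $filter   = $_ | Get-NetFirewallPortFilter
            $onPublic = $_.Profile.ToString() -match 'Any|Public'
            if ($onPublic -and ($filter.LocalPort -contains $Port)) {
                [pscustomobject]@{
                    DisplayName = $_.DisplayName
                    Profile     = $_.Profile
                    Protocol    = $filter.Protocol
                    LocalPort   = $filter.LocalPort -join ','
                }
            }
        }
}

$exposed = @(Get-PublicRdpExposure)
if ($exposed.Count -eq 0) {
    'No enabled inbound rule names port 3389 on the Public profile.'
} else {
    $exposed | Format-Table -AutoSize
}
```

An empty result only covers the host firewall; still test RDP against the public IP from outside, as the step above says.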
Congratulations, now your PPTP VPN should be set up and working!
OPTIONAL STEPS TO SETUP/CONFIGURE L2TP:
The steps above create a “point-to-point tunneling protocol” (PPTP) VPN connection and open the Windows Server firewall for PPTP, L2TP and SSTP (or you manually enabled these rules), although L2TP and SSTP require additional configuration to work. You can increase security by implementing L2TP or SSTP. One example is L2TP with a “pre-shared key”, where you enter a pre-shared key in RRAS properties on the security tab (on the server) and then also enter the pre-shared key in the client PC VPN connection. When you connect, the Windows VPN client on the PC will show whether it is connected as PPTP or L2TP. In the security options of the PC VPN client, you can select which protocol to use if more than PPTP has been set up on the server. If you are using L2TP instead of PPTP, you can then turn off PPTP on the Windows Server and also disable the PPTP firewall rule (see below).
How to enable L2TP/IPsec VPN and disable PPTP protocol
Configure L2TP with preshared key:
- First make sure the Windows Firewall inbound rules on the server allow L2TP (if you had only enabled the inbound firewall rules for PPTP and GRE earlier, you should also enable L2TP now). Open the RRAS Management Console, right click on the server name, and go to Properties. Go to the security tab, enable the checkbox by “allow custom IPsec policy for L2TP/IKEv2 connection” and create/enter a complex password in the “preshared key” field.
- The preshared key is the same for all users.
- Now disconnect your current PPTP session and reconnect using the L2TP/preshared key settings in your local connection client. Go to your local VPN network adaptor settings and adjust accordingly.
- Now login to server and disable PPTP by clicking on ports, right click to properties, highlight the PPTP row and uncheck the top two boxes to disable PPTP.
- Last, disable Windows firewall rules for PPTP and GRE if only using L2TP.
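The firewall side of this switch, enabling the L2TP rule and disabling the PPTP and GRE rules, can be applied and checked in one pass. This is an added example, not part of the original post; the `Set-VpnFirewallRules` name is hypothetical and the display-name patterns assume the built-in rules end in “(PPTP-In)”, “(GRE-In)” and “(L2TP-In)”.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Assumption: the built-in Routing and Remote Access inbound rules have display
# names ending in (PPTP-In), (GRE-In) and (L2TP-In).

function Set-VpnFirewallRules {
    [CmdletBinding()]
    param(
        # Protocols that should stay reachable; everything else listed in
        # $patterns is disabled.
        [Parameter(Mandatory)]
        [ValidateSet('PPTP', 'L2TP')]
        [string[]] $Allow
    )

    $patterns = @{
        PPTP = @('*(PPTP-In)', '*(GRE-In)')   # PPTP needs both rules
        L2TP = @('*(L2TP-In)')
    }

    foreach ($proto in $patterns.Keys) {
        $state = if ($Allow -contains $proto) { 'True' } else { 'False' }
        foreach ($pattern in $patterns[$proto]) {
            $rules = Get-NetFirewallRule -DisplayName $pattern -ErrorAction SilentlyContinue
            if (-not $rules) {
                Write-Warning "No firewall rule matches '$pattern'."
                continue
            }
            $rules | Set-NetFirewallRule -Enabled $state
        }
    }

    # Return the resulting state so it can be reviewed or logged.
    Get-NetFirewallRule -DisplayName ($patterns.Values | ForEach-Object { $_ }) |
        Select-Object DisplayName, Enabled, Profile, Direction
}

# During the migration both protocols stay open:
#   Set-VpnFirewallRules -Allow PPTP, L2TP
# Once every client connects with L2TP, close PPTP and GRE:
Set-VpnFirewallRules -Allow L2TP | Format-Table -AutoSize

# Report whether anything on the server still listens on the PPTP control
# port (TCP 1723) after PPTP was disabled on the RRAS ports.
$pptp = Get-NetTCPConnection -State Listen -LocalPort 1723 -ErrorAction SilentlyContinue
if ($pptp) {
    $pptp | Select-Object LocalAddress, LocalPort, OwningProcess
} else {
    'Nothing is listening on TCP 1723.'
}
```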
FAQs
How do I run a VPN server on Windows Server 2019? ›
- Step 1: Update System.
- Step 2: Install Remote Access Role.
- Step 3: Configure Routing and Remote Access.
- Step 4: Configure VPN Properties.
- Step 5: Configure NAT.
- Step 6: Restart Routing and Remote Access.
- Step 7: Configure Windows Firewall.
- Step 8: Create VPN User.
- For VPN provider, choose Windows (built-in).
- In the Connection name box, enter a name you'll recognize (for example, My Personal VPN). ...
- In the Server name or address box, enter the address for the VPN server.
- For VPN type, choose the type of VPN connection you want to create.
- Tap the Settings icon.
- Tap Network & internet.
- Tap Advanced.
- Tap VPN.
- Tap Add.
- Enter the information including Name, Type, Server Address, Username, and Password.
- Tap Save.
- Again, tap the Settings icon.
- Open up your preferred browser.
- Enter your router's LAN (internal) IP address into the search bar. ...
- Enter the router's username and password. ...
- Go into Settings (or Advanced Settings) > VPN Service.
- Enable the VPN Service.
Windows comes with the built-in ability to function as a VPN server, free of charge. It does this by using the point-to-point tunneling protocol (PPTP) and can be confusing to set up if you're not too tech-savvy.
What are the different types of VPNs supported by a Windows 2019 server? ›Microsoft RRAS server and VPN client support PPTP, L2TP/IPSec, SSTP and IKEv2 based VPN connections. By default the VPN connections are made using PPTP, the Point-to-Point Tunnelling Protocol. We can also convert our VPN server to support SSTP. PPTP connections are established over TCP port 1723.
What is server address in VPN? ›An address used to identify a local network. These are the IP addresses of the computers on each side that are allowed to send traffic through the VPN tunnel. We recommend that you use an address from one of the reserved ranges: 10.0.0.0/8—255.0.0.0.
How do I download a VPN to my computer? ›How to get a VPN? Download a VPN from a reliable provider. Open the file you just downloaded to install your VPN. After installing the VPN, activate it to protect your data and hide your IP address.
How can I get a free VPN? ›- Proton VPN Free. Truly secure with unlimited data – the best free VPN. ...
- Privado VPN. A free VPN that can unblock Netflix (for now) ...
- Windscribe. Generous on data, and secure too. ...
- Atlas VPN. Great speeds, and tons of data for Mac users. ...
- Hide.me. ...
- Hotspot Shield Basic.
Go to your phone's settings. Select “About device.” Tap on “Status.” Here you can find information about your device, including the IP address.
Can I use my VPS as a VPN? ›
While VPSs and VPNs are different technologies, they can be combined. You can use a VPS as the hosting server to create your own VPN. Some tech-savvy users create their own VPNs in order to both save money and ensure complete privacy.
What is a VPN configuration? ›A VPN, or Virtual Private Network, routes all of your internet activity through a secure, encrypted connection, which prevents others from seeing what you're doing online and from where you're doing it. Basically, a VPN provides an extra layer of security and privacy for all of your online activities.
Can I run OpenVPN server on Windows? ›The OpenVPN protocol is not built into Windows. Therefore, you must install a client app to handle communication with Access Server. A client app is required to capture the traffic you want to send through the OpenVPN tunnel, encrypt it, pass it on to the server, and decrypt the return traffic.
How VPN works step by step? ›A VPN masks your IP address by acting as an intermediary and rerouting your traffic. It also adds encryption, or a tunnel around your identity, as you connect. The combination of the VPN server and the encryption tunnel blocks your ISP, governments, hackers, and anyone else from spying on you as you navigate the web.
How do I know if I have a VPN? ›You can also navigate to your settings application, click network, and then see if you're running a VPN/proxy. Harder to check on Android/iPhone and doesn't really happen on the device. Check with your company's IT people to see if the WiFi is set up with a VPN/proxy.
Is Windows built in VPN free? ›Microsoft is adding a free built-in virtual private network (VPN) service to its Edge browser in a bid to improve security and privacy, a Microsoft support page revealed.
How does Windows built in VPN Work? ›When and how to use the VPN client built into Windows. VPN (virtual private network) technology lets a computer using a public internet connection join a private network by way of a secure “tunnel” between that machine and the network. This protects the data from being seen or tampered with by bad actors.
How do I install Azure VPN client on Windows Server 2019? ›- Navigate to the virtual network gateway.
- Click Point-to-Site configuration.
- Click Download VPN client.
- Select the client and fill out any information that is requested.
- Click Download to generate the .zip file.
- The .zip file will download, typically to your Downloads folder.
When setting up a VPN server with Windows, 3 types of VPN service are installed: PPTP. L2TP. SSTP.
What ports need to be open for L2TP VPN? ›By default, L2TP uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50.
What is L2TP and PPTP? ›
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by internet service providers (ISPs) to enable virtual private networks (VPNs). To ensure security and privacy, L2TP must rely on an encryption protocol to pass within the tunnel.
Which server is best for VPN? ›...
What is the best VPN for unblocking sports?
- ExpressVPN has more than 3,000 servers in 94 countries.
- CyberGhost offers 7,000+ servers across 91 countries.
- NordVPN has more than 5,400 servers in 58 countries.
- Go to the “Settings” application.
- On the next screen, tap the “More…” button.
- Click on the “VPN” option.
- Click on the + Button.
- Insert the information from your VPN provider (We have complete instructions for ExpressVPN, CyberGhost and PrivateVPN below)
Open the DOS interface of your computer by typing the letters "cmd" into the "Open" field of the run menu. After you press enter, a new window should open which includes the DOS command prompt. In this window, type "Hostname" and press the enter key. Your computer's server name should appear.
Which VPN is free for PC? ›
| | #1 Best Overall | #2 Top Pick |
|---|---|---|
| VPN Provider | ExpressVPN | NordVPN |
| Supported devices | MacOS & iOS Android Windows Linux Microsoft | MacOS & iOS Windows Linux |
| 24/7 support | ✔️ | ✔️ |
| Max connections | 5 | 6 |
Is VPN 100% free? ›Most VPN providers require a monthly fee if you want to use their secure server network. However, there are some VPN providers that offer a connection for free.
Can I make my own VPN? ›To create your own VPN for personal use, you have a few specific hosting options: Run the software on a cloud virtual private server. All cloud providers, from titans like Amazon Web Services to smaller operations like Vultr, offer cloud-hosted servers called VPSs.
Which VPN is completely free? ›
| VPN | Speeds | Compatibility |
|---|---|---|
| hide.me | Fast | Windows, Mac, Android, iOS, Linux, AppleTV, routers and more |
| Hotspot Shield | Average | Windows, Mac, Android, iOS |
| TunnelBear | Fast | Windows, Mac, Android, iOS |
| Kaspersky Secure Connection | Fast | Windows, Mac, Android, iOS |
A public IP address is an IP address that can be accessed directly over the internet and is assigned to your network router by your internet service provider (ISP). Your personal device also has a private IP that remains hidden when you connect to the internet through your router's public IP.
Which is better VPN or VPS? ›
A VPN is only used for one thing – keeping your data safe and secure when browsing the internet. A VPS is a service provided by a hosting company in order to host a website or application. While it can ultimately be used to connect to the internet, it does not inherently keep your information secure.
What is the difference between VPN and VPC? ›Just as a virtual private network (VPN) provides secure data transfer over the public Internet, a VPC provides secure data transfer between a private enterprise and a public cloud provider.
What is difference between VPS and VM? ›A VPS is a physical server partitioned into several smaller virtual servers, with one shared operating system. Whereas a VMware Virtual Machine, splits the server completely, with each partition running its own operating system with its own dedicated resources.
What are the types of VPN? ›The four main types of VPN are:
Remote access VPNs. Personal VPN services. Mobile VPNs. Site-to-site VPNs.
Service | Monthly price | Max number of devices |
---|---|---|
NordVPN | $11.99/mo. | 6 |
ExpressVPN | $12.95/mo. | 5 |
CyberGhost | $12.99/mo. | 7 |
Private Internet Access | $11.95/mo. | 10 |
Configure your VPN's information.
Connection name — Add the name of the VPN on your computer. Server name or address — Enter or change the VPN's server address. VPN type — Enter or change the connection type. Type of sign-in info — Select a new type of sign-in (e.g., Password) if necessary.
Is OpenVPN a VPN provider? ›OpenVPN is an open-source, Virtual Private Network (VPN) encryption protocol - and is recognized across the industry as being the most secure protocol available.
How do I create a OVPN file in Windows? ›...
Create a Client File for Windows Client
- Specify the hostname/IP and port of VPN server. ...
- Set the protocol to UDP or TCP. ...
- Set the device mode to TAP or TUN. ...
- Set the cryptographic cipher. ...
- If Compression is enabled on server, you need to enable compression on the VPN client.
Network-based VPNs are virtual private networks that securely connect two networks together across an untrusted network. One common example is an IPsec-based WAN, where all the offices of a business connect to each other across the internet using IPsec tunnels. There are several kinds of network VPNs.
What is the purpose of VPN? ›
The main purpose of a VPN is to hide your online activity. VPNs are often used to guard against hackers and snoops on public networks, but they're also useful for hiding your IP address, browsing activity, and personal data on any Wi-Fi network — even at home.
Does VPN change IP address? ›A VPN configuration will not only change your IP address, it will also improve your overall internet experience. Using a VPN service can improve your speed by helping you defeat throttling and avoid network congestion.
Can a VPN be hacked? ›VPN services can be hacked, but it's extremely difficult to do so. Most premium VPNs use OpenVPN or WireGuard protocols in combination with AES or ChaCha encryption – a combination almost impossible to decrypt using brute force attacks.
How do you tell if an IP address is a VPN? ›Attempt to use Reverse DNS Lookups for checking VPN addresses. Either using websites, CLI, or scripts, you can identify if an IP address is a VPN based on looking at their hostname. With the hostname, this allows you to identify if the VPN is using a hostname that is related to a VPN provider.
How do you test if a VPN is working? ›The easiest way to check if your VPN is working is to note your IP address before connecting to a VPN, and then to check the IP address again immediately after the VPN connection is established.
What is the difference between DirectAccess and VPN? ›The main difference between Microsoft DirectAccess and VPN is that Microsoft DirectAccess automatically starts functioning as soon as the user connects his computer to the internet. On the other hand, the functioning of VPN needs to be manually started and stopped by the user whenever he is connected to the internet.
How do I enable Routing and Remote Access on Windows Server 2019? ›Right-click the server, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next. Click Remote access (dial-up or VPN) to permit remote computers to dial in or connect to this network through the Internet. Click Next.
How do I setup a PPTP server? ›- Note: ...
- 1) Click Add. ...
- Select Connect to a workplace and click Next. ...
- Enter the internet IP address of the router (for example: 218.18. ...
- Enter the User name and Password you have set for the PPTP VPN server on your router, and click Connect.
DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.
Does always on VPN require enterprise? ›
Always On VPN is a Windows 10-only solution. However, unlike DirectAccess, client devices do not have to run the Enterprise edition to take advantage of it. Windows 10 Professional, along with all other SKUs, are now supported clients.
What is Microsoft always on VPN? ›Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both.
Is OpenVPN server free? ›OpenVPN is a free VPN option for those looking to protect their privacy. Is it for you? OpenVPN is an open-source VPN protocol allowing secure online access from point-to-point completely free of charge.
By default the OpenVPN Access Server comes configured with OpenVPN daemons that listen on port 1194 UDP, and OpenVPN daemons that listen on port 443 TCP.
How do I install Remote Access and Routing? ›- Open the Windows Server 2012 Server Manager.
- From the Server Manager Dashboard, select Manage > Add Roles and Features.
- Click Next to display the Select Server Roles window.
- Select the Remote Access check box. ...
- Click Next until the Select Role Services page is displayed.
- Select Routing.
Click Start, point to Administrative Tools, and then click Routing and Remote Access. In the console tree, expand Routing and Remote Access, expand the server name, and then click Remote Access Policies. Right-click the right pane, point to New, and then click Remote Access Policy.
What type of connectivity is used for remote VPN connection? ›A VPN is a private network that uses a public network (usually the internet) to connect remote sites or users together. The VPN uses "virtual" connections routed through the internet from the business's private network or a third-party VPN service to the remote site or person.
Which is better OpenVPN or PPTP? ›Conclusion. PPTP has faster speeds and is easier to set up but offers a poorly secured connection. On the other hand, OpenVPN provides decent speeds and excellent security, plus it's great at circumventing geo-blocks and firewalls undetected.
What is IPSec VPN? ›
IPsec VPN is a protocol consisting of a set of standards used to establish a VPN connection. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN.