How to Install VPN server on Windows Server 2019

Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge. The below method will setup PPTP VPN using Windows Authentication so it is password based and strong/complex passwords are still very important.  There are other protocols such as L2TP/IPSec, certificate authentication, etc. which can result in a stronger security setup depending on your needs and environment. Toward the end of this document we will show you how to enable L2TP with preshared key and disable PPTP if you want to do that. This post will detail how to setup the VPN role on a Windows server, how to setup the VPN connection client on your local Windows PC, how to disable RDP and other protocols from using the public profile in the Windows firewall, and finally how to extend the VPN setup to LT2P. There is no additional cost for installing the VPN/RRAS role on Windows Server.

STEPS TO INSTALL VPN SERVER ROLE ON WINDOWS SERVER 2019

  1. Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.
  2. Open Server Manager, Dashboard, “Add Roles and Features” wizard, next, then select “role-based or feature-based installation”, next, select your server, next, then on select server roles screen select “Remote Access”, on select features screen can use defaults and press next.  Under Remote Access Role Services select only “DirectAccess and VPN (RAS)” (select to add the features that are automatically selected) and leave the other options of Routing and Web Application Proxy unchecked, next, leave defaults under the Web Server Role Services, next, Click Install (takes a few minutes to install but usually doesn’t require a reboot). Installing Remote Access VPN-1Installing Remote Access VPN-2
  3. At the top bar of Server Manager, you will see a yellow triangle can click on it to select “Open the Getting Started Wizard” or click on “Remote Access” in the left window and click on more in the right windows to get the “Open the Getting Started Wizard”.Open the Getting Started Wizard
  4. Select “Deploy VPN only” (may take up to 1 minute to open) (note: If you deploy DirectAccess, this option requires the server to be connected to a domain – not workgroup mode) Open the Getting Started Wizard-Deploy VPN only selection
  5. Right click on Server name and select “configure and enable routing and remote access” Configure RRAS-1Configure RRAS-2
  6. Select “Custom configuration” Configure RRAS-3
  7. Select “VPN access” only, then Finish, Start Service.  Windows Firewall should automatically open the necessary ports (or you might see message below telling you to manually open the firewall rules). And press OK by message reminding you to open/enable firewall rules. Configure RRAS-4Configure RRAS-5Configure RRAS-6
  8. Go back to Routing and Remote Access by going to Server Manager, Tools (dropdown near upper right corner of server manager), select “Routing and Remote Access”.  Then right click on the server name and select properties.  Then go to IPv4 tab to add static IP address pool in IPv4 tab – see screenshots below: Configure RRAS-7
  9. Next, open “Network and Sharing Center” and click on “change adaptor settings”.  Right click on the ethernet adaptor, highlight the “Internet Protocol Version 4 TCP/IPv4” row, click on properties, advanced and add a secondary IP Address which is private IP in the same subnet as pool above – in this example, used 192.168.0.20 (this will be the IP address you can use to RDP to the server after the VPN connection is made). Ethernet adaptor propertiesEthernet adaptor properties-2
  10. Next, adjust settings for each user you want to be able to VPN to the server by going to Computer Management, Local Users and Groups, Users, and right click on the individual User and enter Properties.  Go to “Dial-In” tab and change “Network Access Permission” section to “Allow Access” (instead of “control access through NPS network policy”.  You need to do this for each user you want to allow VPN access to the server.Change User Properties Dial-In to Allow Access
  11. Open Windows Firewall rules for PPTP (PPTP requires both PPTP-In and GRE-In) and other VPN protocols if you might use them (L2TP or SSTP): Windows Firewall Inbound Rule PPTP GRE L2TP SSTP
  12. Usually it is a good idea to reboot server at this point even if it doesn’t ask for a reboot.

SETUP VPN CONNECTION ON LOCAL PC (to connect loca PC to offsite server via VPN)

  1. On your local PC, Go to Control Panel, Network and Internet, Network and Sharing Center, and “Setup a new connection or network” and then “Connect to a workplace / setup a VPN” or “Add a VPN connection”.  Select “Use My Internet Connection”Setup VPN connection on Local PC
  2. Enter IP address of server you will connect to – this is a public IP address (not private IP address you setup above 192.168.x.x)
  3. Enter description name for connection, then create.
  4. Then go to your VPN connection by clicking start icon and typing VPN, or going to notifications and clicking VPN
  5. Click on the VPN Connection you just setup and press connect.  Enter Username and Password on next screen and click “Connect”
  6. You can adjust setting (security settings and other) by going back to the Connection and entering properties (go to change adaptor settings, find connection, right click for properties where you can change settings to match VPN settings on the server if needed.).  Also you can change VPN settings on the server.

VERIFY THIS AND UNCHECK THE BOX BY “USE DEFAULT GATEWAY ON REMOTE NETWORK” OTHERWISE ALL YOUR TRAFFIC INCLUDING WEB BROWSING WILL GO THROUGH THE REMOTE SERVER WHICH WILL LESSEN YOUR PERFORMANCE. NOTE:   If you can no longer access the internet on your local machine once the VPN connects, you can change this by going to the networking tab in Properties of the VPN Connection, highlight the TCP/IPv4 row, click Properties, click Advanced, and uncheck “use default gateway on remote network”.  (you may have to disconnect and reconnect before this change will apply)Local PC VPN connection - uncheck use default gateway

ADJUSTING FIREWALL RULES TO TURN OFF RDP ACCESS (PORT 3389) ON PUBLIC PROFILE

Note: there are many adjustments you can make to the Windows Firewall and this is just one example/method.  You should properly test any changes made.

  1. Make sure you are logged in via RDP via VPN to the private IP (192.168.0.20 in this example) first before changing these rules below.
  2. First make sure the RAS interface on the server is set to private firewall profile in “network and sharing center” on the server.  If it isn’t (and most likely it is set to public so you will have to change it), change it as follows:  gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies and assign “RAS (Dial In) Interface” to a Private Network Profile. (alternative method– start, secpol, network list manager policies, right click on RAS Interface, network location tab, change it to private) RAS interface must be changed to Private ProfileRAS interface must be changed to Private Profile-2RAS interface must be changed to Private Profile-3
  • Next, Open Windows Firewall with Advanced Security and modify 4 x Inbound Rules,
    • “Remote Desktop Services – User Mode (TCP-In)”
    • “Remote Desktop Services – User Mode (UDP-In)”
    • “Remote Desktop – User Mode (TCP-In)”
    • “Remote Desktop – User Mode (UDP-In)”

and turn it off for Public Profile.  You could/should also modify other rules affecting the public profile to restrict access to private profile only. Adjust inbound firewall rules to exclude public profile

  • Now it is time to connect and test your changes.
  • Connect to the server via VPN first, then you can RDP to the server using the private IP (192.168.0.20 in example above) when VPN is active.  You shouldn’t be able to RDP to the public IP address.  You should test all scenarios after deployment.

Congratulations, Now your PPTP VPN should be setup and working!

OPTIONAL STEPS TO SETUP/CONFIGURE L2TP:

The steps above will create a “point-to-point tunneling protocol” (PPTP) VPN connection and will open the Windows Server firewall for PPTP, L2TP and SSTP (or you manually enabled these rules) although L2TP & SSTP require additional configuration to work.   You can increase security by implementing L2TP or SSTP.  One example is L2TP with “pre-shared key” where you enter a pre-shared key in RRAS properties on the security tab (on server) and then also enter the pre-shared key on the client PC VPN connection.  When you connect, the windows VPN client on the PC will show if connected as PPTP or L2TP.  In security options on the PC VPN client, you can select which protocol to use if more than PPTP has been setup on the server.  If you are using L2TP instead of PPTP, you can then turn off PPTP on the Windows Server and also disable the PPTP firewall rule (see below).

How to enable L2TP/IPsec VPN and disable PPTP protocol

Configure L2TP with preshared key:

  1. First may sure the Windows Firewall inbound rules on the server allow L2TP (if you had only enabled the inbound firewall rules for PPTP and GRE earlier, you should also enable L2TP now).  Open RAAS Management Console, right click on server name, and go to properties.  Go to security tab and enable the checkbox by “allow custom IPsec policy for L2TP/IKEv2 connection” and create/enter a complex password in the “preshared key” field.L2TP preshared key on server settings
  2. The preshared key is something that is the same for all users
  3. Now disconnect your current PPTP session and reconnect using L2TP/preshared key settings in your local connection client.  Go to you local VPN network adaptor settings and adjust accordingly.L2TP preshared key on local PC VPN connection settings
  4. Now login to server and disable PPTP by clicking on ports, right click to properties, highlight the PPTP row and uncheck the top two boxes to disable PPTP. Disable PPTP ports
  5. Last, disable Windows firewall rules for PPTP and GRE if only using L2TP.