Update: See link here for Setting up the VPN Role on Server 2019- http://www.riptidehosting.com/blog/how-to-install-vpn-server-on-windows-server-2019/
Windows Server 2016 VPN
Using a VPN with RDP is more secure because it provides two steps to access your network. You could require clients to connect with a VPN first before being able to RDP to the server. Unless you are using our Dedicated Server Hosting offering where you can have a hardware vpn device, you will need to install a software VPN on the server. One option is using the free built-in Windows VPN role service. Other software VPN options available have been Hamachi (acquired by LogMeIn), Zerotier which provides software defined networking capabilities, and other options.
WINDOWS SERVER BUILT-IN VPN ROLE:
If you are interested in setting up the built-in VPN role on Windows Server 2016 and then limiting RDP access to private IPs after VPN is connected, contact Riptide Hosting for a post we wrote on how to set this up. PPTP VPN using Windows Authentication is password based so strong/complex passwords are still very important. Other VPN protocols, certificate authentication, may provide stronger security depending on your needs and environment. You can use the built-in Windows VPN to setup a L2TP VPN with preshared keys too.
General steps to install the (free) built-in VPN role on Windows Server 2016:
- Add “Remote Access” server role with “DirectAccess and VPN (RAS)” role service.
- Open the Getting Started Wizard, select “Deploy VPN only”, “Configure and Enable Routing and Remote Access”, Select “Custom Configuration”, Select “VPN access” only. Start Service. Reboot
- Go into “Routing and Remote Access” properties, IPv4 tab to add static IP address pool with private IPs
- Change Network Adapter settings, IPv4, to add secondary IP from private IP range above
- Adjust User Properties for each user on the Dial-In tab to Allow “Network Access Permission”
- Setup VPN Connection on each user PC (may need to uncheck “use default gateway on remote network” if having internet issues on the PC)
- Adjust Server Firewall rules to disable RDP access on port 3389
- Test deployment (verify you can’t RDP without using VPN first, etc.)
- Our steps generally follow the steps in these links with a few additional items noted