{"id":1681,"date":"2020-04-22T17:25:54","date_gmt":"2020-04-22T23:25:54","guid":{"rendered":"http:\/\/www.RiptideHosting.com\/blog\/?p=1681"},"modified":"2020-04-25T09:11:33","modified_gmt":"2020-04-25T15:11:33","slug":"how-to-install-vpn-server-on-windows-server-2019","status":"publish","type":"post","link":"https:\/\/www.RiptideHosting.com\/blog\/how-to-install-vpn-server-on-windows-server-2019\/","title":{"rendered":"How to Install VPN server on Windows Server 2019"},"content":{"rendered":"\n

Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge. The below method will setup PPTP VPN using Windows Authentication so it is password based and strong\/complex passwords are still very important.\u00a0 There are other protocols such as L2TP\/IPSec, certificate authentication, etc. which can result in a stronger security setup depending on your needs and environment. Toward the end of this document we will show you how to enable L2TP with preshared key and disable PPTP if you want to do that. This post will detail how to setup the VPN role on a Windows server, how to setup the VPN connection client on your local Windows PC, how to disable RDP and other protocols from using the public profile in the Windows firewall, and finally how to extend the VPN setup to LT2P. There is no additional cost for installing the VPN\/RRAS role on Windows Server.<\/p>\n\n\n\n

<\/p>\n\n\n\n

STEPS TO INSTALL VPN SERVER ROLE ON WINDOWS SERVER 2019<\/span><\/strong><\/p>\n\n\n\n

  1. Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.<\/li>
  2. Open Server Manager, Dashboard, \u201cAdd Roles and Features\u201d wizard, next, then select \u201crole-based or feature-based installation\u201d, next, select your server, next, then on select server roles screen select \u201cRemote Access\u201d, on select features screen can use defaults and press next.  Under Remote Access Role Services select only \u201cDirectAccess and VPN (RAS)\u201d (select to add the features that are automatically selected) and leave the other options of Routing and Web Application Proxy unchecked, next, leave defaults under the Web Server Role Services, next, Click Install (takes a few minutes to install but usually doesn\u2019t require a reboot). \"\"\"\"\"Installing\"Installing<\/li>
  3. At the top bar of Server Manager, you will see a yellow triangle can click on it to select \u201cOpen the Getting Started Wizard\u201d or click on \u201cRemote Access\u201d in the left window and click on more in the right windows to get the \u201cOpen the Getting Started Wizard\u201d.\"Open<\/li>
  4. Select \u201cDeploy VPN only\u201d (may take up to 1 minute to open) (note: If you deploy DirectAccess, this option requires the server to be connected to a domain \u2013 not workgroup mode) \"Open<\/li>
  5. Right click on Server name and select \u201cconfigure and enable routing and remote access\u201d \"Configure\"Configure<\/li>
  6. Select \u201cCustom<\/strong> configuration\u201d \"Configure<\/li>
  7. Select \u201cVPN access\u201d only, then Finish, Start Service.  Windows Firewall should automatically open the necessary ports (or you might see message below telling you to manually open the firewall rules). And press OK by message reminding you to open\/enable firewall rules. \"Configure\"Configure\"Configure<\/li>
  8. Go back to Routing and Remote Access by going to Server Manager, Tools (dropdown near upper right corner of server manager), select \u201cRouting and Remote Access\u201d.  Then right click on the server name and select properties.  Then go to IPv4 tab to add static IP address pool in IPv4 tab \u2013 see screenshots below: \"Configure<\/li>
  9. Next, open \u201cNetwork and Sharing Center\u201d and click on \u201cchange adaptor settings\u201d.  Right click on the ethernet adaptor, highlight the \u201cInternet Protocol Version 4 TCP\/IPv4\u201d row, click on properties, advanced and add a secondary IP Address which is private IP in the same subnet as pool above \u2013 in this example, used 192.168.0.20 (this will be the IP address you can use to RDP to the server after the VPN connection is made). \"Ethernet\"Ethernet<\/li>
  10. Next, adjust settings for each<\/strong> user you want to be able to VPN to the server by going to Computer Management, Local Users and Groups, Users, and right click on the individual User and enter Properties.  Go to \u201cDial-In\u201d tab and change \u201cNetwork Access Permission\u201d section to \u201cAllow Access\u201d (instead of \u201ccontrol access through NPS network policy\u201d.  You need to do this for each user you want to allow VPN access to the server.\"Change<\/li>
  11. Open Windows Firewall rules for PPTP (PPTP requires both PPTP-In and GRE-In) and other VPN protocols if you might use them (L2TP or SSTP): \"Windows<\/li>
  12. Usually it is a good idea to reboot server at this point even if it doesn\u2019t ask for a reboot.<\/li><\/ol>\n\n\n\n

    <\/p>\n\n\n\n

    SETUP VPN CONNECTION ON LOCAL PC (to connect loca PC to offsite server via VPN)<\/u><\/strong><\/p>\n\n\n\n

    1. On your local PC, Go to Control Panel, Network and Internet, Network and Sharing Center, and \u201cSetup a new connection or network\u201d and then \u201cConnect to a workplace \/ setup a VPN\u201d or \u201cAdd a VPN connection\u201d.  Select \u201cUse My Internet Connection\u201d\"Setup<\/li>
    2. Enter IP address of server you will connect to \u2013 this is a public IP address (not private IP address you setup above 192.168.x.x)<\/li>
    3. Enter description name for connection, then create.<\/li>
    4. Then go to your VPN connection by clicking start icon and typing VPN, or going to notifications and clicking VPN<\/li>
    5. Click on the VPN Connection you just setup and press connect.  Enter Username and Password on next screen and click \u201cConnect\u201d<\/li>
    6. You can adjust setting (security settings and other) by going back to the Connection and entering properties (go to change adaptor settings, find connection, right click for properties where you can change settings to match VPN settings on the server if needed.).  Also you can change VPN settings on the server.<\/li><\/ol>\n\n\n\n

      VERIFY THIS AND UNCHECK<\/span> THE BOX BY \u201cUSE DEFAULT GATEWAY ON REMOTE NETWORK\u201d OTHERWISE ALL YOUR TRAFFIC INCLUDING WEB BROWSING WILL GO THROUGH THE REMOTE SERVER WHICH WILL LESSEN YOUR PERFORMANCE.<\/strong> NOTE:   If you can no longer access the internet on your local machine once the VPN connects, you can change this by going to the networking tab in Properties of the VPN Connection, highlight the TCP\/IPv4 row, click Properties, click Advanced, and uncheck \u201cuse default gateway on remote network\u201d.  (you may have to disconnect and reconnect before this change will apply)\"Local<\/p>\n\n\n\n

      <\/p>\n\n\n\n

      ADJUSTING FIREWALL RULES TO TURN OFF RDP ACCESS (PORT 3389) ON PUBLIC PROFILE<\/u><\/strong><\/p>\n\n\n\n

      Note: there are many adjustments you can make to the Windows Firewall and this is just one example\/method.  You should properly test any changes made.<\/p>\n\n\n\n

      1. Make sure you are logged in via RDP via VPN to the private IP (192.168.0.20 in this example) first before changing these rules below.<\/li>
      2. First make sure the RAS interface on the server is set to private<\/u><\/strong> firewall profile in \u201cnetwork and sharing center\u201d on the server.  If it isn\u2019t (and most likely it is set to public so you will have to change it), change it as follows:  gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies and assign “RAS (Dial In) Interface” to a Private Network Profile. (alternative method– start, secpol, network list manager policies, right click on RAS Interface, network location tab, change it to private) \"RAS\"RAS\"RAS<\/li><\/ol>\n\n\n\n
        • Next, Open Windows Firewall with Advanced Security and modify 4 x Inbound Rules,
          • \u201cRemote Desktop Services \u2013 User Mode (TCP-In)\u201d<\/li><\/ul>
            • \u201cRemote Desktop Services \u2013 User Mode (UDP-In)\u201d<\/li><\/ul>
              • \u201cRemote Desktop \u2013 User Mode (TCP-In)\u201d<\/li><\/ul>
                • \u201cRemote Desktop \u2013 User Mode (UDP-In)\u201d<\/li><\/ul><\/li><\/ul>\n\n\n\n

                  and turn it off for Public Profile.  You could\/should also modify other rules affecting the public profile to restrict access to private profile only. \"Adjust<\/p>\n\n\n\n

                  • Now it is time to connect and test your changes.<\/li>
                  • Connect to the server via VPN first, then you can RDP to the server using the private IP (192.168.0.20 in example above) when VPN is active.  You shouldn\u2019t be able to RDP to the public IP address.  You should test all scenarios after deployment.<\/li><\/ul>\n\n\n\n

                    Congratulations, Now your PPTP VPN should be setup and working!<\/p>\n\n\n\n

                    <\/p>\n\n\n\n

                    OPTIONAL STEPS TO SETUP\/CONFIGURE L2TP:<\/u><\/strong><\/p>\n\n\n\n

                    The steps above will create a \u201cpoint-to-point tunneling protocol\u201d (PPTP) VPN connection and will open the Windows Server firewall for PPTP, L2TP and SSTP (or you manually enabled these rules) although L2TP & SSTP require additional configuration to work.   You can increase security by implementing L2TP or SSTP.  One example is L2TP with \u201cpre-shared key\u201d where you enter a pre-shared key in RRAS properties on the security tab (on server) and then also enter the pre-shared key on the client PC VPN connection.  When you connect, the windows VPN client on the PC will show if connected as PPTP or L2TP.  In security options on the PC VPN client, you can select which protocol to use if more than PPTP has been setup on the server.  If you are using L2TP instead of PPTP, you can then turn off PPTP on the Windows Server and also disable the PPTP firewall rule (see below).<\/p>\n\n\n\n

                    How to enable L2TP\/IPsec VPN and disable PPTP protocol<\/strong><\/p>\n\n\n\n

                    Configure L2TP with preshared key:<\/p>\n\n\n\n

                    1. First may sure the Windows Firewall inbound rules on the server allow L2TP (if you had only enabled the inbound firewall rules for PPTP and GRE earlier, you should also enable L2TP now).  Open RAAS Management Console, right click on server name, and go to properties.  Go to security tab and enable the checkbox by \u201callow custom IPsec policy for L2TP\/IKEv2 connection\u201d and create\/enter a complex password in the \u201cpreshared key\u201d field.\"L2TP<\/li>
                    2. The preshared key is something that is the same for all users<\/li>
                    3. Now disconnect your current PPTP session and reconnect using L2TP\/preshared key settings in your local connection client.  Go to you local VPN network adaptor settings and adjust accordingly.\"L2TP<\/li>
                    4. Now login to server and disable PPTP by clicking on ports, right click to properties, highlight the PPTP row and uncheck the top two boxes to disable PPTP. \"Disable<\/li>
                    5. Last, disable Windows firewall rules for PPTP and GRE if only using L2TP. <\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"

                      Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge. The below method will setup PPTP VPN using Windows Authentication so it is password based and strong\/complex passwords are still very important.\u00a0 There are other protocols such as L2TP\/IPSec, certificate authentication, etc. which can result […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,7,1,15,99,100],"tags":[103,102],"class_list":["post-1681","post","type-post","status-publish","format-standard","hentry","category-all-posts","category-remote-desktop-hosting","category-uncategorized","category-windows-server-2016","category-windows-server-2019","category-windows-vpn","tag-windows-server-ras","tag-windows-server-rras"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/comments?post=1681"}],"version-history":[{"count":13,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1681\/revisions"}],"predecessor-version":[{"id":2031,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1681\/revisions\/2031"}],"wp:attachment":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/media?parent=1681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/categories?post=1681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/tags?post=1681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}