Windows Server 2012 R2 provides support for secure client-based remote access VPN connections as part of the Routing and Remote Access Services (RRAS). Client-based VPN is very mature in Windows, originally introduced with Windows 2000 Server and also as a downloadable option for Windows NT 4.0.
Today, RRAS has broad client support with secure and robust VPN protocols such as IKEv2 and SSTP, while at the same time maintaining support for legacy VPN protocols such as L2TP/IPsec and PPTP.
The Case for Windows-based VPNHistorically, VPN has been implemented using firewalls or dedicated VPN appliances. So why use a Windows Server for VPN? Here are some things to consider.
- Easy to Implement – Installing and configuring a VPN server using Windows Server 2012 R2 is simple. By following the guidance in this article, a VPN server can be implemented in just a few minutes.
- Easy to Manage – Managing a VPN server running Windows Server 2012 R2 is no different than any other Windows server. Windows system management is mature and well understood, and the server can be maintained using existing platforms, tools, and procedures.
- Cost Effective – A Windows Server 2012 R2-based VPN server costs significantly less than it does to deploy dedicated and proprietary VPN hardware. The server can be deployed in existing virtual infrastructure and has no per-user licensing requirements. In addition, adding capacity is as easy as spinning up additional VMs, in most cases.
The VPN server should be configured with two network interfaces; one internal and one external. This configuration allows for a better security posture, as the external network interface can have a more restrictive firewall profile than the internal interface. A server with two network interfaces requires special attention to the network configuration. Only the external network interface is configured with a default gateway. Without a default gateway on the internal network interface, static routes will have to be configured on the server to allow communication to any remote internal subnets. For more information about configuring a multi-homed Windows server, click here.
The server does not have to be joined to a domain, but it is recommended to streamline the authentication process for VPN clients and to provide better management and security for the server.
Preparing the ServerOnce the server is provisioned and joined to the domain, installing the VPN role is simple and straightforward. To install the VPN role, enter the following command in an elevated PowerShell command window.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install the VPN role using the Install-WindowsFeature PowerShell command.
Configure Remote AccessOpen the Routing and Remote Access management console. Right-click the VPN server and choose Configure and Enable Routing and Remote Access.
Configure and enable Routing and Remote Access.
Click Next, choose the Remote access (dial-up or VPN) option, and click Next.
Choose Remote access (dial-up or VPN).
Choose VPN and click Next.
Select the network interface that is Internet-facing. In addition, select the option to Enable security on the selected interface by setting up static packet filters and click Next.
Select the Internet-facing network interface.
Note:When configuring the server, it is helpful to rename the network interfaces using intuitive names such as Internal and External, as shown above.
IP addresses can be assigned to clients manually or via DHCP. For ease of management, it is recommended to use DHCP. Select the option to assign IP addresses automatically and click Next.
Choose automatic IP address assignment for remote clients.
Note:If the VPN server is to be deployed in a load-balanced cluster, IP addresses must be assigned to clients manually.
The VPN server can authenticate users itself, or forward authentication requests to an internal RADIUS server. For the scope of this article, native Windows authentication using RRAS will be configured. Choose No, use Routing and Remote Access to authenticate connection requests and click Next.
Use Routing and Remote Access to authenticate connection requests.
Review the configuration and click Finish.
The RRAS configuration wizard will indicate that the DHCP relay agent must be configured for remote access clients. Click OK to continue.
“To support the relaying of DHCP messages from remote access clients, you must configure the properties of the DHCP Relay Agent with the IP address of your DHCP server.”
DHCP Relay Agent configuration reminder.
Configure DHCP Relay AgentTo enable the internal DHCP server to provide IP address assignment for remote access clients, expand IPv4 and then right-click DHCP Relay Agent and choose Properties.
Configure DHCP relay agent.
Enter the IP address of the DHCP server and click Add. Repeat this process for any additional DHCP servers and click OK.
Configure DHCP relay agent.
Network Policy Server (NPS) ConfigurationThe VPN server is configured to allow remote access only to users whose domain account dial-in properties are set to allow access, by default. A better and more effective way to grant remote access is by using an
Active Directory (AD) security group. To configure remote access permissions for an AD group, right-click Remote Access Logging and choose Launch NPS.
Right-click Network Policies and choose New. Provide a descriptive name for the policy, select Type of network access server, and then choose Remote Access Server (VPN-Dial up) from the drop-down list and click Next.
Create a new network policy.
Click Add, select Windows Groups, and click Add.
Select Windows Groups.
Click Add Groups, specify the name of the AD security group that includes users to be authorized for remote access VPN, then click OK and Next.
Specify AD security group for remote access.
Choose Access Granted and click Next.
Specify access permission.
Uncheck the option to use Microsoft Encrypted Authentication (MS-CHAP). Click Add and select Microsoft: Secure password (EAP-MSCHAP v2). Click OK and Next three times and then click Finish.
Configure authentication methods.
Client Connectivity TestingThe VPN server is now configured to accept incoming remote access client connections, but only in a limited fashion. Only the PPTP VPN protocol will function without additional configuration. Unfortunately, PPTP suffers from some serious security vulnerabilities in its default configuration, and it should not be used as configured in a production environment. However, it is quick and effective to validate the network communication path and that authentication is working using it.
To test client connectivity on a Windows 10 client, click on the network icon in the system notification area, click Network Settings, click VPN, and then click Add a VPN Connection. Choose Windows (built-in) for the VPN provider, provide a descriptive name for the connection, enter the name or IP address of the VPN server, and then click Save.
Add a VPN connection.
Click on the test VPN connection and then click Connect.
Establish a VPN connection.
Enter domain credentials when prompted and click OK. If everything is working correctly, the connection should be established successfully.
VPN connection successful.