How To Set Up VPN Server on Windows Server 2016

This article will guide you through the steps to set up VPN Server on Windows Server 2016. 

VPN server leveraging IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2) with the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE). This tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). 

The scenario permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

Installing Certificates on VPN Server and VPN Client  

First you need to create certificate templates. Open up Certification Authority Console and from CA console, right click Certificate Templates > Manage > Right Click IPSec > Duplicate template

On Request Handling tab click Allow private key to be exported

Click Extension tab > Application Policies > Edit

Remove IP Security IKE intermediate > then click Add

and choose Server Authentication > OK


Click Key Usage > Edit

Make sure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

In the Security tab click Object Types > Computers > Add Domain Computers

Make sure Read, Enroll and Autoenroll is selected

In General tab provide a name to template

Now, right click Certification Template > New > Certificate Template to Issue

Choose newly created template, click OK

Enrolling Certificate on VPN Server

Now, on your VPN Server, open up Run  and type mmc > Add/remove snap-in

Click Certificates > Add > Computer Account

Right click Personal > All tasks > Request New Certificate

Check Certificate templates > Properties

Click Subject tab > Subject Name > Common name (from drop-down menu) choose FQDN for VPN Server > Click Add

In the Alternative Name, choose DNS, set FQDN for VPN Server, Click Add

New certificate should be created as shown in image below.

This certificate should be exported and then imported to client machine.

To export certificate, Right-click certificate > All tasks > Export

Export private key, Set password and specify file in which certificate should be saved. Copy file to client computer

To import file on client machine, certificate should be imported into Trusted Root Certification Authority on client.

Open up Run, type mmc > Add > Certificate snap-in-local computer

Right-click Trusted Root Certification Authorities > All task > import

Browse to copied file and enter password to import it.

Installing Roles

You need to add Network Policy Server and Remote Access roles on your VPN Server. Open up Server Manager > Add Roles and Features and select the following to install.

Open up Routing and Remote Access console, right-click on Server > Configure and Enable Routing and Remote Access

Select Remote access (dial-up or VPN)

Check VPN

Select internet facing interface accordingly

Define VPN address pool according to your environment

We’ll use NPS instead of RADIUS

Right click Remote Access Logging > Launch NPS

Click Network Access Policies

Right click Connections to Microsoft Routing and Remote Access Server > Properties

Check Grant access

Click Constraints > Select Microsoft:Secured password (EAP-MSCHAP v2)

If it’s not selected Add it

Enable user VPN access

In ADUS right click Dial-in > Allow access

Client Setting

Open in notepad Windows/System32/Drivers/etc/hosts file and add entry for VPN server (name must be equal to one specified in SSL certificate)

Creating VPN client connection

Use my internet connection (VPN)

I’ll set up an internet connection later

In Internet address type your VPN Server name

Specify username/password

In Security tab,for Type of VPN select IKEv2 > Data encryption > Require encryption > Authentication:Microsoft:Secured password (EAP-MSCHAP v2)

We can see that IKEv2 is used,client got address from our VPN pool (

Here you can see one client is connected to VPN Server with user Administrator.

We have successfully completed VPN Server deployment on Windows Server 2016. I hope this article will be helpful to deploy VPN Server in your environment.


  1. Natalia SantanderFebruary 12, 2017

    NPS far better than old RADIUS

  2. Joshua WortzFebruary 12, 2017

    What if i don't want to use DHCP pool for ip addresses instead using static?

  3. Alexander LayshaFebruary 12, 2017

    very detailed and helpful indeed

  4. Trevor SullivanFebruary 12, 2017

    I don't like Windows as VPN Server.

  5. Thomas MaurerFebruary 12, 2017

    Windows VPN is Easy and effortless solution rather buying a Juniper or Cisco device

  6. wow not easier then Juniper or Cisco

  7. I can’t exactly recall how I finally overcame this, but if I remember correctly, it had to do with the REmote Access Management Service not starting properly. I think that I had to change the account under which the service runs and make sure that the service was started before trying to re-install. It finally worked... andy michael


Powered by Blogger.