Windows Server Setup

User Setup

First we need to set up a user that can use the VPN once it is running. To do this:

  1. Open the Server Manager.
  2. Go to Tools->Active Directory Users and Computers.
  3. Right click on the user and select Properties.
  4. Select the Dial-In tab and select “Allow access”.

Add Roles and Features

Now we need to enable the server to run a VPN.

  1. Open the Server Manager.
  2. Click on Manage->Add Roles and Features.
  3. Click Next.
  4. Select “Role-based or feature-based installation” and click on Next.
  5. Select “Select your server from the server pool” and click on Next.
  6. Select “Remote Access” and click on Next.
  7. Click Next.
  8. Click Next.
  9. Select “DirectAccess and VPN (RAS)” and Routing. When you select them a pop-up is shown; click on “Add Features”.
  10. Keep clicking Next until you get to the final screen where you need to click Install.

Configuring Remote Access and Routing

  1. Open Server Manager->Tools->Routing and Remote Access.
  2. Right click on your server name and click on “Configure Routing and Remote Access”.
  3. The “Routing and Remote Access Server Setup Wizard” will now open. Click Next.
  4. Select Custom configuration and click on Next.
  5. Select “VPN access” and NAT and click on Next.
  6. Click Finish.
  7. Click “Start Service”.
  8. Right click on your server and click on Properties.
  9. Navigate to the Security tab. Set “Accounting Provider” to “Windows Accounting” and check “Allow custom IPsec policy for L2TP/IKEv2 connection”. Enter a 32+ digit key.
  10. Navigate to IPv4 and select “Static address pool”. The address range you enter here is the range of internal addresses that will be allocated to VPN clients.
  11. Click OK.
  12. Click OK.

Configure NAT

  1. Navigate to Routing and Remote Access->VPN (server name)->IPv4->NAT, right click on NAT and click on “New Interface…”.
  2. In the new screen that opens, select the NIC that connects to the internet. Click OK.
  3. Select “Public interface connected to the Internet” and select “Enable NAT on this Interface”.
  4. Open the Services and Ports tab and select “VPN Gateway (L2TP/IPsec – running on this server)” from the list.
  5. Change the Private address from 0.0.0.0 to 127.0.0.1 and click on OK.
  6. Click OK.
  7. Right click on your server and navigate to “All Tasks” and click Restart.

Windows Firewall

  1. Open Control Panel->System and Security->Windows Firewall->Advanced Settings.
  2. Go to “Inbound Rules”.
  3. Create a new rule by clicking on “New Rule…” in the right menu.
  4. Select “Predefined: Routing and Remote Access” and click Next.
  5. Select Routing and Remote Access (L2TP-In) and click on Next.
  6. Click Finish.
  7. The new rule should now be visible at the top of the “Inbound Rules”.
  8. Reboot the server.
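
A post-setup check for the steps above, added here as an example and not part of the original guide: it lists the accounts that have dial-in access, confirms the role services, the service and the firewall rule, and defines a helper that generates a random key for the Security tab. The function name New-PresharedKey and the 40 hex character key format are assumptions, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added verification sketch: run elevated on the VPN server after the steps above.

# Random key for the Security tab (assumption: 20 random bytes as 40 hex characters).
function New-PresharedKey {
    param([ValidateRange(16, 128)][int]$Bytes = 20)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    -join ($buffer | ForEach-Object { $_.ToString('x2') })
}

# User Setup: accounts whose Dial-In tab is "Allow access" (AD attribute msNPAllowDialin).
$dialIn = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' |
    Select-Object SamAccountName, Enabled

# Add Roles and Features: "DirectAccess and VPN (RAS)" and Routing role services.
$features = Get-WindowsFeature -Name DirectAccess-VPN, Routing

# Configuring Remote Access and Routing: the RemoteAccess service should be running.
$service = Get-Service -Name RemoteAccess

# Windows Firewall: the predefined L2TP-In rule should exist and be enabled.
$rule = Get-NetFirewallRule -DisplayName 'Routing and Remote Access (L2TP-In)' `
    -ErrorAction SilentlyContinue

# Collect every step that does not match the procedure.
$problems = @()
foreach ($f in $features) {
    if (-not $f.Installed) { $problems += "Feature not installed: $($f.Name)" }
}
if ($service.Status -ne 'Running') {
    $problems += "RemoteAccess service is $($service.Status)"
}
if (-not $rule -or $rule.Enabled -ne 'True') {
    $problems += 'Firewall rule "Routing and Remote Access (L2TP-In)" is missing or disabled'
}

Write-Output 'Accounts with dial-in access (review that each one is intended):'
$dialIn | Format-Table -AutoSize | Out-String | Write-Output

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Role services, service and firewall rule match the setup steps.'
}
```

Call New-PresharedKey separately when filling in the key on the Security tab; the script does not print one on its own.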
