How to Configure a PPTP VPN Server (RRAS) in Windows Server 2008 R2

1/ Preparation

We need to check the Network interface status. At the command prompt, type:

ncpa.cpl

As you can see, we do have a spare interface and currently it is disabled. In this exercise, we will use only one NIC; i.e., the active one for the LAN for the VPN connection as well.

At this point, the interface called LAN has the following IP address settings:

2/ Add the Network Policy and Access Services roles

In Server 2008 R2, the Routing and Remote Access Server is under the Network Policy and Access Services. So we need to add this role. Launch Server Manager and click Add Roles.

Click Skip this page by default and click Next.

Choose Network Policy and Access Services.

Click Next at the introduction screen.

Choose Routing and Remote Access Services and click Next.

Click Install.

Click Close when finish.

Click Start -> Administrative Tools -> Routing and Remote Access.

You will see this screen.

Right-click the server name and choose Configure and Enable Routing and Remote Access.

At the Welcome screen click Next.

Choose Custom Configuration and click Next.

Choose VPN access and click Next.

Click Finish.

Click Start service.

You will see that the status of the Server changes to Active (green icon with the up arrow).

Choose No to RADIUS server.

Click Finish when done.

After the configuration, the main Routing and Remote Access screen looks like this:

Now open Active Directory Users and Computers snap-in Console.

Select the user you want to give access to the VPN connection.

Right-click on the user and choose Properties. Click Dial-in tab. Choose Allow access. Click OK.

3/ Testing

Right now, since the firewall does not have a rule that forward port 1723 (PPTP) to the RRAS server, the VPN connection will not work. The firewall that I have is a Linux Shorewall. I am monitoring the live debug log while connecting to the RRAS server from remotely.

As you can see from the debug trace log, the Linux firewall says that the VPN traffic is being dropped due to the reason that port TCP/1723 is not processed properly.

Now on the network firewall, ensure that traffic destined to port TCP/1723 is forwarded to this VPN server:

vi /etc/shorewall/rules

DNAT net loc:192.168.0.4:1723 tcp 1723

Then restart shorewall: service shorewall restart

On a client computer outside of the network on the Internet, do the following to create a new connection.

Open Control Panel.

Click Setup a new connection or Network.

Choose Connect to a workplace and click Next.

Choose Create a new connection and click Next.

Choose Use my Internet Connection (VPN).

Enter the public IP address of the remote site (the site where the VPN RRAS server is located), input the connection name, and click Create.

Click Change adapter settings.

Double-click the newly created connection to connect.

Choose the VPN connection to connect, in this case, the “My Second VPN Connection” one that we just created and click Connect.

 

Enter credentials and click OK.

When connected, you will see the status changed to “Connected.”

Right-click on the connection and click Properties.

Click Networking tab, highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Click Advanced.

Ensure that the Use default gateway on remote network is turned off and click OK.

Try to ping a local computer on the remote network.

When the connection is established, there are two interesting things one can observe. The RRAS server shows the active connection:

And also, on the local client computer, a route is added.

At the command prompt, type

route print

to see the routing table.

When disconnected, the route will disappear.

In this lab, we have successfully created a PPTP VPN connection on Windows 2008 R2 with one single NIC card. We also performed port forwarding on a Linux Firewall to allow PPTP traffic to be forwarded to the RRAS box. Using SOHO routers such as Linksys and DLINK, it would be very easy to perform this port forwarding so I did not want to cover it in this article. We have also successfully connected to the VPN server and accessed the network on the remote end.