Cart

    Sorry, we could not find any results for your search querry.

    Installing a VPN-Server on Windows Server 2019

    A Virtual Private Network (VPN) connection is a private network that connects multiple devices remotely through the Internet. Traffic over the VPN network is sent encrypted. With a VPN connection, you add an extra layer of security to your (company) network. For a more detailed explanation of VPN networks, see our in-depth blog post "What is a VPN connection?".

    In this tutorial, we show you how to install a VPN server in Windows Server 2019 and make a VPN connection from another computer, for example, your computer at home.

    The steps in this tutorial require an SSL certificate via IIS on your VPN server.


    Installing a VPN server

     

    Step 1

    Connect to your Windows Server via Remote Desktop or the VPS console.


     

    Step 2

    Open the 'Server Manager' via the Windows Start button > Server Manager.

    windows search server manager


     

    Step 3

    Click on 'Add roles and features' in the dashboard of the Server Manager.

    windows server add role


     

    Step 4

    You will now see the 'Before You Begin' page. You can select not to see this page again when you add roles & features in the future. Click on 'Next' after you have read the points under 'before you continue'.

    windows server before you begin


     

    Step 5

    Under 'Installation Type' you can choose between 'Role-based or feature-based' and 'Remote Desktop Services installation'. Choose 'Role-based or feature-based' and continue to the next step.

    windows server add role based installation


     

    Step 6

    Select the desired VPS on which you want to perform the installation. If you use an Active Directory and it contains several VPSs, these are listed in this overview. If you do not use Active Directory, you will see the VPS on which you go through this tutorial.

    windows server - server selection


     

    Step 7

    On the next page, you can select a 'Server Role'. Select 'Remote Access' (including responsible for VPN) and click on 'Next'. You do not have to adjust any other options already checked.

    windows add role remote access


     

    Step 8

    You do not have to select or adjust features. Click immediately on 'Next' to continue.

    windows add role select features


     

    Step 9

    You will see a description of the Remote Access role. Click on 'Next' to continue.

    windows add role remote access description


     

    Step 10

    Then select the 'role services' of the Remote Access role you want to use. Click here on 'DirectAccess and VPN (RAS)'.

    windows add role remote access role services

    You should probably see a pop-up with an overview of role services and features that need to be added to use the DirectAccess and VPN (RAS). Click on 'Add Features' to have it added automatically.

    windows add role add directaccess features

    After this, you return to the 'Role Services' screen and the option 'DirectAccess and VPN (RAS)' is checked. Also, check the 'Routing' option and click 'Next' to proceed to the next step.

    windows add role remote access role services


     

    Step 11

    Before the installation starts, you will see a confirmation of the options you selected in the previous steps.

    Check 'Restart the destination server automatically if required': it is always important (if an installation requires it) to restart your server to ensure the proper functioning of the role/feature.

    Finally, click on 'Install'. The installation itself takes a few minutes, so feel free to grab a cup of coffee before proceeding to the next step.

    windows add remote access role confirmation


     

    Step 12

    Do not close the confirmation screen after installation, but click on 'Open the Getting Started Wizard'. It may take a minute to open. If not, click in the Server Manager on 'Tools'> 'Remote Access Management'.

    windows add remote access results


     

    Step 13

    You are greeted by the screen below. Before proceeding with the wizard, it is useful to first open the necessary ports in your firewall; otherwise, you will get an error after going through this wizard.

    rras wizard start basic

    Do not close the wizard and click the Windows Start button, type 'firewall' and click 'Windows Defender Firewall with Advanced Security' in the search results.

    windows search firewall


     

    Step 14

    Click on 'Inbound rules' and scroll down to the 'Secure Socket Tunneling Protocol (SSTP-in)'. This rule is probably already on. If not, right-click on the line and select 'Enable rule'.

    There are several protocols you can use for a VPN server. For this tutorial, we choose the best of all worlds: a combination of security (256-bit encryption), stability and speed. The SSTP protocol using the HTTPS port 443 is the best fit, see this page for more information.

    windows firewall sstp rule


     

    Step 15

    Then close Windows Defender Firewall with Advanced Security and return to the 'Remote Access Server Setup Wizard' and click 'Next'.

    rras wizard start


     

    Step 16

    Click on 'Deploy VPN only'.

    configure rras vpn only


     

    Step 17

    The 'Routing and Remote Access Management Console' now opens. Right-click on the name of your VPS and click on 'Configure and Enable Routing and Remote Access'.

    configure rras


     

    Step 18

    Click on 'Custom configuration'> 'Next' in the Configuration screen. This gives you the option to specifically configure a VPN server instead of installing services that you don't need.

    rras custom configuration


     

    Step 19

    Select 'VPN Access' and 'NAT' and click 'Next'.

    rras vpn access


     

    Step 20

    That brings you to the end of the configuration wizard. Click on 'Finish' to complete the configuration.

    rras wizard finish

    Finally, you will be given the option to start your VPN server. Click here on 'Start service'.

    rras start service


     

    Step 21

    You are now back in the 'Routing and Remote Access Management Console', see step 17. Right-click on your VPN server and then 'Properties'.

    rras properties


     

    Step 22

    Check both 'IPv4 Router' and 'IPv6 Router' with both the option 'LAN and demand-dial routing' and the options 'IPv4 Remote access server' and 'IPv6 Remote access server'.

    rras server properties general

    Then, click on the 'IPv4' tab and select 'Static address pool' > 'Add'.

    rras ipv4 range


     

    Step 23

    Enter the IP range for your VPN network, for example from 10.10.0.0 to 10.10.255.255 and click 'OK' (a smaller range is of course also possible, such as 10.10.10.0 to 10.10.10.255).

    rras specify ipv4 range


     

    Step 24

    You will now return to the screen from the previous step. Now click on the 'IPv6' tab and enter an IPv6 prefix assignment, for example, fe80: 7c8: 7c8: f866::

    rras server properties ipv6

    Then click 'Apply' and 'OK' to apply the changes.

    You will probably now receive a message that RRAS (Routing and Remote Access) must restart. Allow this and after restarting proceed to the next step.


     

    Step 25

    Expand 'IPv4' and select 'NAT'. Then right-click on an empty spot on the right side of the screen and select 'New Interface ...'

    rras nat new interface


     

    Step 26

    Select 'Ethernet' as the interface for the routing protocol and click 'OK'.

    rras nat select interface


     

    Step 27

    Double click on 'Ethernet' and check 'Enable NAT on this interface'.

    rras nat properties


     

    Step 28

    Click on the 'Services and Ports' tab and check the options below one by one. When you click on them, a pop-up will appear with information about the service. Adjust the 'Private Address' value to 127.0.0.1 for:

    • IP Security (IKE)
    • IP Security (IKE NAT traversal)
    • Remote Desktop
    • Secure Web Server (HTTPS)
    • VPN Gateway (L2TP / IPsec - running on this server)
    • VPN Gateway (PPTP)
    • Web Server (HTTP)

    rras nat properties services and ports

    Do you use a custom port for Remote Desktop? Click on 'Add' and add a TCP line for the correct port and also use 127.0.0.1 as a Private address.

    Finally, click on 'Apply' and 'OK'.


     

    Step 29

    You should now be prompted to restart RRAS. If not, right-click on your VPN server > 'all tasks' > 'restart' in the 'Routing and Remote Access console' to process the changes.

    rras restart vpn

    Your VPN server is now ready to accept VPN connections. Great! but what next? In the following sections, we explain how to authorize users, connect to your VPN server and what you can use it for.


    Authorize users to connect to your VPN server
     

    Step 1

    Before a user can connect to your VPN server, that user must be authorized for Remote Access.

    Not using Active Directory? Then click on the Windows start button, search for 'computer' and click on 'Computer Management' in the results.

    Do you use an Active Directory? Then click on the Windows start button, search for 'group' and click on 'Group Policy Management' in the results.

    windows start computer management


     

    Step 2

    You are free to create a new user for your VPN connection or use an existing one. Click on 'Local Users and Groups' > 'Users'.

    • Existing user: Click on the name of the user
       
    • New user: Right-click on an empty piece and then 'New User'. Enter the name of the new user, optionally disable 'User must change password at next logon', and enter a password.
      computer management new user

    After creating the new user, close the 'New User' screen and double click on the name of the account.


     

    Step 3

    Click on the 'Dial-in' tab, under 'Network Access Permission' check the option 'Allow access' and finally click 'Apply' and 'OK' to confirm your changes.

    windows user properties dialin

    That's it! You can now connect to your VPN server. We explain how this works in the next section.


    Connect to your VPN network

    • This tutorial assumes a Windows computer/laptop. For MacOS, you can use this guide from Apple. To connect to your VPN server, enter the IP address of your VPS and as VPN type 'SSTP'.
       
    • You go through the steps once per computer. You only need the last step to connect to your VPN server from now on.

    Step 1

    Now that your VPN server is ready and your user is authorized, it's time to connect to your VPN server. First, you need to add the VPN connection to your (client) computer/laptop once.

    Click the Windows Start button and the Settings icon.

    windows start settings


     

    Step 2

    Then click on 'Network & Internet'.

    windows settings network and internet


     

    Step 3

    Click on 'VPN' on the left and then on 'Add a VPN connection'.

    windows settings vpn


     

    Step 4

    Enter the details on the 'Add a VPN connection' screen that appears. Mind the following:

    • Select 'Windows (built-in)' as the VPN provider
    • As 'Server name or address', use the IPv4 address of your server, or a domain name that refers to your VPS.
    • Choose as VPN type: 'Secure Socket Tunneling Protocol (SSTP)'.

    windows settings add vpn


     

    Step 5

    All your internet traffic is standard over the VPN and uses the default gateway of the VPN server. This means that if you navigate on a client computer in a browser, you are using the connection of your VPS.

    We assume in this tutorial that for your regular internet traffic you would like to use your own connection. You can achieve this by setting your own connection as the default gateway for your VPN as follows:

    Click on the Windows Start button, type 'Internet Options' and click on the top result.

    windows start search internet options


     

    Step 6

    Go to the 'Connections' tab, select your VPN connection and click 'Settings'.

    internet properties - connections settings


     

    Step 7

    In the window that appears, click on 'Properties'.

    internet properties and settings - properties


     

    Step 8

    Go to the 'Networking' tab and select 'Internet Protocol Version 4 (TCP / IPv4)' followed by 'Properties'.

    vpn properties - networking properties


     

    Step 9

    Click on 'Advanced'.

    vpn ipv4 properties - advanced


     

    Step 10

    Uncheck 'Use default gateway on remote network' and click 'OK'.

    vpn ipv4 advanced tcp settings

    You will now return to the window from step 9. Click on 'OK' there as well and repeat steps 8 to 10, but then for 'Internet Protocol Version 6 (TCP / IPv6)'.

    Then click 'OK' at each screen where you return until you return to the 'Internet Properties' screen from step 6 and click 'Apply' and 'OK' there.


     

    Step 11

    Finally, click on the network icon at the bottom right of your screen and click on the name of your VPN connection, followed by 'Connect'. From now on, this is the only step you need to go through to reconnect to your VPN server.

    windows connect to vpn


    Use Cases
     

    Now that your VPN connection is working, you may be wondering what you can do with it. A VPN connection is powerful in combination with a firewall. You can set a scope for a rule in most firewall software, for example in Windows Defender Firewall with Advanced Security, see for example our tutorial on changing the Remote Desktop port.

    By only allowing the range or specific addresses of your VPN connection as Remote IP address in the scope of your firewall rule, you limit access to the associated service to those IP addresses. Some examples of applications are:

    • Restrict access to the Remote Desktop port to the IP range of your VPN network (10.10.0.0/24 for example).
       
    • Restrict access to a website that you host on a server in your VPN network. This is useful, for example, for an internal administration system that can be reached via a web interface/website. You achieve this by limiting access to ports 80 and 443 on the server hosting your website to the IP range of your VPN network.
       
    • Restrict access to an SMB server by restricting access to port 445 on the SMB server to the IP range of your VPN network.

     

    That brings us to the end of this tutorial for setting up a VPN server in Windows Server 2019.

    If you have any questions regarding this article, please do not hesitate to contact our support department. You can reach them via the button 'Contact us' at the bottom of this page.

    Need help?

    Receive personal support from our supporters

    Contact us