Introduction
In this article we will explain how to set up L2TP/IPSec VPN on Windows Server 2019.
A VPN or Virtual Private Network is used to securely tunnel the data from a local computer to a remote server. You can visualize VPN as a private network distributed across the internet or public network. Using VPN, different devices can securely talk to each other as if they are connected over a private network.
There are various VPN tunneling protocols are available. In this tutorial, we will configure a fresh VPS running Windows Server 2019 as an L2TP over IPSec VPN. L2TP or Layer 2 Tunneling Protocol is a tunneling protocol but it does not provide strong encryption. IPSec comes into picture here, which provides very strong encryption to data exchanged between the remote server and client machine.
We will leverage on Remote and Remote Access Services (RRAS) which provides easy to use interface to configure networking features such as VPN, NAT, Dial-Up Access server, Lan Routing, etc.
Prerequisites
- Cloud VPS, Pure performance VPS or Dedicated Serverwith Windows Server 2019 installed.
- You must be logged in via Remote Desktop Protocol as an administrative user.
Step 1: Update System
Search for Windows Powershell and open it in Administrative mode by right-clicking and selectingOpen as Administrator.
Install Windows update module for Powershell by running the command.
Install-Module PSWindowsUpdate
You may be prompted for confirmation, press Y and enter all the time.
Now get the list of latest updates by running.
Get-WindowsUpdate
Finally, install the updates by running the command.
Install-WindowsUpdate
Once updates are installed, restart the computer by running the command.
Restart-Computer
Step 2: Install Remote Access Role
Open Powershell again in administrative mode and run the following command to install the Remote Access feature with Direct Access and VPN (RAS) and Routing along with management tools.
Install-WindowsFeature RemoteAccessInstall-WindowsFeature DirectAccess-VPN -IncludeManagementToolsInstall-WindowsFeature Routing -IncludeManagementTools
Step 3: Configure Routing and Remote Access
Open Server Manager and navigate toTools >> Remote Access Management.
On the left pane, right-click on your local server and clickConfigure and Enable Routing and Remote Access.
InConfigure and Enable Routing and Remote Access Wizard, selectCustom Configurationradio button as we will manually configure the routing and access. ClickNextbutton.
Next, selectVPN ServerandNATcheckboxes and click next to see a summary of the selection.
Finally, on clickingFinishbutton, you will see a prompt to start the Routing and Remote Access Services. Click on theStart Servicebutton.
Step 4: Configure VPN Properties
Now that we have our VPN running, let’s go ahead and configure it. Under the Routing and Remote Access window, on the left pane, right-click on your local server and clickProperties.
Navigate to the security tab and click onAllow custom IPSec policy for L2TP/IKEv2 connection and put a very long PSK(Pre-shared key). You can use any tool to generate a random key.
Make sure to note down the PSK as we will need to share the PSK with every user who wants to connect to the VPN server.
Now, go toIPv4tab and under IPv4 address assignment select static address pool. ClickAddbutton and you will get a pop up to put IP address ranges. Put the starting address and ending address of the IP address range you want the users to assign to.
Click theOKbutton to save the address range and finally clickOKto save the changes. You may get a warning saying you need to restart the Routing and Remote Access for changes to apply, you can safely clickOKand ignore it for now as we will restart the service after completing next step.
Step 5: Configure NAT
On the same left pane of Routing and Remote Access window, expand your local server and then expandIPv4. You will see the NAT object there. Right-click on NAT and then click onNew Interfaceoption.
SelectEthernetand click OK to proceed further. On NAT tab, selectPublic interface connected to Internetradio button and also selectEnable NAT on this interfacecheckbox.
Now, go toServices and Portstab and selectVPN Server(L2TP/IPSec – running on this server)checkbox. It will open up a new interface for editing the service.
Change the private address from 0.0.0.0 to 127.0.0.1 and click OK to save.
Finally, Click OK to save the NAT interface.
Step 6: Restart Routing and Remote Access
On the left pane of Routing and Remote Access window, right-click on your local server and click onRestartunderAll Tasks.
This will restart the Routing and Remote Access services and all the changes we have made will be applied.
Step 7: Configure Windows Firewall
On the start menu, search for Windows defender firewall and open it. Click onAdvanced settingson windows defender firewall.
UnderAdvanced setting, click onInbound Ruleson the left pane and then click onNew Ruleon right side pane.
Windows Server 2019 has predefined rules which we need to enable for VPN to work. InNew Inbound Rule Wizardclick onPredefinedradio button and select theRouting and Remote Accessfrom the drop-down.
Under Predefined Rules selectRouting and Remote Access(L2TP-In)checkbox and clickNext.
UnderAction select, the optionAllow the connectionand clickFinish.
The firewall is now configured to allow inbound traffic on UDP port 1701.
Step 8: Create VPN User
Search forComputer Managementin the start menu and underComputer Managementwindow expandLocal users and group.
Right-click onUsersand click onNew UserunderLocal users and groupto create a new user.
OnNew Userprompt, provide a username, full name, and strong password. UncheckUser must change the password on next logincheckbox. ClickCreateto create a new user.
Once the user is created, return toComputer Managementinterface and you will find the user which you have just created in the list of users. Right-click on the user and clickPropertiesoption.
On your VPN users properties, navigate toDial-intab. Now, selectAllow accessoption forNetwork Access Permissionssetting. Click OK to save the properties.
Our L2TP/IPSec VPN server is now ready and can accept the connections.
Step 9: Connecting VPN Clients.
You will need to share the PSK and Windows username and password to the user who wishes to connect to the remote VPN server. You can also follow the tutorials on Snel website to learn how to connect to the remote server.
- How to connect L2TP/IPsec VPN on Mac OS X
- How to connect L2TP/IPsec VPN on Windows 10
Step 10: Monitoring VPN
Search forRemote Access Management Consolein the start menu and open the console. You should see the status of the VPN. If you have followed the tutorial correctly, you will see all green checkmark on all services. You can also view the details of connected clients on this console.
Conclusion
In this tutorial, we have successfully configured a fresh Windows Server 2019 server as an L2TP/IPSec VPN servers. You can now use the VPN server to securely connect to the other connected devices. You can also use this VPN server as a proxy server to securely access the internet. You have nowset up L2TP/IPSec VPN on Windows Server 2019.