Setup and Configure VPN and NAT on a Private Server

by Georg Dangl in Windows Server, Monday, October 17, 2016

Lately, I've been on a business trip for a few days. While the trip itself was fine, I was annoyed about not being able to access my Amazon Prime Video content from the hotel due to geo-IP issues, namely me being in the wrong country for my account. Since I happen to have a low-cost virtual server that I'm using for a lot of stuff already, I've decided to set up a VPN on it as well. You'll find a lot of information on setting that up on "real" servers, with dedicated network cards for both internal and external connections, but the process in this post will work just fine in a single NIC setup.

In Windows Server 2012 R2 or 2016 it's a quite simple process: configuring your own VPN with NAT (Network Address Translation, or just "Routing") is possible with built-in components alone.

Install the Routing and VPN Roles

In the Server Manager, go to Add Roles and Features and select Remote Access.

Windows Server 2012 - Install Remote Access Role

On the Role Services tab, make sure to check both DirectAccess & VPN (RAS) as well as Routing.

Windows Server - Add DirectAccess and Routing Services

After the installation is complete, you can open your Routing & RAS (RRAS) management console via your installed programs.

Windows Server - Routing & RAS (RRAS) Management Console Icon

Right-click on your server node, select Configure Routing and RAS, then select Custom Configuration.

Windows Server - Configure Routing and RAS Setup Wizard

On the next screen, select both VPN (for connecting to the server) and NAT (so your VPN traffic gets routed to the internet). Click on next, approve your selection and wait until the service has started.
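The same role installation and VPN enablement as a script, as an added example that is not part of the original post. The feature names are the ones Install-WindowsFeature uses for the two role services above, and Install-RemoteAccess (from the RemoteAccess module) is the cmdlet equivalent of the wizard's VPN selection. The 10.99.0.x address pool is a constructed placeholder, and passing the pool through -IPAddressRange here is my assumption; if your build rejects it, set the pool in the IPv4 tab as the post describes below. NAT is left out because the post enables it in the console and the RRAS role offers no cmdlet for it that I can vouch for.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# Windows Server 2012 R2 / 2016. The 10.99.0.x pool is a constructed placeholder.

# Same roles the wizard installs: Remote Access with "DirectAccess and VPN (RAS)"
# and "Routing", plus the RRAS management console (-IncludeManagementTools).
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Equivalent of Custom Configuration -> VPN: enable RRAS as a remote-access VPN server.
# -IPAddressRange (assumed to be accepted here; otherwise use the IPv4 tab) hands
# clients addresses from a private range, as the post recommends.
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn -IPAddressRange '10.99.0.1', '10.99.0.254' -PassThru

# Check the result: the service should be running and the VPN role reported as installed.
Get-Service -Name RemoteAccess | Select-Object Status, StartType
Get-RemoteAccess | Select-Object VpnStatus
```

If Install-RemoteAccess reports that the role is already configured (for example because you ran the wizard first), the remaining settings can still be changed with the cmdlets in the RemoteAccess module or in the RRAS console.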

Configure VPN Access

There isn't a lot left to do, since the defaults are mostly correct for this use case, but you'll want to configure some additional security settings and the assignment of local IPs to your connected devices.

Right-click again on your server node and select Properties, then go to the Security tab, activate Allow user defined IPsec policy for L2TP/IKEv2 connections and enter a random, hard-to-guess key (just like your WiFi key or any password, really). You'll need that Pre-Shared Key (PSK) when you manually configure clients, such as Windows machines or iOS devices.

Windows Server VPN - Configure IPsec Pre Shared Key

Now, switch to the IPv4 tab and tell it to use a static address pool for client connections. Ideally, you'd specify a range from the private address space, like 192.168.x.x or 10.x.x.x.

Windows Server VPN - Static IP Address Pool Configuration

After clicking OK, you'll have to select the server node again and navigate to All Tasks -> Restart in its context menu to restart the service.

The next step is to either create a new user or modify an existing one. All you have to do is open the user's properties (which is in Computer Management -> Local Users and Groups if you're not in an Active Directory domain), switch to the Dial-in tab and make sure to allow dial-in network access.

Windows Server - Configure User to Allow Dial In Access
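The security settings and the user step above, done from PowerShell, as an added example that is not part of the original post. It goes a little beyond the post: besides granting dial-in access and restarting the service, it restricts which user-authentication protocols the server accepts and sets an explicit IPsec proposal, both via cmdlets of the RemoteAccess module. The PSK itself is still entered in the Security tab as the post describes; 'vpnuser' is a placeholder account name, and the cipher choices are suggestions, not values from the post.

```powershell
# Added example, not from the original post. Run elevated on the VPN server.
# 'vpnuser' is a placeholder account name.

# Only accept MS-CHAPv2 and EAP for user authentication. PAP carries the password
# in clear text inside the tunnel and CHAP is weak; neither belongs on an
# internet-facing VPN, even though the PSK already protects the L2TP tunnel.
Set-VpnAuthProtocol -UserAuthProtocolAccepted MSChapv2, EAP -PassThru

# Explicit IPsec proposal for the IKEv2/L2TP tunnels instead of the defaults
# (suggested values; pick ones every client you intend to use supports).
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -PassThru

# Dial-in permission for a local account (the Dial-in tab for non-domain servers).
# For a domain account use instead: Set-ADUser vpnuser -Replace @{ msNPAllowDialin = $true }
netsh ras set user name=vpnuser dialin=permit
netsh ras show user name=vpnuser

# Same as All Tasks -> Restart in the console, then show the accepted protocols.
Restart-Service -Name RemoteAccess -Force
Get-VpnAuthProtocol
```

Keep in mind that the PSK is shared by every client and only authenticates the tunnel; the account password (with the protocols allowed above) is what authenticates the user, so both need to be strong.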

Configure NAT

NAT stands for Network Address Translation and is interesting because it lets a single public IP address serve multiple clients on the inside. It's essentially what a regular router does for you at home. In a VPN setup, you not only want to connect to the internal network (which is quite boring, being on a single virtual server somewhere on the web, actually…) but to use the server as your gateway to the internet. This has two big advantages:

  • Your public IP will be your server's IP. You'll finally be able to access your Amazon Prime Video from wherever you are!
  • Traffic between you and the VPN server is encrypted. This is huge, since it means that even non-secure web traffic is encrypted until it leaves your server, so nobody on a public WiFi is able to snoop on your data.

To set it up, expand the IPv4 node below your server, right-click on NAT and select New Device. Just select your public network interface and enable NAT on it:

Windows Server - Enable NAT on Network Interface

Congratulations, you've just set up your private VPN!

Tip: If you're experiencing trouble, check that your public network card does have some DNS servers configured. For me, my hosting company is using DHCP to assign my server's IP address and DNS servers, but I noticed that they're not being passed on to connected clients. Just manually add some DNS servers (8.8.8.8 and 8.8.4.4, Google's public DNS servers, are good candidates) and you should be good to go.
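A post-setup check for the NAT step and the DNS tip, as an added example that is not part of the original post: it confirms that the public interface forwards packets, applies the static DNS servers from the tip, lists the firewall rules the role created for the VPN ports, and shows who is currently connected, which is the quickest way to notice a session you did not expect. 'Ethernet' is a placeholder interface alias; the cmdlets are standard NetTCPIP, DnsClient, NetSecurity and RemoteAccess ones.

```powershell
# Added example, not from the original post. Run elevated on the VPN server.
# 'Ethernet' is a placeholder for the alias of your public interface.
$public = 'Ethernet'

# With NAT enabled in the RRAS console, the public interface must forward packets
# between the VPN address pool and the internet.
Get-NetIPInterface -InterfaceAlias $public -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding, ConnectionState

# The post's tip: DHCP-assigned DNS servers are not handed to VPN clients,
# so set them statically on the public interface (values from the post).
Set-DnsClientServerAddress -InterfaceAlias $public -ServerAddresses '8.8.8.8', '8.8.4.4'
Get-DnsClientServerAddress -InterfaceAlias $public -AddressFamily IPv4

# L2TP/IPsec needs UDP 500, 4500 and 1701; IKEv2 needs UDP 500 and 4500.
# The role installation creates these rules; confirm they are enabled rather
# than adding broader rules of your own.
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Select-Object DisplayName, Enabled, Direction, Action

# Active VPN sessions: user, tunnel address and the client's real public address.
Get-RemoteAccessConnectionStatistics |
    Select-Object Username, ClientIPAddress, ClientExternalAddress, ConnectionStartTime
```

Run the last command from time to time, or feed it into a scheduled task that writes to a log: a VPN that is reachable from the whole internet and protected by one shared PSK plus account passwords is worth watching for logins you did not make yourself.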
