A virtual private network (VPN) extends a private network across a public network so that you will be able to access your data remotely through the public network securely. You can also use a VPN to secure your internet activity by using the VPN server as a proxy server.
This article will show you how you can set up an L2TP/IPsec VPN on a Windows Server 2016 Standard with step by step screenshots. This VPN can be used to get access to your business network.
We will configure the VPN with the built-in Routing and Remote Access (RRAS) feature which Microsoft provides in Windows Server 2016. This feature can be enabled in the Add Roles and Features wizard.
- Server with Windows Server 2016 Standard installed. If you do not have a server you can order a server on Snel.com
- Access to your Windows Server with administrator or a user with administrator permissions
Step 1 – Log in using RDP
You must be logged in via RDP as an administrator or a user with administrator permission. Please see this article for instructions if you don’t know how to connect.
Step 2 – Update Windows
Open Windows Start menu and click
Update & Security
Check for updates to check if there are any updates for your server.
Download and install all updates if any are available.
Step 3 – Install Dependencies
Open Windows Start menu and click on
Manage -> Add Roles and Features
A new screen will be opened and click on
Role-based or feature-based installation and click on
Select a server from the server pool and click on
Remote Access and click on
DirectAccess and VPN (RAS) and
Routing. Once it’s selected a pop up will be shown and click on
Restart the destination server automatically if required
Once it’s selected a pop up will be shown and click on
Yes to allow the system to reboot if required.
The last step is to click on
Installation is finished.
Step 4 – Routing and Remote Access
Open Routing and Remote Access in
Server Manager -> Tools -> Routing and Remote Access.
A new screen will be opened. Right click on the server name and click on
Configure Routing and Remote Access.
A new screen will be opened to setup Routing Access Server and click on
Custom configuration and click on
VPN access and
NAT and click on
Complete the wizard by clicking on
After the wizard is completed, a pop-up will ask whether you want to start the Routing and Remote Access service. Click on
Step 5 – Configure Routing and Remote Access
Right click on the server name (VPN) and click on
Security tab and select
Allow custom IPsec policy for L2TP/IKEv2 connection. In our screenshot section
Preshared Key but you have to fill this with a strong password.
IPv4. In our setup we do not have a DHCP server, therefore, we have to select the option
Static address pool and click on
Add to enter your IP address range.
We used the following range:
- Start IP address: 10.10.10.1
- End IP address: 10.10.10.254
- Number of addresses: 254
OK to save the IPv4 range.
OK to apply the changes which we made in the properties of the Routing and Remote Access service. You should get a warning pop up with the information to restart the service click
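The Preshared Key field in Step 5 needs a strong value. The following PowerShell is an added example, not part of the original article: the function name `New-L2tpPreSharedKey`, the alphabet and the 32-character default length are assumptions chosen here. It draws the key from the operating system's cryptographic random number generator and places it on the clipboard so it can be pasted into the field.

```powershell
# Added example (not from the original article): generate a random value for
# the "Preshared Key" field in Step 5 from the OS cryptographic RNG.
function New-L2tpPreSharedKey {
    param(
        [ValidateRange(20, 128)]
        [int]$Length = 32          # assumed default, adjust to your policy
    )

    # Alphabet without look-alike characters (0/O, 1/l/I) so the key can be
    # typed by hand on client devices when it cannot be pasted.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'.ToCharArray()

    # Bytes at or above $limit are discarded; otherwise "byte % alphabet size"
    # would favour the first few characters (modulo bias).
    $limit = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

$psk  = New-L2tpPreSharedKey -Length 32
$bits = [math]::Floor($psk.Length * [math]::Log(57, 2))   # 57 = alphabet size

# Put the key on the clipboard instead of printing it, so it does not remain
# in the console scrollback or in a PowerShell transcript.
$psk | Set-Clipboard
Write-Host "Generated a $($psk.Length)-character key (about $bits bits); it is on the clipboard."
```

Store the key in a password manager, because every client connecting over L2TP/IPsec needs the same value.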
Step 6 – Configure NAT
Right click on NAT by navigating to
Routing and Remote Access -> VPN (server name) -> IPv4 -> NAT and click on
A new screen will be opened and select
Ethernet and click on
Public interface connected to the Internet and select
Enable NAT on this Interface
Services and Ports tab select
VPN Gateway (L2TP/IPsec - running on this server) from the list.
A new screen will be opened. Edit
Private address variable from
127.0.0.1 and click on
Step 7 – Restart Routing and Remote Access
Right click on server name (VPN) and navigate to
All Tasks and click on
Step 8 – Windows Firewall
Open Windows Start menu and click on
Open System and Security
Advanced settings in the left menu
A new screen will be opened and open
Create a new rule by clicking on
New Rule... in the right menu.
A new screen will be opened. Select
Predefined: Routing and Remote Access and click on
Routing and Remote Access (L2TP-In) and click on
Verify that the rule is created
Step 9 – Configure User(s)
Before user(s) can start using VPN we have to give them permission to connect.
Right click on the Windows icon and click on
Local Users and Groups from the left menu and click on
You should see a list of users of your server. Right click on the user you want to enable VPN and click on
A new screen will be opened with User Properties. In our example it’s Administrator. Open
Dial-In tab and select
OK and close Computer Management. User
Administrator now has permission to connect to the server via an L2TP/IPsec VPN connection.
Step 10 – Remote Access Management
Open Windows Start menu and click on
Tools -> Remote Access Management. A new screen will be opened with the Remote Access Dashboard. You can see in our overview that services are running without warnings.
More information regarding Remote Access Management can be found here.
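The same state can be checked from an elevated PowerShell session. This is an added example, not part of the original article: the function name `Test-L2tpVpnServer` is an assumption, and the script only reads settings from Steps 3, 4, 7 and 8 without changing anything.

```powershell
# Added example (not from the original article): read-only checks of what the
# earlier steps should have left behind. Run in an elevated session.
function Test-L2tpVpnServer {
    $results = @()

    # Step 3: both role services selected in the wizard should be installed.
    foreach ($name in 'DirectAccess-VPN', 'Routing') {
        $feature = Get-WindowsFeature -Name $name
        $results += [pscustomobject]@{
            Check = "Role service $name installed"
            Ok    = [bool]$feature.Installed
        }
    }

    # Steps 4 and 7: the Routing and Remote Access service (service name
    # RemoteAccess) should be running, and set to start automatically so it
    # comes back after the reboot in Step 11.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'RemoteAccess service running'
        Ok    = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
    $results += [pscustomobject]@{
        Check = 'RemoteAccess service starts automatically'
        Ok    = ($null -ne $svc -and $svc.StartType -eq 'Automatic')
    }

    # Step 8: the predefined rule must exist, be enabled, and allow inbound traffic.
    $rules = @(Get-NetFirewallRule -DisplayName 'Routing and Remote Access (L2TP-In)' -ErrorAction SilentlyContinue)
    $open  = @($rules | Where-Object {
        $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound'
    })
    $results += [pscustomobject]@{
        Check = 'Firewall rule L2TP-In enabled'
        Ok    = ($open.Count -gt 0)
    }

    $results
}

$report = Test-L2tpVpnServer
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more checks failed; revisit the step named in the Check column.'
}
```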
Step 11 – Reboot the server
Open Windows Start menu
Right click on the power icon and click on
Step 12 – Client Connection
Congratulations, you have now configured an L2TP/IPsec VPN on your Windows Server 2016 Standard. If you need further assistance or help with configuring your Windows Server 2016 Standard get in touch with our support.