How to set up a PPTP VPN on Windows Server 2016

Estimated reading time: 3 min


A virtual private network (VPN) extends a private network across a public network so that you will be able to access your data remotely through the public network securely. You can also use a VPN to secure your internet activity by using the VPN server as a proxy server.

This article will show you how you can set up a VPN on a windows server machine step-by-step. Follow these easy instructions to set up your own VPN server.

This article will cover the setup of a VPN server which is commonly used for small environments. We recommend using Direct Access for enterprise purposes.

This article is deprecated, please use this article to set up a VPN on Windows Server 2016


You will need a Windows Server machine to use this article. We will be using a Windows Server 2016 as an example.

Step 1 Routing and Remote Access

First, start with installing and setting up Routing and Remote Access. We will add the required features with the help of Server Manager. Open server manager and navigate to Manage>Add Roles and Features.

Server Manager

We want to add Remote access so proceed with checking ”Remote Access” in the Server Roles tab.

Server Roles

We will need the VPN role as well as Routing. We will be able to configure an internal NAT to assign internal IP addresses.  Check ”DirectAccess and VPN(RAS)” and “Routing” in the Role services tab.

Server Roles
Check and proceed to the installation by confirming on the next screen.


We can now start with the setup of Routing and Remote access. Go to Tools> Routing and Remote Access. And Right-click on your server name. This will open a menu where you can select ”Configure and Enabling Routing…..”

Routing and Remote Access

We will continue with Deploy VPN only this time to make this guide easy. Select “Deploy VPN only” in the new window

Deploy VPN only

It’s important to select “Custom Configuration” in the next screen

Custom Configuration

We have now the option to select the services which we need. Select “VPN access” and ”NAT” and proceed.

VPN access & NAT

Start the service and finish the setup. This can take a couple of minutes as the services are starting.

Start the service

Step 2: Windows Firewall

It is possible that you will need to manually configure the Firewall. Please proceed if that’s the case
Open Windows Firewall with Advanced Security  and go to  Inbound rules >  New Rule and select Predefined: Routing and Remote Access


Check the boxing according to the connection type you will use. We will check all three of the connection types in this case as we will have multiple clients which will need each of them. But you can limit it depending on your use to make it more secure.

Firewall Rules

Select ”Allow Connection” and Finish to complete the setup of the firewall.

Firewall Allow

Step 3: Configuring the IP range

We will now configure the IP range which the server will assign to the incoming VPN clients.

Open the Routing and Remote Access in Server Manager> Tools >Routing and Remote Access and right-click on your server name and go to Properties.

Routing and Remote Access

Go the IPv4 tab and select ”Static address pool” as the type of IPv4 address assignment.

Routing and Remote Access Properties

Add the range according to your needs. Each client will need his own IPv4 address. We will add a local range with 249 addresses.  And click OK and OK to close the configuration

IPv4 address range

Step 4: Enable NAT

Configure the NAT to give your VPN clients internet access from the VPN. This is important if you want your users to be able to connect to the web. Right-click on NAT and add New Interface

New Interface

Select your main external interface. This is the interface that is connected to the outbound network.


Check the following boxes to enable your clients to send and receive data using this interface.

Enable NAT

Go to the ”Service and Ports” Tab and select the following services. These services are required for a working NAT.

Services and Ports

Beware each time you select a service a windows will pop-up. Fill in the address field ”” and continue. This is the IPv4 address for your local network.
You want to configure this was as this will enable your clients to use your VPN as the gateway.


Step 5: Configure access

You will need to grant access for your local user(s) so that VPN users can use this account to authenticate.

Open your Computer management and go to Local Users and Groups. Right-click >”your user” and go to Properties.

Computer Management

Go to the tab Dial-in a select “Allow Access”

Allow Access

Step 6: Testing

You can check if the configuration works within the server and by testing it.
Open the Remote access Management console dashboard to see if all operation is up and running. You should see green icons next to the operations. Server Manager Tools &Remote access Management> Dashboard

Management Console

Connect to the VPN with your local machine. In this case, we will connect using a Windows 10 machine.
Go to Settings>Network &Internet> VPN > Add a VPN connection And fill in the form


Save it then select the connection and click connect and done. You can continue by adding a VPN connection to your client-side machine.


After following all these steps, your Windows Server should now be set up for VPN connections. As mentioned in the introduction, a VPN is appropriate for smaller network deployments. Now you should have everything you need for your VPN use!

Was this article helpful?
Dislike 3
Views: 62428

Reader Interactions


  1. Mik says

    Under Configure and Enable Routing and Remote Access, is there any specific reason why you selected "[x] Custom configuration" (and then checked "[x] VPN access" and "[x] NAT"), rather than "[x] Virtual private network (VPN) access and NAT" in the first place?


    • Ahmet Bas says

      The reason why we using "[x] Custom configuration" instead of "[x] Virtual private network (VPN) access and NAT" is that "[x] Virtual private network (VPN) access and NAT" requires to have two or more network interfaces. It does not allow you to select this option if you have one network interface. See the warning here

  2. Tom says

    This is a really great article. I successfully got it running on my first attempt, but ended up having to reformat the server and start over. The only difference is that I'm not using the machine as a Domain name controller. Could this have anything to do with why I can't connect from the outside?

      • Tom says

        Thanks for the reply. I've got a dual port modem with the server hooked to the wan port but can't seem to hit via the external IP or the DNS address (mapped through no-IP). I can connect successfully from inside the network, and I can also ping my public IP and DNS address. Any other suggestions? Thank you for taking the time to read this and reply!

        • Yavuz Aydin says

          Is your server behind NAT? You need to forward port 3389 from your modem to your server to have this working from the outside!

          Take a look at portforward dot com if you need help forwarding ports on your modem.

          [edit] I’m sorry, I must be thinking RDP. 3389 (tcp) is for RDP and won’t help with VPN.

          It’s advisable to run the VPN service on your router (if your router supports that). If your router doesn’t support that or you really want the VPN service on your Windows Server you may try the following:
          – Enable VPN passthrough on your router (if your router has that option)
          – Forward port 1723 tcp and Protocol 47 (GRE) for PPTP
          – Forward port 500 and 4500 udp and Protocol 50 (ESP) for L2TP

          Unfortunately not all of this is supported by every router.

          We haven’t tried this and since this is heavily dependent on your router it’s worth giving it a shot but I can’t assure it works.

          • Tom says

            You are a genius, thanks so much. I’m going to try that when I get home.

            Just another thing to let you know, this is one of the best guides I found for setting this up. There are tons of others, but they all missed the (super important) step of enabling the NAT for Internet sharing of connected clients. I pulled my hair out for hours before I found your guide. Thanks again!

          • Mo says

            Don't confuse protocols with ports.
            Most common routers don't allow enabling or disabling protocols (usually all protocols are allowed)
            Only reason I say this is that I've seen people forward port 47 and that is incorrect.

  3. Tun says

    Yavuz Aydin, I assumed you wrote the above post on Introduction: Step-by-step guide VPN setup on Windows server.

    Honestly, I had been browsing through google and most of them left out NAT setting. Your article really made my day, after struggling setting up for 3 weeks, now I am able to make it running. Thanks


  4. Billy Carvalho says


    Thanks for the great info. Much Appreciated.

    I got an issue. My client connect successfully to my remote server however I cannot access the internet. Am I missing something ?

    I can RDP into my server in the cloud when VPN is connected.

    Please assist

  5. Ziyad Jemal says

    i'm having issue to setup once i reached until Go to Tools> Routing and Remote Access. And Right click on my server name the server by itself missing i only see server status on stuck over there

  6. Robert Koernke says

    I have followed all of your steps. But my 'Remote Access Dashboard' does not show green. The 'active clients' information shows 'Unavailable'.

    The only step that I could think of adding, and I've looked. Is opening a port in the ISPs firewall, which I did. For port 1723. But that port does not show open, when doing a port-scan. Yes I've added the rules in the Windows in-bound as it is stated above.

    Anything else that I should be checking as to why it does not work?

  7. Naveen says

    Hey can anyone please advice is it secure or not because directly we are opening 1723 port on firewall to access RAS on server i am getting IPS and IDS alerts, even i checked event log of RAS hackers are trying to reach on server. Something like. How can we make it more secure ??

    ""CoId={NA}: The user vpn connected from but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.""

  8. Sathish says

    Hi, Thank you for the nice article it was very helpful, I was able to connect to pptp vpn but can't access the shared drives from server, any idea what went wrong?

Leave a Reply

Your email address will not be published. Required fields are marked *