Set up L2TP/IPSec VPN on Windows Server 2019



A VPN (Virtual Private Network) securely tunnels data from a local computer to a remote server. You can picture a VPN as a private network distributed across the internet or another public network. Using a VPN, different devices can securely talk to each other as if they were connected over a private network.

Various VPN tunneling protocols are available. In this tutorial, we will configure a fresh VPS running Windows Server 2019 as an L2TP over IPSec VPN. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol, but on its own it does not provide strong encryption. This is where IPSec comes in: it provides very strong encryption for the data exchanged between the remote server and the client machine.

We will use Routing and Remote Access Service (RRAS), which provides an easy-to-use interface for configuring networking features such as VPN, NAT, dial-up access server, LAN routing, etc.


  • Cloud VPS or Dedicated Server with Windows Server 2019 installed.
  • You must be logged in via Remote Desktop Protocol as an administrative user.

Step 1: Update System

Search for Windows PowerShell and open it in administrative mode by right-clicking and selecting Open as Administrator.

Install the Windows Update module for PowerShell by running the command.

Install-Module PSWindowsUpdate

You may be prompted for confirmation; press Y and Enter each time.
Now get the list of latest updates by running.

Finally, install the updates by running the command.

Once updates are installed, restart the computer by running the command.


Step 2: Install Remote Access Role

Open PowerShell again in administrative mode and run the following commands to install the Remote Access feature with DirectAccess and VPN (RAS) and Routing, along with the management tools.

Install-WindowsFeature RemoteAccess
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools

Step 3: Configure Routing and Remote Access

Open Server Manager and navigate to Tools >> Remote Access Management.

On the left pane, right-click on your local server and click Configure and Enable Routing and Remote Access.

In the Configure and Enable Routing and Remote Access Wizard, select the Custom Configuration radio button, as we will manually configure the routing and access. Click the Next button.

Next, select the VPN Server and NAT checkboxes and click Next to see a summary of the selection.

Finally, on clicking the Finish button, you will see a prompt to start the Routing and Remote Access Services. Click on the Start Service button.

Step 4: Configure VPN Properties

Now that we have our VPN running, let’s go ahead and configure it. Under the Routing and Remote Access window, on the left pane, right-click on your local server and click Properties.

Navigate to the Security tab, select Allow custom IPSec policy for L2TP/IKEv2 connection, and enter a very long PSK (pre-shared key). You can use any tool to generate a random key.

Make sure to note down the PSK as we will need to share the PSK with every user who wants to connect to the VPN server.
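One way to generate the random key for this step, as an added example that is not part of the original tutorial. The function name New-VpnPreSharedKey, the 48-character default and the alphabet are illustrative choices; it uses the operating system's cryptographic random number generator rather than Get-Random.

```powershell
# Added example: generate a long random PSK for the L2TP/IPsec policy.
# New-VpnPreSharedKey is a hypothetical helper name, not a built-in cmdlet.
function New-VpnPreSharedKey {
    param(
        [ValidateRange(24, 128)]
        [int]$Length = 48
    )

    # Letters and digits only, without look-alike characters (I, O, l, 0, 1),
    # so the key survives being typed into phone and desktop VPN clients.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $key = New-Object System.Text.StringBuilder

    # Rejection sampling: bytes at or above $limit would make some characters
    # slightly more likely than others after the modulo, so they are discarded.
    $limit = 256 - (256 % $alphabet.Length)
    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$key.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }

    # Report the approximate strength alongside the key itself.
    [pscustomobject]@{
        PreSharedKey = $key.ToString()
        EntropyBits  = [math]::Floor($Length * [math]::Log($alphabet.Length, 2))
    }
}

New-VpnPreSharedKey -Length 48 | Format-List
```

Because the same PSK is shared with every VPN user, generate and redistribute a new one whenever a user's access is withdrawn.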

Now, go to the IPv4 tab and, under IPv4 address assignment, select Static address pool. Click the Add button and you will get a pop-up for entering IP address ranges. Enter the starting address and ending address of the IP address range you want assigned to users.

Click the OK button to save the address range and finally click OK to save the changes. You may get a warning saying you need to restart Routing and Remote Access for the changes to apply. You can safely click OK and ignore it for now, as we will restart the service after completing the next step.

Step 5: Configure NAT

On the same left pane of the Routing and Remote Access window, expand your local server and then expand IPv4. You will see the NAT object there. Right-click on NAT and then click on the New Interface option.

Select Ethernet and click OK to proceed further. On the NAT tab, select the Public interface connected to Internet radio button and also select the Enable NAT on this interface checkbox.

Now, go to the Services and Ports tab and select the VPN Server(L2TP/IPSec – running on this server) checkbox. It will open up a new interface for editing the service.

Change the private address from to and click OK to save.

Finally, click OK to save the NAT interface.

Step 6: Restart Routing and Remote Access

On the left pane of the Routing and Remote Access window, right-click on your local server and click on Restart under All Tasks.

This will restart the Routing and Remote Access services and all the changes we have made will be applied.

Step 7: Configure Windows Firewall

In the Start menu, search for Windows Defender Firewall and open it. Click on Advanced settings in Windows Defender Firewall.

Under Advanced settings, click on Inbound Rules on the left pane and then click on New Rule on the right-side pane.

Windows Server 2019 has predefined rules which we need to enable for the VPN to work. In the New Inbound Rule Wizard, click on the Predefined radio button and select Routing and Remote Access from the drop-down.

Under Predefined Rules, select the Routing and Remote Access(L2TP-In) checkbox and click Next.

Under Action, select the Allow the connection option and click Finish.

The firewall is now configured to allow inbound traffic on UDP port 1701.
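A way to confirm the result of this step from PowerShell, as an added example that is not part of the original tutorial. The function names are hypothetical, the rule lookup assumes English display names, and the port list adds UDP 500 and 4500 (IKE and IPsec NAT traversal) to the UDP 1701 named above, since an L2TP/IPSec client needs all three.

```powershell
# Added example: check the Step 7 firewall rule and the VPN's UDP listeners.
# Run in an elevated PowerShell on the VPN server.
function Get-L2tpFirewallState {
    # Inbound L2TP rules from the predefined group enabled in the wizard
    $rules = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like '*L2TP*' }

    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Action    = $rule.Action
            Profile   = $rule.Profile
            Protocol  = $filter.Protocol
            LocalPort = $filter.LocalPort
        }
    }
}

function Get-VpnUdpListenerState {
    # UDP 1701 = L2TP, UDP 500 = IKE, UDP 4500 = IPsec NAT traversal
    $expected  = 1701, 500, 4500
    $listening = Get-NetUDPEndpoint |
        Where-Object { $_.LocalPort -in $expected } |
        Select-Object -ExpandProperty LocalPort -Unique

    foreach ($port in $expected) {
        [pscustomobject]@{ UdpPort = $port; Listening = ($port -in $listening) }
    }
}

$fw = @(Get-L2tpFirewallState)
if (-not $fw) {
    Write-Warning 'No inbound L2TP rule found in the Routing and Remote Access group.'
}
$fw | Format-Table -AutoSize

# Flag a rule that exists but would not admit traffic
$fw | Where-Object { $_.Enabled -ne 'True' -or $_.Action -ne 'Allow' } |
    ForEach-Object { Write-Warning "Rule '$($_.Rule)' is not enabled with action Allow." }

Get-VpnUdpListenerState | Format-Table -AutoSize
```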

Step 8: Create VPN User

Search for Computer Management in the Start menu and, in the Computer Management window, expand Local Users and Groups.

Right-click on Users and click on New User under Local Users and Groups to create a new user.

On the New User prompt, provide a username, full name, and strong password. Uncheck the User must change the password on next login checkbox. Click Create to create the new user.

Once the user is created, return to the Computer Management interface and you will find the user you have just created in the list of users. Right-click on the user and click the Properties option.

In your VPN user's properties, navigate to the Dial-in tab. Now, select the Allow access option for the Network Access Permissions setting. Click OK to save the properties.

Our L2TP/IPSec VPN server is now ready and can accept connections.

Step 9: Connecting VPN Clients

You will need to share the PSK and the Windows username and password with the user who wishes to connect to the remote VPN server. You can also follow the tutorials on the Snel website to learn how to connect to the remote server.

Step 10: Monitoring VPN

Search for Remote Access Management Console in the Start menu and open the console. You should see the status of the VPN. If you have followed the tutorial correctly, you will see green checkmarks on all services. You can also view the details of connected clients in this console.


In this tutorial, we have successfully configured a fresh Windows Server 2019 server as an L2TP/IPSec VPN server. You can now use the VPN server to securely connect to the other connected devices. You can also use this VPN server as a proxy server to securely access the internet.


Reader Interactions


  1. Ray Tracy says

    I've tried following this, and have one issue: NAT does not show up in the IPv4 column as shown in Step 5. I tried it several times, and also tried just installing NAT on its own but it still isn't there. The server I'm working with is just set up as a workgroup server, and isn't a DC. Is that the reason?

    • Ahmet Bas says

      Did you select NAT during the "Routing and Remote Access Server Setup Wizard"? For a more detailed article you can check

  2. Ray Tracy says

    Yes, I did. Twice (tried it 2X.) I also tried running the wizard and just installing NAT. I'm presuming that's what's keeping me from using L2TP, which is a must considering how many services are blocking PPP these days. I'll see if the other link has anything to add and let you know. Thanks.

  3. Vip says

    Hi I am trying to setup the VPN on my server 2019 for remote access from my Android over l2tp IPsec. I followed this tutorial but cannot connect to the VPN from the Android device. Can you help?

  4. Vip says

    Update: when Android is connected to the home wireless network I can connect to the VPN. But from 4G it is unsuccessful. I have my router forwarding ports 1701, 500 and 4500 in UDP (e.g. external port 1701 to internal 1701, etc).

  5. Vip says

    OK so it's connecting but I have two issues:
    1) I now need to connect to the VPN even when I am on the same network as the server (server is connected to router via ethernet and phone connected to router via wifi).
    2) When connected to the VPN the download speed is a third of not connected. But when at work on their network I can connect to the VPN and connect via SMB to the server drive. This is amazingly slow to access any files… a 2.8Mb jpeg took 36 seconds to load.

    Any help on these issues please?

  6. Marcus says

    Thanks for that, but I am still running into connection problems and port 1701 says closed when I open it on both the firewall as well as the router, but for some reason it won't communicate with my server outside and my ISP says they do not block those ports.

  7. Miki says

    I've had the same problem, but I used the GUI to install the necessary features and forgot to install the Server Role\Remote Access\Routing. After I installed it, disabled the original configuration and repeated the steps from the Configuration wizard, NAT showed up.

  8. Nedeljko says

    Will this work with Windows Server configured with remote desktop services?
    We have a server configured to be used as a RDS, and one VM on it, to work as an Active Directory server (as Windows Server 2019 requires it), and we'd like to configure l2tp/ipsec, for some additional security in regards of server access…

  9. HamidReza says


    Thanks for your helpful articles.

    This setup is working just fine in Windows Server 2016.
    In 2016 (Control Panel\Network and Internet\Network and Sharing Center)
    the RAS (Dial In) Interface exists.

    But I did everything exactly the same in Windows Server 2019 and it is NOT WORKING at all!
    And the RAS (Dial In) Interface does NOT exist in Network and Sharing Center!

    Is there any solution?

    Thank you guys again.
