Routing and Remote Access Port Forwarding
What is VPN?
A Virtual Private Network (VPN) is a way of using a secure network tunnel to carry all traffic between different locations on the internet – for example between your local office workstations and servers in your ElasticHosts account, or from your office workstations to your ElasticHosts cloud servers and then out into the internet from there.
In this tutorial, we’ll set up a VPN server using Microsoft Windows’ built-in Routing and Remote Access Service.
To do this, we’ll be using the Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec, commonly referred to as an ‘L2TP/IPsec’ (pronounced “L2TP over IPsec”) VPN. For more information, see the L2TP/IPsec standard (RFC 3193).
Step 1: Initial setup
If you are looking to use the VPN to connect to several servers within ElasticHosts, make sure that the others are connected to the VPN server by a VLAN as described in our tutorial on VLANs.
If you don’t intend to connect to other machines within your ElasticHosts account (for example, if you want to use the VPN for increased privacy while browsing), you won’t need the second server – but you will still need to add a second network card and configure it with a private IP as described at the link above. Windows will not allow you to install the Routing and Remote Access Service unless the server has this second network interface. By default, Windows Firewall will allow IPsec traffic with no modification. However, if you are using a more restrictive set of rules, or the built-in ElasticHosts firewall, you may need to allow UDP traffic to ports 500 (IKE) and 4500 (IPsec NAT traversal). For the purposes of this tutorial, we will give our VPN server an address of 10.0.5.1 on the VLAN, and connect a second server over the VLAN at 10.0.5.2.
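The two prerequisites above (a second network interface, and firewall openings for IKE and NAT traversal) can be checked and applied from an elevated PowerShell prompt. This is an added example, not part of the ElasticHosts tutorial; it assumes Windows Server 2012 or later (for the NetAdapter and NetSecurity cmdlets), and the rule names are our own. It also goes one step beyond the page by allowing ESP (IP protocol 50), which clients that are not behind NAT send directly instead of inside UDP 4500.

```powershell
# Added example, not from the tutorial. Assumes Windows Server 2012+ and an elevated prompt.

# Precondition from Step 1: RRAS will not install unless the server has two network interfaces.
$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($adapters.Count -lt 2) {
    throw "RRAS needs two network interfaces; only $($adapters.Count) adapter(s) are up."
}

# IKE (UDP 500) and IPsec NAT traversal (UDP 4500), as listed in Step 1.
New-NetFirewallRule -DisplayName 'L2TP/IPsec IKE'   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName 'L2TP/IPsec NAT-T' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow

# Beyond the page: clients with a public address negotiate ESP (IP protocol 50) directly,
# not encapsulated in UDP 4500, so allow it as well.
New-NetFirewallRule -DisplayName 'L2TP/IPsec ESP' -Direction Inbound -Protocol 50 -Action Allow

# Verify that the rules exist and are enabled before moving on to Step 2.
Get-NetFirewallRule -DisplayName 'L2TP/IPsec*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

If you use the ElasticHosts firewall in front of the server, the same UDP 500/4500 (and ESP) openings are needed there too; this script only configures Windows Firewall.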
Step 2: Install the Routing and Remote Access Service
First, we make our Windows server into a router by installing the Routing and Remote Access Services (RRAS) role.
- Click Start, click Administrative Tools, and then click Server Manager.
- In the Server Manager navigation tree, click Roles, and then under Roles Summary, click Add Roles.
The Add Roles Wizard will appear.
- On the Before You Begin page, click Next.
- On the Select Server Roles page, select Network Policy and Access Services, and then click Next.
- On the Network Policy and Access Services page, click Next.
- On the Select Role Services page, select Routing and Remote Access Services, and then click Next. This automatically selects all services for the RRAS role.
- On the Confirm Installation Selections page, click Install.
- On the Installation Results page, click Close.
Step 3: Enable the Routing and Remote Access Service
Having installed the service, we must now start it and enable the components we want to use.
- If this server is a member of an Active Directory domain, then add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member. You can use Active Directory Users and Computers or the netsh ras add registeredserver command. If this server is using local authentication or is not part of a domain, skip this step.
- Open the Routing and Remote Access MMC snap-in. In Server Manager, expand Roles, expand Network Policy and Access Services, and then click Routing and Remote Access.
- In the navigation tree, right-click Routing and Remote Access, and then click Configure and Enable Routing and Remote Access.
- On the Welcome page, click Next.
- On the Configuration page, select the option that contains the RRAS components you need, and then click Next. For the purposes of this tutorial, we will build a simple VPN server for remote clients, so we will select the first option, titled Remote access (dial-up or VPN).
- On the Remote Access page, select VPN and Dial-up check boxes as required, and then click Next. Here, we choose VPN.
- On the VPN Connection page, select the network interface that is connected to the public network, and then click Next.
A checkbox on this page will ask whether you want to enable static packet filters: these are simple, stateless packet filters which will block everything except VPN traffic. How you configure these will depend on your security stance and whether this server will fulfil any other roles. Be careful! If you are working on this server over RDP, enabling these filters without making any changes will cause you to lose your RDP connection. If that happens, you can still use VNC to connect to the server.
For more information on static packet filters, see: Microsoft’s advice on configuring static packet filters and the “Do’s and Don’ts” of static packet filters.
Should you choose to enable these filters, you can allow services through as described at the first link above – for example, to enable RDP simply add an inbound filter allowing TCP traffic to port 3389, and an outbound filter allowing TCP traffic from port 3389.