Connect to Windows Server 2016 Essentials VPN without DirectAccess
Windows Server Essentials is a great option for your home network. I use it mostly for DNS, DHCP, client backups, storage, and VPN but, really, you can do just about anything with it. The built-in connector for Windows clients makes accessing your home network from anywhere very easy, and Microsoft gives you a free domain *.remotewebaccess.com with dynamic DNS and automatic configuration on top of that. External clients connect to your home network via Microsoft DirectAccess. In case you haven’t heard of it, it’s basically a Windows-only proprietary VPN.
Before upgrading to Server 2016, I used a VPN extensively on my iPhone and iPad to access my home network. I chose to use L2TP with a pre-shared key to connect my iOS devices. Where I could simply use the GUI in Server 2012 R2, Server 2016 is less cooperative:
If you do not speak German fluently: the Routing and RAS app tells me that I can’t use the configuration GUI because the old mode is disabled. And I can’t enable it. That’s bad, but with Microsoft PowerShell there are cmdlets for everything! Just make sure the Windows PowerShell Remote Access Tools feature is installed (it comes automatically with the Essentials role).
User mazo22 at HomeServerShow nicely explained the command to set the PreShared key:
Set-VpnAuthProtocol -SharedSecret "YourSecretValueHere" -TunnelAuthProtocolsAdvertised PreSharedKey
The pre-shared key does not persist across reboots for security reasons. For reasons of convenience, there is the Windows Task Scheduler. Create a task, make it run at system startup, have it call C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe as the program, and provide the path to SetPreSharedKey.ps1 as an argument.
But, for real: here’s a complete sample script that shows you how to keep the secret secure, even in a script. Do not store the pre-shared key as plain text in the script!
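One way to write such a SetPreSharedKey.ps1, as an added example that is not the author's script: the key is entered once, stored DPAPI-encrypted on disk, and decrypted only at the moment Set-VpnAuthProtocol is called. The -Store switch, the file locations, and the requirement that the scheduled task runs under the same account that stored the key are assumptions of this example.

```powershell
# SetPreSharedKey.ps1 - added example; paths and the -Store switch are assumptions.
# One-time setup, run as the SAME account the startup task runs under:
#     powershell.exe -File C:\Scripts\SetPreSharedKey.ps1 -Store
# The startup task then calls the script without -Store to re-apply the key.
[CmdletBinding()]
param(
    [switch]$Store,
    [string]$SecretFile = 'C:\ProgramData\VpnPsk\psk.dat'   # hypothetical location
)
$ErrorActionPreference = 'Stop'

if ($Store) {
    # Prompt without echo, so the key never lands in the script or its history.
    $secure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
    $dir = Split-Path -Parent $SecretFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Without -Key, ConvertFrom-SecureString protects the value with DPAPI:
    # only this user on this machine can decrypt the resulting blob.
    $secure | ConvertFrom-SecureString | Set-Content -Path $SecretFile -Encoding ASCII
    # Drop inherited ACEs and leave access to the current account only.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    icacls $SecretFile /inheritance:r /grant:r "${me}:(R,W)" | Out-Null
    return
}

if (-not (Test-Path $SecretFile)) {
    throw "No stored secret at $SecretFile. Run the script once with -Store."
}
# Fails with a cryptographic error if a different account or machine created the file.
$secure = Get-Content -Path $SecretFile | ConvertTo-SecureString

# Set-VpnAuthProtocol takes the secret as a plain string, so decrypt it in
# memory only for the duration of the call and wipe the buffer afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Set-VpnAuthProtocol -SharedSecret $plain -TunnelAuthProtocolsAdvertised PreSharedKey
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}
```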
Connect your iPhone or iPad to your home server
Just set up a new VPN connection on your device, choose the type L2TP, and use your usual Active Directory username/password (without domain specifier). The shared secret is the one you just set up.