Setup L2TP / IPSec VPN on Windows Server 2019
A VPN or Virtual Private Network is used to securely transfer data from a local computer to a remote server. You can visualize a VPN as a private network distributed over the Internet or the public network. With a VPN, different devices can talk to each other securely as if they were connected via a private network.
Several VPN tunneling protocols are available. In this tutorial, we will configure a new Windows Server 2019 VPS as an L2TP over IPSec VPN server. L2TP, or Layer 2 Tunneling Protocol, is a tunneling protocol, but it does not provide strong encryption. This is where IPSec comes in: it provides very strong encryption of the data exchanged between the remote server and the client machine.
We will make use of Routing and Remote Access Services (RRAS), which provides an easy-to-use interface to configure networking features such as VPN, NAT, dial-up access server, LAN routing, etc.
- Cloud VPS or a dedicated server with Windows Server 2019 installed.
- You must be logged on via Remote Desktop Protocol as an administrative user.
Step 1: Update the system
Search for Windows PowerShell and open it in administrative mode by right-clicking and selecting Run as administrator.
Install the Windows Update module for PowerShell by running the command.
Install-Module PSWindowsUpdate
You may be prompted for confirmation; press Y and Enter each time.
Now get a list of the latest updates by running.
Get-WindowsUpdate
Finally, install updates by running the command.
Install-WindowsUpdate
Once the updates are installed, restart your computer by running the command.
Restart-Computer
Step 2: Install the remote access role
Open PowerShell again in administrative mode and run the following commands to install Remote Access with DirectAccess and VPN (RAS) and Routing, along with the management tools.
Install-WindowsFeature RemoteAccess
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
Step 3: Configure Routing and Remote Access
Open Server Manager and go to Tools >> Remote Access Management.
In the left pane, right-click on the local server and click Configure and enable Routing and Remote Access.
In the Configure and Enable Routing and Remote Access wizard, select the Custom configuration radio button, as we will configure routing and access manually. Click the Next button.
Next, select the VPN server and NAT checkboxes and click Next to see a summary of the selection.
Finally, when you click the Finish button, you will see a prompt to start the Routing and Remote Access services. Click the Start service button.
Step 4: Configure VPN Properties
Now that we have the VPN up and running, let’s go ahead and configure it. Under the Routing and Remote Access window, in the left pane, right-click on the local server and click Properties.
Go to the Security tab, select the Allow custom IPSec policy for L2TP/IKEv2 connection checkbox, and enter a very long PSK (pre-shared key). You can use any tool to generate a random key.
Make sure to note the PSK as we will need to share the PSK with every user who wants to connect to the VPN server.
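One way to generate the key from PowerShell on the server itself, as an added example that is not part of the original tutorial. The function name New-VpnPreSharedKey, the 40-character default and the alphabet are choices made for this example.

```powershell
# Added example: generate a random L2TP/IPsec pre-shared key (PSK).
# New-VpnPreSharedKey is a helper name chosen for this example.
function New-VpnPreSharedKey {
    [CmdletBinding()]
    param([int]$Length = 40)   # default length is an assumption of this example

    if ($Length -lt 20) { throw 'Use at least 20 characters for a PSK.' }

    # Letters and digits only, without look-alikes (0/O, 1/l/I), so the key can
    # be typed into any client without quoting or transcription problems.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'.ToCharArray()

    # Largest multiple of the alphabet size that fits in one byte. Bytes at or
    # above it are discarded so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)

    # Cryptographic random source, not Get-Random.
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $key  = New-Object System.Text.StringBuilder
    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$key.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    }
    finally { $rng.Dispose() }

    $bits = [math]::Round($Length * [math]::Log($alphabet.Length, 2))
    Write-Verbose "Generated $Length characters, about $bits bits of entropy"
    $key.ToString()
}

# Paste the result into the pre-shared key field on the Security tab.
New-VpnPreSharedKey -Length 40 -Verbose
```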
Now, go to the IPv4 tab and, under IPv4 address assignment, select Static address pool. Click the Add button and a popup will appear for setting IP address ranges. Enter the starting address and the ending address of the range of IP addresses you want to assign to users.
Click the OK button to save the address range and then click OK to save the changes. You may get a warning that you need to restart Routing and Remote Access to apply the changes; you can safely click OK and ignore it for now, as we will restart the service after completing the next step.
Step 5: Configure NAT
In the same left pane of the Routing and Remote Access window, expand your local server and then expand IPv4. You will see a NAT object there. Right-click on NAT and click the New Interface option.
Choose Ethernet and click OK to proceed. On the NAT tab, select the Public interface connected to the Internet radio button and also select the Enable NAT on this interface checkbox.
Now, go to the Services and Ports tab and select the VPN server (L2TP/IPSec – running on this server) checkbox. It will open a new dialog for editing the service.
Change the private address from 0.0.0.0 to 127.0.0.1 and click OK to save.
Finally, click OK to save the NAT interface.
Step 6: Restart Routing and Remote Access
In the left pane of the Routing and Remote Access window, right-click on the local server and click Restart under All Tasks.
This will restart the Routing and Remote Access services and all the changes we made will be applied.
Step 7: Configure Windows Firewall
In the Start menu, search for and open Windows Defender Firewall. Click Advanced settings in the Windows Defender Firewall window.
Under Advanced settings, click Inbound Rules in the left pane and then click New Rule in the right pane.
Windows Server 2019 has predefined rules that we need to enable for the VPN to work. In the New Inbound Rule wizard, click the Predefined radio button and select Routing and Remote Access from the drop-down menu.
Under Predefined rules, select the Routing and Remote Access (L2TP-In) checkbox and click Next.
Under Action, select the Allow the connection option and click Finish.
The firewall is now configured to allow incoming traffic on UDP port 1701.
Step 8: Create a VPN User
Search for Computer Management in the Start menu and, in the Computer Management window, expand Local Users and Groups.
Right-click Users and click New User under Local Users and Groups to create a new user.
In the New User prompt, provide a username, full name, and a strong password. Uncheck the User must change password at next logon checkbox. Click Create to create the new user.
Once the user is created, go back to the Computer Management interface and you will find the user you just created in the list of users. Right-click on the user and click the Properties option.
In the properties of your VPN user, go to the Dial-in tab. Now, select the Allow access option under the Network Access Permission settings. Click OK to save the properties.
The L2TP / IPSec VPN server is now ready and can accept connections.
Step 9: Connect VPN Clients.
You will need to share your PSK and Windows username and password with the user who wishes to connect to the remote VPN server. You can also follow the tutorials on the Snel website to learn how to connect to the remote server.
Step 10: Monitor VPN
Search for Remote Access Management Console in the Start menu and open the console. You should see the status of the VPN. If you have followed the tutorial correctly, you will see green check marks on all services. You can also view the details of connected clients on this console.
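The service and firewall state can also be checked from an elevated PowerShell session. This is an added example, not part of the original tutorial; the function name Test-L2tpVpnServer is chosen here, and UDP 500 and 4500 are checked alongside the tutorial's UDP 1701 because the IPsec key exchange (IKE) and NAT traversal use them.

```powershell
# Added example: post-setup checks for the L2TP/IPsec server built above.
# Run elevated on the VPN server. Test-L2tpVpnServer is a name chosen here.
function Test-L2tpVpnServer {
    # UDP 1701 is the L2TP port opened in Step 7; 500 (IKE) and 4500 (IPsec
    # NAT traversal) are included because the IPsec negotiation uses them.
    $ports = '500', '1701', '4500'

    # RRAS runs as the "RemoteAccess" service; it should be Running after Step 6.
    $service = Get-Service -Name RemoteAccess

    # Collect the UDP port filters of all enabled inbound allow rules once.
    $rules   = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    $filters = $rules | Get-NetFirewallPortFilter |
               Where-Object { $_.Protocol -eq 'UDP' }

    foreach ($port in $ports) {
        # Rules whose local port list names this port explicitly
        # (rules scoped to "Any" port are not counted).
        $ids   = @($filters | Where-Object { $_.LocalPort -contains $port }).InstanceID
        $names = @($rules | Where-Object { $ids -contains $_.InstanceID }).DisplayName

        # Is anything on this host bound to the port?
        $listening = [bool](Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            UdpPort     = $port
            RrasService = $service.Status
            AllowRules  = $names -join '; '
            Listening   = $listening
        }
    }
}

Test-L2tpVpnServer | Format-Table -AutoSize
```

An empty AllowRules column for a port means no enabled inbound allow rule names that port, which is the first thing to check when clients cannot connect.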
In this tutorial, we have successfully configured a new Windows Server 2019 server as L2TP/IPSec VPN server. You can now use a VPN server to securely connect to other connected devices. You can also use this VPN server as a proxy server to securely access the internet.