How-To: Windows 2003 VPN Server
Using Windows 2003 Server as a VPN server is one of the better (read: overkill) remote access solutions for a SOHO network. This how-to will show how to create a simple yet effective VPN solution with certain limitations. Mainly, it assumes the Windows 2003 server has only one network card and sites behind a router/firewall. Make sure you have administrator privileges before continuing.
- Open Routing and Remote Access by going to
Control Panel -> Administrative Tools -> Routing and Remote Access.
- Right-click on the server name.
- In the context menu, select Configure and Enable Routing and Remote Access. Click Next on the wizard.
- On the Configuration page, select Custom Configuration. (Note: This particular option is chosen because we are using a single network card.)
- On the next screen, pick VPN Access then click Next. Then hit Finish to close out the wizard.
- A dialog box will appear asking if you want to start the service. Click Yes.
At this point there are a few more items left to configure. In this example, my configuration uses a custom firmware Linksys WRT54G router to handle DHCP, firewall and connection sharing. Regardless of DHCP being available, I’ve assigned a static IP range to VPN clients.
- In Routing and Remote Access, right-click the server name as before.
- In the context menu, select Properties.
- Click the IP tab.
- Select the radio-button next to Static address pool.
- Click the Add button.
- In the New Address Range window, enter the appropriate start and end IP addresses. The addresses should follow the convention of the rest of your network.
- Click Okay and Apply until returning to the Routing and Remote Access window and close that as well.
User accounts must be given VPN access via user properties.
- Open Active Directory Users and Computers and click the Users folder.
- Double-click on a user name to be given VPN access in the right hand window.
- Click the Dial-in tab.
- Select the radio-button next to Allow access in the Remote Access Permission (Dial-in or VPN) section. (Note: If you have multiple users, then it might be easier to create a new user group with VPN access. Then the add user profiles to the group as necessary.)
- Close out the window. Repeat as necessary for any other users.
Since my test server sits behind a router/firewall, the next step involves forwarding ports on the router/firewall to the local IP address of the VPN server. My Linksys WRT54G router requires PPTP Passthrough being enabled. Port listing:
- PPTP: 1723.
- IPSec: 500, 50-51.
Realize that once the ports are opened to the VPN server, the local network is open to the possibility of malicious attacks. Make sure users comply with a good password policy and monitor access logs. I highly doubt home users will be running out to purchase a copy of Window Server 2003 any time soon but if, like me, you happen to be tinkering with a free 120-day trial version then it is prudent to be vigilant.
Configuring an XP client is straight forward. The only caveat is knowing the IP address of the server. If you are on a static IP, then there is no problem. If you happen to be on a dynamic IP address (i.e. an IP that changes regularly), then a service like DynDNS will give you a resolvable host name.
These are the steps to configure the XP machine for VPN access:
- Go to
Start -> Settings -> Network Connections.
- Open the New Connection Wizard.
- Pick Connect to the network at my workplace then click Next.
- Pick Virtual Private Network connection then click Next.
- In the text box, provide a connection name then click Next.
- Since I have broadband available from wherever I need to access my network, I have no need to dial an internet provider. If this is the case in your set up, then pick Do not dial the initial connection.
- On the next screen enter the host name or IP address of the VPN server then click Next. Then pick Finish.
To connect to your VPN server, double-click on the connection icon just created on the client machine.
Troubleshooting: Some routers do not function properly in a VPN over NAT environment. Consult this list of affected routers.