How-To: Windows 2003 VPN Server

Using Windows 2003 Server as a VPN server is one of the better (read: overkill) remote access solutions for a SOHO network. This how-to will show how to create a simple yet effective VPN solution with certain limitations. Mainly, it assumes the Windows 2003 server has only one network card and sits behind a router/firewall. Make sure you have administrator privileges before continuing.

Main configuration:

  1. Open Routing and Remote Access by going to Control Panel -> Administrative Tools -> Routing and Remote Access.
  2. Right-click on the server name.
  3. In the context menu, select Configure and Enable Routing and Remote Access. Click Next on the wizard.
  4. On the Configuration page, select Custom Configuration. (Note: This particular option is chosen because we are using a single network card.)
  5. On the next screen, pick VPN Access then click Next. Then hit Finish to close out the wizard.
  6. A dialog box will appear asking if you want to start the service. Click Yes.

At this point there are a few more items left to configure. In this example, my configuration uses a custom-firmware Linksys WRT54G router to handle DHCP, firewall and connection sharing. Even though DHCP is available, I’ve assigned a static IP range to VPN clients.

  1. In Routing and Remote Access, right-click the server name as before.
  2. In the context menu, select Properties.
  3. Click the IP tab.
  4. Select the radio-button next to Static address pool.
  5. Click the Add button.
  6. In the New Address Range window, enter the appropriate start and end IP addresses. The addresses should follow the convention of the rest of your network.
  7. Click OK and Apply until you return to the Routing and Remote Access window, then close that as well.
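The dialog will accept any start and end address, so it is worth checking the range before typing it in. The following is an added example, not code from the original how-to: an offline check that the proposed pool sits inside the server's LAN, leaves the network and broadcast addresses alone, does not collide with the router's DHCP scope, and has room for clients once RRAS takes the first address of the pool for the server's own VPN interface. All network values are constructed for the demonstration.

```python
# Added example, not part of the original how-to: an offline sanity check for
# the start/end addresses typed into the "New Address Range" dialog.
# All network values used here are constructed for the demonstration.
import ipaddress


def check_static_pool(lan_cidr, pool_start, pool_end,
                      dhcp_start=None, dhcp_end=None, reserved=()):
    """Return a list of problems with a proposed VPN client address pool.

    lan_cidr             the LAN the VPN server's single NIC sits on
    pool_start/pool_end  first and last address of the static pool
    dhcp_start/dhcp_end  the router's DHCP scope, if it hands out addresses
    reserved             addresses that must stay free (router, server, ...)
    An empty list means the pool follows the convention of the LAN.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if end < start:
        return ["pool end is before pool start"]
    if start not in lan or end not in lan:
        problems.append(f"pool {start}-{end} is not inside LAN {lan}")
    if start == lan.network_address or end == lan.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    # RRAS assigns the first address of the pool to the server's own
    # VPN interface, so a pool needs at least two addresses to serve a client.
    size = int(end) - int(start) + 1
    if size < 2:
        problems.append("pool has only 1 address and the server takes the first")
    if dhcp_start and dhcp_end:
        ds = ipaddress.ip_address(dhcp_start)
        de = ipaddress.ip_address(dhcp_end)
        if start <= de and end >= ds:
            problems.append(f"pool overlaps DHCP scope {ds}-{de}")
    for r in reserved:
        ra = ipaddress.ip_address(r)
        if start <= ra <= end:
            problems.append(f"pool contains reserved address {ra}")
    return problems


if __name__ == "__main__":
    # A pool that runs into the DHCP scope: the kind of mistake that shows up
    # later as duplicate-address complaints on the LAN.
    for line in check_static_pool("192.168.1.0/24", "192.168.1.140", "192.168.1.160",
                                  dhcp_start="192.168.1.100", dhcp_end="192.168.1.150",
                                  reserved=("192.168.1.1",)):
        print("problem:", line)
```

Run it with the LAN, DHCP scope and router address from your own network; an empty result means the range is safe to enter in the dialog.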

User accounts must be given VPN access via user properties.

  1. Open Active Directory Users and Computers and click the Users folder.
  2. Double-click on a user name to be given VPN access in the right hand window.
  3. Click the Dial-in tab.
  4. Select the radio-button next to Allow access in the Remote Access Permission (Dial-in or VPN) section. (Note: If you have multiple users, then it might be easier to create a new user group with VPN access. Then add user profiles to the group as necessary.)
  5. Close out the window. Repeat as necessary for any other users.

Since my test server sits behind a router/firewall, the next step involves forwarding ports on the router/firewall to the local IP address of the VPN server. My Linksys WRT54G router requires PPTP Passthrough to be enabled. Port listing:

Realize that once the ports are opened to the VPN server, the local network is open to the possibility of malicious attacks. Make sure users comply with a good password policy and monitor access logs. I highly doubt home users will be running out to purchase a copy of Windows Server 2003 any time soon, but if, like me, you happen to be tinkering with a free 120-day trial version, then it is prudent to be vigilant.
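"Monitor access logs" is easier said than done by eye, because a password-guessing run looks like a few hundred ordinary failed logons. The following is an added example, not code from the original how-to: it reads a log, groups failures by user and source address, raises an alert when a source racks up a threshold of failures inside a short window, and separately lists the pairs that went on to log in successfully right after such a burst, since that is what a guessed password looks like. The log lines are constructed in a simplified "timestamp user source result" form for the demonstration; they are not the real RRAS/IAS log format, so the parser is the part you would adapt.

```python
# Added example, not part of the original how-to: spot repeated failed VPN
# logons in an access log. The log lines are CONSTRUCTED in a simplified
# "timestamp user source result" form for the demonstration; this is not the
# real RRAS/IAS log format, so adapt parse_lines() to whatever your server writes.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2008-01-26T20:51:03 alice 203.0.113.7 SUCCESS
2008-01-26T21:02:10 bob 198.51.100.9 FAIL
2008-01-26T21:02:14 bob 198.51.100.9 FAIL
2008-01-26T21:02:19 bob 198.51.100.9 FAIL
2008-01-26T21:02:25 bob 198.51.100.9 FAIL
2008-01-26T21:02:31 bob 198.51.100.9 FAIL
2008-01-26T21:02:40 bob 198.51.100.9 SUCCESS
2008-01-26T21:10:00 carol 203.0.113.7 FAIL
2008-01-26T21:11:00 carol 203.0.113.7 SUCCESS
2008-01-26T18:00:00 dave 192.0.2.44 FAIL
2008-01-26T18:30:00 dave 192.0.2.44 FAIL
2008-01-26T19:00:00 dave 192.0.2.44 FAIL
2008-01-26T19:30:00 dave 192.0.2.44 FAIL
2008-01-26T20:00:00 dave 192.0.2.44 FAIL
"""


def parse_lines(text):
    """Yield (timestamp, user, source_ip, result) tuples from the simplified log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        yield datetime.fromisoformat(ts), user, src, result


def failed_logon_bursts(text, threshold=5, window=timedelta(minutes=10)):
    """Map (user, source_ip) -> peak number of failures seen inside one window,
    for every pair that reached the threshold. Slow, spread-out failures
    (a user mistyping once an hour) stay below it."""
    fails = defaultdict(list)
    for ts, user, src, result in parse_lines(text):
        if result == "FAIL":
            fails[(user, src)].append(ts)
    alerts = {}
    for key, times in fails.items():
        times.sort()
        oldest = 0  # sliding window over the sorted failure times
        for i, t in enumerate(times):
            while t - times[oldest] > window:
                oldest += 1
            in_window = i - oldest + 1
            if in_window >= threshold:
                alerts[key] = max(alerts.get(key, 0), in_window)
    return alerts


def success_after_burst(text, threshold=5, window=timedelta(minutes=10)):
    """(user, source_ip) pairs that logged on successfully after a burst of
    failures: the pattern a guessed password leaves behind."""
    bursts = failed_logon_bursts(text, threshold, window)
    last_fail, successes = {}, defaultdict(list)
    for ts, user, src, result in parse_lines(text):
        key = (user, src)
        if result == "FAIL":
            last_fail[key] = max(last_fail.get(key, ts), ts)
        elif result == "SUCCESS":
            successes[key].append(ts)
    return sorted(k for k in bursts if any(t > last_fail[k] for t in successes[k]))


if __name__ == "__main__":
    for (user, src), n in failed_logon_bursts(SAMPLE_LOG).items():
        print(f"burst: {n} failures for {user} from {src}")
    for user, src in success_after_burst(SAMPLE_LOG):
        print(f"review: {user} from {src} succeeded right after a burst")
```

Five failures in ten minutes is a starting point, not a rule; tune the threshold and window to your own user count, and treat a success that follows a burst as a password reset, not a false alarm.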

Configuring an XP client is straightforward. The only caveat is knowing the IP address of the server. If you are on a static IP, then there is no problem. If you happen to be on a dynamic IP address (i.e. an IP that changes regularly), then a service like DynDNS will give you a resolvable host name.

These are the steps to configure the XP machine for VPN access:

  1. Go to Start -> Settings -> Network Connections.
  2. Open the New Connection Wizard.
  3. Pick Connect to the network at my workplace then click Next.
  4. Pick Virtual Private Network connection then click Next.
  5. In the text box, provide a connection name then click Next.
  6. Since I have broadband available from wherever I need to access my network, I have no need to dial an internet provider. If this is the case in your setup, then pick Do not dial the initial connection.
  7. On the next screen enter the host name or IP address of the VPN server then click Next. Then pick Finish.

To connect to your VPN server, double-click on the connection icon just created on the client machine.

Troubleshooting: Some routers do not function properly in a VPN over NAT environment. Consult this list of affected routers.

Comments

5 Responses to “How-To: Windows 2003 VPN Server”

  1. gssatya on January 26th, 2008 8:51 pm

    Hi Rana,

    Thank you very much for providing the detailed step by step instructions. I have gone through several postings but this one is very clear, simple and I did it. Thanks again.

    Regards,
    satya

  2. jorge on April 15th, 2008 1:41 am

    hi there

    this is the first “easy step by step” manual I have found, but it didn’t work for me.

    I’m getting an 800 error code. It looks like my home computer (local network 10.0.0.0/24) is not able to connect through VPN to my work (also 10.0.0.0/24…), although RDP is working perfectly.

    maybe this network configuration (same on both sides) is causing the problem?

    logs don’t seem to say anything, and I’m stuck

    if you can help me, or I make any progress, you’ll know

    thanks!

  3. Hisham on April 15th, 2008 1:53 am

    @jorge:

    10.0.0.0/24 is a private network address range. You need to find the public IP addresses on both sides and try again. If it still doesn’t work then try this page:

    http://www.chicagotech.net/VPN/vpncase800.htm
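The detail in the question above, the same 10.0.0.0/24 on both ends, is worth a closer look on its own: once the tunnel is up the client holds two routes to 10.0.0.x, its own LAN and the office LAN, and traffic for the far side never leaves the local network. The following is an added example by the editor, not code from the original post or from either commenter: it reports which of a client's local prefixes overlap the server-side LAN or the static VPN pool, and suggests a private /24 that is free of both so one side can be renumbered. All prefixes are constructed for the demonstration.

```python
# Added example, not part of the original post or the comments above: check
# whether a remote worker's home LAN collides with the office LAN or the VPN
# address pool, and pick a private /24 that is free of both. All prefixes are
# constructed for the demonstration.
import ipaddress

PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlapping_routes(client_lans, server_lan, pool_start, pool_end):
    """Return (client_lan, remote_network) pairs that overlap.

    With an overlap, the client cannot tell whether 10.0.0.x means a machine
    at home or one at the office, so traffic never reaches the far side.
    The static pool is given as a start/end range, as in the RRAS dialog,
    and summarised into prefixes for the comparison.
    """
    remote = [ipaddress.ip_network(server_lan, strict=False)]
    remote += list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)))
    conflicts = []
    for cidr in client_lans:
        local = ipaddress.ip_network(cidr, strict=False)
        for r in remote:
            if local.overlaps(r):
                conflicts.append((str(local), str(r)))
    return conflicts


def suggest_free_prefix(in_use, prefixlen=24):
    """First RFC 1918 prefix of the given length that overlaps nothing in in_use."""
    used = [ipaddress.ip_network(c, strict=False) for c in in_use]
    for block in PRIVATE_BLOCKS:
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None


if __name__ == "__main__":
    home = ["10.0.0.0/24"]                      # constructed: the worker's LAN
    office, pool = "10.0.0.0/24", ("10.0.0.200", "10.0.0.207")  # constructed
    for local, remote in overlapping_routes(home, office, *pool):
        print(f"{local} at home shadows {remote} at the office")
    print("renumber the home LAN to, e.g.,", suggest_free_prefix(home + [office]))
```

If the function reports a conflict, the fix is on the network side, not in the VPN settings: renumber one LAN (the home side is usually the easier one), then reconnect.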

  4. zillah on November 5th, 2009 5:27 am

    Thanks Hisham for this How-to article, it helped me to configure my network.

    ((User accounts must be given VPN access via user properties. ))
    I realized that even for administrator user name we have to enable VPN access.

    ((then pick Do not dial the initial connection.))
    You would not be able to see this if you have an ethernet connection to your LAN, but if you have a dialup connection then you would be able to see this option.

    ((IPSec: 500, 50-51.))
    I did not need to enable those ports on my FVS318 V3 Netgear router

  5. Jo on November 8th, 2009 3:13 pm

    Great tutorial!!! I find this an easy-to-read tutorial!

    Do you think it’s better to use Windows Default VPN (as per tutorial) or SSH connection?

    I normally use SSH connection through Ubuntu server and remotely access the XP client through SSH port forwarding (I know it’s totally harder than the above steps), but is VPN more secure than SSH connections?