Introduction to Routing and Remote Access Service on Windows Server 2019

Routing and Remote Access Service (RRAS) is a built-in Windows Server 2019 feature that provides multi-protocol routing, remote access VPN, and site-to-site VPN connectivity. RRAS can function as a software router supporting RIP, OSPF (through third-party plugins), BGP, and static routes; as a dial-up or VPN remote access server supporting PPTP, L2TP, SSTP, and IKEv2; and as a NAT gateway for sharing internet access. RRAS integrates tightly with NPS for RADIUS-based authentication and with Active Directory for user management.

This guide covers installing RRAS, configuring it as a VPN server, setting up NAT, and configuring basic static routing on Windows Server 2019.

Installing RRAS

Install the Remote Access role with the Routing and DirectAccess-VPN sub-features:

Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools
Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

Alternatively, install everything in one command:

Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing, RSAT-RemoteAccess -IncludeAllSubFeature

After installation, open the Routing and Remote Access MMC (rrasmgmt.msc) or use PowerShell to configure the service.

Configuring RRAS as a VPN Server

Configure RRAS for VPN remote access using PowerShell. The following command enables VPN remote access on the server; the address range for VPN clients is set in the next step:

Install-RemoteAccess -VpnType VPN

After the command completes, configure the IP address assignment pool for VPN clients. Static pool ranges are added with the add range command:

netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.100.0.10 to=10.100.0.100

Configure DNS servers that VPN clients will use:

netsh ras ip set dns primarydns=192.168.1.10 secondarydns=192.168.1.11

Set the maximum number of simultaneous VPN connections:

netsh ras set maxports device="WAN Miniport (IKEv2)" maxports=100
netsh ras set maxports device="WAN Miniport (SSTP)" maxports=100

Enabling and Configuring NAT

To configure RRAS as a NAT gateway (for sharing internet access), use the Network Address Translation routing protocol in RRAS. First, enable routing:

# Open HKLM and set EnableRouter=1 under the RemoteAccess service parameters
$router = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Default)
$key = $router.OpenSubKey("SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters", $true)
$key.SetValue("EnableRouter", 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

Configure NAT via netsh, specifying the public (internet-facing) interface and the private interface:

netsh routing ip nat add interface "Ethernet 0 (Public)" full
netsh routing ip nat add interface "Ethernet 1 (Private)" private

Enable IP forwarding if not already enabled (RRAS usually does this automatically):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter" -Value 1

Add static NAT port mappings (port forwarding) for services behind NAT:

netsh routing ip nat add portmapping "Ethernet 0 (Public)" tcp 0.0.0.0 443 10.0.0.10 443

Configuring Static Routes

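Add static routes so the RRAS server can forward traffic between subnets. Add a static route for the 192.168.100.0/24 network via gateway 192.168.1.1. The netsh form takes the next hop as nhop and requires the name of the interface that reaches it; "Ethernet 1 (Private)" is assumed here:

netsh routing ip add persistentroute dest=192.168.100.0 mask=255.255.255.0 name="Ethernet 1 (Private)" nhop=192.168.1.1 metric=1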

Using the route command directly (non-persistent):

route add 192.168.100.0 mask 255.255.255.0 192.168.1.1 metric 1

For persistent routes that survive reboots:

route -p add 192.168.100.0 mask 255.255.255.0 192.168.1.1 metric 1

View the current routing table:

route print

Configuring RIP v2 Routing

Enable RIP v2 for dynamic route exchange between routers:

netsh routing ip rip add interface "Ethernet 1 (Private)" autosummary=enabled
netsh routing ip rip set interface "Ethernet 1 (Private)" updatemode=periodic acceptdefaultroutes=enabled announcedefaultroutes=enabled

Monitoring and Troubleshooting RRAS

View the RRAS service status:

Get-Service -Name RemoteAccess

View active remote access connections:

Get-RemoteAccessConnectionStatistics

Check RRAS event logs:

Get-WinEvent -LogName "System" | Where-Object {$_.ProviderName -eq "RemoteAccess"} | Select TimeCreated, LevelDisplayName, Message | Select-Object -First 20

View all configured VPN ports and their status:

netsh ras show ports

Enable RRAS tracing for detailed troubleshooting:

netsh ras set tracing * enabled
# (Traces are written to C:\Windows\Tracing)
netsh ras set tracing * disabled
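
Post-configuration check (an added example, not part of the original guide or of Microsoft's tooling): the read-only script below verifies the service state, the IPEnableRouter value, the static route, and recent RemoteAccess events after the steps above. The function name Test-RrasBaseline is hypothetical, and the default route values are the ones used on this page.

```powershell
# Added example: read-only verification of the settings applied in this guide.
function Test-RrasBaseline {
    [CmdletBinding()]
    param(
        # Defaults are the static route used on this page; change them for your network.
        [string]$Destination = '192.168.100.0',
        [string]$Mask        = '255.255.255.0',
        [string]$NextHop     = '192.168.1.1'
    )
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    # Convert the dotted mask to a prefix length (255.255.255.0 -> 24) for Get-NetRoute.
    $ones   = ([ipaddress]$Mask).GetAddressBytes() | ForEach-Object { [convert]::ToString($_, 2) }
    $prefix = '{0}/{1}' -f $Destination, (($ones -join '') -replace '0', '').Length

    # 1. The RemoteAccess service must be running.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

    # 2. IPEnableRouter must be 1 (the value set in the NAT section).
    $fwd = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter

    # 3. The static route must be in the active routing table with the expected next hop.
    $active = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
        Where-Object NextHop -eq $NextHop

    # 4. A route added with "route -p" is recorded as a value name under PersistentRoutes.
    $key = Get-Item -Path "$tcpip\PersistentRoutes" -ErrorAction SilentlyContinue
    $persistent = if ($key) { $key.GetValueNames() -like "$Destination,$Mask,$NextHop,*" }

    # 5. RemoteAccess errors (2) and warnings (3) in the System log over the last 24 hours.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'RemoteAccess'; Level = 2, 3
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue

    # Emit one result object per check so the output can be filtered or exported.
    $report = [ordered]@{
        'RemoteAccess service running'           = ($svc.Status -eq 'Running')
        'IPEnableRouter = 1'                     = ($fwd -eq 1)
        "Active route $prefix via $NextHop"      = (@($active).Count -gt 0)
        'Route recorded by route -p'             = (@($persistent).Count -gt 0)
        'No RemoteAccess errors/warnings (24 h)' = (@($events).Count -eq 0)
    }
    foreach ($name in $report.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $report[$name] }
    }
}

Test-RrasBaseline | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the RRAS server; it changes nothing, so it can be repeated after every configuration change.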

RRAS on Windows Server 2019 is a versatile, cost-effective solution for organisations needing routing, NAT, and remote access VPN capabilities without investing in dedicated hardware appliances.