How to Configure Windows Server 2016 Routing and Remote Access

The Routing and Remote Access Service (RRAS) in Windows Server 2016 provides software-based routing, VPN gateway, and dial-up remote access capabilities. RRAS can function as an IPv4 and IPv6 router connecting multiple network segments, a NAT gateway for internet sharing, a site-to-site VPN endpoint using IKEv2 or L2TP/IPsec, and a remote access VPN server supporting PPTP, L2TP, SSTP, and IKEv2 protocols. This guide covers configuring RRAS as a LAN router and remote access VPN server.

Prerequisites

For RRAS to route between networks, the server needs at least two network interfaces connected to different network segments. Ensure each adapter has a static IP address configured before starting the RRAS setup. Verify adapter configuration:

Get-NetAdapter | Select Name, Status, InterfaceDescription, MacAddress
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne "WellKnown" } | Select InterfaceAlias, IPAddress, PrefixLength, AddressState

Step 1: Install the Remote Access Role

Install the Remote Access role with the Routing and DirectAccess-VPN sub-features:

Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

Verify all required features are installed:

Get-WindowsFeature RemoteAccess, Routing, DirectAccess-VPN | Select Name, InstallState, DisplayName

Step 2: Configure RRAS as a LAN Router

To configure RRAS purely as a LAN-to-LAN router without VPN, run the Install-RemoteAccess cmdlet with the VpnType parameter set to RoutingOnly (VpnS2S is the site-to-site-only alternative):

Install-RemoteAccess -VpnType RoutingOnly

# Verify RRAS is running as a router
Get-RemoteAccess
netsh ras show type

Enable IP forwarding and configure static routes:

# Enable IP routing in registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter" -Value 1

# Add a static route
New-NetRoute -DestinationPrefix "192.168.2.0/24" -InterfaceAlias "Ethernet 2" -NextHop "192.168.1.1" -RouteMetric 1

# View routing table
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.RouteMetric -lt 256 } | Sort-Object DestinationPrefix | Format-Table

Step 3: Configure RRAS for Remote Access VPN

Configure RRAS to accept incoming VPN connections from remote clients:

Install-RemoteAccess -VpnType Vpn

# Verify the RRAS service is configured for VPN
netsh ras show activeservers
Get-Service RemoteAccess | Select Status, StartType

Configure the IP address assignment method for VPN clients:

# Use static address pool
netsh ras ip set addrassign method=pool
netsh ras ip set pool startaddr=172.16.0.100 endaddr=172.16.0.200

# Or use DHCP
netsh ras ip set addrassign method=dhcp

# Verify IP assignment configuration
netsh ras ip show config
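
Where the static pool sits relative to the server's own subnets decides what else must be configured: an on-subnet pool has to be excluded from that subnet's DHCP scope, and an off-subnet pool needs a return route on the internal routers. The following is an added example, not part of the original guide; the function names and the sample adapter addresses are assumptions made for illustration.

```powershell
# Added example: classify an RRAS static pool against the server's IPv4 subnets.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $n = [uint64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $b            # accumulate octets, most significant first
    }
    [uint64]$n
}

function Get-VpnPoolPlacement {
    param(
        [Parameter(Mandatory)][string]$StartAddr,
        [Parameter(Mandatory)][string]$EndAddr,
        [Parameter(Mandatory)][object[]]$LocalAddress  # InterfaceAlias, IPAddress, PrefixLength
    )
    $lo = ConvertTo-IPv4Number $StartAddr
    $hi = ConvertTo-IPv4Number $EndAddr
    if ($lo -gt $hi) { throw "startaddr $StartAddr is above endaddr $EndAddr" }

    foreach ($a in $LocalAddress) {
        $ip    = ConvertTo-IPv4Number $a.IPAddress
        $size  = [uint64][math]::Pow(2, 32 - $a.PrefixLength)
        $netLo = $ip - ($ip % $size)                   # first address of the subnet
        $netHi = $netLo + $size - 1                    # last address of the subnet
        $r = [ordered]@{ Placement = $null; Interface = $a.InterfaceAlias; Action = $null }
        if ($ip -ge $lo -and $ip -le $hi) {
            $r.Placement = 'Conflict'
            $r.Action    = "Pool contains the server's own address $($a.IPAddress)"
        } elseif ($lo -ge $netLo -and $hi -le $netHi) {
            $r.Placement = 'OnSubnet'
            $r.Action    = 'Exclude this range from the DHCP scope of that subnet'
        } elseif ($lo -le $netHi -and $hi -ge $netLo) {
            $r.Placement = 'Straddles'
            $r.Action    = 'Move the pool entirely inside or outside that subnet'
        } else { continue }                            # no overlap with this adapter
        return [pscustomobject]$r
    }
    [pscustomobject]@{ Placement = 'OffSubnet'; Interface = $null
        Action = 'Add a route for the pool on internal routers, pointing at this server' }
}

# Constructed sample adapters, shaped like Get-NetIPAddress output
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet';   IPAddress = '192.168.1.10'; PrefixLength = 24 }
    [pscustomobject]@{ InterfaceAlias = 'Ethernet 2'; IPAddress = '172.16.0.1';   PrefixLength = 24 }
)
Get-VpnPoolPlacement -StartAddr '172.16.0.100' -EndAddr '172.16.0.200' -LocalAddress $sample
```

On a live server, pass `(Get-NetIPAddress -AddressFamily IPv4)` as `-LocalAddress` instead of the sample.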

Step 4: Configure VPN Protocols and Ports

RRAS supports multiple VPN protocols. Configure the number of ports available for each protocol based on your expected concurrent connections:

# View current VPN port configuration
netsh ras show ports

# Configure port counts via WMI
$routerConfig = Get-WmiObject -Namespace root\Microsoft\Windows\RemoteAccess\Server -Class PS_RasServerConfiguration
$routerConfig

# Set the authentication and encryption settings
netsh ras set conf authmode auth=windows
netsh ras set conf encryption=allowed

Enable IKEv2, the most modern and recommended of the supported VPN protocols:

# Check IKEv2 configuration
Get-VpnServerConfiguration

# Set IKEv2 parameters
Set-VpnServerConfiguration -TunnelType IKEv2 -EncryptionType MaximumEncryption -PassThru

Step 5: Configure RIP Dynamic Routing

For environments using dynamic routing, RRAS supports RIP (Routing Information Protocol) for IPv4. Configure RIP on the internal interfaces:

# Add RIP routing protocol
netsh routing ip rip install

# Add an interface to RIP
netsh routing ip rip add interface "Local Area Connection" 2
netsh routing ip rip set interface "Local Area Connection" mode=2 updatemode=periodic period=30

# View RIP neighbors and routes
netsh routing ip rip show neighbor
netsh routing ip rip show globalstats

Step 6: Configure Demand-Dial Routing for Site-to-Site VPN

Site-to-site (demand-dial) VPN connects two network locations over a VPN tunnel automatically when traffic needs to be routed between them:

# Add a site-to-site VPN interface
Add-VpnS2SInterface -Name "Branch-Office" -Destination "203.0.113.10" -Protocol IKEv2 `
    -AuthenticationMethod MachineCertificates `
    -EapMethod None `
    -SourceIpAddress "198.51.100.5" `
    -IPv4Subnet @("192.168.2.0/24:100") `
    -Persistent

# Connect the S2S interface
Connect-VpnS2SInterface -Name "Branch-Office"

# View S2S interface status
Get-VpnS2SInterface | Select Name, Destination, ConnectionState, IPv4Subnet

Step 7: Configure Windows Firewall for RRAS

Open the inbound firewall ports that RRAS needs. Create only the rules for the VPN protocols you actually enabled and skip the rest:

# PPTP
New-NetFirewallRule -DisplayName "RRAS PPTP" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Allow
New-NetFirewallRule -DisplayName "RRAS GRE" -Direction Inbound -Protocol 47 -Action Allow

# L2TP/IPsec
New-NetFirewallRule -DisplayName "RRAS L2TP" -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow
New-NetFirewallRule -DisplayName "RRAS IPsec-IKE" -Direction Inbound -Protocol UDP -LocalPort 500 -Action Allow
New-NetFirewallRule -DisplayName "RRAS IPsec-NAT-T" -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow

# SSTP
New-NetFirewallRule -DisplayName "RRAS SSTP" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# IKEv2
New-NetFirewallRule -DisplayName "RRAS IKEv2" -Direction Inbound -Protocol UDP -LocalPort 500,4500 -Action Allow
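
If only some of these protocols are in use, the remaining rules expose listeners that serve no purpose. The following added example (not part of the original guide) flags inbound allow rules whose ports serve only unused VPN protocols; the port table is taken from the rules above, while the function name, the `-ProtocolsInUse` parameter and the sample rule objects are assumptions made for illustration.

```powershell
# Added example: find VPN firewall rules that no protocol in use depends on.
$VpnPorts = @(   # protocol/port pairs from the Step 7 rules
    [pscustomobject]@{ Vpn = 'PPTP';  Protocol = 'TCP'; Port = '1723' }
    [pscustomobject]@{ Vpn = 'PPTP';  Protocol = '47';  Port = 'Any'  }
    [pscustomobject]@{ Vpn = 'L2TP';  Protocol = 'UDP'; Port = '1701' }
    [pscustomobject]@{ Vpn = 'L2TP';  Protocol = 'UDP'; Port = '500'  }
    [pscustomobject]@{ Vpn = 'L2TP';  Protocol = 'UDP'; Port = '4500' }
    [pscustomobject]@{ Vpn = 'SSTP';  Protocol = 'TCP'; Port = '443'  }
    [pscustomobject]@{ Vpn = 'IKEv2'; Protocol = 'UDP'; Port = '500'  }
    [pscustomobject]@{ Vpn = 'IKEv2'; Protocol = 'UDP'; Port = '4500' }
)

function Find-UnneededVpnRule {
    param(
        [Parameter(Mandatory)][object[]]$Rule,            # DisplayName, Protocol, LocalPort
        [Parameter(Mandatory)][string[]]$ProtocolsInUse   # e.g. 'IKEv2'
    )
    foreach ($r in $Rule) {
        # Every VPN protocol that uses any port opened by this rule
        $users = @( @(foreach ($port in @($r.LocalPort)) {
            $VpnPorts | Where-Object { $_.Protocol -eq $r.Protocol -and $_.Port -eq $port } |
                ForEach-Object Vpn
        }) | Select-Object -Unique )
        if ($users.Count -eq 0) { continue }              # not one of the VPN ports
        $needed = @($users | Where-Object { $ProtocolsInUse -contains $_ })
        if ($needed.Count -eq 0) {                        # serves only unused protocols
            [pscustomobject]@{ DisplayName = $r.DisplayName; Protocol = $r.Protocol
                LocalPort = (@($r.LocalPort) -join ','); OnlyServes = ($users -join ',') }
        }
    }
}

# Constructed sample mirroring the rules created in Step 7
$sampleRules = @(
    [pscustomobject]@{ DisplayName = 'RRAS PPTP';      Protocol = 'TCP'; LocalPort = '1723' }
    [pscustomobject]@{ DisplayName = 'RRAS GRE';       Protocol = '47';  LocalPort = 'Any' }
    [pscustomobject]@{ DisplayName = 'RRAS L2TP';      Protocol = 'UDP'; LocalPort = '1701' }
    [pscustomobject]@{ DisplayName = 'RRAS IPsec-IKE'; Protocol = 'UDP'; LocalPort = '500' }
    [pscustomobject]@{ DisplayName = 'RRAS SSTP';      Protocol = 'TCP'; LocalPort = '443' }
    [pscustomobject]@{ DisplayName = 'RRAS IKEv2';     Protocol = 'UDP'; LocalPort = @('500', '4500') }
)
# With only IKEv2 in use this returns the PPTP, GRE, L2TP and SSTP rules
Find-UnneededVpnRule -Rule $sampleRules -ProtocolsInUse 'IKEv2'
```

On a live server, build the `-Rule` input from `Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True`, piping each rule to `Get-NetFirewallPortFilter` for its Protocol and LocalPort. Treat the output as candidates for review, since a port such as TCP 443 may also be opened for a service other than SSTP.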

Step 8: Monitor RRAS Connections

Monitor active remote access connections and routing statistics:

# View active VPN connections
netsh ras diagnostics show all
Get-RemoteAccessConnectionStatistics

# View routing table via RRAS
netsh routing ip show rtmdestinations
netsh routing ip show bestroutes

# View RRAS event logs
Get-EventLog -LogName System -Source RemoteAccess -Newest 25 | Select TimeGenerated, EntryType, Message

RRAS on Windows Server 2016 is a versatile and cost-effective solution for organizations that need routing, VPN, or remote access capabilities without investing in dedicated hardware appliances. Its deep integration with Active Directory, NPS, and other Windows Server roles makes it a natural fit for Windows-centric environments.