How to Install and Configure Routing and Remote Access (RRAS) on Windows Server 2016

Routing and Remote Access Service (RRAS) is a Windows Server role that provides routing, remote access VPN, and NAT (Network Address Translation) capabilities. RRAS can function as a software-based router connecting multiple network segments, a VPN server for remote workers, a dial-up server, and a NAT gateway allowing multiple internal hosts to share a single public IP address. Windows Server 2016 includes RRAS as part of the Remote Access server role, and it is commonly deployed in branch office routing scenarios, small business internet gateways, and as the back-end for VPN services.

Common RRAS Deployment Scenarios

RRAS is used in several common scenarios. As a software router, it routes traffic between internal subnets or connects branch offices via demand-dial connections. As a VPN server, it accepts inbound VPN connections using PPTP, L2TP/IPsec, SSTP, or IKEv2 protocols. As a NAT gateway, it allows a small network to share a single internet connection. As a site-to-site VPN gateway, it creates persistent encrypted tunnels between office locations over the internet.

Step 1: Install the Remote Access Role

Install the Remote Access role with the required role services. For a combined VPN and routing server, install both DirectAccess-VPN and Routing:

Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools
Restart-Computer -Force

After rebooting, verify the features are installed:

Get-WindowsFeature -Name DirectAccess-VPN, Routing

Step 2: Configure RRAS Using the Wizard

Open the Routing and Remote Access console from Server Manager. Right-click the server name and select Configure and Enable Routing and Remote Access to launch the configuration wizard. Choose the configuration type: Custom configuration allows you to select individual capabilities. For a VPN access server with NAT:

# Use PowerShell for a scripted installation
Install-RemoteAccess -VpnType VPN
Start-Service RemoteAccess
Set-Service RemoteAccess -StartupType Automatic

Step 3: Configure VPN Protocols and Ports

RRAS supports multiple VPN protocols. Configure the number of ports available for each protocol based on your expected concurrent user count. The settings are managed through the RRAS console under Ports. To view current port counts:

netsh ras show wanports

To configure RRAS to use L2TP/IPsec and set a pre-shared key (for environments without PKI):

# Require authentication for all dial-in clients (valid modes: standard, nodcc, bypass)
netsh ras set authmode mode=standard
# 0 = IPsec stays enabled for L2TP connections
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" -Name "ProhibitIpSec" -Value 0 -Type DWord
# 0 = weak L2TP/IPsec algorithms (MD5, DES) stay disabled
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" -Name "AllowL2TPWeakCrypto" -Value 0 -Type DWord

Step 4: Configure NAT

To configure RRAS as a NAT gateway, enabling multiple internal clients to share a single public IP address, first ensure the server has at least two interfaces: one public-facing and one connected to the internal network. Enable NAT with netsh or the RRAS console:

# Add NAT on the public interface (replace "Ethernet 2" with your public interface name)
netsh routing ip nat install
netsh routing ip nat add interface name="Ethernet 2" mode=full
netsh routing ip nat add interface name="Ethernet" mode=private

Alternatively, use the RRAS Management Console to navigate to IPv4 > NAT, right-click and select New Interface, then configure the public interface as Full NAT and the internal interfaces as Private.

Step 5: Configure IP Address Assignment for VPN Clients

Configure how VPN clients receive IP addresses when they connect. You can use DHCP from an internal server or define a static address pool:

# Using a static pool
netsh ras ip set addrassign method=static
netsh ras ip add range from=172.16.100.10 to=172.16.100.100

# Or use DHCP forwarding
netsh ras ip set addrassign method=dhcp

Configure DNS and WINS server addresses pushed to VPN clients:

netsh ras ip set access mode=all
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP" -Name "TcpIpDnsAddress" -Value "192.168.1.10" -Type String

Step 6: Configure Static Routes

Add static routes to direct traffic for specific subnets through RRAS. This is important for routing traffic between network segments:

# Add a persistent static route
New-NetRoute -DestinationPrefix "10.20.0.0/24" -InterfaceAlias "Ethernet" -NextHop "192.168.1.1" -RouteMetric 10 -PolicyStore PersistentStore

# View routing table
Get-NetRoute | Where-Object {$_.RouteMetric -lt 256} | Sort-Object DestinationPrefix

Step 7: Configure Logging and Accounting

Enable connection logging to track VPN sessions, which is valuable for security auditing and troubleshooting. Configure RRAS logging settings:

netsh ras set conf confstate=enabled
netsh ras set tracing * enabled

For production environments, send accounting data to a RADIUS/NPS server for centralised logging:

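# Replace the placeholder shared secret with your own value; -Purpose Accounting marks this server as an accounting target
Add-RemoteAccessRadius -ServerName "192.168.1.20" -SharedSecret "NPS_SharedKey!" -Purpose Accounting -AccountingOnOffMsg Enabled -Score 30 -Timeout 5 -MsgAuthenticator Enabled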
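Step 3 (the L2TP/IPsec pre-shared key) and the RADIUS command above both depend on a shared secret, and a literal secret in a script ends up in source control and shell history. The following is an added example, not part of the original guide, that prompts for each secret and can be used in place of the RADIUS command above. The helper name Read-Secret and the 22-character minimum are assumptions of this example, and the RADIUS address is the one used in this guide.

```powershell
# Added example: supply the L2TP pre-shared key and the RADIUS shared secret
# at run time instead of embedding them in the script.
# Run in an elevated session on the RRAS server (RemoteAccess module).

function Read-Secret {
    # Hypothetical helper: prompt without echo, enforce a minimum length,
    # and return plain text because both cmdlets below take a String.
    param(
        [Parameter(Mandatory)] [string] $Prompt,
        [int] $MinLength = 22   # threshold chosen for this example
    )
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    if ($plain.Length -lt $MinLength) {
        throw "Secret is shorter than $MinLength characters."
    }
    return $plain
}

# Step 3: advertise pre-shared-key tunnel authentication and set the key.
$psk = Read-Secret -Prompt 'L2TP/IPsec pre-shared key'
Set-VpnAuthProtocol -TunnelAuthProtocolsAdvertised PreSharedKey -SharedSecret $psk

# Step 7: RADIUS accounting target, with the same options as the guide's command.
$radiusSecret = Read-Secret -Prompt 'RADIUS shared secret for 192.168.1.20'
Add-RemoteAccessRadius -ServerName '192.168.1.20' -SharedSecret $radiusSecret `
    -Purpose Accounting -AccountingOnOffMsg Enabled -MsgAuthenticator Enabled `
    -Score 30 -Timeout 5

# Drop the plain-text copies, then restart so RRAS picks up the new settings.
Remove-Variable psk, radiusSecret
Restart-Service RemoteAccess

# Confirm the advertised tunnel authentication method.
Get-VpnAuthProtocol | Select-Object TunnelAuthProtocolsAdvertised, UserAuthProtocolAccepted
```

The same secrets must be entered on the VPN clients and on the NPS server's RADIUS client entry for this RRAS host.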

Step 8: Verify RRAS Operation

Verify that RRAS is running correctly and review active connections:

Get-Service RemoteAccess | Select-Object Name, Status, StartType
netsh ras show activeconn
netsh ras diagnostics show configuration
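To go beyond confirming that the service is up, the settings from Steps 2, 3 and 7 can be read back and compared with what this guide configures. This is an added example, not part of the original guide; the function name Test-RrasBaseline is hypothetical, and it assumes an elevated session on the RRAS server.

```powershell
# Added example: read back the settings this guide configures and list deviations.
function Test-RrasBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 2: the service must be running and set to start automatically.
    $svc = Get-Service -Name RemoteAccess
    if ($svc.Status -ne 'Running')      { $findings.Add("Service status: $($svc.Status)") }
    if ($svc.StartType -ne 'Automatic') { $findings.Add("Service start type: $($svc.StartType)") }

    # Step 3: both values should be 0; a missing value is accepted as the default.
    $rasMan = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
    $params = Get-ItemProperty -Path $rasMan
    foreach ($name in 'ProhibitIpSec', 'AllowL2TPWeakCrypto') {
        $value = $params.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings.Add("$name = $value (expected 0)")
        }
    }

    # Step 3: a pre-shared key is a single secret known to every client.
    $auth = Get-VpnAuthProtocol
    if ($auth.TunnelAuthProtocolsAdvertised -eq 'PreSharedKey') {
        $findings.Add('Tunnel authentication uses a pre-shared key, not certificates')
    }

    # Step 7: expect an accounting RADIUS target with Message-Authenticator on.
    $acct = @(Get-RemoteAccessRadius | Where-Object { $_.Purpose -eq 'Accounting' })
    if ($acct.Count -eq 0) {
        $findings.Add('No RADIUS accounting server configured')
    }
    foreach ($server in $acct) {
        if ($server.MsgAuthenticator -ne 'Enabled') {
            $findings.Add("RADIUS $($server.ServerName): MsgAuthenticator is $($server.MsgAuthenticator)")
        }
    }

    return $findings
}

$result = @(Test-RrasBaseline)
if ($result.Count -eq 0) { 'RRAS baseline: no deviations found' } else { $result }
```

The pre-shared-key finding is informational in environments without PKI, which is the case Step 3 is written for.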

Check the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > RemoteAccess-PPP and RemoteAccess-VPN for detailed connection and error information. With RRAS properly configured on Windows Server 2016, your server can handle multi-protocol VPN connections, route traffic between network segments, and provide NAT services, all from a single, manageable Windows Server role.