How to Configure RRAS on Windows Server 2012 R2

Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 is a multi-purpose networking role that provides routing, VPN connectivity, and dial-up access services. RRAS can function as a software router supporting static and dynamic routing protocols (RIP v2 and OSPF via add-ons), as a VPN server supporting PPTP, L2TP/IPsec, SSTP, and IKEv2, and as a network address translation (NAT) gateway. This guide covers deploying RRAS as a software LAN router with static routing, enabling dynamic routing, configuring demand-dial connections, and integrating with NPS for remote access authentication.

Prerequisites

The server should have at least two network interface cards for routing between subnets. For VPN scenarios, one NIC should be connected to the internal network and another to the internet (or DMZ). Active Directory integration with NPS is recommended for VPN user authentication. The server must have sufficient CPU and memory — RRAS is not particularly resource-intensive for routing, but VPN encryption at scale requires more resources. Domain Admin or local Administrator rights are required. Open the relevant firewall ports on any perimeter firewalls: UDP 500 and 4500 (IKEv2/IPsec), TCP 1723 (PPTP), TCP 443 (SSTP), UDP 1701 (L2TP).

Installing the Remote Access Role

# Install Remote Access with Routing and VPN components
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools

# Install RAS Connection Manager Administration Kit (optional, for client package creation)
Install-WindowsFeature CMAK -IncludeManagementTools

# Verify installation
Get-WindowsFeature RemoteAccess, Routing, DirectAccess-VPN | 
    Select-Object Name, InstallState | Format-Table

Configuring RRAS as a LAN Router

Configure RRAS for LAN routing to route traffic between different subnets. This requires IP routing to be enabled on the server:

# Enable IP routing on the server (required for any RRAS routing)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
    -Name "IPEnableRouter" -Value 1 -Type DWord

# Install RRAS for LAN routing (no VPN, just routing)
Install-RemoteAccess -VpnType RoutingOnly

# Verify RRAS service is running
Get-Service -Name RemoteAccess | Select-Object Status, StartType

# Start RRAS service
Start-Service -Name RemoteAccess
Set-Service -Name RemoteAccess -StartupType Automatic

Configuring Static Routes

Add static routes to the routing table for networks reachable via RRAS:

# View current routing table
netstat -r
# Or:
Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric | 
    Format-Table -AutoSize

# Add a persistent static route
# Route to 10.20.0.0/16 via gateway 192.168.1.1
New-NetRoute -DestinationPrefix "10.20.0.0/16" `
    -NextHop "192.168.1.1" `
    -InterfaceAlias "Internal" `
    -RouteMetric 100 `
    -PolicyStore PersistentStore

# Add a host route (specific IP)
New-NetRoute -DestinationPrefix "172.16.5.10/32" `
    -NextHop "192.168.10.1" `
    -InterfaceAlias "Ethernet" `
    -PolicyStore PersistentStore

# Add via route add (legacy but useful for one-time routes)
route add 10.30.0.0 mask 255.255.0.0 192.168.1.254 -p  # -p makes it persistent
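
Once IP routing is enabled, the persistent route table decides where forwarded traffic goes, so it is worth checking against a known-good list after every change. The following is an added example, not part of the original guide: it compares routes with a baseline built from the sample routes above. The function name Compare-RouteBaseline and the sample objects are constructed for illustration.

```powershell
# Added example (not from the original guide). The baseline holds this guide's sample routes.
$baseline = @{
    '10.20.0.0/16'   = '192.168.1.1'
    '172.16.5.10/32' = '192.168.10.1'
}

function Compare-RouteBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,  # DestinationPrefix -> expected NextHop
        [object[]] $Routes = @()                       # objects with DestinationPrefix, NextHop
    )
    $seen = @{}
    foreach ($r in $Routes) {
        $prefix = [string]$r.DestinationPrefix
        $seen[$prefix] = $true
        if (-not $Baseline.ContainsKey($prefix)) {
            [pscustomobject]@{ Finding = 'Unexpected'; Prefix = $prefix; NextHop = $r.NextHop }
        } elseif ($Baseline[$prefix] -ne $r.NextHop) {
            [pscustomobject]@{ Finding = 'NextHopChanged'; Prefix = $prefix; NextHop = $r.NextHop }
        }
    }
    # Baseline entries that never appeared in the route list
    foreach ($prefix in $Baseline.Keys) {
        if (-not $seen.ContainsKey($prefix)) {
            [pscustomobject]@{ Finding = 'Missing'; Prefix = $prefix; NextHop = $Baseline[$prefix] }
        }
    }
}

# Constructed sample standing in for Get-NetRoute output (not real data)
$sample = @(
    [pscustomobject]@{ DestinationPrefix = '10.20.0.0/16'; NextHop = '192.168.1.1' }
    [pscustomobject]@{ DestinationPrefix = '10.99.0.0/16'; NextHop = '192.168.1.77' }
)
Compare-RouteBaseline -Baseline $baseline -Routes $sample | Format-Table -AutoSize

# Live check on the RRAS server: persistent IPv4 routes plus the forwarding flag
$live = @(Get-NetRoute -PolicyStore PersistentStore -AddressFamily IPv4 -ErrorAction SilentlyContinue)
Compare-RouteBaseline -Baseline $baseline -Routes $live | Format-Table -AutoSize
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
"IPEnableRouter = $($tcpip.IPEnableRouter)"
```

With the constructed sample, the output lists 10.99.0.0/16 as Unexpected and 172.16.5.10/32 as Missing. Add any route you intend to keep, such as a default gateway, to the baseline before running the live check.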

Configuring RRAS with the Management Console

The Routing and Remote Access MMC console (rrasmgmt.msc) provides full management capability. Key tasks via the console:

# Open RRAS management console
# rrasmgmt.msc

# Right-click the server > Configure and Enable Routing and Remote Access
# Select: "Custom Configuration"
# Choose: LAN routing (for pure routing)
#         VPN access (for VPN server)
#         LAN routing + NAT (for internet gateway with NAT)

# After enabling, configure interfaces:
# IPv4 > General > right-click interface > Properties
# Set metric, enable/disable routing on specific interfaces

Enabling RIP v2 Dynamic Routing

RIP v2 (Routing Information Protocol) is available in RRAS for small networks. Configure it for automatic route exchange with other RIP-capable routers:

# Add RIP v2 routing protocol via RRAS MMC:
# IPv4 > General > right-click > New Routing Protocol > RIP Version 2 for Internet Protocol

# Or configure via netsh
netsh routing ip rip install
netsh routing ip rip add interface name="Internal" mode=0 updatemode=0
# mode=0 = Periodic Update; mode=1 = No Horizon; mode=2 = Split Horizon
# updatemode=0 = Periodic; updatemode=1 = Triggered; updatemode=2 = no updates

Configuring RRAS for VPN (Multiple Protocol Support)

Enable RRAS as a VPN server supporting multiple protocols:

# Configure RRAS for VPN with both PPTP and L2TP/IPsec
Install-RemoteAccess -VpnType VPN

# Configure the number of VPN ports for each protocol
# Via RRAS console: Ports > Properties > Configure port count
# Or via netsh:
netsh ras set type vpnserver=true dialupserver=false

# Configure PPTP ports (default is 128)
netsh ras set wanports tunneltype=pptp numberofports=50

# Configure L2TP ports
netsh ras set wanports tunneltype=l2tp numberofports=50

# Configure SSTP ports
netsh ras set wanports tunneltype=sstp numberofports=50

Configuring L2TP/IPsec Pre-Shared Key

L2TP over IPsec requires either certificates or a pre-shared key (PSK) for the IPsec layer. For quick deployment, configure a pre-shared key (less secure than certificates):

# Configure L2TP/IPsec pre-shared key on the VPN server
# Via registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IkeV2" `
    -Name "PSKRequired" -Value 1 -Type DWord

# For L2TP PSK:
# HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" `
    -Name "ProhibitIpSec" -Value 0 -Type DWord

# Configure PSK via netsh (applies to L2TP and IKEv2)
netsh ras set ikev2connection psk="YourPreSharedKey123!"

# Note: Certificate-based authentication is strongly preferred over PSK for production
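
If a pre-shared key is used, generate it from a cryptographic random source instead of typing one like the sample value above, and confirm that ProhibitIpSec has not been left at 1. The following is an added example, not part of the original guide; the function names New-IpsecPsk and Test-L2tpIpsecEnforced are illustrative.

```powershell
# Added example (not from the original guide).
function New-IpsecPsk {
    # Returns a random key as Base64 text; 32 bytes gives 44 printable characters.
    param([ValidateRange(16, 96)] [int] $ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($bytes) }
    finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

function Test-L2tpIpsecEnforced {
    # ProhibitIpSec = 1 stops Windows from creating the automatic IPsec policy for L2TP,
    # so an absent value or 0 is the state this guide configures.
    param([string] $Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters')
    $value = (Get-ItemProperty -Path $Path -Name ProhibitIpSec -ErrorAction SilentlyContinue).ProhibitIpSec
    return ($null -eq $value -or $value -eq 0)
}

$psk = New-IpsecPsk   # keep in a secrets store; do not write it to scripts or logs
"Generated PSK length: $($psk.Length) characters"
"L2TP IPsec enforced: $(Test-L2tpIpsecEnforced)"
```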

Configuring IP Address Assignment for VPN Clients

# Configure static IP pool for VPN clients via registry
# HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip" `
    -Name "AllowClasslessStaticRoutes" -Value 1

# Configure via RRAS console:
# Server Properties > IPv4 tab
# Select "Static address pool"
# Add range: From 172.16.100.1 To 172.16.100.100

# Or use DHCP server to assign addresses to VPN clients
# Server Properties > IPv4 > "Dynamic Host Configuration Protocol (DHCP)"

Configuring RRAS Demand-Dial Interface

Demand-dial interfaces create WAN connections on demand, useful for site-to-site VPN:

# Create a demand-dial interface for site-to-site VPN
# Via RRAS console: Network Interfaces > New Demand-dial Interface Wizard
# Or via netsh:

# Create a VPN demand-dial interface to a remote site
netsh routing ip add interface "SiteBConnection"
netsh interface set interface name="SiteBConnection" adminstatus=enabled

# Add route that triggers the demand-dial connection
New-NetRoute -DestinationPrefix "10.20.0.0/16" `
    -InterfaceAlias "SiteBConnection" `
    -NextHop "0.0.0.0"

Verification

# Check RRAS service and configuration
netsh ras show config

# Check active connections
netsh ras show activeconn

# View routing table in RRAS
netsh routing ip show rtmroutes

# Check VPN port status
netsh ras diagnostics show ports

# View RRAS event log
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='RemoteAccess'} `
    -MaxEvents 20 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
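
The RRAS event log is also the first place to look for password guessing against the VPN. The following is an added example, not part of the original guide: it counts failed authentication events per source address. The function name Get-VpnAuthFailureSummary, the threshold, and the sample events are constructed, and the message layout the regex expects is an assumption to adjust against your own log text.

```powershell
# Added example (not from the original guide). Event ID 20271 is the RemoteAccess
# "failed an authentication attempt" event; the message layout matched below is an assumption.
function Get-VpnAuthFailureSummary {
    param(
        [object[]] $Events = @(),   # objects exposing Id and Message
        [int] $Threshold = 3        # failures per source before it is reported
    )
    $pattern = 'The user (?<User>\S+) connected from (?<Source>\S+) but failed'
    $hits = foreach ($e in $Events) {
        if ($e.Id -eq 20271 -and $e.Message -match $pattern) {
            [pscustomobject]@{ User = $Matches['User']; Source = $Matches['Source'] }
        }
    }
    if (-not $hits) { return }
    $hits | Group-Object -Property Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Users    = (($_.Group | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample events (not real log data): four failures from one address
$sample = 'alice', 'bob', 'carol', 'dave' | ForEach-Object {
    [pscustomobject]@{
        Id      = 20271
        Message = "The user CONTOSO\$_ connected from 203.0.113.5 but failed an authentication attempt."
    }
}
Get-VpnAuthFailureSummary -Events $sample | Format-Table -AutoSize

# Live check on the RRAS server
$live = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20271 } `
    -ErrorAction SilentlyContinue)
Get-VpnAuthFailureSummary -Events $live | Format-Table -AutoSize
```

Many distinct user names failing from one source address points to password spraying rather than a single user mistyping a password.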

Summary

RRAS on Windows Server 2012 R2 is a versatile role supporting LAN routing, software-based VPN, NAT, and demand-dial WAN connectivity. For routing scenarios, enable IP routing in the registry and configure static routes or RIP v2 for dynamic routing. For VPN deployments, configure multiple protocol support (PPTP, L2TP/IPsec, SSTP, IKEv2) with certificate-based IPsec authentication for production security. Integrate with NPS for centralized RADIUS-based VPN user authentication and policy enforcement. The RRAS console (rrasmgmt.msc) and netsh are complementary tools — use PowerShell Get-NetRoute and routing cmdlets for scripted management of static routes.