How to Install and Configure Routing and Remote Access (RRAS) on Windows Server 2025
Routing and Remote Access Service (RRAS) is one of Windows Server’s most versatile networking roles. A single RRAS deployment can simultaneously serve as a VPN concentrator, a NAT gateway, a LAN router, and a software-defined BGP routing peer. On Windows Server 2025, RRAS has been updated to work alongside the Windows Subsystem for Networking and integrates cleanly with PowerShell and the NetTCPIP module for route management. Whether you are building a simple NAT gateway for a lab environment, deploying an enterprise VPN solution, or implementing dynamic routing between VLANs, RRAS provides the foundation. This tutorial covers the complete installation, the major operational modes, NAT configuration, static and dynamic routing, and compares RRAS capabilities with dedicated router operating systems like Cisco IOS.
RRAS Roles Overview
RRAS consolidates multiple networking functions under a single service (RemoteAccess). Before installing, decide which functions you need:
- VPN Server: terminates IKEv2, SSTP, L2TP/IPsec, and PPTP VPN connections from remote clients or site-to-site peers
- NAT (Network Address Translation): shares a single public IP across multiple internal hosts, common for branch office internet access or lab environments
- LAN Routing: routes packets between multiple network interfaces attached to different subnets — replaces or supplements physical routers in smaller environments
- DirectAccess / Always On VPN: provides always-connected, user-transparent VPN for domain-joined Windows clients
- BGP Router: peers with upstream routers to exchange routing information dynamically, useful in hybrid cloud scenarios with Azure VPN Gateway or ExpressRoute
Prerequisites
- Windows Server 2025 (Standard or Datacenter) with at least two network adapters for routing/NAT scenarios
- Static IP addresses on all interfaces
- Administrative access
- For VPN: a public IP or NAT port forwarding, and a valid SSL certificate for SSTP or machine certificates for IKEv2
- For BGP: a BGP Autonomous System Number (ASN) allocated for your environment
- For NAT: an external interface connected to the upstream network and one or more internal interfaces
Step 1 — Install the Remote Access Role
Install the Remote Access server role and its management tools. The Routing sub-feature is required for LAN routing, NAT, and BGP. The DirectAccess-VPN sub-feature is required for VPN and Always On VPN functionality.
# Install all RRAS components
Install-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN `
-IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN |
Select-Object Name, InstallState
# Confirm RRAS service exists
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType
For VPN-only deployments without routing, you can omit the Routing sub-feature. For NAT and LAN routing without VPN, you can omit DirectAccess-VPN.
Step 2 — Choose Your Configuration Mode
RRAS is initialized differently depending on the desired mode. Use Install-RemoteAccess -VpnType Vpn for VPN or Always On VPN, Install-RemoteAccess -VpnType VpnS2S when you also need routing, or Install-RemoteAccess -VpnType RoutingOnly for pure LAN routing. For NAT, you configure the NAT routing protocol separately after enabling routing.
VPN Mode
# Initialize RRAS for VPN (client-to-site and site-to-site)
Install-RemoteAccess -VpnType Vpn
# Verify
Get-RemoteAccess | Select-Object VpnStatus, DAStatus, RoutingStatus
LAN Routing Mode
# Initialize RRAS for LAN routing only (no VPN)
Install-RemoteAccess -VpnType RoutingOnly
# Enable IP forwarding on all interfaces (also done automatically by RRAS)
Set-NetIPInterface -Forwarding Enabled
Combined VPN and Routing
# Enable both VPN and routing
Install-RemoteAccess -VpnType VpnS2S
# Start the Remote Access service
Start-Service RemoteAccess
Set-Service RemoteAccess -StartupType Automatic
Step 3 — Configure NAT
NAT allows multiple internal hosts to share a single external IP address. RRAS implements NAT as a routing protocol that runs on the external interface. Configure it after RRAS is initialized in routing mode.
# Enable the RRAS routing service
# Identify interface names
Get-NetAdapter | Select-Object Name, InterfaceIndex, Status
# Configure NAT via netsh (PowerShell-native NAT cmdlets target a different NAT subsystem)
# RRAS NAT is configured through the routing infrastructure
# Add NAT routing protocol to the router
netsh routing ip nat install
# Set the external interface (connected to the internet/upstream network)
netsh routing ip nat add interface name="Ethernet 1" mode=full
# Set the internal interface (connected to the LAN)
netsh routing ip nat add interface name="Ethernet 2" mode=private
# Verify NAT configuration
netsh routing ip nat show interface
For static NAT (port forwarding) to expose an internal server through the NAT public IP:
# Forward TCP port 8080 on the public IP to an internal web server (192.168.1.50:80)
netsh routing ip nat add portmapping name="Ethernet 1" proto=TCP publicip=0.0.0.0 `
publicport=8080 privateip=192.168.1.50 privateport=80
# List all port mappings
netsh routing ip nat show portmapping
Step 4 — Configure Static Routes
For LAN routing between subnets, add static routes to direct traffic to the correct interfaces or next-hop routers. Use the New-NetRoute cmdlet or the classic route add command for persistent routes.
# Add a persistent static route
# Route traffic for 10.20.0.0/24 through the gateway at 10.10.0.1 via interface index 12
New-NetRoute `
-DestinationPrefix "10.20.0.0/24" `
-NextHop "10.10.0.1" `
-InterfaceIndex 12 `
-RouteMetric 10 `
-PolicyStore PersistentStore
# List current routes with a metric below 256
Get-NetRoute | Where-Object { $_.RouteMetric -lt 256 } |
Select-Object DestinationPrefix, NextHop, InterfaceIndex, RouteMetric |
Sort-Object DestinationPrefix |
Format-Table -AutoSize
# Classic route command (the -p switch makes the route persistent)
route -p add 10.30.0.0 MASK 255.255.255.0 10.10.0.1
# Print routing table
route print
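Persistent routes survive reboots, so an unreviewed change to them keeps redirecting traffic until someone notices. The following added example (not part of the original tutorial) compares the routes found on the server with an approved baseline and reports unapproved, changed and missing entries; the function name, the baseline and the sample routes are constructed for illustration.

```powershell
# Added example: baseline and current routes below are constructed; the function name is hypothetical.
function Compare-RouteBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,   # approved routes, one per destination prefix
        [Parameter(Mandatory)][object[]]$Current     # routes found on the server
    )
    $approved = @{}
    foreach ($b in $Baseline) { $approved[$b.DestinationPrefix] = $b }
    $seen = @{}
    foreach ($c in $Current) {
        $seen[$c.DestinationPrefix] = $true
        $b = $approved[$c.DestinationPrefix]
        if (-not $b) { $finding = 'Unapproved' }
        elseif ($b.NextHop -ne $c.NextHop -or $b.InterfaceIndex -ne $c.InterfaceIndex) { $finding = 'Changed' }
        else { continue }                            # matches the baseline
        [pscustomobject]@{
            Finding = $finding; DestinationPrefix = $c.DestinationPrefix
            NextHop = $c.NextHop; InterfaceIndex = $c.InterfaceIndex
        }
    }
    foreach ($b in $Baseline) {                      # approved routes that have disappeared
        if (-not $seen.ContainsKey($b.DestinationPrefix)) {
            [pscustomobject]@{
                Finding = 'Missing'; DestinationPrefix = $b.DestinationPrefix
                NextHop = $b.NextHop; InterfaceIndex = $b.InterfaceIndex
            }
        }
    }
}

# Constructed baseline (the approved state) and constructed current state
$baseline = @(
    [pscustomobject]@{ DestinationPrefix = '10.20.0.0/24'; NextHop = '10.10.0.1'; InterfaceIndex = 12 }
    [pscustomobject]@{ DestinationPrefix = '10.30.0.0/24'; NextHop = '10.10.0.1'; InterfaceIndex = 12 }
)
$current = @(
    [pscustomobject]@{ DestinationPrefix = '10.20.0.0/24'; NextHop = '10.10.0.1';  InterfaceIndex = 12 }
    [pscustomobject]@{ DestinationPrefix = '10.30.0.0/24'; NextHop = '10.10.0.99'; InterfaceIndex = 12 }
    [pscustomobject]@{ DestinationPrefix = '10.40.0.0/24'; NextHop = '10.10.0.1';  InterfaceIndex = 12 }
)
Compare-RouteBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize

# On the server, pass the live persistent routes instead:
# -Current (Get-NetRoute -PolicyStore PersistentStore -AddressFamily IPv4)
```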
Step 5 — Configure BGP Routing
BGP (Border Gateway Protocol) enables RRAS to dynamically exchange routing information with other routers, such as Azure VPN Gateway, ExpressRoute circuits, or upstream ISP routers. RRAS on Windows Server 2025 supports BGP via the RemoteAccess module.
# Add a BGP router instance
Add-BgpRouter `
-BgpIdentifier 10.10.1.1 `
-LocalASN 65001
# Add a BGP peer (e.g., Azure VPN Gateway)
Add-BgpPeer `
-Name "AzureVPNGW" `
-LocalIPAddress 10.10.1.1 `
-PeerIPAddress 10.10.0.254 `
-PeerASN 65515 `
-OperationMode Mixed `
-PeeringMode Automatic
# Verify BGP router configuration
Get-BgpRouter
# Check BGP peer status
Get-BgpPeer | Select-Object PeerName, LocalIPAddress, PeerIPAddress, PeerASN, OperationMode, ConnectivityStatus
# View BGP learned routes
Get-BgpRouteInformation | Format-Table -AutoSize
BGP on RRAS is particularly useful in Azure hybrid networking where RRAS acts as the on-premises VPN device and needs to advertise local prefixes to Azure while learning Azure routes dynamically.
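A BGP peer can advertise any prefix, so it is worth checking that what RRAS has learned matches what each peer is expected to send. The following added example (not part of the original tutorial) flags learned IPv4 routes that fall outside a per-peer allow-list; the function names, the 10.50.0.0/16 range and the sample routes are constructed, and the property names are assumed to match Get-BgpRouteInformation output.

```powershell
# Added example: sample data below is constructed; function names are hypothetical.
function ConvertTo-IPv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $len = $Cidr -split '/'
    $parsed = [System.Net.IPAddress]::Parse($ip)
    if ($parsed.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $Cidr" }
    $bytes = $parsed.GetAddressBytes()
    [Array]::Reverse($bytes)                         # network order -> little-endian
    [uint64]$addr  = [BitConverter]::ToUInt32($bytes, 0)
    [uint64]$size  = [math]::Pow(2, 32 - [int]$len)  # addresses covered by the prefix
    [uint64]$start = $addr - ($addr % $size)         # clear any host bits
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Find-UnexpectedBgpRoute {
    param(
        [Parameter(Mandatory)][object[]]$Route,          # objects shaped like Get-BgpRouteInformation output
        [Parameter(Mandatory)][hashtable]$AllowedByPeer  # peer name -> supernets that peer may advertise
    )
    foreach ($r in $Route) {
        $learned  = ConvertTo-IPv4Range $r.DestinationNetwork
        $inPolicy = $false
        foreach ($cidr in $AllowedByPeer[$r.LearnedFromPeer]) {   # no entry for the peer: nothing allowed
            $ok = ConvertTo-IPv4Range $cidr
            if ($learned.Start -ge $ok.Start -and $learned.End -le $ok.End) { $inPolicy = $true; break }
        }
        if (-not $inPolicy) { $r }                       # emit every route outside the allow-list
    }
}

# Assumed address space behind the AzureVPNGW peer (constructed value)
$allowedByPeer = @{ 'AzureVPNGW' = @('10.50.0.0/16') }

# Constructed sample of learned routes
$sampleRoutes = @(
    [pscustomobject]@{ DestinationNetwork = '10.50.0.0/16'; NextHop = '10.10.0.254'; LearnedFromPeer = 'AzureVPNGW' }
    [pscustomobject]@{ DestinationNetwork = '10.50.4.0/24'; NextHop = '10.10.0.254'; LearnedFromPeer = 'AzureVPNGW' }
    [pscustomobject]@{ DestinationNetwork = '0.0.0.0/0';    NextHop = '10.10.0.254'; LearnedFromPeer = 'AzureVPNGW' }
    [pscustomobject]@{ DestinationNetwork = '10.10.1.0/24'; NextHop = '10.10.0.254'; LearnedFromPeer = 'AzureVPNGW' }
)

Find-UnexpectedBgpRoute -Route $sampleRoutes -AllowedByPeer $allowedByPeer | Format-Table -AutoSize

# On the RRAS server, feed the live IPv4 routes learned from peers instead:
# $live = Get-BgpRouteInformation | Where-Object { $_.LearnedFromPeer -and $_.DestinationNetwork -notlike '*:*' }
# Find-UnexpectedBgpRoute -Route $live -AllowedByPeer $allowedByPeer
```

RRAS can also enforce such a policy at the peer with Add-BgpRoutingPolicy and Add-BgpRoutingPolicyForPeer, and cap the number of accepted prefixes with the -MaxAllowedPrefix parameter of Set-BgpPeer.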
Step 6 — Configure RIP Routing
Routing Information Protocol (RIP) version 2 is supported by RRAS for legacy environments. RIP is a distance-vector protocol suitable only for small networks (hop count limited to 15) and is not recommended for new deployments, but remains useful for compatibility with older routers or network appliances.
# Install the RIP routing protocol on RRAS
# Ensure the Routing feature is installed first
netsh routing ip rip install
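# Add RIP to the LAN interface (periodic updates, announce RIP v2 only)
netsh routing ip rip add interface name="Ethernet 2" `
updatemode=periodic announce=rip2
# Set RIP authentication. The netsh RIP context accepts only authnone or authsimplepassword;
# the simple password is sent in clear text, so it identifies routers but does not protect updates
netsh routing ip rip set interface name="Ethernet 2" authmode=authsimplepassword password=MyRIPKey123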
# View RIP neighbors
netsh routing ip rip show neighbor
# View RIP routing table entries
netsh routing ip rip show routetable
Step 7 — Monitor Routes and RRAS Health
Comprehensive route monitoring ensures RRAS is forwarding traffic correctly and allows early detection of routing problems.
# Full routing table view
Get-NetRoute | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol
# Filter for non-link-local routes only
Get-NetRoute | Where-Object {
$_.DestinationPrefix -notlike "fe80*" -and
$_.DestinationPrefix -notlike "ff00*" -and
$_.DestinationPrefix -ne "::/0"
} | Sort-Object DestinationPrefix | Format-Table -AutoSize
# Classic route print (includes persistent and session routes)
route print
# Check RRAS routing statistics
netsh routing ip show rtmdest
# Monitor RRAS connections (for VPN mode)
Get-RemoteAccessConnectionStatistics | Format-Table -AutoSize
# Check the most recent RRAS events (the RemoteAccess provider writes to the System log)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess' } -MaxEvents 20 |
Select-Object TimeCreated, LevelDisplayName, Message
RRAS vs Cisco IOS — Capability Comparison
Understanding where RRAS fits relative to purpose-built routing platforms helps you make the right infrastructure decisions.
- Routing protocols: Cisco IOS supports OSPF, EIGRP, ISIS, BGP, RIP, and PBR natively with decades of hardening. RRAS supports BGP (well-implemented) and RIP v1/v2. RRAS does not natively support OSPF — third-party OSPF stacks (such as ExaBGP or Quagga on a Linux VM) are required if OSPF is needed alongside RRAS.
- Performance: Cisco routers use dedicated ASICs for hardware-accelerated forwarding. RRAS is software-only and uses the Windows TCP/IP stack and server CPU for all forwarding decisions. At low traffic volumes the difference is negligible; at multi-gigabit rates, purpose-built hardware wins decisively.
- VPN: RRAS supports IKEv2, SSTP, L2TP, and PPTP. Cisco supports AnyConnect (SSL VPN), IPsec IKEv2, and FlexVPN. RRAS is better integrated with Windows-native authentication (AD/NPS); Cisco AnyConnect offers cross-platform client support.
- Management: RRAS is managed via PowerShell, RRAS MMC, and Windows Admin Center. Cisco IOS uses CLI, NETCONF/YANG, and Cisco DNA Center. PowerShell automation for RRAS is straightforward; Cisco automation uses Ansible, Python netmiko/napalm, or Cisco NSO.
- Cost: RRAS is included in the Windows Server license at no additional cost. Cisco routers require hardware purchase plus IOS licensing (often subscription-based).
Use RRAS when you need VPN, NAT, BGP, or basic LAN routing integrated with Windows Server at zero additional cost. Use Cisco IOS (or equivalent) when you need OSPF, EIGRP, advanced QoS, hardware-accelerated forwarding, or carrier-grade reliability for network backbone infrastructure.
Conclusion
Routing and Remote Access on Windows Server 2025 is a multi-role networking service that covers VPN, NAT, static routing, BGP, and legacy RIP in a single Windows Server role. By methodically choosing the correct initialization mode, configuring NAT with the appropriate internal and external interface designations, building static or BGP-learned route tables, and monitoring the routing infrastructure with PowerShell and netsh, you build a functional and cost-effective routing platform that integrates naturally with Active Directory authentication and Windows management tooling. For environments already investing in Windows Server infrastructure, RRAS eliminates the need for a dedicated router appliance in many common scenarios — making it a practical first choice before evaluating dedicated networking hardware.