What Is RRAS and What Can It Do

Routing and Remote Access Service (RRAS) is a multi-purpose networking role in Windows Server 2022 that provides VPN server capabilities, NAT (Network Address Translation), LAN routing, and dial-up remote access from a single unified service. Understanding RRAS’s full capabilities is essential before deployment, because the configuration path differs depending on which features you need.

As a VPN server, RRAS accepts incoming VPN connections from remote clients using IKEv2, SSTP, L2TP/IPsec and (legacy) PPTP. It assigns IP addresses to VPN clients, routes their traffic to the internal network, and authenticates them either with Windows authentication (local accounts or, on a domain member, Active Directory) or via RADIUS (NPS). As a NAT gateway, RRAS allows a server with one public IP to share internet access with multiple internal machines, effectively functioning as a software router. As an IP router, RRAS forwards traffic between multiple network interfaces using static routes, RIP v2, or BGP. RRAS can also function as a site-to-site VPN gateway, creating persistent encrypted tunnels between two office locations using demand-dial interfaces.

This guide covers the complete installation, configuration, and management of RRAS on Windows Server 2022 for VPN, NAT, and routing scenarios.

Installing the RRAS Role

Install the Remote Access role with the VPN, DirectAccess, and Routing sub-features using PowerShell:

Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools
Install-WindowsFeature -Name RSAT-RemoteAccess-PowerShell
Install-WindowsFeature -Name RSAT-RemoteAccess-Mgmt

The DirectAccess-VPN feature is the core RRAS VPN component. The Routing feature adds multiprotocol LAN routing and NAT capabilities. The management tools include the RRAS MMC snap-in and the RemoteAccess PowerShell module. Verify the installation:

Get-WindowsFeature DirectAccess-VPN, Routing, RSAT-RemoteAccess-PowerShell | `
  Select-Object Name, InstallState, DisplayName

After installation, the RRAS service exists but is not configured or running. You must configure it before it starts accepting connections. Check the current service state:

Get-Service RemoteAccess | Select-Object Name, Status, StartType
Get-Service RasMan | Select-Object Name, Status, StartType

RRAS Configuration Wizard: Choosing Your Scenario

Open the Routing and Remote Access MMC by running rrasmgmt.msc. Right-click the local server name and select “Configure and Enable Routing and Remote Access”. The wizard presents several pre-configured scenario options:

Remote access (dial-up or VPN) — Configures RRAS as a VPN server accepting inbound client connections. This is the most common scenario for corporate remote access. RRAS will prompt you to select the internet-facing interface and configure IP address assignment.

Network address translation (NAT) — Configures RRAS as a NAT gateway, sharing an internet connection with internal clients. Useful for lab environments or small branch offices without a dedicated router.

Virtual Private Network (VPN) access and NAT — Combines both VPN server and NAT gateway functionality on the same server.

Secure connection between two private networks — Configures a site-to-site VPN using demand-dial interfaces. Used for permanent tunnels between office locations.

Custom configuration — Allows granular selection of features. Recommended for experienced administrators who want precise control. Select the checkboxes for: VPN Access, LAN Routing, and/or NAT as required.

Enabling and Configuring VPN Access

Configure RRAS as a VPN server via PowerShell without using the wizard:

Install-RemoteAccess -VpnType Vpn

After installation, configure the IP address pool for VPN clients:

Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange 10.100.0.10, 10.100.0.100
# Additional ranges can be appended later with Add-VpnIPAddressRange -IPAddressRange <start>, <end>

RRAS has no setting that pushes DNS servers to VPN clients: a client receives the DNS (and WINS) servers of the internal adapter RRAS uses, which is chosen in the RRAS MMC under the server's Properties > IPv4 tab (Adapter). The connection-specific DNS suffix is a client-side setting in the VPN profile. Check what the selected adapter will hand out, so that clients can resolve internal hostnames:

Get-DnsClientServerAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4

Check which tunnel types are offered and size their port pools. There is no single "maximum connections" setting: each tunnel type has its own pool of ports (128 by default), and a client needs a free port of its tunnel type to connect. Disable older/less secure protocols outright:

# View current protocol settings (ports per tunnel type, IPsec policy)
Get-VpnServerConfiguration | Select-Object *

# Size the port pool for the tunnel types you offer (each defaults to 128 ports)
Set-VpnServerConfiguration -TunnelType Ikev2 -Ikev2Ports 1000
Set-VpnServerConfiguration -TunnelType Sstp -SstpPorts 1000

# Disable PPTP: its MS-CHAPv2 handshake can be cracked offline and the MPPE
# keys derive from it, so it should not be offered at all. Either untick
# "Remote access connections (inbound only)" on WAN Miniport (PPTP) under
# Ports > Properties in the RRAS MMC, or disable the miniport driver and reboot:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PptpMiniport" -Name "Start" -Value 4 -Type DWord
# After the restart nothing should listen on TCP 1723 (the PPTP control channel):
Get-NetTCPConnection -State Listen -LocalPort 1723 -ErrorAction SilentlyContinue

IPv4 forwarding is required for VPN clients to reach internal networks. RRAS enables it itself when VPN access or LAN routing is configured, so treat this as a check and only set it by hand if the value is 0:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" `
  -Name "IPEnableRouter" -Value 1 -Type DWord
# Apply without reboot (all IPv4 interfaces):
Set-NetIPInterface -AddressFamily IPv4 -Forwarding Enabled

Configuring RRAS as a NAT Gateway

When RRAS is used as a NAT gateway, it translates private internal IP addresses to the server’s public IP address for outbound internet connections. First, identify the internet-facing interface name:

Get-NetAdapter | Select-Object Name, InterfaceDescription, LinkSpeed, Status

Configure NAT on the RRAS server via the MMC or PowerShell. In the RRAS MMC, navigate to IPv4 > NAT, right-click and add the internet-facing interface as the “Public” interface with NAT enabled. Add the internal interface as a “Private” interface.

The netsh routing context that scripted RRAS NAT on Windows Server 2003 was removed in Windows Server 2008, so commands such as netsh routing ip nat add interface do not exist on Windows Server 2022; RRAS NAT and its port mappings are configured in the MMC. Assign the interface roles as described above, then confirm both NICs are up and note their names for later:

$PublicInterface = "Ethernet 2"  # Internet-facing NIC
$PrivateInterface = "Ethernet"   # Internal NIC
Get-NetAdapter -Name $PublicInterface, $PrivateInterface | Select-Object Name, Status, MacAddress
Get-NetIPAddress -InterfaceAlias $PrivateInterface -AddressFamily IPv4

For port forwarding (e.g., forward inbound TCP 443 to an internal web server), open the properties of the public NAT interface (IPv4 > NAT > right-click the interface > Properties), go to the Services and Ports tab and add a service with protocol TCP, incoming port 443, private address 192.168.1.20 and outgoing port 443. If you need NAT that is entirely scriptable and do not need RRAS NAT on the host, the separate Windows NAT feature (NetNat module) provides the same mapping; do not enable both on one server:

# WinNAT alternative (not RRAS NAT): NAT the internal subnet and forward TCP 443
New-NetNat -Name "LabNat" -InternalIPInterfaceAddressPrefix "192.168.1.0/24"
Add-NetNatStaticMapping -NatName "LabNat" -Protocol TCP -ExternalIPAddress 0.0.0.0 -ExternalPort 443 -InternalIPAddress 192.168.1.20 -InternalPort 443
Get-NetNatStaticMapping

Internal clients must have their default gateway set to the RRAS server’s internal IP address to use it as a NAT gateway. Alternatively, add a static route on the upstream router pointing internal subnets toward the RRAS server.

Configuring Static Routes

RRAS can route traffic between subnets using static routes or dynamic routing protocols. Add static routes via the RRAS MMC (IPv4 > Static Routes) or via PowerShell/netsh:

# Add a static route: traffic to 10.20.0.0/24 goes via gateway 192.168.1.254
route add 10.20.0.0 mask 255.255.255.0 192.168.1.254 -p

# Or via PowerShell (New-NetRoute)
New-NetRoute -DestinationPrefix "10.20.0.0/24" -NextHop "192.168.1.254" -InterfaceAlias "Ethernet" -RouteMetric 1

# View routing table
Get-NetRoute -AddressFamily IPv4 | Sort-Object RouteMetric | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

For environments requiring dynamic routing, RRAS supports BGP via the RemoteAccess PowerShell module. This is particularly useful in Azure hybrid scenarios. Add BGP routing:

Install-RemoteAccess -VpnType VpnS2S

# Configure the local BGP router
Add-BgpRouter -BgpIdentifier 192.168.1.1 -LocalASN 65001

# Add a BGP peer (e.g., Azure VPN Gateway)
Add-BgpPeer -Name "AzureVPNGW" -PeerIPAddress 10.255.0.1 -PeerASN 65515 -LocalIPAddress 192.168.1.1

# Advertise local networks via BGP
Add-BgpCustomRoute -Network 192.168.0.0/16

RRAS Firewall Rules

When RRAS is configured, it automatically creates Windows Firewall rules for the configured protocols. Verify these rules are active:

Get-NetFirewallRule | Where-Object DisplayName -like "*VPN*" | Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule | Where-Object DisplayName -like "*Remote Access*" | Select-Object DisplayName, Enabled, Direction, Action

The required ports for each VPN protocol, if you need to create the rules yourself (L2TP/IPsec shares UDP 500 and 4500 with IKEv2, so one pair of rules covers both):

# IKEv2 and L2TP/IPsec: IKE (UDP 500) and NAT-T (UDP 4500)
New-NetFirewallRule -DisplayName "RRAS IPsec IKE UDP 500" -Direction Inbound -Protocol UDP -LocalPort 500 -Action Allow
New-NetFirewallRule -DisplayName "RRAS IPsec NAT-T UDP 4500" -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow

# SSTP (firewall-friendly, uses the HTTPS port)
New-NetFirewallRule -DisplayName "RRAS SSTP TCP 443" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# L2TP control channel (normally carried inside the IPsec tunnel)
New-NetFirewallRule -DisplayName "RRAS L2TP UDP 1701" -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow

If RRAS is behind an external firewall (recommended in production), forward these ports to the RRAS server's external interface. IPsec traffic (IKEv2 and L2TP/IPsec) needs UDP 500 plus either ESP (IP protocol 50) when the server has a public address or UDP 4500 (NAT-T) when it sits behind NAT, which is the common case. GRE (IP protocol 47) must be forwarded for PPTP if it is in use, though PPTP should be avoided due to known security weaknesses.
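The firewall rules above only help if they line up with what RRAS actually listens on. The following audit is an added example (not code from the original page): it compares the default ports of each tunnel type with the live TCP/UDP listeners and with the enabled inbound allow rules, and flags PPTP if it is still reachable. It assumes the protocol default ports, matches firewall port filters by exact port or "Any" (ranges are not expanded), and must run in an elevated session on the RRAS server.

```powershell
# Added example: audit RRAS tunnel exposure against the Windows Firewall.
# Assumptions: default ports per tunnel type; port ranges in rules are ignored.
function Get-RrasExposure {
    [CmdletBinding()]
    param()

    # Expected listeners per tunnel type. PPTP (TCP 1723 plus GRE) is marked weak.
    $expected = @(
        [pscustomobject]@{ Tunnel = 'IKEv2';      Protocol = 'UDP'; Port = 500;  Weak = $false }
        [pscustomobject]@{ Tunnel = 'IKEv2';      Protocol = 'UDP'; Port = 4500; Weak = $false }
        [pscustomobject]@{ Tunnel = 'SSTP';       Protocol = 'TCP'; Port = 443;  Weak = $false }
        [pscustomobject]@{ Tunnel = 'L2TP/IPsec'; Protocol = 'UDP'; Port = 1701; Weak = $false }
        [pscustomobject]@{ Tunnel = 'PPTP';       Protocol = 'TCP'; Port = 1723; Weak = $true  }
    )

    # Live listeners, collected once.
    $tcpPorts = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty LocalPort -Unique)
    $udpPorts = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty LocalPort -Unique)

    # Port filters of every enabled inbound allow rule, collected once.
    $allowFilters = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
                      Get-NetFirewallPortFilter -ErrorAction SilentlyContinue)

    foreach ($e in $expected) {
        $listening = if ($e.Protocol -eq 'TCP') { $tcpPorts -contains $e.Port } else { $udpPorts -contains $e.Port }

        # A rule counts if it matches the protocol and names this port (or Any).
        $allowed = [bool]($allowFilters | Where-Object {
            $_.Protocol -eq $e.Protocol -and
            ($_.LocalPort -contains 'Any' -or $_.LocalPort -contains "$($e.Port)")
        })

        $finding = if ($listening -and $e.Weak) { 'Weak tunnel type reachable: disable it' }
                   elseif ($listening -and -not $allowed) { 'Listening but no inbound allow rule: clients cannot connect' }
                   elseif ($allowed -and -not $listening) { 'Firewall opens a port nothing listens on: remove the rule' }
                   elseif ($listening) { 'OK' }
                   else { 'Not offered' }

        [pscustomobject]@{
            Tunnel          = $e.Tunnel
            Protocol        = $e.Protocol
            Port            = $e.Port
            Listening       = $listening
            FirewallAllowed = $allowed
            Finding         = $finding
        }
    }
}

Get-RrasExposure | Format-Table -AutoSize
```

Run it after every change to the port pools or firewall; a "Firewall opens a port nothing listens on" row is the usual leftover after PPTP or L2TP is retired, and a "Weak tunnel type reachable" row means the PPTP miniport is still active despite the intent to disable it.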

Integrating RRAS with NPS for RADIUS Authentication

Windows authentication on RRAS (credentials checked against the local SAM or, on a domain member, Active Directory) is only appropriate for small deployments or testing. Production environments should use RADIUS via NPS for centralized authentication, authorization, and accounting. Register NPS as the RADIUS server for both authentication and accounting (the shared secret below is a placeholder; use a long random value and rotate it with Set-RemoteAccessRadius):

Add-RemoteAccessRadius `
  -ServerName "nps01.contoso.com" `
  -SharedSecret "R@diusSecret!2024" `
  -Purpose Both `
  -Score 10 `
  -AccountingOnOffMsg Enabled `
  -ComputerName "RRAS01"

# Add a secondary RADIUS server for redundancy (lower score = tried after nps01)
Add-RemoteAccessRadius `
  -ServerName "nps02.contoso.com" `
  -SharedSecret "R@diusSecret!2024" `
  -Purpose Both `
  -Score 5 `
  -ComputerName "RRAS01"

# Rotate the secret on an existing entry
Set-RemoteAccessRadius -ServerName "nps01.contoso.com" -Purpose Both -SharedSecret "<new secret>"

View currently configured RADIUS servers:

Get-RemoteAccessRadius | Select-Object ServerName, Purpose, Score

On the NPS server, register it in Active Directory (so it can read users' dial-in properties), add the RRAS server as a RADIUS client with the same shared secret, and create a network policy granting VPN access to an authorized group. The policy's authentication methods must match what RRAS offers: prefer EAP-TLS (certificate-based), and allow MS-CHAPv2 for password-based authentication only inside a tunnel that protects it (IKEv2 or SSTP), never over PPTP.

Monitoring Active RRAS Connections

View currently connected VPN clients:

Get-RemoteAccessConnectionStatistics | Format-Table -AutoSize

# Or via netsh:
netsh ras show activeconn

# Detailed info including tunnel type, addresses, auth method and uptime
# (run Get-RemoteAccessConnectionStatistics | Get-Member to list every property):
Get-RemoteAccessConnectionStatistics |
  Select-Object UserName, ClientIPAddress, ClientExternalAddress, TunnelType, AuthMethod, ConnectionDuration, TotalBytesIn, TotalBytesOut |
  Format-Table -AutoSize

Disconnect a specific user (for security incidents or maintenance):

Disconnect-VpnUser -UserName "DOMAIN\john.smith"

View cumulative connection statistics and bandwidth usage:

Get-RemoteAccessConnectionStatisticsSummary | Format-List
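Listing sessions is only useful if someone reads the list. The review below is an added example, not code from the original page: it scans the session table for the conditions an analyst cares about (sessions on weak tunnel types, sessions far longer than a working day, one account with concurrent sessions from different external addresses). The property names UserName, ClientExternalAddress, TunnelType and ConnectionDuration are assumed to match Get-RemoteAccessConnectionStatistics output; confirm them with Get-Member before trusting the live results. The sample sessions at the end are constructed so the function can be tried offline.

```powershell
# Added example: flag anomalous RRAS sessions. Property names are assumptions;
# verify against Get-RemoteAccessConnectionStatistics | Get-Member.
function Find-RrasSessionAnomalies {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Connections,
        [string[]] $WeakTunnelTypes = @('Pptp', 'L2tp'),
        [double]   $MaxSessionHours = 12
    )

    # ConnectionDuration is a TimeSpan in the sample; tolerate a plain number of seconds too.
    function Get-Hours($d) {
        if ($d -is [timespan]) { return $d.TotalHours }
        return ([double]$d) / 3600
    }

    foreach ($c in $Connections) {
        if ($WeakTunnelTypes -contains $c.TunnelType) {
            [pscustomobject]@{ Severity = 'High'; User = $c.UserName
                               Detail = "Session over $($c.TunnelType) from $($c.ClientExternalAddress)" }
        }
        $hours = Get-Hours $c.ConnectionDuration
        if ($hours -gt $MaxSessionHours) {
            [pscustomobject]@{ Severity = 'Medium'; User = $c.UserName
                               Detail = "Session up for $([math]::Round($hours, 1)) h from $($c.ClientExternalAddress)" }
        }
    }

    # One account holding sessions from more than one external address at once.
    $Connections | Group-Object UserName | ForEach-Object {
        $addrs = @($_.Group.ClientExternalAddress | Sort-Object -Unique)
        if ($addrs.Count -gt 1) {
            [pscustomobject]@{ Severity = 'High'; User = $_.Name
                               Detail = "Concurrent sessions from $($addrs -join ', ')" }
        }
    }
}

# Constructed sample sessions (not real data) for an offline dry run.
$sample = @(
    [pscustomobject]@{ UserName = 'CONTOSO\jsmith';     ClientExternalAddress = '203.0.113.45'; TunnelType = 'Ikev2'; ConnectionDuration = [timespan]::FromHours(2) }
    [pscustomobject]@{ UserName = 'CONTOSO\jsmith';     ClientExternalAddress = '198.51.100.7'; TunnelType = 'Sstp';  ConnectionDuration = [timespan]::FromMinutes(15) }
    [pscustomobject]@{ UserName = 'CONTOSO\svc-backup'; ClientExternalAddress = '192.0.2.10';   TunnelType = 'Pptp';  ConnectionDuration = [timespan]::FromHours(40) }
    [pscustomobject]@{ UserName = 'CONTOSO\alee';       ClientExternalAddress = '203.0.113.9';  TunnelType = 'Ikev2'; ConnectionDuration = [timespan]::FromHours(1) }
)
Find-RrasSessionAnomalies -Connections $sample | Format-Table -AutoSize

# Against the live server:
# Find-RrasSessionAnomalies -Connections (Get-RemoteAccessConnectionStatistics)
```

On the sample the function reports jsmith for concurrent sessions from two addresses and svc-backup twice (PPTP, and a 40-hour session). Any High finding is a candidate for Disconnect-VpnUser followed by a look at the account.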

Monitor RRAS with Performance Monitor by adding RRAS-specific counters:

# Performance counters available under the "RAS Total" and "RAS Port" objects:
#   \RAS Total\Total Connections
#   \RAS Total\Total Errors
#   \RAS Port(*)\Bytes Received/Sec   (per-port granularity)
Get-Counter -Counter "\RAS Total\Total Connections" -Continuous

RRAS Logging Configuration

RRAS writes connection events to the System event log and can keep its own accounting store. The event logging level (errors only, errors and warnings, all events, or none) is set in the RRAS MMC under the server's Properties > Logging tab; there is no RemoteAccess cmdlet for it. The same tab has the checkbox that turns on the detailed tracing described below.

Enable accounting so that every connection start and stop is recorded. Inbox accounting stores the records locally in the Windows Internal Database; with a RADIUS server registered for the Accounting (or Both) purpose, as above, RRAS also sends the start/stop records to NPS:

Set-RemoteAccessAccounting -EnableAccountingType Inbox
Set-RemoteAccessAccounting -EnableAccountingType ExternalRadius -RadiusServer "nps01.contoso.com" -SharedSecret "R@diusSecret!2024" -AccountingOnOffMsg Enabled
Get-RemoteAccessAccounting

View RRAS events in the System event log. The RemoteAccess provider logs event 20271 for each failed authentication (user name and client address in the message) and 20272 with a summary of each finished session (duration, bytes sent and received, disconnect reason):

Get-WinEvent -LogName System | Where-Object { $_.ProviderName -like "*RemoteAccess*" -or $_.ProviderName -like "*RasMan*" } | Select-Object -First 30 TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
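Event 20271 is the raw material for spotting password spraying and brute force against the VPN. The detection below is an added example, not code from the original page: it parses the "The user <name> connected from <address> but failed an authentication attempt" message, groups failures by client address, and reports any address with at least a threshold of failures inside a sliding time window, together with how many distinct accounts were tried (many accounts from one address is the spraying signature). The thresholds are assumptions to tune per environment, and the sample events at the end are constructed, not real log data.

```powershell
# Added example: detect bursts of RRAS authentication failures (event 20271).
# Threshold and window are assumptions; tune them for your user population.
function Find-RrasAuthFailureBursts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, TimeCreated, Message
        [int] $Threshold     = 10,
        [int] $WindowMinutes = 10
    )

    $pattern = 'The user (?<user>\S+) connected from (?<ip>[0-9A-Fa-f.:]+) but failed an authentication attempt'
    $byIp = @{}

    foreach ($ev in $Events) {
        if ($ev.Id -ne 20271) { continue }
        $m = [regex]::Match([string]$ev.Message, $pattern)
        if (-not $m.Success) { continue }
        $ip = $m.Groups['ip'].Value
        if (-not $byIp.ContainsKey($ip)) { $byIp[$ip] = [System.Collections.Generic.List[object]]::new() }
        $byIp[$ip].Add([pscustomobject]@{ Time = [datetime]$ev.TimeCreated; User = $m.Groups['user'].Value })
    }

    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($ip in $byIp.Keys) {
        $hits  = @($byIp[$ip] | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $hits.Count; $end++) {
            # Slide the window start forward until it spans at most $WindowMinutes.
            while (($hits[$end].Time - $hits[$start].Time) -gt $window) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $users   = @($hits.User | Sort-Object -Unique)
                $verdict = if ($users.Count -ge [math]::Max(3, $Threshold / 2)) { 'Password spraying' } else { 'Brute force / lockout risk' }
                [pscustomobject]@{
                    ClientIP      = $ip
                    Failures      = $hits.Count
                    DistinctUsers = $users.Count
                    FirstSeen     = $hits[0].Time
                    LastSeen      = $hits[-1].Time
                    Verdict       = $verdict
                }
                break   # one report per address
            }
        }
    }
}

# Constructed sample events (not real log data): 12 failures across 12 accounts
# from one address within six minutes, plus two ordinary typos from another.
$t0 = Get-Date '2024-05-01T09:00:00'
$reason = 'The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.'
$sample = @()
for ($i = 0; $i -lt 12; $i++) {
    $sample += [pscustomobject]@{ Id = 20271; TimeCreated = $t0.AddSeconds(30 * $i)
        Message = "The user CONTOSO\user$i connected from 203.0.113.45 but failed an authentication attempt due to the following reason: $reason" }
}
$sample += [pscustomobject]@{ Id = 20271; TimeCreated = $t0.AddMinutes(3); Message = "The user CONTOSO\alee connected from 198.51.100.7 but failed an authentication attempt due to the following reason: $reason" }
$sample += [pscustomobject]@{ Id = 20271; TimeCreated = $t0.AddMinutes(4); Message = "The user CONTOSO\alee connected from 198.51.100.7 but failed an authentication attempt due to the following reason: $reason" }

Find-RrasAuthFailureBursts -Events $sample | Format-Table -AutoSize

# Against the live log (last 24 hours):
# Find-RrasAuthFailureBursts -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20271; StartTime = (Get-Date).AddDays(-1) })
```

On the sample only 203.0.113.45 is reported (12 failures, 12 distinct users, verdict "Password spraying"); the two failures from 198.51.100.7 stay below the threshold. When NPS performs the authentication, the same attempts also appear on the NPS server as Security log event 6273, which carries the client address and the reason code.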

Enable detailed RRAS tracing for troubleshooting connection failures:

netsh ras set tracing * enabled
# Reproduce the failing connection, then turn tracing off: the logs are verbose
# and contain user names and client addresses, so do not leave tracing running.
netsh ras set tracing * disabled
# Trace files appear in C:\Windows\tracing. Key files:
#   C:\Windows\tracing\RASMAN.LOG  - RAS connection manager
#   C:\Windows\tracing\IASHLPR.LOG - RADIUS/NPS helper (authentication hand-off)
#   C:\Windows\tracing\PPP.LOG     - PPP negotiation (SSTP, L2TP, PPTP)
#   C:\Windows\tracing\RASTLS.LOG  - EAP-TLS certificate authentication

RRAS Performance Tuning

For high-volume RRAS deployments handling hundreds or thousands of simultaneous VPN connections, consider these performance optimizations:

Increase the number of ports for the tunnel types you offer (each defaults to 128; Windows Server 2022 Standard and Datacenter do not limit the number of VPN connections):

Set-VpnServerConfiguration -TunnelType Ikev2 -Ikev2Ports 5000
Set-VpnServerConfiguration -TunnelType Sstp -SstpPorts 5000

For IKEv2, replace the default negotiable set with an explicit IPsec policy: AES-256-GCM for the ESP cipher (GCM supplies its own integrity, so the authentication transform is the same GCM constant), SHA-256 for IKE integrity, DH group 14 (2048-bit MODP) for key exchange and the matching PFS group. This both rejects weak proposals from clients (3DES, DH group 2) and avoids per-packet HMAC overhead. Windows clients default to weaker IKEv2 proposals, so after tightening the server configure matching settings on the clients with Set-VpnConnectionIPsecConfiguration (or the CryptographySuite element of an Always On VPN profile), otherwise they will fail to connect:

# Configure the IKEv2 IPsec policy; the RRAS service must be restarted for it to apply
Set-VpnServerIPsecConfiguration -CustomPolicy `
  -EncryptionMethod AES256 -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
  -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048
Restart-Service RemoteAccess
Get-VpnServerIPsecConfiguration

For high-throughput scenarios, ensure the RRAS server’s RSS (Receive Side Scaling) is enabled on the network adapters to distribute network interrupt processing across multiple CPU cores:

Get-NetAdapterRss | Select-Object Name, Enabled, NumberOfReceiveQueues
Set-NetAdapterRss -Name "Ethernet" -Enabled $true -NumberOfReceiveQueues 8

Monitor CPU and memory usage during peak load. RRAS is CPU-intensive for IKEv2/IPsec due to encryption. For very large deployments, consider offloading IPsec to NICs that support hardware IPsec offload, or deploy multiple RRAS servers behind a Network Load Balancer (NLB) for horizontal scaling. With proper hardware sizing, logging, and monitoring, RRAS on Windows Server 2022 provides a capable, cost-effective VPN and routing platform for enterprise environments of all sizes.