Introduction to VPN Server on Windows Server 2019
A Virtual Private Network server allows remote users and branch offices to establish encrypted tunnels over the public internet to access internal corporate resources securely. Windows Server 2019 includes built-in VPN server capabilities through the Routing and Remote Access Service (RRAS) and supports multiple modern protocols including IKEv2, SSTP, L2TP/IPsec, and PPTP. For modern enterprise deployments, IKEv2 is recommended due to its support for mobility and multihoming (MOBIKE), which allows VPN connections to survive network changes such as switching from Wi-Fi to cellular. SSTP is excellent for environments where only TCP 443 is permitted outbound through firewalls.
Planning Your VPN Architecture
Before deploying a VPN server, plan the architecture carefully. Determine whether you need a remote access VPN for individual clients or a site-to-site VPN for connecting offices. Choose the VPN protocol based on your client operating systems and firewall constraints. Decide on the authentication method: certificates for IKEv2, a pre-shared key for L2TP/IPsec, or username and password via NPS. Plan the IP address pool or DHCP scope for VPN clients. Ensure the VPN server has a public IP address and that your external firewall forwards the necessary ports to the server. Document the internal subnets that should be accessible via VPN for split tunneling configuration.
Installing Required Roles and Features
Install the Remote Access role with VPN support using PowerShell:
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
Install-WindowsFeature NPAS -IncludeManagementTools
Verify the installation completed:
Get-WindowsFeature DirectAccess-VPN, Routing, NPAS | Select-Object Name, InstallState
Obtaining an SSL Certificate for SSTP
If using SSTP, the VPN server requires a machine certificate whose Subject or Subject Alternative Name matches the DNS name clients use to connect and that carries the Server Authentication enhanced key usage. Request it from an internal CA or a public CA. For a lab, a self-signed certificate in the machine store is enough (clients must then trust it explicitly):
$dnsName = "vpn.contoso.com"
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My -KeyUsage DigitalSignature, KeyEncipherment -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(2)
Write-Host "Thumbprint: $($cert.Thumbprint)"
For a production certificate from an internal CA, describe the request in VPNRequest.inf and submit it with certreq:
certreq -new VPNRequest.inf VPNRequest.req
certreq -submit -attrib "CertificateTemplate:WebServer" VPNRequest.req VPNCert.cer
certreq -accept VPNCert.cer
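The certreq steps above need a request file that the page does not show. As an added example (not from the original article), this script writes a VPNRequest.inf for the SSTP certificate, runs the same three certreq commands, and confirms the result; it assumes vpn.contoso.com as the public name, a CA template named WebServer, and C:\Temp as scratch space.

```powershell
# Added example, not from the original page: build VPNRequest.inf, request the
# certificate through certreq, and confirm it landed in the machine store.
# Assumptions: vpn.contoso.com, an enterprise CA template named WebServer, C:\Temp.
$dnsName  = 'vpn.contoso.com'
$workDir  = 'C:\Temp'
$infPath  = Join-Path $workDir 'VPNRequest.inf'
$reqPath  = Join-Path $workDir 'VPNRequest.req'
$certPath = Join-Path $workDir 'VPNCert.cer'

# Subject CN and SAN both carry the name clients connect to, because SSTP
# clients validate it. KeyUsage 0xA0 = DigitalSignature + KeyEncipherment;
# the EKU OID is Server Authentication. '@@DNS@@' is substituted below.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=@@DNS@@"
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=@@DNS@@"

[RequestAttributes]
CertificateTemplate = WebServer
'@ -replace '@@DNS@@', $dnsName

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding Ascii

certreq -new $infPath $reqPath
certreq -submit -attrib "CertificateTemplate:WebServer" $reqPath $certPath
certreq -accept $certPath

# The issued certificate must sit in the machine store with its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter
```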
Configuring RRAS as a VPN Server
Open the Routing and Remote Access console from Server Manager Tools. Right-click your server and select Configure and Enable Routing and Remote Access. Choose Custom configuration in the wizard, select VPN access, and click Finish. Start the service when prompted. Alternatively, configure via PowerShell:
Install-RemoteAccess -VpnType Vpn
After installation via PowerShell, enable the tunnel types and set a custom IPsec policy for IKEv2 and L2TP. -CustomPolicy is a switch (it takes no $true argument), and a GCM cipher transform must be paired with the matching GCM authentication transform:
Set-VpnServerConfiguration -TunnelType Ikev2, Sstp, L2tp -PassThru
Set-VpnServerIPsecConfiguration -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 -PassThru
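As an added check that is not part of the original article, the following function reads the effective configuration back with Get-VpnServerConfiguration and reports deviations from the hardened settings configured above. The property names are the ones the cmdlet returns; the accepted-value lists are this example's own baseline.

```powershell
# Added example, not from the original page: audit the effective RRAS settings
# and report anything that falls below the baseline chosen here.
function Test-VpnServerHardening {
    $cfg = Get-VpnServerConfiguration
    $findings = New-Object System.Collections.Generic.List[string]

    # PPTP offers no modern protection; it should not be enabled beside IKEv2/SSTP.
    if ($cfg.TunnelType -contains 'Pptp') {
        $findings.Add('PPTP tunnel type is enabled')
    }
    # Without a custom policy RRAS negotiates its built-in IPsec defaults.
    if (-not $cfg.CustomPolicy) {
        $findings.Add('IPsec policy is the built-in default (no custom policy)')
    }
    if ($cfg.DHGroup -notin @('Group14', 'Group24', 'ECP256', 'ECP384')) {
        $findings.Add("IKE DH group is $($cfg.DHGroup); expected Group14 or stronger")
    }
    if ($cfg.PfsGroup -notin @('PFS2048', 'PFS24', 'ECP256', 'ECP384')) {
        $findings.Add("PFS group is $($cfg.PfsGroup); expected PFS2048 or stronger")
    }
    if ($cfg.IntegrityCheckMethod -notin @('SHA256', 'SHA384')) {
        $findings.Add("IKE integrity is $($cfg.IntegrityCheckMethod); expected SHA-2")
    }
    if ($cfg.EncryptionMethod -notin @('AES128', 'AES192', 'AES256')) {
        $findings.Add("IKE encryption is $($cfg.EncryptionMethod); expected AES")
    }
    # ESP transforms: GCM must be selected for both cipher and authentication;
    # a GCM cipher with an HMAC integrity transform is not a valid pair.
    $c = [string]$cfg.CipherTransformConstants
    $a = [string]$cfg.AuthenticationTransformConstants
    if (($c -like 'GCM*') -xor ($a -like 'GCM*')) {
        $findings.Add("ESP transforms are mismatched: cipher=$c auth=$a")
    }
    if ($c -in @('DES', 'DES3', 'None')) {
        $findings.Add("ESP cipher is $c; expected AES or GCM")
    }

    if ($findings.Count -eq 0) {
        'No findings: VPN server configuration meets the baseline'
    } else {
        $findings
    }
}

Test-VpnServerHardening
```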
Configuring the IP Address Pool
VPN clients require IP addresses when connected. Configure a static address pool dedicated to VPN clients. In the RRAS console, right-click the server and select Properties, then the IPv4 tab. Select Static address pool and click Add. Specify the start and end IP addresses in a range that does not conflict with your DHCP scopes or other statically assigned addresses:
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.200.100 to=192.168.200.200
Verify the pool:
netsh ras ip show config
Configuring IKEv2 VPN
IKEv2 is the recommended protocol for Windows clients. It requires a machine certificate on the server and, when certificate-based authentication is used, on each client as well. Configure the IKEv2 settings on the server:
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -PassThru
Set-VpnServerIPsecConfiguration -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 -PfsGroup PFS2048 -PassThru
On the client machine, create the IKEv2 VPN connection:
Add-VpnConnection -Name "Corp VPN" -ServerAddress "vpn.contoso.com" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling:$false -RememberCredential -PassThru
Configuring L2TP/IPsec with Pre-Shared Key
For environments where certificate infrastructure is not available, L2TP/IPsec with a pre-shared key provides reasonable security. Configure the pre-shared key in the RRAS console by right-clicking the server, selecting Properties, and entering the pre-shared key on the Security tab. Using PowerShell (the -L2tpPsk parameter takes a plain string, not a SecureString; replace the sample value with a long random key):
$psk = "YourStrongPreSharedKey123!"
Set-VpnServerConfiguration -L2tpPsk $psk -PassThru
On the client, create an L2TP connection using the same pre-shared key:
Add-VpnConnection -Name "Corp L2TP VPN" -ServerAddress "vpn.contoso.com" -TunnelType L2tp -AuthenticationMethod MSChapv2 -L2tpPsk "YourStrongPreSharedKey123!" -EncryptionLevel Required -RememberCredential -PassThru
Configuring Network Policy Server for VPN Authentication
NPS acts as the RADIUS server that authenticates VPN clients. Register the NPS server in Active Directory (this adds the computer to the RAS and IAS Servers group so NPS can read account dial-in properties), then verify the membership:
netsh nps add registeredserver
Get-ADGroupMember -Identity "RAS and IAS Servers" | Select-Object Name
Create a RADIUS client entry for the RRAS server in NPS: open the NPS console, expand RADIUS Clients and Servers, right-click RADIUS Clients, select New, and provide the RRAS server’s IP address and a shared secret. The same entry can be created with the NPS module (replace the address and secret with your own); the secret must match the one entered on the RRAS side under Properties > Security > Authentication provider > RADIUS Authentication:
New-NpsRadiusClient -Name "RRAS01" -Address "192.168.1.10" -SharedSecret "ReplaceWithLongRandomSecret"
Then create a Network Policy allowing VPN connections for members of the VPN Users group: under Policies > Network Policies choose New, add the conditions NAS Port Type = Virtual (VPN) and Windows Groups = CONTOSO\VPN-Users, grant access, and select MS-CHAPv2 (or EAP) as the authentication method. The NPS PowerShell module has no cmdlet for network policies, so use the console or netsh nps add np.
Configuring Windows Firewall for VPN
Open the required ports in Windows Firewall on the VPN server. IKEv2 uses UDP 500 and UDP 4500. SSTP uses TCP 443. L2TP uses UDP 1701, UDP 500, and UDP 4500. PPTP uses TCP 1723:
New-NetFirewallRule -DisplayName "IKEv2 VPN UDP 500" -Direction Inbound -Protocol UDP -LocalPort 500 -Action Allow
New-NetFirewallRule -DisplayName "IKEv2 VPN UDP 4500" -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName "SSTP VPN TCP 443" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName "L2TP UDP 1701" -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow
Configuring Split Tunneling
Split tunneling directs only corporate-destined traffic through the VPN while internet traffic goes directly out the client’s local connection, reducing VPN server bandwidth load. Configure split tunneling for a client VPN connection and add routes for internal subnets:
Set-VpnConnection -Name "Corp VPN" -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName "Corp VPN" -DestinationPrefix "10.0.0.0/8"
Add-VpnConnectionRoute -ConnectionName "Corp VPN" -DestinationPrefix "172.16.0.0/12"
Add-VpnConnectionRoute -ConnectionName "Corp VPN" -DestinationPrefix "192.168.0.0/16"
Testing and Monitoring VPN Connections
Test the VPN connection from a client and verify connectivity to internal resources. On the server, list active connections and per-connection statistics:
Get-RemoteAccessConnectionStatistics
netsh ras show client
On the client, check the state of the configured profiles (Get-VpnConnection lists client-side profiles, not server-side sessions):
Get-VpnConnection -AllUserConnection
Check VPN client connection details and diagnose authentication failures in Event Viewer under Windows Logs > Security, filtering for event IDs 6272 (Network Policy Server granted access to a user) and 6273 (Network Policy Server denied access to a user). For IKEv2 troubleshooting, dump the current diagnostics state and enable component tracing; trace files are written to %windir%\tracing:
netsh ras diagnostics show all
netsh ras set tracing component=ikeext state=enabled
netsh ras set tracing component=rasman state=enabled
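The Security-log events named above can be summarized rather than read one by one. As an added example that is not part of the original article, this function pulls the 6272/6273 events, flattens their EventData, and surfaces sources with many denials across several accounts; the field names follow the NPS event schema, and the failure threshold is this example's own choice.

```powershell
# Added example, not from the original page: summarize NPS results from the
# Security log (6272 granted, 6273 denied) and flag sources with many denials.
function Get-NpsAuthSummary {
    param([int]$Hours = 24, [int]$FailureThreshold = 10)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Flatten each event's EventData into a row that can be grouped on.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $result = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = $result
            User   = $d['FullyQualifiedSubjectUserName']
            Source = $d['CallingStationID']     # client address as seen by RRAS
            Policy = $d['NetworkPolicyName']
            Reason = $d['Reason']
        }
    }

    # Many denials from one source across several accounts is the pattern of a
    # credential-guessing attempt against the VPN; surface it for triage.
    $suspect = $rows | Where-Object Result -eq 'Denied' |
        Group-Object Source |
        Where-Object Count -ge $FailureThreshold |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = @($_.Group.User | Sort-Object -Unique).Count
                Reasons  = @($_.Group.Reason | Sort-Object -Unique) -join '; '
            }
        }

    [pscustomobject]@{
        Granted    = @($rows | Where-Object Result -eq 'Granted').Count
        Denied     = @($rows | Where-Object Result -eq 'Denied').Count
        Suspicious = $suspect
    }
}

Get-NpsAuthSummary -Hours 24 | Format-List
```

Run it in an elevated session on the NPS server, since reading the Security log requires administrative rights.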
A properly configured VPN server on Windows Server 2019 provides a secure, scalable remote access solution that integrates with Active Directory for authentication and NPS for granular access control policies.