How to Install and Configure RRAS on Windows Server 2012 R2
Routing and Remote Access Service (RRAS) is a comprehensive Windows Server feature that provides a wide range of network services including VPN server, dial-up remote access, network address translation (NAT), demand-dial routing, and multi-protocol LAN-to-LAN and LAN-to-WAN routing. On Windows Server 2012 R2, RRAS has been significantly enhanced with improved performance, support for modern protocols, and better integration with DirectAccess. This guide covers the complete installation and configuration of RRAS, including remote access VPN, NAT, and basic routing capabilities.
Prerequisites
You need Windows Server 2012 R2 with at least two network adapters for most RRAS scenarios: one connected to the internet (or external network) and one connected to the internal LAN. Administrative rights are required. For VPN scenarios, an appropriate authentication infrastructure (Active Directory with NPS, or local accounts) must be in place. For NAT configurations, the external network adapter should have a public IP or access to the internet. Domain membership is recommended but not required for all RRAS functions.
Step 1: Install RRAS Role Services
Install RRAS along with the required role services using PowerShell:
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
To include NPS for VPN authentication:
Install-WindowsFeature NPAS -IncludeManagementTools
Verify the installation:
Get-WindowsFeature RemoteAccess, Routing, DirectAccess-VPN, NPAS | Select-Object Name, InstallState
Step 2: Configure Network Adapters
Properly label your network adapters to avoid confusion during configuration:
Rename-NetAdapter -Name "Ethernet" -NewName "External_WAN"
Rename-NetAdapter -Name "Ethernet 2" -NewName "Internal_LAN"
# Configure the external adapter (public IP or DHCP from ISP)
New-NetIPAddress -InterfaceAlias "External_WAN" -IPAddress "203.0.113.50" -PrefixLength 24 -DefaultGateway "203.0.113.1"
Set-DnsClientServerAddress -InterfaceAlias "External_WAN" -ServerAddresses "8.8.8.8"
# Configure the internal adapter
New-NetIPAddress -InterfaceAlias "Internal_LAN" -IPAddress "192.168.1.1" -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Internal_LAN" -ServerAddresses "192.168.1.10"
Step 3: Enable and Configure RRAS
RRAS is installed but not enabled by default. Use PowerShell to configure it for VPN and NAT:
Install-RemoteAccess -VpnType VPN
Alternatively, launch the RRAS Setup Wizard from the console:
mmc.exe
Add the Routing and Remote Access snap-in, right-click the server name, and select Configure and Enable Routing and Remote Access. Choose the appropriate configuration (NAT, VPN, or custom). After configuration, start RRAS:
Start-Service RemoteAccess
Set-Service RemoteAccess -StartupType Automatic
Step 4: Configure RRAS for Network Address Translation (NAT)
To configure NAT to share an internet connection with internal clients:
netsh routing ip nat install
netsh routing ip nat add interface "External_WAN" full
netsh routing ip nat add interface "Internal_LAN" private
Add a static address pool for NAT (public IPs to translate to), if applicable:
netsh routing ip nat add addressrange name="External_WAN" startaddress=203.0.113.50 endaddress=203.0.113.50 mask=255.255.255.0
Step 5: Configure VPN Protocols
RRAS supports PPTP, L2TP/IPsec, SSTP, and IKEv2. Configure which protocols are enabled and set the number of ports:
# Require encryption on IKEv2 tunnels
Set-VpnServerConfiguration -TunnelType Ikev2 -EncryptionType RequireEncryption
# Configure RRAS ports via registry (set max ports per protocol)
# PPTP: HKLM:\SYSTEM\CurrentControlSet\Services\RasPPPoE
# L2TP: HKLM:\SYSTEM\CurrentControlSet\Services\RasL2tp
Configure L2TP with a pre-shared key for environments without certificate infrastructure:
Set-VpnAuthProtocol -L2tpPsk "SharedKeyForL2TP"
Step 6: Configure RRAS Authentication
Configure the authentication provider for RRAS. Using Windows Authentication (local accounts or AD):
netsh ras set authenticationprovider windows
Using RADIUS (NPS server) for centralized authentication:
netsh ras set authenticationprovider radius
netsh ras add authenticationserver primaryserver="192.168.1.20" score=10 secret="RadiusSecret123" timeout=5 port=1812
Step 7: Configure Logging
Enable RRAS logging to track connections and troubleshoot issues:
netsh ras set tracing * enabled
netsh ras diagnostics set rastracing enabled
Configure RADIUS accounting for connection logging:
netsh ras set accountingprovider radius
netsh ras add accountingserver server="192.168.1.20" score=10 secret="RadiusSecret123" port=1813
Step 8: Configure Static Routes
Add static routes to direct traffic to specific networks through RRAS:
netsh routing ip add persistentroute dest=10.10.0.0 mask=255.255.0.0 name="Internal_LAN" nhop=192.168.1.254
# View routing table
route print
Enable IP routing in the registry (required if not already enabled during RRAS setup):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter" -Value 1
Step 9: Configure RRAS Firewall Rules
Open only the firewall ports required by the VPN protocols in use:
# Enable the RRAS firewall rule group
netsh advfirewall firewall set rule group="Routing and Remote Access" new enable=yes
# PPTP (TCP 1723 + GRE protocol 47)
New-NetFirewallRule -DisplayName "PPTP VPN" -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Allow
New-NetFirewallRule -DisplayName "PPTP GRE" -Direction Inbound -Protocol 47 -Action Allow
# L2TP/IPsec (UDP 500, 4500, 1701)
New-NetFirewallRule -DisplayName "L2TP IPsec IKE" -Direction Inbound -Protocol UDP -LocalPort 500 -Action Allow
New-NetFirewallRule -DisplayName "L2TP IPsec NAT-T" -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName "L2TP" -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow
# IKEv2 (UDP 500, 4500)
New-NetFirewallRule -DisplayName "IKEv2 VPN" -Direction Inbound -Protocol UDP -LocalPort 500,4500 -Action Allow
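The rules above open ports for every protocol, so it is worth checking which of them the server actually needs. The following audit is an added example, not part of the original guide: the function names are hypothetical, the SSTP port (TCP 443) is not listed on this page, and the sample rules are constructed to mirror Step 9.

```powershell
# Added example, not from the original page.
# Ports per protocol as listed in Step 9; SSTP's TCP 443 is not on the page.
$VpnPorts = @{
    PPTP  = @('TCP/1723', '47/Any')      # GRE is IP protocol 47 and has no port
    L2TP  = @('UDP/500', 'UDP/4500', 'UDP/1701')
    IKEv2 = @('UDP/500', 'UDP/4500')
    SSTP  = @('TCP/443')
}

function Find-VpnPortRule {
    # $Rules: objects with Name, Protocol, LocalPort, InterfaceAlias.
    # $Intended: the protocols this server is meant to offer.
    param([object[]]$Rules, [string[]]$Intended)

    $needed = $Intended | ForEach-Object { $VpnPorts[$_] } | Select-Object -Unique
    $known  = $VpnPorts.Values | ForEach-Object { $_ } | Select-Object -Unique
    foreach ($r in $Rules) {
        foreach ($port in @($r.LocalPort)) {
            $key = '{0}/{1}' -f $r.Protocol, $port
            if ($known -notcontains $key) { continue }   # not a VPN port
            [pscustomobject]@{
                Rule       = $r.Name
                Opens      = $key
                Needed     = $needed -contains $key
                AnyAdapter = $r.InterfaceAlias -eq 'Any'
            }
        }
    }
}

function Get-InboundAllowRule {
    # Flatten the live firewall into the shape Find-VpnPortRule expects.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf  = $_ | Get-NetFirewallPortFilter
        $nic = $_ | Get-NetFirewallInterfaceFilter
        [pscustomobject]@{ Name = $_.DisplayName; Protocol = $pf.Protocol
                           LocalPort = $pf.LocalPort; InterfaceAlias = $nic.InterfaceAlias }
    }
}

# Constructed sample mirroring three Step 9 rules; the server should offer IKEv2 only.
$sample = @(
    [pscustomobject]@{ Name = 'PPTP VPN';  Protocol = 'TCP'; LocalPort = '1723'; InterfaceAlias = 'Any' }
    [pscustomobject]@{ Name = 'PPTP GRE';  Protocol = '47';  LocalPort = 'Any';  InterfaceAlias = 'Any' }
    [pscustomobject]@{ Name = 'IKEv2 VPN'; Protocol = 'UDP'; LocalPort = @('500', '4500'); InterfaceAlias = 'Any' }
)
Find-VpnPortRule -Rules $sample -Intended 'IKEv2' | Format-Table -AutoSize
# Live check on the server:
# Find-VpnPortRule -Rules (Get-InboundAllowRule) -Intended 'IKEv2' | Where-Object { -not $_.Needed }
```

Rows with Needed = False are candidates for removal, and rows with AnyAdapter = True accept traffic on Internal_LAN as well as External_WAN.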
Step 10: Verify RRAS Operation
Verify RRAS is running and configured correctly:
Get-Service RemoteAccess | Select-Object Status, StartType
netsh ras show activeservers
Get-RemoteAccessConnectionStatistics
netsh ras show config
Monitor the RRAS event logs for errors:
Get-EventLog -LogName System -Source "RemoteAccess" -Newest 30 | Format-Table TimeGenerated, EntryType, Message -AutoSize
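To turn the event log review above into a repeatable check, failed logons can be grouped by source address. This is an added example, not part of the original guide: the function name is hypothetical, the sample messages are constructed, and the event ID (20271) and message wording are assumptions to confirm against your own server's log.

```powershell
# Added example. Assumptions to verify on your server: failed VPN logons are
# System-log events from source RemoteAccess with ID 20271, and their message
# text matches $pattern below.
$pattern = 'The user (?<user>\S+) connected from (?<ip>\S+) but failed an authentication attempt'

function Get-VpnFailureSummary {
    # $Messages: event message strings.
    # $Threshold: failures from one source address that warrant a look.
    param([string[]]$Messages, [int]$Threshold = 3)

    $hits = foreach ($m in $Messages) {
        if ($m -match $pattern) {
            [pscustomobject]@{ Ip = $Matches.ip; User = $Matches.user }
        }
    }
    $hits | Group-Object Ip | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            SourceIp = $_.Name
            Failures = $_.Count
            # Many distinct accounts from one address suggests password guessing.
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample messages (documentation address ranges, made-up accounts).
$tail = 'but failed an authentication attempt due to the following reason: (constructed)'
$sample = @(
    "CoId={CONSTRUCTED}: The user CORP\alice connected from 198.51.100.7 $tail"
    "CoId={CONSTRUCTED}: The user CORP\bob connected from 198.51.100.7 $tail"
    "CoId={CONSTRUCTED}: The user CORP\carol connected from 198.51.100.7 $tail"
    "CoId={CONSTRUCTED}: The user CORP\alice connected from 198.51.100.7 $tail"
    "CoId={CONSTRUCTED}: The user CORP\dave connected from 192.0.2.44 $tail"
)
Get-VpnFailureSummary -Messages $sample -Threshold 3 | Format-Table -AutoSize

# On the server, feed it the same System log the command above reads:
# $msgs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20271 } |
#         ForEach-Object Message
# Get-VpnFailureSummary -Messages $msgs
```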
Summary
RRAS on Windows Server 2012 R2 is a versatile multi-role networking service that handles VPN server, routing, and NAT functions. By installing the appropriate role services, configuring network adapters correctly, enabling the right VPN protocols, and setting up authentication through Windows or RADIUS, administrators can deploy a comprehensive remote access solution. RRAS’s integration with NPS, Active Directory, and Windows Firewall makes it a flexible platform for organizations of all sizes needing reliable remote connectivity.