Create an L2TP VPN Server in Windows Server 2016

I wanted to create a VPN server that I could use to access my home internet connection (Sky Fibre). I chose L2TP for this task as I want to connect to the VPN fairly frequently from an iPhone/iPad. As the iOS devices have a built-in L2TP VPN client and I didn't want to rely on a third-party one, this made it an easy choice. For Windows 10 machines connecting in to my VPN I set up an SSTP VPN connection on the same server, because Windows 10 doesn't play well with L2TP behind a NAT firewall. The setup for the L2TP VPN is as below.

Firstly build a Windows Server 2016 machine; VM or physical, it doesn't really matter. I used a VM as I can spin it up/down and snapshot as needed. For notes on installing Windows Server 2016 please see here.

You then need to install the Remote Access role.  To do this open Server Manager and start the Add Roles and Features wizard.  Select the Remote Access Role and click Next.

Create an L2TP VPN Server in Windows 2016

Click Next again

Create an L2TP VPN Server in Windows 2016-1

Click Next again

Create an L2TP VPN Server in Windows 2016-2

Click Add Features and click Next

Create an L2TP VPN Server in Windows 2016-3

Click Next

Create an L2TP VPN Server in Windows 2016-4

Accept the Web Server Role service selections and click Next

Create an L2TP VPN Server in Windows 2016-5

Click Install

Create an L2TP VPN Server in Windows 2016-6

Wait for the installation to finish

Create an L2TP VPN Server in Windows 2016-7

Once the role has installed, click the Open the Getting Started Wizard option in Server Manager.

Create an L2TP VPN Server in Windows 2016-8

Select Deploy VPN Only

Create an L2TP VPN Server in Windows 2016-9

You now have access to the Routing and Remote Access console

Create an L2TP VPN Server in Windows 2016-10

Right click on your server name and select Configure and Enable Routing and Remote Access

Create an L2TP VPN Server in Windows 2016-11

Click Next

Create an L2TP VPN Server in Windows 2016-12

If you only have one network interface select Custom configuration and click Next

Create an L2TP VPN Server in Windows 2016-16

Select VPN Access and click Next

Create an L2TP VPN Server in Windows 2016-17.

Click Finish

Create an L2TP VPN Server in Windows 2016-18

Click Start service

Create an L2TP VPN Server in Windows 2016-19

Wait for the service to start

Create an L2TP VPN Server in Windows 2016-20
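For anyone who would rather script the role installation and the "Deploy VPN Only" step than click through the two wizards above, the following is an added example of my own (not code from the original post). It uses the RemoteAccess module that ships with the role and assumes an elevated PowerShell session on the Windows Server 2016 box:

```powershell
# Added example: install the Remote Access role and deploy a VPN-only RRAS
# configuration, equivalent to the Add Roles and Features wizard followed by
# the Getting Started wizard. Run from an elevated PowerShell prompt.

# 1. Install the role plus the VPN role service and the management console.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. "Deploy VPN Only": configure RRAS for remote-access VPN, not DirectAccess.
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn

# 3. Make sure the RRAS service starts now and at every boot.
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess

# 4. Read-back check: the service should report Running and the deployment
#    summary should show the VPN component as installed.
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType
Get-RemoteAccess
```

The Security, IPv4 and Logging tab settings from the Properties dialog are not touched here; those are configured separately once the service is up.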

Right click on your server name and click Properties.  Leave the general tab as it is and click on Security

Create an L2TP VPN Server in Windows 2016-21

Ensure that you only have EAP and MS-CHAP v2 selected

Create an L2TP VPN Server in Windows 2016-22

Check the Allow custom IPsec policy for L2TP/IKEv2 connection box. Enter a strong pre-shared key here (this is the shared secret you will later enter on the clients); I use 62 characters.

Create an L2TP VPN Server in Windows 2016-23

Click the IPv4 tab and select Static address pool. Enter the range of addresses that RRAS will assign to clients while they are on the VPN.

Create an L2TP VPN Server in Windows 2016-24

Select the Logging tab and check the Log additional Routing and Remote Access information box

Create an L2TP VPN Server in Windows 2016-25

Click OK and you will be prompted to restart the Routing and Remote Access Service, do this now.

Create an L2TP VPN Server in Windows 2016-26
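The Security and IPv4 tab settings above can also be applied with the RemoteAccess module, which is useful for rebuilding the server from a snapshot. This is an added example of my own, not code from the original post; the address range is a constructed one, the `New-RandomPsk` helper is mine, and you should confirm the cmdlet parameters against `Get-Help Set-VpnServerConfiguration -Full` on your build before relying on them:

```powershell
# Added example: authentication protocols, L2TP pre-shared key and static pool,
# set from an elevated prompt on the RRAS server after the role is installed.
Import-Module RemoteAccess

# 1. Generate the pre-shared key from the OS CSPRNG rather than inventing one.
#    62 symbols from a 64-symbol alphabet is about 372 bits of entropy, and
#    256 is a multiple of 64, so "byte mod 64" has no modulo bias.
function New-RandomPsk {
    param([int]$Length = 62)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}
$psk = New-RandomPsk
Write-Host "Record this PSK in your password manager; every client needs it: $psk"

# 2. Security tab: accept only EAP and MS-CHAP v2 for user authentication,
#    which leaves PAP and CHAP (cleartext / reversible) disabled.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Eap, MsChapv2 -PassThru

# 3. Security tab: custom IPsec policy for L2TP with the pre-shared key.
Set-VpnServerConfiguration -CustomPolicy -L2tpPsk $psk

# 4. IPv4 tab: static address pool (constructed range; choose one that does not
#    overlap your LAN's DHCP scope).
Set-VpnServerConfiguration -IPAddressAssignmentMethod StaticPool `
    -IPAddressRange '192.168.50.10', '192.168.50.40'

# 5. RRAS has to be restarted for the security changes to take effect, which is
#    the same prompt the GUI gives when you click OK.
Restart-Service -Name RemoteAccess

# 6. Read back what is now in force.
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
Get-VpnServerConfiguration | Select-Object TunnelType, IPAddressAssignmentMethod, IPAddressRange
```

The "Log additional Routing and Remote Access information" option from the Logging tab is left to the GUI here.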

Next we need to create a dedicated user account for VPN access. Click Start > Run and type compmgmt.msc to open Computer Management. Right-click on Users and click New User. Give the user a name and a strong password.

Create an L2TP VPN Server in Windows 2016-27

Right-click on the user account and click Properties. Click the Dial-in tab and select Allow access, then click OK. If you want to use NPS to control access instead, select Control access through NPS Network Policy at this point.

Create an L2TP VPN Server in Windows 2016-28
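The same account and dial-in setting can be created from the command line. This is an added example of my own rather than the post's procedure; `vpnuser` is a constructed account name, and the dial-in flag for a local (non-domain) account is set through RRAS with `netsh ras`, since the local-account cmdlets have no switch for it:

```powershell
# Added example: dedicated local VPN account with dial-in permission, run from
# an elevated prompt on the RRAS server. Requires the built-in
# Microsoft.PowerShell.LocalAccounts module (present on Windows Server 2016).
$name = 'vpnuser'   # constructed name; choose your own
$password = Read-Host -Prompt "Password for $name" -AsSecureString

# Plain user only: New-LocalUser adds the account to no privileged group, and a
# VPN-only identity should stay that way.
New-LocalUser -Name $name -Password $password -Description 'L2TP VPN access only' -AccountNeverExpires

# Dial-in tab -> "Allow access". Use dialin=policy instead if NPS should decide.
netsh ras set user name=$name dialin=permit

# Read-back checks: the account exists and is enabled, and RRAS reports its
# dial-in setting as permit.
Get-LocalUser -Name $name | Select-Object Name, Enabled, PasswordExpires
netsh ras show user name=$name
```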

Open the Windows Firewall with Advanced Security applet.

Create an L2TP VPN Server in Windows 2016-29

Right click on Inbound Rules and click New Rule, click Port and click Next

Create an L2TP VPN Server in Windows 2016-30

Select UDP and type port 1701 then click Next

Create an L2TP VPN Server in Windows 2016-31

Click Allow the connection and then click Next

Create an L2TP VPN Server in Windows 2016-32

Apply the rule to all profiles and click Next

Create an L2TP VPN Server in Windows 2016-33

Give the rule a name and then click Finish.  Once this rule is created repeat the process for UDP ports 500 and 4500.

Create an L2TP VPN Server in Windows 2016-34

The rules should appear as below:

Create an L2TP VPN Server in Windows 2016-35
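The three inbound rules above are a good candidate for scripting, since the port list is exactly what has to be right for L2TP/IPsec to work. The following is an added example of my own (not from the original post); the rule display names are mine, and the script skips any rule that already exists so it can be re-run safely:

```powershell
# Added example: inbound UDP rules for L2TP (1701), IKE (500) and NAT-T (4500)
# on all firewall profiles, plus a read-back of what was created.
# Run from an elevated prompt on the RRAS server.
$rules = @{
    'L2TP/IPsec - L2TP (UDP 1701)'  = 1701
    'L2TP/IPsec - IKE (UDP 500)'    = 500
    'L2TP/IPsec - NAT-T (UDP 4500)' = 4500
}

foreach ($rule in $rules.GetEnumerator()) {
    # Idempotent: only create the rule if one with this name is not there yet.
    if (-not (Get-NetFirewallRule -DisplayName $rule.Key -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Key -Direction Inbound -Protocol UDP `
            -LocalPort $rule.Value -Action Allow -Profile Any | Out-Null
    }
}

# Check: each rule should show Enabled=True, Direction=Inbound, Protocol=UDP and
# the expected port. A rule that landed on the wrong profile or protocol is the
# usual reason IKE never completes.
Get-NetFirewallRule -DisplayName 'L2TP/IPsec - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        Port      = $port.LocalPort
    }
}
```

Only UDP is opened here because clients behind NAT negotiate NAT-T and carry ESP inside UDP 4500; a client that cannot do NAT-T would additionally need IP protocol 50 (ESP) to reach the server, which is the situation the post describes with Windows 10 further down.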

Now, as I do not have a fixed external IP address for this server and am sitting behind a NAT firewall (provided by my broadband supplier Sky, which I can't change), I will need to forward ports from my router to the RRAS VPN server. To do this you will need to set up something like the below:

Create an L2TP VPN Server in Windows 2016-36

Now all you need to do is create a VPN profile on your client (in this case an iPhone). Enter the server name (this is the external DNS name or IP address of your internet connection). As I am restricted to a dynamic external IP address I use DuckDNS for a domain name, so that I don't lose track of the IP address and find I can't connect. I have created a step-by-step guide on how to set this up here. Select the type as L2TP and enter the account details that you created earlier and the shared secret.

Create an L2TP VPN Server in Windows 2016-38

You should now be able to connect without any issues

Create an L2TP VPN Server in Windows 2016-37

NAT-T does not seem to work well with Windows 10 and the basic home routers that come with some broadband connections. I could not get protocol 50 (ESP) to forward correctly from the Windows 10 clients. For this reason I set up an SSTP VPN on the same server, which I will discuss in my next post.

There is a registry fix which is supposed to make Windows 10 clients handle the UDP-encapsulated packets, but this never worked for me. The fix from Microsoft is listed here if you want to try it. As I say, it never actually worked for me, but others say they have had success with it.

You basically need to create a new DWORD here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

name the DWORD:

AssumeUDPEncapsulationContextOnSendRule

Then give it a value of 2
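On the Windows 10 client the registry change above, and the matching L2TP profile, can be applied from PowerShell rather than regedit. This is an added example of my own, not the post's or Microsoft's script; the connection name and `vpn.example.invalid` are placeholders for your DuckDNS name, and the read-back at the end lets you confirm the value before rebooting, which the Policy Agent needs before it picks the setting up:

```powershell
# Added example: set AssumeUDPEncapsulationContextOnSendRule = 2 on a Windows 10
# client and create the L2TP/IPsec profile that matches the server settings
# (pre-shared key, MS-CHAP v2). Run from an elevated prompt on the client.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Create the DWORD if missing, correct it if it exists with another value.
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 2 | Out-Null
} elseif ($existing.$valueName -ne 2) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 2
}

# Read-back: should print 2. The IPsec Policy Agent reads this at start-up, so
# reboot the client before testing the connection.
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName

# Client profile. The PSK is read as a SecureString and only unwrapped for the
# cmdlet call, so it does not sit in the console history.
$securePsk = Read-Host -Prompt 'Pre-shared key from the RRAS server' -AsSecureString
$plainPsk  = [System.Net.NetworkCredential]::new('', $securePsk).Password
Add-VpnConnection -Name 'Home L2TP' `
    -ServerAddress 'vpn.example.invalid' `
    -TunnelType L2tp `
    -L2tpPsk $plainPsk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential

# Confirm the profile was stored with the intended tunnel and auth settings.
Get-VpnConnection -Name 'Home L2TP' | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```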


6 Replies to “Create an L2TP VPN Server in Windows Server 2016”

  1. I have been beating my head against a wall for the past 6 months trying to get the various VPN options working with a macOS laptop and a Windows Server; this worked for me in 5 minutes. Do you have an email address where I can PayPal you a beer?

  2. I did everything by following the steps, which works, but the internet is blocked once connected. I assume this is a common problem; can you give some explanation about this? (Or writing one in a Q&A section would be better.)

      1. I also have the same problem. My iPhone 6s could connect to the VPN successfully, but the internet is blocked once connected. Would you give me some help? Thank you.
