May 4, 2024

Windows Server 2022 VPN Lab



Published July 3, 2023, 3:20 p.m. by Courtney


Professor Robert McMillen shows you how to set up a VPN lab so you understand how it all works, including the various types of VPN, a discussion of certificates, Network Policy Server, and a demonstration of a client connection to the VPN server.


I'm in a Windows 2022 server, as you see in the lower right-hand corner, and what I'm going to do is add in a VPN server. So I'm going to click on Add Roles and Features, click Next, click Next, Next again, and now I want to choose Remote Access. If it asks you to add any features, just go ahead and do that as well. Click Next, Next, Next. Now here are your options for the type of VPN, so I'm going to choose DirectAccess and VPN, click Add Features, and now I can click Next. I'm just going to choose the default ones that you see here. What it's going to do is automatically add Internet Information Services, so that's basically just the web service, and it's going to add the features that it needs with it. And now click Install.

There are several different types of VPN that Windows Server 2022 supports, such as SSTP, L2TP and others. If I go into Device Manager and choose to view hidden devices, as you see here, we can see all the different types of adapters that show the different types of VPN it supports. So we see SSTP, PPTP, L2TP, IKEv2. GRE is part of PPTP, actually, but it can also be a tunnel by itself. So I'll go ahead and close that.

By default, PPTP, or Point-to-Point Tunneling Protocol, is going to be enabled once you set up this VPN server; you don't do anything else other than just allow access to the individual users. SSTP is going to need a certificate, since it's sort of like the SSL technology you would use to go out to a shopping website; you need to add in a certificate, so I'll show you that area. L2TP and IKEv2 are going to need to either use a certificate or a shared secret, and the shared secret is much easier to set up, but of course the certificate is more secure.

You can add the certificate in a couple of different ways. One is you can go into Internet Information Services, which it installs by default, and you can do a request for a certificate to either a public authority or a root certificate authority, or you can create your own root certificate or certification authority on the server and then create your own certificate that way. The public way turns out to be a little bit more expensive because you have to pay for it, but in the long run it's much easier, because the clients that try to connect to it are looking for that public certificate, so you'd have to do a whole bunch more things in order to get it to trust a self-signed or a private certificate from your Active Directory domain.

So if I click on Tools and I go into Routing and Remote Access, we'll get to see the new manager that shows up. Now I can right-click and choose Configure and Enable Routing and Remote Access, because by default it's going to be turned off, so you've got to do this. But there are several different types of routing and remote access that come in here, and most people are going to be setting up with a single network connection that's internal, or you may have multiple network cards but they're all internal, behind a firewall such as a Cisco ASA or a SonicWall, that kind of thing. So because of that, you want to choose Custom configuration. If you choose any one of these other options then it just won't work right, because a lot of these options are designed for having a public IP and network card on the outside facing the internet, and most people aren't doing that.

So now I'm going to choose VPN access, click Next and Finish, and now it's going to prompt to start. I'll go ahead and start, and as soon as this is started it's going to enable the firewall ports inbound for all the different VPN types that it supports, so you should not have to go in and make any changes, but it's not a bad idea to check if you get into any errors.

So now I'm going to right-click and choose Properties, and we see all the different types of properties. If I go to Security, here's where we can set up L2TP and IKEv2. So if I click on "Allow custom IPsec policy for L2TP/IKEv2", you'll go ahead and type in the pre-shared key that you'd want for that. That's one of the first steps for L2TP; there are a lot of other steps. I have another video on this for the entire setup for L2TP you can check out. But by default the Point-to-Point Tunneling Protocol is ready to go if you want to use it. Now the other option you can choose is SSTP, or SSL certificate binding: hit the certificate, choose the drop-down, and I don't see a certificate here, so we need to either create a certificate or we need to do a certificate request.

I'm going to go up to IPv4, and by default it's going to look to the DHCP server to assign an IP address to your clients. Now if you don't have a DHCP server, you'll want to click on Static address pool and you'll want to add in a group of IP addresses that are not being used out on your network. Now make sure that you keep an extra IP address for the server itself, so if you want 10 VPN connections, for instance, then make sure you set up 11 here, because one is going to be used for the server itself.

Here are your options for IKEv2, and one of the advantages to IKEv2 is that if you get disconnected it will automatically reconnect without having to re-authenticate, so it's great for really slow connections that may disconnect often. So right now this is ready to go for Point-to-Point Tunneling Protocol. Change that back to DHCP, click OK.

I'm going to go in and create a certificate using IIS for the SSTP. Now one of the reasons why you'd want to use SSTP above all others is it's the one that for sure won't get blocked at hotels and restaurants, things like that, where you may want a VPN in; almost all the other ones are going to be blocked in most places. So if I click on Server Certificates in the root, then here I can create a certificate request, and this would be for, say, a public certification authority or a root one on your domain controller. But just for these testing purposes I'm going to click on Create Self-Signed Certificate. So click on that, specify the name. I'm just going to call it vpn. and then whatever your Active Directory domain name is, and this one is mydomain.internal. Leave it at Personal and click OK, so now there's my certificate, that's all set up.

Now I'm going to go back into Routing and Remote Access, and when I go back into the properties I should see that certificate there, and there it is. So now I have enabled SSTP in order to use the SSL type of VPN.

On your firewall you'll need to enable port forwarding for the Point-to-Point Tunneling Protocol ports, such as GRE and TCP 1723, or the SSTP port, which is just port 443, and forward it on to this server. You're also going to want to set up a DNS host record. Now if this is again public, you're going to want to set up a host record at, say, Network Solutions or GoDaddy, and point the public IP address to the one that's on your firewall port forwarding into your server. But since this is all internal for testing purposes, I'm just going to go ahead and add in an A record, call it vpn and point it to itself, so this IP address is .244. Click Add Host. So now when we get the resolution for vpn.mydomain.internal, it should work for us on the Windows 10 computer.

Another thing we need to do is to allow the user to be able to VPN in. There are a couple of different ways to do that. One way is going to be to go into Active Directory Users and Computers, and I'm just going to use the administrator as an example, so I'll double-click on Administrator and choose Dial-in. So I can either choose Allow access, Deny access (which of course is not what I want), or allow it through the NPS network policy. I'm going to choose Allow access just for a single user, but I do want to show you that NPS policy, because if you want to do a whole bunch of users it's a lot easier to do it that way. So, Network Policy Server, and then you want to expand Policies, Network Policies, and then you want to make sure that these are going to be enabled. So I'm going to go to Properties and I'm going to choose Grant access, Policy enabled, and there's my other one: Properties, I'm going to choose to grant access and Policy enabled. So now if you leave it at the default, to control through network policy, this will work.
Let's go to the Windows 10 computer. On the Windows 10 computer I'm going to go to network and sharing settings by right-clicking on the network icon and choosing Open Network & Internet settings. You can either use the traditional Network and Sharing Center or you can choose the new VPN option; either one should work fine. I'm going to choose the newer one, just because it's possible they're going to turn off the old one at some point.

I'll click on Add a VPN connection. For the VPN provider, just leave it at Windows (built-in). The connection name: now, if you're going to use the SSTP connection, you're going to want to put in the name of the certificate, otherwise it won't work right, so vpn.mydomain.internal. And then the server name or address could be the same thing again, or you could put in the address. I'm just going to right-click and copy; since I created that host record I don't need to use the internal address.

Now we want to choose the VPN type. You could leave it at Automatic, but if you know you're going to be using point-to-point or L2TP or one of these other ones, then I would choose that, because it won't scroll through all the different ones, it'll just go directly to it. For this one I'm just going to choose PPTP, and I'll put in the username. Now if you're using Point-to-Point Tunneling Protocol you don't use the domain name, you just put in the username and the password. If you're doing SSTP or any other type of VPN, you will put the domain name, backslash, username. So I'll click Save, and then there's my option.

Now before I connect I just wanted to make sure that I'm getting resolution, so I did a ping vpn.mydomain.internal. But if for some reason you're not pointing your DNS to the internal DNS, you're not going to get resolution, so what you've got to do is go into Windows\System32\drivers\etc, go to your hosts file, and then in your hosts file you're going to want to add in the pointer that will go to this particular server. So in my case I put in the IP address and then I put in the name vpn.mydomain. So now I can get resolution; but if you're using the DNS server internally then you won't have to worry about that.

So let's click on vpn.mydomain.internal, click Connect, and make sure we can connect. I'll click on the Connect button and, look at that, connected right away. So if I go to my command prompt and I type ipconfig /all, I'll now see more than one IP address: I see my original IP address, but I also see my VPN, which is the PPP adapter that you see here, IP address as well.

You now have the knowledge to set up a Windows VPN server and client. To set up L2TP or IKEv2 it will take significantly more steps; check out my L2TP video to set up this type of VPN connection.
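The Windows 10 client side of the lab (resolution check with the hosts-file fallback, creating the connection, connecting with DOMAIN\username, and verifying the extra PPP address) as an added PowerShell example, not from the video. It assumes the same lab values as the server example (`vpn.mydomain.internal`, placeholder address `192.168.1.244`, assumed account `labuser`), an elevated session (editing the hosts file requires it), and it uses SSTP rather than the video's PPTP.

```powershell
# Added example (not from the video): Windows 10 client side of the VPN lab, run elevated.
$Domain   = 'mydomain.internal'
$VpnHost  = "vpn.$Domain"         # connection name AND server address: the certificate's subject
$ServerIp = '192.168.1.244'       # placeholder for the server's internal address (".244" in the video)
$User     = 'labuser'             # assumed test account

# 1. Name resolution. If the client does not use the internal DNS server, add the
#    hosts-file pointer the video describes (%SystemRoot%\System32\drivers\etc\hosts).
if (-not (Resolve-DnsName -Name $VpnHost -ErrorAction SilentlyContinue)) {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($VpnHost)) -Quiet)) {
        Add-Content -Path $hosts -Value "$ServerIp`t$VpnHost"
    }
}

# 2. Create the connection once. Fixing the tunnel type (instead of Automatic) avoids the
#    client trying every protocol in turn. Prerequisite for the lab's self-signed server
#    certificate: import it into Cert:\LocalMachine\Root here, or SSTP validation fails.
if (-not (Get-VpnConnection -Name $VpnHost -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnHost -ServerAddress $VpnHost -TunnelType Sstp `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential:$false
}

# 3. Connect. For SSTP (everything except PPTP, per the video) the user is DOMAIN\username.
$cred = Get-Credential -UserName "$Domain\$User" -Message "VPN password for $User"
rasdial $VpnHost $cred.UserName $cred.GetNetworkCredential().Password

# 4. Verify: connection status, and the second (PPP) address the video finds in ipconfig /all.
Get-VpnConnection -Name $VpnHost | Select-Object Name, ConnectionStatus, TunnelType
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object InterfaceAlias -eq $VpnHost |
    Select-Object InterfaceAlias, IPAddress
```

The PPP adapter Windows creates for the tunnel takes the connection name as its interface alias, which is why the last filter matches on `$VpnHost`; if it returns nothing, the connection did not come up, and `Get-VpnConnection` shows the status. The example picks SSTP over the video's PPTP default because SSTP runs over TLS on port 443 (the reason the video gives for it not being blocked), and the other two tunnel types the video mentions, L2TP/IPsec and IKEv2, would need the pre-shared key or certificate steps it defers to the L2TP video.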
