Preface

We already posted an article to set up a VPN on Windows Server 2019 using Secure Socket Tunneling Protocol (SSTP) using a third-party certificate. This one, we are going to discuss ‘How to Setup VPN using PPTP’ based article . The Point to Point Tunneling Protocol using the Generic Routing Encapsulation feature along with tunneling over TCP/IP wrapped transmission. The PPTP creates a tunnel on TCP/IP and transfer the packets securely—this very old and reliable method of transferring or accessing the private network over the internet. We can deploy this method to connect a Home or a user with a laptop to access their home network or small office network efficiently and quickly.

Configuring Point to Pointing Tunneling Virtual Private Network on a Windows Server 2019 is straightforward. We can use this method of deploying a VPN where the Secure Socket Layer type of VPN is not possible. In this method of configuring VPN, we need to open the port 1723 and enable a feature called Generic Routing Encapsulation (GRE) on the edge firewall or router under security settings. I am going to explain the step by step and cover the entire setup process from install and configure Remote Access Role to configure Client device to connect the network where we have installed the PPTP VPN.

So, let get to the server and start the Remote Access Role installation and subsequently look at configuring VPN policy on the Network Policy Server on the Windows Server 2019. If you are ready to take a configuration task, we are here, to begin with, so let us get started.

• Add Remote Access Server Role
• Configure Remote Access with VPN Access
• Configure Remote Access Settings for VPN
• Configure Dian-in connection on the user object
• Configure Dial-in policy on Network Policy Server
• Crete VPN network connection on Windows 10 device
• Connect VPN Server over the Internet

Add Remote Access Server Role

The first step in deploying a VPN server is Adding the Remote Access Server Role on the server—the remote access server role to be installed by going to the Server Manager Dashboard. Once the Server Manager windows would open, click on the Add Roles and Features, and the ‘Add Roles and Features’ wizard would start, and we can go through this wizard to complete the Remote Access role installation.

The wizard will start with instructions on using this tool to add the roles and features. If you don’t want to see this page, you can click the checkbox next to ‘Skip this page by default,’ and you won’t be prompted with this page anymore.

In this wizard, we are going to use the role-based installation to add this role, so select Role-based or Feature-based Installation to begin with and click Next to continue.

Make sure the local server in the server pool and select it and click Next.

In the Select Server Role page, select Remote Access checkbox, and click Next.

On the next page, leave the Features as it is and click Next.

If you need more details, you may go through the details about remote access on this page, and once you are ready to move, click Next.

This step is significant, select the Direct Access and VPN (RAS) alone, and you would be prompted with related features on the pop-up and click Add Features, which will return to select the role services page.

We have selected the roles services and its feature, and we are right to move to continue, click Next.

The next page is an information page, and it describes that adding this role service also install the Web Server (IIS) role, Click Next to continue.

The Web Server (IIS) role will install this role services, leave the default selection, and click Next.

On the confirmation page, verify that the Roles mentioned above and Role Services correct and click Install to start the Remote Access role installation. Sit back and relax for a few minutes to get the installation to complete.

The Remote Access role installation started. Let wait till the installation complete, and then we start the configuration.

You would notice the installation succeeded message and there is a link to open the getting started wizard to start the configuration of the Remote Access Role, click the link.

Clicking the link will start Configure Remote Access Wizard, on the wizard click Deploy VPN only tab as in the screen below.

Configure Remote Access with VPN Access

On the Configure Remote Access prompt select the Deploy VPN Only to define the Remote Access multiple configuration methods.

The Routing and Remote Access management console will be opened and right-click on the server node and click ‘Configure and Enable Routing and Remote Access.’

The Routing and Remote Access Server Setup Wizard will start with a Welcome Screen, Click Next to begin the wizard.

Select the Radio button next to Custom Configuration and click Next.

On the Custom Configuration page, select the checkbox next to VPN Access and click Next.

The VPN Access configuration selected on the wizard, and that is the end of the wizard and click Finish.

Click OK to the warning message that the Remote Access Configuration couldn’t open the required port. We will open the port on the Windows Firewall manually.

As we have configured Routing and Remote Access services with VPN Access and the wizard will end by prompting to start service.

Once the Routing and Remote Access Service Started, you will see a green arrow on the server node implying that the service started and running.

Configure Remote Access Settings for VPN

There are specific settings we need to update to set the VPN to function securely and get the IP4 IPs to the client system.

Right-click the server node and click properties as in the screen below.

On the Remote Access, Server Properties go to the IPV4 tab and Select the Static Address pool radio button under IPv4 Assignment and click add to add IP address pool. Choose an IP address Pool and type start and end IP address of the pool. The IPV4 address pool is a static one, and if you are running the DHCP server on the server, you can leave the IP address to assign from the DHCP server. As we are not running a DHCP service, we are creating a static address pool in this example.

Choose IP address pool and type start and end IP address on the Add dialog box. We have chosen 172.16.1.1 to 172.16.1.10 range to assign the IP addresses to the VPN clients.

Click OK once the IP address properly typed.

How to Setup VPN using PPTP

Configure VPN Policy on Network Policy Server

Open the Server Manager window and on the Tools menu select Network Policy Server to begin with configuring VPN Policy

Expand the Network Policy Server and select New to create a new policy for VPN access.

On the New Network Policy Window type VPN Access as Policy Name and in the drop-down list of typer of network access server select Remote Access Server (VPN-Dial Up) and Click Next.

On the Specify Condition page, select Windows Group and Click Add.

I have already created an Active Directory group called “vpngroup” for this purpose, and we are going to add that group. Please note that we are adding all users who need VPN access to this group.

How to Setup VPN using PPTP

Once we confirmed the group added, click Next to continue.

As we are granting access to this AD Group users, we are selecting Access Granted and Clicking Next.

On the Configure Access methods, select Add and Microsoft Secure Password (EAP-MSCHAP v2 as Extensible Authentication Protocol on the list of authentication methods.

Also, uncheck the boxes near Less Secure Authentication methods.

How to Setup VPN using PPTP

Once the Authentication method has been selected, click Next.

On the Configure Constraints page, leave the defaults and click Next.

Also, Configure Settings page leave the default and click Next.

Click Finish to end the wizard.

Create a Windows Firewall rule to open port PPTP VPN

Go to Control Panel>System and Security>Windows Defender Firewall and click Advanced settings.

Select Inbound Rule from the left navigation and New Rule on the Actions Menu

Select Port as Rule type and click Next

How to Setup VPN using PPTP

The PPTP port number is 1723, Select Rule “Apply to TCP” and Specific local ports 1723 and, click Next.

Select Allow Connections and click Next.

Select all the Network Locations and click Next.

Type a name for the Rule and Click Finish

Create VPN Network Connection

So, we have completed all server configurations, now is the time to create a VPN connection on the Windows 10 client computer.

Right-click network Icon on the taskbar and select ‘Open Network & Connection Sharing.’ On settings, windows click ‘Network and Sharing Center’ that will open the ‘Network and Sharing Center’ where we need to select ‘Set up a New Connection or Network’ as in the steps provided on the screenshot below.

How to Setup VPN using PPTP

Select the steps as in the steps below.

1. Open Network & Internet Sharing
2. Network Sharing Center
3. Set up a New Connection or network

There is a Wizard start, and in the connection options, select ‘Connect to a workplace’ and click Next.

In the destination name type, a name implies the connection purpose. I left the default name in this example.

Leave the selection of ‘Remember my credentials’ and click create.

1. Type the VPN server’s internet hostname or IP address.
2. Give a name to the VPN Connection.
3. Click Create to create a workplace connect.

To change the type of VPN, right-click newly created Network Connection and select properties.

On the Security tab, select Point to Point Tunneling Protocol (PPTP) and click OK.

How to Setup VPN using PPTP

Click Network icon on the taskbar and the newly created VPN connection will appear on the list of connections, click that, and there will be a credentials box open.

On the Sign-in prompt type, the AD user and password and click OK.

The VPN connection will show connected. Now we can access the internal devices on the office network using their private IP address.

Conclusion

In this article, we have gone through step by step instructions on how to 1. Install and configure Remote Access VPN role 2.  Network Policy Server VPN policy 3. Creating windows firewall rule and 4. Making a VPN Connection on the Windows client system and connected to Office network remotely using PPTP. Also, we have one more step to that on the router or Firewall device connecting to the internet we need to add a port forwarding rule to point the VPN server connecting port 1723. On the security settings on the firewall, we need to enable Generic Routing Encapsulation to connect the VPN from remote windows client to the VPN Server that we just configured.

You may have some questions or feedback to share with me, please click the comments below and share your thoughts. I am so happy to answer your questions.