VPN Setup on Windows 2003 Server

This will be another entry for work purposes. I’m in the process of migrating our network from two Windows 2000 servers down to one Windows 2003 server running pretty much everything.

I’m a little paranoid about having everything running off of one server, but… such is the need.

Right now I’m setting up VPN access to the new server and to the network. The goal is to have faculty be able to access the network from home and be able to connect to the campus email services as well (which means creating a route outside our subnet and to the Internet).

So really, in Windows 2003, everything is a Wizard. So it should easy like Borstch to set everything up. Right?

Ya.. sure.

Here’s the deal. Setting up VPN is easy at first, if all you want is to be able to access your own servers on the same subnet.

Basically, just tell it to create a VPN, assign the “Internet Connection” adapter to the adapter that clients will use to connect to VPN and the other adapter to another adapter connected to the network.

When it asks you how you want to assign IPs, I assign them using a DHCP server. It will warn you that you ahve to set a DHCP relay in order for things to be happy. Don’t forget that step!

So there ya go.. you should be well on your way. If you get to the end of the Wizard and you find that your server has suddenly lost its ability to connect to the Internet, disable the RRAS service and rerun the wizard using the Opposite Connections than you did before.

Now comes the tricky part.
If you want your clients to access resources outside the local network/subnet while their connected to VPN, you have to do so NOT with the VPN server, but rather with the DHCP server. Every client needs to be notified of this special route, that’s why it has to be done using the DHCP client.

In Windows 2003 you can set an option in the DHCP server scope called ‘Classless Static Routes’. Select that then enter in the route you need.

An example of a static route that worked for me.
Say the VPN address clients grab is on the 125.125.125.192 network with subnet mask 255.255.255.224

You need to set the “Destination” address as the VPN clients network (125.125.125.192) with the proper subnet then use the Gateway address of the VPN server (you can find this by checking the status an active VPN connection).

That’s it. Your VPN clients should now be able to connect to your local network as well as the Internet through the VPN connection.