rras ip address assignment

How to Install VPN using RRAS (Remote and Routing Access)

You must have heard about the VPN . VPN is a Virtual Private Network that provides security and privacy to your private and public networks. It creates a secure connection over public network. You can connect multiple systems to VPN server and use VPN’s bandwidth for public network connection.

There are various VPN protocols for secured communication viz. IPSec, SSL and TLS, PPTP and L2TP. Of which PPTP (Point-to-Pont Tunneling Protocol) is widely used protocol. It is one of the easiest protocol to setup and maintain as compared to other protocols.

A VPN is most efficient and inexpensive way to build a secured private network. Though, it is a most inexpensive, it requires fair amount of technical expertise to implement it successfully.

There are various paid VPN softwares in the market. But, if you are running windows server, you can use RRAS to configure your own VPN server without any additional cost. This article will walk you through to install VPN using Remote & Routing Access and connect to it from your local system ( With working Internet Access ). (The steps are performed on Windows server 2012 R2 OS)

• Login to your server through Remote Desktop in which you want to install VPN.
• In completing wizard, click on Finish. You will be prompted with a message for DHCP relay agent, simply click on Ok for this message.

Now, you will need to allow your RDP port in NAT services and ports . Follow the below mentioned steps for the same.

NOTE 1 : If this service is not added then you will not be able to access your server via RDP.

NOTE 2 : If you have firewall installed on your server, you will need to allow 1723 TCP port for PPTP.

Now, let’s tweak the setting of the user which will be used to make VPN connection from client/remote machine.

• Go to Administrative tools → Computer Management → Local Users and Groups → Users.

Your VPN server is ready for client/remote connections.

Now, let’s see how to configure client machine to connect to VPN server.

This is all. Now, your client machine will have the internet access via VPN. However, should you find any difficulty, feel free to raise your query here in this blog.

About The Author

Rahul vaghasia.

Rahul is CEO at AccuWebHosting.com . He shares his web hosting insights at AccuWebHosting blog. He mostly writes on the latest web hosting trends, WordPress, storage technologies, Windows and Linux hosting platforms.

Latest Comments

I was working on VPN installation from last 25 days with no luck. I was getting partial help from here and there. But, I got my goal of VPN installation (With working Internet) achieved with the help of your blog. Thanks a lot!!!

Thank you Hardik. Indeed I am happy to see that your problem is resolved using our blog.

This is an excellent blog post, really helped me to properly configured VPN on Windows SRV 2012 with NAT so that end user could also access the internet after connecting VPN. Just a quick addition in the above scenario: In case your machine has only one Ethernet card with public IP you need to add a loop-back network adopter as internal network card.

Thanks for nice efforts!

I am glad that my blog helped you to successfully configure VPN with working Internet.

I greatly appreciate your comment. Positive comments always encourage us to do better job. Thank you very much. I will surely improvise my blog with your suggestion.

Good work.Keep it up!! I haven’t seen such detailed and functional VPN steps on the web!

I couldn’t understand the reason of allowing RDP port in NAT services? any guesses?

Phil, Thanks for your appreciation.

RDP port is added in NAT service to allow remote access of machine when RRAS service is running. If you do not set this, you will not be able to access your machine via RDP when RRAS service is running.

This post is really helpful for those who want to install and configure working VPN in one shot. Thank you very much for sharing this precious work on the net.

In “Address Range Assignment”, you have entered 11 IP addresses. Is it required to enter 11 IPs only in this option?

You are most welcome Henry! In “Address Range Assignment”, you can enter more IP if required. In our example, we have added 11 IP so 10 concurrent connections can be made to VPN server. If you need more connection then you can add multiple ranges of IP’s or add each IP manually.

Thats a great article but do you have anything to setup VPN with RADIUS server

Hey Jimmy, unfortunately, we don’t have any tutorial to setup RADIUS (Remote Authentication Dial-In User Service) server. Though I’ll certainly forward this to our research team.

Seeing the screen capture, it looks like Windows Server 2012 OS. I’d like to setup VPS with Windows Server 2016. I guess steps would be same. What’s your opinion on this?

VPN is good but costly. Plus above steps for installing VPN are too technical. Instead, I would recommend using 3rd party easy to use remote access tools like logmein, R-HUB remote support servers etc. They work well.

Hello Prasanta, That is the same reason we have created steps with the screenshot, so anyone can configure a VPN server and connect to it.

Using a normal VPN service is very easy because now there is much useful software that gives VPN services but they will not provide RRAS (Remote and Routing Access). RRAS is the advanced secure platform for browsing and accessing the internet. You have to set up this service manually and this page will give you the details on how to set it up.

Hello, please, and how would this scenario that is tapped ensure that DHCP automatically adds the same IP address to the client, or that the client can set up its own IP, but it is not possible, then it will not connect …

Does this require two network cards installed on server?

we are changing Internet Providers. I want to know if Public IP change by changing providers will affect anything with remote Access/VPN. I do not believe it would. Any assistance would be greatly appreciated

Rahul.. I have a doubt that how can i connect local LAN server to cloud server?? can a local LAN client access without changing the local IP address?

Is necessary to have 2 NIC on server? We have only 1 NIC. Is it possible to set with 1 NIC?

It is not necessary to have 2 NICs. It is obvious that if you are renting server/virtual server with remote access, it will have only one NIC attached to your machine. In that you can use loop back network adapter. Just search for how to install loop back network adapter on the server. You will see lots of guide on it. Once you are done, you can use it in place of your second NIC.

Hello. I followed this guide to create a VPN network from my clients to our server, but despite all the configurations have been properly completed, the clients are not able to connect nor by SSTP SSL or PPTP. They will not reach out the server public ip address. Is it possible to get some assistance to get this working?

Thanks in advance.

1) You will need to make sure that Network Access Permission is Enabled for the server in which you have configured VPN. 2) If your server has firewall installed, please make sure that the port 1723 is accepting inbound connection. You may check this from your client machine. CMD: telnet 1723

Hello First of all, forgive me for my bad English I need Create a VPN server for change the IP address As you know, in some countries, such as Iran,many sites have filtering problems (Sites are blocks) I have a server in Germany. Can I create a VPN with this server to change the IP?

I was able to create a VPN server on a German server, but when User Connecting With the VPN the Internet is gon

I am very grateful for your help in this case

Looks like routing issue. You will need to make sure that 1) You have selected “Virtual Private Network (VPN) access and NAT” while configuring Routing and Remote access 2) You should recheck your NAT settings.

I have set up that VPN but my VPN client is only able to ping the private IP of the VPN server. Not able to ping/access any of the other servers in the remote LAN, I mean VPN client is not able to access all other servers / PC in VPN server’s LAN.

Hello, does this method circumvent the limit of 2 RDS users? will it be possible to connect multiple clients at the same time? Thanks so much!

Yes, you can certainly connect more than 2 clients at a time.

Notify me of follow-up comments by email.

Notify me of new posts by email.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

See our Cookie Policy

We use cookies to make your online experience easier and better. You consent to this by clicking on "I Agree" or by continuing your use of this website. For more information, See our Privacy Policy.

Success! We have sent an email verification link to your email address, please click it to verify. Thank you.

Richard M. Hicks Consulting, Inc.

• Consulting Services
• Always On VPN Book
• DirectAccess Book
• Absolute Secure Access

• Pluralsight

• Absolute Software
• Active Directory
• Active Directory Certificate Services
• Admin Center
• administration
• Always On VPN
• Always On VPN DPC
• Amazon Web Services
• application delivery controller
• Application Filter
• authentication
• Azure Active Directory
• Azure AD Join
• Azure App Proxy
• Azure Application Gateway
• Azure Application Proxy
• Azure Conditional Access
• Azure Load Balancer
• Azure Traffic Manager
• Azure Virtual WAN
• Azure VPN Gateway
• Certificate Authentication
• Certificate Authority
• Certificate Connector for Intune
• Certificate Services
• certificates
• Cisco Umbrella
• Cisco Umbrella Roaming Client
• Cloud Service
• Conditional Access
• Cryptography
• Device Management
• device tunnel
• DirectAccess
• DirectAccess Deprecated
• DirectAccess End of Life
• DirectAccess EOL
• DNS Policies
• Dynamic Profile Configurator
• Elliptic Curve Cryptography
• encapsulation
• end of life
• Endpoint Manager
• enterprise mobility
• Entra Global Secure Access
• Entra Internet Access
• Entra Private Access
• Entra Private Network Connector
• extensible authentication protocol
• force tunnel
• force tunneling
• Forefront TMG 2010
• Forefront UAG 2010
• Geographic Redundnacy
• global server load balancer
• Group Policy
• High Availability
• Hybrid Azure AD Join
• Hybrid Entra ID Join
• Hybrid Entra Join
• Important Links
• Infrastructure
• Intune Certificate Connector
• Intune PFX Connector
• IPv6 Transition
• Load Balancing
• local traffic manager
• Microsoft Endpoint Manager
• Microsoft Entra
• Microsoft Entra Global Secure Access
• Microsoft Entra ID
• Microsoft Entra Internet Access
• Microsoft Entra Private Access
• Microsoft Intune
• Mobile Device Management
• Multifactor Authentiction
• Name Resolution
• name resolution policy table
• NetMotion Mobility
• NetMotion Software
• Network Access Control
• network connectivity assistant
• network connectivity status indicator
• Network Device Enrollment Service
• Network Device Enrollment Services
• network policy server
• Offline Domain Join
• Operational Support
• PFX Connector
• Private Network Connector
• Professional Services
• Protected EAP
• Proxy Server
• public cloud
• public key infrastructure
• Recommended Reading
• Remote Access
• Remote Administration
• routing and remote access service
• Secure Access Service Edge
• Secure Service Edge
• Secure Socket Tunneling Protocol
• Secure Web Gateway
• Security Service Edge
• Security Update
• Server Core
• Simple Certificate Enrollment Protocol
• split tunnel
• split tunneling
• SSL and TLS
• Surface Pro
• Surface Pro 4
• System Center 2012
• System Center Configuration Manager
• systems management
• Traffic Filter
• transition technology
• Transport Layer Security
• troubleshooting
• Trusted Network Detection
• Trusted Platform Module
• Uncategorized
• user tunnel
• Visual Studio
• Visual Studio Code
• Vulnerability
• Web Application Proxy
• Web Proxy Server
• Windows 8.1
• Windows Admin Center
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022
• Windows Server 2025
• Zero Trust Network Access

Always On VPN and RRAS in Azure

Supportability

It’s important to state once again that although it is possible to successfully deploy Windows Server with RRAS in Azure to support Always On VPN, as of this writing it is not a formally supported workload. If the administrator makes the decision to deploy RRAS in Azure, they must also accept that Microsoft may refuse to assist with troubleshooting in this specific deployment scenario.

Reference: https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines

Azure Prerequisites

The configuration of RRAS is identical to on-premises, with a few additional steps required by Azure infrastructure.

Windows Server

RRAS can be configured on any Windows Server virtual machine supported in Microsoft Azure. As with on-premises deployments, Server GUI and Core are supported. Domain-join is optional. The server can be deployed with one network interface or two.

A public IP address must be assigned to the VPN server’s external network interface, or the internal interface if the VPN server is configured with a single network adapter. The IP address can be static or dynamic. When using a dynamic IP address, configure a CNAME record in DNS that points to the name configured for the IP address in Azure. If using a static IP address, an A host record can be configured pointing directly to the IP address.

Network Security Group

A Network Security Group (NSG) must be configured and assigned to the VPN server’s external or public-facing network interface that allows the following protocols and ports inbound.

• TCP port 443 (SSTP)
• UDP port 500 (IKEv2)
• UDP port 4500 (IKEv2 NAT traversal)

RRAS in Azure

Below are the infrastructure requirements for supporting Windows Server RRAS VPN in Azure.

Client IP Subnet

Static IP address pool assignment must be used with RRAS. Using DHCP for VPN client IP address assignment in Azure is not supported and will not work. The IP subnet assigned to VPN clients by RRAS must be unique and not overlap with any existing Azure VNet subnets. If more than one VPN server is deployed, each server should be configured to assign a unique subnet for its clients.

IP Forwarding

IP forwarding must be enabled on the VPN server’s internal network interface. Follow the steps below to enable IP forwarding.

1. In the Azure portal, open the properties page for the internal network interface for the VPN server. 2. Click IP configurations in the navigation pane. 3. Click Enabled next to IP forwarding . 4. Click Save .

Azure must be configured to route IP traffic from VPN clients back to the VPN server. Follow the steps below to create and assign a routing table in Azure.

1. Click Create Resource . 2. Enter “Route Table” in the search field and press Enter . 3. Click Route Table . 4. Click Create . 5. Enter a descriptive name for the route table in the Name field. 6. Choose an appropriate subscription from the Subscription drop-down list. 7. Select the resource group where the VPN server(s) reside. 8. Select the best location to deploy the route table resource from the Location drop-down list. 9. If the administrator wants to have the VPN client IP subnet route information published automatically, select Enabled for Virtual network gateway route propagation . 10. Click Create .

Once complete, follow the steps below to define the route for VPN clients.

1. Open the properties page for the route table. 2. Click Routes in the navigation pane. 3. Click Add . 4. Enter a descriptive name in the Route name filed. 5. Enter the IP subnet assigned to VPN clients in the Address prefix field. 6. Select Virtual appliance from the Next hop type drop-down list. 7. Enter the IPv4 address assigned to the VPN server’s internal network interface in the Next hop address field. 8. Click Ok . 9. Repeat the steps above for each VPN server configured in Azure.

Finally, follow the steps below to assign the route table to an Azure VNet subnet.

1. Open the properties page for the route table. 2. Click Subnets in the navigation pane. 3. Click Associate . 4. Click Virtual network . 5. Choose the appropriate Azure VNet. 6. Click Subnet . 7. Choose an Azure VNet subnet to assign the route table to. 8. Click Ok . 9. Repeat the steps above to assign the route table to any Azure VNet subnet that must be accessible by VPN clients. If VPN clients need access to on-premises resources via Azure site-to-site gateway, assign the route table to the Azure VPN gateway subnet.

Note: Azure only supports the assignment of one route table per subnet. If a route table is currently assigned, the VPN client subnet route can be added to an existing route table, if necessary.

Administrators have many choices when it comes to support Always On VPN connections hosted in Azure. RRAS on Windows Server can be an effective solution, assuming you can live without formal support. If having a formally supported solution is a hard requirement, consider deploying Always On VPN using the native Azure VPN gateway or another third-part Network Virtual Appliance (NVA).

Additional Information

Windows 10 Always On VPN with Azure Gateway

Windows 10 Always On VPN Options for Azure Deployments

Windows 10 Always On VPN Multisite with Azure Traffic Manager

Share this:

Posted by Richard M. Hicks on September 9, 2019

https://directaccess.richardhicks.com/2019/09/09/always-on-vpn-and-rras-in-azure/

46 Comments

Thanks Richard for another great post! I’m feeling very frustrated with Azure P2P VPN options. We have a Expressroute and the Azure P2P can’t work with this due to Gateway transit restrictions allowing only one gateway on a vnet peer and p2p VPN and Expresroute won’t work on single Vnet. Thinking about trying the RRAS option with no support. Were you able to get the p2p VPN working with Azure VPN Gateway and Expressroute ? I need the users to be able to connect to the VPN and then traffic flow over the Expressroute to on premise. I was able to get the p2p VPN working with Azure VPN Gateway but could not access any resources either in Azure or on premise over Expressroute.

Sorry this is meant to be P2S VPN not P2P.

Richard M. Hicks

I’ve not tested with Express route myself, but I can tell you that using the Azure VPN gateway isn’t the ideal solution due to some of the limitations imposed by the infrastructure. Limited scalability is another challenge. RRAS does work well, is flexible and scalable, and if you can accept the non-supportability it can be a good solution.

Richard, thanks for the Azure guide; do you have similar guides for AWS routing?

Not at the moment. It is in the queue however. Look for that blog post in the near future! 🙂

Richard, Thank you for this article. We are working on implementing this in AWS. Did you ever write the equivalent post for AWS. Having searched the site, I have been unable to find one that addresses routing and site-to-site access in AWS for AoVPN.

I have implemented RRAS in AWS, but haven’t yet published a post on it. It’s on my list of things to do. I hope to have something posted on this topic in the future at some point.

[email protected]

Hi Richard Thank you so much for this article. I have always-on vpn working now in Azure with RRAS and clients being able to route back to on-prem through a express route. The missing information for me to get it working was to associate the route to the gateway subnet where the express is connected to.

Great to hear! Indeed, if you want to be able to route VPN client traffic back on-premises via site-to-site or ExpressRoute you must assign the route to the gateway subnet. It’s easy to overlook that crucial bit of information for sure. 🙂

Hi Richard, awesome article! We’re seeing the same issue as Ed though. Applying the static route to the gateway subnet doesn’t allow RRAS VPN client traffic to the on-prem subnets connected to Azure via IPSec VPN. Almost seems like that subnet needs to be created in Azure and added to the existing encryption domains for the existing IPSec tunnels? Any help appreciated!

Interesting. And you are sure that you have configured the on-premises gateway correctly? VPN client subnet is routed to Azure form on-premises? Traffic selectors updated accordingly?

We are trying the same configuration, however we are not seeing the user-defined route (client VPN subnet) being advertised into our express route. We have applied the route table to the Gateway Subnet, but it is still not working. Perhaps you can share some further detail about how you got this working?

Kind regards,

Hi Richard, a bit of a late reply.Thanks for all your help! I decided to use the RAS VPN option on an Azure VM over the Azure VPN Gateway after having so much trouble with it. I’ve been using the RAS VPN for a couple of months now and had no problems, works like BOSS. The route on the GW subnet also helped me thanks. I’m now able to communicate back over the Expressroute and access resources on-premise, the fix for me was to use Force tunneling on the adapter. When I was using split tunneling I could only get it to work with static routes which was quite messy and also allowed local internet breakout which defeats the object of the security of a VPN for me.

Hi Richard, I’m having an issue with AOVPN user tunnels when plugging an ethernet cable into a laptop that is currently connected to the VPN over wifi. What seems to be happening is that the VPN is not disconnecting even though it is on the trusted corporate network. We don’t want our users connecting over the VPN when on our corporate LAN. It seems to me that the trusted network detection is working intermittently even though I have the tag configured in the script. I’m just wondering if you have come across this before and might be able to point me in the right direction? To add we are not using lockdown mode. Thanks, Richard appreciate all your help so far!

Always On VPN and Trusted Network Detection is actually working just fine. However, if you have an existing wireless connection to the network established and you later connect directly with wired Ethernet, the Always On VPN connection just remains up (by design). You can fix this behavior by setting two specific group policy options. The settings are in the following location:

Computer Configuration > Administrative Templates >> Network >> Windows Connection Manager

The two settings that you should enable are:

Enable Windows to soft-disconnect a computer from a network = Disabled Minimize the number of simultaneous connections to the Internet or a Windows Domain = Enabled (1 – Minimized simultaneous connections)

Let me know if that helps at all!

sergiibiletskyi

Hi Richard, Here is the update to my previous message. Issue has been solved by simply adding VPN client network to source gateway address space:) Really missed the place where all GW’s network ranges are added:)

P.S. Looks my main message has not been sent:( So the issue was that i couldn’t make VPN clients be available from other VNETs via vnet-to-vnet tunnels.

Great article Richard, thanks for this. Getting AOVPN setup was a snitch in Azure following your advice, any pointers for trying to get the clients to connect to the on-premises over ExpressRoute at all? am I missing anything obvious at all?? ExpressRoute is configured with BGP.

Funny you should ask this. I just learned yesterday that you can’t access on-premises resources via Azure VPN gateway point-to-site connections! Somehow that is not supported. You can certainly connect via site-to-site, but Express route doesn’t work for some reason. Apparently this is supported using Virtual WAN though. I haven’t done much work with Virtual WAN, but I’m hoping to in the near future. It really looks like the way to go in the future.

Hi Richard, and thank you for a great article! The only problem i noticed using RRAS on Azure is when you need to let clients to reach specific public resources routed via VPN. In this case there is a need to enable NAT protocol on RRAS server and with NAT enabled there is no need to add extra routes on Azure networking side. Also, strangely enough, one of my RRAS servers with NAT enabled experience RRAS service error after restart. Faulting application name: svchost.exe_RemoteAccess, version: 10.0.17763.1, time stamp: 0xb900eeff Faulting module name: ntdll.dll, version: 10.0.17763.1131, time stamp: 0x4dc06dfc Exception code: 0xc0000374 Fault offset: 0x00000000000fb049 Faulting process id: 0xdd4 Faulting application start time

The only way to start service back is to remove NAT, start service and add NAT back in my case.

That’s certainly less than an ideal configuration (using NAT for VPN traffic), but if it works for you I can’t argue with that. 😉 Odd issue with the service crash though. I’d say opening a support case with Microsoft would be a good idea, but RRAS in Azure isn’t supported. Unless you can reproduce the issue on-premises they won’t likely give you much help.

I’d love to avoid NATing VPN clients but looks like that’s the only option with RRAS server on Azure. The private routing according to your guide works perfect but in my case i need some public resources be routed via VPN and that’s not only web services so web proxy is not an option in my case.

If you have the requirement to route Internet traffic over the VPN, then you’ll have to live with the NAT to make it work. There’s always tradeoffs! 🙂

Thanks Richard I was stuck on this for a week until I found your great article 🙂

Hi Richard, I just ran across this article and really hoped it would solve my issue but so far, no luck. My clients connect successfully to the RRAS server with SSTP. I can access resources on the RRAS server but not beyond. For example, I can ping the server’s NIC but not 8.8.8.8. What I see in Wireshark (or Network Watcher) are the packets from the client being sent but no packet ever gets a response. I am not sure what is blocking the outbound (or possibly inbound) packets. My goal is to force tunnel all traffic through the VPN when the client is connected, including internet bound traffic. For clarity, my Azure based RRAS server IP is 10.2.0.4, the static pool for VPN is 192.168.3.50 – 64 so the server’s virtual interface is 192.168.3.50 and clients get addresses in the pool above .50. All routes on the server are created by RRAS – I do not define any static routes myself. Everything works except the final route beyond the server. BTW, the RRAS server itself has no issues pinging or communicating to internet sites. Any thoughts on what step I may have missed? Also, why is a CNAME required on DNS for the public IP? Thanks

For some reason Azure does not support routing traffic to the Internet in this scenario. If you plan to use Azure, you must enable split tunneling. It is possible there’s a workaround for this, but I’m not aware of it. The CNAME is required so the subject name on your TLS certificate used for SSTP matches the FQDN used by VPN clients.

Thanks for the quick reply. Do you happen to know if P2S VPN would allow me to route all traffic over the VPN, including to the Internet? Split tunneling is what I want to avoid.

I don’t believe so, but it’s not something I’ve tested. Perhaps it works differently, not sure. Let me know if you try it!

Thanks a million for this article, Richard!

There is one small thing that we cant get to work the same way as in our current in-house infrastructure (which we are moving to Azure):

Once we have created the client’s VPN-configuration, we must set the DNS suffix to “internal.ourcompany.se” for IPv4. Without that, we have to use the FQDN when accessing resources over VPN. Also (which is strange to me), internet connection is lost for the client.

Any ideas why this is? (We don’t need to do this in our current in-house infrastructure, which uses the same setup, although we host our own DHCP-server)

Configuring the DNS suffix for the VPN connection is pretty standard. I do it for every deployment. Although it may not be strictly required (you could be providing it via group policy for example) I still do it just be certain it is there.

Hi, thanks very much for this article. Have you seen this error with this configuration “A connection between the VPN server and the VPN client IPADDRESS has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).” – A bit of googling suggests this might be getting blocked at the azure level but I see comments here of people having success with this working

Not seen that myself. I’ve deployed RRAS in Azure numerous times without issue, so it should work. I’d suspect VPN server configuration. What specifically I’m not certain though.

Thanks for this guide, was really, really helpful – I have a problem however where I can VPN in and route packets within the azure tenant, but can’t get packets across our VPN to on premise, I’ve added the route to the route table (the same route table that gets everything else down to on prem) but no luck – any tips?

Assuming your link from Azure to on-premises is a site-to-site link and not ExpressRoute it should work. If that’s the case it is either a routing issue, firewall issue, or combination of the two. 🙂

Ian Campbell

Bless your heart! I struggled with this for a day and a half before I found this article. Routing the subnet to the Virtual Appliance was what fixed it. You rule!

This is similar to kdurigan’s issue but different behavior. We’ve been running RRAS in Azure for a year with very few issues. Recently there’s been a new need to route select Internet IPs over the VPN to simplify our IP ACLs and we’re running into an odd issue. RRAS has two NICs (internal/external), and both NICs have NAT enabled so that we didn’t have to add routes to all of our SNets. IP forwarding is off on both NICs because it wasn’t needed with NAT enabled. During the initial build, I added static routes in RRAS for our internal subnets to route out of the internal NIC’s gateway and an OS-level persistent default route to use the external NIC’s gateway. Traffic didn’t route properly and clients couldn’t connect until I configured it this way. Now that VPN clients need to get to Internet IPs, I found that I needed to add a default route in RRAS as well to use the external NIC’s gateway. This works… for a little while. Some time later (minutes to an hour or two), clients are no longer able to connect to that RRAS server but it’s still online in Traffic Manager. When I remove the default route from RRAS (and reboot for good measure), it still takes about 30 minutes before clients are able to connect consistently. It seems like something with the RRAS default route is propagating into and breaking the VNet or something even though the same persistent route is set at the OS level. Has anyone run into this?

Thanks, Nate

I’ve never had success getting Internet traffic routed over an RRAS server hosted in Azure. Not sure if anyone else has had any success with that either.

Thanks, Richard. If my failure helps anyone else to not bother: I also tried using RRAS routes for individual Internet IPs (instead of a default route), since we had only a handful of them, and I had pretty good success when testing it myself. As soon as I added a few more users to the pilot, it immediately fell apart. It seemed to allow only one VPN client at a time to access an Internet route to a specific IP, like a one-to-one relationship cap between VPN clients and the Internet route. I would LOVE to know how this works under the hood; it makes little sense from an Azure user perspective. So, back to the drawing board. By the way, thanks again for all your help Richard. You’re the main reason why I have a successful implementation to begin with. You are very much appreciated.

Thanks for the kind words, Nate! 🙂

Ken Durigan

Re Richard’s comment: “I’ve never had success getting Internet traffic routed over an RRAS server hosted in Azure. Not sure if anyone else has had any success with that either.” – I have to ask… Is this only a problem in Azure or is this a cloud agnostic problem? I never did get it to work in Azure no matter what I tried.

I’ve not tried this with any other cloud provider. It could very well work in AWS, just not something I’ve tried myself.

• Always On VPN Load Balancing for RRAS in Azure | Richard M. Hicks Consulting, Inc.
• Always On VPN RRAS Monitoring and Reporting | Richard M. Hicks Consulting, Inc.
• Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN | Richard M. Hicks Consulting, Inc.
• Always On VPN Client IP Address Assignment Methods | Richard M. Hicks Consulting, Inc.

Leave a Reply Cancel reply

• Search Search

Recent Posts

• Always On VPN Security Updates August 2024
• Microsoft Security Service Edge Now Generally Available
• Always On VPN Device Tunnel Fails to Connect Automatically
• Workplace Ninja Summit Switzerland 2024
• Cloud PKI for Microsoft Intune on RunAs Radio
• Absolute Secure Access Enterprise VPN
• Absolute Secure Access Purpose-Built Enterprise VPN Advanced Features In Depth
• Absolute Secure Access Zero Trust Network Access
• Absolute Secure Access ZTNA
• Always On VPN and Multifactor Authentication
• Always On VPN DPC Advanced Features
• Always On VPN DPC with Intune
• Always On VPN Training
• Choosing an Enterprise VPN
• Citrix NetScaler ADC Load Balancing
• Digital Certificates and TPM
• DirectAccess Consulting and Troubleshooting Services
• DirectAccess Consulting Services
• DirectAccess End of Life (EOL)
• DirectAccess is now Always On VPN
• DirectAccess Training
• Drawbacks of Multifactor Authentication
• Enterprise Mobility
• Enterprise PKI
• Enterprise VPN
• F5-BIG-IP Load Balancing
• How Do VPNs Protect You From Cyber Threats?
• Implementing Always On VPN
• Implementing DirectAccess with Windows Server 2016
• Kemp LoadMaster Load Balancing
• Multifactor Authentication (MFA)
• NetMotion Mobility Enterprise VPN
• NetMotion Mobility Purpose-Built Enterprise VPN
• NetMotion Mobility Purpose-Built Enterprise VPN Advanced Features In Depth
• Network Security and Virtual Private Networks (VPNs)
• PowerON Platforms
• Richard M. Hicks Consulting Named in Enterprise Networking Magazine’s Top 10 VPN Consulting Services for 2020
• Secure Access Service Edge (SASE)
• Secure Service Edge (SSE)
• Security Service Edge (SSE)
• SSE vs. SASE
• Virtual Private Network (VPN)
• Virtual Private Networking (VPN) and the Cloud
• What Is a Secure Web Gateway?
• What is a VPN?
• What Is Always On VPN
• What's The Difference Between SSE and SASE?
• Zero Trust Network Access (ZTNA)

Always On VPN Resources

• Always On VPN Advanced Features
• Always On VPN Enhancements
• Always On VPN Features
• Always On VPN Remote Access
• Always On VPN Technology Overview
• Always On VPN Troubleshooting
• Deploy Always On VPN

DirectAccess Resources

• DirectAccess Kemp Load Balancer Deployment Guide
• DirectAccess Mailing List
• DirectAccess on Microsoft TechNet
• DirectAccess Play-by-Play Video
• DirectAccess Video Training
• DirectAccess Videos on YouTube
• Remote Access on Microsoft TechNet

Active Directory ADC Always On VPN AOVPN application delivery controller authentication Azure bug CA certificate certificates Certification Authority cloud configuration device tunnel DirectAccess DNS EAP education encryption endpoint manager enterprise mobility error F5 firewall Forefront Forefront UAG GPO group policy high availability hotfix IKEv2 Important Links InTune IP-HTTPS IPsec IPv6 IPv6 transition technology Kemp learning load balancer load balancing LoadMaster management Manage Out MDM MEM Microsoft Microsoft Endpoint Manager Microsoft Intune Mobility multisite NetMotion NetMotion Mobility Networking network location server network policy server NLB NLS NPS NRPT PEAP performance PKI PowerShell ProfileXML public cloud RADIUS RAS RasClient redundancy Remote Access routing routing and remote access service RRAS SCCM security SSL SSTP System Center Configuration Manager TLS training troubleshooting UAG update user tunnel VPN vulnerability Windows Windows 7 Windows 8 Windows 10 Windows 11 Windows Server Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2022 XML

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

IPv6 routing in Routing & Remote Access Services VPN

I am trying to configure IPv6 IP Pool on Microsoft RRAS VPN Server the RRAS server is assigning the IPv6 IP Address to the remote access clients but when I test the IPv6 address assignment from "test-ipv6.com/" it says "No IPv6 address detected" inspite that the RRAS server is assigning the IPv6 address to connected clients. A brief info of my config .

IPv6 Pool : 2602:ff84:1::

IPV6 IP on server Network Adaptor : 2602:ff84:1::2/64

Gateway on IPv6 interface on server : 2602:ff84:1::1

IPv6 Pool on RRAS : 2602:ff84:1::

"Enable IPv6 Forwarding" Checkbox selected in RRASVPN server "Enable Default route advertisement" Checkbox selected in RRASVPN server

Clients are assigned the IPv6 IP address from the RRAS server pool. When I try to ping the IPv6 address assigned to server (2602:ff84:1::2) ping responds but when I try to ping the gateway set on the server (2602:ff84:1::1) ping doesn't responds and show connection time out. Any ideas what could be the problem.

Any help is highly appreciated.. Thanks Frank

• windows-server-2008
• windows-server-2012

• Have you looked at the routes? For instance Get-NetRoute -AddressFamily IPv6 And try a traceroute, e.g. tracert -d -6 www.google.com –  Michael Hampton Commented Nov 10, 2015 at 3:11
• When I take tracert to google from the client side the first hop it shows is the the IP of the internal interface(RAS (Dial In) Interface) of the RRAS server after that the packet drops..... –  Frank Commented Nov 10, 2015 at 8:49
• That suggests that either the RRAS server isn't forwarding, or it doesn't have IPv6 connectivity configured properly for itself. –  Michael Hampton Commented Nov 10, 2015 at 8:51
• Exactly you are right ........When I tracert -6 google.com from server the response is normal I can also ping the IPv6 address of google.com from server the IPV6 connectivity is fine at the RRAS server but from the client this wierd problem is coming.....by the way what do you suggest in this case.... I am having the same exact issue this user has on the technet social.technet.microsoft.com/Forums/windowsserver/en-US/… –  Frank Commented Nov 10, 2015 at 9:15
• Any suggestions...???? –  Frank Commented Nov 10, 2015 at 15:24

You must log in to answer this question.

Browse other questions tagged windows-server-2008 vpn windows-server-2012 ipv6 rras ..

• The Overflow Blog
• Where does Postgres fit in a world of GenAI and vector databases?
• Mobile Observability: monitoring performance through cracked screens, old...
• Featured on Meta
• Announcing a change to the data-dump process
• Bringing clarity to status tag usage on meta sites

Hot Network Questions

• Is there a way to resist spells or abilities with an AOE coming from my teammates, or exclude certain beings from the effect?
• Image Intelligence concerning alien structures on the moon
• How is it possible to know a proposed perpetual motion machine won't work without even looking at it?
• Displaying a text in the center of the page
• In Top, *how* do conjugate homorphisms of groups induce homotopies of classifying maps?
• Why did the Fallschirmjäger have such terrible parachutes?
• How do you end-punctuate quotes when the entire quote is used as a noun phrase?
• Does the order of ingredients while cooking matter to an extent that it changes the overall taste of the food?
• How do we reconcile the story of the woman caught in adultery in John 8 and the man stoned for picking up sticks on Sabbath in Numbers 15?
• Maximizing the common value of both sides of an equation
• How specific does the GDPR require you to be when providing personal information to the police?
• bash script to run a python command with arguments in batch
• Coding exercise to represent an integer as words using python
• How does the summoned monster know who is my enemy?
• Reusing own code at work without losing licence
• How to remove obligation to run as administrator in Windows?
• Why is the movie titled "Sweet Smell of Success"?
• take measures to-infinitive
• All stationary martingales are constant?
• How can judicial independence be jeopardised by politicians' criticism?
• Could someone tell me what this part of an A320 is called in English?
• AM-GM inequality (but equality cannot be attained)
• Whatever happened to Chessmaster?
• What does "seeing from one end of the world to the other" mean?

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

How to assign static IPv6 address to RRAS VPN client

Hi, Community.

How to assign static IPv6 address to MS Windows RRAS VPN client?

There is a Windows Server 2019 instance with RRAS role configured. RAS/VPN server is configured well - clients can connect. IPv6 prefix for RRAS is fd8f::

Then I would like to assign static IPv6 address to a VPN client. I navigated to user's account -> dial-in -> assign static IP address. There I enabled IPv6 and specified prefix as fd8e:: and interface ID as ::10 . Then I pressed "Apply" - no any errors arrised. When the user reconnected - it got a IPv6 address dynamically assigned by RRAS from its IPv6 prefix, however expected IPv6 address should be fd8e::10

It looks as if RRAS accepts static IPv4 address configuration (it works perfect) but fully ignores static IPv6 address configuration.

Could anybody clarify it?

Thank you in advance.

Windows Server 2019 A Microsoft server operating system that supports enterprise-level management updated to data storage. 3,677 questions Sign in to follow Follow

Windows Server Infrastructure Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications. Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements. 532 questions Sign in to follow Follow

Thanks for posting in Q&A platform.

I did a lab per your description in my environment and here are results for your reference.

Scenario 1: the IPv6 prefix assignment was set "fd8e::" on VPN server

User account settings

VPN server settings

VPN client side

Scenario 2: the IPv6 prefix assignment was set "fd8f::" on VPN server

Best Regards, Sunny

============================================

If the Answer is helpful, please click " Accept Answer " and upvote it.

Note: Please follow the steps in our  documentation  to enable e-mail notifications if you want to receive the related email notification for this thread.

Hi, SunnyQi

And what we can see from your comment? How your comment can help me? Were you able to configure a static IPv6 address for VPN client in your tests or not?

From your screenshots, we all can see that only IPv6 prefix is changed and IPv6 address is still auto-cnfigured. You even selected it by RED border. My question (as you can see from description) is:

For example, I would like to assign IPv6 address fd8e::10 to a VPN client. How to do it?

Thank you so much in advance for being more attentive in future.

Thanks for your update and sorry for didn't clarify my comment clearly.

Per my lab result as above screenshots, the prefix and interface ID set in Dial-in tab of user account didn't take effect for VPN client. And only the prefix set in VPN server can take effect for VPN client.

Although we set prefix and interface ID in user account, the VPN client only obtained prefix as per settings on VPN server and cannot obtain expected prefix and interface ID which set in user account. It seems that your conclusion "It looks as if RRAS accepts static IPv4 address configuration (it works perfect) but fully ignores static IPv6 address configuration." was correct!

I also did some research from my side and it seem that there is no official document regarding of how to assign static IPv6 address to RRAS VPN client.

Thank you for your understanding.

If the Answer is helpful, please click " Accept Answer " and upvote it. Note: Please follow the steps in our  documentation  to enable e-mail notifications if you want to receive the related email notification for this thread.

Thank you for reply and clarification.

It is the weird thing: functionality exists, interface element exist - documentation is absent. Yes, I know that these settings impact nothing. I dug Internet for 2 months while tried to understand this oddity. And I found nothing. Nothing. Just imagine: I spent two months of my life trying to clarify very easy functionality which is declared by Microsoft as working "just out from the box". How many non-working functionality inside Windows? Nobody cares.

Windows is a weird thing - it contains very wide functionality which doesn't work. I opened tons of requests to Microsoft support and even they weren't able to answer at least something. Closed as not resolved, not resolved, not resolved, not resolved.....

Anyway. Thank you for your time and attention.

The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows Server. You can report this issue to Microsoft directly with the Feedback Hub app.

Sharing your feedback is quick and easy. Please logon your Windows 10 device and use the Feedback Hub application. In the app, click the Report a problem button. Please enter your feedback and then choose the Windows Server category and then the appropriate subcategory for submitting your feedback.

For more information on using the app, click here: https://support.microsoft.com/en-us/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app

As you have provided me the link to this discussion, I post this update as proof that this discussion was initiated by me. You didn't read this page at all but if you will spend just 5 minutes reading it - you will find that there are no useful answers.

SunnyQi-MSFT just confirmed that functionality doesn't work in Microsoft OS.

Best regards.

• Configure RRAS with a Computer Authentication Certificate

Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2)-based virtual private networks (VPNs) use certificate-based authentication methods. To support SSTP or IKEv2-based VPNs, you must install a properly configured certificate on the VPN server.

The computer certificate you configure on the RRAS server must have either the Server Authentication or All-Purpose enhanced key usage (EKU) property. This computer certificate is used by the VPN client to authenticate the RRAS server when the session is established.

Where to install certificates

On the RRAS server:

• Install the root CA certificate for the certification authority (CA) that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities.
• Install the server authentication certificate that was issued by the CA into the store Local Computer\Personal.

On the remote VPN client:

• Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.
• If the client will need to use IKEv2 VPN connections to the server, then a client authentication certificate that was issued by the CA must be installed in the store Local Computer\Personal.

Additional references

• Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=136444)
• Configuring RRAS

Table Of Contents

• Common Remote Access Scenarios
• Common Routing Scenarios
• Requirements for Installing RRAS as a VPN Server
• Dial-Up Networking
• Permissions for Remote Access Users
• IP Address Assignment
• Remote Access Authentication Protocols
• Network Policies
• Checklist: Installing and Configuring an RRAS VPN Server
• Checklist: Installing and Configuring an RRAS Router
• Checklist: Configuring Remote Access Behind a NAT-Enabled Router
• Checklist: Connecting Remote Sites
• Install RRAS
• Open the RRAS MMC Snap-in
• Configure a Dial-Up Remote Access Server
• Configure the Way RRAS Assigns IP Addresses to VPN Clients
• Configure Logging Levels for RRAS
• Configure Network Access Protection Enforcement for VPN
• Configure Ports for Remote Access
• Configure the IPv4 DHCP Relay Agent
• Configure the IPv6 DHCP Relay Agent
• Configure TCP/IP on the RRAS Server
• Create a Demand-Dial Interface
• Create a Static Route
• Enable and Configure NAT
• Enable and Configure RIP
• Enable IPv6 Remote Access
• Enable RRAS as a LAN and WAN Router
• Enable RRAS as a VPN Server
• Enable RRAS as a VPN Server and a NAT Router
• Remove RRAS from a Server
• View Information in RRAS
• Troubleshooting RRAS
• Resources for RRAS
• RRAS Setup Wizard - Configuration Page
• RRAS Setup Wizard - Remote Access
• RRAS Setup Wizard - Remote Access - Dial-up - Network Selection
• RRAS Setup Wizard - Remote Access - IP Address Assignment
• RRAS Setup Wizard - Remote Access - Managing Multiple Remote Access Servers
• RRAS Setup Wizard - Remote Access - VPN Connection Page
• RRAS Setup Wizard - Custom Configuration
• RRAS Setup Wizard - Address Range Assignment
• RRAS Setup Wizard - NAT Internet Connection Page
• RRAS Setup Wizard - Demand-Dial Connections Page
• RRAS Setup Wizard - Closing Page
• RRAS Server Properties Page - General Tab
• RRAS Server Properties Page - Security Tab
• RRAS Server Properties Page - IPv4 Tab
• RRAS Server Properties Page - IPv6 Tab
• RRAS Server Properties Page - IKEv2 Tab
• RRAS Server Properties Page - PPP Tab
• RRAS Server Properties Page - Logging Tab
• Network Interfaces - Demand-dial - Properties Page - General Tab
• Network Interfaces - Demand-dial - Properties Page - Options Tab
• Network Interfaces - Demand-dial - Properties Page - Security Tab
• Network Interfaces - Demand-dial - Properties Page - Networking Tab
• Network Interfaces - Demand-dial - Set IP Demand-dial Filters
• Network Interfaces - Demand-dial - Set IPv6 Demand-dial Filters
• Remote Access Clients
• Remote Access Logging & Policies
• IPv4 - General - Properties Page - Logging Tab
• IPv4 - General - Properties Page - Preference Levels Tab
• IPv4 - General - Properties Page - Multicast Scopes Tab
• IPv4 - General - Interface - Properties Page - General Tab
• IPv4 - General - Interface - Properties Page - Multicast Boundaries Tab
• IPv4 - General - Interface - Properties Page - Multicast Heartbeat Tab
• IPv4 - Static Routes - New IPv4 Static Route
• IPv4 - DHCP Relay Agent - Properties Page
• IPv4 - DHCP Relay Agent - Interface - Properties Page
• IPv4 - IGMP - Properties Page
• IPv4 - IGMP - Interface - Properties Page - General Tab
• IPv4 - IGMP - Interface - Properties Page - Router Tab
• IPv4 - NAT - Properties Page - General Tab
• IPv4 - NAT - Properties Page - Translation Tab
• IPv4 - NAT - Properties Page - Address Assignment Tab
• IPv4 - NAT - Properties Page - Name Resolution Tab
• IPv4 - NAT - Interface - Properties Page - NAT Tab
• IPv4 - NAT - Interface - Properties Page - Address Pool Tab
• IPv4 - NAT - Interface - Properties Page - Services and Ports Tab
• IPv4 - RIP - Properties Page - General Tab
• IPv4 - RIP - Properties Page - Security Tab
• IPv4 - RIP - Interface - Properties Page - General Tab
• IPv4 - RIP - Interface - Properties Page - Security Tab
• IPv4 - RIP - Interface - Properties Page - Neighbors Tab
• IPv4 - RIP - Interface - Properties Page - Advanced Tab
• IPv6 - General - Properties Page
• IPv6 - General - Interface - Properties Page
• IPv6 - Static Routes - New IPv6 Static Route
• IPv6 - DHCPv6 Relay Agent - Properties Page - General Tab
• IPv6 - DHCPv6 Relay Agent - Properties Page - Servers Tab
• IPv6 - DHCPv6 Relay Agent - Interface - Properties Page
• Demand-Dial Interface Wizard - Connection Type Page
• Demand-Dial Interface Wizard - VPN Type Page
• Demand-Dial Interface Wizard - Protocols and Security Page
• Dialog Box - Add Address Pool
• Dialog Box - Add or Edit IPv4 Filter
• Dialog Box - Add or Edit IPv6 Filter
• Dialog Box - Add or Edit Service
• Dialog Box - Add RADIUS Accounting Server
• Dialog Box - Add RADIUS Authentication Server
• Dialog Box - Add Reservation
• Dialog Box - Authentication Methods
• Dialog Box - Configure Device
• Dialog Box - Inbound and Outbound Filters
• Dialog Box - Port Status
• Dialog Box - PPP Settings
• Dialog Box - Reserve Addresses
• Dialog Box - Smart Card or Other Certificate Properties
• Dialog Box - VPN Advanced Properties