How to Set Up VPN for Windows Home Server 2011

Mar 26, 2012 by

Most workplaces have a VPN server so you can log in to your desktop at work from home.  Far fewer people have the same luxury in the other direction: logging in to their desktop at home from work.  Windows Home Server gives you remote access to your files and some limited server-management functionality, but out of the box there is no way to remote desktop into your home desktop, laptop or HTPC.  Since WHS2011 is built on Windows Server 2008 R2, you can get at some of the functional bits under the hood to enable VPN, among other more advanced server features.  A lot of people seem to have given up and installed something like LogMeIn or LogMeIn Hamachi.  Those are fine products in their own right, but the capability is already built into Windows Home Server, and you should take advantage of it.  A VPN lets you log in to your home network as if you were sitting there connected to your home Wi-Fi router: you can remote into any machine and do whatever you want, and because RDP is never exposed to the Internet, that pesky RDP vulnerability uncovered recently is not reachable from outside (patch it anyway).  VPN traffic is encrypted, so the prying sysadmin eyes at work see only that you opened a TLS connection to your home server, not what you did over it.  You expose a single port (443) to the Internet at large, VPN in, and have access to whatever you want on your home network.  Regardless of why you want to VPN into your home network, here is how you do it!

 

Setting up the VPN Server
  • Remote Desktop into your WHS2011 box (type mstsc in the Start menu)
  • Open Server Manager
  • Right-click “Network Policy and Access Services”
  • Select “Add Role Services”
(screenshot: Server Manager Role)
  • Tick the “Routing and Remote Access Services” check box
  • This should tick both “Remote Access Service” and “Routing”
  • Click “Next >”
(screenshot: Select Role Services)
  • Confirm these settings and click “Install”
(screenshot: Confirm installation)
  • Click “Close” to finish
  • Back in Server Manager, expand Network Policy and Access Services
  • Right-click “Routing and Remote Access” and select “Configure and Enable Routing and Remote Access”
(screenshot: Configure Remote Access)
  • Click “Next >”
  • Select “Custom configuration”.  Be careful here: if you select “Remote access”, as one might expect, you get a conflict with NPS later in the process and Remote Desktop stops working once the services start.  If that happens, Remote Desktop into the server and disable the “Routing and Remote Access” service before it starts, so you can reconfigure VPN.
(screenshot: Custom Configuration)
  • Tick the box next to “VPN access”
(screenshot: Custom Configuration)
  • Click “Finish” to complete the wizard
  • You may get a warning about a conflict with NPS.  With the custom configuration it does not break anything; click “OK” to dismiss it.
  • A dialog will pop up asking you to start the Routing and Remote Access service.  Click “Start service”
  • The server is now set up, but it does not know what IP addresses to hand out to clients.  You can either point it at a DHCP server or configure a static pool of IP addresses to assign.  Here we do the latter.
  • Back in Server Manager, right-click “Routing and Remote Access” under the “Network Policy and Access Services” heading
  • Select “Properties”
  • On the IPv4 tab, under IPv4 address assignment, select “Static address pool”
  • Click “Add…”
(screenshot: IP Address Pool)
  • Define a range between “Start IP address” and “End IP address” that lies outside your router’s DHCP range
(screenshot: IP Address Configuration)
  • Here is an example of my Linksys E200 DHCP range.  Specify a range the router will never hand out, otherwise a VPN client and a LAN device can end up with the same address.
(screenshot: DHCP Example)
  • Click “OK” to save the IP address pool
  • Click “OK” to save the properties
  • Your VPN server is now set up and started!
  • Not so fast.  Nobody has permission to use it yet.  Do the following for each user you want to grant access:
  • Open the Computer Management console
  • Expand “Local Users and Groups” and select “Users”
(screenshot: User Selection)
  • Right-click the user and select “Properties”
  • Select the “Dial-in” tab
  • Under “Network Access Permission”, select “Allow access”
(screenshot: Allow Access for single user)
  • Click “OK” to save these settings.
  • The user can now use the VPN once you set up the client PC.
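The same server-side setup, scripted for an elevated PowerShell session on the WHS2011 box. This is an added example and not code from the original post; the role-service name NPAS-RRAS-Services and the netsh ras commands are the Server 2008 R2 ones, while the address ranges and the account name are placeholders you must change. The “Configure and Enable Routing and Remote Access” wizard step (Custom configuration, VPN access) is still done in the GUI as described above. The script refuses a pool that overlaps the router’s DHCP range, restricts password authentication to MS-CHAP v2, and ends with the checks worth running before you open the router: the pool, who may dial in, which certificate is bound to port 443 (that is what SSTP will present), and the firewall rules RRAS created.

```powershell
# Added example (not from the original post). Run elevated on WHS2011 / Server 2008 R2.
# Assumed values - edit to match your network and accounts:
$DhcpStart = "192.168.1.100"   # your router's DHCP range, from its admin page
$DhcpEnd   = "192.168.1.149"
$PoolStart = "192.168.1.200"   # VPN client pool; must not overlap the DHCP range
$PoolEnd   = "192.168.1.219"
$VpnUsers  = @("chris")        # local WHS accounts allowed to dial in (placeholder)

function ConvertTo-IPv4UInt32 ([string]$Address) {
    # Dotted quad -> unsigned 32-bit integer so ranges can be compared numerically.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)             # network byte order -> little-endian for BitConverter
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-RangeOverlap ([string]$AStart, [string]$AEnd, [string]$BStart, [string]$BEnd) {
    # True when the two inclusive address ranges share at least one address.
    $aInB = (ConvertTo-IPv4UInt32 $AStart) -le (ConvertTo-IPv4UInt32 $BEnd)
    $bInA = (ConvertTo-IPv4UInt32 $BStart) -le (ConvertTo-IPv4UInt32 $AEnd)
    return ($aInB -and $bInA)
}

if (Test-RangeOverlap $PoolStart $PoolEnd $DhcpStart $DhcpEnd) {
    throw "VPN pool $PoolStart-$PoolEnd overlaps the router's DHCP range $DhcpStart-$DhcpEnd"
}

# 1. Role service "Routing and Remote Access Services" (brings in Remote Access Service + Routing).
Import-Module ServerManager
Add-WindowsFeature NPAS-RRAS-Services

# --- now run the "Configure and Enable Routing and Remote Access" wizard in Server Manager
#     (Custom configuration -> VPN access -> Finish -> Start service), then continue below ---

# 2. Static address pool instead of relaying the router's DHCP.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=$PoolStart to=$PoolEnd

# 3. Password authentication: MS-CHAP v2 only. PAP sends the password in the clear inside the tunnel
#    and is pointless on a home server.
netsh ras delete authtype type=pap
netsh ras add authtype type=mschapv2

# 4. Per-user dial-in permission (the "Dial-in" tab), then make sure RRAS starts at boot
#    and picks up the new settings.
foreach ($u in $VpnUsers) { netsh ras set user name=$u dialin=permit }
Set-Service RemoteAccess -StartupType Automatic
Restart-Service RemoteAccess

# 5. Checks before opening the router.
netsh ras ip show config                     # address assignment method and pool
netsh ras show authtype                      # should list MSCHAPv2 (and EAP), not PAP
foreach ($u in $VpnUsers) { netsh ras show user name=$u }
netsh http show sslcert                      # certificate bound to 0.0.0.0:443 = what SSTP presents
Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, NotAfter, Thumbprint
netsh advfirewall firewall show rule name=all | findstr /i "SSTP PPTP GRE L2TP"
```

If the certificate that netsh http show sslcert reports does not carry the name clients will connect to, or its issuer is not trusted on the client, SSTP will fail even though port 443 is reachable; that is the first thing to look at when Remote Web Access works in a browser but the VPN does not.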

Port Forwarding

  • Forward TCP port 443 on your router to the home server for SSTP.  http://portforward.com/ has instructions for most router models.
  • SSTP is ordinary TLS on TCP 443, so no “VPN passthrough” setting is involved for it.  Those router options matter for the other protocols: PPTP needs TCP 1723 plus GRE (IP protocol 47, which is what “PPTP passthrough” enables; it is a protocol number, not a port), and L2TP/IPsec needs UDP 500, 4500 and 1701.  Forward only the ports for the protocol you actually use.
  • The SSTP client validates the server certificate: the name you type into the client must match the certificate bound to port 443 on the server (netsh http show sslcert; on WHS2011 this is normally the Remote Web Access certificate), the client must trust its issuer, and by default it also checks the certificate’s revocation list.  If Remote Web Access loads in a browser but the VPN fails with error 800, check the certificate first.
  • If you fall back to PPTP because a client cannot do SSTP, be aware that PPTP’s MS-CHAP v2 authentication can be cracked from a packet capture; treat it as a last resort.
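A way to test the port forward from outside, as an added example that is not part of the original post. Run it on a machine that is not on your home network (tethered to a phone, or at work); $VpnHost is assumed to be the name you will type into the VPN client. It checks three things in order, so a failure tells you which layer is at fault: whether TCP 443 is reachable at all (router or port forward), whether TLS completes and what certificate the client will be asked to trust (name, issuer chain, expiry), and whether an SSTP listener answers on that port rather than just the Remote Web Access web site. The last check sends the SSTP_DUPLEX_POST request that the SSTP client sends first (MS-SSTP); RRAS answers it with HTTP/1.1 200 OK, anything else means port 443 reaches something that is not SSTP.

```powershell
# Added example (not from the original post). Run from OUTSIDE your home network.
$VpnHost = "myserver.homeserver.com"   # assumed: the name you will give the VPN client

function Test-SstpEndpoint ([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)          # fails here => port forward / router problem
    } catch {
        return "TCP $Port unreachable: $($_.Exception.Message)"
    }

    # Accept any certificate for the probe; it is inspected explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)        # fails here => TLS problem, not SSTP
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Name and trust checks mirror what the SSTP client enforces on connect.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName  = $cert.GetNameInfo($nameType, $false)
    $chain    = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted  = $chain.Build($cert)
    $status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","

    # First SSTP message: an HTTP request with a custom method to the fixed SSTP URL.
    $req = "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1`r`n" +
           "Host: $HostName`r`n" +
           "Content-Length: 18446744073709551615`r`n" +
           "SSTPCORRELATIONID: {$([Guid]::NewGuid())}`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($req)
    $ssl.Write($bytes, 0, $bytes.Length)
    $ssl.Flush()
    $statusLine = (New-Object System.IO.StreamReader($ssl)).ReadLine()
    $tcp.Close()

    return @(
        "cert subject  : $($cert.Subject)",
        "cert DNS name : $dnsName (must match '$HostName')",
        "cert expires  : $($cert.NotAfter)",
        "chain trusted : $trusted ($status)",
        "SSTP response : $statusLine (want 'HTTP/1.1 200 OK')"
    )
}

Test-SstpEndpoint $VpnHost
```

A mismatch between the DNS name line and the host you connect to, or a chain status other than empty, explains most “error 800” reports when the Remote Web Access page itself loads fine.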
Configuring the Clients
Assuming you are using Windows 7 as the VPN client, here is how to connect.  Any version of Windows that supports VPN should work in a similar fashion; for example, I have confirmed that the Windows 8 Consumer Preview will connect via VPN to WHS2011.  Here are the screen-by-screen instructions for Windows 7.
  • Open the Network and Sharing Center and click “Set up a new connection or network”
(screenshot: Setup New Connection)
  • Select “Connect to a workplace” and click “Next”
(screenshot: Connect to Workplace)
  • Select “No, create a new connection” and click “Next”
(screenshot: Create new Connection)
  • Select “Use my Internet connection (VPN)”
(screenshot: Use my internet connection)
  • In the “Internet address:” box type the address of your home server; if you are using Microsoft’s domain name service that is <Server_Name>.homeserver.com
  • Type anything convenient in the “Destination name:” box
(screenshot: Server Name)
  • Click “Next”
  • Fill in the credentials for the user you granted access to earlier
(screenshot: Credentials)
  • Click “Connect”
  • You should get the success message “You are connected”
(screenshot: Connected!)
  • From now on you only have to hit Connect and provide the credentials
  • You should now be able to use the network as if you were at home!
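The client connection the wizard above creates, built from PowerShell with its settings pinned down. This is an added example and not code from the original post; it needs the VpnClient module that ships with Windows 8 / Server 2012 and later (on Windows 7 use the wizard; the rasdial part works there too), and the host name, connection name and user name are placeholders. The point of scripting it is what the wizard leaves to defaults: the tunnel type is fixed to SSTP so the client cannot silently fall back to PPTP, encryption is required rather than optional, the authentication method is MS-CHAP v2 rather than PAP, and the password is not cached on the laptop.

```powershell
# Added example (not from the original post). Windows 8 / Server 2012 or later for Add-VpnConnection.
$VpnHost = "myserver.homeserver.com"   # assumed: your homeserver.com name
$VpnName = "Home"                      # assumed: the "Destination name"
$User    = "chris"                     # assumed: the account granted dial-in access

# Create (or, with -Force, replace) the connection with explicit security settings.
Add-VpnConnection -Name $VpnName -ServerAddress $VpnHost `
    -TunnelType Sstp `
    -EncryptionLevel Required `
    -AuthenticationMethod MSChapv2 `
    -RememberCredential:$false `
    -SplitTunneling:$false `
    -Force

# Connect. The "*" makes rasdial prompt for the password instead of taking it on the
# command line, where it would end up in the shell history.
rasdial $VpnName $User *

# Confirm the tunnel is up and that the server handed out an address from its static pool.
Get-VpnConnection -Name $VpnName | Select-Object Name, TunnelType, ConnectionStatus
ipconfig | Select-String -Context 0,3 "PPP adapter $VpnName"

# When you are done:
rasdial $VpnName /disconnect
```

With split tunnelling off, all of the client’s Internet traffic goes out through the home connection while the VPN is up, which is what “use the network as if you were at home” implies; turn it on with -SplitTunneling if you only want the home LAN routed through the tunnel.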
And with that, sound off in the comments if you have any issues with this long, overly-complex process.


  • Anonymous

    You can also connect to this VPN server from your iPhone or iPad. I do this with my WHS v1. It secures web browsing when on public access points and allows access to devices on your home network. Unfortunately, Bonjour doesn’t work over VPN, so Wi-Fi sync will not work.

  • Chris Barnes

    Yup! You can even remote desktop with an iOS device and VPN. Could potentially access your remote potato streaming this way as well.

  • http://twitter.com/byobpodcast BYOB Podcast

    Great article.  Thanks for the information.

  • http://SimplPixl.com/ Ben Wade

    Wow.  Totally doing this when I get home tonight.  Nice article Chris.

  • http://packageology.com Dan Gough

    Thanks for posting this.  I was always under the impression that the built in VPN needed 2 NICs?  If not then great timing, I was just about to try Hamatchi!

  • Chris Barnes

    In my admittedly limited understanding, the router gets the (internet) VPN traffic and passes you through to the (intranet) server. What you are thinking of is one NIC for LAN and one NIC for the internet. That is what your router does already! So as long as you have a router with VPN passthrough you should be fine with one NIC.

  • Mark Myers

    Very cool info and well written, thank you!  Do you know if this same VPN functionality is built into Server 2003 (i.e. WHS V1)?

    So in the 2nd to last screen shot, if you selected the checkbox to remember the password, will the client then automatically connect to the server via the VPN whenever it is turned on without further interaction?   Just thinking of remote backups for relatives who may (or more likely may not) remember to log in each time.  Currently using Hamachi, but they are playing games with the number of allowed users for the free subscription.

  • Chris Barnes

    If you save the credentials it will not log in automatically, but you only have to hit connect. You don’t have to remember the password and neither does anyone who picks up your laptop (read: security risk). Anyway I have no idea how to set this up on Server 03 which is what WHS V1 is built upon. I am sure there is a way, but it is probably a very different process.

  • http://blog.jussipalo.com/ Jussi Palo

    For some reason this doesn’t work (error 800, “The remote connection was not made because the attempted VPN tunnels failed”). I do have proper TCP443 port forward as I can access web sites on my WHS from outside. Also I have all three VPN settings enabled in my dd-wrt router (IPSec, PPTP, L2TP).

    Are there any other port forwards required in addition to this TCP443? What Firewall rule should I be looking at in my WHS box to allow VPN?

  • Chris Barnes

    Looks like your installation of dd-wrt does not support SSTP. I have not tested this, but you can try one of the other protocols. I am not terribly sure if there needs to be other changes for these. WHS should poke the necessary holes in the Windows firewall, but the rules are called “Routing and Remote Access” and there is one rule per protocol both inbound and outbound. You will also want to make sure that the traffic is being encrypted. SSTP is encrypted by definition. That is why I used it for this guide. Anyway here are the ports:
    PPTP: TCP 1723
    L2TP: UDP500, UDP 4500, UDP 1701
    Not sure about IPSec, you might have to google for that one.
    I’d also recommend that you find which protocol works and then turn off the other passthrough types and un port forward the ports corresponding with the protocols that are not being used. Do come back and let us know how it went!

  • http://twitter.com/NapaValSecurity Paul |Diana Woodward

    VPN connected fine but not seeing computers connected to the WHS 2011 although I can ping them.  I’m planning to move DHCP management from the Router to the WHS 2011 and add the DNS role there to see if this fixes the issue.  Any suggestions?

    The other bothersome issue is I see “Not NAP-capable” for the Windows 7 machine I’m using to VPN to the WHS 2011 server.  I turned on the Network Access Protection and Health Key and Certificate Management services but still get this status.  Any ideas?
     

  • http://packageology.com Dan Gough

    If you can ping them what do you mean by ‘not seeing them’? I can access other machines by entering \\ComputerName in Explorer, but I cannot see any machines in Homegroup. I think the reason for this is that Homegroup relies on IPv6.

  • Chris Barnes

    You should be able to remote into any machine that supports it. Not Home Premium for example. Pro and up support RDP. To remote you have to use the machine’s IP address.
    Not sure about the Not NAP-capable issue. I have not experienced that.
    I’ve also wanted to move DHCP and DNS onto the home server, but a) the little router works just fine for now and b) I just have not done it yet, so maybe another post for another time.

  • Chris Barnes

    That sounds about right. Forget Homegroup, use the public shares and homeserver shares to access the same information. Homegroup is like a poor-mans decentralized homeserver of sorts. Is there anything you do with homegroups that cannot be done better with WHS?

  • Anonymous

    Great guide, but I cannot connect to my server with my Netgear DG834GT even though I have forwarded port 443, both TCP and UDP. Any suggestions? Thanks

  • Chris Barnes

    This may sound weird, but can you VPN while you are inside the network? If not you likely have the server configured incorrectly. If you can, then it is the router. Not sure how to fix this, but you could always try to use one of the other protocols. Using the same config I have tested PPTP. Just be careful as SSTP is encrypted by definition and these are not. Try one of these:
    PPTP: TCP 1723
    L2TP: UDP500, UDP 4500, UDP 1701

  • Chris Barnes

    While replying to someone else above I had an idea. “This may sound weird, but can you VPN while you are inside the network? If not you likely have the server configured incorrectly. If you can, then it is the router.” Might that give us some insight?

  • http://twitter.com/A_lex_B alexb

    I believe there’s a mistake in this article with regard to port forwarding.  There are 2 ports you need to forward: 1723 and 47.  (both TCP)  Like other commenters, I couldn’t connect either until I did some googling and discovered you need 1723 and 47 forwarded, not 443.  

  • Chris Barnes

    Sort of. There are a handful of VPN protocols. PPTP goes over 1723, so you can use that and it will work. The article specifically calls out SSTP over port 443. That is what I am using and should work, but you can fall back to PPTP if it doesn’t. So it sounds like you are actually using PPTP, meaning you can remove the port forwarding for 443 and stick to 1723. Also port 47 does not need to be forwarded. For PPTP it must be IP Protocol 47 which is done when you allow for PPTP pass through. Hope that helps clear things up a bit!

  • Anonymous

    I am able to connect following the instructions (great, by the way – thanks).  I however continue to get an “authentication failed” message when logging in via my iPad 2.  Any suggestions?

  • http://www.barnesian.com/ Chris Barnes

    iPad 2 does not support SSTP aka VPN over SSL on port 443, so you will have to use PPTP.  Port forward TCP 1723 and make sure you have VPN passthrough  enabled on your router and you should be good to go! 

  • http://twitter.com/A_lex_B alexb

     Amending my earlier comment.  Port 443 is correct for SSTP, but if you’re using PPTP (like many of us) it’s port 1723.  (and optionally port 47 – not entirely sure about that) 

  • http://packageology.com Dan Gough

    It might be unrelated, but shortly after setting this up the LAN performance on my server dropped through the floor, getting transfers of around 1MB/sec on a 100Mb LAN.  I tried disabling it but no change, had to reinstall the server.  I will try this again and see how I go, and will make a backup this time!

  • http://www.barnesian.com/ Chris Barnes

    Correct it is port 1723 for PPTP, although port 47 is not needed.  It is ip protocol 47 which is what gets opened up when you enable VPN passthrough on the router.  

  • http://www.barnesian.com/ Chris Barnes

    Yikes.  I never encountered this.  Sounds like something got mixed up.  If that happens again you might try a wireshark capture to see what kind of traffic it is spewing out.

  • Pingback: BYOB Episode 85 » RacecarMike

  • bjerha

    Hi,
    thanks for the guide.

    I got a problem though. When I connect, after some seconds, I get a “Link to failed” message, and I get the option to redial. When I try to redial, it shows up again after a second.

  • http://www.facebook.com/john.lahr.9 John Lahr

    I am for some reason able to successfully connect to the HTTPS pages on the home server and also the management page but not to the connector at http://serverip/connect/. Any ideas what is wrong? Should the client PC see a default gateway on the subnet and should the server have an address on the VPN network or not as currently it is showing x.x.x.0 as the ip for the VPN’s virtual adaptor.
    The WHS is running on a 2008r2 server as a Hyper-V machine.
    I have bound the WHS VPN to the network card as seen on the home server and not allowed it to see hamachi to avoid confusion.
    Any ideas would be useful…
    John

  • http://www.facebook.com/ITBeast John M Keller

    Hey Chris, great Article. I was wondering if I could link this article from ConnectedDigitalWorld, This would be great to circulate to other Windows Home Server Users.

  • jpollarddmz

    feel free John

  • http://packageology.com Dan Gough

    By the way, DirectAccess in Windows Server 2012, and presumably also the Essentials edition which is replacing Windows Home Server, now works with a single NIC. I look forward to trying it out, it should be a simpler and more secure way of accessing home machines than this VPN solution!

  • SMurph

    I’ve set this up and it appears to work fine for PC connections, but I’ve been unable to connect with my Android devices. Should I assume it’s similar to the iPad situation, in which case I’d need port forwarding on 1723? If so, should I deactivate the 443 forwarding? Thanks!

  • http://www.barnesian.com/ Chris Barnes

    I’ve done this with Android before and it does work. Exactly right, port forward 1723. You will no longer need to port forward 443.

  • http://www.barnesian.com/ Chris Barnes

    Agreed! Can’t wait to have a look at that. Also MS-CHAP v2 in conjunction with PPTP is vulnerable to brute forcing from a wireshark capture.

  • ANTHONY

    HOW ARE YOU CONFIG USER VPN IN WINDOWS 8

  • http://www.barnesian.com/ Chris Barnes

    IT’S THE SAME PROCESS, ONLY START THE NETWORK AND SHARING FROM THE DESKTOP. FROM THE START SCREEN JUST TYPE “NETWORK AND SHARING” AND CLICK SETTINGS ON THE RIGHT PANEL. YOU WILL THEN HAVE A CONNECTION OPTION ON THE SAME PANEL THAT YOU CONNECT TO WIFI FROM :)

  • Steven G

    Hi Paul were you able to get this resolved? I am having the same problem having the capability to ping via ip address but not host names.

  • http://www.facebook.com/dscruton Douglas Scruton

    This worked great, thanx. Except for the iPad/iPhone/iPod touch. I read about forwarding port 1723 and turning on VPN Passthrough, which is port 47, but can not get the VPN to connect with the i-devices. Could be work is blocking 1723, so I’ll try from somewhere else. I’m assuming 1723 is PPTP VPN. What is the RSA SecurID?

  • Pingback: Setting up VPN with Surface and Home Server 2011 | kenn-blog

  • Rob Shaw

    I’ve had my WHS V1 for a few years and never knew I could set up VPN on it so easily. Maybe lack of research on my part, but anyway I’m glad I found this article! I got it set up and running great (so far) on the V1 with Windows Server 2003 sp2. I didn’t ever find the “Server Manager” in step 1, but you can get to the same stuff in the all programs > administrative tools. I did need to port forward 1723 on my router as others have mentioned to get it to connect. Thanks for the article… VPN is so much better than the web folders setup I had going before!

  • Pingback: Setup a VPN for WHS 2011

  • andrew

    having exactly the same problem. any ideas?

  • http://www.facebook.com/thomas.boudreaux.7 Thomas Boudreaux

    I set up the VPN however I cannot connect from my windows PC, or my ipad?

  • http://www.facebook.com/thomas.boudreaux.7 Thomas Boudreaux

    it says that the DNS server is unavailable on the Windows machine

  • MrMontana1889

    I’m running into this issue as well.
    Does anyone have any ideas on how to resolve this? I’ve verified that my router (a 2Wire provided by AT&T) is forwarding 443 and 1723.
    Though I’m not exactly sure how to “enable” PPTP, L2TP and IPsec on my router. I don’t think I’ve found them, and I believe I’ve looked on every page.
    I also checked the windows firewall on my WHServer2011 and I am pretty sure the correct rules are enabled.
    Any ideas would be greatly appreciated.

  • Pingback: VPN Verbindung Homeserver (N40L/W921V)

  • Cory Notrica

    VPN connected perfectly. This was extremely helpful. Thank you!

  • callaghn

    I have followed this guide several times now but I am still experiencing problems. I am able to connect to the VPN and access local network resources, but I am unable to connect to external internet sites. I have forwarded ports as seen in the image. I have also read elsewhere that I have to enable VPN/PPTP passthrough, which is only possible when the firewall is activated. I would add that I did have a VPN many years ago but have never used this feature (same router). Could anyone please advise me as to any solutions to this problem. Any help is much appreciated.