Configuring VPN on Windows Server 2008 with no DHCP
It's easiest if the RRAS server connection is set up as VPN with NAT. I'm not sure how much control you have over your cloud environment, but you should put all of your private servers (SQL server, etc) in a private network with the 192.168.x.x, 10.x.x.x, or 172.[16-32].x.x private IP ranges.
Add a second NIC to the VPN server that is in the private subnet.
In the RRAS MMC, you'll have to reconfigure your connection. Right-click the server, click Configure. Choose VPN with NAT. Select the NIC that has public access. Click Next, choose "From a specified range of addresses", next set up a new range using the private network subnet, next choose how you want to set up authentication (RADIUS or RRAS, depends on your configuration), and you're done.
Alternatively, you can set it up so that the clients use the DHCP server. Instead of selecting "From a range of addresses", choose DHCP server. After you finish configuring the server, expand the server -> IPv4 and click Properties on the DHCP Relay Agent. Add the addresses of all the DHCP servers in your environment.
You can check and see if you can configure the static pool of addresses by right clicking the server in the RRAS MMC, properties and looking on the IPv4 tab where it says IP address assignment.
If that doesn't solve the problem, verify the ports are opened to the server from the outside (1723 and IP protocol 47). Check your event logs on the server (Application and Security are the most helpful), crank up the event logging to log all events and check the "Log additional Routing and Remote Access information" button on the server properties (you can find the logs for these in the %windir%\tracing directory).
It might also be helpful if you configure it on an internal network and have servers that are on the same subnet try to VPN, just to test to make sure it can work without the internet in the way. If you can connect internally but not externally, it could be the firewall or you might be trying to connect to the wrong server; you can configure something on a common port (like IIS on port 80) to see if you can reach the server from the outside.
Let me know if you find anything more in the logs or if this helps.
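The answer and the comments converge on two checks for the static pool: it should sit in an RFC 1918 private range, and the VPN server needs an address in the pool's subnet on one of its NICs before RRAS can route for dial-in clients. The following script is an added example (not code from the original answer or the question) that parses `ipconfig /all` text and applies both checks to the pools tried in the thread. The sample output is constructed to mirror the adapter posted in the question, and the function names are my own.

```python
"""Validate a proposed RRAS static address pool against the server's NICs.

Added example, not code from the original answer or question. It encodes
the two rules the thread arrives at: the pool must sit inside an RFC 1918
private range, and the VPN server must own an address in the pool's
subnet on one of its NICs. Function names and the sample text are
assumptions for illustration; the sample mirrors values posted in the
question and is constructed, not captured from a live server.
"""
import ipaddress
import re

# RFC 1918 private ranges, the ranges the answer recommends for the pool.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of `ipconfig /all` output with a single public NIC,
# matching the adapter shown in the question.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Xen Net Device Driver
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 46.22.130.99(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 46.22.130.1
"""

_ADDR_RE = re.compile(r"^\s*IPv4 Address[ .]*: ([\d.]+)")
_MASK_RE = re.compile(r"^\s*Subnet Mask[ .]*: ([\d.]+)")


def parse_ipconfig(text):
    """Return one IPv4Interface per 'IPv4 Address' / 'Subnet Mask' pair."""
    nics = []
    pending = None  # address seen, mask not yet seen
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = _MASK_RE.match(line)
        if m and pending:
            # ip_interface accepts a dotted-decimal mask after the slash.
            nics.append(ipaddress.ip_interface(f"{pending}/{m.group(1)}"))
            pending = None
    return nics


def check_pool(start, end, nics):
    """Return (ok, reason) for the static pool start..end."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if last < first:
        return False, "pool end precedes pool start"
    if not any(first in net and last in net for net in PRIVATE_RANGES):
        return False, "pool is not inside an RFC 1918 private range"
    for nic in nics:
        if first in nic.network and last in nic.network:
            return True, f"pool fits NIC {nic.ip} on {nic.network}"
    return False, "no NIC on the server has an address in the pool's subnet"


def main():
    nics = parse_ipconfig(SAMPLE_IPCONFIG)
    # The three pools tried in the thread, all against the single public NIC.
    for start, end in [("46.130.22.5", "46.130.22.9"),
                       ("10.9.8.7", "10.9.8.9"),
                       ("192.168.1.2", "192.168.1.50")]:
        ok, reason = check_pool(start, end, nics)
        print(f"{start}-{end}: {'OK' if ok else 'FAIL'} ({reason})")
    # The fix from the comments: give the server a NIC in the pool's subnet.
    nics.append(ipaddress.ip_interface("10.9.8.1/24"))
    ok, reason = check_pool("10.9.8.7", "10.9.8.9", nics)
    print(f"after adding 10.9.8.1/24: {'OK' if ok else 'FAIL'} ({reason})")


if __name__ == "__main__":
    main()
```

Run against the real `ipconfig /all` output of the RRAS server (pipe it into `parse_ipconfig`) and the pool you intend to configure; the public-range pool fails the first rule, the 10.x and 192.168.x pools fail the second until a NIC in that subnet exists, which is exactly the sequence the thread went through.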
Question by Seany84, updated on September 18, 2022
Comments
Seany84 almost 2 years
Please see the revised section at the bottom as the original question seems to have been a little convoluted
I have a cloud-based virtual machine from my client's hosting company. The sole purpose of the VM instance is for the client's public-facing ASP.NET web site.
The VM instance had just a bare installation of Windows Server 2008 R2 on it and I installed the following:
- IIS
- Network Policy and Access Server
- MSSQL 2012
I am able to remote desktop and connect to MSSQL remotely as I have opened the respective firewall ports via the hosting company control panel firewall.
Recently, I have noticed that there is a group of computers with IP addresses all over the world attempting to brute-force the Administrator and sa accounts. I subsequently disabled both of those accounts as a precaution and do not plan on re-enabling them. However, the repeated brute force continues on these accounts. I tried to set up VPN access on the Windows Server but cannot get it working. I followed the tutorials: here and here and here.
When I try to connect via VPN I noticed the following messages in the event viewer:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.xxx.xx will be assigned to dial-in clients. Clients may be unable to access resources on the network.
This indicates that DHCP was not installed. When I go to install DHCP I am presented with so many options it is beyond me.
So, my question is: since I have a working live client ASP.NET application running on the VM instance with a fixed IP (4x.2x.13x.xx) / www.clientssite.com, will installing the DHCP role potentially mess up / take down the live site? Will DHCP keep my site working under IIS and can I just create the DHCP with a range of something like 10.9.8.10 to 10.9.8.50? Is this likely to fix my VPN connection issue, which is the ultimate goal?
REVISED QUESTION
I have a cloud-based virtual machine running Windows Server 2008 R2.
- Dedicated IP address (from my hosting company) 46.130.22.99
- Gateway IP: 46.130.22.1
- DNS: 81.17.240.194
- Roles installed: Application Server, Web Server, Network Policy and Access Services (with just Routing and Remote Services, Remote Access Services and Routing)
In the Routing and Remote Services I have added a static address pool from 46.130.22.5 to 46.130.22.9.
When I try to establish a VPN connection to the server it just stalls and then shows a message saying:
Error 800: The remote connection was not made because the attempted VPN tunnel fails.
Is there something else I need to do to set this up?
SCREENSHOTS
IPCONFIG OUTPUT
Windows IP Configuration

   Host Name . . . . . . . . . . . . : removed
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Xen Net Device Driver
   Physical Address. . . . . . . . . : 00-16-3E-08-9B-64
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::193b:c0b:7cc0:daeb%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 46.22.130.99(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 46.22.130.1
   DHCPv6 IAID . . . . . . . . . . . : 285218366
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-AF-1C-90-00-16-3E-08-9B-64
   DNS Servers . . . . . . . . . . . : 81.17.240.194
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{184042A4-4F78-48AE-8BC9-A37E53E8D556}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:248b:25e4:d1e9:7d9c(Preferred)
   Link-local IPv6 Address . . . . . : fe80::248b:25e4:d1e9:7d9c%10(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:2e16:8263::2e16:8263(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 81.17.240.194
   NetBIOS over Tcpip. . . . . . . . : Disabled
- Hannah Vernon, over 11 years ago: Turn off outside access to your SQL Server immediately unless you are 100% certain you can afford to lose everything on the server. All it takes is one mistake on your behalf and you will regret ever opening that can of worms. For the VPN, you can configure a static range of IPs to be handed out by the server.
- Seany84, over 11 years ago: I have finished the latest round of development and have now removed remote SQL access. What would be an example of a static IP address that I could use? The default gateway is 4x.2x.13x.1 and my site's IP is 4x.2x.13x.9x. Could I create a static IP e.g. 4x.2x.13x.2?
- MikeAWood, over 11 years ago: You would want to pass out inside or reserved IP ranges. 192.168.x.x or 10.x.x.x are two such examples...
- Seany84, over 11 years ago: I have added a static IP address pool 10.9.8.7 to 10.9.8.9 under the IPv4 Address Pool section in Routing and Remote Access but my VPN connection still comes up with an error connecting: Error 800: The remote connection was not made because the attempted VPN tunnel fails. The VPN server might be unreachable. ...
- Ryan Ferretti, over 11 years ago: You'll need to add an IP on that subnet to a NIC on the server before it's going to work.
- Seany84, over 11 years ago: @mrdenny where can I do this? I presume it's somewhere under Server Manager and Routing and Remote Access?
- Ryan Ferretti, over 11 years ago: It'll be in there somewhere. Honestly I don't have a machine with RRAS installed on it at the moment as none of my clients use it, and I don't have a lab set up for that (but that's a great thing to add to the next edition of my SQL Security book).
- Ryan Ferretti, over 11 years ago: If memory serves, installing DHCP doesn't require a reboot or bringing the TCP stack offline at all. It does require that all the IPs on the server are static IPs. If you are using DHCP to get your IPs that'll be a problem. You'll also need to restrict the NICs that DHCP is listening on to just the virtual NIC so that you aren't broadcasting DHCP to your hosting provider's network. You might want to work with them to make sure it's set up correctly. They may have a solution in place you can use.
- Seany84, over 11 years ago: I have updated the original question. Hopefully I have simplified it enough into providing an answer.
- Seany84, over 11 years ago: I have set up DHCP on the server 192.168.1.2 - 192.168.1.50. When I try to connect via client I get a message in the server's event viewer: Unable to contact a DHCP server. The Automatic Private IP Address 169.254.32.58 will be assigned to dial-in clients. Clients may be unable to access resources on the network.
- Snowburnt, over 11 years ago: Did you set up a DHCP server or did you configure IP address assignment? I think if you have a DHCP server you have to tell it what server to use on that same tab; if the DHCP server is the same as the VPN you can set it to localhost or the IP address of the server.
- Seany84, over 11 years ago: I have added some screenshots as I'm a bit lost. DHCP is not in the same IP range as the fixed IP the web site works off, if that makes sense.
- Snowburnt, over 11 years ago: Sorry, I can't see imgur at work, but I'll work from my environment. Okay, I reinstalled the RRAS in my lab. If you use DHCP in your environment and not a fixed IP range configured on the RRAS server you have to configure the DHCP Relay Agent. The DHCP Relay Agent is located in the RRAS snap-in -> server -> IPv4 -> DHCP Relay Agent. Go to Properties and add the address of the DHCP server. That will allow the RRAS to function as a proxy serving DHCP addresses to clients.
- Snowburnt, over 11 years ago: I updated my answer with tips on the DHCP Relay Agent.
- Seany84, over 11 years ago: I think the issue is that the DHCP server is not installed correctly. I have updated my original post with the output from ipconfig /all. P.S. Your help is really appreciated!