Configuring VPN on Windows Server 2008 with no DHCP


It's easiest if the RRAS server connection is set up as VPN with NAT. I'm not sure how much control you have over your cloud environment, but you should put all of your private servers (SQL server, etc) in a private network with the 192.168.x.x, 10.x.x.x, or 172.[16-32].x.x private IP ranges.

Add a second NIC to the VPN server that is in the private subnet.

In the RRAS MMC, you'll have to reconfigure your connection. Right-click the server, click Configure. Choose VPN with NAT. Select the NIC that has public access. Click Next, choose "From a specified range of addresses", next set up a new range using the private network subnet, next choose how you want to set up authentication (RADIUS or RRAS, depends on your configuration) and you're done.

Alternatively, you can set it up so that the clients use the DHCP server. Instead of selecting "From a range of addresses", choose DHCP server. After you finish configuring the server, expand the server->IPv4 and click Properties on the DHCP Relay Agent. Add the address of all the DHCP servers in your environment.

You can check and see if you can configure the static pool of addresses by right clicking the server in the RRAS MMC, properties and looking on the IPv4 tab where it says IP address assignment.

If that doesn't solve the problem, verify the ports are opened to the server from the outside (1723 and IP protocol 47). Check your event logs on the server (application and security are the most helpful), crank up the event logging to log all events and check the "log additional RRAS info" button on the server properties (you can find the logs for these in the %windir%\tracing directory).

It might also be helpful if you configure it on an internal network and have servers that are on the same subnet try to VPN, just to test to make sure it can work without the internet in the way. If you can connect internally but not externally, it could be the firewall or you might be trying to connect to the wrong server; you can configure something on a common port (like IIS on port 80) to see if you can reach the server from the outside.

Let me know if you find anything more in the logs or if this helps.
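A small check, added here as an example and not code from the original answer, that encodes the thread's advice: the RRAS static pool should come from an RFC 1918 range, should not be carved out of the hosting provider's public subnet, and needs a NIC on the server with an address in the same subnet. It parses "ipconfig /all" text in the shape shown in the question; the sample output and its second NIC are constructed.

```python
import ipaddress
import re

# Constructed sample shaped like the question's "ipconfig /all" output (not the real one).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 46.22.130.99(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 46.22.130.1
Ethernet adapter Local Area Connection 2:
   IPv4 Address. . . . . . . . . . . : 10.9.8.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4_interfaces(text):
    """Pair each 'IPv4 Address' line with the 'Subnet Mask' line that follows it."""
    interfaces, addr = [], None
    for line in text.splitlines():
        m = re.match(r"\s*IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            addr = m.group(1)
            continue
        m = re.match(r"\s*Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if m and addr:
            interfaces.append(ipaddress.ip_interface(f"{addr}/{m.group(1)}"))
            addr = None
    return interfaces


def check_pool(pool_first, pool_last, ipconfig_text):
    """Return the problems found with a proposed RRAS static pool (empty list means it looks sane)."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    problems = []
    if first.is_link_local or last.is_link_local:
        # 169.254.x.x is the APIPA fallback RRAS uses when no DHCP server answers, not a usable pool.
        problems.append("pool is in the APIPA 169.254.0.0/16 range")
    elif not any(first in net and last in net for net in RFC1918):
        problems.append("pool is not in an RFC 1918 private range")
    nics = parse_ipv4_interfaces(ipconfig_text)
    for nic in nics:
        # A pool carved out of the hosting provider's public subnet collides with their addressing.
        if not nic.ip.is_private and (first in nic.network or last in nic.network):
            problems.append(f"pool overlaps the public subnet of {nic.with_prefixlen}")
    if not any(first in nic.network and last in nic.network for nic in nics):
        # RRAS needs a NIC with an address in the pool's subnet before it can route clients.
        problems.append("no NIC on the server has an address in the pool's subnet")
    return problems
```

Running it against the question's two attempts (46.130.22.5-9 and 10.9.8.7-9 with only the public NIC) reports the RFC 1918 and missing-NIC problems respectively.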

Author by Seany84

Updated on September 18, 2022

Comments

  • Seany84
    Seany84 almost 2 years

    Please see the revised section at the bottom as the original question seems to have been a little convoluted


    I have a cloud based virtual machine from my client's hosting company. The sole purpose of the VM instance is for the clients public facing ASP.net web site.

    The VM instance had just a bare installation of Windows Server 2008 R2 on it and I installed the following:

    • IIS
    • Network Policy and Access Server
    • MSSQL 2012

    I am able to remote desktop and connect to MSSQL remotely as I have opened the respective firewall ports via the hosting company control panel firewall.

    Recently, I have noticed that there is a group of computers with IP addresses all over the world attempting to brute-force the Administrator and sa account. I subsequently disabled both of those accounts as a precaution and do not plan on re-enabling them. However, the repeated brute force continues on these accounts.

    I tried to set up VPN access on the Windows Server but can not get it working. I followed the tutorials: here and here and here.

    When I try to connect via VPN I noticed the following messages in the event viewer:

    Unable to contact a DHCP server. The Automatic Private IP Address 169.254.xxx.xx will be assigned to dial-in clients. Clients may be unable to access resources on the network.

    This indicates that DHCP was not installed. When I go to install DHCP I am presented with so many options it is beyond me.

    So, my question is: Since I have a working live client ASP.net application running on the VM instance with a fixed IP (4x.2x.13x.xx) / www.clientssite.com, will installing the DHCP role potentially mess up / take down the live site? Will DHCP keep my site working under IIS and I can just create the DHCP with a range of something like 10.9.8.10 to 10.9.8.50? Is this likely to fix my VPN connection issue, which is the ultimate goal?


    REVISED QUESTION


    I have a cloud based virtual machine running Windows Server 2008R2.

    • Dedicated IP address (from my hosting company) 46.130.22.99
    • Gateway IP: 46.130.22.1
    • DNS: 81.17.240.194
    • Roles installed: Application Server, Web Server, Network Policy and Access Services (with just Routing and Remote Services, Remote Access Services and Routing)

    In the Routing and Remote Services I have added a static address pool from 46.130.22.5 to 46.130.22.9

    When I try to establish a VPN connection to the server it just stalls and then shows a message saying

    Error 800: The remote connection was not made because the attempted VPN tunnel fails..

    Is there something else I need to do to set this up?


    SCREENSHOTS


    [Screenshots not reproduced: DHCP Address Pool; Routing and Remote Access Properties]


    IPCONFIG OUTPUT


    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : removed
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Xen Net Device Driver
       Physical Address. . . . . . . . . : 00-16-3E-08-9B-64
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::193b:c0b:7cc0:daeb%14(Preferred)
       IPv4 Address. . . . . . . . . . . : 46.22.130.99(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 46.22.130.1
       DHCPv6 IAID . . . . . . . . . . . : 285218366
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-AF-1C-90-00-16-3E-08-9B-64
    
       DNS Servers . . . . . . . . . . . : 81.17.240.194
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{184042A4-4F78-48AE-8BC9-A37E53E8D556}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 9:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:248b:25e4:d1e9:7d9c(Preferred)
       Link-local IPv6 Address . . . . . : fe80::248b:25e4:d1e9:7d9c%10(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter 6TO4 Adapter:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:2e16:8263::2e16:8263(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 81.17.240.194
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    • Hannah Vernon
      Hannah Vernon over 11 years
      turn off outside access to your SQL Server immediately unless you are 100% certain you can afford to lose everything on the server. All it takes is one mistake on your behalf and you will regret ever opening that can of worms. For the VPN, you can configure a static range of IPs to be handed out by the Server.
    • Seany84
      Seany84 over 11 years
      I have finished the latest round of development and have now removed remote SQL access. What would be an example of a static IP address that I could use? The default gateway is 4x.2x.13x.1 and my site's ip is 4x.2x.13x.9x. Could I create a static IP e.g. 4x.2x.13x.2 ?
    • MikeAWood
      MikeAWood over 11 years
      you would want to pass out inside or reserved IP ranges. 192.168.x.x or 10.x.x.x are two such examples...
    • Seany84
      Seany84 over 11 years
      I have added a static IP address pool 10.9.8.7 to 10.9.8.9 under the IPV4 Address Pool section in Routing and Remote Access but my VPN connection still comes up with an error connecting: Error 800: The remote connection was not made because the attempted VPN tunnel fails. The VPN server might be unreachable. ...
    • Ryan Ferretti
      Ryan Ferretti over 11 years
      You'll need to add an IP on that subnet to a NIC on the server before it's going to work.
    • Seany84
      Seany84 over 11 years
      @mrdenny where can I do this? I presume it's somewhere under Server Manager and Routing and Remote Access ?
    • Ryan Ferretti
      Ryan Ferretti over 11 years
      It'll be in there somewhere. Honestly I don't have a machine with RRAS installed on it at the moment as none of my clients use it, and I don't have a lab setup for that (but that's a great thing to add to the next edition of my SQL Security book).
    • Ryan Ferretti
      Ryan Ferretti over 11 years
      If memory serves, installing DHCP doesn't require a reboot or bringing the TCP stack offline at all. It does require that all the IPs on the server are static IPs. If you are using DHCP to get your IPs that'll be a problem. You'll also need to restrict the NICs that DHCP is listening on to just the virtual NIC so that you aren't broadcasting DHCP to your hosting provider's network. You might want to work with them to make sure it's set up correctly. They may have a solution in place you can use.
    • Seany84
      Seany84 over 11 years
      I have updated the original question. Hopefully I have simplified it enough into providing an answer.
  • Seany84
    Seany84 over 11 years
    I have setup DHCP on the server 192.168.1.2 - 192.168.1.50. When I try to connect via client I get a message in the server's event viewer: Unable to contact a DHCP server. The Automatic Private IP Address 169.254.32.58 will be assigned to dial-in clients. Clients may be unable to access resources on the network.
  • Snowburnt
    Snowburnt over 11 years
    Did you set up a DHCP server or did you configure IP address assignment? I think if you have a DHCP server you have to tell it what server to use on that same tab; if the DHCP server is the same as the VPN you can set it to localhost or the IP address of the server.
  • Seany84
    Seany84 over 11 years
    I have added some screenshots as I'm a bit lost. DHCP is not in the same IP range as the fixed IP the web site works off if that makes sense.
  • Snowburnt
    Snowburnt over 11 years
    Sorry, I can't see imgur at work, but I'll work from my environment. Okay, I reinstalled the RRAS in my lab. If you use DHCP in your environment and not a fixed IP Range configured on the RRAS server you have to configure the DHCP Relay Agent. The DHCP Relay agent is located in the RRAS snap-in->server->ipv4->dhcp relay agent. Go to properties and add the address of the DHCP server. That will allow the RRAS to function as a proxy serving DHCP addresses to clients.
  • Snowburnt
    Snowburnt over 11 years
    I updated my answer with tips on the DHCP relay agent
  • Seany84
    Seany84 over 11 years
    I think the issue is that the DHCP server is not installed correctly. I have updated my original post with the output from ipconfig /all p.s. Your help is really appreciated!