Virtual Private Network


Home     Sitemap logo

Setup a VPN Server

Need to use a VPN Server for connecting from off site or away from home?

A strange thing happened about six months ago ...

My VPN Server stopped working, and it was after doing a set of Security updates for my firewall / proxy server which the Routing and Remote Access was also installed.

After troubleshooting the problem for a long time (off and on for a couple of months) I came to the conclusion that Microsoft has changed something in the service packs, which one I don't know.

Here are some of the troubleshooting steps I took to determine that a firewall / proxy service (software) will not reside peacefully with the new and improved Routing and Remote Access service for Windows Server 2003.

While traveling last summer I wanted to connect to my home network to check my mail and get some stats on my web sites. When I tried to connect to the network I would get an "Error 678" that "The remote computer did not respond." So to get my email and stats I used an open network. Something I really dislike doing since my Pay Pal account was stolen in 2007 while at Dallas-Fort Worth airport coming home from a trip to the UK. (I resolved that by contacting Pay Pal and getting a new account, lost 14 USD to the thief and learned that the "WiFi hot spots" were hot for thieves.)

My first step was to remove the RRA (Routing and Remote Access) service from my firewall /proxy server check the registry to see if there were any remnants of the service left. Then reinstall it, configure it, then test it.

Still getting the Error 678 I decided to put the image I had made of the Operating System partition when I did an upgrade for the server hardware on the drive and see what would happen. When I try to connect it connects but...

That is the rub the "but...", I couldn't get outside of my network when using the VPN tunnel. That is it connects and authenticates my user id and password. When trying to ping a computer inside the network the ping times out. When using the proxy settings on my browser the target web site page never loads.

When I could get the VPN Server to work the proxy service would quit, there is an incompatibility with the RRA and the proxy software. Upgrading the proxy software (Wingate by did not make any difference and to activate the built in VPN software was over 50 USD which I didn't want to buy because well Routing and Remote Access is free with the Server OS...

Need a server? You can build your own!

For over six months I would try different things that forum posters said they tried and worked. Maybe those things worked for them but they didn't work for me.

When I checked Microsoft Technet no one said that they using the same Server to have their RRA/VPN and firewall / proxy services installed on.

Technet has a couple of white papers on setting up a Routing and Remote Access and the VPN client, what I noticed with the two I downloaded was that the RRA server was behind a firewall (on the router) but outside the internal network much like a DMZ server but not open to the public the way a DMZ server is.

With an extra computer (a ASUS Netbook) I decided to see if the Routing and Remote Access service would do what I wanted:

A secure connection anywhere I traveled to get my email and check the stats on my web sites. With the ability to check the servers I leave running while I am gone.

Setting up the hardware and Server Operating System ...

The little netbook gave me a few problems when I loaded the Server OS on it, at first the video drivers wouldn't load, then the desktop went corrupt, then the wireless drivers wouldn't load (wrong version of the OS, they were for XP or Windows 2000). And so on. It took three attempts at loading the OS before the netbook would be ready to try to make the RRA service work.

One of the things I found out from the white paper was the "example" company had three intranet (internal networks) that needed to connect to the "campus" the home office intranet using the internet (www) for access.

To do this the corporate network and the three satellite networks would each use a separate VPN Server with Routing and Remote Access service that would use the VPN to connect. The setup would be basically the same for all the RRA servers with the exception of the in/out bound connection for each intranet which is the ISP provided IP address of the local router.

Once the VPN Server operating system is installed, all the current security service packs installed, and the server is locked down then bring the VPN Server into your domain, you should do this before installing the Routing and Remote Access service. You need domain security, group policies, and rights on the server before installing the RRA service on the VPN Server.

If you do the service before adding the server to the domain some of the rights in the Routing and Remote Access policies have to be manually set. See the help function for the RRA service if you have problems with the installation.

Before the service pack (I may research this sometime in the future) that changed the static route option you didn't have to have the Static Routes under the IP Routing section. This is why my Routing and Remote Access and VPN stopped working, now you have to configure the static route for both the WAN connection and the LAN connection. Such as:

Static Routes under the IP Routing section

The image, table, or PDF was removed because it will not display on your device. Check back on a PC....

IP Routing section of the RRA MMC.

LAN Static Route

LAN Static Route, when you connect by VPN you will have access to the you intranet the same as you have locally.

WAN Static Route

All the octets (numbers) for the WAN Static Route settings are zero.

Note: These IP addresses are fictitious by the way.

The first three tries to get the connection to work failed because the IP range I was using was "outside the scope of the base IP address." uh -- ya.

Note on the LAN image the last octet (last number) of the IP address is 0 (zero), I was trying to get the route to my Domain Controller and was using it's last octet as the number for the route, what I needed to realize is this route is for all of my LAN not just my Domain Controller... My DOH! moment.

Now it has been over  fifteen years since I did any network design to set up a network with the subnet mask to fit. It took me a few tries to figure out the real number I needed to use to get to the intranet and be able to use the proxy server to get to the www securely.

Instead of having one computer to have access from the network to the internet and then access to the intranet from the internet I now have two servers, one for the firewall / proxy to access the internet from my business network and another one for access to my business network from the internet while traveling.

This is not an optimum configuration because I have to use two computers not one but the VPN Server and Wingate programs will not work properly on one server, that is if one is working the way it was designed the other program (or service) will not work at all.

Now you ask why use a VPN Server and Routing and Remote Access service to connect?

You have to understand how a VPN works, basically it is a connection inside a connection, that is you connect to the internet through a router, it could be wired or wireless. Then you connect to the RRA service with the VPN, the VPN is an encrypted connection, call it a tunnel inside a tunnel. Read here for configuring one.

The first tunnel is your connection to the internet, the second tunnel is encrypted and connects to the RRA service.

You can have different levels of encryption from none to 40, 56, or 128 bit which is quite strong when you consider that to crack this encryption the thief would have to have over two hours of data to sample. If you need to use a WiFi hot spot to connect and only stay connected for a short period of time a thief would not have enough data to hack into your VPN and gain access to your network.

And now my VPN works again.   Smile...

Emergency Repair
isk (ERD) - Will Yours Work?

Repair Disk

Custom made for you...

You keyboard isn't thirsty, and it doesn't need calcium. Milk and other liquids will ruin a keyaboard!

This Web
Site is a
labor of Love
But Love
doesn't pay
the bills!

Please chip in $5 to keep it live...

Need A Checklist?

Need A Repair Manual?

    Page copy protected against web site content infringement by Copyscape

You can:

Return to
previous page:





Thank you for visiting my web site, and please come back again.

This website is not intended for children under the age of 18

Author of this web site: Monte Russell

FTC Endorsement Rules
All testimonials on the DIY Computer Repair web site are from customers who were not paid to comment on any products!

The Flag of The United States of America!   Proudly Made in The U. S. A.

Copyright and Registered to, all thieves will be prosecuted to the fullest extent of international law!

From the Desert South West ~ Arizona, U. S. A.
Copyright DIY-Computer-Repair.Com 2006-2016


"You found this web site through:"

Active Search Results

Return to top of VPN Server

Connecting to VPN Server while off site will enhance your data security...

Home    About    Sitemap
Fix It Blog!

From the Desert South West ~ Arizona, USA
Copyright 2006-2015