How to set up VPN server on Windows Server 2019

Do you have to set up a VPN server on your company? Here are the steps to set up a VPN server using the Routing and Remote Access role available on Windows Server 2019.

Set up VPN on Windows Server 2019
Set up VPN on Windows Server 2019

On Windows Server 2019, a virtual private network (VPN) is a convenient method to allow users to access resources using an encrypted connection from a remote location and through the internet.

Typically, organizations use VPN to extend their private network to allow employees to work from home or another remote location to access files, apps, intranet websites, printers, and other resources through a public network as if they were directly connected into the company’s network.

The way you set up a VPN server hasn’t really changed in many years, which means that the same instructions to configure a virtual private network on Windows Server 2019 applies to older versions, including Windows Server 2016, 2012 R2, and older versions. If you have a Windows 10 device, you can use the “Incoming Connection” feature to set up a VPN server to connect remotely to your home network to access your computer’s files and peripherals, and even other computers in the network.

In this guide, you’ll learn the steps to set up a VPN server on Windows Server 2019.

How to add VPN role feature on Windows Server

To add the Routing and Remote Access role to set up a VPN server on Windows Server 2019, use these steps:

  1. Open Start.

  2. Search for Server Manager and click the top result to open the utility.

  3. Click the Manage menu button from the top-right corner and select the Add Roles and Features option.

    Windows Server add roles option
    Windows Server add roles option
  4. Click the Next button.

  5. Select the Role-based or feature-based installation option.

    Role-based or feature-based installation option
    Role-based or feature-based installation option
  6. Click the Next button.

  7. Choose the Select a server from the server pool option.

  8. Select the server name.

    Select destination server option
    Select destination server option
  9. Click the Next button.

  10. Check the Remote Access option.

    Remote access server role option
    Remote access server role option
  11. Click the Next button.

  12. Click the Next button again.

  13. Click the Next button one more time.

  14. Check the DirectAccess and VPN (RAS) option.

    DirectAcess and VPN RAS option
    DirectAcess and VPN RAS option
  15. Click the Add features button.

  16. Click the Next button.

  17. Click the Next button again.

  18. Click the Next button one more time.

  19. Click the Install button.

    Windows Server 2019 install VPN server option
    Windows Server 2019 install VPN server option
  20. Click the Close button.

Once you complete the steps, the VPN server module will install on the device, and you can proceed to configure the remote access feature.

How to set up VPN server on Windows Server

To configure a VPN server on Windows Server 2019, use these steps:

  1. Open Start.

  2. Search for Server Manager and click the top result to open the utility.

  3. Click the Manage menu button from the top-right corner and select the Routing and Remote Access option.

    Windows Server 2019 Routing and Remote Access option
    Windows Server 2019 Routing and Remote Access option
  4. Right-click the server name and select the Configure and Enable Routing and Remote Access option.

    Configure and Enable Routing and Remote Access
    Configure and Enable Routing and Remote Access
  5. Select the Custom configuration option.

    Custom configuration option
    Custom configuration option
  6. Click the Next button.

  7. Check the VPN access option.

    Windows Server 2019 VPN access option
    Windows Server 2019 VPN access option
  8. Click the Next button.

  9. Click the Finish button.

  10. Click the Start service button.

  11. Right-click the server name and select the Properties option.

    Windows Server 2019 VPN properties option
    Windows Server 2019 VPN properties option
  12. Click the IPv4 tab.

  13. Under the “IPv4 address assignment” section, check the Static address pool option (recommended).

    VPN server static address pool option
    VPN server static address pool option
    Quick note: If you have DHCP server configured, you can use the Dynamic Host Configuration Protocol (DHCP) option to handle the distribution addresses. However, if you want to control the access to the network, or you don’t have a DHCP server, then the static pool option is your best option. When using this option, make sure to assign an IP range it won’t assign to other devices in the local network.
  14. Click the Add button.

  15. Specify a start IP address.

  16. Specify an end IP address.

    VPN address range setup
    VPN address range setup
  17. Click the OK button.

  18. Click the Apply button.

  19. Click the OK button.

  20. Right-click “Remote Access Logging & Policies” and select the Launch NPS option.

    Windows Server 2019 launch NPS
    Windows Server 2019 launch NPS
  21. Select the Network Policies option from the left pane.

    Network Policies
    Network Policies
  22. Double-click the Connections to Microsoft Routing and Remote Access server policy.

  23. Under the “Access Permission” section, select the Grant access. Grant access if the connection request matches this policy option.

    Connection to VPN policy
    Connection to VPN policy
  24. Click the Apply button.

  25. Click the OK button.

  26. Double-click the Connections to other access servers policy.

  27. Under the “Access Permission” section, select the Grant access. Grant access if the connection request matches this policy option.

    Connection to other server policy
    Connection to other server policy
  28. Click the Apply button.

  29. Click the OK button.

  30. Close the Network Policy Server console.

After you complete the steps, the VPN server will be created on Windows Server 2019, but you’ll still need to configure the users who are allowed to connect, and you need to configure the firewall to allow connections.

Windows Server 2019, 2016, 2012 R2 and older versions include more options to set up a more secure and advanced VPN server. In this guide, we’re only covering the fast and secure way to get started with the remote access feature.

How to allow VPN connections through firewall on Windows Server

While configuring the Routing and Remote Access feature on Windows Server should automatically open the necessary Windows Firewall ports, you want to make sure the firewall is properly configured.

To allow VPN connections through the firewall on Windows Server 2019, use these steps:

  1. Open Start on Windows Server 2019.

  2. Search for Allow an app through Windows Firewall, and click the top result to open the experience.

  3. Click the Change settings button.

  4. Scroll down and make sure Routing and Remote Access is allowed on Private and Public.

    VPN server firewall configuration on Windows 10

  5. click the OK button.

After you complete the steps, the Windows Server VPN server should be able to receive connections remotely from other computers.

How to allow users access through VPN on Windows Server

To allow users access through the virtual private network, use these steps:

  1. Open Start.

  2. Search for Server Manager and click the top result to open the utility.

  3. Select the Active Directory Users and Computers option.

    Quick note: If you don’t have Active Directory configured on your server, select the Computer Management option, expand the Local Users and Groups branch from the left pane.
  4. Click on Users from the left pane.

  5. Double-click the user you want allow remote access.

  6. Click the Dial-in tab.

  7. Under the “Network Access Permission” section, select the Allow access option.

    Windows Server 2019 enable user VPN access
    Windows Server 2019 enable user VPN access
  8. Click the Apply button.

  9. Click the OK button.

Once you complete the steps, you may need to repeat the steps to enable other users to access the network using a VPN connection.

These instructions show you the steps to allow remote access on each user individually. If you need to configure access for a lot users, you can also create a group to configure VPN access for users more easily. 

How to set up port forwarding on router to enable VPN access

To be able to connect through a public network (such as the internet) to the VPN server, you’ll need to forward port 1723 (Point to Point Tunneling Protocol (PPTP)) to allow VPN connections.

Here are the instructions that will help you set up port forwarding on a router. You can also visit your router’s manufacturer website for more assistance to configure Port Forwarding.

In addition to the forwarding the required port, you’ll also need to know the public IP address assigned to you by your Internet Service Provider (ISP). You will need this information to contact your VPN server remotely.

To find out if your current public IP address, open your web browser, and using any search engine, perform a search for “What’s my IP”, and your information will appear in the first result.

If the network uses a dynamic public IP address, which can change at any time, then you’ll need to configure DDNS (Dynamic Domain Name System) in your router to avoid having to configure the VPN setup every time your public IP address changes.

Here are the instructions that will help you set up DDNS on your router. You can also visit your router’s manufacturer website for additional help to configure DDNS.

How to set up a VPN connection on Windows 10

After setting up the VPN server on Windows Server 2019, you’ll need to configure the devices that will be accessing your local network remotely. You can set up any device, including your desktop, laptop, tablet, and even phone (for example, Android and iPhone). Here are the instructions to set up a VPN connection on Windows 10.

After adding a VPN connection on your computer, you have to adjust the settings with these steps:

  1. Open Control Panel.

  2. Click on Network & Internet.

  3. Click on Network and Sharing Center.

  4. Click the Change adapter settings link from the left pane.

  5. Right-click the VPN adapter and select the Properties option.

    VPN Connection properties

  6. In the General tab, make sure you’re using the correct domain you created while configuring DDNS — or at least you’re using the correct public IP address.

    VPN Connection address properties

  7. Click on the Security tab.

  8. Under “Type of VPN,” select the Point to Point Tunneling Protocol (PPTP) option.

  9. Under “Data encryption,” select the Maximum strength encryption (disconnect if server declines) option.

    VPN Connection Security options on Windows 10

  10. Click the OK button.

  11. Click on the Networking tab.

  12. Uncheck the Internet Protocol Version 6 (TCP/IPv6) option.

  13. Check the Internet Protocol Version 4 (TCP/IPv4) option.

  14. Select the Internet Protocol Version 4 (TCP/IPv4) option.

  15. Click the Properties button.

    VPN Connection Networking options on Windows 10

  16. Click the Advanced button.

    VPN Connection TCP/IP properties on Windows 10

  17. Clear the Use default gateway on remote network option.

    Stop internet traffic through VPN connection

    Important: We’re disabling this option to prevent your web traffic to go through the remote connection, which can slow down your internet connection. However, if you’re looking to access the internet through a VPN connection, then don’t change this last setting.
  18. Click the OK button.

  19. Click the OK button again.

  20. Click the OK button once more.

  21. Open Settings.

  22. Click on Network & Internet.

  23. Click on VPN.

  24. Select the VPN connection option and click the Connect button.

    Windows 10 remote connection using VPN
    Windows 10 remote connection using VPN

Once you complete the steps, the device should be able to connect to VPN server from a remote location.

About the author

Mauro Huculak is a Windows How-To Expert who started Pureinfotech in 2010 as an independent online publication. He has also been a Windows Central contributor for nearly a decade. Mauro has over 15 years of experience writing comprehensive guides and creating professional videos about Windows and software, including Android and Linux. Before becoming a technology writer, he was an IT administrator for seven years. In total, Mauro has over 21 years of combined experience in technology. Throughout his career, he achieved different professional certifications from Microsoft (MSCA), Cisco (CCNP), VMware (VCP), and CompTIA (A+ and Network+), and he has been recognized as a Microsoft MVP for many years. You can follow him on X (Twitter), YouTube, LinkedIn and About.me. Email him at [email protected].