# VPN L2TP

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2F8B9NvYxTElKw72UJ6iNm%2Fimage.png?alt=media&#x26;token=8e4b660d-b407-472d-9e03-b531b36ecb78" alt=""><figcaption></figcaption></figure>

#### Windows Server: <mark style="color:blue;">Eth1: NAT</mark>, <mark style="color:red;">Eth2: Custom (192.168.10.1/24)</mark> <a href="#ynttx0mf4ufy" id="ynttx0mf4ufy"></a>

#### Windows 10: <mark style="color:red;">Eth1: Custom (192.168.10.100/24, GW: 192.168.10.1)</mark>

### Step 1: Install the Remote Access Role <a href="#id-5coha2cbl2bk" id="id-5coha2cbl2bk"></a>

Open Server Manager, choose **Add Roles and Features**, and add the **Remote Access** role with the **RAS and Routing** role services.

### Step 2: Configure Routing and Remote Access <a href="#ndcy6iu8myc9" id="ndcy6iu8myc9"></a>

On the left pane, right-click on your local server and click **Configure and Enable Routing and Remote Access**.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FNP5oBeo6fmYbHkZOkkrd%2Fimage.png?alt=media&#x26;token=a7e814bb-bc29-4582-9ae4-f91f0dd5d50f" alt=""><figcaption></figcaption></figure>

In the *Configure and Enable Routing and Remote Access Wizard*, select the **Custom Configuration** radio button, since we will configure routing and access manually. Click *Next*.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FvcERZruRlSZ3wvnAiYsm%2Fimage.png?alt=media&#x26;token=ffc45296-c516-45b2-b2c5-06083e7f9637" alt=""><figcaption></figcaption></figure>

Next, select the **VPN Access** and **NAT** checkboxes and click *Next* to see a summary of the selection.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FX6cu4LNwEQRxw2uiBVbZ%2Fimage.png?alt=media&#x26;token=d2b7a156-fbff-40da-9aef-974c9db31112" alt=""><figcaption></figcaption></figure>

Finally, after clicking *Finish*, you will see a prompt to start the Routing and Remote Access service. Click the *Start Service* button.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FVQgdvk8utNe5xXM4MbuX%2Fimage.png?alt=media&#x26;token=467fcb83-8b76-4a0a-8b62-77140358b18d" alt=""><figcaption></figcaption></figure>

### **Step 3: Configure VPN Properties**

Now that we have our VPN running, let’s go ahead and configure it. Under the Routing and Remote Access window, on the left pane, right-click on your local server and click **Properties**.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FrK8YG2OS2OHEuDDDhDzJ%2Fimage.png?alt=media&#x26;token=4f9a91be-4714-4631-89e4-1d12e81d4bf1" alt=""><figcaption></figcaption></figure>

Navigate to the *Security* tab, tick **Allow custom IPsec policy for L2TP/IKEv2 connection** and enter a very long PSK (pre-shared key). You can use any tool to generate a random key.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FF9AVdtkg9OMUQGLgmW1Y%2Fimage.png?alt=media&#x26;token=aab042dc-50b3-49d4-b4b7-8f4f9ba497a5" alt=""><figcaption></figcaption></figure>

**Make sure to note down the PSK, as we will need to share it with every user who wants to connect to the VPN server.** Because every client uses this same key, treat it as a group secret and change it whenever someone who held it should no longer be able to connect.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FCZjqqhDgqnUWBoy0lEYy%2Fimage.png?alt=media&#x26;token=b8c78488-829e-4c77-a63b-65e32faa6db5" alt=""><figcaption></figcaption></figure>

Now, go to the *IPv4* tab and, under *IPv4 address assignment*, select *Static address pool*. Click the **Add** button and a pop-up will ask for an IP address range. Enter the starting and ending addresses of the range from which connecting clients will be assigned their addresses.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FIGnS2JYhpHACRO1I5BLA%2Fimage.png?alt=media&#x26;token=0edb879f-4ddc-40fb-b5e7-db47fe35af97" alt=""><figcaption></figcaption></figure>

Click the *OK* button to save the address range and finally click **OK** to save the changes. You may get a warning saying that Routing and Remote Access must be restarted for the changes to apply; you can safely click *OK* and ignore it for now, as we will restart the service after completing the next step. Take a screenshot of your range of IP addresses.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FOmjQTHslIaYh9U8XfAmZ%2Fimage.png?alt=media&#x26;token=61451bbf-7d35-4830-b74a-94b3779f2aae" alt=""><figcaption></figcaption></figure>

### **Step 4: Configure NAT**

In the same left pane of the Routing and Remote Access window, expand your local server and then expand *IPv4*. You will see the *NAT* object there. Right-click *NAT* and then click the *New Interface* option.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FNlprgVvNHN16tb44fDOR%2Fimage.png?alt=media&#x26;token=aac4a207-0439-4c68-b714-2ca61913cf83" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FJeHsUcw6X6oVfwMIHLb7%2Fimage.png?alt=media&#x26;token=3cf8a136-7a3c-405e-827a-3c8ba8481390" alt=""><figcaption></figcaption></figure>

Select **Ethernet** (the NAT-facing adapter) and click *OK* to proceed. On the *NAT* tab, select the *Public interface connected to the Internet* radio button and also tick the *Enable NAT on this interface* checkbox.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FnOVsU9HHbIh4tI7LsjGr%2Fimage.png?alt=media&#x26;token=388bd9e9-0dbc-4f50-b400-c41c53952dbc" alt=""><figcaption></figcaption></figure>

Now, go to the *Services and Ports* tab and tick the *VPN Server (L2TP/IPSec - running on this server)* checkbox. This opens a new dialog for editing the service. Take a screenshot.

Change the private address from **0.0.0.0** to **127.0.0.1** and click OK to save.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FIBCNpchThB8NIn84rWSH%2Fimage.png?alt=media&#x26;token=bbf75ea3-141e-493b-bbdc-ad57d58b9343" alt=""><figcaption></figcaption></figure>

Finally, click *OK* to save the NAT interface.

### **Step 5: Restart Routing and Remote Access**

On the left pane of the Routing and Remote Access window, right-click on your local server and click on *Restart* under *All Tasks*.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FNejmchWfoYdjFaY0uFG1%2Fimage.png?alt=media&#x26;token=ab51a208-f94b-405b-9749-82ef876b52b4" alt=""><figcaption></figcaption></figure>

This restarts the Routing and Remote Access service so that all the changes we have made take effect.

### **Step 6: Configure Windows Firewall**

In the Start menu, search for *Windows Defender Firewall* and open it. Click *Advanced settings* in the Windows Defender Firewall window.

![windows defender firewall](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FujMJEaJbqmbhwuw0Kh6P%2F12.png?alt=media)

Under *Advanced settings*, click *Inbound Rules* in the left pane and then click *New Rule* in the right-hand pane.

![new rule windows defender firewall](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2F8pZBIS4CF4i1vnMsKJ7S%2F13.png?alt=media)

Windows Server 2019 ships with predefined rules that we need to enable for the VPN to work. In the *New Inbound Rule Wizard*, click the *Predefined* radio button and select *Routing and Remote Access* from the drop-down.

![advanced security windows defender firewall](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2F81Gx5Dv8M1VxB0s3Zf97%2F14.png?alt=media)

Under *Predefined Rules*, tick the *Routing and Remote Access (L2TP-In)* checkbox and click *Next*.

![new inbound firewall wizard](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FMv5WVSYCtJunwedmWGA7%2F15.png?alt=media)

Under *Action*, select *Allow the connection* and click *Finish*.

![windows defender firewall allow connection](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FC4Kbv1ONYXhbkqGcuUym%2F16.png?alt=media)

The firewall is now configured to allow inbound traffic on UDP port 1701 (the L2TP control channel). Note that L2TP/IPsec also relies on IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) reaching the server, so make sure nothing upstream of the server blocks them.

### **Step 7: Create VPN User**

Search for *Computer Management* in the Start menu and, in the *Computer Management* window, expand *Local Users and Groups*.

Right-click *Users* and click *New User* to create a new user.

![create new user](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FdUbTYHeBNupYG5linak5%2F17.png?alt=media)

In the *New User* dialog, provide a username, full name and strong password. Untick the *User must change password at next logon* checkbox. Click **Create** to create the user. Take a screenshot.

![computer management](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2F6SWT3mx6pIvtDg3Qp2iQ%2F18.png?alt=media)

Once the user is created, return to the *Computer Management* window and you will find the user you have just created in the list of users. Right-click the user and click *Properties*.

![computer management properties](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FdSiSAtl0J0ayMJdPCSl0%2F19.png?alt=media)

In the VPN user's properties, navigate to the *Dial-in* tab. Select the *Allow access* option under *Network Access Permission*. Click *OK* to save the properties. Take a screenshot.

![computer management permission](https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2Fh088GUnroSWdMCeGtBWN%2F20.png?alt=media)

Our L2TP/IPsec VPN server is now ready and can accept connections.

### **Step 8: Connecting VPN Client**

You will need to share the PSK and the Windows username and password with the user who wishes to connect to the remote VPN server. On the Windows client, create an L2TP/IPsec VPN connection and enter the PSK under the *Security* tab of that connection.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FKXPctQiAoQgwkmAMRIjh%2Fimage.png?alt=media&#x26;token=3ad0f4ee-1e89-4276-afa3-4df45ad970c8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2FAAI8iIkMbp3HDLEQomZ5%2Fimage.png?alt=media&#x26;token=cfaa84d8-459d-4b19-9ea9-fb216ff82c5c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2Fbrc6QULrloeuVOInz0oT%2Fimage.png?alt=media&#x26;token=0559cc78-89ee-49fe-992d-b00e0c58665d" alt=""><figcaption></figcaption></figure>

### **Step 9: Monitoring VPN**

Search for *Remote Access Management Console* in the Start menu and open it. You should see the status of the VPN. If you have followed the tutorial correctly, you will see green checkmarks on all services. You can also view the details of connected clients in this console.

<figure><img src="https://2438328698-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPf7CIJDZ869PqrsNNvPr%2Fuploads%2Fh6iSVnxgPWPmNklas6n4%2Fimage.png?alt=media&#x26;token=51754c86-1977-4426-95c4-140dc01bc5bf" alt=""><figcaption></figcaption></figure>
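The checks below verify, from an elevated PowerShell prompt on the server, the same things Steps 2, 5, 6 and 9 configured and inspected through the GUI, and they generate a random PSK of the kind Step 3 asks for. This is an added example written for this page, not code from the original tutorial; it assumes the RemoteAccess PowerShell module is installed with the role, and that the `UserName` property of `Get-RemoteAccessConnectionStatistics` and the `RemoteAccess` event provider in the System log are present as named.

```powershell
# Added example (not part of the original tutorial). Run in an elevated
# PowerShell session on the RRAS server after completing the steps above.

function New-VpnPreSharedKey {
    # 32 bytes from the OS CSPRNG, base64-encoded: a 44-character key with
    # no spaces, suitable for the "custom IPsec policy" PSK field in Step 3.
    param([int]$ByteCount = 32)
    $buffer = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    $rng.Dispose()
    return [Convert]::ToBase64String($buffer)
}

function Test-L2tpVpnServer {
    $report = [ordered]@{}

    # Steps 2 and 5: RRAS plus the IPsec policy agent and IKE keying service
    # must all be running, otherwise L2TP/IPsec clients cannot negotiate.
    foreach ($name in 'RemoteAccess', 'PolicyAgent', 'IKEEXT') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report["Service $name"] = if ($svc) { $svc.Status } else { 'missing' }
    }

    # Step 6: the predefined L2TP-In rule should be enabled, allow, and cover UDP 1701.
    $rule = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
        Where-Object { $_.DisplayName -like '*L2TP-In*' }
    $port = $rule | Get-NetFirewallPortFilter
    $report['L2TP-In rule allows'] = ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow')
    $report['L2TP-In rule port']   = "$($port.Protocol)/$($port.LocalPort)"

    # Step 9: currently connected clients (same data the management console shows).
    # Assumption: the statistics objects expose a UserName property.
    $clients = Get-RemoteAccessConnectionStatistics -ErrorAction SilentlyContinue
    $report['Connected users'] = @($clients | Select-Object -ExpandProperty UserName)

    # Recent RRAS events (connect/disconnect/auth failures) for a quick audit trail.
    # Assumption: RRAS writes to the System log under the provider name 'RemoteAccess'.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess' } `
        -MaxEvents 10 -ErrorAction SilentlyContinue
    $report['Recent RRAS events'] = @($events | ForEach-Object { "$($_.TimeCreated) id=$($_.Id)" })

    return $report
}

Write-Host "Sample PSK: $(New-VpnPreSharedKey)"
Test-L2tpVpnServer | Format-Table -AutoSize
```

Any service not reporting `Running`, or an L2TP-In rule that is disabled or not bound to `UDP/1701`, points at the step that needs revisiting.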

