Internet Access through VPN server - need help please

  • Question

  • Hello!

    I am about to travel to a country where internet access is highly censored & monitored, and I would like to set up a VPN server to protect my communications. I realise there are commercial methods to do this, but I want to configure it myself so I know it's safe to use.

    I have a single Windows 2008 R2 server hosted in the US, and have configured the RRAS service. I can connect to it from the client laptop successfully, and I can access some resources on the server from the client (I say some, because I don't have file access working yet, but presume that's a firewall issue that I can fix later). So far, so good.

    However I have a problem I need help with. I cannot access the internet through the server. On googling the issue, most people just go with split-tunnelling (i.e. changing the client-side vpn settings to not using the server's gateway) - but of course that is not an option in my case as it would not give me protected internet.

    I think from what I have read that I just need to configure certain static routes on the server to get this to work - but what I have tried so far has not worked. Your assistance would be appreciated.

    Here are the details - please let me know if there is more info needed. Thanks again for your help.

    (x's used to protect the guilty)


    Server's public IP:  216.18.210.x

    Server's default gateway (provided & controlled by the hosting company): 216.18.x.1

    I have configured RRAS to use a pool of local IP addresses. Note that there is no private LAN per se, as it is just one single server with one NIC & one public IP.
    Server:  192.168.100.1
    Client: 192.168.100.2


    So I think I need to provide a static route to solve this - but need advice on which settings to use.

    Thanks,
    Mike


    Monday, June 28, 2010 6:21 PM

Answers

  • Hello Tiger,

    I have it working! I came across someone mentioning NAT during (yet another) google search on this topic, and that prompted me to go see what my NAT settings in RRAS were. Once there, I created a NAT entry, and everything is now working perfectly!

    So for the benefit of anyone else looking at this post in the future, here is what I did exactly. Hopefully this saves someone a few hours!

    1. Open Server Manager
    2. Network Policy and Access Services
    3. Routing and Remote Access
    4. IPv4
    5. NAT
    6. Right mouse, New Interface
    7. Choose a NIC (in my case the options were 'Local Area Connection 3' and 'Internal', so I went with the first one)
    8. On the NAT tab, selected "Public Interface connected to the internet"
    9. Ticked "Enable NAT on this interface"
    10. Click OK
    11. All done - now test your VPN connection from the client

    So thank you so much Tiger. Without your assistance I may have given up and not gotten this far. And the DNS settings tip was very useful too.

     

    So now I have a nicely protected internet connection using a PPP VPN, I just have to figure out how to use a different VPN type that isn't as commonly blocked - apparently a number of authoritarian regimes block PPP so they can more easily monitor internet use. Anyway, that's another mission for another time. Right now I'm just happy to have it all working.

     

    Thanks again,
    Mike

     

     

    • Marked as answer by MikeZ Thursday, July 1, 2010 5:48 PM
    Thursday, July 1, 2010 5:39 PM

All replies

  • At its default setting the VPN client uses the VPN server as default gateway, so there is not very much to set up on the client side. If the server NPS/RAS policy is configured to not restrict the VPN traffic and (instead) route it accordingly, everything should work fine. As I understand, you use a special IP network for your VPN clients, which needs to be routed in your server's LAN:

    Maybe your IP range (192.168.100.2) is unknown to the other network devices on your network, so just add a route on your internet router so that the router "knows" that it reaches 192.168.100.2 through your VPN server (which I assume is on the same network as your internet gateway/router).

     

    hth

    Gregor Stefka

    Monday, June 28, 2010 8:06 PM
  • Hi MikeZ

     

    Please perform "tracert <internet address>" on your client when the VPN is established, and please post the route table of your RRAS server here.

    By default, if the option "Use default gateway on remote network" of the VPN connection is checked, when the VPN is established all network traffic will go through the remote site. I suspect that this issue is caused by an incorrect route set on your RRAS server.

     

    Thanks.

     

    Tiger Li

     

    On July 1st we will be making Windows Server 2008 R2 Networking forum read only. After receiving a lot of feedback from the community, it was decided that this forum is a duplication and therefore redundant of the Network Infrastructure Servers Forum. So, until July 1st, we will start asking customers to redirect their questions to the Network Infrastructure Servers Forum. On June 11th, CSS engineers will move any new threads to the Network Infrastructure Servers Forum.

     

    Please post a reply to the announcement thread if you have any feedback on this decision or the process. You can also email WSSDComm@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, June 29, 2010 5:11 AM
  • Thanks for your reply Gregor, appreciated.

    Unfortunately I don't have any control over the gateway/router as it's managed by a hosting company, and used by all their clients.

    So the only place I can add any routing is on the VPN server itself.

     

    Tuesday, June 29, 2010 10:22 PM
  • Hi Tiger, thanks for your help. I agree that it must be improper routing on the server.

     

    Here are the outputs as requested. If there's anything else I can provide, please let me know.

     

    Output of ROUTE PRINT command on VPN server:

    C:\Users\Administrator>route print
    ===========================================================================
    Interface List
     22...........................RAS (Dial In) Interface
     16...00 15 5d d2 d2 05 ......Microsoft Virtual Machine Bus Network Adapter #
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     216.18.210.1   216.18.210.215    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        192.168.100.0    255.255.255.0     216.210.10.1   216.18.210.215    261
        192.168.100.1  255.255.255.255         On-link     192.168.100.1    306
         216.18.210.0    255.255.255.0         On-link    216.18.210.215    261
       216.18.210.215  255.255.255.255         On-link    216.18.210.215    261
       216.18.210.255  255.255.255.255         On-link    216.18.210.215    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link    216.18.210.215    261
            224.0.0.0        240.0.0.0         On-link     192.168.100.1    306
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link    216.18.210.215    261
      255.255.255.255  255.255.255.255         On-link     192.168.100.1    306
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     216.18.210.1  Default
              0.0.0.0          0.0.0.0     216.18.210.1  Default
              0.0.0.0          0.0.0.0     216.18.210.1  Default
    ===========================================================================

     

     

    Output of TRACERT 192.168.100.1 from client when connected to VPN

    C:\>tracert 192.168.100.1

    Tracing route to 192.168.100.1 over a maximum of 30 hops

      1     *        *        *     Request timed out.
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.....

     

    Output of TRACERT 216.18.210.x (my server's public IP) from client when connected to VPN

    (I have no idea how it's able to get to those IP's - doesn't appear to be going through the VPN server's gateway)

    C:\>tracert 216.18.210.x

    Tracing route to 216.18.210.x over a maximum of 30 hops

      1     *        *        *     Request timed out.
      2  1005 ms   265 ms   257 ms  10.99.6.35
      3   694 ms   316 ms   240 ms  213.42.9.170
      4   915 ms   345 ms   421 ms  194.170.0.234
      5   635 ms   359 ms   239 ms  195.229.1.101
      6   350 ms   300 ms   257 ms  195.229.1.166
      7   416 ms   437 ms   421 ms  195.22.198.41
      8   417 ms   456 ms   423 ms  89.221.34.107
      9   781 ms   521 ms   456 ms  195.22.211.54
     10   489 ms   481 ms   480 ms  63.218.42.194
     11  1111 ms   558 ms   581 ms  67.220.192.101
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14     *        *        *     Request timed out.
     15     *        *        *     Request timed out.
     16     *        *        *     Request timed out.
     17     *        *        *     Request timed out......


     

    Tuesday, June 29, 2010 10:55 PM
  • Hi MikeZ,

     

    Thanks for your feedback.

     

    After reading your tracert result, I found that when the VPN connection is established, the client can't access the remote VPN address 192.168.100.1.

     

    C:\>tracert 192.168.100.1

    Tracing route to 192.168.100.1 over a maximum of 30 hops

      1     *        *        *     Request timed out.
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.....

     

    Please check the route table of your client when the VPN connection is established, to verify whether a route "0.0.0.0 0.0.0.0 192.168.100.2" exists.

    Please change the bind order; make sure the remote connection is at the top on your client.

    I assume you are running Windows Vista or 7 on your client.

    ·         Open "Network and Sharing Center" | "Change adapter settings" | press the "Alt" key to show the menu

    ·         Click "Advanced" | "Advanced Settings" | move "Remote access connections" to the top of the list.

    ·         Redial to check if you can reach the remote address via ping 192.168.100.1

    And for the test, please temporarily disable the firewall on your server and client.

     

    I Need to Disable Windows Firewall

     

    http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

     

    Thanks.

     

    Tiger Li

    Wednesday, June 30, 2010 2:53 AM
  • Hello Tiger,

    Thanks for your continued assistance. I have taken these steps:
    - Disabled all my other network adapters on the client (just for tidiness really)
    - Set the binding order so that Remote Connections is at the top of the list (I'm on XP by the way)
    - Verified there is a route "0.0.0.0 0.0.0.0 192.168.100.2"  (see below ROUTE PRINT output)
    - Tested with both firewalls turned off. Ping from client to server (PING 192.168.100.1) was successful, but there was still no access to anything other than the VPN server.


    Here is the output from running ROUTE PRINT on the client, while the VPN was connected.
    I note there are two default routes (i.e. destination = 0.0.0.0), but I presume that is normal and the metric will ensure any traffic goes over the VPN.


    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x4 ...00 22 fa e0 19 14 ...... Intel(R) WiFi Link 5100 AGN - Packet Scheduler Miniport
    0xa0002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0        10.10.0.1     10.10.0.103       21
              0.0.0.0          0.0.0.0    192.168.100.2   192.168.100.2       1
            10.10.0.0      255.255.0.0      10.10.0.103     10.10.0.103       20
          10.10.0.103  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.255.255.255  255.255.255.255      10.10.0.103     10.10.0.103       20
       69.245.128.109  255.255.255.255        10.10.0.1     10.10.0.103       20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.100.2  255.255.255.255        127.0.0.1       127.0.0.1       50
      192.168.100.255  255.255.255.255    192.168.100.2   192.168.100.2       50
       216.18.210.215  255.255.255.255        10.10.0.1     10.10.0.103       20
            224.0.0.0        240.0.0.0      10.10.0.103     10.10.0.103       20
            224.0.0.0        240.0.0.0    192.168.100.2   192.168.100.2       1
      255.255.255.255  255.255.255.255      10.10.0.103     10.10.0.103       1
      255.255.255.255  255.255.255.255    192.168.100.2   192.168.100.2       1
    Default Gateway:     192.168.100.2
    ===========================================================================
    Persistent Routes:
      None



    Any further thoughts?

     

    Wednesday, June 30, 2010 9:33 PM
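As an added example (not code from the thread), a small Python checker for the client-side condition Tiger asks about: parse the Active Routes of a Windows `route print` and confirm that the lowest-metric default route leaves via the VPN interface while the host route to the server's public IP still uses the physical gateway, as it does in the table Mike posted. The sample table is a subset of the rows above (the server's public address 216.18.210.215 appears there as well); the function names are my own and it assumes IPv4 output in the standard `route print` column layout.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: rows from the client-side "route print" posted in the
# thread while the VPN was connected (subset of the IPv4 Active Routes).
CLIENT_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1     10.10.0.103       21
          0.0.0.0          0.0.0.0    192.168.100.2   192.168.100.2       1
        10.10.0.0      255.255.0.0      10.10.0.103     10.10.0.103       20
    192.168.100.2  255.255.255.255        127.0.0.1       127.0.0.1       50
   216.18.210.215  255.255.255.255        10.10.0.1     10.10.0.103       20
  255.255.255.255  255.255.255.255    192.168.100.2   192.168.100.2       1
Default Gateway:     192.168.100.2
"""

# One data row: destination, netmask, gateway (IP or "On-link"), interface, metric.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)

Route = Dict[str, object]


def parse_route_print(text: str) -> List[Route]:
    """Parse the data rows of a Windows 'route print' table.
    Header lines and 'Default Gateway:' do not match ROW and are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes


def effective_default_route(routes: List[Route]) -> Optional[Route]:
    """Windows keeps several 0.0.0.0/0 entries; the lowest metric wins."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def check_full_tunnel(routes: List[Route], vpn_client_ip: str,
                      vpn_server_public_ip: str) -> List[str]:
    """Return findings; an empty list means the client side of a full tunnel
    looks right: the winning default route leaves via the VPN interface, and the
    host route to the server's public IP stays on the physical path (otherwise
    the tunnel would try to carry its own packets)."""
    findings: List[str] = []
    default = effective_default_route(routes)
    if default is None:
        findings.append("no default route at all")
    elif default["interface"] != vpn_client_ip:
        findings.append(f"default route uses {default['interface']}, not the VPN "
                        "(split tunnel: 'Use default gateway on remote network' is off)")
    host = [r for r in routes
            if r["dest"] == vpn_server_public_ip and r["mask"] == "255.255.255.255"]
    if not host:
        findings.append(f"no host route for VPN server {vpn_server_public_ip}")
    elif host[0]["interface"] == vpn_client_ip:
        findings.append("host route to the VPN server goes through the tunnel itself")
    return findings
```

On Mike's table the checker reports nothing, which matches the thread: the client side was already correct and the remaining fix (IPv4 forwarding plus NAT on the public interface) had to be made on the RRAS server.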
  • Hi MikeZ,

     

    Thanks for your feedback.

     

    After reading your result, I think maybe the IP forwarding feature has not been enabled on your VPN server.

    Please check by following these steps:

     

    ·         Disconnect any VPN connection

    ·         Open the RRAS MMC snap-in on your VPN server

    ·         Right click Routing and Remote Access and click Properties.

    ·         In the Routing and Remote Access properties form, click the IPv4 tab.

    ·         Please make sure the "Enable IPv4 forwarding" option is selected.

    ·         Then please establish the VPN connection and test if the traffic routes correctly via tracert.

     

    If it worked, you need to set the DNS address for your VPN connection.

     

    ·         Right click your VPN connection on your client.

    ·         In the properties form, click Networking, double click TCP\IPv4.

    ·         Click "Use the following DNS server addresses" and set any public DNS address or the same DNS address as the RRAS server setting.

     

    Based on my test, after all the settings above, the user could access the internet through the remote server.

     

    Thanks.

     

    Tiger Li

    Thursday, July 1, 2010 7:19 AM
  • Thanks Tiger, I appreciate you sticking with me on this! =)

     

    I have checked, and the IPv4 port forwarding is already enabled on the RRAS server. I did not have the DNS servers 'hard coded' on the client though, so I have now done that.

    When I run TRACERT 74.125.79.99 (a Google server), I get this result:

    C:\>tracert 74.125.79.99

    Tracing route to 74.125.79.99 over a maximum of 30 hops

      1   308 ms   301 ms   299 ms  192.168.100.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.....

     

    Do any particular firewall rules need to be set on the server to allow vpn traffic to go off-server?


    Thursday, July 1, 2010 3:57 PM
  • Hi MikeZ,

    Glad you found out how to achieve this goal.

    Hope you will enjoy our TechNet forum.

    Thanks.

    Tiger Li

    Friday, July 2, 2010 1:25 AM
  • Thank you so much, saved me tons of time. However, one thing which I did have to look for was step 5, NAT. This wasn't under my IPv4 list. So I right clicked on IPv4/General -> New Routing Protocol -> NAT. Then I followed the rest of the steps.

     

    Thanks again!

    Bhavic

    Thursday, October 21, 2010 4:23 AM
  • Dear All,

    I have followed the method given above but I still cannot use the internet. I am very new to this field (I mean server things), so please guide me on this.

    Thanks

    Omar F. Kalson

    Saturday, December 3, 2011 5:50 PM
  • Thanks a lot. For other people that need this solution from scratch, here you have a solution.

    Enable RRAS as a VPN Server and a NAT Router

    http://technet.microsoft.com/en-us/library/dd458971 . aspx <- (I can't use URLs in this post)

    I don't use an Active Directory user; I'm using a local user.

    regards


    Thursday, October 10, 2013 8:15 PM
  • Hello Mike,

    I have one question. You have given "Server:  192.168.100.1". Is it a second network card with local IP 192.168.100.1?

    And Client: 192.168.100.2, is this an IP of the static IP pool which is assigned to client?

    Regards,

    C

    Wednesday, June 1, 2016 10:47 AM
  • Hi Craval,

    No - the .1 address is not a separate NIC.

    Because I never have more than one connected client at a time, I set my IPv4 static address pool to start at .1 and finish at .2.  When a connection is made, the server always grabs the first one, and the client grabs the second.

    I have no idea if that's the "right" way to do it, but it works for me.

    Cheers,
    Mike

    Wednesday, June 1, 2016 12:47 PM
  • Hi MikeZ, 

    thank you for sharing all the information you got about this.

    I've been working on my own VPN server for 2 days without success. Whatever I tried failed. I did the exact steps but without any luck. We are in exactly the same situation as you, running a dedicated server where the gateway/IP configuration is handled by the datacenter.

    As a client, I can successfully connect to my VPN server but have no internet access. I am trying to connect while pinging Google (with ping -t), and after the connection succeeds, I get replies from only the first 3 pings and then they all time out. I understand that those last 3 successful pings are going through the VPN server because the reply time is much higher than the local ones for those 3 pings, as expected due to the server location.

    Can you also share what your static route(s) is/are?

    Sunday, April 21, 2019 2:17 PM