Virtual non-public networks have risen from obscurity to change into the regularly most well-liked technique of linking non-public networks. Although VPNs turned widespread as a result of they enabled utilizing the Internet to safe community connections, thereby eliminating the necessity for costly devoted circuits, VPN adoption skyrocketed as a result of the expertise additionally proved comparatively easy, dependable, and safe.
Considering VPNs foolproof, nonetheless, results in a false sense of safety. Following state-sponsored assaults that used compromised VPNs to allow exploitative assaults, organizations acquired a wake-up name that VPN accounts require shut monitoring and safeguarding, too.
With correct safety practices, VPNs proceed to successfully fulfill a necessary have to reliably and securely join distant workers, department workplaces, approved companions, and different techniques. Yet VPN connection errors proceed to inevitably come up.
Often, Windows server-powered VPN connection points that come up typically fall into considered one of 4 classes:
- The VPN connection is rejected.
- An unauthorized connection is accepted.
- Locations past the VPN server show unreachable.
- A tunnel can’t be established.
Here’s the way to resolve these frequent Windows Server-powered VPN connection errors.
Working with the Windows Server Routing and Remote Access console
Once a VPN is ready up utilizing a Windows Server, connection points sometimes happen, even when a connection beforehand labored correctly. Troubleshooting typically includes working with Windows servers’ Routing and Remote Access console snap-in instrument, which is the place Microsoft concentrates many VPN configuration settings.
The Routing and Remote Access snap-in lives inside the Microsoft Management Console, often known as the MMC. There are a number of methods to entry the MMC. You can choose the console from the Start menu’s Programs choices, inside the Administrative Tools folder inside Windows server’s Control Panel or by typing mmc at a command immediate. You may also attain the MMC by urgent the Windows key and the letter R concurrently and coming into mmc and urgent the Enter key.
While the precise person interface and menu choices sometimes change subtly between particular server variations, directors ought to be capable to navigate the varied consoles — whether or not working with an older model or the present Windows Server 2022 iteration — utilizing the identical strategy.
How to repair the 4 greatest issues with failed VPN connections
1: The VPN connection is rejected.
Having a VPN shopper’s connection rejected is maybe the commonest VPN downside. Part of the rationale this downside is so frequent is that many points may cause a connection to be rejected.
If the Windows server-powered VPN rejects shopper connections, you first want to verify that the Routing and Remote Access Service is definitely working on the Windows server. You can test by opening the Windows server’s Services console, which you’ll entry by clicking Start | Control Panel | Administrative Tools | Services. With the Services console open, navigate inside the record of companies to the Routing and Remote Access entry to make sure its service is working.
The Services console shows the standing of the Routing and Remote Access entry. With the Routing and Remote Access entry highlighted inside the Services console, you possibly can click on Start the Service or right-click the entry and choose Restart. If the RRAS service was set to Manual or Disabled, you possibly can open the entry, change the Startup Type to Automatic, after which click on Start and OK.
After confirming the RRAS service is working, it’s a good suggestion to check the connection by pinging the VPN server first by IP tackle after which by its absolutely certified area title. If you encounter errors, a DNS downside is probably going occurring, and you may flip your consideration to resolving that concern.
If the VPN server pings work, although, and you continue to have connection points, tackle a possible authentication mismatch. Sometimes, the VPN shopper and VPN server are set to make use of totally different authentication strategies.
Confirm whether or not an authentication error is the issue by opening the server console. Yet one other technique of accessing the MMC is to kind Control+R to open a command immediate in which you’ll kind mmc and hit Enter or click on OK.
With the console open, navigate to the Routing and Remote Access entry. If the entry isn’t current, click on File, choose Add/Remove Snap-in, select the Routing and Remote Access choice from the alternatives, and click on Add, then OK.
With the Routing and Remote Access snap-in added, right-click on the VPN server and click on Properties. Then, overview the Security tab to verify the authentication technique. Windows Authentication is the commonest, though a distinct choice, resembling RADIUS could also be in place. Ensure the VPN shopper is ready to the authentication technique specified inside the Security tab.
More issues to test
Typically, the objects simply reviewed are accountable for most VPN connection refusal errors. But different fundamentals should be right, too.
For instance, if the Windows Server internet hosting the VPN hasn’t joined the Windows area, the server can’t authenticate logins. You’ll first have to attach the server to the area.
IP addresses are one other basic ingredient for which administration should be correctly set. Each Web-based VPN connection often makes use of two totally different IP addresses for the VPN shopper laptop. The first IP tackle is the one which the shopper’s ISP assigned. This is the IP tackle that’s used to determine the preliminary TCP/IP connection to the VPN server over the Internet.
However, as soon as the shopper attaches to the VPN server, the VPN server assigns the shopper a secondary IP tackle. This IP tackle sometimes possesses the identical subnet because the native community and thus permits the shopper to speak with the native community.
When you arrange the VPN server, you should configure a DHCP server to assign addresses to purchasers, or you possibly can create a financial institution of IP addresses to assign to purchasers instantly from the VPN server. In both case, if the server runs out of legitimate IP addresses, will probably be unable to assign an tackle to the shopper, and the connection shall be refused.
For DHCP server environments, a standard setup error is specifying an incorrect NIC. If you right-click on the VPN server inside the Routing and Remote Access snap-in and choose the Properties command from the ensuing shortcut menu, it’s best to see the server’s properties. The corresponding IP tab accommodates settings that allow specifying the DHCP supply. Ensure that if the DHCP server choice is enabled, the suitable community adapter is chosen. You should choose a community adapter with a TCP/IP path to the DHCP server.
2: An unauthorized connection is accepted.
Next, let’s overview the other downside, wherein unauthorized connections are accepted. This downside is way much less frequent than not connecting, however the issue is far more severe due to the potential safety points and resultant unauthorized visitors.
Suppose you have a look at a person’s properties sheet within the Active Directory Users and Computers console. In that case, the Dial In tab often accommodates an choice to manage entry by way of the distant entry coverage. If this feature is chosen and the efficient distant entry coverage is ready to permit distant entry, the person can connect to the VPN.
Although I’ve been unable to re-create the state of affairs personally, I’ve heard rumors {that a} bug exists in older Windows servers that may trigger the connection to be accepted, even when the efficient distant entry coverage is ready to disclaim a person’s connection. Therefore, and particularly on older server platforms, permitting or denying connections instantly by way of the Active Directory Users and Computers console is finest.
A number of different safety fundamentals must be in place, too, to assist stop unauthorized VPN entry. Unnecessary VPN accounts ought to all the time be disabled and even deleted when doable. Users must be required to alter their corresponding passwords regularly, and people passwords ought to want to satisfy complexity necessities.
Multi-factor authentication must be required for all VPN connections, and community firewalls and safety companies ought to frequently monitor for unauthorized or suspicious connections to generate high-priority alerts at any time when doable points floor. Implementing these steps will assist scale back the chance an unauthorized connection is accepted.
3: Locations past the VPN server show unreachable.
Another frequent VPN downside is {that a} connection is efficiently established, however the distant person can’t entry the community past the VPN server. By far, the commonest reason for this downside is that permission hasn’t been granted for the person to entry all the community.
To enable a person to entry all the community, go to the Routing and Remote Access console and right-click on the VPN server that’s having the issue. Select the Properties command from the ensuing shortcut menu to show the server’s properties sheet, then choose the properties sheet’s IP tab. At the highest of the IP tab is an Enable IP Routing test field.
If this test field is enabled, VPN customers can entry the remainder of the community, assuming community firewalls and security-as-a-service settings allow. If the checkbox just isn’t chosen, these customers can entry solely the VPN server and nothing else.
The downside is also associated to different routing points. For instance, if a person is dialing instantly into the VPN server, it’s often finest to configure a static route between the shopper and the server.
You can configure a static route by going to the Dial In tab of the person’s properties sheet in Active Directory Users and Computers and choosing the Apply A Static Route test field. This will trigger Windows to show the Static Routes dialog field. Click the Add Route button and enter the vacation spot IP tackle and community masks within the offered house. The metric must be left at 1.
If you’re utilizing a DHCP server to assign IP addresses to purchasers, there are a few different issues that might trigger customers not to have the ability to transcend the VPN server. One such downside is duplicate IP addresses. If the DHCP server assigns the person an IP tackle that’s already in use elsewhere on the community, Windows will detect the battle and stop the person from accessing the remainder of the community.
Another frequent downside is that the person doesn’t obtain an tackle in any respect. Most of the time, if the DHCP server can’t assign the person an IP tackle, the connection received’t make it this far. However, there are conditions the place an tackle project fails, so Windows mechanically assigns the person an tackle from the 169.254.x.x vary. If the shopper is assigned an tackle in a variety that’s not current inside the system’s routing tables, the person shall be unable to navigate the community past the VPN server.
Other points can contribute to this downside, too. Ensure the assets the person is making an attempt to entry are literally on the community to which the person is connecting.
With the rising variety of servers, cloud platforms, and utility as a service choices, it’s doable the person is looking for a useful resource on the mistaken community or on a subnet to which the community the person linked can’t attain. A VPN connection to the opposite subnet may, actually, be required. A firewall or safety as a service resolution is also guilty, so don’t neglect to overview these options’ settings, if such elements are current between the VPN server and the assets the person seeks to succeed in.
4: A tunnel can’t be established.
If every little thing appears to be working properly, however you possibly can’t appear to determine a tunnel between the shopper and the server, there are two principal prospects of what could possibly be inflicting the issue.
The first chance is that a number of routers carry out IP packet filtering. IP packet filtering may stop IP tunnel visitors. I like to recommend checking the shopper, the server, and any machines in between for IP packet filters. You can do that by clicking the Advanced button on every machine’s TCP/IP Properties sheet, choosing the Options tab from the Advanced TCP/IP Settings Properties sheet, choosing TCP/IP Filtering, and clicking the Properties button.
The different chance is a proxy server between the shopper and the VPN server. A proxy server performs NAT translation on all visitors flowing between the shopper and the Internet. This implies that packets look like coming from the proxy server moderately than from the shopper itself. In some circumstances, this interplay may stop a tunnel from being established, particularly if the VPN server expects the shopper to have a selected IP tackle.
You should additionally keep in mind that older or low-end proxy servers (or NAT firewalls) don’t assist the L2TP, IPSec, or PPTP protocols typically used for VPN connections.
In different circumstances, firewall safety companies or safety as a service resolution may block the formation of a VPN tunnel. Review the settings inside these numerous units or companies to make sure the Windows server-powered VPN visitors is correctly supported.
SEE: Securing Linux Policy (TechRepublic Premium)
Other VPN issues
Windows server-powered VPNs stay an necessary resolution for securely connecting distant customers and techniques. While precise menus and particular server properties change over time, the basics reviewed above are sometimes accountable for the commonest points. As new server variations, updates, and repair packs are launched, totally different VPN connection and distant entry issues and options will come up.
Fortunately, Microsoft repeatedly posts VPN connection troubleshooting updates and steering, which you’ll monitor and view on its web site right here.
This article was initially revealed in June 2022. It was up to date by Luis Millares in January 2025.