How to Set Up VPN for Windows Home Server 2011
Most workplaces have a VPN server, so you can log in to your desktop at work from home. I doubt very many have the similar luxury of logging into their desktop at home from work. Windows Home Server allows you remote access to your files and some limited functionality related to managing the server. Out of the box there is no notion of being able to remote desktop into your home desktop, laptop or HTPC. Since WHS2011 is built upon Windows Server 2008R2 you can get at some of the functional bits under the hood to enable VPN among other more advanced server features. It seems a lot of people have given up and install something like LogMeIn or their LogMeIn Hamachi, which are fantastic in their own right, but these features are built into Windows Home Server. You should take advantage of that. VPN allows you to log into your home network as if you were sitting there connected to your home Wifi router. You can remote into any machine and do whatever you want without worrying about that pesky RDP security vulnerability that was uncovered recently. You can also remote into a machine on your network to hide from the prying sys-admin eyes at work as VPN traffic is encrypted. You can also expose a single port (443) to the internet at large and VPN in and have access to whatever you want on your home network. Regardless of why you want to VPN into your home network, here is how you do it!
Setting up the VPN Server
- Remote Desktop into your WHS2011 box (mstsc in the start menu)
- Open up the server Manager
- Right click on “Network Policy and Access Services”
- Select “Add Role Services”
- Tick the “Routing and Remote Access Services” check box
- This should check both “Remote Access Service” and “Routing”
- Click “Next>”
- Confirm these settings and click “Install”
- Click “Close” to finish
- Back in Server Manager expand the Network Policy and Access Services
- Right Click on Routing and Remote Access and select “Configure and Enable Routing and Remote Access”
- Click “Next>”
- Select “Custom configuration” Be careful here, if you select “Remote access” as one might think, you will get a conflict with NPS later in the process and it will disallow Remote Desktop once the services get started. If that happens you can Remote Desktop into the server and disable the “Routing and Remote Access” service before it starts so you can reconfigure VPN.
- Tick the box next to “VPN access”
- Click “Finish” to finish the installation
- You may get a warning about conflicting with NPS, That should be fine. Click “OK” to dismiss it.
- A dialog will pop up asking you to start the Routing and Remote Access service. Go ahead and click “Start service”
- The server is now set up, but it does not know what IP address to hand out to the client. You can either point it at a DHCP server or configure a static pool of IP address to be assigned. Here we will perform the later.
- Back at the Server manager right click on the “Routing and Remote Access” under the “Network Policy and Access” heading
- Select “Properties”
- Under the IPV4 tab and the IPv4 address assignment select “Static address pool”
- Click “Add…”
- Define an IP range with between “Start IP address” and “End IP address” that is outside of the range of your router’s DHCP
- Here is an example of my Linksys E200 DHCP range. You will need to specify an IP address range outside of the range that the router uses otherwise you could get collisions.
- Click “OK” to save the IP address pool
- Click “OK” to save.
- Your VPN server is now set up and started!
- Not so fast. You need to allow access to a user before you can use it. You will need to do the following per each user you want to grant access
- Open the Computer Managment console
- Expand “Local Users and Groups” and select “Users”
- Right click on the user and click properties
- Select the “Dial-in” tab
- In the “Network Access Permission” section select “Allow access”
- Click “OK” to save these settings.
- The user should now be able to access the VPN server once you set it up on the client PC side.
- You’ll need to forward port 443 for SSTP VPN to access the VPN server. Head over to http://portforward.com/ to get specific instructions on how to forward a port on your specific router.
- You will also need to ensure that VPN passthrough for SSTP is enabled. On most routers it should be enabled by default.
Configuring the Clients
Assuming you are using Windows 7 as the client for the VPN connection, here is how to connect. Any version of Windows that supports VPN should also work in a similar fashion. For example, I’ve confirmed that the Windows 8 Consumer Preview will connect via VPN on WHS2011. Here are the screen-by-screen instructions for Windows 7.
- Open the network and sharing center and click “Set up a new connection or network”
- Select “Connect to a workplace” and click “Next”
- Select “No, create a new connection” and click “Next”
- Select “Use my Internet connection (VPN)”
- In the “Internet address:” box type the address of your homeserver, if you are using Microsofts DNS then that would be <Server_Name>.homeserver.com
- Type in anything convenient in the “Destination name:” box
- Click “Next”
- Fill in the credentials for the user you granted access to earlier
- Click “Connect”
- You should get a success message of “You are connected”
- Once this is set up, you will only have to hit connect and provide the credentials to connect
- You should now be able to use the network as if you were at home!
And with that, sound off in the comments if you have any issues with this long, overly-complex process.