Post date: Aug 06, 2014 10:41:8 AM
This guide is intended for Windows Server 2012, but can also be implemented on Windows Server 2008 as well.
Below I’ll show how to prepare your server – and your client as well, since there are two sides to the equation and both are needed for a secure environment. This applies whether your servers are hosted in your own office (security needs to be addressed there too!) or whether you are using Windows Cloud VPS Server hosting.
To begin, you will need to launch Server Manager, Add Roles and Features.
Make sure to select Role-based or feature-based installation, then click Next until you reach the Server Roles screen. There, select Remote Access and continue.
Continue to follow the wizard until you reach the Role Services section and make sure to select both options DirectAccess and VPN (RAS) and Routing.
Continue the wizard to completion, and ensure you check the box to allow reboot to finish the role installation, as this will require a reboot. Once the server is back online, launch Server Manager and wait for the wizard to re-appear and complete the role installation.
Now you will see a Remote Access section on the left side of Server Manager. Click that, and then click the More… link to complete the configuration required to setup the role.
Launch the Getting Started wizard, and here we want to do VPN only, as DirectAccess requires a domain-joined machine.
The Routing and Remote Access console will launch. Right-click on your server, it should have a red stop icon on it, and then click Configure and Enable Routing and Remote Access to launch the wizard.
In this wizard we want to select the Custom option and then select the features we want to add to our Routing and Remote Access Server (RRAS). We want VPN Access, NAT, and LAN routing.
Complete the wizard; it will then report that the service is ready to use. Click Start. Once the service is started we’ll need to configure a few items. Right-click on your server name, which should now have a green up-arrow icon in the console, and select Properties. On the Security tab, tick the checkbox Allow custom IPsec policy for L2TP/IKEv2 connection and enter a pre-shared key (use a long, complex key here, since every client will share it). Click Apply and move over to the IPv4 tab.
On the IPv4 tab, we need to setup a static IP range. This can be whatever you would like, you can always change it to suit your needs. Make your selections, click Apply and OK to close the windows.
Next, we need to configure our server to NAT our traffic. If you do not configure this, when a client connects to the VPN and sends all traffic, it will be unable to communicate beyond the VPN server with the internet. With NAT, the server is able to route traffic sent over the VPN, from a connected client, through to the internet and then back to the client again.
In the RRAS console, open the IPv4 group, right-click on NAT and then select New Interface, choose the External adapter. Next, select the new adapter and then open the properties and change the interface type to Public interface connected to the Internet, and then click the Enable NAT on this interface checkbox. Click apply and OK to close the properties.
You will be prompted that your changes will not take effect until you restart the Routing and Remote Access service. Open the Services console (Win+R, services.msc) and restart that service.
Now that RRAS is configured, we need to turn our attention to the firewall. We need to ensure that the following ports are open so that the VPN traffic is allowed in:
L2TP: UDP 1701; IPsec: UDP 500; IKEv2: UDP 4500
Launch firewall management, create a new custom inbound rule, include these three ports and name it what you like.
The last thing to do on the server is to make sure we select which local accounts are allowed to login to the VPN. Launch Server Manager > Tools > Computer Management. Then under Local Users and Groups, for each user you want to have VPN access, right click the user and select Properties. Then on the Dial-Up tab, in the Network Access Permission section, select Allow access.
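The server-side steps above (role installation, the three-port firewall rule, and the RRAS restart) can also be done from an elevated PowerShell prompt on Windows Server 2012. This is an added example, not part of the original guide; the rule name is a placeholder you can rename.

```powershell
# Added example: server-side setup from PowerShell (assumes Windows Server 2012,
# run as Administrator). Mirrors the GUI steps; the rule name is a placeholder.

# 1. Remote Access role with the "DirectAccess and VPN (RAS)" and "Routing"
#    role services, plus the management tools (RRAS console).
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. One inbound rule covering the three UDP ports listed above:
#    1701 (L2TP), 500 (IKE) and 4500 (NAT traversal).
New-NetFirewallRule -DisplayName "L2TP-IPsec VPN (inbound)" `
    -Direction Inbound -Protocol UDP -LocalPort 500,1701,4500 `
    -Action Allow -Profile Any

# 3. Check that the rule is in place and lists exactly those ports.
Get-NetFirewallRule -DisplayName "L2TP-IPsec VPN (inbound)" |
    Get-NetFirewallPortFilter

# 4. Restart RRAS so the NAT interface change takes effect
#    (the Routing and Remote Access service is named RemoteAccess).
Restart-Service -Name RemoteAccess
```

The Network Access Permission (Allow access) on each local user still has to be set in Computer Management as described above.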
The server configuration is complete at this time. Now you will be able to configure your clients to connect.
On Windows 7/8, launch Network and Sharing Center, then launch the wizard Set up a new connection or network. Select the VPN option and use the IP address of your VPS as the Internet address. Once you complete the wizard and attempt to connect, enter the proper username and password. Then open the properties of your new adapter and select the Security tab. Change the type of VPN to L2TP/IPsec, click Advanced Settings, and enter the pre-shared key. Then you are all set.
Note – if you don’t change the VPN option on the client, you can still connect as soon as you complete the new VPN adapter wizard. It will connect via PPTP. To learn more about the differences between PPTP and L2TP/IPsec see this article.
Once connected, if you run “ipconfig” from the command prompt you should see an IP address in the range you specified on the IPv4 tab above. If you search Google for “what is my ip address” you should see something like this:
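The same client connection can be created from PowerShell on Windows 8 (the VpnClient cmdlets are not available on Windows 7), which also makes it easy to confirm you are on L2TP rather than the PPTP fallback mentioned above. This is an added example, not from the original post; the server address, connection name, user name and pre-shared key are placeholders.

```powershell
# Added example: Windows 8 client setup from PowerShell (placeholders below).
$vpnName = "VPS L2TP"
$server  = "203.0.113.10"              # public IP of your VPS (placeholder)
$psk     = "<pre-shared-key from RRAS>" # must match the Security tab on the server

# Create the connection with L2TP/IPsec and a pre-shared key, MS-CHAPv2 for the
# user credentials, and encryption required rather than optional.
Add-VpnConnection -Name $vpnName -ServerAddress $server `
    -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# Verify: TunnelType must read L2tp. "Pptp" or "Automatic" means the client
# may negotiate PPTP instead, which is the fallback the note above warns about.
Get-VpnConnection -Name $vpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Connect as a user you allowed on the server (* prompts for the password),
# then check the assigned address is inside the static pool from the IPv4 tab.
rasdial $vpnName "<vpn-user>" *
Get-NetIPAddress -InterfaceAlias $vpnName -AddressFamily IPv4
```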
Mac OS X user? No problem! Launch System Preferences, Network, add a new VPN interface of type L2TP over IPSec, and then enter the proper information. Once completed you should be able to connect.
Problems connecting only on Mac OS X? You may need to edit a configuration file. See this guide here.
Want to connect from a Linux client too? We can help you with that. For Ubuntu, follow these steps. You’ll need to add a PPA and install the software:
sudo apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
sudo apt-get update
sudo apt-get install l2tp-ipsec-vpn
Next, reboot your machine. Then launch the L2TP/IPsec configuration tool from the launcher. Enter the correct information, and you should then see a network applet in the top bar, from which you can connect to your VPN.
Make sure to uncheck the three less secure authentication options and go ahead and enter the username if you like. You set the pre-shared key on the IPsec tab.
This concludes the L2TP/IPsec VPN setup on Windows Server 2012 and a brief walkthrough of configuring the connection on Windows, Mac, and Linux clients. Do you have any questions about the VPN setup, or want to know how to configure other Linux distributions to connect to L2TP/IPsec? Let us know in the comments.