How To Setup A L2TP/SSTP Client Access RRaS Server In Azure ~ Bauer-Power Media
Some of us still haven't outgrown the use of Microsoft RRaS as a VPN server. Why should we? It is simple to set up, easy to configure and just plain works!
The other day I decided to set up a RRaS server in Azure to replace an old one we had on premises. It turns out that RRaS isn't officially supported in Azure, but that isn't going to stop us, is it?
The reason it apparently isn't supported is because of how routing is configured in Azure. At least, that's the Cliffs Notes version I gathered. I read an article from Richard Hicks that says that you can make it work by enabling IP forwarding on your RRaS VM, then adding a routing table to your vnet. He's half right: you should enable IP forwarding on your VM's NIC like this:
[Screenshot: IP forwarding enabled on the VM's NIC]
You'll also want to allow ports 443, 1701, 500 and 4500 to your VPN server in your Network Security Group:
[Screenshot: Network Security Group rules for the VPN server]
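The two Azure-side steps above can also be scripted with the Az PowerShell module. This is an added example, not code from the original post: the resource group, NIC, NSG, rule names and priorities are placeholders, and the protocol given for each port comes from standard SSTP and L2TP/IPsec usage rather than from the post.

```powershell
# Added example (not from the original post). Requires the Az.Network module
# and an authenticated session (Connect-AzAccount). All names are placeholders.
$rg      = 'rg-vpn-example'   # hypothetical resource group
$nicName = 'rras-vm-nic'      # hypothetical NIC attached to the RRaS VM
$nsgName = 'rras-vm-nsg'      # hypothetical NSG protecting that NIC

# 1. Enable IP forwarding on the RRaS VM's NIC.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.EnableIPForwarding = $true
$nic = $nic | Set-AzNetworkInterface
$vpnIp = $nic.IpConfigurations[0].PrivateIpAddress

# 2. One inbound rule per port, limited to the protocol that port uses and to
#    the VPN server's own address instead of the whole subnet.
$rules = @(
    @{ Name = 'Allow-SSTP-443';   Protocol = 'Tcp'; Port = '443';  Priority = 300 },
    @{ Name = 'Allow-IKE-500';    Protocol = 'Udp'; Port = '500';  Priority = 310 },
    @{ Name = 'Allow-NATT-4500';  Protocol = 'Udp'; Port = '4500'; Priority = 320 },
    @{ Name = 'Allow-L2TP-1701';  Protocol = 'Udp'; Port = '1701'; Priority = 330 }
)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if ($nsg.SecurityRules.Name -contains $r.Name) { continue }
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name `
        -Access Allow -Direction Inbound -Protocol $r.Protocol `
        -Priority $r.Priority `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $vpnIp `
        -DestinationPortRange $r.Port | Out-Null
}
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. Read the settings back from Azure to confirm what is actually applied.
(Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName).EnableIPForwarding
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName).SecurityRules |
    Where-Object Direction -eq 'Inbound' |
    Select-Object Name, Protocol, DestinationPortRange, DestinationAddressPrefix, Priority
```

If your VPN clients come from known address ranges, replace the `Internet` source tag with those ranges.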
That being said, the rest is easy!
  • Install the Remote Access role, and select Direct Access and VPN (RAS) and Routing.
  • After the install, run the getting started wizard and select the Deploy VPN only option (unless you need DirectAccess, but that is outside the scope of this post).
  • When you open the RRaS console, right click your server name and select Configure and Enable Routing and Remote Access.
  • Click Next, then select Custom Configuration (since we're setting this up on a host with a single NIC).
  • Next select all options, then click Next again and follow the rest of the prompts to install RRaS.
Now you're ready to configure everything. There are only two things you need to know about setting up RRaS in Azure:
  1. You can't point RRaS to an internal DHCP server in Azure, and you can't point RRaS to Azure's DHCP services, so you have to assign IPs from a static address pool in the IPv4 tab under your RRaS server properties. This IP range can't be one that already exists in Azure or one that matches the host you're using as your RRaS server.
  2. Since we're not using custom routes, we need to configure NAT by adding both the Ethernet interface and the internal interface under NAT in the RRaS console.
The Ethernet properties should look like this under NAT:
[Screenshot: NAT properties of the Ethernet interface]
The Internal interface properties should look like this:
[Screenshot: NAT properties of the Internal interface]
After that, configure your SSL certificate, authentication, etc., the way you normally would for RRaS. You'll find that this method is pretty easy and works pretty well. With the NAT setup, you are translating your static pool of RRaS addresses to the network interface of the Azure VM, so you don't have to worry about routes!
I originally set up the route table method, without NAT, that was suggested in Richard Hicks's post, but when I connected with my client, I couldn't access the internet. In order to access the internet through the VPN tunnel, I had to enable NAT. With NAT enabled, you don't need the routes!
Did this post help you out? Did you do it a different way? Let us know in the comments!