Using remote client connections (VPN, ISDN, PPTP aso.) for routing in Windows

Published on
11,213 Points
1 Endorsement
Last Modified:
Having the need
* to contact many different companies with different infrastructures
* do remote maintenance in their network
required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are not designed to be accessed from a network, you have to use a NAT capable solution.
In this article I will show how to manage all parts of the necessary configuration tasks.

This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface, as with PPTP, L2TP and ISDN, or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected - this might be an obstacle, as some VPN clients cut off network access as long as the connection is open (no-split-tunneling policy).

The client or connection can only be routed starting from XP onwards, as we need a NAT capable Remote and RAS (RRAS) service. Client OS like XP and Vista do not support a GUI for RRAS administration, only server OS do (Windows 2003, 2008) - so you have to manage them with netsh.

The solution was implemented on XP for OpenVPN Clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods for XP can be used the same way with W2003.
Since the lack of RRAS GUI on XP and Vista the configuration of a dial-out connection on that OS (using netsh) can be painful, I do not recommend that.

The following batch script is needed to allow for routing on client XP. You will have to do this only once for the routing computer. On server OS, you can enable routing in the RRAS properties using the GUI instead (the script below works, too).
@echo off
  echo Windows Registry Editor Version 5.00
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  echo "IPEnableRouter"=dword:00000001
) > %temp%\iproute.reg
start "" %temp%\iproute.reg
del %temp%\iproute.reg >nul
netsh routing ip nat install
net stop RemoteAccess >nul 2>nul
net start RemoteAccess

Open in new window

Next step is to implement the interface. For dial-out connections this is the connection name.
If you do not know about the exact names to use for interfaces, have a look at the output of
netsh interface show interface

Open in new window

to list all available interfaces. Some interfaces like Cisco VPN are not visible until you have a connection, so you might have to start that connection first.
Let's presume it is a Cisco VPN Client already installed; set the network information on the beginning accordingly.
@echo off
set routenet=
set routemask=
  echo nat add interface name="Cisco VPN" mode=full
  echo nat add interface name="LAN"       mode=private
  echo nat add interface name="internal"  mode=private
  echo add persistentroute dest=%routenet% mask=%routemask% name="Cisco VPN" proto=static pref=0 metric=1 view=both
) | netsh -c "routing ip"

Open in new window

Having done this, you only need to start the connection. Since that is different for each connection type, I'll show it for the more challenging Cisco VPN, running on computer RRAS (which allows for local login rras and password rras; Cisco VPN credentials are %login% and %pwd%, and the Cisco VPN Connectionname is %ConnectionName%):
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e "C:\Programme\Cisco Systems\VPN Client\vpngui.exe" -c -user %login% -pwd %pwd% %ConnectionName%

Open in new window

psexec is a tool of the famous free Sysinternals PsTools suite at www.sysinternals.com (now belonging to Microsoft).

We use similar technique to start OpenVPN and other clients. For dial-out connections, you will just have to set the interface state to connected. Since netsh has a lot of problems when running over network, we start it remotely on the routing computer, again with psexec:
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e netsh interface set interface %ConnectionName% enabled connected

Open in new window

Of course there are some possible refinements, like switching Cisco VPN into batch mode, error control, redirecting logs and error output ...
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free