Using remote client connections (VPN, ISDN, PPTP etc.) for routing in Windows

Qlemo"Batchelor", Developer and EE Topic Advisor
Having the need
* to contact many different companies with different infrastructures, and
* to do remote maintenance in their networks
required us to implement a more flexible routing solution. RAS, PPTP, L2TP and VPN client connections are not designed to be reached from the rest of the LAN: the tunnel belongs to the one machine that dialed it, and the peer only hands out a single tunnel address. To let other computers use such a connection you therefore need a NAT-capable router in front of it.
In this article I will show how to manage all parts of the necessary configuration tasks.

This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface, as with PPTP, L2TP and ISDN, or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected. This might be an obstacle, as some VPN clients cut off all other network access as long as the connection is open (no-split-tunneling policy). Keep in mind what the setup means for the remote side: every computer behind the NAT reaches the remote network under the one tunnel address, so the remote company's access control for that account is effectively extended to everything on your LAN that can route to the routing computer.

The client or connection can only be routed on XP or later, as we need the NAT-capable Routing and Remote Access Service (RRAS). Client OS like XP and Vista do not offer a GUI for RRAS administration, only server OS do (Windows 2003, 2008), so on client OS you have to manage RRAS with netsh.

The solution was implemented on XP for OpenVPN clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods shown for XP work the same way on W2003.
Because XP and Vista lack the RRAS GUI, configuring a dial-out connection (ISDN, PPTP, L2TP) on those OS with netsh alone can be painful; I do not recommend it.

The following batch script is needed to allow for routing on client XP. You will have to do this only once on the routing computer. On server OS, you can enable routing in the RRAS properties using the GUI instead (the script below works there, too). The original listing was missing the opening parenthesis of the echo block and the blank line regedit requires after the .reg header; both are fixed here.
@echo off
rem Enable IP forwarding in the TCP/IP stack (takes effect after RemoteAccess restarts)
(
  echo Windows Registry Editor Version 5.00
  echo.
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  echo "IPEnableRouter"=dword:00000001
) > %temp%\iproute.reg
rem Import silently and wait for regedit to finish before deleting the file
start "" /wait regedit /s %temp%\iproute.reg
del %temp%\iproute.reg >nul
rem The service is disabled by default on XP; it must be startable
sc config RemoteAccess start= auto >nul
rem Install the NAT protocol into RRAS and restart the service
netsh routing ip nat install
net stop RemoteAccess >nul 2>nul
net start RemoteAccess


The next step is to register the interfaces with NAT. For dial-out connections the interface name is the connection name.
If you do not know the exact names to use for the interfaces, have a look at the output of
netsh interface show interface
to list all available interfaces. Some interfaces, like the one of the Cisco VPN Client, are not visible until a connection is established, so you might have to start that connection first.
Let's presume a Cisco VPN Client is already installed; set the network information at the beginning accordingly. The interface facing the tunnel gets mode=full (address and port translation), the LAN interface and the RRAS-internal interface are the private side. Again the opening parenthesis of the echo block is restored.
@echo off
rem Remote network (and mask) reachable through the tunnel, e.g. the customer's LAN
set routenet=
set routemask=
(
  echo nat add interface name="Cisco VPN" mode=full
  echo nat add interface name="LAN"       mode=private
  echo nat add interface name="internal"  mode=private
  echo add persistentroute dest=%routenet% mask=%routemask% name="Cisco VPN" proto=static pref=0 metric=1 view=both
) | netsh -c "routing ip"


Having done this, you only need to start the connection. Since that is different for each connection type, I'll show it for the more challenging Cisco VPN Client, running on the computer RRAS (which allows for local login rras with password rras; the Cisco VPN credentials are %login% and %pwd%, and the Cisco VPN connection name is %ConnectionName%):
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
  -e "C:\Programme\Cisco Systems\VPN Client\vpngui.exe" -c -user %login% -pwd %pwd% %ConnectionName%

psexec is part of the free Sysinternals PsTools suite (now belonging to Microsoft). Be aware that both passwords end up on command lines: the RRAS password is visible to anyone who can read the process list of the calling machine, and the VPN password is visible in the process list of the routing computer while vpngui.exe runs. PsExec versions before 2.1 also sent the user name and password to the remote computer unencrypted, so use a current version and a dedicated, least-privileged account for the routing computer.

We use a similar technique to start OpenVPN and other clients. For dial-out connections, you just have to set the interface state to connected. Since netsh has a lot of problems when running over the network, we start it remotely on the routing computer, again with psexec (the name is quoted, as connection names usually contain spaces):
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
  -e netsh interface set interface name="%ConnectionName%" admin=enabled connect=connected


Of course there are some possible refinements, like switching Cisco VPN into batch mode, error control, redirecting logs and error output ...
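As an added example, not part of the original article, the following PowerShell script ties the steps above together with some of those refinements: it starts the Cisco VPN Client, waits until its interface actually appears as Connected (it does not exist before the tunnel is up), adds the NAT interfaces only if they are not configured yet, adds the persistent route, verifies the route against route print, and writes a timestamped log. It is meant to run on the routing computer itself (for example started through psexec -e powershell.exe -File ...), which keeps the RRAS password off the psexec command line. The interface names, remote network, vpngui.exe path, profile name, credentials and the assumption about the format of "netsh routing ip nat show interface" output are placeholders to adjust; PowerShell 2.0 on XP/2003 is assumed.

```powershell
# Added example, not code from the original article. Run ON the routing computer.
# Assumptions (not from the article): PowerShell 2.0, RRAS already enabled and the
# NAT protocol installed, and the parameter values below.
param(
    [string]$VpnInterface      = 'Cisco VPN',      # name as shown by 'netsh interface show interface'
    [string]$LanInterface      = 'LAN',
    [string]$RouteNet          = '10.20.0.0',      # assumed remote network behind the tunnel
    [string]$RouteMask         = '255.255.0.0',
    [string]$VpnGui            = 'C:\Program Files\Cisco Systems\VPN Client\vpngui.exe',
    [string]$ConnectionProfile = 'customer-a',     # assumed Cisco connection entry name
    [string]$VpnUser           = 'vpnuser',
    [string]$VpnPwd            = 'vpnpassword',    # visible in the process list while vpngui starts
    [int]$TimeoutSec           = 120,
    [string]$LogFile           = "$env:TEMP\vpn-route.log"
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    $line | Out-File -FilePath $LogFile -Append -Encoding ASCII
    Write-Host $line
}

# Parse 'netsh interface show interface' (columns: Admin State, State, Type, Interface Name)
# and return the State column for the named interface, or $null if it is not listed.
function Get-InterfaceState([string]$Name) {
    foreach ($line in (netsh interface show interface)) {
        if ($line -match '^\s*(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$') {
            if ($Matches[4] -eq $Name) { return $Matches[2] }   # Connected / Disconnected
        }
    }
    return $null   # the Cisco VPN interface only exists while the tunnel is up
}

# Poll until the interface reports Connected or the timeout expires.
function Wait-ForInterface([string]$Name, [int]$Seconds) {
    $deadline = (Get-Date).AddSeconds($Seconds)
    do {
        if ((Get-InterfaceState $Name) -eq 'Connected') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Start the VPN client with the same switches the article uses, but locally.
Write-Log "Starting VPN client for profile '$ConnectionProfile'"
Start-Process -FilePath $VpnGui -ArgumentList @('-c', '-user', $VpnUser, '-pwd', $VpnPwd, $ConnectionProfile)

if (-not (Wait-ForInterface $VpnInterface $TimeoutSec)) {
    Write-Log "ERROR: interface '$VpnInterface' did not reach state Connected within $TimeoutSec s"
    exit 1
}
Write-Log "Interface '$VpnInterface' is Connected"

# 'nat add interface' fails when the interface is already configured, so add the
# NAT interfaces only if the quoted name is absent from the current NAT configuration.
# (Assumption: 'nat show interface' prints the interface name in double quotes.)
$natConfig   = netsh routing ip nat show interface
$natCommands = @()
if (-not ($natConfig -match [regex]::Escape("`"$VpnInterface`""))) {
    $natCommands += "nat add interface name=`"$VpnInterface`" mode=full"
    $natCommands += "nat add interface name=`"$LanInterface`" mode=private"
    $natCommands += "nat add interface name=`"internal`" mode=private"
}
$natCommands += "add persistentroute dest=$RouteNet mask=$RouteMask name=`"$VpnInterface`" proto=static pref=0 metric=1 view=both"

# Same technique as the article: feed the commands to the 'routing ip' context on stdin.
$natCommands | netsh -c "routing ip" | ForEach-Object { Write-Log "netsh: $_" }

# Do not trust the configuration blindly; check the route landed in the kernel routing table.
if ((route print) -match [regex]::Escape($RouteNet)) {
    Write-Log "Route to $RouteNet/$RouteMask via '$VpnInterface' is active"
    exit 0
} else {
    Write-Log "ERROR: route to $RouteNet not found in 'route print'"
    exit 2
}
```

The exit codes (0 connected and routed, 1 tunnel never came up, 2 route missing) let the calling job on the admin workstation decide whether to retry or alert, and the log on the routing computer is what you look at when a remote session fails. The VPN password is deliberately never written to the log; if the client supports a batch or credential-file mode, prefer that over the -pwd switch so the password does not show in the process list either.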

Comments (1)

Qlemo"Batchelor", Developer and EE Topic Advisor

I (still) recommend to use W2003 (R2). Sadly, W2008 and above changed the way the interfaces are presented to RRAS, and I could not manage to make any of the interfaces created by 3rd-party VPN clients visible to the routing/NAT engine.

Juniper's JunOS Pulse can be added to the VPNs testified to work with RRAS.

Not working are:
Cisco AnyConnect Secure Mobility Client  (the SSL VPN replacing the IPSec one, which is EOL now)
Juniper Network Connect (SSL VPN)
