Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Using remote client connections (VPN, ISDN, PPTP aso.) for routing in Windows

Published on
10,087 Points
1 Endorsement
Last Modified:
Having the need
* to contact many different companies with different infrastructures
* do remote maintenance in their network
required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are not designed to be accessed from a network, you have to use a NAT capable solution.
In this article I will show how to manage all parts of the necessary configuration tasks.

This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface, as with PPTP, L2TP and ISDN, or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected - this might be an obstacle, as some VPN clients cut off network access as long as the connection is open (no-split-tunneling policy).

The client or connection can only be routed starting from XP onwards, as we need a NAT capable Remote and RAS (RRAS) service. Client OS like XP and Vista do not support a GUI for RRAS administration, only server OS do (Windows 2003, 2008) - so you have to manage them with netsh.

The solution was implemented on XP for OpenVPN Clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods for XP can be used the same way with W2003.
Since the lack of RRAS GUI on XP and Vista the configuration of a dial-out connection on that OS (using netsh) can be painful, I do not recommend that.

The following batch script is needed to allow for routing on client XP. You will have to do this only once for the routing computer. On server OS, you can enable routing in the RRAS properties using the GUI instead (the script below works, too).
@echo off
  echo Windows Registry Editor Version 5.00
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  echo "IPEnableRouter"=dword:00000001
) > %temp%\iproute.reg
start "" %temp%\iproute.reg
del %temp%\iproute.reg >nul
netsh routing ip nat install
net stop RemoteAccess >nul 2>nul
net start RemoteAccess

Open in new window

Next step is to implement the interface. For dial-out connections this is the connection name.
If you do not know about the exact names to use for interfaces, have a look at the output of
netsh interface show interface

Open in new window

to list all available interfaces. Some interfaces like Cisco VPN are not visible until you have a connection, so you might have to start that connection first.
Let's presume it is a Cisco VPN Client already installed; set the network information on the beginning accordingly.
@echo off
set routenet=
set routemask=
  echo nat add interface name="Cisco VPN" mode=full
  echo nat add interface name="LAN"       mode=private
  echo nat add interface name="internal"  mode=private
  echo add persistentroute dest=%routenet% mask=%routemask% name="Cisco VPN" proto=static pref=0 metric=1 view=both
) | netsh -c "routing ip"

Open in new window

Having done this, you only need to start the connection. Since that is different for each connection type, I'll show it for the more challenging Cisco VPN, running on computer RRAS (which allows for local login rras and password rras; Cisco VPN credentials are %login% and %pwd%, and the Cisco VPN Connectionname is %ConnectionName%):
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e "C:\Programme\Cisco Systems\VPN Client\vpngui.exe" -c -user %login% -pwd %pwd% %ConnectionName%

Open in new window

psexec is a tool of the famous free Sysinternals PsTools suite at www.sysinternals.com (now belonging to Microsoft).

We use similar technique to start OpenVPN and other clients. For dial-out connections, you will just have to set the interface state to connected. Since netsh has a lot of problems when running over network, we start it remotely on the routing computer, again with psexec:
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e netsh interface set interface %ConnectionName% enabled connected

Open in new window

Of course there are some possible refinements, like switching Cisco VPN into batch mode, error control, redirecting logs and error output ...
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 71

Author Comment

I (still) recommend to use W2003 (R2). Sadly, W2008 and above changed the way the interfaces are presented to RRAS, and I could not manage to make any of the interfaces created by 3rd-party VPN clients visible to the routing/NAT engine.

Juniper's JunOS Pulse can be added to the VPNs testified to work with RRAS.

Not working are:
Cisco AnyConnect Secure Mobility Client  (the SSL VPN replacing the IPSec one, which is EOL now)
Juniper Network Connect (SSL VPN)

Featured Post

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

Join & Write a Comment

After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month