Using remote client connections (VPN, ISDN, PPTP, etc.) for routing in Windows

Having the need
* to contact many different companies with different infrastructures, and
* to do remote maintenance in their networks
required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN client connections are not designed to be accessed from a network, you have to use a NAT-capable solution.
In this article I will show how to manage all of the necessary configuration tasks.

This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface (as with PPTP, L2TP and ISDN) or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected; this can be an obstacle, as some VPN clients cut off all other network access for as long as the connection is open (no-split-tunneling policy).

The client or connection can only be routed from XP onwards, as we need a NAT-capable Routing and Remote Access (RRAS) service. Client OSes like XP and Vista do not provide a GUI for RRAS administration; only server OSes do (Windows 2003, 2008), so on a client OS you have to manage it with netsh.

The solution was implemented on XP for OpenVPN clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods for XP can be used the same way on W2003.
Because of the lack of an RRAS GUI on XP and Vista, configuring a dial-out connection on those OSes (using netsh) can be painful; I do not recommend it.

The following batch script is needed to enable routing on client XP. You have to do this only once per routing computer. On server OSes, you can enable routing in the RRAS properties using the GUI instead (the script below works there, too).
@echo off
rem Enable IP forwarding in the registry, install the RRAS NAT protocol and restart the service
(
  echo Windows Registry Editor Version 5.00
  echo.
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  echo "IPEnableRouter"=dword:00000001
) > %temp%\iproute.reg
rem /s imports silently and waits, so the file is not deleted before it has been read
regedit /s %temp%\iproute.reg
del %temp%\iproute.reg >nul
netsh routing ip nat install
net stop RemoteAccess >nul 2>nul
net start RemoteAccess


The next step is to add the interfaces to NAT. For dial-out connections the interface name is the connection name.
If you do not know the exact names to use for the interfaces, have a look at the output of
netsh interface show interface


which lists all available interfaces. Some interfaces, like Cisco VPN, are not visible until a connection is established, so you may have to start that connection first.
Let's presume a Cisco VPN Client is already installed; fill in the network information at the beginning accordingly (the remote network to be reached through the tunnel, and its mask).
@echo off
rem Remote network reachable through the VPN and its mask, e.g. 10.20.0.0 and 255.255.0.0 (fill in)
set routenet=
set routemask=
rem "Cisco VPN" is the public (NAT) side; "LAN" and "internal" are the private sides
(
  echo nat add interface name="Cisco VPN" mode=full
  echo nat add interface name="LAN"       mode=private
  echo nat add interface name="internal"  mode=private
  echo add persistentroute dest=%routenet% mask=%routemask% name="Cisco VPN" proto=static pref=0 metric=1 view=both
) | netsh -c "routing ip"


Having done this, you only need to start the connection. Since that differs for each connection type, I'll show it for the more challenging Cisco VPN, running on the computer RRAS (which allows a local login with user rras and password rras; the Cisco VPN credentials are %login% and %pwd%, and the Cisco VPN connection name is %ConnectionName%):
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e "C:\Programme\Cisco Systems\VPN Client\vpngui.exe" -c -user %login% -pwd %pwd% %ConnectionName%


psexec is part of the well-known free Sysinternals PsTools suite from www.sysinternals.com (now part of Microsoft).

We use a similar technique to start OpenVPN and other clients. For dial-out connections, you only have to set the interface state to connected. Since netsh has a lot of problems when run over the network, we start it remotely on the routing computer, again with psexec (the connection name is quoted in case it contains spaces):
psexec \\RRAS -accepteula -u RRAS\rras -p rras ^
 -e netsh interface set interface "%ConnectionName%" enabled connected


Of course there are possible refinements, like switching the Cisco VPN client into batch mode, error control, redirecting logs and error output, and so on.
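The following script ties the steps above together with the refinements just mentioned (error control, waiting for the interface, logging, and a clean teardown). It is an added example and not part of the original article or of any vendor tool; it runs on the routing computer itself and assumes RRAS NAT was already installed by the first script. The interface names, the remote network, the connection name, the client paths, the log path and the use of vpnclient.exe disconnect are all assumed placeholder values, as are the netsh delete persistentroute and nat delete interface commands used as the inverse of the add commands from the article.

```batch
@echo off
rem vpnroute.cmd - added example, not part of the original article.
rem Runs ON the routing computer (XP/W2003 with RRAS NAT already installed, see above).
rem   vpnroute.cmd connect [user pwd]   start the VPN, wait for its interface, add NAT + route
rem   vpnroute.cmd disconnect           remove route + NAT first, then drop the VPN
rem All names, addresses and paths below are placeholders (assumed values).
setlocal

set "VPNIF=Cisco VPN"
set "LANIF=LAN"
set "ROUTENET=10.20.0.0"
set "ROUTEMASK=255.255.0.0"
set "CONN=CustomerA"
set "VPNGUI=%ProgramFiles%\Cisco Systems\VPN Client\vpngui.exe"
set "VPNCLI=%ProgramFiles%\Cisco Systems\VPN Client\vpnclient.exe"
set "LOG=%SystemRoot%\vpnroute.log"

if /i "%~1"=="connect"    goto :connect
if /i "%~1"=="disconnect" goto :disconnect
echo Usage: %~nx0 connect [user pwd]^|disconnect
exit /b 2

:connect
rem credentials come from the environment (%login% / %pwd% as in the article) or from
rem arguments 2 and 3; they are never stored in this file and never written to the log
if "%login%"=="" set "login=%~2"
if "%pwd%"==""   set "pwd=%~3"
if "%login%"=="" ( call :log "ERROR: no VPN credentials given" & exit /b 2 )
call :log "starting VPN connection %CONN%"
start "" "%VPNGUI%" -c -user %login% -pwd %pwd% %CONN%
set /a tries=0
:waitloop
rem the interface only appears once the tunnel is up; ignore it while it still reads Disconnected
netsh interface show interface | findstr /i /c:"%VPNIF%" | findstr /i /v "Disconnected" >nul
if not errorlevel 1 goto :up
set /a tries+=1
if %tries% geq 30 (
    call :log "ERROR: interface %VPNIF% not connected after 60 s"
    exit /b 1
)
ping -n 3 127.0.0.1 >nul
goto :waitloop
:up
call :log "interface %VPNIF% is up, configuring NAT"
call :rip nat add interface name="%VPNIF%" mode=full     || exit /b 1
call :rip nat add interface name="%LANIF%" mode=private  || exit /b 1
call :rip nat add interface name="internal" mode=private || exit /b 1
call :rip add persistentroute dest=%ROUTENET% mask=%ROUTEMASK% name="%VPNIF%" proto=static pref=0 metric=1 view=both || exit /b 1
call :log "route %ROUTENET% %ROUTEMASK% via %VPNIF% active"
exit /b 0

:disconnect
rem remove the route and the NAT bindings before the tunnel goes away, so nothing is left
rem pointing at a dead interface; errors here are logged but not fatal (entries may be gone)
call :rip delete persistentroute dest=%ROUTENET% mask=%ROUTEMASK% name="%VPNIF%"
call :rip nat delete interface name="%VPNIF%"
call :rip nat delete interface name="%LANIF%"
call :rip nat delete interface name="internal"
rem vpnclient.exe disconnect is the Cisco client's command-line disconnect (assumed available)
"%VPNCLI%" disconnect >>"%LOG%" 2>&1
call :log "VPN connection %CONN% closed"
exit /b 0

:rip
rem run one "netsh routing ip" command, log it with its output, and return netsh's exit code
echo %date% %time% netsh routing ip %* >>"%LOG%"
netsh routing ip %* >>"%LOG%" 2>&1
exit /b %errorlevel%

:log
echo %date% %time% %~1 >>"%LOG%"
exit /b 0
```

Copy the script to the routing computer and start it there, e.g. with psexec the same way the article starts vpngui.exe, passing the connect keyword and the credentials as arguments. The disconnect branch deliberately removes the NAT bindings and the route before closing the tunnel, so the routing computer does not keep forwarding into a remote network after the maintenance session is over. As with the article's own command line, the credentials are visible in the process list while vpngui.exe is starting, which is why the log only records the netsh commands and never the credentials.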

Author Comment

I (still) recommend using W2003 (R2). Sadly, W2008 and above changed the way the interfaces are presented to RRAS, and I could not manage to make any of the interfaces created by 3rd-party VPN clients visible to the routing/NAT engine.

Juniper's JunOS Pulse can be added to the VPNs verified to work with RRAS.

Not working are:
* Cisco AnyConnect Secure Mobility Client (the SSL VPN replacing the IPSec one, which is EOL now)
* Juniper Network Connect (SSL VPN)
