
  • Status: Solved
  • Priority: Medium
  • Security: Public

Using RRAS NAT inside a VPN connection

Hi. I have a Windows 2008 machine configured with RRAS and am connecting through an SSTP VPN tunnel to it. While it was no small miracle to get SSTP working, I am facing another issue at this time.

I have configured RRAS to hand out IP addresses in the 192.168.254.x range (the server's NIC is and that subnet is full, so I have to use NAT for VPN clients) and when I connect to the server with VPN, I am getting an IP address from RRAS and successfully pinging the "Internal" interface ( as well as the NIC interface ( The problem I am having is with NAT.

I would like outgoing requests from the VPN clients to translate to the server's IP of so I can have VPN clients connect to other servers on the 192.168.2.x subnet. I don't care about getting port address translation working, as the 192.168.2.x subnet does not have to initiate connections to any VPN computers.

I have fiddled around with the NAT module configuring adapters and IP ranges and static routes and all the like, but just cannot get this working. It seems the NAT module is not even doing anything, since "total mappings" and "inbound packets transmitted" are all 0.

The clients' routing tables should be set up correctly, as I have statically routed the 192.168.2.x subnet to go through the gateway. Still no luck.

Could someone please advise as to the proper configuration to get a VPN client with a private IP translating packets to reach destinations outside the RRAS server?
1 Solution
Rob Williams Commented:
You likely need to add routes to the VPN client computers and a return route to the servers to which you want to connect because they are more than a single hop away.
On the client:
route add  mask
On the other servers (assuming the VPN server's LAN IP is not their default gateway; if it is, this route is not necessary):
route add
If this works you could add these routes to the local router rather than each client and server.
lbgaus (Author) Commented:
Wow. That was incredibly simple, I almost feel stupid for missing it.

Thank you VERY much. You rock!
Rob Williams Commented:
Thanks lbgaus. Glad to hear it worked for you.
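
The return-route point in the accepted answer above can be checked with a small longest-prefix-match simulation. This is an added example, not part of the original thread; every host address and the /24 masks are constructed placeholders, since the thread elides the real ones.

```python
import ipaddress

# Constructed placeholder addresses (the thread does not show the real ones).
VPN_SERVER_LAN = "192.168.2.10"   # assumed LAN address of the RRAS server
DEFAULT_GW = "192.168.2.1"        # assumed default gateway of the LAN servers
VPN_CLIENT = "192.168.254.5"      # assumed address handed out by RRAS
ON_LINK = "on-link"               # marker for directly connected networks


def next_hop(routes, dst):
    """Return the gateway of the most specific route that covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    # Longest prefix wins, as in a real IP routing table.
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def lan_server_routes(with_return_route):
    """Routing table of a server on the 192.168.2.x subnet (assumed /24)."""
    entries = [
        ("192.168.2.0/24", ON_LINK),
        ("0.0.0.0/0", DEFAULT_GW),
    ]
    if with_return_route:
        # The return route from the answer: VPN pool via the RRAS server.
        entries.append(("192.168.254.0/24", VPN_SERVER_LAN))
    return [(ipaddress.ip_network(net), gw) for net, gw in entries]


def reply_reaches_vpn_server(with_return_route):
    """True if a reply to the VPN client is handed to the RRAS server."""
    hop = next_hop(lan_server_routes(with_return_route), VPN_CLIENT)
    return hop == VPN_SERVER_LAN


if __name__ == "__main__":
    for flag in (False, True):
        hop = next_hop(lan_server_routes(flag), VPN_CLIENT)
        print(f"return route present={flag}: reply to {VPN_CLIENT} goes via {hop}")
```

Without the return route the reply leaves through the default gateway, which has no path to the VPN pool, so the client's request arrives but the answer never comes back.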
