Setting up the Vista Point-to-Point Tunneling Protocol (PPTP)
Virtual Private Network (VPN) Server
This Mini-How-To was created as an example of one way to remotely access a home office network using a Point-to-Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) connection over the public internet, using technologies built into the Vista operating system. Configurations are based on remote user access to this example local area network. Note that the setup and configuration procedure should be run while logged on as a user with Administrator privileges.
This procedure applies to the following versions of Vista: Home Basic, Home Premium, Business, Enterprise, Ultimate.
Set up the Vista PPTP VPN Server
(Screen shots are from a Vista Ultimate desktop PC)
Log on to the Vista PC as a user with Administrator privileges. The Vista VPN server is configured by navigating to Start | Control Panel | Network and Internet | Network and Sharing Center and selecting Manage network connections.
Select File | New Incoming Connection from the drop-down menu. If the Menu bar is not visible press the
Select the users that will be allowed to log in to the PPTP VPN server through the VPN connection. Click Next. In the example shown, a special standard user account, protected by a strong password and used only for remote VPN access, is selected. Click on Add someone... to add the special user account.
Select the Through the Internet check box then click on Next.
Select Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.
If remote VPN users will be allowed to access the home local area network, check the Allow callers to access my local area network checkbox. Configure the IP address assignment window using IP addresses in the same subnet as the VPN server PC and LAN (see the example local area network). In the following example the From: address is the address assigned to the VPN gateway and the To: address is assigned to the incoming VPN client. Click OK when finished. Note that by design Vista will only accept one incoming VPN connection at a time.
Click on Close.
When finished the Network Connections window will indicate the new Incoming Connections icon.
Configure the Network Firewall/NAT Router for PPTP VPN access
If the Vista PPTP VPN server PC is behind a broadband router, the router must be configured to allow PPTP VPN access. Both TCP Port 1723 and GRE Protocol 47 are used to pass PPTP VPN traffic through the firewall. Some router manufacturers call enabling GRE Protocol 47 traffic PPTP Pass Through or VPN Pass Through. Check the user's manual for your specific router for details. The example screen shots are from a Network Everywhere NR041 4-Port Broadband Router. See the example local area network.
The Vista Windows Firewall will be automatically configured to allow PPTP VPN access. GRE Protocol 47 traffic is automatically enabled through the Windows Firewall when TCP Port 1723 is opened. For more information about the Windows Firewall see The New Windows Firewall in Windows Vista and Windows Server "Longhorn" article by the Cable Guy.
Configure the Vista PPTP VPN client and a client lmhosts file
The Vista PPTP VPN client can be configured using the procedure detailed on the online Vista Help and Support site.
An lmhosts file that maps computer names to LAN IP addresses on the remote network may be created in the C:\Windows\system32\drivers\etc folder on the VPN client computer. The client can then use the form \\ComputerName\ShareName to access shared folders on the remote network. See this Microsoft article for file syntax help. An example lmhosts file can be downloaded here. The example lmhosts file is based on remote user access to this example local area network.
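As an added example (not the how-to's downloadable file and not a Microsoft script), the following PowerShell script builds an lmhosts file for the VPN client in the format the how-to describes: one line per remote computer, IP address first, NetBIOS name second, with #PRE so the entry is preloaded into the NetBIOS name cache. The computer names and addresses are constructed placeholders; replace them with the machines on your own remote LAN. Run it from an Administrator PowerShell prompt, since the etc folder is write-protected for standard users.

```powershell
# Added example: generate C:\Windows\system32\drivers\etc\lmhosts for the PPTP VPN client.
# Names and addresses below are constructed placeholders, not the how-to's example LAN.

$Entries = @{
    'OFFICEPC'  = '192.168.1.10'   # constructed: a file server on the remote LAN
    'OFFICEPRN' = '192.168.1.20'   # constructed: a print server on the remote LAN
}

# Windows reads a file named exactly "lmhosts" (no extension) from this folder.
$LmhostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\lmhosts'

$Lines = @('# lmhosts - remote LAN name mappings used over the PPTP VPN connection')
foreach ($Name in $Entries.Keys) {
    $Ip = $Entries[$Name]

    # NetBIOS names are at most 15 characters; longer names will never resolve.
    if ($Name.Length -gt 15) { throw "NetBIOS name too long (max 15 characters): $Name" }

    # Basic IPv4 sanity check so a typo does not silently produce an unusable entry.
    if ($Ip -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { throw "Not an IPv4 address: $Ip" }

    # Entry format: "<IP address>   <NetBIOS name>   #PRE" (fields separated by spaces).
    # #PRE preloads the mapping into the name cache when the cache is (re)loaded.
    $Lines += ('{0,-16} {1,-16} #PRE' -f $Ip, $Name)
}

# lmhosts must be plain text; write it as ASCII so no byte-order mark is inserted.
Set-Content -Path $LmhostsPath -Value $Lines -Encoding Ascii

# Purge the NetBIOS name cache and reload the #PRE entries from lmhosts immediately,
# instead of waiting for the next reboot.
nbtstat -R

# Display the cache so the new entries can be confirmed before dialing the VPN.
nbtstat -c
```

After the cache is reloaded, \\OFFICEPC\ShareName on the client resolves to the placeholder address above once the VPN tunnel is up; the same script can be re-run whenever a machine on the remote LAN changes address.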
Enhance client to server security
WARNING: The following are recommendations for Small Office/Home Office (SOHO) users connecting to a standalone Vista host computer with the Vista PPTP VPN client software only. Users connecting to remote computers in a corporate or domain environment should check with their network administrators for configuration guidance.
Client users are encouraged to use a strong password when logging onto a remote PC over a PPTP VPN connection. The client user can configure the connection's security properties by navigating to Start | Control Panel | Network and Internet | Network and Sharing Center and selecting Manage network connections. Right-click the VPN connection that you want to edit, then click Properties.
The Vista PPTP VPN server computer administrator can configure these properties by navigating to Start | Control Panel | Network and Internet | Network and Sharing Center and selecting Manage network connections. Right-click the Incoming Connections icon then click Properties. Check the Require all users to secure their passwords and data checkbox.
Troubleshooting the PPTP VPN server - client data link
The Vista PPTP VPN server to client link can be tested using the detailed test procedure in the PPTP Ping and VPN Traffic sections of the Testing Network Paths for Common Types of Traffic article by the Cable Guy. The pptpsrv.exe and pptpclnt.exe programs on the XP SP2 CD may be used. To extract the programs on a Vista PC, insert the CD in the CD drive and select Open folder to view files from the AutoPlay window.
Select the Support folder.
Select the Tools folder.
Select the Support cabinet file.
Highlight the pptpsrv.exe and pptpclnt.exe files, then right-click and select Extract from the menu.
Save the files to a temporary folder. Click on X in the upper right corner of the window to close it, then eject the CD from the CD drive. Copy the pptpsrv.exe file to the server PC and the pptpclnt.exe file to a client PC and run the test procedure as detailed in the VPN Traffic section of the Testing Network Paths for Common Types of Traffic article by the Cable Guy.
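The following PowerShell functions are an added example (not part of the how-to, and not one of Microsoft's tools) that covers the two things a practitioner usually wants to check before running the pptpsrv.exe/pptpclnt.exe test above: on the server, that the Incoming Connection is actually listening on TCP port 1723 and that the Windows Firewall rules for PPTP and GRE described in the firewall section are present; from the remote client, that the router really forwards TCP 1723. The firewall rule names are assumed to be the ones Vista's Routing and Remote Access rule group uses; the server address in the usage lines is a constructed placeholder. A TCP connect can only prove the port 1723 control channel, not GRE protocol 47, which is exactly why the pptpsrv/pptpclnt test is still needed afterwards.

```powershell
# Added example: pre-checks for the PPTP control channel (TCP 1723) and firewall rules.
# Run the server functions on the Vista VPN server PC, the client function on the remote PC.

function Test-PptpListener {
    # Server side: after File | New Incoming Connection, Vista should be listening on TCP 1723.
    # netstat lines look like "TCP    0.0.0.0:1723    0.0.0.0:0    LISTENING".
    $listening = netstat -an | Select-String -Pattern ':1723\s+.*LISTENING'
    return ($null -ne $listening)
}

function Get-PptpFirewallRules {
    # Server side: show the Windows Firewall rules that pass TCP 1723 and GRE (protocol 47).
    # Rule names are assumed from the Routing and Remote Access rule group; adjust if yours differ.
    foreach ($rule in 'Routing and Remote Access (PPTP-In)', 'Routing and Remote Access (GRE-In)') {
        netsh advfirewall firewall show rule name="$rule"
    }
}

function Test-PptpControlChannel {
    param(
        [string]$ServerAddress,      # router public IP or DNS name (placeholder in usage below)
        [int]$TimeoutMs = 5000
    )
    # Client side: complete a TCP handshake to port 1723 through the broadband router.
    # Success proves only the TCP 1723 forward; GRE cannot be tested with a TCP socket.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ServerAddress, 1723, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # timed out: port not forwarded, or server not listening
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false                # refused or unreachable
    } finally {
        $client.Close()
    }
}

# Usage on the VPN server PC:
#   Test-PptpListener
#   Get-PptpFirewallRules
# Usage on the remote client PC (constructed placeholder address):
#   Test-PptpControlChannel -ServerAddress 'vpn.example.com'
```

If Test-PptpListener returns False, the Incoming Connection itself is not up and no router change will help; if it returns True but Test-PptpControlChannel from the client returns False, the router's port 1723 forward is the first thing to recheck. If both succeed and the VPN still fails to connect, GRE protocol 47 (PPTP Pass Through) is the usual remaining cause, and the Cable Guy's pptpsrv/pptpclnt procedure is the way to confirm it.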