
Configure Windows XP Professional to Be a VPN Server


For the Small Office/Home Office (SOHO), Windows XP Professional VPN features are a real boon. Traveling users with laptops or handheld computers will inevitably want files on the home network; you just can’t bring everything with you. This is where the beauty of the Windows XP Professional computer connected to an always-on connection, such as DSL or cable modem, shines. That always-on link can be used to accept incoming VPN connections and allow your mobile users to access shared folders and files on your private network.

In this article, I’ll explain how to configure a Windows XP Professional computer to accept incoming VPN connections and discuss some tips on improving the remote access experience for the VPN client computer user.

Windows XP’s all-in-one VPN solution

Windows XP Professional is designed as the one-stop solution for the SOHO, taking all the usability features available to Windows Me users and adding the powerful networking features available in Windows 2000. The combination lets you create the ideal remote access solution for the SOHO.

The Windows XP Professional remote access server capabilities are very similar to those available in Windows 2000 Professional. A Windows XP computer can accept a single incoming connection on each interface that can accept a connection. For example, a Windows XP machine can accept incoming connections on each of the following interfaces:

Dial-up modem serial interface

Infrared interface

Parallel port interface

VPN interface

While it’s unlikely, a Windows XP Professional machine with the above configuration could conceivably accept up to four simultaneous RAS connections. However, the typical configuration consists of a single RAS client connection, either through a dial-up modem interface or a VPN interface.

Create an incoming connection with the New Connection Wizard

Like Windows 2000 Professional, Windows XP Professional includes a New Connection Wizard. I’ll show you how to use the New Connection Wizard to create the new VPN server interface. In this example, I’ll assume the Windows XP Professional machine is not a member of a Windows NT 4.0 or Windows 2000 domain. The machine has two network interface cards; one is directly connected to the Internet, and the other is connected to the internal LAN. In addition, the external interface of the machine is configured for Internet Connection Sharing (ICS). While ICS changes the IP address of the LAN interface of the ICS computer to 192.168.0.1 through 16, it's easy to change the IP address to one that fits the existing network environment. The IP address of the LAN interface of the ICS computer was changed to 10.0.0.1 through 24 to fit the preexisting network configuration.

Running ICS and incoming VPN connections on the same interface

I have been able to run ICS and incoming VPN connections on the same interface. However, to prevent problematic configuration issues, you should configure the VPN interface before you configure ICS on the same computer.

How to create the VPN server interface, step-by-step

1. Click Start | Control Panel.

2. In the Control Panel, open the Network Connections applet.

3. In the Network Connections window (see Figure A), open the New Connection Wizard.

Figure A

The Network Connections window

4. On the Welcome To The New Connection Wizard page, click Next.

5. On the Network Connection Type page (see Figure B), select the Set Up An Advanced Connection option.

Figure B

6. On the Advanced Connection Options page (see Figure C), select the Accept Incoming Connections option and click Next.

Figure C

Configuring XP to accept incoming connections

7. On the Devices For Incoming Connections page (see Figure D), you can select optional devices on which you want to accept incoming connections.

Figure D

Note that you are not presented with any of the network interfaces on the computer.

8. On the Incoming Virtual Private Network (VPN) Connection page (see Figure E), select the Allow Virtual Private Connections option and click Next.

Figure E

9. On the User Permissions page (see Figure F), select the users that are allowed to make incoming VPN connections. Click Next.

Figure F

Any user that isn’t selected won’t be able to initiate an incoming connection.

10. On the Networking Software page (see Figure G), click on the Internet Protocol (TCP/IP) entry and click the Properties button.

Figure G

Configuring TCP/IP properties

11. In the Incoming TCP/IP Properties dialog box (see Figure H), place a check mark in the Allow Callers To Access My Local Area Network check box. This will allow VPN callers to connect to other computers on the LAN. If this check box isn’t selected, VPN callers will only be able to connect to resources on the Windows XP VPN server itself. Click OK to return to the Networking Software page and then click Next.

Figure H

Granting LAN access to callers

12. On the Completing The New Connection Wizard page, click Finish to create the connection.

After the Incoming Connection is complete, right-click on the connection in the Network Connections window and select the Properties command (see Figure I).

Figure I

Accessing the properties of the VPN server link

Note that on the General tab of the Incoming Connections Properties page (see Figure J), no devices are listed. The comment No Hardware Capable Of Accepting Calls Is Installed isn’t true, since you can now create VPN connections to both network interface cards. In practice, there is no point in creating a VPN connection to the internal interface card.

Figure J

VPN clients will only call the external IP address of the Windows XP Professional VPN server.

VPN server optimization tips

The New Connection Wizard made it easy to create the VPN server interface, but you can still do more to optimize your VPN connections. First, note that you can create PPTP or L2TP/IPSec VPN connections. Figure K shows the connection status dialog box of a Windows XP VPN client connected to a Windows XP VPN server. Note that MPPE 128-bit encryption is automatically enabled and that Microsoft CHAP v2 is used for authentication.

Figure K

If both machines had machine certificates from the same Certification Authority installed, an L2TP/IPSec VPN link could have been negotiated.

If you want the VPN client to access resources on the internal network, the IP address assigned to the VPN client should be on the same network ID as the internal interface of the Windows XP VPN server computer. In addition, all the machines on the internal network should have a default gateway set using the IP address of the internal interface of the Windows XP VPN server.

In the unlikely event that the SOHO has multiple network segments, the routing table on the Windows XP VPN server needs to be configured with paths to the various internal network IDs. You can use the ROUTE ADD command to create these routing table entries.

Small networks that use a Windows XP Professional machine for a VPN server probably won’t have network services such as WINS or DNS. If name resolution on the private network is an issue for the VPN client, then you should create an LMHOSTS file, a simple text file that contains name and IP address mappings. For example, the following line could represent an entry in an LMHOSTS file:

10.0.0.2 DEFIANT

Notepad tip

When you save the LMHOSTS file to the <system_root>\system32\drivers\etc folder, make sure that the file doesn’t contain a file extension. To prevent Notepad from appending a file extension to the filename, when you save the file in Notepad, put quotes around LMHOSTS.
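The addressing, routing and LMHOSTS rules from the three paragraphs above, as an added example that is not part of the original article: a Python check of a planned setup that also returns the ROUTE ADD commands and LMHOSTS lines the plan implies. The /24 mask, the host VOYAGER, the 10.0.1.0/24 segment and its router 10.0.0.254 are assumed values.

```python
import ipaddress

# Constructed sample data. 10.0.0.1 and "10.0.0.2 DEFIANT" come from the article;
# the /24 mask, VOYAGER, the 10.0.1.0/24 segment and its router are assumptions.
LAN_HOSTS = {"DEFIANT": ("10.0.0.2", "10.0.0.1"),
             "VOYAGER": ("10.0.0.3", "10.0.0.254")}
EXTRA_SEGMENTS = {"10.0.1.0/24": "10.0.0.254"}

def check_vpn_plan(server_lan_if, vpn_client_ip, lan_hosts, extra_segments):
    """Return (problems, route_cmds) for a planned VPN server setup.

    lan_hosts maps name -> (ip, default_gateway); extra_segments maps an
    internal network ID -> the router on the LAN that leads to it.
    """
    iface = ipaddress.ip_interface(server_lan_if)
    problems, route_cmds = [], []
    # The VPN client address must share the internal interface's network ID.
    if ipaddress.ip_address(vpn_client_ip) not in iface.network:
        problems.append(f"VPN client {vpn_client_ip} is outside {iface.network}")
    # Every LAN machine must use the server's internal interface as gateway.
    for name, (ip, gw) in sorted(lan_hosts.items()):
        if ipaddress.ip_address(gw) != iface.ip:
            problems.append(f"{name} ({ip}) uses gateway {gw}, expected {iface.ip}")
    # Each further segment needs a ROUTE ADD entry on the server, and the next
    # hop has to be directly reachable on the internal network.
    for net, hop in sorted(extra_segments.items()):
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(hop) not in iface.network:
            problems.append(f"next hop {hop} for {n} is not on {iface.network}")
        else:  # -p makes the route persistent across reboots
            route_cmds.append(
                f"route -p add {n.network_address} mask {n.netmask} {hop}")
    return problems, route_cmds

def lmhosts_entries(lan_hosts):
    """Render LMHOSTS lines (IP, then NetBIOS name of at most 15 characters)."""
    lines = []
    for name, (ip, _gw) in sorted(lan_hosts.items()):
        if len(name) > 15:
            raise ValueError(f"{name!r} exceeds the 15-character NetBIOS limit")
        lines.append(f"{ipaddress.ip_address(ip)}\t{name.upper()}")
    return lines

if __name__ == "__main__":
    problems, cmds = check_vpn_plan("10.0.0.1/24", "10.0.0.50",
                                    LAN_HOSTS, EXTRA_SEGMENTS)
    print(*problems, *cmds, *lmhosts_entries(LAN_HOSTS), sep="\n")
```
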

The VPN client must be configured with an IP address or host name for the Windows XP Professional VPN server. If the Windows XP Professional client has a dedicated link to the Internet and a static IP address, you can use that IP address in the VPN client configuration interface. However, if the Windows XP Professional VPN server is assigned an IP address via DHCP, you’ll have to use an Internet host name and a method of registering the host name dynamically. A couple of services you might want to look into are TZO and DYNDNS. Both of these services will let you dynamically register a computer’s IP address into the public DNS database.

Conclusion

Windows XP Professional provides simple VPN server capabilities that let you connect single VPN clients to your internal network, one at a time. If the Windows XP Professional computer has a dedicated connection to the Internet, you can connect to that computer from virtually anywhere in the world using a VPN link. The VPN server setup is simple and can accept calls from any Windows PPTP or L2TP/IPSec client.