Forum Discussion

hzhang's avatar
hzhang
Copper Contributor
May 07, 2025

VPN on Windows Server 2016 not working

I followed the stand procedure to set up VPN on Windows Server 2016. Let me jump to where I am now. The event viewer has the following two entries when a client connects to the VPN server: A co...
management
networking
windows server
micheleariis's avatar
micheleariis
MCT
May 12, 2025

Hi, enable RRAS in PPTP mode on Server.

-On server, client and router open TCP port 1723 and protocol 47 (GRE).

-Do a packet capture (WS or netsh trace) to check if GRE packets arrive.

  • hzhang's avatar
    hzhang
    Copper Contributor
    May 12, 2025

    My settings:

    Server: Windows Server 2016 VPS

    Client: Windows 11 Pro behind a Fios Router.

    Here is what I did (I probably overdid it):

    I ran the following on BOTH server and client:

    New-NetFirewallRule -DisplayName "Allow VPN" -Direction Inbound -Protocol TCP -LocalPort 1723,443 -Action Allow
New-NetFirewallRule -DisplayName "Allow VPN UDP" -Direction Inbound -Protocol UDP -LocalPort 500,1701,4500 -Action Allow

    I enabled GRE traffic for the firewall on both the server and client.

    I forwarded ports 1723 and 47 to the Windows 11 Pro PC on the client side.

    Here is the traffic on the server side captured on port 1723:

     

    Traffic on the client side:

    Error message for the client connection:

    Any tip will be greatly appreciated.

    • micheleariis's avatar
      micheleariis
      MCT
      May 12, 2025

      Hi Aran, i see that the client opens TCP correctly on port 1723 but then receives a FIN/ACK followed by RST: it is almost always a symptom that the GRE (protocol 47) is not actually transported by the router. On many Fios routers the only “port” you can open is TCP/1723, while the GRE only passes through the “PPTP passthrough” option.

      Try this:

      -On the Fios router explicitly enable PPTP Passthrough (or “VPN Passthrough”) to ensure that the GRE is forwarded.

      -Verify in RRAS (Routing and Remote Access) of the server that the service is started, that PPTP support is enabled and that the public card is correctly “binding”.

      -Check in Event Viewer - “Routing and Remote Access” for any errors at the time of the call: often there you find the real reason for the RST.

      If you have the means, test a VPN client from another network (e.g. phone hotspot) to rule out NAT issues on the client.

      If you continue to have problems, consider switching to a more “NAT-friendly” protocol such as SSTP or L2TP/IPsec, which bypass the GRE issue entirely.

      • hzhang's avatar
        hzhang
        Copper Contributor
        May 13, 2025

        It is challenging to post it here. I replied to your post with answers to your questions. It took quite a few hours for it to show up, but it is displayed at the top instead of beneath your post. My post was rejected a few times because I used the phrase that is pronounced why-phi (I cannot write it here because it will be rejected), another phrase pronounced "sellula connection", and some other jargons.

Resources