RRAS DHCP options

 


I am frequently asked about assigning IP’s to Windows VPN clients though RRAS (Routing and Remote Access Service).  Most often this is done using DHCP, but there are several ways to handle DHCP within RRAS, and included are a couple of features that may seem a little unusual or unexpected.


 


  • The first option, just to get it out of the way as it is not often implemented, is to assign static IP’s to the VPN client. This is done through the user’s profile in Active Directory on the Dial-In page, under “Assign a Static IP”. Should this be grayed out, it is due to the domain functional level being “Windows 2000 mixed”. Look into the repercussions of raising the DFL before doing so. For the record, it is not possible to use DHCP reservations to assign static IP’s to VPN clients.

 



 


  • DHCP within RRAS is handled in numerous ways: through a DHCP relay agent, using RRAS itself with or without a static address pool, or within the NAT configuration.

 


  • To use the DHCP relay, the DHCP server must reside on a different device than the RRAS server. It can be a router or any other Windows server. Installing the DHCP relay option is very straightforward. Right click on “general” under IP routing in the RRAS console, choose new routing protocol, and DHCP relay agent. Once the relay agent is created, right click on it, choose new interface, generally choose the LAN server adapter, and the defaults. Optionally you can assign the IP of the DHCP server by right clicking on the DHCP relay agent again, choose properties, and add the DHCP server’s IP.

 



 


  • RRAS itself can assign DHCP addresses. This is set under the IP tab found by right clicking on the server name and choosing properties. DHCP is selected by default. With this option enabled, RRAS will select an IP from within the local DHCP service scope’s address pool. Alternatively you can select static address pool and define a range of addresses from which RRAS can draw an IP for the VPN client. If DHCP is not enabled on the server, RRAS will assign an APIPA address in the 169.254.0.0/16 subnet which will still allow client to connect to the server, but routing will need to be configured to reach the LAN.

 



 


  • A final option is to use the DHCP allocator within the RRAS NAT configuration, but this does not apply to VPN clients, so I will not elaborate at this time.

 



 


 


 


One of the “unexpected” features of RRAS and DHCP occurs when the RRAS service is configured and started. Assuming the DHCP server is available, it reserves blocks of 10 IP’s for the VPN clients, with the first IP being assigned to the RRAS server itself. If enough VPN clients connect simultaneously to exceed the 10 reservations, another block of 10 IP’s is added. It is often disconcerting to see 10 addresses assigned in the DHCP address lease list, when there are no current connections. The RRAS leases can be distinguished by the RAS label in the “Unique ID” column. Should your available DHCP leases be limited, you can reduce the default block size of reserved IP’s by editing or adding the following registry key: HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\ RemoteAccess\Parameters\IP    Change the DWord: InitialAddressPoolSize from the default value of 10 to your desired limit.


 


Another thing to point out is RRAS will not assign VPN clients additional connection information such as DNS or WINS address addressing, from the DHCP scope options. In order for these to be automatically added to the VPN client’s virtual adapter’s properties, they must be added to the RRAS server’s own network adapter’s configuration. They are then inherited by the VPN client.


 

17 thoughts on “RRAS DHCP options”

  1. thanks million, i was looking for this registry where u can reduce the default block size of reserved IP’s for VPN connection,

    thankas once more

  2. This is great info… I have on win2k8 rras server for vpn and a sepetate server that is DC + DHCP . I have RRAS configured to use DHCP to automatically assign IPs which is working fine, users get assigned 192.168.2.x … but I would like to know how I can configure NPS/DHCP to assign vpn clients IP addresses from a different scope (192.168.4.x).

    could you please point me in the right direction ?

  3. Hello Rob,

    Thank you for a very helpful article.

    I hope you don’t mind if I ask for a small clarification on one of your points.

    I have a Windows 2008 VPS at a US web hosting company, and want to be able to VPN to it in order to access server resources (i.e. file shares) and also get internet access through it. This is because I am currently in a country that heavily blocks and monitors web traffic.

    I have the VPN working, but I’m not able to access server resources or the internet once connected. I presume that I have to:
    a) get DHCP working properly so i can access server resources, and
    b) put in some routing to allow access to the internet

    On both these fronts I’m a bit lacking in knowledge.
    The server was handing out APIPA addresses, so I set RRAS to use a static pool (192.168.1.100-110). However this hasn’t helped.

    To be clear, I can connect with the VPN, but cannot access resources.

    Any ideas?

    Thanks,
    Mike

  4. Thank you Mike, glad you found the article helpful.
    If your country “heavily blocks and monitors web traffic”, it might not be appropriate for me to go into assisting you with thwarting those regulations. However, one quick comment, most likely your problem is the subnet at either end of the tunnel is the same. 192.168.1.x is the most common subnet. In order for packets to be routed between network segments, all subnets in the path must be different. If not the VPN will connect, but no resources will be available, and you will not be able to ping devices at the remote end of the tunnel.
    –Rob

  5. On a new server, W2k3 standard, am unable to get DHCP and RRAS to coexist. Starting RRAS server results in no DHCP. Am using 1 (one) NIC with a Linksys router for internet, so there are no dual NIC issues.
    Hoping you can shed some light if you would be so kind.
    Thanks!

  6. When enabling RRAS are you also enabling NAT? This could conceivably cause conflicts. Use the custom option and do not select NAT and see if that resolves the problem.
    –Rob

  7. It’s possible to get most of the options from DHCP scope:
    1) The DHCP relay must be installed. The ‘internal’ interface must be added to DHCP relay agent configuration.
    2) If you have DHCP server on the separate machine and are happy with VPN client’s IPs and options assigned from your LAN scope (I do not) it’s all done, else the additional tricks are required.
    2) Install the “MS Loopback adapter” driver. Assign
    IP address from the subnet you planned to use for VPN clients to the loopback interface.
    3) In the “IP” tab in the RRAS server properties below the “DHCP/Static Pool” option select the loopback adapter.
    4) Set appropriate DHCP server IP in the DHCP relay properties. If DHCP is running on the same machine,
    set the loopback adapter IP address (not 127.0.0.1 or LAN address!)

  8. I used the static address pool setting, and set it up to use 40 addreses……..but I see nothing regarding the lease time of the addresses.

  9. Hi Rob,

    Great info – Thanks.

    We have a Windows Server 2008 r2 machine which is our Primary DC running AD, DNS, DHCP and have just enabled RRAS.

    I have enabled the static address pool and have specified a range of 20 addresses. I’ve tested this and it’s all working as it should, but, RRAS is also assigning an IP address to our DC (which has a static IP address assigned).

    Any Ideas?

    Thanks,
    Craig

  10. That is the typical behavior. The RRAS server will be assigned a virtual NIC and IP in the same subnet as the VPN clients to allow communication. The IP is usually the first IP in the block of addresses.

    Just a heads up, check the DNS management console under properties of the server on the Interfaces tab. Make sure the RRAS VPN IP is NOT checked.

  11. Thanks for the response Rob,

    I’ve had a look under the Interfaces Tab under Properties in DNS Manager and we currently have the radio button “All IP addresses” selected (under the “Listen on: section”) Do we need to only specify our DC here?

  12. The main issue is don’t have the VPN IP checked if it is present. It is not always, but if it is, it can cause LAN name resolution issues. Generally you only want the LAN IP of your DNS server, which is also the DC in most cases.

  13. Thanks Rob,

    I will make sure that only the IP of our DNS / DC Server is selected and not the “All IP Addresses” option and see how that goes.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>