I am frequently asked about assigning IP’s to Windows VPN clients though RRAS (Routing and Remote Access Service). Most often this is done using DHCP, but there are several ways to handle DHCP within RRAS, and included are a couple of features that may seem a little unusual or unexpected.
- The first option, just to get it out of the way as it is not often implemented, is to assign static IP’s to the VPN client. This is done through the user’s profile in Active Directory on the Dial-In page, under “Assign a Static IP”. Should this be grayed out, it is due to the domain functional level being “Windows 2000 mixed”. Look into the repercussions of raising the DFL before doing so. For the record, it is not possible to use DHCP reservations to assign static IP’s to VPN clients.
- DHCP within RRAS is handled in numerous ways: through a DHCP relay agent, using RRAS itself with or without a static address pool, or within the NAT configuration.
- To use the DHCP relay, the DHCP server must reside on a different device than the RRAS server. It can be a router or any other Windows server. Installing the DHCP relay option is very straightforward. Right click on “general” under IP routing in the RRAS console, choose new routing protocol, and DHCP relay agent. Once the relay agent is created, right click on it, choose new interface, generally choose the LAN server adapter, and the defaults. Optionally you can assign the IP of the DHCP server by right clicking on the DHCP relay agent again, choose properties, and add the DHCP server’s IP.
- RRAS itself can assign DHCP addresses. This is set under the IP tab found by right clicking on the server name and choosing properties. DHCP is selected by default. With this option enabled, RRAS will select an IP from within the local DHCP service scope’s address pool. Alternatively you can select static address pool and define a range of addresses from which RRAS can draw an IP for the VPN client. If DHCP is not enabled on the server, RRAS will assign an APIPA address in the 169.254.0.0/16 subnet which will still allow client to connect to the server, but routing will need to be configured to reach the LAN.
- A final option is to use the DHCP allocator within the RRAS NAT configuration, but this does not apply to VPN clients, so I will not elaborate at this time.
One of the “unexpected” features of RRAS and DHCP occurs when the RRAS service is configured and started. Assuming the DHCP server is available, it reserves blocks of 10 IP’s for the VPN clients, with the first IP being assigned to the RRAS server itself. If enough VPN clients connect simultaneously to exceed the 10 reservations, another block of 10 IP’s is added. It is often disconcerting to see 10 addresses assigned in the DHCP address lease list, when there are no current connections. The RRAS leases can be distinguished by the RAS label in the “Unique ID” column. Should your available DHCP leases be limited, you can reduce the default block size of reserved IP’s by editing or adding the following registry key: HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\ RemoteAccess\Parameters\IP Change the DWord: InitialAddressPoolSize from the default value of 10 to your desired limit.
Another thing to point out is RRAS will not assign VPN clients additional connection information such as DNS or WINS address addressing, from the DHCP scope options. In order for these to be automatically added to the VPN client’s virtual adapter’s properties, they must be added to the RRAS server’s own network adapter’s configuration. They are then inherited by the VPN client.