Scenario / Questions

I want to set up a VPN on a remote server to route all my Internet traffic for privacy reasons. I can set up an incoming connection and connect to it successfully. The problem is, I can just see the remote computer and no other Web sites will open. I want the remote server to act like a NAT. How can I do that?

Note that I don’t want to split Internet traffic. I actually want to send all the traffic to the remote server but need to make it relay the traffic.

For the record, my remote server is Windows Web Server 2008 which does not have routing and remote access service.


I’m mostly interested in server configuration. I don’t have any problems configuring the client. By the way, Windows Web Server 2008 seems to have the same VPN features built into client OSes (like Vista) and specifically, it doesn’t include the RRAS console in MMC. I’m also open to suggestions regarding third-party PPTP/L2TP daemons available, if they are free.

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

You were able to create a dial-up VPN connection between Vista and Windows Web Server 2008 without the Network Policy Server role? If so, I’m curious as to what the subnet/IP looked like to the client in that scenario once the tunnel was up.

If you have a VPN up, then you’ve transferred your problem domain from one of VPN to one of routing. I’m pretty confident that you’ll be able to bridge connections using the Web edition and that you can also use Internet Connection Sharing. If not, there are cheap and possibly free “internet sharing” programs available (NAT32).

This assumes that your client machine somehow has an IP on the server’s (internal?) network.

Also, when you say Internet traffic, it’s possible your definition may include only traffic that is proxy-able. In which case you can shift the domain again from routing to proxying, and use a free proxy server bound to the IP on the other end of the tunnel.

Suggestion: 2

This will happen by default if the VPN is configured correctly.

When you make a VPN connection from Windows CLIENT, there is an advanced option called Use Default Gateway on Remote Network which is checked by default.

For example, in Windows XP:

  • Go to Network Connections
  • Right click on your VPN connectoid
  • Choose Properties
  • Go to the Networking Tab
  • Choose Internet Protocol (TCP/IP) from the list
  • Click Advanced
  • In the General tab, check Use Default Gateway on Remote Network

It is possible that the default gateway is not configured correctly on your remote server.
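A way to confirm from the client whether the option above took effect, as an added example that is not part of the original answer: it reads `route print -4` output and reports whether the preferred default route leaves through the VPN interface. The two route tables are constructed, and the VPN client range 10.8.0.0/24 is an assumption.

```python
import ipaddress

# Constructed `route print -4` excerpts, not captured from a real host.
# Assumption: the VPN assigns client addresses from 10.8.0.0/24.
FULL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50   4250
          0.0.0.0          0.0.0.0         On-link         10.8.0.2     26
         10.8.0.2  255.255.255.255         On-link         10.8.0.2    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50   4251
"""
SPLIT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.8.0.0    255.255.255.0         On-link         10.8.0.2     26
"""


def default_routes(text):
    """Return (metric, interface, gateway) for every 0.0.0.0/0 route, best first."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        # Route rows have exactly five columns; headers and rulers do not.
        if len(cols) == 5 and cols[0] == "0.0.0.0" and cols[1] == "0.0.0.0":
            _, _, gateway, iface, metric = cols
            found.append((int(metric), ipaddress.ip_address(iface), gateway))
    return sorted(found)  # Windows prefers the lowest metric


def tunnel_state(text, vpn_network):
    """Classify the table as 'full-tunnel', 'split-tunnel' or 'no-default-route'."""
    routes = default_routes(text)
    if not routes:
        return "no-default-route"
    _, iface, _ = routes[0]
    if iface in ipaddress.ip_network(vpn_network):
        return "full-tunnel"
    return "split-tunnel"


if __name__ == "__main__":
    for name, table in (("FULL", FULL), ("SPLIT", SPLIT)):
        print(name, tunnel_state(table, "10.8.0.0/24"))
```

A "full-tunnel" result only shows that the client sends everything into the VPN; the server still has to NAT or route that traffic onward, which is the part the question is about.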

Suggestion: 3

Unfortunately you cannot install RRAS on Server 2008 Web Edition; it’s not an allowed role. So you would need to use a third-party application. OpenVPN is one of the most common and one I have used successfully on Server 2003 before.

Once you have that set up, Joel’s advice for the client setup will make sure your web traffic goes through the VPN.

Suggestion: 4

There may be a special place in purgatory for UNIX people who make suggestions along the following lines but I have used this for a purpose similar to yours (getting IP range-restricted US-only data securely from the US to Mexico City):

Install OpenSSH on the server, here is how you can do that on Vista/2008: (I noticed that this is an .il TLD, if that is a problem from Iran maybe try looking for the cache or I can repost it if you leave a comment. Also maybe an example of why we need secure borderless internet access.)

Create a dynamic SSH connection using PuTTY. Here are instructions and an explanation.

Point your browser, mail client, etc., to the local proxy. In effect, what you are doing is this: you open a dynamic SSH session on the remote host. You have a local proxy that this connection is bound to. You make all requests to this local proxy, the proxy then makes an encrypted request to the server, the server fetches and returns whatever you have requested from the outside world via a secure tunnel to the local proxy and thence to your application. You can confirm that it is working by opening a website that provides geolocation of IP addresses. I’m sure it can be automated too. (If this is an outright abominable thing to do on a Windows Server, let me know in the comments.)
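The local proxy that dynamic SSH forwarding opens speaks SOCKS. As an added example (not part of the original answer), the code below builds the SOCKS5 CONNECT request from RFC 1928 that an application sends to that proxy, and shows the detail that matters for privacy: only a request carrying the hostname has its DNS lookup done at the far end of the tunnel. Function names and sample hosts are illustrative.

```python
import ipaddress
import struct

GREETING = b"\x05\x01\x00"  # version 5, one method offered: 0x00 (no auth)


def connect_request(host, port):
    """Build the SOCKS5 CONNECT request (RFC 1928) an application sends."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = 1 if ip.version == 4 else 4      # literal IPv4 / IPv6 address
        addr = ip.packed
    except ValueError:
        name = host.encode("idna")              # hostname travels as text
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        atyp = 3
        addr = bytes([len(name)]) + name
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP, DST.ADDR, DST.PORT (big-endian)
    return bytes([5, 1, 0, atyp]) + addr + struct.pack("!H", port)


def resolved_by(request):
    """'remote' if the proxy side resolves the name; 'local' if the
    application already turned it into an address before asking."""
    return "remote" if request[3] == 3 else "local"


def reply_ok(reply):
    """True when the proxy's reply is version 5 with REP 0x00 (succeeded)."""
    return len(reply) >= 4 and reply[0] == 5 and reply[1] == 0


if __name__ == "__main__":
    for target in ("example.com", "203.0.113.10"):  # constructed targets
        req = connect_request(target, 443)
        print(target, req.hex(), resolved_by(req))
```

An application that resolves names itself and hands the proxy only addresses still sends its DNS queries over the local network, so check that the browser or client is set to pass hostnames to the SOCKS proxy.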

Suggestion: 5

This is a rather old thread but I found myself searching for an answer to this same exact question as well. I did find a couple of things during my research. I’m posting here just to add to this information so in case anyone else is looking for answers, they can find it here.

First, there’s a free service available at that lets you connect to their VPN servers. Once connected, all your internet traffic is tunneled through that VPN interface. The initial setup and connection is easy enough; any modern Windows installation 2000/XP/Vista and higher has the VPN client software already built in. Only downside is that their servers are stationed in Europe so your packets have quite some way to travel. I needed something closer to home to reduce packet latency and ping and as such this wasn’t the ideal solution. So I kept looking…

On my continuing search I found the dd-wrt firmware. Creating a VPN server right on the router itself happens to be one of dd-wrt’s nice features. The setup is pretty easy and straightforward: set the VPN server IP of the router, set the possible IP ranges for the clients and the VPN client login info. This is all done from the dd-wrt router config through the browser. VPN client setup follows the same procedures as outlined from, with a different VPN server IP of course.

Finally, I have also attempted to make one of the computers a VPN server using the accept incoming connections method like the OP. The VPN clients and server can ping each other but the problem is I couldn’t get the VPN server to properly route the internet traffic from the clients. I tried fiddling with the route table on both client and server ends. Short story was I couldn’t get it to work fully. Local LAN services work fine (e.g. FTP server on a LAN computer), but I never got the internet traffic to route through properly — perhaps someone else might have better luck.

So all in all if you have a router that supports dd-wrt, this is worth looking into. This is the solution I settled on. It was easy to get set up and working.