
How-To Geek

How to Create a VPN Server on Your Windows Computer Without Installing Any Software


Windows has the built-in ability to function as a VPN server, although this option is hidden. This trick works on both Windows 7 and Windows 8. The server uses the Point-to-Point Tunneling Protocol (PPTP).

This could be useful for connecting to your home network on the road, playing LAN games with someone, or securing your web browsing on a public Wi-Fi connection – a few of the many reasons you might want to use a VPN.

Limitations

While this is a pretty interesting feature, it may not be the ideal way to allow VPN connections to your local network. It has some limitations:

  • You will need the ability to forward ports from your router.
  • You have to expose Windows and a port for the PPTP VPN server directly to the Internet, which is not ideal from a security standpoint. You should use a strong password and consider using a port that isn’t the default port.
  • This isn’t as easy to set up and use as software like LogMeIn Hamachi and TeamViewer. Most people will probably be better off with a more complete software package like those two.

Creating a VPN Server

First, you’ll need to open the Network Connections window. The quickest way to open it is to press the Windows key, type ncpa.cpl, and press Enter.


Press the Alt key, click the File menu that appears, and select New Incoming Connection.


You can now select the user accounts that can connect remotely. To increase security, you may want to create a new, limited user account rather than allow VPN logins from your primary user account. (Click Add someone to create a new user account.) Ensure the user you allow has a very strong password, as a weak password could be cracked by a dictionary attack.


Select the Through the Internet option to allow VPN connections over the Internet. You can also allow incoming connections over a dial-up modem, if you have the dial-up hardware.


You can then select the networking protocols that should be enabled for incoming connections. For example, if you don’t want people connected to the VPN to have access to shared files and printers on your local network, you can uncheck the File and Printer Sharing option.


Click the Allow access button and Windows will set up a VPN server.


If you want to disable the VPN server in the future, you can delete the Incoming Connections item from your Network Connections window.


Router Setup

You will now need to log into your router’s setup page and forward port 1723 to the IP address of the computer where you set up the VPN server. For more instructions, read How to Forward Ports on Your Router.

For maximum security, you may want to create a port forwarding rule that forwards a random “external port” – such as 23243 – to “internal port” 1723 on your computer. This will allow you to connect to the VPN server using port 23243, and will protect you from malicious programs that scan and attempt to automatically connect to VPN servers running on the default port.

You can also consider using a router or firewall to only allow incoming connections from specific IP addresses.
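To see who is actually reaching the forwarded port, the following added example (not part of the original article) parses Windows Firewall log lines and counts inbound TCP connections to port 1723 from addresses outside an allowlist. It assumes Windows Firewall logging is enabled with its default field layout; the log lines, IP addresses and allowlist are constructed for illustration.

```python
import ipaddress
from collections import Counter

PPTP_PORT = 1723  # internal port the router forwards to, per the article
ALLOWED = [ipaddress.ip_network("203.0.113.0/28")]  # assumed allowlist (constructed)

# Constructed sample in the Windows Firewall log layout (pfirewall.log).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-02-03 09:14:02 ALLOW TCP 203.0.113.5 192.168.1.20 50122 1723 0 - 0 0 0 - - - RECEIVE
2013-02-03 09:20:41 ALLOW TCP 198.51.100.77 192.168.1.20 41810 1723 0 - 0 0 0 - - - RECEIVE
2013-02-03 09:20:43 ALLOW TCP 198.51.100.77 192.168.1.20 41812 1723 0 - 0 0 0 - - - RECEIVE
2013-02-03 09:20:46 ALLOW TCP 198.51.100.77 192.168.1.20 41815 1723 0 - 0 0 0 - - - RECEIVE
2013-02-03 09:31:10 DROP TCP 192.0.2.44 192.168.1.20 60233 1723 0 - 0 0 0 - - - RECEIVE
2013-02-03 09:31:12 DROP TCP 192.0.2.44 192.168.1.20 60240 3389 0 - 0 0 0 - - - RECEIVE
2013-02-03 09:40:00 ALLOW TCP 192.168.1.20 198.51.100.9 49200 1723 0 - 0 0 0 - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))

def unexpected_pptp_sources(text, allowed=ALLOWED, port=PPTP_PORT):
    """Count inbound TCP hits on `port` per (source IP, action) for non-allowlisted IPs."""
    hits = Counter()
    for rec in parse_firewall_log(text):
        inbound = rec.get("path") == "RECEIVE"
        to_port = rec.get("protocol") == "TCP" and rec.get("dst-port") == str(port)
        if not (inbound and to_port):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue  # malformed address field
        if not any(src in net for net in allowed):
            hits[(rec["src-ip"], rec["action"])] += 1
    return hits

if __name__ == "__main__":
    for (src, action), n in unexpected_pptp_sources(SAMPLE_LOG).most_common():
        print(src, action, n)
```

Because the router rewrites only the external port, connections forwarded from a non-default external port still show up in the Windows log with destination port 1723.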

To ensure you can always connect to the VPN server, you may want to set up a dynamic DNS service like DynDNS on your router.

Connecting to Your VPN Server

To connect to the VPN server, you will need your computer’s public IP address (its IP address on the Internet) or its dynamic DNS address, if you set up a dynamic DNS service above.

Use the Connect to a network option in Windows and enter your computer’s public IP address. Provide the username and password you created to log in.

For more instructions on connecting, read How to Connect to a VPN on Windows.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.

  • Published 02/3/13

Comments (10)

  1. hakuga

    That’s quite simple indeed but first PPTP has some security flaws (prefer OpenVPN) and moreover setting up a VPN server without making a DMZ with a Firewall that logs connections is unaware.

  2. Dave

    Thank you for this, it is exactly the tutorial I have been looking for.

  3. Robert

    cool

  4. Richard Steven Hack

    “You will need the ability to forward ports from your router. You have to expose Windows and a port for the PPTP VPN server directly to the Internet, which is not ideal from a security standpoint.”

    That is generally true of ANY VPN that doesn’t use an external “mediation server” which is what Hamachi and Teamviewer do. There has to be a port exposed either at the router or at the PC and obviously if your VPN end point isn’t terminated at the router, you’re exposing the OS. It’s not that big a problem if: “You should use a strong password and consider using a port that isn’t the default port” as you suggest.

    The problems with using a “mediation server” are twofold: 1) performance, and 2) reliability. The mediation server may be slow (especially if the service is free) and the server may be down when you need it. Not to mention that depending on who you choose as the mediation server, you don’t know who you’re dealing with.

    So it ends up being “six of one and a half dozen of the other.”

    Actually not using the default port isn’t all that protective either, since many hackers will scan the entire port range for any active port. There are scanners that can scan specifically for VPN, SSH and other remote access servers.

    The more serious issue here is PPTP, which Microsoft now considers to be broken. See here:

    Microsoft says don’t use PPTP and MS-CHAP
    http://www.h-online.com/security/news/item/Microsoft-says-don-t-use-PPTP-and-MS-CHAP-1672257.html

    While Microsoft does not mention OpenVPN, at this point that seems the best option other than using an external mediation server service. The other options – basically IPSEC – require more or less equal technical setup.

  5. Saroj Kumar Agrawal

    While this is not the subject of this ‘HowTo’, I would like to learn how to interconnect two separate LANs, both connected to the Internet, so that I can share files between nodes of the two LANs?

  6. Spydey

    Nice write up. Very informative. Now all that you need to do is include the next step: RDP over VPN. Once you have created the VPN, what if one wishes to RDC into one of several computers on their home network or small/home business network? Doing a straight RDC using RDP over the internet and port forwarding is 1.) not secure & 2.) very ineffective because in order to do just a straight RDC you would need to set up port forwarding to the computer you wish to RDC. This limits you to that single computer. Granted you could do an RDC within an RDC or you could set up port forwarding to different internal ports (3389, 3390, 3391, etc., each “assigned” to a different computer), but both ways are very clunky and really not as efficient as tunneling through a VPN to do a RDC via RDP. So, I think it would be very very beneficial to have a write up showing how to set up the VPN to allow internal network traffic to other computers on the same network, and how to set up the VPN server to act as a DNS without editing the local host file. :D Could be very very interesting!!! It actually isn’t too hard to do. ;D

    -Spydey

  7. n00873r4817

    I’m very interested in a Linux tutorial for creating a VPN without software. If someone knows how to, please post a tutorial.

  8. RAbo

    Which port does this use?

  9. Eagle

    Does Windows use tun or tap? This is not any good for gamers unless it allows broadcast traffic to be routed. Which is why OpenVPN is the preferred choice utilizing a TAP.

  10. Curtis

    excellent tutorial; keep them coming.
