Cannot reach beyond the RRAS server from VPN clients?

A common problem: after making a VPN connection to the Routing and Remote Access (RRAS) server, the client is unable to reach machines on the network behind the VPN server. Here are a few tips to troubleshoot this.

Let's consider this example to understand this better.

VPN Client <---Internet---> RRAS server <----------------> LAN client


                                           (Internal Interface)

     Static pool configured on RRAS server: - [This means that the VPN clients will get a 10.0.0.X address from this pool]

Public interface of RRAS server to which clients connect:

Private interface of RRAS server: (The LAN clients on this network will have addresses 192.168.0.X)

We want to reach the LAN client from the VPN client. The following are the things we need to ensure for this:

(1) Need to have proper routes on the VPN client to reach the machines behind the RRAS server

For our example, on the VPN client we need to have a route to reach the LAN client i.e. for as the destination with the VPN server ( as the gateway as follows.

route add mask if <interface_index_of _PPP adapter>

This route makes sure that any packet destined to the LAN clients will go out through the PPP adapter of the client to the server's internal interface. As the RRAS server has one interface on the same network as the LAN client, it will route it accordingly to the LAN client.

On the VPN client side, a default route can also be added which can be used to reach the internet [otherwise even internet requests will go through the RAS server]. This concept is called split tunneling and is explained in the below article.

(2) Need to have correct routes on the LAN clients behind the RRAS server for the VPN clients

The packet from the VPN client will reach the LAN client if the route on the VPN client is correct, which is ensured by (1) above. However, for the packet from the LAN client to reach the VPN client, we should have correct routes on the LAN client too. For example, when you try to ping from the VPN client, the routes on the VPN client will aid in the echo request to reach However, for the echo reply from to reach the VPN client, your LAN client should have a route for the VPN client with the private interface of the RRAS server as the gateway, as follows:

route add mask if <i/f_index_of _192.168.0.16>

This way, the echo reply destined to will reach the RRAS server, which is the next hop according to the above route. Once it reaches the RRAS server, the server knows how to send it to the client, as it will have a route for all clients connected to it.

Note: On the LAN clients, a reverse route can be added individually on all the clients, or all LAN clients may be pointing to some router which then can have a reverse route for network, or the RRAS server itself can be the default router for the LAN clients.
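
The two route requirements in (1) and (2) can be checked with a small route-lookup model. This is an added example, not code from the original post: it runs a longest-prefix match over constructed routing tables and shows that the echo reply never reaches the RRAS server until the reverse route exists. The /24 masks and the addresses 10.0.0.1, 10.0.0.5, 192.168.0.1, 192.168.0.254 and 203.0.113.1 are assumptions; 192.168.0.16 is assumed to be the LAN client.

```python
import ipaddress

# Constructed sample tables: (destination, gateway, interface). Masks are assumed /24.
VPN_CLIENT = [
    ("0.0.0.0/0", "203.0.113.1", "eth"),     # constructed ISP gateway (split tunneling)
    ("192.168.0.0/24", "10.0.0.1", "ppp"),   # step (1); 10.0.0.1 is an assumed server address
]
LAN_BEFORE = [
    ("192.168.0.0/24", None, "lan"),         # on-link LAN network
    ("0.0.0.0/0", "192.168.0.254", "lan"),   # constructed LAN default router
]
RRAS_PRIVATE = "192.168.0.1"                 # assumed private interface of the RRAS server
# Step (2): reverse route for the VPN pool via the RRAS private interface.
LAN_AFTER = LAN_BEFORE + [("10.0.0.0/24", RRAS_PRIVATE, "lan")]


def lookup(table, dst):
    """Longest-prefix match; returns (gateway, interface) or None. Metrics are ignored."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    best = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]


def check_path(vpn_table, lan_table, vpn_ip, lan_ip):
    """Check both legs: the request must leave via PPP, the reply must go to RRAS."""
    fwd = lookup(vpn_table, lan_ip)
    rev = lookup(lan_table, vpn_ip)
    return {
        "request_via_ppp": fwd is not None and fwd[1] == "ppp",
        "reply_via_rras": rev is not None and rev[0] == RRAS_PRIVATE,
    }


if __name__ == "__main__":
    for name, table in (("without reverse route", LAN_BEFORE),
                        ("with reverse route", LAN_AFTER)):
        print(name, check_path(VPN_CLIENT, table, "10.0.0.5", "192.168.0.16"))
```

A LAN table whose default route already points at the RRAS private interface also passes the reply check, which is the last option in the note above.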


Janani V

Software Design Engr/Test,

RRAS, Windows Enterprise Networking,

"This posting is provided "AS IS" with no warranties, and confers no