Configure VPN device tunnels in Windows 10

Applies to: Windows Server 2022, Windows Server 2019, Windows 10 version 1709

Always On VPN gives you the ability to create a dedicated VPN profile for the device or machine. Always On VPN connections include two types of tunnels:

  • Device tunnel connects to specified VPN servers before users log on to the device. Pre-login connectivity scenarios and device management purposes use the device tunnel.

  • User tunnel connects only after a user logs on to the device. The user tunnel allows users to access organization resources through VPN servers.

Unlike the user tunnel, which only connects after a user logs on to the device or machine, the device tunnel allows the VPN to establish connectivity before the user logs on. Both device tunnel and user tunnel operate independently with their own VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. User tunnel supports SSTP and IKEv2, and device tunnel supports IKEv2 only, with no support for SSTP fallback.

User tunnel is supported on domain-joined, nondomain-joined (workgroup), or Azure AD-joined devices to allow for both enterprise and BYOD scenarios. It is available in all Windows editions, and the platform features are available to third parties by way of UWP VPN plug-in support.

Device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later. There is no support for third-party control of the device tunnel. Device tunnel does not support using the Name Resolution Policy Table (NRPT). Device tunnel does not support Force tunnel. You must configure it as Split tunnel.

Device Tunnel Requirements and Features

You must enable machine certificate authentication for VPN connections and define a root certification authority for authenticating incoming VPN connections.

    # Locate the internal root CA in the machine store by its common name
    $VPNRootCertAuthority = "Common Name of trusted root certification authority"
    $RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "*$VPNRootCertAuthority*" })
    # Accept machine certificate and EAP authentication, but only for client
    # certificates that chain to that specific root
    Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru


VPN Device Tunnel Configuration

The sample profile XML below provides good guidance for scenarios where only client-initiated pulls are required over the device tunnel. Traffic filters are used to restrict the device tunnel to management traffic only. This configuration works well for Windows Update, typical Group Policy (GP) and Microsoft Endpoint Configuration Manager update scenarios, as well as VPN connectivity for first logon without cached credentials, or password reset scenarios.

For server-initiated push cases, like Windows Remote Management (WinRM), Remote GPUpdate, and remote Configuration Manager update scenarios, you must allow inbound traffic on the device tunnel, so traffic filters cannot be used. If you turn on traffic filters in the device tunnel profile, the device tunnel denies inbound traffic. This limitation is going to be removed in future releases.

Sample VPN profileXML

Following is the sample VPN profileXML.

    <VPNProfile>
      <NativeProfile>
        <Servers>vpn.contoso.com</Servers>
        <NativeProtocolType>IKEv2</NativeProtocolType>
        <Authentication>
          <MachineMethod>Certificate</MachineMethod>
        </Authentication>
        <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
        <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
        <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
      </NativeProfile>
      <!-- use host routes (/32) to prevent routing conflicts -->
      <Route>
        <Address>10.10.0.2</Address>
        <PrefixSize>32</PrefixSize>
      </Route>
      <Route>
        <Address>10.10.0.3</Address>
        <PrefixSize>32</PrefixSize>
      </Route>
      <!-- traffic filters for the routes specified above so that only this traffic can go over the device tunnel -->
      <TrafficFilter>
        <RemoteAddressRanges>10.10.0.2, 10.10.0.3</RemoteAddressRanges>
      </TrafficFilter>
      <!-- need to specify always on = true -->
      <AlwaysOn>true</AlwaysOn>
      <!-- new node to specify that this is a device tunnel -->
      <DeviceTunnel>true</DeviceTunnel>
      <!-- new node to register client IP address in DNS to enable manage out -->
      <RegisterDNS>true</RegisterDNS>
    </VPNProfile>

Depending on the needs of each particular deployment scenario, another VPN feature that can be configured with the device tunnel is Trusted Network Detection.

    <!-- inside/outside detection -->
    <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
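As an added example (not part of Microsoft's page), the following pre-deployment check reads a candidate ProfileXML and flags anything that contradicts the device-tunnel constraints stated above: IKEv2 only, machine certificate authentication, split tunnel, always on, /32 host routes, and traffic-filter addresses that have a matching route. The file path in the usage line is an assumption.

```powershell
function Test-DeviceTunnelProfileXml {
    param([Parameter(Mandatory)][string]$ProfileXml)

    [xml]$doc = $ProfileXml
    $p  = $doc.VPNProfile
    $np = $p.NativeProfile
    $findings = New-Object System.Collections.Generic.List[string]

    # A device tunnel is IKEv2 only, machine-certificate authenticated,
    # always on and split tunnel (Force tunnel is unsupported).
    if ($p.DeviceTunnel -ne 'true') { $findings.Add('DeviceTunnel must be true') }
    if ($np.NativeProtocolType -ne 'IKEv2') { $findings.Add("device tunnel requires IKEv2, found '$($np.NativeProtocolType)'") }
    if ($np.Authentication.MachineMethod -ne 'Certificate') { $findings.Add('MachineMethod must be Certificate') }
    if ($np.RoutingPolicyType -ne 'SplitTunnel') { $findings.Add('Force tunnel is not supported; use SplitTunnel') }
    if ($p.AlwaysOn -ne 'true') { $findings.Add('AlwaysOn must be true') }

    # Routes should be /32 host routes, and every traffic-filter address
    # needs a matching route or the filtered traffic has no path over the tunnel.
    $routes = @($p.Route | Where-Object { $null -ne $_ })
    foreach ($r in $routes) {
        if ([int]$r.PrefixSize -ne 32) { $findings.Add("route $($r.Address)/$($r.PrefixSize) is not a /32 host route") }
    }
    $routed  = @($routes | ForEach-Object { $_.Address })
    $filters = @($p.TrafficFilter | Where-Object { $null -ne $_ })
    foreach ($tf in $filters) {
        $addrs = $tf.RemoteAddressRanges -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($addr in $addrs) {
            if ($addr -notin $routed) { $findings.Add("traffic filter address $addr has no matching route") }
        }
    }
    # The page's caveat: with filters present, inbound (server-initiated)
    # management traffic such as WinRM or remote GPUpdate is denied.
    if ($filters.Count -gt 0) { $findings.Add('note: traffic filters are present, so inbound management traffic will be denied') }
    return $findings
}

# Usage: validate the profile saved from the sample above (the path is an assumption).
Test-DeviceTunnelProfileXml -ProfileXml (Get-Content .\DeviceTunnel.xml -Raw)
```

Run against the sample XML above, the only output is the informational note about traffic filters; an empty result means the profile violates none of the stated constraints.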

Deployment and Testing

You can configure device tunnels by using a Windows PowerShell script and the Windows Management Instrumentation (WMI) bridge. The Always On VPN device tunnel must be configured in the context of the LOCAL SYSTEM account. To accomplish this, it is necessary to use PsExec, one of the PsTools included in the Sysinternals suite of utilities.

For guidelines on how to deploy a per-device (.\Device) vs. a per-user (.\User) profile, see Using PowerShell scripting with the WMI Bridge Provider.

Run the following Windows PowerShell command to verify that you have successfully deployed a device profile:

    Get-VpnConnection -AllUserConnection

The output displays a list of the device-wide VPN profiles that are deployed on the device.

Example Windows PowerShell Script

You can use the following Windows PowerShell script to assist in creating your own script for profile creation.

    Param(
        [string]$xmlFilePath,
        [string]$ProfileName
    )

    # Confirm the ProfileXML file exists before doing anything else
    $a = Test-Path $xmlFilePath
    echo $a

    $ProfileXML = Get-Content $xmlFilePath

    echo $ProfileXML

    # Spaces are not valid in the CSP node name, so URL-escape the profile name
    $ProfileNameEscaped = $ProfileName -replace ' ', '%20'

    $Version = 201606090004

    # The XML is handed to the CSP as an escaped string value
    $ProfileXML = $ProfileXML -replace '<', '&lt;'
    $ProfileXML = $ProfileXML -replace '>', '&gt;'
    $ProfileXML = $ProfileXML -replace '"', '&quot;'

    # VPNv2 CSP location as exposed through the WMI bridge provider
    $nodeCSPURI = './Vendor/MSFT/VPNv2'
    $namespaceName = "root\cimv2\mdm\dmmap"
    $className = "MDM_VPNv2_01"

    $session = New-CimSession

    try
    {
        $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
        $newInstance.CimInstanceProperties.Add($property)
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
        $newInstance.CimInstanceProperties.Add($property)
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
        $newInstance.CimInstanceProperties.Add($property)

        $session.CreateInstance($namespaceName, $newInstance)
        $Message = "Created $ProfileName profile."
        Write-Host "$Message"
    }
    catch [Exception]
    {
        $Message = "Unable to create $ProfileName profile: $_"
        Write-Host "$Message"
        exit
    }
    $Message = "Complete."
    Write-Host "$Message"
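As an added example (not from the original page or from Microsoft), this wrapper performs the LOCAL SYSTEM relaunch through PsExec described in the deployment section, runs the profile-creation script above, and then applies the page's verification command. The script file name, XML file name, and profile name are assumptions, and PsExec is assumed to be on the PATH.

```powershell
# Assumed file names: the page's script saved as New-DeviceTunnel.ps1 and the
# profile XML saved as DeviceTunnel.xml, both next to this wrapper.
param(
    [string]$ScriptPath  = (Join-Path $PSScriptRoot 'New-DeviceTunnel.ps1'),
    [string]$XmlPath     = (Join-Path $PSScriptRoot 'DeviceTunnel.xml'),
    [string]$ProfileName = 'ContosoDeviceTunnel'
)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    # Device tunnels must be created as LOCAL SYSTEM: relaunch this same script
    # through PsExec. -s runs the child as SYSTEM, -i attaches it to the
    # interactive session so its output is visible.
    $null = Get-Command psexec.exe -ErrorAction Stop
    & psexec.exe -accepteula -s -i powershell.exe -NoProfile -ExecutionPolicy Bypass `
        -File $PSCommandPath -ScriptPath $ScriptPath -XmlPath $XmlPath -ProfileName $ProfileName
    exit $LASTEXITCODE
}

# Now running as SYSTEM: create the profile through the WMI bridge.
& $ScriptPath -xmlFilePath $XmlPath -ProfileName $ProfileName

# Verify with the page's own check: the profile must be listed as a
# device-wide (all-user) connection, not under the current user.
$conn = Get-VpnConnection -AllUserConnection | Where-Object { $_.Name -eq $ProfileName }
if ($null -eq $conn) {
    Write-Error "Device tunnel '$ProfileName' was not created."
    exit 1
}
$conn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```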

Additional Resources

The following are additional resources to assist with your VPN deployment.

VPN client configuration resources

The following are VPN client configuration resources.

  • How to Create VPN profiles in Configuration Manager
  • Configure Windows 10 Client Always On VPN Connections
  • VPN profile options

Remote Access Server Gateway resources

The following are Remote Access Server (RAS) Gateway resources.

  • Configure RRAS with a Computer Authentication Certificate
  • Troubleshooting IKEv2 VPN Connections
  • Configure IKEv2-based Remote Access

Important

When using Device Tunnel with a Microsoft RAS gateway, you will need to configure the RRAS server to support IKEv2 machine certificate authentication by enabling the Allow machine certificate authentication for IKEv2 authentication method as described here. Once this setting is enabled, it is strongly recommended that the Set-VpnAuthProtocol PowerShell cmdlet, along with the RootCertificateNameToAccept optional parameter, is used to ensure that RRAS IKEv2 connections are only permitted for VPN client certificates that chain to an explicitly defined internal/private Root Certification Authority. Alternatively, the Trusted Root Certification Authorities store on the RRAS server should be amended to ensure that it does not contain public certification authorities, as discussed here. Similar methods may also need to be considered for other VPN gateways.
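As an added example (not from the original page), the following audit script checks an RRAS gateway for the two points above: that IKEv2 machine certificate authentication is pinned to an explicit internal root, and that the machine's Trusted Root store holds no roots beyond the ones you expect. It assumes that the object returned by Get-VpnAuthProtocol carries a RootCertificateNameToAccept property holding the pinned root certificate, and that you supply the thumbprints of the internal roots you trust for VPN clients; the thumbprint in the usage line is a constructed placeholder.

```powershell
function Test-RrasIkev2CertificateTrust {
    param([Parameter(Mandatory)][string[]]$ExpectedRootThumbprints)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is RRAS pinned to an explicit root, or will it accept any machine
    #    certificate that chains to anything in the Trusted Root store?
    #    (Assumes Get-VpnAuthProtocol exposes RootCertificateNameToAccept.)
    $auth = Get-VpnAuthProtocol
    if ("$($auth.UserAuthProtocolAccepted)" -notmatch 'Certificate') {
        $findings.Add('IKEv2 machine certificate authentication is not enabled')
    }
    $root = $auth.RootCertificateNameToAccept
    if (-not $root) {
        $findings.Add('RootCertificateNameToAccept is not set: any trusted root is accepted')
    } elseif ($root.Thumbprint -and ($root.Thumbprint -notin $ExpectedRootThumbprints)) {
        $findings.Add("RootCertificateNameToAccept is an unexpected root: $($root.Subject)")
    }

    # 2. Report every root in the machine store that is not on the expected
    #    list, so public CAs that could issue acceptable machine certificates
    #    are surfaced for removal or review.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -notin $ExpectedRootThumbprints } |
        ForEach-Object { $findings.Add("root not on expected list: $($_.Subject) [$($_.Thumbprint)]") }

    return $findings
}

# Usage: the thumbprint below is a constructed placeholder; replace it with the
# thumbprint(s) of your internal root CA(s).
Test-RrasIkev2CertificateTrust -ExpectedRootThumbprints @('0000000000000000000000000000000000000000')
```

Run this on the RRAS server itself after Set-VpnAuthProtocol has been applied; an empty result means the gateway only accepts client certificates chaining to the roots you listed.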