How to Configure Always On VPN with Windows Server 2012 R2

Always On VPN is a remote access solution that provides seamless, persistent VPN connectivity for domain-joined Windows clients. Unlike traditional VPN solutions that require users to manually initiate connections, Always On VPN automatically establishes and maintains VPN tunnels without user intervention. On Windows Server 2012 R2, Always On VPN is implemented using the Routing and Remote Access Service (RRAS) along with Network Policy Server (NPS) for authentication. The solution supports IKEv2 tunnels with device certificates, providing a highly secure and reliable remote access experience for corporate devices.

Prerequisites

You need Windows Server 2012 R2 with RRAS and NPS roles available. An Active Directory Certificate Services (AD CS) infrastructure with an Enterprise CA is required to issue both server authentication and client/device certificates. Client devices must be running Windows 8.1 or Windows 10 and must be domain-joined. The VPN server must have a public IP address or be reachable from the internet. DNS and NPS servers must be accessible from the VPN server. Group Policy is used to deploy the VPN profile to client devices.

Step 1: Install RRAS and NPS Roles

Install the required role services on the VPN server:

Install-WindowsFeature RemoteAccess -IncludeManagementTools
# DirectAccess-VPN is the RemoteAccess role service that provides the RRAS VPN server
Install-WindowsFeature DirectAccess-VPN
Install-WindowsFeature Routing -IncludeManagementTools
Install-WindowsFeature NPAS -IncludeManagementTools
Install-WindowsFeature NPAS-Policy-Server

Verify the installation:

Get-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing, NPAS | Select-Object Name, InstallState

Step 2: Configure RRAS for VPN

Initialize RRAS for VPN-only access (without NAT or routing):

Install-RemoteAccess -VpnType Vpn

Alternatively, use the Routing and Remote Access Server Setup Wizard from Server Manager: Tools → Routing and Remote Access, right-click the server name, and select Configure and Enable Routing and Remote Access.

Configure the RRAS service to start automatically:

Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service RemoteAccess

Step 3: Configure VPN Server Authentication Certificate

The VPN server requires a server authentication certificate issued by your Enterprise CA. The certificate Subject or SAN must match the DNS name clients use to connect. Request a certificate using the MMC Certificates snap-in or PowerShell:

$certTemplate = "VPNServerAuthentication"
$vpnHostname = "vpn.contoso.com"

$cert = Get-Certificate -Template $certTemplate `
    -DnsName $vpnHostname `
    -CertStoreLocation Cert:\LocalMachine\My

Write-Host "Certificate Thumbprint: $($cert.Certificate.Thumbprint)"

Bind the certificate to RRAS for IKEv2 machine certificate authentication. Set-VpnAuthProtocol takes certificate objects, not thumbprints: the server certificate to advertise, and the root CA certificate that client device certificates must chain to.

# The server certificate issued above, as an object rather than only its thumbprint
$serverCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*vpn.contoso.com*" }

# The Enterprise CA root certificate; this lookup assumes a single-tier PKI where the
# issuer of the server certificate is the root (with a two-tier PKI select the root CA explicitly)
$rootCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $serverCert.Issuer }

Set-VpnAuthProtocol -RootCertificateNameToAccept $rootCert -CertificateAdvertised $serverCert -TunnelAuthProtocolsAdvertised Certificate
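Before binding the certificate it is worth checking that it actually satisfies what IKEv2 clients will demand of it. The following check is an added example and is not part of the original article; it assumes the hostname vpn.contoso.com and the Cert:\LocalMachine\My store used above, and it uses Test-Certificate from the PKI module (Windows 8 / Server 2012 and later) for the chain and name validation.

```powershell
# Added example: sanity-check the RRAS server certificate before binding it.
# Assumes the article's hostname (vpn.contoso.com) and the LocalMachine\My store.

$vpnHostname   = "vpn.contoso.com"
$serverAuthEku = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU OID

function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$StorePath = "Cert:\LocalMachine\My"
    )

    # Match on the SAN DNS names first, falling back to the Subject CN
    $candidates = Get-ChildItem $StorePath | Where-Object {
        ($_.DnsNameList.Unicode -contains $HostName) -or ($_.Subject -like "*CN=$HostName*")
    }

    if (-not $candidates) {
        return [pscustomobject]@{
            HostName = $HostName; Thumbprint = $null; Ok = $false
            Problems = @("no certificate for $HostName in $StorePath")
        }
    }

    foreach ($cert in $candidates) {
        $problems = @()

        # A server certificate without a private key cannot be used by RRAS at all
        if (-not $cert.HasPrivateKey) { $problems += "no private key" }

        # If the certificate carries an EKU extension it must include Server Authentication
        $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        if ($ekus -and ($ekus -notcontains $serverAuthEku)) { $problems += "missing Server Authentication EKU" }

        # Flag certificates that expire within 30 days so renewal happens before clients fail
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter.ToString('u'))" }

        # Chain, EKU and DNS name validation against the machine trust store
        $chainOk = Test-Certificate -Cert $cert -EKU $serverAuthEku -DNSName $HostName -ErrorAction SilentlyContinue
        if (-not $chainOk) { $problems += "chain or DNS name validation failed" }

        [pscustomobject]@{
            HostName   = $HostName
            Thumbprint = $cert.Thumbprint
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Ok         = ($problems.Count -eq 0)
            Problems   = $problems
        }
    }
}

Test-VpnServerCertificate -HostName $vpnHostname | Format-List
```

Run it on the VPN server after the certificate has been issued; a result with Ok set to False lists each failed check, which is far easier to act on than the generic error a client reports when IKEv2 certificate validation fails.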

Step 4: Configure VPN IP Address Pool

Configure the IP address pool from which connected VPN clients are assigned addresses. Using a static address pool:

# Assign client addresses from a static pool (start address, end address)
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange "10.0.100.1", "10.0.100.200"

Using the RRAS management console, navigate to IPv4 → Static Address Pool and add a range such as 10.0.100.1 to 10.0.100.200. Ensure these addresses do not conflict with your internal LAN.

Step 5: Configure NPS as RADIUS Server

NPS provides authentication and authorization for VPN connections. Register NPS in Active Directory:

netsh nps add registeredserver domain=contoso.com server=VPNSRV01

Add the VPN server as a RADIUS client in NPS. Open the NPS console (nps.msc), navigate to RADIUS Clients and Servers → RADIUS Clients and add a new client, or use netsh:

netsh nps add client name="VPN Server" address="192.168.1.50" state="enable" sharedsecret="RadiusSharedSecret123"

Step 6: Create NPS Network Policy for VPN Users

Create a network policy in NPS that allows members of the VPN Users group to authenticate:

# Create the VPN Users AD group
New-ADGroup -Name "VPN-Users" -GroupScope Global -GroupCategory Security -Path "OU=Groups,DC=contoso,DC=com"

# Add users to the group
Add-ADGroupMember -Identity "VPN-Users" -Members "jsmith", "tjones"

In NPS, create a Connection Request Policy and a Network Policy that match VPN connections and grant access to the VPN-Users group. Use the NPS management console or netsh. The netsh command below creates the network policy itself; the Windows Groups condition (CONTOSO\VPN-Users) and the Access Permission of Grant access are then set in the policy's properties in the console, or passed with the conditionid/conditiondata and profileid/profiledata parameters of netsh nps add np:

netsh nps add np name="Allow VPN Users" state="enable" processingorder="1"

Step 7: Configure VPN Server RRAS Settings

Configure RRAS to use NPS for authentication and set IKEv2 as the preferred protocol:

# Tunnel type and encryption requirement
Set-VpnServerConfiguration -TunnelType Ikev2 -EncryptionType RequireEncryption

# IKEv2 IPsec proposals; -CustomPolicy is required for these settings to take effect,
# and -EncryptionMethod sets the IKE encryption alongside the ESP cipher
Set-VpnServerConfiguration -CustomPolicy `
    -EncryptionMethod AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -DHGroup Group14 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048
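Two things a practitioner wants at this point: the RRAS-to-NPS RADIUS binding that this step's heading promises, and a check that the IKEv2 policy in effect is the one intended rather than the RRAS default. The script below is an added example, not part of the original article. It assumes NPS runs on VPNSRV01.contoso.com (the server registered in Step 5, FQDN assumed) with the shared secret from that step, and it reads the policy back with Get-VpnServerConfiguration, whose property names match the Set-VpnServerConfiguration parameters used above.

```powershell
# Added example: bind RRAS to NPS for RADIUS authentication, restart RRAS so the
# custom IPsec policy applies, then audit the effective IKEv2 policy.
# Assumed values: the NPS host name and the shared secret from Step 5.

$npsServer    = "VPNSRV01.contoso.com"   # assumed FQDN of the NPS server
$sharedSecret = "RadiusSharedSecret123"  # must match the RADIUS client entry on NPS

# RRAS sends authentication requests to NPS over RADIUS
Add-RemoteAccessRadius -ServerName $npsServer -SharedSecret $sharedSecret -Purpose Authentication

# The custom IPsec policy set with -CustomPolicy only takes effect after RRAS restarts
Restart-Service RemoteAccess

function Test-VpnCryptoBaseline {
    param([Parameter(Mandatory)]$Config)

    # Any of these values means a negotiated tunnel could use an algorithm that should be retired
    $weak = @{
        EncryptionMethod                 = @("DES", "DES3")
        CipherTransformConstants         = @("DES", "DES3")
        IntegrityCheckMethod             = @("MD5", "SHA1")
        AuthenticationTransformConstants = @("MD596", "SHA196", "None")
        DHGroup                          = @("None", "Group1", "Group2")
        PfsGroup                         = @("None", "PFS1", "PFS2")
    }

    $findings = foreach ($setting in $weak.Keys) {
        $value = "$($Config.$setting)"
        $status = if (-not $value) { "DEFAULT" }           # CustomPolicy not applied: RRAS defaults in use
                  elseif ($weak[$setting] -contains $value) { "WEAK" }
                  else { "OK" }
        [pscustomobject]@{ Setting = $setting; Value = $value; Status = $status }
    }

    [pscustomobject]@{
        CustomPolicy = [bool]$Config.CustomPolicy
        Findings     = $findings
        Pass         = ([bool]$Config.CustomPolicy -and -not ($findings | Where-Object Status -ne "OK"))
    }
}

$audit = Test-VpnCryptoBaseline -Config (Get-VpnServerConfiguration)
$audit.Findings | Format-Table -AutoSize
"Baseline pass: $($audit.Pass)"
```

A DEFAULT status on every row means the -CustomPolicy command did not apply (or RRAS has not been restarted since), and the server is negotiating whatever the platform default allows; that is the case to catch before the first client connects.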

Step 8: Deploy VPN Profile via Group Policy

Create a VPN profile XML and deploy it via Group Policy to client computers. On a reference Windows 8.1/10 client, create the profile and export it:

# -AllUserConnection and -RememberCredential are switch parameters on Add-VpnConnection
Add-VpnConnection -Name "Contoso Always On VPN" `
    -ServerAddress "vpn.contoso.com" `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -RememberCredential `
    -AllUserConnection

# Export profile as XML for GPO deployment
Get-VpnConnection -AllUserConnection -Name "Contoso Always On VPN" | ConvertTo-Xml -As String | Out-File "C:\VPNProfile.xml"

Deploy the profile through Group Policy using the VPN client configuration script or a PowerShell startup script pushed via GPO.

Step 9: Configure DNS and Routing for Split Tunneling

Configure split tunneling to route only corporate traffic through the VPN while internet traffic goes directly from the client:

# -SplitTunneling is a Boolean on Set-VpnConnection; -AllUserConnection is a switch
Set-VpnConnection -Name "Contoso Always On VPN" `
    -SplitTunneling $true `
    -AllUserConnection

# Add specific routes for corporate subnets
Add-VpnConnectionRoute -ConnectionName "Contoso Always On VPN" `
    -DestinationPrefix "10.0.0.0/8" `
    -AllUserConnection

Add-VpnConnectionRoute -ConnectionName "Contoso Always On VPN" `
    -DestinationPrefix "172.16.0.0/12" `
    -AllUserConnection
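Steps 8 and 9 together amount to one client-side configuration, and the GPO startup script that deploys it runs at every boot, so it has to be idempotent and it should pull a profile that a user has edited back to the intended settings. The script below is an added example, not the article's or Microsoft's own deployment script; it uses the connection name, server address and corporate prefixes from the article and is meant to be assigned as a computer startup script.

```powershell
# Added example: idempotent GPO startup script that creates the Always On VPN
# connection (Step 8) and the split-tunnel routes (Step 9) only where they are
# missing, and re-applies the security-relevant settings if they have drifted.

$connName   = "Contoso Always On VPN"
$vpnServer  = "vpn.contoso.com"
$corpRoutes = @("10.0.0.0/8", "172.16.0.0/12")

function Install-ContosoVpnProfile {
    param(
        [string]$Name          = $connName,
        [string]$ServerAddress = $vpnServer,
        [string[]]$Routes      = $corpRoutes
    )

    $existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue

    if (-not $existing) {
        Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
            -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
            -SplitTunneling -AllUserConnection
        $existing = Get-VpnConnection -Name $Name -AllUserConnection
    }

    # Drift check: a profile pointed at another server, downgraded to a weaker tunnel
    # type, or switched away from device certificates is reset to the intended values
    $drifted = ($existing.ServerAddress -ne $ServerAddress) -or
               ($existing.TunnelType -ne "Ikev2") -or
               ($existing.AuthenticationMethod -notcontains "MachineCertificate") -or
               (-not $existing.SplitTunneling)
    if ($drifted) {
        Set-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
            -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
            -SplitTunneling $true -AllUserConnection
    }

    # Add only the corporate prefixes that are not already routed through the tunnel
    $present = (Get-VpnConnectionRoute -ConnectionName $Name -AllUserConnection -ErrorAction SilentlyContinue).DestinationPrefix
    foreach ($prefix in $Routes) {
        if ($present -notcontains $prefix) {
            Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -AllUserConnection
        }
    }

    Get-VpnConnection -Name $Name -AllUserConnection
}

Install-ContosoVpnProfile |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

Because every action is guarded by a check of the current state, running the script repeatedly produces no duplicate routes and no error on the second and later boots, which is what makes it safe as a startup script.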

Step 10: Verify and Test the VPN Connection

From a client machine outside the corporate network, verify the VPN connects automatically:

Get-VpnConnection -AllUserConnection
rasdial "Contoso Always On VPN"
ipconfig /all

Verify on the VPN server that the client is connected:

Get-RemoteAccessConnectionStatistics | Select-Object UserName, IPAddress, ConnectionDuration, AuthenticationMethod
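Connection statistics show what is connected now; for ongoing operation it is more useful to see who is being granted or denied access over time. The script below is an added example, not part of the original article. It summarises the standard NPS audit events in the Security log on the NPS server (6272 access granted, 6273 access denied), which are only written when the Network Policy Server audit subcategory is enabled; the denial threshold is an assumed value to adjust to your environment.

```powershell
# Added example: summarise NPS authentication outcomes so that a burst of
# denied VPN connections for one account, or from one remote address, stands out.
# Enable the events first on the NPS server:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsAuthSummary {
    param(
        [int]$Hours = 24,
        [int]$DeniedThreshold = 5   # assumed threshold: more denials than this is flagged
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = "Security"
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull the fields of interest out of the event message text. The first
    # "Account Name:" is the authenticating user (or device account for IKEv2 machine
    # certificates); "Calling Station Identifier" is the remote client address.
    $records = foreach ($e in $events) {
        $msg     = $e.Message
        $account = if ($msg -match 'Account Name:\s+(\S+)')              { $Matches[1] } else { "?" }
        $remote  = if ($msg -match 'Calling Station Identifier:\s+(\S+)') { $Matches[1] } else { "?" }
        $policy  = if ($msg -match 'Network Policy Name:\s+(.+)')        { $Matches[1].Trim() } else { "?" }
        $reason  = if ($msg -match 'Reason:\s+(.+)')                     { $Matches[1].Trim() } else { "" }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = if ($e.Id -eq 6272) { "Granted" } else { "Denied" }
            Account = $account
            Remote  = $remote
            Policy  = $policy
            Reason  = $reason
        }
    }

    $records | Group-Object Account, Outcome | ForEach-Object {
        $first = $_.Group[0]
        $last  = $_.Group | Sort-Object Time | Select-Object -Last 1
        [pscustomobject]@{
            Account    = $first.Account
            Outcome    = $first.Outcome
            Count      = $_.Count
            Suspicious = ($first.Outcome -eq "Denied" -and $_.Count -gt $DeniedThreshold)
            LastSeen   = $last.Time
            LastRemote = $last.Remote
            LastReason = $last.Reason
        }
    } | Sort-Object Suspicious, Count -Descending
}

Get-NpsAuthSummary -Hours 24 | Format-Table -AutoSize
```

Rows with Suspicious set to True are the ones to look at: repeated denials for a single account usually mean an expired or revoked device certificate or a misconfigured policy, while denials spread across many accounts from one remote address are worth correlating with the RRAS server's own logs.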

Summary

Always On VPN on Windows Server 2012 R2 using RRAS and NPS provides a transparent, always-connected remote access experience for corporate devices. By leveraging IKEv2 with certificate-based machine authentication and deploying profiles via Group Policy, administrators can deliver seamless VPN connectivity that activates automatically whenever devices are outside the corporate network, improving security and user productivity.