How to Set Up Always On VPN with Windows Server 2016

Always On VPN is a remote access solution introduced with Windows 10 and Windows Server 2016 that replaces the older DirectAccess technology. Unlike traditional VPN solutions where users must manually initiate a connection, Always On VPN automatically establishes a VPN tunnel whenever a Windows 10 or later device connects to the internet. It supports both device tunnels (established before user logon for domain authentication) and user tunnels (established after user logon for application access), providing a seamless and secure connectivity experience for remote workers.

Infrastructure Requirements

Deploying Always On VPN requires several server roles. You need a VPN server running Routing and Remote Access Service (RRAS) on Windows Server 2016, a Network Policy Server (NPS) for RADIUS authentication, an Active Directory Certificate Services (AD CS) server to issue certificates to users and devices, and Active Directory Domain Services. The VPN server must have at least two network interfaces: one connected to the internet (external) and one connected to the internal network.

Step 1: Install RRAS and NPS

On the VPN server, install the Remote Access role with the DirectAccess and VPN (RAS) role service and the Routing role service:

Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

On the NPS server (can be a separate server or the same), install Network Policy Server:

Install-WindowsFeature -Name NPAS -IncludeManagementTools

Step 2: Configure RRAS for VPN

Configure RRAS to act as a VPN server. Open the Routing and Remote Access console or use PowerShell. Run the configuration wizard to set up VPN access only:

Install-RemoteAccess -VpnType VPN

After the initial configuration, enable IKEv2 and SSTP as the VPN protocols. Configure the address pool that will be assigned to VPN clients:

# -EncryptionType takes RequireEncryption (not "Required"); -IkeV2Ports and -SstpPorts are the number of
# ports (concurrent connections) to allocate, not TCP port numbers (SSTP always listens on 443).
Set-VpnServerConfiguration -TunnelType Ikev2 -IkeV2Ports 128 -EncryptionType RequireEncryption -PassThru
Set-VpnServerConfiguration -TunnelType Sstp -SstpPorts 128 -PassThru
# Static pool handed out to VPN clients (start address, end address)
Add-VpnServerAddress -IPAddressRange "192.168.100.1","192.168.100.100"
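Enabling IKEv2 is only half of the story: the IPsec proposals RRAS accepts by default still include older algorithms, so the policy should be pinned explicitly and read back. The following is an added example, not code from the original guide; it uses the RemoteAccess module cmdlets on the VPN server, and the particular cipher suite (AES-128-GCM, SHA-256, DH group 14, ECP256 PFS) is an assumption you should align with your own baseline.

```powershell
# Added example: pin the IKEv2 IPsec policy on the RRAS server and verify it.
Import-Module RemoteAccess

# Replace the default proposal set with a single modern suite (assumed baseline).
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -AuthenticationTransformConstants GCMAES128 `
    -CipherTransformConstants GCMAES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -DhGroup Group14 `
    -PfsGroup ECP256 `
    -SaLifeTimeSeconds 28800 `
    -SaDataSizeForRenegotiationKilobytes 1024000

# The new policy takes effect only after the RemoteAccess service restarts.
Restart-Service RemoteAccess -PassThru

# Read the configuration back and fail loudly if the expected values did not stick.
$ipsec = Get-VpnServerIPsecConfiguration
if ("$($ipsec.IntegrityCheckMethod)" -ne 'SHA256' -or "$($ipsec.DhGroup)" -ne 'Group14') {
    throw "IKEv2 IPsec policy was not applied as expected:`n$($ipsec | Out-String)"
}
$ipsec | Format-List
```

Clients negotiate whatever both sides allow, so the same suite should be mirrored in the client profile's CryptographySuite element; otherwise the connection will fall back to the weakest common proposal or fail to establish.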

Step 3: Issue Certificates

Always On VPN uses certificate-based authentication. You need three types of certificates. First, a server authentication certificate on the VPN server (issued to the external FQDN of the VPN server). Second, a VPN server authentication certificate trusted by clients. Third, user authentication certificates issued to domain users from the internal CA. Request a certificate for the VPN server:

# On the VPN server, request a certificate from the internal CA
$cert = Get-Certificate -Template "WebServer" -CertStoreLocation "Cert:\LocalMachine\My" -DnsName "vpn.company.com"

# Bind the certificate to SSTP
Set-RemoteAccess -SslCertificate $cert.Certificate

Create a certificate template for VPN user authentication in AD CS with Smart Card Logon or User authentication EKU. Ensure auto-enrollment is configured via Group Policy so domain users receive certificates automatically.
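Before binding the server certificate it is worth checking that it actually carries what SSTP and IKEv2 clients look for: a Server Authentication EKU, the IP security IKE intermediate EKU that Microsoft's Always On VPN server template includes for IKEv2, a subject alternative name matching the external FQDN, and a private key in the machine store. The following check is an added example, not part of the original guide; the FQDN is a placeholder and the function name is hypothetical.

```powershell
# Added example: validate the VPN server certificate before binding it.
function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExternalFqdn
    )
    $problems = @()

    # Collect all EKU OIDs present on the certificate.
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })

    if ('1.3.6.1.5.5.7.3.1' -notin $ekus) {
        $problems += 'Missing Server Authentication EKU (1.3.6.1.5.5.7.3.1); SSTP and IKEv2 clients will reject it'
    }
    if ('1.3.6.1.5.5.8.2.2' -notin $ekus) {
        $problems += 'Missing IP security IKE intermediate EKU (1.3.6.1.5.5.8.2.2) expected by IKEv2 clients (the WebServer template does not add it)'
    }

    # The SAN (OID 2.5.29.17) must contain the name clients connect to.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($san -notmatch [regex]::Escape($ExternalFqdn)) {
        $problems += "SAN does not contain $ExternalFqdn (SAN: '$san')"
    }

    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key associated in the local machine store'
    }
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires within 30 days: $($Certificate.NotAfter)"
    }
    return $problems   # empty output means the certificate passed every check
}

# Usage on the VPN server (placeholder FQDN):
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*vpn.company.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Test-VpnServerCertificate -Certificate $cert -ExternalFqdn 'vpn.company.com'
```

Run it again after every renewal; a certificate that silently renews from a template without the IKE intermediate EKU is a common reason IKEv2 connections stop working while SSTP keeps going.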

Step 4: Configure Network Policy Server

Register the NPS server in Active Directory and configure it as a RADIUS server for VPN authentication. On the NPS server:

# Register NPS in Active Directory (adds the server to the "RAS and IAS Servers" group so it can read dial-in properties)
netsh nps add registeredserver
# Add the RRAS server as a RADIUS client; the shared secret must match the one configured on the RRAS side
New-NpsRadiusClient -Name "VPNServer" -Address "192.168.1.10" -SharedSecret "SharedSecretKey123!"

On the RRAS server, configure it to use the NPS server for RADIUS authentication:

# Add-RemoteAccessRadius registers a new RADIUS server; Set-RemoteAccessRadius only modifies an existing entry.
# -AccountingOnOffMsg applies to accounting servers and -EntrypointName only to multisite deployments, so neither is used here.
Add-RemoteAccessRadius -ServerName "192.168.1.20" -SharedSecret "SharedSecretKey123!" -Purpose Authentication -Score 30 -Timeout 5 -MsgAuthenticator Enabled -PassThru

Step 5: Create VPN Connection Profile Using ProfileXML

Always On VPN is deployed to Windows 10 clients via a VPN ProfileXML. This XML defines all settings for the VPN connection. Create a ProfileXML file. The following is a simplified example for a user tunnel using IKEv2:

# Element names follow the VPNv2 CSP schema; <RememberCredentials> is assumed for the second "true" value.
# The EAP <Configuration> content (EapHostConfig XML exported from a reference EAP-TLS connection) is omitted here.
$ProfileXML = @"
<VPNProfile>
  <DnsSuffix>corp.domain.local</DnsSuffix>
  <NativeProfile>
    <Servers>vpn.company.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <!-- EAP configuration XML omitted -->
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.domain.local</TrustedNetworkDetection>
</VPNProfile>
"@
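A ProfileXML that is well-formed but missing one element (no TrustedNetworkDetection, a default route under SplitTunnel, AlwaysOn left out) deploys without error and then misbehaves on every client. The following validator is an added example, not part of the original guide or of Microsoft's tooling: it parses the profile and checks the settings a user tunnel should carry. The function name, the rule set and the constructed sample profile are assumptions.

```powershell
# Added example: sanity-check a user tunnel ProfileXML before deployment.
function Test-AovpnUserProfileXml {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $findings = [System.Collections.Generic.List[string]]::new()
    try {
        [xml]$doc = $ProfileXml
    } catch {
        return @("ProfileXML is not well-formed XML: $($_.Exception.Message)")
    }
    $p = $doc.VPNProfile
    if (-not $p) { return @('Root element must be <VPNProfile>') }

    $native = $p.NativeProfile
    if (-not $native) {
        $findings.Add('Missing <NativeProfile>')
    } else {
        if (-not $native.Servers) { $findings.Add('Missing <Servers>') }
        if ($native.NativeProtocolType -ne 'IKEv2') {
            $findings.Add("NativeProtocolType is '$($native.NativeProtocolType)', expected IKEv2")
        }
        if ($native.Authentication.UserMethod -ne 'Eap') {
            $findings.Add('User tunnel should authenticate with EAP (certificate), not MSChapv2')
        }
        if ($native.RoutingPolicyType -eq 'SplitTunnel' -and -not $p.Route) {
            $findings.Add('SplitTunnel selected but no <Route> entries: no corporate traffic will use the tunnel')
        }
    }
    if ($p.AlwaysOn -ne 'true')          { $findings.Add('<AlwaysOn> must be true for Always On VPN') }
    if ($p.DeviceTunnel -eq 'true')      { $findings.Add('<DeviceTunnel> is set, but this is a user tunnel profile') }
    if (-not $p.TrustedNetworkDetection) { $findings.Add('No <TrustedNetworkDetection>: the tunnel will also come up on the corporate LAN') }

    # A 0.0.0.0/0 route under SplitTunnel silently turns the profile into a full tunnel.
    foreach ($r in @($p.Route)) {
        if (-not $r) { continue }
        if ($r.Address -eq '0.0.0.0' -or [int]($r.PrefixSize) -eq 0) {
            $findings.Add("Route $($r.Address)/$($r.PrefixSize) is a default route; use ForceTunnel instead")
        }
    }
    return $findings.ToArray()   # empty array means the profile passed
}

# Constructed sample: valid XML that omits TrustedNetworkDetection, so exactly one finding is expected.
$sample = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.company.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>Eap</UserMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <AlwaysOn>true</AlwaysOn>
</VPNProfile>
"@
Test-AovpnUserProfileXml -ProfileXml $sample
```

Run the same function over `$ProfileXML` from this step before handing it to Intune or the deployment script; wiring it into a pre-commit check for the repository that holds the profile keeps a bad edit from reaching the whole fleet.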

Step 6: Deploy the VPN Profile via Intune or PowerShell

Deploy the VPN profile to client machines using Microsoft Intune, ConfigMgr, or a PowerShell script deployed via Group Policy. To apply via PowerShell on a client machine:

$ProfileName = "Corporate Always On VPN"
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
# The XML is passed as a string property, so <, >, & and " must be escaped
$ProfileXML_Encoded = [System.Net.WebUtility]::HtmlEncode($ProfileXML)

$nodeCSPURI = "./User/Vendor/MSFT/VPNv2/$ProfileNameEscaped/ProfileXML"
$Session = New-CimSession
$Options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
# MDM Bridge WMI provider namespace (the backslashes are required)
$Namespace = "root\cimv2\mdm\dmmap"
$ClassName = "MDM_VPNv2_01"
$Method = "AddPerUserConnection"

# Run in the context of the user who will own the profile; InstanceID must use the escaped profile name
$Instance = New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{ParentID="./Vendor/MSFT/VPNv2";InstanceID=$ProfileNameEscaped;ProfileXML=$ProfileXML_Encoded} -ClientOnly
$Session.CreateInstance($Namespace, $Instance, $Options)

Step 7: Configure Device Tunnel (Optional)

The device tunnel connects before user logon, enabling domain authentication and Group Policy processing for remote machines. Configure the device tunnel profile and deploy it in the SYSTEM context. The device tunnel requires IKEv2 with machine certificate authentication and can only be deployed to domain-joined devices.

# Verify VPN connection status on client
Get-VpnConnection -AllUserConnection
Get-VpnConnectionTrigger -ConnectionName "Corporate Always On VPN"
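Putting the device tunnel pieces together, the following is an added example, not code from the original guide: a minimal device tunnel ProfileXML (machine certificate authentication over IKEv2, a deliberately narrow route set) and the MDM Bridge call that installs it. Element names follow the VPNv2 CSP schema; the server name, route, profile name and the assumption that the caller is SYSTEM (for example via a scheduled task or `psexec -s`) are placeholders and assumptions.

```powershell
# Added example: device tunnel profile installed from the SYSTEM context.
$ProfileName = 'Corporate Device Tunnel'
$DeviceProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.company.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Keep the device tunnel narrow: only the subnet holding domain controllers and
       management infrastructure (placeholder 10.0.1.0/24), not the whole corporate range. -->
  <Route>
    <Address>10.0.1.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.domain.local</TrustedNetworkDetection>
</VPNProfile>
"@

# The MDM Bridge treats a SYSTEM caller as a per-device operation; refuse to run as anyone else.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.User.Value -ne 'S-1-5-18') {
    throw "Device tunnel profiles must be installed as SYSTEM; current identity is $($identity.Name)"
}

$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$EscapedXml = [System.Security.SecurityElement]::Escape($DeviceProfileXML)
$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'

$Session = New-CimSession
$Options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions

# Remove a stale copy first so a re-run replaces the profile instead of failing.
$existing = Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
if ($existing) { Remove-CimInstance -InputObject $existing }

$Instance = New-CimInstance -Namespace $Namespace -ClassName $ClassName -ClientOnly -Property @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $ProfileNameEscaped
    ProfileXML = $EscapedXml
}
$Session.CreateInstance($Namespace, $Instance, $Options)

# Device tunnels live in the all-user phonebook; this is where the new profile should appear.
Get-VpnConnection -AllUserConnection -Name $ProfileName
```

The narrow route is the security-relevant choice: the device tunnel is up whenever the machine has internet, with no user present, so it should reach only what logon and Group Policy need; everything else belongs in the user tunnel, where the user certificate and NPS policy gate access.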

Always On VPN on Windows Server 2016 provides a modern, secure remote access solution that works transparently for users. With certificate-based authentication, split tunnelling, and automatic connection management, it delivers a superior experience compared to traditional manually-initiated VPN connections while maintaining strong security controls.