Introduction to Always On VPN

Always On VPN (AOVPN) is Microsoft's replacement for DirectAccess. It is a Windows 10 (and later) client feature; the server side is a standard Routing and Remote Access (RRAS) VPN gateway, so Windows Server 2019 is fully supported. Unlike a traditional VPN that the user must start by hand, an Always On profile connects automatically as soon as the device has network connectivity, and optionally stays disconnected while the device sits on the corporate network (trusted network detection based on the connection-specific DNS suffix). AOVPN supports two tunnel types: a Device Tunnel (machine certificate authentication, established before any user logs in) and a User Tunnel (user authentication, established after logon). The native client speaks IKEv2 and SSTP, so it works with RRAS and with third-party IKEv2 gateways, and it supports certificate-based authentication (EAP-TLS) and MFA. This tutorial covers deploying the complete AOVPN infrastructure on Windows Server 2019.

AOVPN Infrastructure Components

A complete Always On VPN deployment requires: a VPN server running Windows Server 2019 with the Routing and Remote Access Service (RRAS); an NPS server for RADIUS authentication of User Tunnel connections (the Device Tunnel authenticates with a machine certificate directly at RRAS and does not go through NPS); an Active Directory Certificate Services CA that issues the VPN server certificate, the client machine certificates for the Device Tunnel and, for EAP-TLS, user certificates; and DNS configuration so remote clients can resolve internal resources. The VPN server should have two network interfaces, one facing the internet (perimeter) and one facing the internal network.

Installing and Configuring the VPN Server

Install the Remote Access role with the DirectAccess and VPN (RAS) and Routing role services. The VPN server must be a domain member but should never be a domain controller. On the perimeter interface, expose only what the VPN protocols need: UDP 500 and UDP 4500 for IKEv2 and TCP 443 for SSTP.

Install-WindowsFeature DirectAccess-VPN, Routing -IncludeManagementTools

Configure RRAS as a VPN-only server (no DirectAccess) with the RemoteAccess PowerShell module. The -VpnType value must be Vpn: VpnS2S deploys a site-to-site gateway, which is not what an AOVPN server needs. This step enables the VPN protocols, including SSTP and IKEv2; authentication stays on the local Windows provider until NPS is configured in the RADIUS section below.

Install-RemoteAccess -VpnType Vpn

Configure RRAS with a static address pool for VPN clients. The netsh keyword for a static pool is pool (auto means DHCP); the pool must not overlap any internal subnet that will be routed through the tunnel:

netsh ras ip set addrassign method=pool
netsh ras ip add range from=172.16.1.1 to=172.16.1.254
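Install-RemoteAccess leaves the IKEv2 proposal at the Windows defaults, which still include 3DES, SHA-1 and 1024-bit Diffie-Hellman. The following script is an added example, not part of the original tutorial, that pins RRAS to a single modern IKEv2 suite and restricts IKEv2 authentication to EAP (User Tunnel) and machine certificates chained to one root (Device Tunnel). The cipher suite and the root CA subject "Corp Root CA" are assumptions chosen for illustration.

```powershell
# Added example (not from the original tutorial). Run in an elevated PowerShell
# on the RRAS server after Install-RemoteAccess -VpnType Vpn.
Import-Module RemoteAccess

# One explicit IKEv2 policy instead of the weak defaults. The same suite must be
# proposed by the client profile (<CryptographySuite> in ProfileXML), otherwise
# IKE_SA_INIT fails and the client reports error 13868 (policy mismatch).
$ikev2Policy = @{
    TunnelType                          = 'Ikev2'
    CustomPolicy                        = $true
    AuthenticationTransformConstants    = 'GCMAES128'   # ESP integrity (AEAD)
    CipherTransformConstants            = 'GCMAES128'   # ESP encryption (AEAD)
    EncryptionMethod                    = 'AES128'      # IKE SA encryption
    IntegrityCheckMethod                = 'SHA256'      # IKE SA integrity
    DHGroup                             = 'Group14'     # 2048-bit MODP for IKE
    PfsGroup                            = 'PFS2048'     # perfect forward secrecy
    SALifeTimeSeconds                   = 28800
    MMSALifeTimeSeconds                 = 86400
    SADataSizeForRenegotiationKilobytes = 1024000
}
Set-VpnServerConfiguration @ikev2Policy

# Only accept EAP (user tunnel) and machine certificates (device tunnel) for
# IKEv2, and pin the root that client certificates must chain to. Assumed root
# subject; adjust the filter to your own CA.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=Corp Root CA*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw 'Root CA certificate not found in LocalMachine\Root' }
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, Certificate `
    -RootCertificateNameToAccept $root

# RRAS reads the IKE policy at service start.
Restart-Service RemoteAccess

# Show the effective policy so it can be compared with the client's proposal.
Get-VpnServerConfiguration
```

The client side of the same agreement is the `<CryptographySuite>` element inside `<NativeProfile>` (AuthenticationTransformConstants, CipherTransformConstants, EncryptionMethod, IntegrityCheckMethod, DHGroup and PfsGroup with the same values); without it the client proposes the Windows defaults and the negotiation fails against a server pinned like this.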

Configuring the VPN Server Certificate

The RRAS server needs a certificate with the Server Authentication EKU; for IKEv2 the template should also carry the IP security IKE intermediate EKU. The certificate's Subject or SAN must match the public DNS name that clients connect to (e.g., vpn.yourdomain.com), because the client validates the name during the IKEv2 and SSTP handshakes. Request it from your internal CA when all clients trust that root, or from a public CA otherwise. Client machine certificates for the Device Tunnel need the Client Authentication EKU and are issued by the same internal CA.

# Find the Server Authentication certificate issued for the public VPN name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.EnhancedKeyUsageList.FriendlyName -contains "Server Authentication" -and
        $_.DnsNameList.Unicode -contains "vpn.yourdomain.com"
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$cert | Select-Object Subject, Issuer, NotAfter, Thumbprint

# Bind the certificate to SSTP. IKEv2 selects a Server Authentication certificate
# from the machine store on its own, so keep only the intended certificate there.
Set-RemoteAccess -SslCertificate $cert
Restart-Service RemoteAccess

Configuring NPS for VPN Authentication

Register the RRAS server as a RADIUS client in NPS with a long, random shared secret, and require the Message-Authenticator attribute so that RADIUS requests from the RRAS address cannot be forged or altered in transit. Then create a Network Policy for VPN users that grants access to members of the VPN-Users AD group using EAP-TLS (user certificate) or, where passwords must be used, PEAP-MSCHAPv2; in either case clients must validate the NPS server certificate inside the EAP tunnel.

netsh nps add client `
    name="RRAS-VPN-Server" `
    address=10.0.1.5 `
    sharedsecret="VPNtoNPSSharedSecret!" `
    requireauthattrib=yes

On the RRAS server, switch the authentication provider from Windows to RADIUS and register the NPS server with the same shared secret (signature=enabled makes RRAS send the Message-Authenticator attribute that NPS was told to require):

netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name=NPS01.yourdomain.com secret=VPNtoNPSSharedSecret! signature=enabled

Creating the AOVPN Device Tunnel Profile

The Device Tunnel authenticates with the computer's certificate before any user logs in. It provides pre-logon connectivity for domain authentication, Group Policy refresh and management traffic, and it is IKEv2 only. Create the Device Tunnel profile XML and deploy it via Intune or PowerShell to domain computers. The Device Tunnel requires Windows 10 Enterprise or Education (version 1709 or later) on a domain-joined device that holds a machine certificate, and the profile must be installed in the SYSTEM context.

$deviceTunnelXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <!-- DeviceTunnel is what makes this a pre-logon machine tunnel; without it the
       profile is an ordinary all-user connection -->
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>vpn.yourdomain.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.yourdomain.com</DomainName>
    <DnsServers>10.0.1.10</DnsServers>
  </DomainNameInformation>
  <DnsSuffix>yourdomain.com</DnsSuffix>
</VPNProfile>
"@
$deviceTunnelXML | Out-File "C:\VPN\DeviceTunnel.xml" -Encoding UTF8

Deploy the Device Tunnel in SYSTEM context. Add-VpnConnection cannot create a Device Tunnel: even with -AuthenticationMethod MachineCertificate and -AllUserConnection it produces an ordinary all-user IKEv2 connection with no AlwaysOn or DeviceTunnel setting. The ProfileXML above has to be written to the VPNv2 CSP instead, which Intune and ConfigMgr do for you, or which a script can do through the WMI-to-MDM bridge while running as SYSTEM (for example from a scheduled task running as SYSTEM or under psexec -s). The PowerShell deployment is covered under Deploying VPN Profiles via PowerShell.

Creating the AOVPN User Tunnel Profile

The User Tunnel connects after the user logs in and authenticates in the user's context. It can use EAP-TLS with user certificates or PEAP-MSCHAPv2 with AD credentials; the EAP configuration travels inside the profile as an EapHostConfig document. Configure the User Tunnel with split tunneling so that only corporate prefixes are sent through the VPN.

$userTunnelXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.yourdomain.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <!-- Paste the EapHostConfig element here. The tutorial does not include
               one; export it from a connection configured once by hand with
               (Get-VpnConnection -Name 'Test').EapConfigXmlStream.InnerXml -->
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
    <Metric>1</Metric>
  </Route>
  <DomainNameInformation>
    <DomainName>.yourdomain.com</DomainName>
    <DnsServers>10.0.1.10</DnsServers>
  </DomainNameInformation>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>yourdomain.com</DnsSuffix>
</VPNProfile>
"@

Deploying VPN Profiles via PowerShell

Add-VpnConnection creates a conventional VPN connection for the current user (or, with -AllUserConnection, for all users). It cannot set AlwaysOn, DeviceTunnel or trusted network detection, so it is useful for testing the gateway and for producing the EapHostConfig to paste into the profile, but an actual Always On profile must be written as ProfileXML to the VPNv2 CSP: via Intune or ConfigMgr, or from PowerShell through the WMI-to-MDM bridge. When you do use Add-VpnConnection with EAP, pass the EapHostConfig document with -EapConfigXmlStream; without it the connection has no usable EAP method.

Add-VpnConnection `
    -Name "AOVPN-User-Tunnel" `
    -ServerAddress "vpn.yourdomain.com" `
    -TunnelType IKEv2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential $true `
    -SplitTunneling $true `
    -PassThru
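The following script is an added example, not part of the original tutorial, that installs a ProfileXML through the VPNv2 CSP using the WMI-to-MDM bridge (root\cimv2\mdm\dmmap, class MDM_VPNv2_01), the same path Intune takes. It serves both the Device Tunnel and the User Tunnel sections: the function name Install-AovpnProfile, its parameters and the file paths C:\VPN\DeviceTunnel.xml and C:\VPN\UserTunnel.xml are this example's own assumptions (the user profile here-string above can be saved to a file the same way the device profile is). The bridge provider must be called from the SYSTEM context, so run the whole script under psexec -s -i powershell.exe or from a scheduled task running as SYSTEM; a User Tunnel is targeted at the logged-on user by SID.

```powershell
# Added example (not from the original tutorial): write an AOVPN ProfileXML to
# the VPNv2 CSP through the WMI-to-MDM bridge. Must run as SYSTEM.
function Install-AovpnProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $ProfileXml,
        # Omit for a Device Tunnel (device-wide store); supply the user's SID
        # for a User Tunnel (that user's store).
        [string] $UserSid
    )

    $namespace = 'root\cimv2\mdm\dmmap'
    $className = 'MDM_VPNv2_01'
    $parentId  = './Vendor/MSFT/VPNv2'
    # The CSP keys the instance by the URL-encoded profile name.
    $instanceId = [uri]::EscapeDataString($ProfileName)
    # ProfileXML is carried inside an XML node, so the document itself must be
    # entity-escaped (< > & " ') or the CSP rejects it.
    $escapedXml = [System.Security.SecurityElement]::Escape($ProfileXml)

    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    if ($UserSid) {
        # Redirect the operation from the device context to one user's context.
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $UserSid, $false)
    }

    # Delete a previous copy first so re-running the script updates the profile
    # instead of failing on a duplicate key.
    $session.EnumerateInstances($namespace, $className, $options) |
        Where-Object { $_.CimInstanceProperties['InstanceID'].Value -eq $instanceId } |
        ForEach-Object { $session.DeleteInstance($namespace, $_, $options) }

    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($p in @(
            @{ Name = 'ParentID';   Value = $parentId;   Flag = 'Key' },
            @{ Name = 'InstanceID'; Value = $instanceId; Flag = 'Key' },
            @{ Name = 'ProfileXML'; Value = $escapedXml; Flag = 'Property' })) {
        $instance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag))
    }
    # Returns the created instance; a CimException here usually means the
    # ProfileXML failed schema validation.
    $session.CreateInstance($namespace, $instance, $options)
}

# Device Tunnel: device context, no SID.
$deviceXml = Get-Content -Path 'C:\VPN\DeviceTunnel.xml' -Raw
Install-AovpnProfile -ProfileName 'AOVPN-Device-Tunnel' -ProfileXml $deviceXml

# User Tunnel: resolve the interactively logged-on user (works while running as
# SYSTEM, where $env:USERNAME would be the computer account) and target its SID.
$logonName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $logonName) { throw 'No interactive user is logged on; cannot install a User Tunnel' }
$sid = (New-Object System.Security.Principal.NTAccount($logonName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$userXml = Get-Content -Path 'C:\VPN\UserTunnel.xml' -Raw
Install-AovpnProfile -ProfileName 'AOVPN-User-Tunnel' -ProfileXml $userXml -UserSid $sid
```

After the script runs, Get-VpnConnection -AllUserConnection lists the Device Tunnel and Get-VpnConnection (run as the user) lists the User Tunnel; the Device Tunnel comes up on its own within a few seconds of the machine having network connectivity.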

Verifying AOVPN Connectivity

Check connection status on the client with Get-VpnConnection, then correlate the client-side RasClient events with the RRAS and NPS events on the servers: the client tells you which step failed (for IKEv2 the RAS error code, for example 13801 for an untrusted or mismatched certificate), RRAS tells you whether the tunnel was established, and NPS tells you which network policy matched and why a request was rejected.

# Client side: all-user (device) profiles and per-user profiles are listed separately
Get-VpnConnection -AllUserConnection | Select-Object Name, ConnectionStatus, ServerAddress, TunnelType
Get-VpnConnection | Select-Object Name, ConnectionStatus, ServerAddress, TunnelType

# Client side: RasClient logs connects, disconnects and failures (with the RAS error code)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = (Get-Date).AddHours(-1) } |
    Select-Object TimeCreated, Id, Message

# Server side: RRAS logs tunnel setup and teardown to System; NPS logs 6272 (granted) and 6273 (denied) to Security
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; StartTime = (Get-Date).AddHours(-1) } |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-1) } |
    Select-Object TimeCreated, Id, Message

Conclusion

Always On VPN on Windows Server 2019 provides a modern, transparent remote access solution that connects without user interaction. The combination of a Device Tunnel for pre-logon connectivity and a User Tunnel for authenticated user access covers the remote access scenarios from domain join and management through daily use. Because the client uses standard IKEv2 (with SSTP as a firewall-friendly fallback), certificate-based authentication and RADIUS through NPS, it works with RRAS and with third-party IKEv2 gateways, and it is considerably more flexible than its predecessor DirectAccess.