Introduction to Always On VPN on Windows Server 2019

Always On VPN (AOVPN) is Microsoft’s successor to DirectAccess, introduced with Windows 10 and Windows Server 2016 and significantly improved in Windows Server 2019. AOVPN establishes a VPN connection automatically whenever a user’s device is outside the corporate network, with no user interaction. Unlike DirectAccess, AOVPN supports only Windows 10 and Windows 11 clients, works with both domain-joined and non-domain-joined devices, and supports modern authentication methods such as Azure AD and certificate-based authentication.

AOVPN uses two tunnel types: Device Tunnel (pre-logon connection for machine authentication, domain connectivity, and management traffic) and User Tunnel (post-logon connection for user access to corporate resources). Both tunnels can coexist on the same device. The server-side infrastructure requires Windows Server 2019 with Routing and Remote Access Service (RRAS), Network Policy Server (NPS), and a public-facing VPN endpoint.

Infrastructure Requirements

The AOVPN deployment requires several components. You need a Windows Server 2019 RRAS server with a public IP address (or behind a NAT with port forwarding), a Windows Server 2019 NPS server for RADIUS authentication, an Active Directory Certificate Services (AD CS) server to issue certificates, DNS with a public record for the RRAS server, and Windows 10 version 1607 or later clients.

Install the required roles on the RRAS server:

Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

Install NPS on the NPS server (can be combined with RRAS or separate):

Install-WindowsFeature -Name NPAS -IncludeManagementTools

Configuring RRAS for Always On VPN

Configure RRAS as a VPN server. From an elevated PowerShell session on the RRAS server:

Install-RemoteAccess -VpnType VPN

AOVPN clients use IKEv2 by default, so enable the IKEv2 tunnel type on RRAS and define the address pool handed to VPN clients. RRAS listens for IKEv2 on the public interface on UDP 500 and UDP 4500 (NAT traversal), which is what a NAT in front of the server must forward:

# Enable IKEv2 on the RRAS VPN server.
Set-VpnServerConfiguration -TunnelType Ikev2 -PassThru
# Assign client addresses from a static pool.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPv4AddressRange "172.16.0.10","172.16.0.100"

Select the IKEv2 server certificate on RRAS. The VPN server certificate must be in the computer's personal store, have the Server Authentication EKU, and carry a Subject Alternative Name matching the public DNS name:

# RRAS also expects the IP security IKE intermediate EKU (1.3.6.1.5.5.8.2.2) on the IKEv2 server certificate.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*vpn.contoso.com*" } | Select-Object -First 1
# IKEv2 selects a suitable machine certificate automatically; binding it explicitly also covers SSTP.
Set-RemoteAccess -SslCertificate $cert

Configuring NPS for RADIUS Authentication

Register the NPS server in Active Directory so it can read user dial-in properties:

netsh nps add registeredserver domain=contoso.com server=NPSServer01

Add the RRAS server as a RADIUS client on NPS. The shared secret below is a placeholder; use a long random value, because it is what authenticates the RRAS server to NPS and protects the RADIUS exchange:

New-NpsRadiusClient -Address "192.168.1.20" -Name "RRAS-VPN-Server" -SharedSecret "SharedSecret123!" -AuthAttributeRequired $false

Create a Network Policy on NPS that matches VPN connection attempts and grants access. The NPS PowerShell module has no cmdlet for network policies, so create the policy with netsh, then set its conditions (NAS Port Type = Virtual (VPN)), the EAP constraint matching the client profile, and Access Permission = Grant in the NPS console under Policies > Network Policies:

netsh nps add np name="Always On VPN Policy" state="enable" processingorder="1"

Creating the Client VPN Profile (User Tunnel)

AOVPN client configuration is delivered as a ProfileXML pushed through Intune, SCCM, or a PowerShell script. Create the ProfileXML for the User Tunnel and save it as UserTunnel.xml (EAP method type 25 is PEAP):

<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://schemas.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://schemas.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://schemas.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://schemas.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://schemas.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <!-- The PEAP <Config> element is not shown here. Take it from a manually configured
                 template connection: (Get-VpnConnection -Name "TemplateConnection").EapConfigXmlStream.InnerXml -->
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <DnsSuffix>contoso.com</DnsSuffix>
</VPNProfile>
Deploy the profile to a Windows 10/11 client with PowerShell. Add-VpnConnection has no -ProfileXML parameter; a ProfileXML is written through the VPNv2 configuration service provider, which PowerShell reaches via the WMI bridge class MDM_VPNv2_01. Run this from an elevated session running as the user who will own the tunnel:

$ProfileXML = (Get-Content -Raw -Path "UserTunnel.xml") -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$vpn = New-Object Microsoft.Management.Infrastructure.CimInstance "MDM_VPNv2_01", "root\cimv2\mdm\dmmap"
foreach ($p in @(@("ParentID", "./Vendor/MSFT/VPNv2", 'Key'), @("InstanceID", "Contoso%20Always%20On%20VPN", 'Key'), @("ProfileXML", $ProfileXML, 'Property'))) { $vpn.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2])) }
(New-CimSession).CreateInstance("root\cimv2\mdm\dmmap", $vpn)

Configuring the Device Tunnel

The Device Tunnel connects before user login and requires a machine certificate. Create the Device Tunnel profile (DeviceTunnel.xml) and deploy it:

$deviceTunnelXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
"@

# Add-VpnConnection has no -ProfileXML or -DeviceTunnel parameter. The profile is written through the
# VPNv2 CSP (WMI bridge class MDM_VPNv2_01). A device tunnel must be created in the SYSTEM context,
# for example from "psexec -s -i powershell.exe".
$escaped = $deviceTunnelXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$vpn = New-Object Microsoft.Management.Infrastructure.CimInstance "MDM_VPNv2_01", "root\cimv2\mdm\dmmap"
$vpn.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "./Vendor/MSFT/VPNv2", 'String', 'Key'))
$vpn.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "Contoso%20Device%20Tunnel", 'String', 'Key'))
$vpn.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", $escaped, 'String', 'Property'))
(New-CimSession).CreateInstance("root\cimv2\mdm\dmmap", $vpn)
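As an added check that is not part of the original guide, the validator below parses a ProfileXML before it is pushed and flags the mistakes that most often leave a User or Device Tunnel failing silently: a user authentication method inside a device tunnel, split tunneling with no routes, and a user tunnel with no EapHostConfig. The function name Test-AovpnProfileXml and the sample profile are constructed for this example; the element names are those of the VPNv2 ProfileXML schema used in the two profiles above.

```powershell
# Constructed sample: a device-tunnel profile with two deliberate mistakes (a user auth
# method on a device tunnel, and split tunneling with no <Route> elements).
$sampleProfileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
"@

# Test-AovpnProfileXml (hypothetical name) returns a list of findings; an empty list means
# the profile passed. Element names follow the VPNv2 CSP ProfileXML schema.
function Test-AovpnProfileXml {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $findings = New-Object System.Collections.Generic.List[string]
    try { $doc = [xml]$ProfileXml } catch { return @("Not well-formed XML: $($_.Exception.Message)") }
    $p = $doc.VPNProfile
    if (-not $p) { return @("Root element must be <VPNProfile>") }
    $n = $p.NativeProfile
    if (-not $n) { $findings.Add("Missing <NativeProfile>"); return $findings }
    if ([string]::IsNullOrWhiteSpace($n.Servers)) { $findings.Add("<Servers> is empty") }
    if ($n.NativeProtocolType -ne 'IKEv2') { $findings.Add("NativeProtocolType is '$($n.NativeProtocolType)'; AOVPN expects IKEv2") }
    if ($p.AlwaysOn -ne 'true') { $findings.Add("<AlwaysOn> is not true; the client will not connect automatically") }
    $auth = $n.Authentication
    if ($p.DeviceTunnel -eq 'true') {
        # A device tunnel runs before logon, so only machine-certificate authentication is valid.
        if ($auth.MachineMethod -ne 'Certificate') { $findings.Add("Device tunnel requires <MachineMethod>Certificate</MachineMethod>") }
        if ($auth.UserMethod) { $findings.Add("Device tunnel must not declare <UserMethod>") }
    } else {
        if ($auth.UserMethod -ne 'Eap') { $findings.Add("User tunnel should use <UserMethod>Eap</UserMethod>") }
        if (-not $auth.Eap.Configuration.EapHostConfig) { $findings.Add("User tunnel has no <EapHostConfig>") }
    }
    # With SplitTunnel, only prefixes declared in <Route> elements are sent through the tunnel.
    if ($n.RoutingPolicyType -eq 'SplitTunnel' -and -not $p.Route) {
        $findings.Add("SplitTunnel with no <Route> elements; corporate prefixes will not be routed")
    }
    return $findings
}

# Run the check; the constructed sample yields two findings.
Test-AovpnProfileXml -ProfileXml $sampleProfileXml
```

Run it against UserTunnel.xml or the device tunnel here-string before writing either profile through the CSP, and treat any finding as a reason not to deploy.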

Monitor AOVPN connections from the RRAS server using:

Get-RemoteAccessConnectionStatistics