- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
Have you had someone try to log into a laptop at a conference and then receive the "no logon servers are available" error? Ever wish your remote devices could easily update policies, install deployed applications, or configure changes? If so, you will love Always On VPN device tunnels!
When Microsoft first released Always On VPN, it only allowed user connections and did not support device connections. Windows 10 1709 introduced device tunnels, Windows 10 1803 improved the implementation, and development toward Windows 10 1809 ironed out some remaining bugs. Before you dive into the steps below, make sure you have followed this core Always On VPN setup guide.
Requirements for Always On VPN device tunnels
Windows 10 currently supports device tunnels on two editions: Education and Enterprise. Unlike user tunnels, device tunnels require a domain-joined client. Although you can use Windows 10 1709, it is better to use clients that are either Windows 10 1803 (fully patched) or Windows 10 1809.
The next requirement is that all remote clients have a machine certificate issued by your public key infrastructure (PKI) for the purpose of client authentication. You can check this by running certlm.msc and opening the local computer's personal certificate store. View the details of the certificate and check that Enhanced Key Usage contains the Client Authentication value.
This client has the correct certification for Always On VPN device tunnels
If you do not see a certificate or do not have one for Client Authentication, you can issue the default machine certificate template and configure client auto-enrollment with these steps.
Finally, no other device VPN profile can exist on the computer. If you are not sure if another profile exists, open PowerShell as an administrator and run this command:
Get-VpnConnection ‑AllUserConnection
Configuring RRAS for Always On VPN device tunnels
Open the Routing and Remote Access service (RRAS) Microsoft Management Console (MMC) and connect to your VPN server. On the left side of the RRAS console, right-click on your server name and select Properties.
Under Properties, select Security and then select Authentication Methods. Check the Allow machine certificate authentication for IKEv2 box and click OK. Restart RRAS.
Enabling device tunnels over IKEv2
By default, any valid certificate from any trusted certificate authority (CA) can complete machine certificate authentication to your environment. Just guessing here, but you probably only want machines with a certificate from your CA to be able to authenticate. To restrict access to just your CA, run these PowerShell commands on your VPN server:
$VPNRootCertAuthority = "Common Name of trusted root certification authority"
$RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like "*$VPNRootCertAuthority*" })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru
#Source - https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#device-tunnel-requirements-and-features
For reference, you can find the CA common name in the Issuer attribute of the machine certificate you checked earlier. Right-click on the certificate, select Details, and click on the Issuer attribute. The common name is on the first line and is to the right of CN =.
Creating the Always On device tunnel profile
Copy this text and save it as an XML file in a location accessible to domain computers:
<VPNProfile> <NativeProfile> <Servers>VPNServer.Domain.Com</Servers> <NativeProtocolType>IKEv2</NativeProtocolType> <Authentication> <MachineMethod>Certificate</MachineMethod> </Authentication> <RoutingPolicyType>SplitTunnel</RoutingPolicyType> <!-- disable the addition of a class-based route for the assigned IP address on the VPN interface --> <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute> </NativeProfile> <!-- use host routes(/32) to prevent routing conflicts --> <Route> <Address>10.0.0.2</Address> <PrefixSize>32</PrefixSize> </Route> <Route> <Address>10.0.0.3</Address> <PrefixSize>32</PrefixSize> </Route> <Route> <Address>10.0.0.4</Address> <PrefixSize>32</PrefixSize> </Route> <Route> <Address>10.0.0.5</Address> <PrefixSize>32</PrefixSize> </Route> <!-- traffic filters for the routes specified above so that only this traffic can go over the device tunnel --> <TrafficFilter> <RemoteAddressRanges>10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5</RemoteAddressRanges> </TrafficFilter> <!-- need to specify always on = true --> <AlwaysOn>true</AlwaysOn> <!-- new node to specify that this is a device tunnel --> <DeviceTunnel>true</DeviceTunnel> <!--new node to register client IP address in DNS to enable manage out --> <RegisterDNS>true</RegisterDNS> <!-- inside/outside detection --> <TrustedNetworkDetection>Domain.Com</TrustedNetworkDetection> </VPNProfile>
Edit the XML file and change the <Servers> line and the <TrustedNetworkDetection> line to the correct values in your environment.
Next, list any IP your remote clients will need to access in the <Route> and <RemoteAddressRanges> sections. The sample profile you copied lists four IPs as examples. Ideally, your profile will only contain the critical services a client needs. These might include domain controllers, WSUS/SCCM, or network policy servers. Even though you can include subnets by changing the PrefixSize line below an IP, I recommend scoping route lines down to a single IP.
In the same folder where you saved the XML file, create a new PowerShell script and paste in the following code:
$ProfileName = 'Always On VPN - Device'
$ProfileXML = 'PASTE DEVICE PROFILE XML BETWEEN SINGLE QUOTATION MARKS'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXML = $ProfileXML -replace '<', '<'
$ProfileXML = $ProfileXML -replace '>', '>'
$ProfileXML = $ProfileXML -replace '"', '"'
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"
$session = New-CimSession
try {
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
$newInstance.CimInstanceProperties.Add($property)
$session.CreateInstance($namespaceName, $newInstance)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
}
catch [Exception] {
$Message = "Unable to create $ProfileName profile: $_"
Write-Host "$Message"
exit
}
$Message = "Complete."
Write-Host "$Message"
Be sure to copy and paste your device profile XML in the $ProfileXML portion of the PowerShell script. You should now have two files in your folder. The first one is an XML file. The second one is a PowerShell script with the contents of your XML file pasted into it.
Deploying the Always On device tunnel profile
To deploy your profile, you just need to run the PowerShell script you created under the System account of a client. There are a few options for doing this.
For a single machine (or for testing), you can use the PSExec tool. Run it with the -S parameter and start PowerShell. Finally, run the PowerShell script you created previously.
The second option is to deploy the PowerShell script as a startup script in Group Policy. Startup and shutdown scripts process under the computer's account and run with the required permissions needed to create the VPN profile.
Always On VPN device profile deployment with Group Policy
Finally, you can deploy it with SCCM. Create a package for your script and allow it to run with administrative rights whether or not a user is logged on.
Always On VPN device profile deployment with SCCM
After using any of these options, verify that the VPN profile is installed. You can verify that the connection is installed with the Get-VPNConnection -AllUserConnection command.
Subscribe to 4sysops newsletter!
You should then be able to connect to an external network and communicate with one the IPs listed in the Route section of your profile. If you included a domain controller in that list, restart the client, connect to a remote network, and log on with a new user. It is a beautiful sight to see that a logon server is indeed available!
Hello Joseph
Interesting article, thanks for that!
Have you tried the device tunnel over the Internet? I have a fully functional AlwaysOn VPN in lab. The User Tunnel dials in perfectly over the Internet, but the Device Tunnel keeps on failing. Error 809, indicating connectivity problems, but since the User Tunnel works over the same IKEv2 we can rule that out. Device Tunnel does connect on premise.
I do and it does connect. Odd that you get that error. What was your issue? Firewall on the device?
I’ve contacted Richard Hicks about this, appears to be IKEv2 Fragmention, this solution works https://directaccess.richardhicks.com/2019/02/11/always-on-vpn-and-ikev2-fragmentation/
TLS-support would be a significant improvement for this young product, hope Microsoft will add this.
Hi!
Thank you for this article, its great. But one problem.
I can make this work with system elevated PSExec, but NOT with the GPO. You say “run with the required permissions needed to create the VPN profile.” but what exactly can I do in the GPO that allows me to change settings?
I would have thought that simply adding the ps1 script and XML to the server share and calling that in the Computer startup should work?
For a device profile, your method should work! Try calling PSExec through a batch file – using a startup script (talk about a convoluted solution though).
Hi, when using Always On VPN configuration how a laptop can undestand that it is connected to the corporate network and so it must not activate the VPN? Viceversa how it can understand that it is outside corporate network so it must activate the VPN?
@Luca – this is what the <TrustedNetworkDetection> element is used for. See https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-auto-trigger-profile#trusted-network-detection
Great article, thanks very much.
I have both device and user tunnels up and running. After login both a tunnel for the device and one for the user is established and two IPs are given.
Presuming that's normal behavior – I'm able to ping and interact (RDP, SMB) with the machine using the IP associated with the user tunnel but not the device tunnel.
Is this also normal? If so – how does an admin access a machine that is turned on but no one is yet logged in? If not normal – looking for some troubleshooting steps.
Thanks much!
@Ryan Bunce – we have Always On configured for user connection now using a machine cert. You said you have both a machine connection and a user connection. We would like to have this as well, can you provide any links or information to set up Always On this way?
@Shawn Morris – The way I did it was to follow a combination of instructions from these sites:
First Joesph Moody – the author of the article above does a great job walking through the whole process:
https://4sysops.com/archives/always-on-vpn-directaccess-for-windows-10/
Also found great information (and confirmation) here:
https://www.petenetlive.com/KB/Article/0001399
https://directaccess.richardhicks.com/category/always-on-vpn/
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy
I chose to deploy both via Intune:
User:
https://directaccess.richardhicks.com/2018/05/21/deploying-windows-10-always-on-vpn-with-microsoft-intune/
Device:
https://directaccess.richardhicks.com/2019/03/25/always-on-vpn-device-tunnel-configuration-using-intune/
We have this up and running – sort of.
If we run the Powershell script using PSExec, the profile gets installed and works like we want. If we run the Powershell script using the newer scripts feature in SCCM, it again works like we want. However, when I deploy the script as a package and have it run as administrator whether a user is logged in or not, it creates the profile but it doesn’t actually work. It doesn’t connect on its own and if you try to manually connect it, it just pops open the list of WiFi signals around you.
I have no idea what I’m doing wrong.
So i have user tunnels with both SSTp and IKEV2 working fine
however i am getting error 809 with the device tunnel,
i can also get error 809 if i switch to machine certificates on the user tunnel settings,
For our site we already have another computer certificate CA on the laptops that is used for Wi-FI authentication, this is in the computer certificate section, unfortunately when we enroll a computer authentication cert via our CA the wireless profile stops working, so we can't add our certificate and we can't remove the certificate we use for our wifi (its a state wide wifi network)
So on our VPN server i just installed the CA the wireless network uses and ran the commands above to only allow that CA to join,
Is this what causes a error 809? do i need to install this seperate CA on our NPS for client machine certificate authentication? i dont see any errors in event vewier on the NPS or RAS server, just the client,
Is certain traffic restricted to certain tunnels? ie are updates restricted to the computer authenticated tunnel?
Or is it just a way of authenticating? eg you can just use computer authentication rather than user authentication?
We also use radius authentication for our wired/wireless clients so I'm wondering if we can use the same certs?
Traffic filters might work for this: https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-security-features
Hi, great artile. It is working however it does not display under network connections for anyone. If we run get-uservpnconnection it does show up in the list but not displayed in the network connections applet in the bottom right? Any idea why?
Hi Patrick, what did you find out about your problem? Was it due to an older client version of Windows 10?
Great article thank you!
The powershell script for the device tunnel is missing Get-Content
$ProfileXML = Get-Content 'file.xml'
Configuring and provisioning a Windows 10 Always On VPN device tunnel is similar to the process for the Always On VPN connection itself. A VPN profileXML file is created and then deployed via a Mobile Device Management (MDM) solution such as Microsoft Intune. Optionally, the VPN profileXML can be deployed using SCCM or PowerShell. Additional information about Windows 10 Always On VPN device tunnel configuration, including a sample profileXML and PowerShell script, can be found here .
Is an NPS Server needed for Always On VPN device tunnels?
As the RRAS Server locally authenticates the clients using a certificate, where is the use of NPS?
Just found the confirmation in this conversation at another forum:
Something isnt right here, when configuring a device tunnel it doesnt connect automatically and prompts for credentials when trying to dial up the connection manually (have followed these instructions to the letter). Anyone else experienced this?
I also am getting this same thing. Did you ever resolve this?
Tristan, T.J Smith
The solution was a couple of posts up. See below.
The powershell script for the device tunnel is missing Get-Content. Add the Get-Content text to the $ProfileXML line in your powershell script as seen below. As posted it is not putting the information into the VPN that is being created from your xml file.
$ProfileXML = Get-Content 'file.xml'
If you want to use DEVICE TUNNELS / Device Authentication then make the following changes.
– auto enroll Computer certificates
– RAS > Properties > Security > Auth Methods > Allow Machine Certificate…for IKEv2
– On Windows 10 client – under Security > Auth > Instead of EAP – simply choose “use machine certificates”
Thanks for the update, i worked through the issues myself and have a working solution as of a week ago 🙂
Hi, Having reviewed this, I cannot seem to get this to work with a VM that I have turned into an Internet client having followed all the steps here. Is there nothing on the DNS front required to make this work?
Thanks
Hi,
Is there any way to setup Device or User Tunnel as Full Tunnel not Split Tunnel?
Change this line in the XML: <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
Once I create the tunnel via the script using psexec -s this is my output. Should I see the rest of the fields populated?
AlwaysOn :
ByPassForLocal :
DeviceTunnel :
DnsSuffix :
EdpModeId :
InstanceID : Always%20On%20VPN%20-%20Device
LockDown :
ParentID : ./Vendor/MSFT/VPNv2
ProfileXML :
RegisterDNS :
RememberCredentials :
TrustedNetworkDetection :
PSComputerName :
That output looks right. The device profile should appear if you run Get-VPNConnection -AllUserConnection . You should also see it as a network adapter in Control Panel.
Joesph,
I have always on device tunnels working. However one important aspect is not functioning, I cannot communicate with VPN connected devices from internal resources. However I can communicate with all internal resources from the device tunnel. Is there a route I need to publish to my core switch? Right now both of my NICs on the vpn server are on the same subnet, should the external one be on a separate subnet in the dmz? I've tried adding routes to the VPN server, but to no avail. I see aside from the two NICs I have on the VM, RRAS creates a virtual NIC I assume as the gateway for VPN connected devices.
Thanks!
Ryan
How is it possible to autoconnect Always on vpn client when windows startup? So the user does not have todo anything.
This should be the default behavior. In the XML, do you have <AlwaysOn>true</AlwaysOn> ?
Hi Joseph, can you tell me where I can see what the XML contains. An external party has set up our Intune config, but the device tunnel is not connecting automatically when booting the devices.
Hope you can assist.
Thanks en greetz,
Check out this website: github.com/richardhicks/aovpn
Download the Get-VPNClientProfileXML.ps1 powershell script. It will export the curretn VPN profile to a XML file.
Thank you for all this info! One weird "issue" I have is when I run the script for the device profile, it does exactly as it should but the script "hangs" for a few minutes then the catch exception kicks in with "Unable to create DeviceTunnel profile: The remote procedure call failed.". Even though it did all the work and it functions. This is causing very long delays in log on times (deployed through startup GPO)
Specifically, this part hangs: $session.CreateInstance($namespaceName, $newInstance)
Does this article still apply with the latest version of windows? For a while, SCCM supported deploying VPN profiles via Company Resource Access, but they have since deprecated that and are now saying that InTune *must* be used to deploy VPN profiles. I’m trying to avoid intune at all costs.