Tutorial - Set up infrastructure for Always On VPN (2024)


Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows 11

In this tutorial, you'll learn how to deploy Always On VPN connections for remote domain-joined Windows client computers. You'll create a sample infrastructure that shows you how to implement an Always On VPN connection process. The process is composed of the following steps:

  1. The Windows VPN client uses a public DNS server to perform a name resolution query for the IP address of the VPN gateway.

  2. The VPN client uses the IP address returned by DNS to send a connection request to the VPN gateway.

  3. The VPN server is also configured as a Remote Authentication Dial-In User Service (RADIUS) Client; the VPN RADIUS Client sends the connection request to the NPS server for connection request processing.

  4. The NPS server processes the connection request, including performing authorization and authentication, and determines whether to allow or deny the connection request.

  5. The NPS server forwards an Access-Accept or Access-Deny response to the VPN server.

  6. The connection is initiated or terminated based on the response that the VPN server received from the NPS server.

Prerequisites

To complete the steps in this tutorial,

  • You'll need access to four physical computers or virtual machines (VMs).

  • Ensure that your user account on all machines is a member of Administrators, or equivalent.

Important

Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess. For more information, see Microsoft server software support for Microsoft Azure virtual machines.

Create the domain controller

  1. Install Windows Server on the machine that will run the domain controller.

  2. Install Active Directory Domain Services (AD DS). For detailed information on how to install AD DS, see Install Active Directory Domain Services.

  3. Promote the Windows Server to domain controller. For this tutorial, you'll create a new forest and the first domain in that new forest. For detailed information on how to install the domain controller, see AD DS Installation.

  4. Install and configure the Certificate Authority (CA) on the domain controller. For detailed information on how to install CA, see Install the Certification Authority.

Create an Active Directory Group Policy

In this section, you'll create a Group Policy on the domain controller so that domain members automatically request user and computer certificates. This configuration lets VPN users request and retrieve user certificates that automatically authenticate VPN connections. This policy also allows the NPS server to request server authentication certificates automatically.

  1. On the domain controller, open Group Policy Management.

  2. In the left pane, right-click your domain (for example, corp.contoso.com). Select Create a GPO in this domain, and Link it here.

  3. On the New GPO dialog box, for Name, enter Autoenrollment Policy. Select OK.

  4. In the left pane, right-click Autoenrollment Policy. Select Edit to open the Group Policy Management Editor.

  5. In the Group Policy Management Editor, complete the following steps to configure computer certificate autoenrollment:

    1. In the left pane, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

    2. In the details pane, right-click Certificate Services Client – Auto-Enrollment. Select Properties.

    3. On the Certificate Services Client – Auto-Enrollment Properties dialog box, for Configuration Model, select Enabled.

    4. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.

    5. Select OK.

  6. In the Group Policy Management Editor, complete the following steps to Configure user certificate autoenrollment:

    1. In the left pane, go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

    2. In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.

    3. On the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model, select Enabled.

    4. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.

    5. Select OK.

    6. Close the Group Policy Management Editor.

  7. Close Group Policy Management.
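The autoenrollment settings above can also be applied from PowerShell, which is useful when the same GPO must be reproduced in several domains or checked after the fact. The following is an added example, not part of the tutorial or Microsoft's own code: it assumes the GroupPolicy module (installed with GPMC) on the domain controller, the sample domain corp.contoso.com from step 2, and that the two autoenrollment policy nodes map to the AEPolicy registry value, where 1 enables autoenrollment, 2 selects "Renew expired certificates, update pending certificates, and remove revoked certificates", and 4 selects "Update certificates that use certificate templates".

```powershell
# Added example (not from the tutorial): create and link the "Autoenrollment Policy" GPO
# and set the same autoenrollment options the console steps select, for both
# Computer Configuration (HKLM) and User Configuration (HKCU).
Import-Module GroupPolicy

$GpoName  = 'Autoenrollment Policy'
$DomainDN = 'DC=corp,DC=contoso,DC=com'   # sample domain from the tutorial; adjust to yours

# AEPolicy is a bit mask: 1 = Enabled, 2 = renew expired / update pending / remove revoked,
# 4 = update certificates that use certificate templates. 7 selects all three, as the GUI steps do.
$AePolicy = 1 + 2 + 4

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value $AePolicy | Out-Null

# User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value $AePolicy | Out-Null

# Verify both values landed in the GPO before clients refresh policy (expect 7 for each hive).
foreach ($hive in 'HKLM\SOFTWARE', 'HKCU\Software') {
    $v = Get-GPRegistryValue -Name $GpoName `
        -Key "$hive\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName 'AEPolicy'
    '{0,-5} AEPolicy = {1}' -f $hive.Split('\')[0], $v.Value
}
```

Run `gpupdate /force` on a domain member afterwards and confirm with `certutil -pulse` or the Certificates MMC that a computer certificate was requested; if nothing is issued, the usual cause is that no template has Autoenroll permission for Domain Computers, which the next tutorial configures.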

Create the NPS server

  1. Install Windows Server on the machine that will run the NPS server.

  2. On the NPS server, install the Network Policy and Access Services (NPS) role. For detailed information on how to install NPS, see Install Network Policy Server.

  3. Register the NPS Server in Active Directory. For information on how to register NPS Server in Active Directory, see Register an NPS in an Active Directory Domain.

  4. Make sure that your firewalls allow the traffic that is necessary for both VPN and RADIUS communications to function correctly. For more information, see Configure Firewalls for RADIUS Traffic.

  5. Create the NPS Servers group:

    1. On the domain controller, open Active Directory Users and Computers.

    2. Under your domain, right-click Computers. Select New, then select Group.

    3. In Group name, enter NPS Servers, then select OK.

    4. Right-click NPS Servers and select Properties.

    5. On the Members tab of the NPS Servers Properties dialog box, select Add.

    6. Select Object Types, select the Computers check box, then select OK.

    7. In Enter the object names to select, enter the computer name of the NPS server. Select OK.

    8. Close Active Directory Users and Computers.
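The same NPS server preparation as a script, added here as an example that is not part of the tutorial: role installation, registration in Active Directory, the RADIUS firewall rule, and the NPS Servers group. It assumes the ServerManager and ActiveDirectory modules, that the first part runs on the NPS server and the group part on the domain controller, and uses the placeholder computer name NPS1.

```powershell
# Added example (not from the tutorial). Part 1 runs on the NPS server.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Register NPS in Active Directory. This adds the computer to the built-in
# "RAS and IAS Servers" group, which is what lets NPS read users' dial-in properties;
# it is the command-line equivalent of "Register server in Active Directory" in the console.
netsh ras add registeredserver

# RADIUS uses UDP 1812/1813 (standard) and 1645/1646 (legacy). Scope the rule to the
# domain profile so the listener is not reachable from other network profiles.
New-NetFirewallRule -DisplayName 'RADIUS (NPS) inbound' -Direction Inbound `
    -Protocol UDP -LocalPort 1812, 1813, 1645, 1646 -Profile Domain -Action Allow | Out-Null

# Part 2 runs on the domain controller: create the NPS Servers group under Computers
# and add the NPS server's computer object to it.
Import-Module ActiveDirectory
$NpsComputerName = 'NPS1'   # placeholder: NetBIOS name of your NPS server

$group = Get-ADGroup -Filter "Name -eq 'NPS Servers'"
if (-not $group) {
    $group = New-ADGroup -Name 'NPS Servers' -GroupScope Global -GroupCategory Security `
        -Path ('CN=Computers,' + (Get-ADDomain).DistinguishedName) -PassThru
}
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $NpsComputerName)

# Confirm membership; the NPS server should be listed as a computer object.
Get-ADGroupMember -Identity 'NPS Servers' | Select-Object Name, objectClass
```

If `netsh ras add registeredserver` reports access denied, the account running it is not a member of Domain Admins (or Enterprise Admins for a different domain); registration writes to the RAS and IAS Servers group, so it needs that right once, not for day-to-day NPS operation.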

Create the VPN server

  1. Install Windows Server on the machine that will run the VPN Server. Ensure that the machine has two physical network adapters installed: one to connect to the internet, and one to connect to the network where the domain controller is located.

  2. Identify which network adapter connects to the internet and which network adapter connects to the domain. Configure the network adapter facing the internet with a public IP address, while the adapter facing the intranet can use an IP address from the local network.

  3. For the network adapter connecting to the domain, set the DNS preferred IP address to the IP address of the domain controller.

  4. Join the VPN server to the domain. For information on how to join a server to a domain, see To join a server to a domain.

  5. Open your firewall rules to allow UDP ports 500 and 4500 inbound to the external IP address applied to the public interface on the VPN server.

  6. On the network adapter connecting to the domain, enable the following ports: UDP 1812, UDP 1813, UDP 1645, and UDP 1646.

  7. Create the VPN Servers group:

    1. On the domain controller, open Active Directory Users and Computers.

    2. Under your domain, right-click Computers. Select New, then select Group.

    3. In Group name, enter VPN Servers, then select OK.

    4. Right-click VPN Servers and select Properties.

    5. On the Members tab of the VPN Servers Properties dialog box, select Add.

    6. Select Object Types, select the Computers check box, then select OK.

    7. In Enter the object names to select, enter the computer name of the VPN server. Select OK.

    8. Close Active Directory Users and Computers.

  8. Follow the steps in Install Remote Access as a VPN server to install the VPN server.

  9. Open the Routing and Remote Access tool from Server Manager.

  10. Right-click the VPN server, and then select Properties.

  11. In Properties, select the Security tab and then:

    1. Select Authentication provider and select RADIUS Authentication.

    2. Select Configure to open the RADIUS Authentication dialog.

    3. Select Add to open the Add RADIUS Server dialog.

      1. In Server name, enter the Fully Qualified Domain Name (FQDN) of the NPS server. In this tutorial, the NPS server is the domain controller server. For example, if the NetBIOS name of your NPS and domain controller server is dc1 and your domain name is corp.contoso.com, enter dc1.corp.contoso.com.

      2. In Shared secret, select Change to open the Change Secret dialog box.

      3. In New secret, enter a text string.

      4. In Confirm new secret, enter the same text string, then select OK.

      5. Save this secret. You'll need it when you add this VPN server as a RADIUS client later in this tutorial.

    4. Select OK to close the Add RADIUS Server dialog.

    5. Select OK to close the RADIUS Authentication dialog.

  12. On the VPN server Properties dialog, select Authentication Methods....

  13. Select Allow machine certificate authentication for IKEv2.

  14. Select OK.

  15. For Accounting provider, select Windows Accounting.

  16. Select OK to close the Properties dialog.

  17. A dialog will prompt you to restart the server. Select Yes.
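The network and RADIUS steps for the VPN server (steps 3, 5, 6, 8, 11 and 15 above), as an added PowerShell example that is not part of the tutorial. It assumes the RemoteAccess, NetSecurity and DnsClient modules on the VPN server, interface aliases `External` and `Internal`, the placeholder domain controller address 10.0.0.10 and the sample NPS name dc1.corp.contoso.com from step 11. The VPN Servers group is created exactly like the NPS Servers group and is not repeated here, and the "Allow machine certificate authentication for IKEv2" checkbox is left to the console steps.

```powershell
# Added example (not from the tutorial): network, firewall and RADIUS configuration
# of the VPN server. Values below are placeholders for your environment.
$External  = 'External'              # adapter with the public IP address
$Internal  = 'Internal'              # adapter on the domain network
$DcAddress = '10.0.0.10'             # placeholder: domain controller IP
$NpsFqdn   = 'dc1.corp.contoso.com'  # NPS server FQDN as used in step 11

# Step 3: the domain-facing adapter resolves names via the domain controller.
Set-DnsClientServerAddress -InterfaceAlias $Internal -ServerAddresses $DcAddress

# Step 5: IKEv2 needs UDP 500 (IKE) and 4500 (NAT-T). Bind the rule to the public
# interface only, so the listener is not also exposed on the intranet side.
New-NetFirewallRule -DisplayName 'IKEv2 VPN inbound' -Direction Inbound -Protocol UDP `
    -LocalPort 500, 4500 -InterfaceAlias $External -Action Allow | Out-Null

# Step 6: RADIUS traffic is only expected on the domain-facing adapter.
New-NetFirewallRule -DisplayName 'RADIUS inbound (internal)' -Direction Inbound -Protocol UDP `
    -LocalPort 1812, 1813, 1645, 1646 -InterfaceAlias $Internal -Action Allow | Out-Null

# Step 11: derive the shared secret from the OS CSPRNG rather than typing a word.
# Base64 output is printable ASCII, which both RRAS and NPS accept.
function New-RadiusSharedSecret {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)
}
$Secret = New-RadiusSharedSecret

# "Save this secret": store it DPAPI-protected to the current user so it can be
# retrieved when the VPN server is added as a RADIUS client on NPS.
ConvertTo-SecureString -String $Secret -AsPlainText -Force |
    ConvertFrom-SecureString | Set-Content -Path "$env:USERPROFILE\radius-secret.dpapi"

# Step 8: install Remote Access as a VPN server.
Install-RemoteAccess -VpnType Vpn

# Step 11: authentication provider = RADIUS, pointing at the NPS server.
Set-VpnAuthType -Type ExternalRadius -RadiusServer $NpsFqdn -SharedSecret $Secret

# Step 15: accounting provider = Windows Accounting (the in-box log store).
Set-RemoteAccessAccounting -EnableAccountingType Inbox

# Verify: the NPS server should be listed as the authentication RADIUS server.
Get-RemoteAccessRadius -Purpose Authentication | Format-Table ServerName, Port, Timeout
```

Restart the Remote Access service afterwards (`Restart-Service RemoteAccess`), which is what the console's restart prompt does. To read the secret back on the NPS server, copy the `.dpapi` file and decrypt it under the same user account with `Get-Content | ConvertTo-SecureString`; DPAPI ties the blob to that account, so it cannot be recovered by anyone who only obtains the file.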

Create VPN Windows client

  1. Install Windows 10 or later on the machine that will be your VPN client.

  2. Join the VPN client to your domain. For information on how to join a computer to a domain, see To join a computer to a domain.

Create VPN User and Group

  1. Create a VPN User by taking the following steps:

    1. On the domain controller, open Active Directory Users and Computers.

    2. Under your domain, right-click Users. Select New. For User logon name, enter any logon name. Select Next.

    3. Choose a password for the user.

    4. Deselect User must change password at next logon. Select Password never expires.

    5. Select Finish. Keep Active Directory Users and Computers open.

  2. Create a VPN User group by taking the following steps:

    1. Under your domain, right-click Users. Select New, then select Group.

    2. In Group name, enter VPN Users, then select OK.

    3. Right-click VPN Users and select Properties.

    4. On the Members tab of the VPN Users Properties dialog box, select Add.

    5. On the Select Users dialog box, add the VPN user that you created and select OK.
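The test user and the VPN Users group, as an added example that is not part of the tutorial. It assumes the ActiveDirectory module on the domain controller; the logon name `vpnuser1` is a placeholder, and the password options mirror the console steps above (no change at next logon, never expires).

```powershell
# Added example (not from the tutorial): create the VPN test user and the VPN Users group.
Import-Module ActiveDirectory

$LogonName = 'vpnuser1'   # placeholder logon name
$UsersPath = 'CN=Users,' + (Get-ADDomain).DistinguishedName

# Prompt for the password rather than embedding it in the script.
$Password = Read-Host -Prompt "Password for $LogonName" -AsSecureString

if (-not (Get-ADUser -Filter "SamAccountName -eq '$LogonName'")) {
    New-ADUser -Name $LogonName -SamAccountName $LogonName `
        -UserPrincipalName "$LogonName@$((Get-ADDomain).DNSRoot)" `
        -Path $UsersPath -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

if (-not (Get-ADGroup -Filter "Name -eq 'VPN Users'")) {
    New-ADGroup -Name 'VPN Users' -GroupScope Global -GroupCategory Security -Path $UsersPath
}
Add-ADGroupMember -Identity 'VPN Users' -Members $LogonName

# Verify: the user should appear as the group's member.
Get-ADGroupMember -Identity 'VPN Users' | Select-Object SamAccountName, objectClass
```

The group name `VPN Users` is the one the NPS wizard later asks for in Specify User Groups, so keep the spelling identical.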

Configure VPN server as a RADIUS client

  1. On the NPS server, open your firewall rules to allow UDP ports 1812, 1813, 1645, and 1646 inbound.

  2. In the NPS console, double-click RADIUS Clients and Servers.

  3. Right-click RADIUS Clients and select New to open the New RADIUS Client dialog box.

  4. Verify that the Enable this RADIUS client check box is selected.

  5. In Friendly name, enter a display name for the VPN server.

  6. In Address (IP or DNS), enter the IP address or FQDN of the VPN server.

    If you enter the FQDN, select Verify if you want to verify that the name is correct and maps to a valid IP address.

  7. In Shared secret:

    1. Ensure that Manual is selected.

    2. Enter the secret that you created in the Create the VPN server section.

    3. For Confirm shared secret, re-enter the shared secret.

  8. Select OK. The VPN Server should appear in the list of RADIUS clients configured on the NPS server.
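Registering the VPN server as a RADIUS client with the NPS module, as an added example that is not part of the tutorial. It assumes the NPS module on the NPS server, the placeholder friendly name `VPN1` and address vpn1.corp.contoso.com, and that the shared secret from the Create the VPN server section is entered at the prompt. The name check mirrors the console's Verify button.

```powershell
# Added example (not from the tutorial): add the VPN server as a RADIUS client on NPS.
Import-Module NPS

$FriendlyName = 'VPN1'                    # placeholder display name
$VpnAddress   = 'vpn1.corp.contoso.com'   # placeholder FQDN of the VPN server

# Take the secret without echoing it; it must match the one set on the VPN server.
$sec = Read-Host -Prompt 'RADIUS shared secret (from the VPN server step)' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
$Secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# "Verify": the FQDN must resolve to an address before NPS will accept requests from it.
$resolved = Resolve-DnsName -Name $VpnAddress -Type A -ErrorAction Stop
'{0} -> {1}' -f $VpnAddress, ($resolved.IPAddress -join ', ')

# Enabled and "Manual" shared secret, as in the New RADIUS Client dialog.
# AuthAttributeRequired makes NPS demand the Message-Authenticator attribute, which
# binds each request to the shared secret and rejects spoofed or tampered packets.
New-NpsRadiusClient -Name $FriendlyName -Address $VpnAddress -SharedSecret $Secret `
    -Enabled $true -AuthAttributeRequired $true | Out-Null

# Verify: the VPN server should now appear in the RADIUS Clients list.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled, AuthAttributeRequired
```

A mismatched secret does not fail at this point; it shows up later as rejected requests, so keep the NPS event log (next example) in view when testing the first connection.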

Configure NPS server as a RADIUS server

Note

In this tutorial, the NPS server is installed on the domain controller with the CA role, so you don't need to register a separate NPS server certificate. However, in an environment where the NPS server is installed on a separate server, an NPS server certificate must be enrolled before you can perform these steps.

  1. In the NPS console, select NPS(Local).

  2. In Standard Configuration, ensure that RADIUS server for Dial-Up or VPN Connections is selected.

  3. Select Configure VPN or Dial-Up to open the Configure VPN or Dial-Up wizard.

  4. Select Virtual Private Network (VPN) Connections, and select Next.

  5. In Specify Dial-Up or VPN Server, in RADIUS clients, select the name of the VPN server.

  6. Select Next.

  7. In Configure Authentication Methods, complete the following steps:

    1. Clear Microsoft Encrypted Authentication version 2 (MS-CHAPv2).

    2. Select Extensible Authentication Protocol.

    3. For Type, select Microsoft: Protected EAP (PEAP). Then select Configure to open the Edit Protected EAP Properties dialog box.

    4. Select Remove to remove the Secured Password (EAP-MSCHAP v2) EAP type.

    5. Select Add. The Add EAP dialog box opens.

    6. Select Smart Card or other certificate, then select OK.

    7. Select OK to close Edit Protected EAP Properties.

  8. Select Next.

  9. In Specify User Groups, complete the following steps:

    1. Select Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.

    2. Enter VPN Users, then select OK.

    3. Select Next.

  10. On Specify IP Filters, select Next.

  11. On Specify Encryption Settings, select Next. Do not make any changes.

  12. On Specify a Realm Name, select Next.

  13. Select Finish to close the wizard.
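Once the wizard has created the connection request and network policies, the fastest way to see whether a client connection is being accepted or why it is denied is the NPS audit trail. This is an added example, not part of the tutorial: it assumes it runs on the NPS server with administrative rights, that the Network Policy Server audit subcategory is enabled (it does that first), and it parses the message text of Security events 6272 (access granted) and 6273 (access denied) with regular expressions written for this example.

```powershell
# Added example (not from the tutorial): enable NPS auditing and summarise recent
# RADIUS decisions so a rejected Always On VPN connection can be traced to its policy.

# Make sure NPS writes 6272/6273 events; both are off until auditing is enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-NpsDecision {
    param([int]$Hours = 1)
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the fields a troubleshooter needs out of the event message text.
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Decision = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            Account  = [regex]::Match($m, 'Account Name:\s+(\S+)').Groups[1].Value
            Client   = [regex]::Match($m, 'Client Friendly Name:\s+(.+)').Groups[1].Value.Trim()
            Policy   = [regex]::Match($m, 'Network Policy Name:\s+(.+)').Groups[1].Value.Trim()
            Reason   = [regex]::Match($m, 'Reason:\s+(.+)').Groups[1].Value.Trim()
        }
    }
}

# Recent decisions, newest first; a Denied row carries the reason text NPS logged.
Get-NpsDecision -Hours 24 | Format-Table Time, Decision, Account, Client, Policy, Reason -AutoSize
```

Typical denial reasons at this stage are a user who is not in VPN Users (the Specify User Groups condition), a client certificate that does not chain to the CA configured in the next tutorial, or a RADIUS client entry whose shared secret differs from the VPN server's; the `Client` column tells you which RADIUS client the request came through.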

Next steps

Now that you've created your sample infrastructure, you are ready to begin configuring your Certificate Authority.

  • Deploy Always On VPN Tutorial: Configure Certification Authority templates

  • Troubleshoot Always On VPN
