This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 79%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Hi there,
I am deploying an always on VPN server.
As we do not currently use Intune or SCCM, I am hoping to deploy the client side of things using GPOs.
For the user tunnel, the powershell script to create the VPN connection must be run as an admin, but in the user's security context.
Is it possible, to deploy a group policy login script that meets those conditions, and can deploy the VPN profile to the users account?
I am not sure if GP scripts run with admin privileges or not, but my guess is by default they do NOT run as administrator?
Many thanks.
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 34%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Yes, you can. You will have to configure the profile to be deployed in the 'all users' context, then run the PowerShell script as a startup script, not a logon script. There are also third-party solutions that allow you to fully manage Always On VPN profiles using Active Directory and group policy. Feel free to reach out to me directly for more information.
Thanks Richard,
How would one go about adjusting it to be an "AllUsers" connection?
I assume then no special settings on the task are required, just set it to run at startup as NT AUTHORITY\SYSTEM?
Will this allow us to;
What happens for those users logging into a machine with this deployed who are not VPN authorised? Will it attempt to silently connect in the background and fail?
How will it interact with device tunnels, given those are all AllUsers connections. I thought you could only have the one AllUsers connection, but I may be mistaken.
Many thanks
James
To deploy an Always On VPN profile in the 'all users' context you load the user tunnel ProfileXML in the device context (./Device/Vendor/MSFT/VPNv2 instead of ./User/Vendor/MSFT/VPNv2). To make this easier you can use my PowerShell installation script (https://github.com/richardhicks/aovpn/blob/master/New-AovpnConnection.ps1) and supply the -AllUserConnection parameter. This is the script you'll run as a startup script in Active Directory group policy.
However, deploying the Always On VPN user tunnel in the 'all users' context does not provide pre-logon connectivity, and it won't appear on the Windows lock screen. The user tunnel connection will automatically connect once the user logs on, but it will not be available pre-logon. For that, you will need to deploy the device tunnel.
If a user logs on to the device that is not authorized for VPN, yes, the VPN connection will silently fail in the background.
I've deployed this countless times and typically the device tunnel and user tunnel coexist peacefully. You can have more than one VPN in the 'all users' context, but you can only have one 'always on' device tunnel and user tunnel at a time.
Thanks Richard,
This sounds exactly like the behaviour we want.
We want the device tunnel to connect at startup, to give non-cached users the ability to login to the machine remotely.
The user tunnel to then connect for authorised users on top of the device tunnel for general network access.
I'll give your script a go on a test machine next week and report back how we get on.
Many thanks.
James
Thanks Richard,
I've run the script to deploy the device and user tunnels on a Windows 10 machine, and it has raised a couple of queries;
Hopefully, you might be able to give me some guidance on these.
Many thanks
James
As long as you don't receive an error you don't have to worry about the output of the scripts. If the profile was created successfully, have a look at it in the UI and make sure all the settings look correct (it is possible for the script to run successfully but have the profile be configured incorrectly).
When installing the user tunnel did you use the -AllUserConnection switch with my script?
Thanks Richard,
Yes unfortunately, when trying to connect, it gave me an error that the number/name was unavailable.
Checking the adapter/VPN profile, there is no server name entered for it to use to connect to.
I did indeed use the -AllUserConnection switch.
It's odd, as the MS script seems to create this without issue, and this XML is unchanged from initial creation from their script.
Cheers
James
If you look at the VPN profile and it is missing information, it indicates there was a problem with the XML. If you reach out to me directly I'd be more than happy to assist. :)
Hi Richard,
Can I send you the XML I have, or could you send me a redacted example of one you use, so we can compare?
I followed Microsoft's documentation to create the XML from a template using their PowerShell script, and using their powershell script to deploy the profile worked before.
I haven't made any manual adjustments to the XML file, so can't see why it would fail, unless your script wasn't compatible with Microsoft's vanilla output?
Many thanks
James
Ok I do not understand;
I just recreated the XML using MS's script again. Diff'd them (they were identical), re-ran your script to deploy the user tunnel, and this time it worked....
I will now be testing via scheduled start up task and will report back.
In the interim, how do you handle trusted network detection with both tunnels? If I set my DNS suffix etc to our internal DNS domain on the device tunnel, and set the user tunnel trusted network to ignore our internal DNS name, then when the device tunnel connects, the user tunnel doesn't.
Should we be ignoring the DNS suffix settings on the device tunnel and only setting them on the user tunnel? I am not clear on how this is supposed to work?
Thanks
James
Windows is strange sometimes. ;) Glad it finally worked though.
To be clear, you would deploy these scripts as Startup scripts in Active Directory group policy, not a scheduled task.
Trusted network detection can be configured on both tunnels and typically works well. The detection logic should not evaluate VPN interfaces, only physical interfaces (e.g. Ethernet and Wi-Fi). I'm not sure why the user tunnel won't connect when the device tunnel is up unless you are using split DNS and the user tunnel is trying to resolve the public FQDN over the device tunnel and it is failing or returning the wrong address. Have a close look at that and let me know if that helps.
Thanks Richard.
Good to know. I tested as a task and seemed to also work, but will move to GP script as that's certainly cleaner :)
On premise we do have split brain DNS, so have an authoritive zone for our external domain name. There is no matching record for the external VPN name, so I guess if I;
Create one and set it to the public IP address of the VPN server.
The routes on the device tunnel should just be set to /32 entries for DNS, so that it then routes the user tunnel connection over the local internet connection rather than the device tunnel
i.e our routes section on the device tunnel would be something like:
<Route>
<Address>10.0.1.1</Address>
<PrefixSize>32</PrefixSize>
</Route>
<Route>
<Address>10.0.1.2</Address>
<PrefixSize>32</PrefixSize>
</Route>
Will give it a go and report back if any issues.
Up and running on my test machine with both dev and user tunnels.
Had to add a bunch of routes and traffic filters to the user tunnel, but both auto connected and I can access internal resources.
I think I will still stick with a scheduled startup task, purely because we have current VPN users at home who only connect the VPN once logged in. Therefore, I don't think it will be able to trigger a startup script if no DC is contactable at start.
What I'll do is use GP to copy the deploy script and XML configs to the local machine, then deploy a task to run them locally.
At least for now, this allows me to automate deployment for old VPN users.
Final question I hope;
My home network is 10.0.0.0/24. Our corporate network is 10.0.0.0/23
If I add a 10.0.0.0/23 route to our VPN XML config, will this break things because of the overlap?
Would I therefore have to add smaller routes for just the essential corporate hosts that need to be contactable?
Thanks
James
Great to hear! :)
It's possible you'll have some issues if you have overlapping networks like that. Routes are processed from most specific to least specific, with the most specific route being selected. If you have more than one matching route, the route with the lowest metric takes precedence. If you have more than one matching route and all have the same metric, then the route with the lowest interface metric is chosen.
So, it really depends on how you configure the routes for the VPN tunnel and what your home subnet looks like. You'll have to do some testing though to confirm how it works.
Hi Richard,
Thanks again for all of your guidance with AOVPN. So far, my testing has hit a few speed bumps which slowed me down, but I am now undertaking some user testing.
I do have two queries;
Many thanks again!
James
Indeed, that is a limitation of using PowerShell to provision and manage Always On VPN client configuration settings. It will only let you install one Always On VPN profile at a time. It does not support updating of existing Always On VPN profiles. For that you must remove the VPN profile and reprovision it. Alternatively, many settings changes can be implemented post-deployment by running PowerShell commands. For example, you could add or remove routes, change DNS suffixes, etc. Ultimately, this is why Microsoft Endpoint Manager/Intune is a better approach because any updates are handled transparently to the administrator and the user.
Also, yes, you can use MFA with Always On VPN. You'll find guidance for that here.
https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa
Thanks!
Thanks again Richard.
Where is the best place to go to investigate powershell commands to modify some of the existing settings of an already deployed AOVPN?
Thanks for the link RE: MFA, but that looks to be around Azure VPN?
Is it going to just be a case of installing the Azure MFA NPS extension on the NPS server we are currently using for AOVPN?
Thanks for your continued input.
James
Try this.
https://learn.microsoft.com/en-us/powershell/module/vpnclient/?view=windowsserver2022-ps
Also, this is a better reference specifically for Azure MFA and Always On VPN with NPS.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
Let me know if that helps!
Thanks RIchard.
Looks like the only part I may not be able to do is control traffic filtering, but routes does seem to be covered by those so will give it a crack.
Thanks for the MFA doc. I had come across this one before, but wasn't sure if it applied to AOVPN.
Again, I'll try it out and see how I go.
Thanks for all your advice.
James
You're right. You can't configure or update application or traffic filter rules for Always On VPN using PowerShell. You'll have to remove and replace the entire VPN profile to do that, unless you use Microsoft Endpoint Manager/Intune, of course.
Hi Richard,
I've taken a few bits from your script around the creation of the VPN profiles and registry cleanup sections.
I've used these to create my own script for use with scheduled tasks and Powershell, with some versioning capability.
So far, it seems to be working well, and removes connections if they exist and deploys new versions if needed.
I was wondering if you wanted me to send you a copy to review, and if happy for me to do so, I'll add some credits to you to my version.
I wouldn't intend to distribute this, and only use internally, but thought worth checking with you first.
Cheers
James
I'd love to see it. Reach out to me through my website, and I'll respond with my email address.
https://directaccess.richardhicks.com/contact/
Thanks!
Hello JamesEdmonds,
Unfortunately logon scripts use the interactive user session and can´t be set with elevated permissions on themselves.
On the other hand, I never configured, but theoretically you can deploy Scheduled Tasks through GPO to run that script, and set to run with elevated rights, either administrator or NT AUTHORITY. Then set the trigger "At Logon" and "Any User"
--If the reply is helpful, please Upvote and Accept as answer--
Thanks Limitless!
This seems like a neat enough way to achieve this.
Would it be correct to say I would set the run as user to be the logon user, but tick "Run with Highest Privileges" (I assume this means "Run as administrator")?
Then, just tick to "Run in logged on users security context"?
I will try to give this a test now to see what happens.
Cheers
James
I've done a quick bit of testing, but not sure this is going to work how we'd like it to.
Unless you can advise specifically how I should be setting it up?
I think computer policy tasks run as admin, not the current user, so that doesn't work.
User policy tasks have no option to run with admin right (Use highest privileges does not grant admin right after a read up on that option).
Any other thoughts on how this can be achieved in an automated fashion?
Cheers
James
I've manually created a task in task scheduler, and have this working if I run it manually whilst logged in as a standard user, but adding a login trigger it never seems to fire.
If I can correct that, I have all I need to then move this to a GPO. Any thoughts on what would prevent it from triggering on user login?
Cheers
James
Ended up using a lot of parts from Richard Hicks' AO VPN scripts, but rolling my own that deploys both user and device tunnels as "AllUserConnection" VPNs, run as SYSTEM at system startup.
It uses a small CSV to record VPN profile versions, in case we need to push new versions at later dates.
So far, seems to be working quite well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 60%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
is it possible for you to share the scripts you ended up using?
