Configure an Always-On VPN device tunnel using Azure VPN on Windows 10 (2024)

Are you looking to set up an Always-On VPN Tunnel for Client devices using Azure VPN? Always On is the ability to maintain a VPN connection. With Always On, the active VPN profile can connect automatically and remain connected based on triggers, such as user sign-in, network state change, or device screen active.

You can use Azure VPN gateway with Always On to establish persistent user tunnels and device tunnels to Azure. In this article, we will focus on Device Tunnel.

Prerequisite:

1. Configure the point-to-site VPN tunnel using this article Configure P2S server configuration — certificate authentication: Azure portal — Azure VPN Gateway | Microsoft Learn

2. The device must be a domain joined computer running Windows 10 Enterprise or Education version 1809 or later.

1. Copy the client certificate file into the VPN client device and click to install PFX to install the certificate.

2. Select Store Location as Current User and click on next.

Note: After the certificate has been installed with the current user, again install the certificate with the store location as Local Machine

3. Click on Next

4. Enter the password for the private key

5. Click on Next

6. The certificate has been installed.

Install the Azure Point-To-Site VPN on the VPN client device:

1. Install the VpnClientAmd64.exe package on the client device
2. Open VPN settings and connect the VPN

3. Click on Connect in the Azure VPN and continue to establish the connection

Steps to domain join the VPN client device (Optional)

Note — Here my client is running in Azure and Domain Controller as well. I am joining the client to Domain using P2S VPN first to meet the pre-requisites.

1. Select Advanced system settings in the Properties of This PC

2. Click on Change and enter the domain name and the logins

As you can see the device has joined the domain:

Configurations for Device tunnel

We have completed pre-requisutes before, now we will setup Always-On Device Tunnel

1. Copy the following text and save it as devicecert.ps1

Param(
[string]$xmlFilePath,
[string]$ProfileName
)
$a = Test-Path $xmlFilePath
echo $a
$ProfileXML = Get-Content $xmlFilePath
echo $XML
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$Version = 201606090004
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"
$session = New-CimSession
try
{
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
$newInstance.CimInstanceProperties.Add($property)
$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
$newInstance.CimInstanceProperties.Add($property)
$session.CreateInstance($namespaceName, $newInstance)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
}
catch [Exception]
{
$Message = "Unable to create $ProfileName profile: $_"
Write-Host "$Message"
exit
}
$Message = "Complete."
Write-Host "$Message"

2. Copy the following text and save it as VPNProfile.xml in the same folder as devicecert.ps1. Replace the following text to match your environment.

• <Servers>azuregateway-1234-56-78dc.cloudapp.net</Servers> <= Can be found in the VpnSettings.xml in the downloaded profile zip file
• <Address>192.168.3.5</Address> <= IP of resource in the vnet or the vnet address space
• <Address>192.168.3.4</Address> <= IP of resource in the vnet or the vnet address space
• Update the Route section as per your requirement to ensure proper routing to the VNET CIDRs

<VPNProfile> 
 <NativeProfile> 
<Servers>azuregateway-1234-56-78dc.cloudapp.net</Servers> 
<NativeProtocolType>IKEv2</NativeProtocolType> 
<Authentication> 
 <MachineMethod>Certificate</MachineMethod> 
</Authentication> 
<RoutingPolicyType>SplitTunnel</RoutingPolicyType> 
 <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute> 
 </NativeProfile> 
 <!-- use host routes(/32) to prevent routing conflicts --> 
 <Route> 
<Address>192.168.3.5</Address> 
<PrefixSize>32</PrefixSize> 
 </Route> 
 <Route> 
<Address>192.168.3.4</Address> 
<PrefixSize>32</PrefixSize> 
 </Route>
<!-- need to specify always on = true --> 
 <AlwaysOn>true</AlwaysOn> 
<!-- new node to specify that this is a device tunnel --> 
 <DeviceTunnel>true</DeviceTunnel>
<!--new node to register client IP address in DNS to enable manage out -->
<RegisterDNS>true</RegisterDNS>
</VPNProfile>

3. Download PsExec (PS Tools) from the below link and extract the files to C:\PSTools.

PSPsExec — Sysinternals | Microsoft Learn

4. Open Command Prompt, change the path where the PS Tools file is present, and execute the below command:

For 32-bit Windows: PsExec.exe -s -i powershell
For 64-bit Windows: PsExec64.exe -s -i powershell

After clicking on the Agree, PowerShell will appear.

3. In PowerShell, switch to the folder where devicecert.ps1 and VPNProfile.xml are located, and run the following command:

.\devicecert.ps1 .\VPNProfile.xml MachineCertTest

(Note: If facing any issue with policies then Run the below command:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force

4. Now to test the connection, open Run and type rasphone and hit enter

5. Look for the MachineCertTest connection entry and click Connect (If you see Hang-up option instead of Connect then you are already connected)

6. Remove the earlier created P2S Connection to join the Client Machine to the Domain

I hope this was helpful, thank you for reading! Cheers!