Configure VPN Device Tunnels in Windows 10

Applies To: Windows 10 version 1709

You can use this topic to learn how to create and configure a Virtual Private Network (VPN) device tunnel for VPN connections in Windows 10.

Windows 10 VPN connections include two types of tunnels.

  • Device tunnel. This tunnel connects to specified VPN servers before users log on to the device. Device tunnel is used for pre-logon connectivity scenarios and device management purposes.
  • User tunnel. This tunnel connects only after a user logs on to the device. User tunnel allows users to access organization resources through VPN servers.

Device Tunnel Features

Following are device tunnel features.

  1. Device tunnel is always connected, as long as there is network connectivity and the computer is not in a low power state
  2. Device tunnel connects to your organization VPN servers before user logon
  3. Device tunnel can coexist with one active user tunnel
  4. Device tunnel is hidden from the user and not visible through the UI

Requirements for the Device Tunnel

Following are requirements for the device tunnel.

  • The device must be a domain joined computer
  • The device must be running Windows 10 Enterprise or Education version 1709 or later
  • The tunnel is only configurable for the Windows built-in VPN solution
  • The tunnel is established using IKEv2 with computer certificate authentication
  • Only one device tunnel can be configured on a device

Configure the VPN Device Tunnel

The sample ProfileXML below provides good guidance for pre-logon scenarios where only client-initiated pulls are required over the device tunnel. Traffic filters are used to restrict the device tunnel to management traffic only. This configuration works well for Windows Update, typical Group Policy (GP) and System Center Configuration Manager (SCCM) update scenarios, as well as for pre-logon VPN connectivity for a first logon without cached credentials, or for password reset scenarios.

On the other hand, for server-initiated push cases, such as Windows Remote Management (WinRM), remote GPUpdate, and remote SCCM update scenarios, inbound traffic on the device tunnel has to be allowed, so traffic filters cannot be used. This limitation is going to be removed in future releases.

Sample VPN profileXML

Following is the sample VPN profileXML.

<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- use host routes (/32) to prevent routing conflicts -->
  <Route>
    <Address>10.10.0.2</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <Route>
    <Address>10.10.0.3</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <!-- traffic filters for the routes specified above so that only this traffic can go over the device tunnel -->
  <TrafficFilter>
    <RemoteAddressRanges>10.10.0.2, 10.10.0.3</RemoteAddressRanges>
  </TrafficFilter>
  <!-- need to specify always on = true -->
  <AlwaysOn>true</AlwaysOn>
  <!-- new node to specify that this is a device tunnel -->
  <DeviceTunnel>true</DeviceTunnel>
  <!-- new node to register client IP address in DNS to enable manage out -->
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>

Depending on the needs of each particular deployment scenario, another VPN feature that can be configured with the device tunnel is Trusted Network Detection.

  <!-- inside/outside detection -->
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>

Deployment and Testing

You can configure device tunnels by using a Windows PowerShell script and the Windows Management Instrumentation (WMI) bridge. The following article provides guidelines on how to deploy a per-device (.\Device) profile versus a per-user (.\User) profile. You must deploy the device profile in the local system context.

For more information, see Using PowerShell scripting with the WMI Bridge Provider.

To verify that you have successfully deployed a device profile, run the following Windows PowerShell command.

Get-VpnConnection -AllUserConnection

The output displays a list of the device-wide VPN profiles that are deployed on the device.
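The following script is an added example, not part of the original article or the Windows VPNv2 CSP: it checks a device tunnel ProfileXML (such as the sample above) against the requirements this page lists, and can read a deployed profile back through the WMI bridge for the same check. Function names and the file name device-tunnel.xml are hypothetical; it assumes the deployed ProfileXML is stored escaped as the deployment script below writes it.

```powershell
# Added example, not from the original article: checks a device tunnel ProfileXML
# against the requirements listed on this page, before and after it is pushed through
# the WMI bridge. Function names and the file name device-tunnel.xml are hypothetical.
function Test-DeviceTunnelProfile {
    param([Parameter(Mandatory)][string]$ProfileXml)

    [xml]$doc = $ProfileXml
    $vp = $doc.VPNProfile
    $np = $vp.NativeProfile
    $problems = New-Object System.Collections.Generic.List[string]

    # Device tunnel essentials from the article: IKEv2, machine certificate, AlwaysOn and DeviceTunnel.
    if ($np.NativeProtocolType -ne 'IKEv2') { $problems.Add('NativeProtocolType must be IKEv2') }
    if ($np.Authentication.MachineMethod -ne 'Certificate') { $problems.Add('MachineMethod must be Certificate') }
    if ($vp.AlwaysOn -ne 'true') { $problems.Add('AlwaysOn must be true') }
    if ($vp.DeviceTunnel -ne 'true') { $problems.Add('DeviceTunnel must be true') }

    # Management-only tunnel: split tunnel with no class-based default route,
    # /32 host routes only, and a traffic filter covering every routed address.
    if ($np.RoutingPolicyType -ne 'SplitTunnel') { $problems.Add('RoutingPolicyType should be SplitTunnel') }
    if ($np.DisableClassBasedDefaultRoute -ne 'true') { $problems.Add('DisableClassBasedDefaultRoute should be true') }
    $routes = @($vp.Route | Where-Object { $_ })
    if ($routes.Count -eq 0) { $problems.Add('No Route elements found') }
    $filtered = @()
    foreach ($tf in @($vp.TrafficFilter | Where-Object { $_ })) {
        $filtered += ($tf.RemoteAddressRanges -split ',') | ForEach-Object { $_.Trim() }
    }
    foreach ($r in $routes) {
        if ([int]$r.PrefixSize -ne 32) { $problems.Add("Route $($r.Address)/$($r.PrefixSize) is not a /32 host route") }
        if ($filtered -notcontains $r.Address) { $problems.Add("Route $($r.Address) has no matching TrafficFilter entry") }
    }
    return ,$problems
}

# Reads a deployed profile back through the WMI bridge (run in the local system context,
# as the article requires for device profiles) and applies the same checks to it.
function Test-DeployedDeviceTunnel {
    param([Parameter(Mandatory)][string]$ProfileName)
    $inst = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' |
        Where-Object { $_.InstanceID -eq ($ProfileName -replace ' ', '%20') }
    if (-not $inst) { return ,@("Profile '$ProfileName' not found in MDM_VPNv2_01") }
    # Assumes ProfileXML was stored escaped (&lt; &gt; &quot;) by the deployment script; decoding is a no-op otherwise.
    return Test-DeviceTunnelProfile -ProfileXml ([System.Net.WebUtility]::HtmlDecode($inst.ProfileXML))
}

# Pre-deployment check of a ProfileXML file (hypothetical file name)
$issues = Test-DeviceTunnelProfile -ProfileXml (Get-Content '.\device-tunnel.xml' -Raw)
if ($issues.Count -eq 0) { 'Profile passes device tunnel checks' } else { $issues }
```

Run against the sample ProfileXML above, the file check returns an empty list; removing the TrafficFilter node or changing a PrefixSize reports the affected route.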

Example Windows PowerShell Script

You can use the following Windows PowerShell script to assist in creating your own script for profile creation.

Param(
    [string]$xmlFilePath,
    [string]$ProfileName
)

# Stop early if the ProfileXML file does not exist
if (-not (Test-Path $xmlFilePath)) {
    Write-Host "ProfileXML file not found: $xmlFilePath"
    exit
}

# Read the whole file as a single string so the XML keeps its line structure
$ProfileXML = Get-Content $xmlFilePath -Raw

# The profile name becomes the InstanceID of the CSP node, so spaces must be URL encoded
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# The ProfileXML node value is itself XML, so it must be escaped before being stored
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

# VPNv2 CSP node reached through the WMI bridge provider
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"

$session = New-CimSession

try
{
    # Build the MDM_VPNv2_01 instance: ParentID and InstanceID are the keys, ProfileXML carries the profile
    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
    $newInstance.CimInstanceProperties.Add($property)

    # Creating the instance writes the profile through the CSP
    $session.CreateInstance($namespaceName, $newInstance)
    $Message = "Created $ProfileName profile."
    Write-Host "$Message"
}
catch [Exception]
{
    $Message = "Unable to create $ProfileName profile: $_"
    Write-Host "$Message"
    exit
}
$Message = "Complete."
Write-Host "$Message"

Additional Resources

Following are additional resources to assist with your VPN deployment.

  • VPN client configuration resources
  • Remote Access Server (RAS) Gateway resources