Always On VPN and Interface Metrics

In Windows, each network interface identified by the operating system is assigned a metric value. Interface metrics are settings that determine the priority or preference of network interfaces when there are multiple active network connections. The Windows networking stack uses these metrics to determine which network interface should be used for routing traffic when multiple network interfaces are available. Network interface metrics are critical for Always On VPN administrators to understand because they can impact how name resolution requests are processed when an Always On VPN connection is established.

Metric Values

By default, Windows automatically assigns metric values to network interfaces (including VPN interfaces) based on various factors, including the connection speed, link state, and interface type. It tries to select the most suitable interface for general internet connectivity.

Metrics and DNS

Windows will also use the network interface with the lowest metric value as the preferred interface for sending DNS queries by default. This means that DNS queries will be routed through the network interface with the lowest metric value, assuming it is available and connected. When an Always On VPN connection is established, DNS queries may fail or return unexpected results if the network interface metrics are not configured optimally.

Split DNS and Wired Ethernet

Split DNS (sometimes called ‘split brain DNS’) is when the DNS namespace is the same internally and externally. The most common scenario where interface metric settings interfere with DNS operation is when split DNS is in use and the endpoint is connected to the Internet with a wired Ethernet connection. In this scenario, the Ethernet interface is assigned an interface metric value that is the same as or lower than that of the Always On VPN interface, so DNS queries for internal names can be sent out the Ethernet interface rather than the tunnel and yield unexpected results.

Viewing Metrics

Always On VPN administrators can view currently assigned interface metric values by running the following PowerShell command.

Get-NetIpInterface
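The following PowerShell function is an added example, not part of the original post. It runs Get-NetIPInterface for both address families and compares the metric of the Always On VPN interface with every other connected interface, flagging any interface whose metric ties or beats the tunnel (the split DNS failure case described above). The VPN connection name is a parameter; the sample value in the usage line is assumed.

```powershell
# Added example: compare the live metric of the Always On VPN interface with every
# other connected interface, per address family. Any row with VpnPreferred = $false
# is an interface whose metric ties or beats the tunnel, so DNS queries may go there.
function Test-AovpnInterfaceMetric {
    param(
        # Name of the VPN connection as shown by Get-NetIPInterface (assumed value)
        [Parameter(Mandatory)] [string] $VpnInterfaceAlias
    )
    foreach ($family in 'IPv4', 'IPv6') {
        $vpn = Get-NetIPInterface -InterfaceAlias $VpnInterfaceAlias `
                                  -AddressFamily $family -ErrorAction SilentlyContinue
        if (-not $vpn) { continue }   # tunnel not connected, or no address of this family on it

        # Every other interface that is up, i.e. eligible to carry DNS queries
        $others = Get-NetIPInterface -AddressFamily $family | Where-Object {
            $_.ConnectionState -eq 'Connected' -and
            $_.InterfaceAlias -ne $VpnInterfaceAlias -and
            $_.InterfaceAlias -notlike 'Loopback*'
        }
        foreach ($other in $others) {
            [pscustomobject]@{
                AddressFamily   = $family
                Interface       = $other.InterfaceAlias
                InterfaceMetric = $other.InterfaceMetric
                VpnMetric       = $vpn.InterfaceMetric
                # Windows prefers the lowest metric; a tie is not good enough for the tunnel
                VpnPreferred    = ($vpn.InterfaceMetric -lt $other.InterfaceMetric)
            }
        }
    }
}

# Usage (connection name assumed):
# Test-AovpnInterfaceMetric -VpnInterfaceAlias 'Always On VPN' | Format-Table
```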

Assigning Metrics

Most Always On VPN administrators will never have to change interface metric settings. However, if your implementation uses split DNS and some of your endpoints connect using wired Ethernet connections, you may need to update the interface metric settings to ensure proper DNS operation. Choose an interface metric value for the VPN interface that is lower than that of the wired Ethernet interface. I’ve used a value of ‘3’ without issue for many years. Use one of the following methods to update the interface metric for Always On VPN connections.

PowerShell

Updating interface metric settings in Windows can be accomplished by running the Set-NetIpInterface PowerShell command.

Set-NetIpInterface -InterfaceAlias <connection name> -InterfaceMetric 3

Note: Using PowerShell to assign the interface metric is not persistent! While this method is suitable for local validation testing, you should use one of the following methods to implement this change permanently.

Rasphone.pbk

To assign the interface metric permanently, Always On VPN administrators can edit the following settings in the rasphone.pbk configuration file.

IpInterfaceMetric=3

Ipv6InterfaceMetric=3

Administrators can automate updating this setting using the Update-Rasphone.ps1 PowerShell script. In addition, the following scripts can be used with Microsoft Intune remediation.

Detect-DeviceIpv4InterfaceMetric.ps1

Remediate-DeviceIpv4InterfaceMetric.ps1

Detect-DeviceIpv6InterfaceMetric.ps1

Remediate-DeviceIpv6InterfaceMetric.ps1

Detect-Ipv4InterfaceMetric.ps1

Remediate-Ipv4InterfaceMetric.ps1

Detect-Ipv6InterfaceMetric.ps1

Remediate-Ipv6InterfaceMetric.ps1
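As an added example, and not one of the scripts listed above, here is a detect/remediate pair in the Intune remediation style. It reads the [connection] section of rasphone.pbk, checks IpInterfaceMetric and Ipv6InterfaceMetric, and rewrites only those two keys. The default path is an assumption (the current user’s phone book); the device tunnel and ‘all users’ profiles use a different location, as the post notes, and the _hidden copy may still need to be removed afterwards.

```powershell
# Added example (not one of the post's scripts). rasphone.pbk is INI-style: a
# [Connection Name] header followed by key=value lines, so the keys are edited in place.
# $DefaultPbk is an assumption (current user's phone book); change it for device-tunnel
# or 'all users' profiles, and remember the _hidden copy the post mentions.
$DefaultPbk = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"

function Get-RasphoneMetric {
    param([Parameter(Mandatory)] [string] $ConnectionName, [string] $Path = $DefaultPbk)
    $inSection = $false
    $found = @{ IpInterfaceMetric = $null; Ipv6InterfaceMetric = $null }
    foreach ($line in Get-Content -Path $Path) {
        # A new [section] starts; track whether it is the connection we care about
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $ConnectionName); continue }
        if ($inSection -and $line -match '^(IpInterfaceMetric|Ipv6InterfaceMetric)=(\d+)$') {
            $found[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $found
}

# Detect: $true when both keys already carry the wanted metric (Intune: exit 1 when $false)
function Test-RasphoneMetric {
    param([Parameter(Mandatory)] [string] $ConnectionName, [int] $Metric = 3, [string] $Path = $DefaultPbk)
    $m = Get-RasphoneMetric -ConnectionName $ConnectionName -Path $Path
    return (($m.IpInterfaceMetric -eq $Metric) -and ($m.Ipv6InterfaceMetric -eq $Metric))
}

# Remediate: rewrite the two keys inside the named section only; every other line is kept as-is
function Set-RasphoneMetric {
    param([Parameter(Mandatory)] [string] $ConnectionName, [int] $Metric = 3, [string] $Path = $DefaultPbk)
    $inSection = $false
    $updated = foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $ConnectionName) }
        if ($inSection -and $line -match '^(IpInterfaceMetric|Ipv6InterfaceMetric)=') {
            "$($Matches[1])=$Metric"
        } else {
            $line
        }
    }
    Set-Content -Path $Path -Value $updated
}
```

For Intune, the detection script would run `if (Test-RasphoneMetric -ConnectionName '<name>') { exit 0 } else { exit 1 }` and the remediation script would call `Set-RasphoneMetric -ConnectionName '<name>'`, with the connection name taken from the deployed profile.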

DPC

Organizations using PowerON Platforms’ Dynamic Profile Configurator (DPC) to manage Always On VPN client configuration settings with Active Directory and group policy or Microsoft Intune can enable the VPN Tunnel Metric setting.

Additional Information

Get-NetIpInterface PowerShell Command

Set-NetIpInterface PowerShell Command

Managing Always On VPN Client Settings with DPC

Always On VPN DPC with Microsoft Intune

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstration

PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC)

11 Comments

  1. Been testing this the other way around, which seems to be persistent unless I am wrong? Happy to be corrected, of course. Been setting the adapters to a higher metric than the AOVPN tunnels, and unless the adapter is removed and reinstalled it stays persistent, e.g.

    Get-NetIPInterface | Where-Object InterfaceAlias -like "*Ethernet*" | Set-NetIPInterface -InterfaceMetric 40

    We do this for the adapters present; luckily we have a pretty uniform build, so I can appreciate it wouldn’t be suitable for everyone, but it does seem to be working for us.

    • Same thing only different. 😉 Yes, if you use Set-NetIpInterface for a physical adapter it is persistent. It is not persistent for virtual adapters like VPN interfaces, however.

  2. Steve Prentice, September 26, 2023

    Nice article! Also (and I’ve not tried it yet), if you’re using the VPNv2 CSP and doing a custom XML profile, then you can specify the metric of routes there; I didn’t spot that until recently. I’ve asked MS to include that in the VPN template so you can set it in the Intune GUI as well. I guess the more people that ask, the quicker it might turn up, because that’d be really helpful.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenameroutelistrouterowidmetric

    • Thanks, Steve! To be clear, though, the article is talking specifically about interface metrics, not route metrics. Configuring route metrics is important when you have overlapping routes. 🙂

      • Steve Prentice, September 26, 2023

        Argh, great point! Drat, not the easy fix I was hoping for then; will have to keep relying on remediation scripts. 🙂

  3. Ed Morgan, October 23, 2023

    This is still causing us problems for machines using docking stations or a direct Ethernet connection. The AOVPN tunnel is simply not picking up the metric defined in the RAS phone book.
    We’re getting a metric of 25 or 35, the same as the IPv6 Ethernet adapter, which takes priority with DNS lookups, giving improper results.
    Anyone got any ideas?
    This is on Windows 10 and Windows 11.

    • Usually setting this in rasphone.pbk works without issue. If this is for the device tunnel, or if the user tunnel is deployed in the ‘all users’ context, then you need to make sure you are updating the correct location of the file. Also, in either case rasphone.pbk is copied to the _hidden folder in the user’s context. You may need to delete that file to force Windows to copy the new file over.

      • Ronald Popken, March 19, 2025

        Hello Richard,

        We experience the same problem as Ed Morgan. Our AOVPN keeps the same metric (in our case, 25). Even though we run the remediation scripts, after a restart of the device the VPN gets the metric 25 instead of 3 again, as we have set it through your scripts. We also see that these values are copied into the rasphone.pbk file, but here too, after a restart these values are back to 0 and the metric is 25. We have also deleted the rasphone.pbk file under the user profile %userprofile%\appdata\microsoft\connections. Do you still have some advice? Regards, Ronald Popken

      • This could be related to a known issue with Windows 11 and Intune when using the custom XML template. What might be happening is that the VPN profiles are being replaced on each device sync even though no changes to the policy have been made. You can confirm this by running the following PowerShell command, then issue a device sync and run the command again and compare the two GUIDs.

        (Get-VpnConnection -Name '<name of vpn profile>').Guid

        Let me know what you find!

      • Ronald Popken, March 21, 2025

        Hello Richard,

        If we follow your instructions, we do indeed see two different GUIDs on the AOVPN connection after a new sync of the device from Intune. What can you advise?

        Regards,

      • You will need to reconfigure your XML configuration file using exactly the same order and syntax as Intune expects to see. Have a look at the “XML” section of this post for more details.

        https://directaccess.richardhicks.com/2023/10/09/always-on-vpn-disconnects-in-windows-11/
