Always On VPN DPC Open Source

Recently, I wrote about the demise of PowerON Platforms, the company behind the popular Always On VPN Dynamic Profile Configurator (DPC) software that allows administrators to deploy and manage Always On VPN client configuration settings using Active Directory Group Policy or Microsoft Intune with custom ADMX/ADML. Initially, the future of DPC was uncertain. However, I’m happy to announce that DPC will continue to be developed.

We’re on Discord! Join the conversation: https://discord.aovpndpc.com/.

DPC Open Source

The lead developer of DPC and my good friend Leo D’Arcy retained the source code for the product and has been working diligently to decommercialize the software. That work has been completed, and Always On VPN DPC is now available via open source. You can find the source code for DPC on GitHub here.

DPC Features

This initial open-source release (version 5.0.0) contains no significant new features or functionality. Most of the development efforts focused on removing references to PowerON Platforms (registry paths, binary names, etc.).

Support

Today, DPC support is community-based. You can report issues on the GitHub issues page for DPC. In addition, you can ask questions about DPC on Discord in the Microsoft Remote Access UG. Leo and I will monitor the group closely and answer any questions you might have there.

Deployment

If you’re not a DPC user today, I encourage you to have a look at its impressive feature set. Not only does DPC make Always On VPN deployment and management easier, but it also includes many advanced capabilities that will make connections more stable and reliable. Here are some links to articles outlining some of those advanced features.

Migration

If you already have a previous commercial release of Always On VPN DPC deployed, migrating to the new open-source DPC is straightforward. You will find guidance for migrating your existing DPC configuration here.

Contribute

Now that DPC is open source, we encourage everyone to contribute. If you have development skills, feel free to help. If you have feedback or feature requests, don’t hesitate to submit them!

Learn More

Are you interested in learning more about Always On VPN DPC? Would you like a personal demonstration of DPC’s features and capabilities? Do you need help migrating from a previous release to the new open-source software? Fill out the form below and I’ll contact you with more information.

Additional Information

Always On VPN DPC Open Source on GitHub

PowerON Platforms Are No More

Always On VPN Disconnects in Windows 11

Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or Dynamic Profile Configurator (DPC) do not experience this problem.

Troubleshooting

Administrators troubleshooting this issue will find the root cause is associated with the Always On VPN profiles being removed and replaced each time the device syncs with Intune. This occurs even if there are no changes to the configuration. Removing and replacing the Always On VPN profiles on each device sync is unnecessary, of course, but is also highly disruptive to connected users.

Intune and XML

The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported the issue persists with some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using Intune and the native VPN device configuration profile template, the problem still occurs when using the Custom device configuration template.

Workaround

Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.

Native VPN Template

When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.

Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.

XML

If you must use XML, I’ve had some success by ensuring the order and syntax of XML settings is exactly as Intune expects. Follow the steps below to confirm the XML settings order in your XML configuration file.

  1. Deploy your XML file with Intune.
  2. Run Get-VpnClientProfileXML.ps1 to extract the deployed XML settings.
  3. Compare the order of settings to your existing XML.
  4. Compare the syntax of all settings. For example, the <Servers> section should list the server FQDN twice, separated by a semi-colon.
  5. Make changes to ensure all settings in your XML are in the same order as the extracted XML.
  6. Publish a new XML configuration file using Intune and test.

I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!

Reference XML

I have published an Always On VPN XML configuration file on GitHub for reference. It includes all common settings using the order and syntax required to ensure reliable operation. As a reminder, the sample file includes many settings that aren’t required. It is published as guidance for reference only.

Additional Information

Always On VPN Windows 11 Issues with Intune

Always On VPN PowerShell Script Issues in Windows 11

What’s New in Always On VPN DPC v3.0

Recently I wrote about a compelling solution from PowerON Platforms for managing Always On VPN client configuration setting using Active Directory group policy. Always On VPN Dynamic Profile Configurator (DPC) addresses a very specific need for managing Always On VPN for organizations that have not yet migrated to Microsoft Endpoint Manager/Intune. Recently, PowerON Platforms released an important update to DPC that includes many new features and capabilities.

New Features

Always On VPN DPC version 3.0 includes the following new functionality Always On VPN administrators are sure to find useful.

  • Traffic filters – Support for enabling traffic filters for both device tunnel and user tunnel are now supported in DPC, greatly simplifying the task of creating access control lists to enforce zero-trust network access (ZTNA) policies.
  • Enhanced security – The option to disconnect the VPN connection if the VPN server does not present a cryptobinding TLV is now enabled by default. This often-overlooked security setting ensures VPN client connections are not intercepted by detecting man-in-the-middle attacks.
  • Device tunnel enhancements – Administrators can now display the device tunnel connection and status in the Windows UI.
  • Backup connection – Always On VPN DPC now supports the configuration and deployment of a backup VPN connection, which is helpful when Always On VPN connectivity is disrupted.
  • Hostname routing – Administrators can now define hostnames in the routing table. Hostnames are resolved on the endpoint and converted to IP addresses for including in the routing table.
  • Smart card authentication – Always On VPN DPC now supports smart card authentication as an authentication option in addition to client authentication certificates.

Learn More

Interested in learning more about Always On VPN DPC? Fill out the form below and I’ll provide you with additional information or visit aovpndpc.com to sign up for a free trial.

Additional Information

Always On VPN with Active Directory Group Policy

Always On VPN Video Demonstration

Always On VPN DPC Advanced Features

Always On VPN DPC on YouTube