All posts tagged Always On VPN

Always On VPN Class-Based Default Route and Intune

`Always On VPN Class-Based Default Route and IntuneIn a recent post, I described how to configure routing for Windows 10 Always On VPN clients. In that article, I shared guidance for disabling the class-based default route in favor of defining specific routes for the VPN client. While this is easy enough to do when you use custom XML (deployed via PowerShell, SCCM, or Intune), there is a known limitation when using the native Intune UI that could present some challenges.

Updated 11/9/2024 to include update information for a workaround using Intune Remediation.

Intune VPN Profile Configuration

Defining specific routes is easy to do in Intune using the native VPN configuration profile. In the Configuration settings expand Split Tunneling and click Enable. The administrator can then add routes by entering their Destination prefix and Prefix size, as shown here.

Always On VPN Class-Based Default Route and Intune

Class-Based Default Route

The limitation with using Intune to configure routes is that there is currently no option to disable the class-based default route as there is with custom XML. This means the routes shown in the example above will be added to the client, but the class-based route will also be added automatically, as shown here (class-based default route highlighted with the arrow).

Always On VPN Class-Based Default Route and Intune

Considerations

In most cases, the inclusion of the class-based default route along with the administrator-defined routes will not be a problem. However, in some scenarios, it could yield unexpected results. Specifically, Always On VPN clients may have unintended access to some networks over the VPN tunnel. This is most significant for the Always On VPN device tunnel, where it is common to limit access to only specific resources using individual host routes.

Workaround

As a workaround, administrators can use Intune Remediations to disable the class-based default route post-deployment. Sample detection and remediation scripts for the user and device tunnel can be found here.

https://github.com/richardhicks/endpointmanager/blob/main/Detect-DeviceDisableClassBasedDefaultRoute.ps1

https://github.com/richardhicks/endpointmanager/blob/main/Remediate-DeviceDisableClassBasedDefaultRoute.ps1

https://github.com/richardhicks/endpointmanager/blob/main/Detect-UserDisableClassBasedDefaultRoute.ps1

https://github.com/richardhicks/endpointmanager/blob/main/Remediate-UserDisableClassBasedDefaultRoute.ps1

Additional Information

Deploying Windows 10 Always On VPN with Intune and Custom XML

Deploying Windows 10 Always On VPN Device Tunnel with Intune and Custom XML

Windows 10 Always On VPN Routing Configuration

Windows 10 Always On VPN Device Tunnel Operation and Best Practices

5 Comments
by Richard M. Hicks on March 4, 2021  •  Permalink
Posted in Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, InTune, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobility, Operational Support, PowerShell, public cloud, Remote Access, split tunnel, split tunneling, user tunnel, VPN, Windows 10
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 4, 2021

https://directaccess.richardhicks.com/2021/03/04/always-on-vpn-class-based-default-route-and-intune/

Always On VPN Windows Server RRAS Service Does Not Start

Always On VPN Windows Server RRAS Service Does Not StartAdministrators configuring a Windows Server Routing and Remote Access Service (RRAS) server to support Windows 10 Always On VPN connections may encounter an issue where the RemoteAccess service fails to start. Attempts to start the service might seem to work at first, but the service immediately stops again.

Troubleshooting

On the RRAS server, the Services management console (services.msc) or PowerShell Get-Service command shows the RemoteAccess service as being stopped. Attempts to start the service result in failure.

Always On VPN Windows Server RRAS Service Does Not Start

Event Log

Looking at the System event log on the RRAS server shows an error with event ID 7024 from the Service Control Manager source indicating “The Routing and Remote Access service terminated with the following service-specific error: A device attached to the system is not functioning.

Always On VPN Windows Server RRAS Service Does Not Start

Resolution

This issue is commonly caused when IPv6 is disabled on the server via the registry. To verify, open the registry editor on the RRAS server and navigate to the following location.

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

If the DisabledComponents value is present and set to anything other than 0, set it to 0 or simply delete the DisabledComponents value completely and reboot the server.

Always On VPN Windows Server RRAS Service Does Not Start

The following PowerShell command can be used to remove the DisabledComponents value.

Remove-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -Name DisabledComponents

Additional Information

IPv6 Recommended Reading for Always On VPN and DirectAccess Administrators

Guidance for Configuring IPv6 in Windows for Advanced Users (Microsoft)

5 Comments
by Richard M. Hicks on January 11, 2021  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, IPv6, PowerShell, Remote Access, routing and remote access service, RRAS, VPN, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 11, 2021

https://directaccess.richardhicks.com/2021/01/11/always-on-vpn-windows-server-rras-service-does-not-start/

Always On VPN Fails with Windows 10 2004 Build 610

Updated 11/10/2020: Microsoft update KB4586781 has resolved the connectivity issues described in this post. If you had previously installed update KB4580364, please update to KB4586781 immediately.

A recent preview update for Windows 10 2004 has broken Always On VPN. Specifically, after installing the latest Preview update for Windows 10 2004 (KB4580364), Always On VPN connections will fail to connect automatically. They can be established manually, however.

Affected Builds

This issue affects Windows 10 2004 with build 19041.610 and 19042.610.

Always On VPN Fails with Windows 10 2004

Workaround

The only workaround currently is to remove this update.

Caveat

Although this is a “preview” update and an optional installation, it is important to know that preview updates are released in the next “patch Tuesday” release. Administrators are advised to carefully consider delaying the implementation until additional testing has been completed.

Additional Information

October 29, 2020 – KB4580364 (OS Builds 19041.610 and 19042.610) Preview Update

Windows 10 Always On VPN Updates for Windows 10 2004

16 Comments
by Richard M. Hicks on November 9, 2020  •  Permalink
Posted in Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, Remote Access, Update, user tunnel, VPN, Windows 10
Tagged , , , , , , , , ,

Posted by Richard M. Hicks on November 9, 2020

https://directaccess.richardhicks.com/2020/11/09/always-on-vpn-fails-with-windows-10-2004-build-610/

« Older Posts
Newer Posts »