Windows 10 Always On VPN supports both a user tunnel for corporate network access, and a device tunnel typically used to provide pre-logon network connectivity and to support manage out scenarios. The process of testing Always On VPN is often an iterative one involving trial and error testing to fine tune the configuration parameters to achieve the best experience. As a part of this process it will often be necessary to delete a connection at some point. For the user tunnel the process is simple and straightforward. Simply disconnect the session and delete the connection in the UI.
Deleting a device tunnel connection presents a unique challenge though. Specifically, there is no VPN connection in the UI to disconnect and remove. To delete an Always On VPN device tunnel, open an elevated PowerShell window and enter the following command.
Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force
If the device tunnel is connected when you try to remove it, you will receive the following error message.
The VPN connection [connection_name] cannot be removed from the global user connections. Cannot
delete a connection while it is connected.
The device tunnel must first be disconnected to resolve this issue. Enter the following command to disconnect the device tunnel.
rasdial.exe [connection_name] /disconnect
Remove the device tunnel connection using PowerShell once complete.
Additional Resources
Windows 10 Always On VPN Device Tunnel Step-by-Step Configuration using PowerShell
What’s The Difference Between DirectAccess and Always On VPN?
When configuring Windows 10 Always On VPN using the Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 and Extensible Authentication Protocol (EAP) authentication using client certificates, clients attempting to establish a VPN connection using Internet Key Exchange version 2 (IKEv2) may receive the following error.
