Do you need to configure Azure VPN to connect automatically? Keeping a VPN always ON has many benefits, including the ability to set up a point-to-site connection for non-tech-savvy employees or a large company. The fact that all users reconnect if the connection drops or if they forget to connect can save businesses a lot of money and eradicate many security problems. The problem is that the VPN client only permits 25 connections at once and that the Azure VPN client on Microsoft Store doesn’t always offer this option. Thus, we must provide a workaround. Let’s show you how to auto connect to Azure VPN.
Why should I set Azure VPN to auto connect?
Here’s why you should configure Azure VPN to connect to the VPN server automatically:
1. Permanent protection
If Azure VPN always remains connected, the user’s activities and location will be routed inside a VPN tunnel and encrypted at all times. That protects the user from the dangers of cyberattacks and public Wi-Fi snooping, surveillance from the government, Internet Service Provider (ISP) monitoring, and more.
It also eradicates privacy problems such as revealing trade secrets and personal and company information, therefore facilitating a safe remote work environment.
2. Ease of use
If you set up the VPN to consistently connect in a point-to-site configuration, users won’t need to understand any settings, learn how to use software, or type any commands.
Simultaneously, you reduce the chance of human error due to inexperience. This lets network administrators protect technically-inclined and non-tech-savvy users alike.
3. Saving time
Once set up, the always-on VPN will continue running without any adjustments until the network is deactivated or the service stops. Consequently, managers and administrators don’t need to double-check if everyone is safely connected. Concurrently, workers don’t have to waste time performing manual connections and risk human error.
4. Saving money
A permanently enabled VPN solution can be deployed to all computers on the site once and never again unless there’s a problem, saving a lot of setup costs. Additionally, users don’t need to be trained in maintenance after the initial configuration.
Plus, an always-on VPN prevents them from leaking sensitive data and using the assigned machine for unintended purposes. At the same time, triggers such as screen activation, log-in action, and network state change save network resources.
1. How to set up auto connect in Azure VPN client
The easiest way of setting Azure VPN to always be on is to enable the option in the VPN client settings, but it only works on a P2S (point-to-site) VPN gateway with Active Directory authentication (AD). This means it only supports the OpenVPN security protocol on Windows 10 and 11.
Here are two steps to ensure Azure VPN connects automatically on Windows:
1. Install Azure VPN and configure a user profile
Here’s what to do to set up an Azure VPN user profile after installation:
- Download the Azure VPN client from Microsoft Store or via client install files on the Microsoft App Center.
- Install the client and confirm it can run in the background on Windows—this is essential.
- Generate a client profile from your VPN server if you haven’t, then download the azurevpnconfig.xml profile configuration file.
- Open Azure VPN, click the + icon in the bottom left corner, then select Import. You can also press Ctrl + I right away.
- Choose the .xml profile and click the Open button.
- Give the profile a name, then select Save.
- You can now connect to the VPN with the Connect button next to the profile name. The icon will turn green once you do.
2. Set up the Azure VPN connection and make it always ON
Now that you have a profile on the machine, it’s time to create a connection. Follow these instructions to add a connection for Azure VPN:
- Open Azure VPN if you closed it.
- Click the + icon again, but this time select Add. Alternatively, press Ctrl + N.
- Configure the VPN connection based on the VPN server settings, including the server’s IP address or hostname, username/password or pre-shared key, and so on. Ensure that OpenVPN is selected as the protocol.
- Click the Connect button, and enter the authentication credentials before clicking Continue. If you did everything right, you’ll see a green “Connected” icon.
- Disconnect and go back to the home page.
- Click VPN Settings under “Related System Settings”.
- When prompted to switch applications, select Yes.
- A default Windows VPN settings interface will open. Choose your Azure VPN connection.
- Put a checkmark in front of the “Connect automatically” option.
- Go back to Azure VPN and click the Connect button again. It should remain connected and connect automatically when the system reboots.
- If you encounter problems, check our “Azure VPN disconnects frequently” fix guide.
2. Use Windows PowerShell to auto connect to Azure VPN via automatic tunneling
The problem with the method above is that it doesn’t work on Mac or with any protocol except OpenVPN. While Mac users have to wait for another option, users of Windows 10 Enterprise or Education version 1809 can use the method below. They must also generate a user profile beforehand and resort to using the IKEv2 protocol.
Follow these instructions to configure an automatic connection in Azure VPN using Windows PowerShell:
1. Create a client device tunnel configuration for Azure VPN
If you have the Azure VPN certificate configured on the machine and set up your virtual network gateway, you need to create a client device tunnel file like this:
- Open Notepad or another text editor software.
- Paste the code below, then save it as devicecert.ps1. Make sure to put All Files under “Save as type:”.
Param(
    [string]$xmlFilePath,
    [string]$ProfileName
)

# Confirm the profile XML exists, then load it
$a = Test-Path $xmlFilePath
echo $a

$ProfileXML = Get-Content $xmlFilePath
echo $ProfileXML

# The profile name becomes part of a URI, so spaces must be escaped
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$Version = 201606090004

# Escape XML special characters so the profile can be stored as a string property
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

# MDM Bridge WMI class that exposes the VPNv2 configuration service provider
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"

$session = New-CimSession

try
{
    # Build the new VPNv2 instance: parent node, profile name, and the escaped profile XML
    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
    $newInstance.CimInstanceProperties.Add($property)

    $session.CreateInstance($namespaceName, $newInstance)
    $Message = "Created $ProfileName profile."
    Write-Host "$Message"
}
catch [Exception]
{
    $Message = "Unable to create $ProfileName profile: $_"
    Write-Host "$Message"
    exit
}

$Message = "Complete."
Write-Host "$Message"
2. Add a client profile and adjust it to your VPN settings
Now’s the time to create a VPN profile, which looks like this:
<VPNProfile>
  <NativeProfile>
    <Servers>VPN SERVER INFORMATION</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- use host routes(/32) to prevent routing conflicts -->
  <Route>
    <Address>XXXX.XXXX.XXXX.X</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <Route>
    <Address>XXXX.XXXX.XXXX.XXXX</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <!-- need to specify always on = true -->
  <AlwaysOn>true</AlwaysOn>
  <!-- new node to specify that this is a device tunnel -->
  <DeviceTunnel>true</DeviceTunnel>
  <!-- new node to register client IP address in DNS to enable manage out -->
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
Configure the following information before saving the file as VPNProfile.xml:
- <Servers>VPN SERVER INFORMATION</Servers> — Replace it with the hostname found in the VpnSettings.xml file for your Azure VPN client user profile
- <Address>XXXX.XXXX.XXXX.X</Address> and <Address>XXXX.XXXX.XXXX.XXXX</Address> — Replace both with the IP address of the resource within the VNet, or with the VNet address space
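A pre-flight check for the profile described above, as an added example that is not part of the original article or its script: it parses the profile XML and reports leftover placeholders and settings that differ from the template. The helper name Test-VpnProfileXml and the sample values (vpn.example.com, 10.0.0.4) are assumptions made for illustration.

```powershell
# Added example, not from the article: Test-VpnProfileXml is a hypothetical helper name.
function Test-VpnProfileXml {
    param([Parameter(Mandatory)][string]$Xml)
    try { $vpn = ([xml]$Xml).VPNProfile } catch { return "Not well-formed XML: $_" }
    if (-not $vpn) { return 'Missing or empty <VPNProfile> root element.' }

    $native = $vpn.NativeProfile
    if (-not $native.Servers -or $native.Servers -eq 'VPN SERVER INFORMATION') {
        '<Servers> is empty or still the template placeholder.'
    }
    if ($native.NativeProtocolType -ne 'IKEv2') { '<NativeProtocolType> must be IKEv2.' }
    if ($native.Authentication.MachineMethod -ne 'Certificate') {
        '<MachineMethod> must be Certificate.'
    }
    foreach ($flag in 'AlwaysOn', 'DeviceTunnel') {
        if ($vpn.$flag -ne 'true') { "<$flag> must be true." }
    }

    # @() plus the filter copes with zero, one or many <Route> elements
    $routes = @($vpn.Route | Where-Object { $_ })
    if (-not $routes.Count) { 'No <Route> entries found.' }
    foreach ($r in $routes) {
        $ip = $null; $prefix = 0
        $isV4 = ($r.Address -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                [System.Net.IPAddress]::TryParse($r.Address, [ref]$ip)
        if (-not $isV4) { "Route address '$($r.Address)' is not an IPv4 address." }
        if (-not ([int]::TryParse($r.PrefixSize, [ref]$prefix)) -or $prefix -lt 1 -or $prefix -gt 32) {
            "Route prefix '$($r.PrefixSize)' is not in 1..32."
        }
    }
}

# Constructed sample: the template with one route filled in and one left as a placeholder
$sample = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route><Address>10.0.0.4</Address><PrefixSize>32</PrefixSize></Route>
  <Route><Address>XXXX.XXXX.XXXX.XXXX</Address><PrefixSize>32</PrefixSize></Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
'@
$issues = @(Test-VpnProfileXml -Xml $sample)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Profile looks complete.' }
```

To check the real file instead of the sample, pass the output of `Get-Content -Raw .\VPNProfile.xml` as the -Xml argument before running devicecert.ps1.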
3. Use PowerShell to auto connect to Azure VPN after every boot
You now have all the necessary files for a VPN connection via IKEv2. Here’s how to set up auto connect for Azure VPN using Windows PowerShell:
- Place VPNProfile.xml in the same folder as devicecert.ps1.
- Download PsExec from Microsoft Sysinternals.
- Extract the PsExec package to C:\PSTools.
- Open Command Prompt as administrator, then launch PowerShell like this:
  - On Win 32-bit — PsExec.exe -s -i powershell
  - For Win 64-bit — PsExec64.exe -s -i powershell
- Use the cd command in PowerShell to go to the folder with the two files from step 1.
- Run this command: .\devicecert.ps1 .\VPNProfile.xml MachineCertTest
- Press the Windows key + R or open Run and type rasphone.
- Select MachineCertTest and click the Connect… button.
- If the VPN connection gets established, restart the machine, and the VPN should connect automatically.