What is Always On VPN?

In recent years, many businesses and organisations have moved to remote workforces, and with this shift comes a demand for reliable and secure VPN solutions.

These services give people working remotely a secure, authenticated connection, allowing them to work effectively from any location while keeping sensitive information private.

What is an Always On VPN?

Always On VPN is a type of virtual private network built around an “Always On” capability for remote workers. It uses the built-in VPN client in the Windows 10 operating system to offer seamless, transparent and continuous remote access for employees working remotely.

The idea is to maintain a VPN connection that stays up even when the user is not active, so that remote workers can connect to their corporate network and access company resources, applications and data securely, without needing a separate VPN client.

Always On VPN is flexible and can work with various VPN devices. It provides the following benefits:

  • Enables the integration of Windows operating systems and third-party solutions to create advanced scenarios.
  • Maintains network security by limiting connections based on traffic types, applications, and authentication methods.
  • Allows auto-triggering for connections authenticated by users and devices.
  • Grants control over the network through the creation of granular routing policies.
  • Enables VPN configuration using a standard XML profile (ProfileXML) defined by an industry-standard configuration template.

How Does an Always On VPN Work?

Always On VPN takes advantage of existing VPN infrastructure and supports commonly used VPN protocols. When working with Always On VPN, two primary protocols are recommended for optimal functionality: IKEv2 and SSTP.

It uses Windows 10’s built-in VPN client and the Internet Key Exchange version 2 (IKEv2) protocol. IKEv2 is a reliable and secure protocol with robust authentication and encryption standards, making it a sound choice for Always On VPN.

  • When a user connects to the corporate network through Always On VPN, their device establishes a secure connection to the VPN server using IKEv2.
  • The VPN server authenticates the user and encrypts their traffic, which is then transmitted securely over the internet to the company network.
  • This connection remains operative even when the user’s device is idle, ensuring that they can access resources of their company instantly as required.

Further, Always On VPN uses two types of tunnels, device tunnels and user tunnels, to provide secure remote access.

User Tunnel: The User Tunnel is established when a user logs into a computer. It is used to provide access to file shares or applications. Below is an overview of the connection process for an Always On VPN user tunnel:

  1. The VPN client sends a connection request to the VPN server's external IP address.
  2. The firewall passes the request to the VPN server's external interface.
  3. The VPN server sends the request to the RADIUS server, passing through the internal firewall.
  4. The RADIUS server authenticates the connection request.
  5. The RADIUS server responds with an accept or deny response to the VPN server.
  6. The VPN server allows or denies the connection request based on the RADIUS server's response.

Device Tunnel: The Device Tunnel is established as soon as a computer is powered on and connected to the internet, without requiring a user to log in. It is used for accessing Active Directory or management servers like Configuration Manager.

Below is an overview of the connection process for an Always On VPN device tunnel:

  1. The VPN client sends a connection request to the VPN server's external IP address.
  2. The firewall forwards the request to the VPN server's external interface.
  3. The VPN server verifies the client's computer authentication certificate and allows or denies the connection request.

Note: The device tunnel doesn't use RADIUS for authentication. The VPN server handles the authentication, which means advanced features like conditional access and multi-factor authentication are not available for device tunnels.

What are the Benefits of Always On VPN Technology?

  1. Advanced Integration

Always On VPN offers smooth integration with the Windows operating system and third-party solutions. It stands out as a versatile platform for various advanced connection scenarios.

Always On VPN supports modern authentication methods such as Windows Hello, Multi-Factor Authentication (MFA), Azure AD integration, Azure conditional access, and management through Mobile Device Management (MDM).

  2. Better Security

Always On VPN introduces advanced security features that allow administrators to control traffic types, specify which applications can use the VPN connection, and choose authentication methods for initiating the connection.

Thanks to the industry-standard IKEv2 protocol, it offers better security and performance than DirectAccess.

  3. Seamless VPN Connectivity

Prior to Always On VPN, automatically setting up a VPN connection through user or device authentication was not feasible.

Always On VPN ensures a seamless and uninterrupted VPN connection. It allows users to access corporate resources securely, whether they are working remotely or switching networks.

  4. Improved Networking Control

Always On VPN empowers administrators to define routing policies at a more detailed level, including specific applications.

This is particularly useful for line-of-business (LOB) applications that require specialised remote access. It also supports both IPv4 and IPv6, without being dependent on IPv6 like DirectAccess.

  5. Flexible Configuration and Compatibility

Always On VPN offers multiple deployment and management options, providing advantages over other VPN client software like DirectAccess. It offers easier portability and reduces complexity as it doesn't require Network Location Server (NLS) or Active Directory dependencies.

What Type of Security Does Always On VPN Provide?

Always On VPN offers several security features that contribute to a robust and protected VPN experience. Its main security features include:

  • Dynamic Split Tunneling: Allows you to define specific applications or traffic that should be routed through the VPN, while allowing other traffic to bypass the VPN. This ensures that sensitive data is transmitted securely while maintaining optimal network performance.
  • Endpoint Compliance: Enables administrators to enforce compliance requirements on connected devices before granting access to the VPN. This ensures that only secure and compliant devices can establish a connection.
  • Network Access Protection (NAP) Integration: Integrates with the Network Access Protection feature in Windows Server to assess the health and compliance of connecting devices. Devices that do not meet the defined criteria can be denied access, preventing potential security risks.
  • Certificate Revocation List (CRL) Checking: Allows the verification of certificate revocation status, ensuring that revoked or compromised certificates are not accepted for VPN authentication. This adds an extra layer of protection against unauthorised access.
  • Advanced Encryption: Always On VPN supports strong encryption algorithms, including AES (Advanced Encryption Standard) with 256-bit keys, ensuring that data transmitted over the VPN remains secure and confidential.
  • Advanced Authentication Methods: In addition to machine certificate authentication, Always On VPN supports a wide range of authentication methods, such as smart cards, One-Time Passwords (OTP), and Azure Active Directory (Azure AD) integration, providing flexibility and enhanced security.

Features and Capabilities of Always On VPN: A Tabular Representation

The demand for VPNs has surged alongside the growing trend of remote work. Organisations must now prioritise security since VPNs can be targeted by cyberattacks.

Always On VPN addresses this concern by enabling network administrators to enforce consistent configurations. It ensures that devices and machines maintain optimal security levels. Here are the key features commonly offered by Always On VPN:

  • Industry-standard IKEv2 VPN protocol support: Always On VPN uses the widely used IKEv2 protocol for secure and reliable VPN connections.
  • Interoperability with third-party IKEv2 VPN gateways: Always On VPN can work with VPN gateways from different vendors that support the IKEv2 protocol.
  • Trusted network detection: Prevents the VPN connection from being activated when a user is already connected to a trusted network within the organisation.
  • Support for machine certificate authentication: Always On VPN enables the use of machine or computer certificates for authentication, adding an extra layer of security.
  • Traffic and app filters: Allows administrators to define the security policies that control which traffic and applications are permitted to use the VPN connection.
  • VPN conditional access: Provides the ability to enforce specific conditions and device compliance requirements before allowing VPN connections.
  • Limiting remote access to specific users and devices: Allows granular control over VPN access by using security groups and RADIUS authentication.
  • Name resolution of corporate resources: Allows the resolution of short names, fully qualified domain names (FQDNs) and DNS suffixes for corporate resources through the VPN connection.
  • Native Extensible Authentication Protocol (EAP) support: Supports a wide range of authentication methods, such as username and password, smart card, user certificates and Windows Hello for Business.
  • Per-app VPN: Restricts VPN connectivity to specific applications, ensuring that only designated apps can access corporate resources through the VPN.
  • Dual-stack support for IPv4 and IPv6: Enables Always On VPN to work seamlessly in environments that use both IPv4 and IPv6.
  • Application-specific routing policies: Provides the ability to control routing behaviour on a per-application basis, allowing fine-grained control over which apps use the VPN tunnel.
  • Secure remote access: Creates secure and encrypted connections to access company resources from anywhere, ensuring data privacy and protection.
  • High availability features: Offers server resilience, load balancing and geographic site resilience options to ensure robust and reliable VPN connectivity in various deployment scenarios.

Source: Microsoft

Requirements to Deploy Always On VPN

Always On VPN can be configured as a remote-access or business VPN, enabling remote employees to securely access their company's intranet from anywhere in the world, whether from home or from their personal computers or mobile phones. Below are the prerequisites to deploy Always On VPN:

  • Domain Controllers: These servers manage the Active Directory domain and provide authentication and authorisation services for user and computer accounts.
  • Public Key Infrastructure (PKI): This is a system that manages the verification of digital certificates to ensure secure communication and authentication in a network.
  • DNS Servers: They resolve domain names to IP addresses, enabling clients to locate resources on the network.
  • Network Policy Server (NPS): NPS is a RADIUS server that handles authentication, authorisation, and accounting for remote access connections.
  • Certificate Authority Server (CA): It issues and manages digital certificates used for secure communication and authentication within the network.
  • Routing and Remote Access Server (RRAS): RRAS enables remote connectivity by providing routing, VPN, and NAT (Network Address Translation) services for remote employees accessing the organisation's network resources.

How to Deploy Always On VPN in Your Organisation?

There are two ways to deploy Always On VPN technology. The first scenario is using Always On VPN alone, and the second scenario is combining Always On VPN with VPN connectivity through Active Directory access.

Step 1: Set up security groups in Active Directory (AD)

Create security groups in AD for the VPN servers and VPN users and add the relevant accounts to them. This helps organise and manage access control.

Step 2: Implement a Public Key Infrastructure (PKI) solution

Many organisations use Active Directory Certificate Services (AD CS) for PKI. You must properly plan your PKI implementation and consider other PKI solutions if they better suit your needs.

Step 3: Create and publish certificate templates

Create three certificate templates: one for VPN users, one for the Network Policy Server (NPS), and one for the VPN server itself. These templates define the specific information and requirements for each certificate type.

Step 4: Use Group Policy to auto-enrol certificates

Use Group Policy to configure security policies for certificates and automatically provision them to devices, workstations, and other relevant entities. This streamlines the certificate enrollment process.

Step 5: Install Network Policy Server (NPS)

You need an authentication server for Always On VPN, and NPS is commonly used as a RADIUS server. However, you can configure other third-party RADIUS servers if desired.

Step 6: Set up Remote Access Service (RAS)

RAS, or its successor Routing and Remote Access Service (RRAS), enables remote users to connect to networks. Configure RAS to support Always On VPN connections.

Step 7: Configure your Windows 10 machines

Ensure the client devices running Windows 10 have the necessary configurations for Always On VPN. This includes deploying the appropriate VPN settings, such as VPN profiles, via Group Policy or other management tools.

Step 8: Deploy settings

Once all the necessary components are set up and configured, deploy the VPN settings and profiles to your client devices. This ensures they are ready to establish secure Always On VPN connections.
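The device-tunnel flow described earlier and the client-side configuration in Steps 7 and 8 come together in a single script. What follows is an added example, not code from this article or from Microsoft: it generates a device-tunnel ProfileXML (IKEv2, machine-certificate authentication, split tunnel restricted to one internal subnet) and installs it through the VPNv2 CSP WMI bridge. It assumes placeholder values for the VPN server name and the internal subnet, and that the client is Windows 10 Enterprise with a computer certificate already enrolled (Step 4).

```powershell
# Added example, not code from the article or from Microsoft: builds a device-tunnel
# ProfileXML (IKEv2, machine certificate, split tunnel limited to one subnet) and
# installs it through the VPNv2 CSP WMI bridge. Run as SYSTEM on the Windows 10 client.
# Server name and subnet are placeholders.

function New-AovpnDeviceTunnelXml {
    param([string] $VpnServer, [string] $InternalSubnet, [int] $PrefixSize)
    # MachineMethod=Certificate: the VPN server validates the computer certificate
    # itself, no RADIUS, matching the device-tunnel flow described above.
    # DisableClassBasedDefaultRoute plus one explicit Route keeps a pre-logon device
    # limited to the subnet that holds AD and management servers.
    @"
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>$InternalSubnet</Address>
    <PrefixSize>$PrefixSize</PrefixSize>
  </Route>
</VPNProfile>
"@
}

function Install-AovpnProfile {
    param([string] $ProfileName, [string] $ProfileXml)
    # The CSP stores the XML escaped and the profile name URL-encoded.
    $escaped = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
    $ns = 'root\cimv2\mdm\dmmap'
    $inst = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $ns
    foreach ($p in @(@('ParentID', './Vendor/MSFT/VPNv2', 'Key'),
                     @('InstanceID', ($ProfileName -replace ' ', '%20'), 'Key'),
                     @('ProfileXML', $escaped, 'Property'))) {
        $inst.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
    }
    (New-CimSession).CreateInstance($ns, $inst)
}

$xml = New-AovpnDeviceTunnelXml -VpnServer 'vpn.example.com' -InternalSubnet '10.0.0.0' -PrefixSize 8
Install-AovpnProfile -ProfileName 'Example Device Tunnel' -ProfileXml $xml
```

After the profile is installed, Get-VpnConnection -AllUserConnection lists it, and the tunnel comes up at boot without a user logging in.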

How Can InstaSafe Help?

With all the impressive capabilities and unique features that VPNs offer, you might question why you would consider using any other solution. The primary reason is also the most straightforward: security concerns.

Traditional VPN gateways advertise their presence on the internet, making them vulnerable to simple scanning tools used by potential attackers. This means that information about the VPN gateway can be easily discovered, posing a security risk.

Various modern alternatives compete with VPNs in a world full of remote access solutions. One such alternative is InstaSafe VPN Alternative, which embraces the concept of Zero Trust Network Access.

This contemporary security framework addresses the limitations of traditional secure perimeter approaches. Zero Trust stands by the principles of "Never trust, Always Verify" and incorporates them into a comprehensive secure access solution. To learn more about the capabilities of InstaSafe, including its approach to enhancing security, you can schedule a free demo session.
