How to create a VPN connection before logging in to Windows 10
I just thought I’d post a quick help guide for those struggling with remote sites that have no site-to-site VPN. If, for whatever reason, the site has no VPN, you can still get new users logged into the domain by connecting to the VPN before logon.
I’ve been looking after a site that has remote users and, because the remote office is shared with other companies, it is not possible to set up a site-to-site VPN. In the past, we have set up new computers at the head office, got the user to log in and then shipped the PC to site. Once on the remote site, they can log in and connect to the VPN to get access to the network shares. This is becoming more difficult as new users are starting at the remote location and need to log in for the first time from there.
It’s not obvious how to set up a VPN before the Windows login process, but I have found the answer.
You need to run the following command from an elevated PowerShell window (right-click, ‘Run as Administrator’). Substitute VPN_NAME with a name of your choice and VPN_SERVER_ADDRESS with the IP address or DNS name of your VPN server:
Add-VpnConnection -Name VPN_NAME -ServerAddress VPN_SERVER_ADDRESS -AllUserConnection:$true -SplitTunneling:$true -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru
If you want to use a specific type of VPN you can change the -TunnelType value,
e.g. -TunnelType "PPTP", or -TunnelType "L2TP" -L2tpPsk "PassKey" for L2TP with a pre-shared key.
Once you’ve run the add VPN script above, log off the PC. At the login screen, you will see a new network icon in the bottom right of the screen.
Click on that, and it will prompt for your VPN username and password.
I’m using Microsoft Routing and Remote Access for VPN access, which is linked to Active Directory. This means the user just has to put in their Windows username and password. This then connects the VPN and they get logged into Windows.
Please also note that you might need to add a registry value for L2TP if you have NAT on your routers.
Add a DWORD named AssumeUDPEncapsulationContextOnSendRule with a value of 2 if both devices are behind NAT firewalls, or a value of 1 if only one end is behind a NAT firewall.
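The steps above put together as one script. This is an added example, not code from the original post; the connection name, server address and pre-shared key are placeholders, and it uses L2TP with a pre-shared key rather than the Automatic tunnel type shown above, then applies the NAT-T registry value from the last step.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): create the all-user (pre-logon) VPN
# connection and apply the NAT-T registry value. All three string values are placeholders.
param(
    [string]$Name          = 'HeadOffice-VPN',      # placeholder
    [string]$ServerAddress = 'vpn.example.com',     # placeholder
    [string]$Psk           = 'REPLACE-WITH-PSK',    # placeholder
    [ValidateSet(0, 1, 2)]
    [int]$NatRule          = 2                      # 2 = both ends behind NAT, 1 = one end
)

# 1. Create the connection in the all-user phonebook so it appears on the logon screen.
#    Skip if a connection of that name already exists.
if (-not (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -AllUserConnection -SplitTunneling `
        -TunnelType L2tp -L2tpPsk $Psk `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required
}

# 2. NAT-T: let IPsec/L2TP negotiate through NAT. Documented location of this value.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $regPath -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value $NatRule -Force | Out-Null

# 3. Show what was configured so the result can be checked before logging off.
Get-VpnConnection -Name $Name -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling
(Get-ItemProperty -Path $regPath).AssumeUDPEncapsulationContextOnSendRule
```

PPTP with MS-CHAPv2 is widely regarded as broken, so prefer L2TP/IPsec, SSTP or IKEv2 where the RRAS server supports it. The registry value is only read when the IPsec service starts, so reboot after setting it.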
Let me know if this helps in the comments section below.