Windows 10/11 uses the most simplified graphical interface for setting up VPN connections. To set specific settings for a VPN connection, you have to use both the classic VPN connection settings interface in the control panel and the modern network settings application in the Options panel (command ms-settings:network-vpn for quick access to settings). In this article, we'll take a look at the specifics of managing VPN connections in Windows using PowerShell: we'll look at how to create/edit/delete a VPN connection and connect/disconnect to a VPN server.
To create a new VPN connection on Windows, use the Add-VpnConnection cmdlet . In the simplest case, to create a new VPN connection, you need to specify its name and VPN server address.
Add-VpnConnection -Name "WorkVPN" -ServerAddress "vpn.site.io” -PassThru
To set custom settings for a VPN connection, use the following options (the most common ones):
- TunnelType – VPN tunnel type. The following options are available:
Automatic – Windows itself tries to determine the type of VPN tunnel
IKEv2 – Internet Key Exchange
PPTP – Point to Point Tunneling Protocol
L2TP – Layer 2 Tunneling Protocol /IPsec with certificate or pre-share key
SSTP – Secure Socket Tunneling Protocol
- L2TPPsk – pre-shared key for authentication (L2TP only). If this parameter is not specified, a certificate is used for L2TP authentication;
- AuthenticationMethod – type of authentication. It is possible to use: Pap, Chap, MSChapv2, Eap, MachineCertificate;
- EncryptionLevel – encryption settings ( NoEncryption, Optional, Required, Maximum, Custom );
- SplitTunneling – whether all computer traffic should be wrapped in a VPN tunnel (similar to the option Use default gateway on remote network in the settings of the VPN adapter parameter);
- UseWinlogonCredential – use the credentials of the current user to authenticate on the VPN server;
- AllUserConnection – allow to use VPN connection for all computer users;
- RememberCredential – allow to save VPN connection credentials (the account and password are saved in the Windows Credential Manager after the first successful connection);
- PassThru – parameter allows you to display the results of the command (we recommend using it in all commands).
Below are some examples of PowerShell commands for creating different types of VPN connections.
- L2TP/IPsec:
Add-VpnConnection -Name "WorkVPN_L2TP" -ServerAddress "vpn.site.io" -TunnelType L2TP -L2tpPsk "str0ngSharedKey2" -Force -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -UseWinlogonCredential -RememberCredential -AllUserConnection –PassThru
- PPTP:
Add-VpnConnection -Name "WorkVPN_PPTP" -ServerAddress "vpn.winitpro.ru" TunnelType "PPTP" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -SplitTunneling -PassThru
- SSTP: you must first import the root CA VPN server into the certificate store of the computer, and use the FQDN of the VPN server specified in the certificate (CN - Common Name, or Subject Alternative Name) as the address
Add-VpnConnection -Name "WorkVPN_SSTP" -ServerAddress "vpn.winitpro.ru" -TunnelType "SSTP" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -RememberCredential -SplitTunneling -PassThru
When using self-signed certificates, you can add multiple names to the certificate using PowerShell.
- IKEv2: you need to import the root CA into the Windows Trusted Root Certificate store first, and the computer certificate into personal certificates:
Import-PfxCertificate -FilePath $comp_certificate -CertStoreLocation Cert:\LocalMachine\My\ -Password $password
Import-Certificate -FilePath $ca_cert -CertStoreLocation Cert:\LocalMachine\Root\
Add-VpnConnection -Name "WorkVPN_IKEv2" -ServerAddress "vpn.winitpro.ru" -TunnelType Ikev2 -EncryptionLevel "Maximum" -AuthenticationMethod MachineCertificate -SplitTunneling $True -PassThru
Connections available to all users (created with the option AllUserConnection ) are displayed in the network control panel, and Owner is set to System . The user's connection will have domain\username.
Shared VPN connections are saved to a text file %ProgramData%\Microsoft\Network\connections\Pbk\rasphone.pbk.
To change the parameters of an existing VPN connection, use the Set-VpnConnection command:
Set-VpnConnection -Name "WorkVPN_SSTP" –splittunneling $false –PassThru
If you need to change the IPsec settings for an existing VPN connection, use the Set-VpnConnectionIpsecConfiguration cmdlet (IKEv2 and L2TP VPN only)
Set-VpnConnectionIPsecConfiguration -ConnectionName "WorkVPN_IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 –PassThru
You can use the VPNCredentialsHelper module to force saving the name and password for a VPN connection.
Install the module on your computer from the PowerShellGallery (you can also install the PowerShell module offline):
Install-Module -Name VPNCredentialsHelper
After that, you can save a specific name and password for your VPN connection in Windows Credential Manager:
$user = "vpnusername"In modern versions of Windows, you can dynamically add routes to the routing table when you connect to a VPN.
$plainpass = "vpn_password"
Set-VpnConnectionUsernamePassword -connectionname "WorkVPN_SSTP" -username $user -password $plainpass
Add-VpnConnectionRoute -ConnectionName "workVPN" -DestinationPrefix 192.168.111.0/24 –PassThruSuch a route will be activated only after a successful connection to the VPN server.
List all VPN connections available to the user:
Get-VpnConnection
To remove a VPN connection, run:
Remove-VpnConnection -Name "WorkVPN_SSTP"
To connect to a VPN server with a previously configured VPN profile, run:
rasdial "WorkVPN_SSTP"
Display the status of all VPN connections:
Get-Vpnconnection | Select Name, Connectionstatus
Creating a VPN Connection with PowerShell: