So the process of deploying an Always On VPN device tunnel using PowerShell is nearly identical to the process that we used for deploying the user tunnel, with a couple of exceptions. First, we do need another XML configuration file, because the XML configuration file for the device tunnel is slightly different. So let's take a quick look at that.

(Working) So, once again, you can find a template file for this on my website at github.com/richardhicks in the aovpn repository, but you can see here that this is a DeviceTunnel connection, and the XML stipulates that, right? So I have DeviceTunnel set to true. This tells Windows that this is going to be a device-based connection. It is AlwaysOn, and I have added my DnsSuffix. In this case, I actually selected the RegisterDNS option. You can do this on the user tunnel in XML by adding this directive, or this command or element, whatever you want to call it, but fundamentally we only want to do this on the device tunnel when we're using both device and user connections. So here I've selected to register my IP address in the internal DNS. I have my TrustedNetworkDetection, I've defined my VPN servers, and the native protocol for a device tunnel is IKEv2.
This is the only supported protocol for the device tunnel, so you can only use IKEv2 here. The Authentication method is MachineMethod, and the MachineMethod, specifically, is a Certificate. Also remember that we defined custom cryptography settings for IPsec on our VPN server. And when we set this up with Intune, we had a nice drop-down list where we could pull all of our values and settings there and align that with the server. Here we have to define that in this particular block of code, and all of the settings, of course, need to match those defined on the server, so use caution. Also, you will notice, and I'm going to call this out explicitly here, the syntax differs for this particular method. So if you're thinking GCMAES128 for the TransformConstants for both Authentication and Cipher is the same as the EncryptionMethod, no, the syntax changed a little bit there for some unknown reason, and you'll discover weird things like this using the VPNv2 CSP reference. So make sure that you look at that document and follow it to the letter. Anyway, so that's just an oddity for this particular setting.
We set our DHGroup and our PfsGroup and so forth, we have SplitTunneling enabled, disabled our ClassBasedDefaultRoute, and I defined a number of Routes. And since this is a device-based connection, once again, I'm using host routes because I just want to allow minimal access over the device tunnel, so these are all /32s. There are /128s, of course, for my IPv6 connections.

So, once that file has been configured, we need to, again, run the PowerShell command in the system context, and to do that we need a little bit of help. So we actually need to go out and download a tool, one of the Sysinternals tools from the PsTools suite. Enter psexec in your favorite search engine, you should get the Windows Sysinternals reference, so click on that. And once you get there, we're going to download the PsTools here, so just click on the Download PsTools link, and then we'll click Open file. And here, minimize this, here what we want to do is just extract PsExec.exe to the desktop. That's fine, that's really the only one that we need.
So once that's done, we'll run PsExec with a couple of switches. We'll use the -i and -s switches, i for interactive, s for system, and we'll specify powershell as the executable to launch. I'm also going to include the -accepteula switch just to get rid of some of the noise; I don't have to accept their EULA, it'll just accept it for me if I do this. And once that's done, we now have a new PowerShell command window. So if we take a look at this, we can confirm that it actually is running as system by running whoami, and you'll see we're running as nt authority\system. So now I'm going to navigate back to the folder where my XML file is, and that's on the desktop for this particular user. And you'll see that my files are all there. So I'm going to go ahead and run the PowerShell command New-AovpnConnection, (Typing) and then I will specify the path to the XML configuration file for the device tunnel, and then I can also use the ProfileName switch here to use a custom profile name, but I'm just going to accept the defaults and use the default setting, which is just Always On VPN Device Tunnel.
Also I'm going to add the DeviceTunnel switch to tell the function to create this VPN connection as a device tunnel and deploy it in the system context. So there we have it. We've got an Always On VPN Device Tunnel connection. And now, let me show you something very interesting here: if we go to the notification area here, you will see that the device tunnel does not show up. That is by design. Don't be alarmed when you don't see it show up here. The device tunnel, by default, does not appear in this particular interface. It also does not show up in the VPN settings menu here, so you will not see it here either. You will, however, see it in the classic Control Panel. So this is the only place you see this. And again, this is by design. There is a registry hack, there is a way to basically add a registry key to get the device tunnel to appear in this menu. You still cannot interact with it as a user because it is running as system, but you can at least get the status. So that might be helpful for you. And you can find that information on my website.
If you go to directaccess.richardhicks.com, search for that, I'm sure you'll find it; or use your favorite search engine, either way.
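As an added example that is not part of the course or of the aovpn repository, the following PowerShell runs pre-flight checks on the device tunnel ProfileXML described above before the SYSTEM shell is opened: it confirms the DeviceTunnel, IKEv2, machine certificate and host-route settings, and flags an EncryptionMethod written in TransformConstants syntax. Element names follow the VPNv2 CSP ProfileXML schema; the file paths are assumptions.

```powershell
# Added example, not from the course or the aovpn repository. Pre-flight checks on a
# device tunnel ProfileXML before it is deployed under SYSTEM. Element names follow the
# VPNv2 CSP ProfileXML schema; the XML and PsExec paths at the bottom are assumptions.
function Test-DeviceTunnelProfileXml {
    param([Parameter(Mandatory)][string]$XmlPath)
    $xml = [xml](Get-Content -Path $XmlPath -Raw)
    $p = $xml.VPNProfile
    $n = $p.NativeProfile
    $findings = @()

    # A device tunnel is always IKEv2 with machine certificate authentication.
    if ($p.DeviceTunnel -ne 'true') { $findings += 'DeviceTunnel must be true' }
    if ($p.AlwaysOn -ne 'true') { $findings += 'AlwaysOn should be true' }
    if ($n.NativeProtocolType -ne 'IKEv2') { $findings += "NativeProtocolType is '$($n.NativeProtocolType)'; only IKEv2 is supported" }
    if ($n.Authentication.MachineMethod -ne 'Certificate') {
        $findings += 'Authentication/MachineMethod must be Certificate'
    }

    # Custom IPsec policy must be spelled out and must match the server. The CSP uses
    # different spellings for the transform constants (GCMAES128) and EncryptionMethod
    # (AES_GCM_128); copying one into the other is the oddity called out above.
    $cs = $n.CryptographySuite
    if (-not $cs) {
        $findings += 'CryptographySuite is missing; defaults will not match a custom server policy'
    } else {
        foreach ($e in 'AuthenticationTransformConstants', 'CipherTransformConstants', 'EncryptionMethod', 'IntegrityCheckMethod', 'DHGroup', 'PfsGroup') {
            if (-not $cs.$e) { $findings += "CryptographySuite/$e is missing" }
        }
        if ($cs.EncryptionMethod -like 'GCMAES*') {
            $findings += "EncryptionMethod '$($cs.EncryptionMethod)' uses TransformConstants syntax"
        }
    }

    # Minimal access over the device tunnel: host routes only, no class-based default route.
    if ($n.DisableClassBasedDefaultRoute -ne 'true') {
        $findings += 'DisableClassBasedDefaultRoute should be true'
    }
    foreach ($r in $p.Route) {   # iterates zero times when no Route element exists
        $want = if ($r.Address -match ':') { 128 } else { 32 }
        if ([int]$r.PrefixSize -ne $want) {
            $findings += "Route $($r.Address)/$($r.PrefixSize) is not a host route (/$want)"
        }
    }
    return $findings
}

# Validate first, then open the SYSTEM shell exactly as in the walkthrough (paths assumed).
$findings = Test-DeviceTunnelProfileXml -XmlPath "$env:USERPROFILE\Desktop\ProfileXML_Device.xml"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { & "$env:USERPROFILE\Desktop\PsExec.exe" -accepteula -i -s powershell.exe }
```

Run it from the user's normal session; when it reports no findings it launches PsExec as in the walkthrough, and New-AovpnConnection is then run from the SYSTEM window.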