Windows Networking

Set up a VPN using Windows built-in client

Practical Windows guide: set up a VPN using Windows built-in client without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026
Windows library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Configure a VPN connection using Windows built-in client for L2TP/IPsec, IKEv2, or PPTP (where still supported) without third-party VPN software.

1) Add a VPN connection in Settings

  1. Open Settings → Network & internet → VPN → Add VPN.
  2. Enter a connection name, VPN provider Windows (built-in), server name or address from your VPN admin.
  3. Choose VPN type: IKEv2 (recommended), L2TP/IPsec, or PPTP (legacy, avoid if possible).
  4. Enter username and password or choose certificate-based auth if your organisation requires it.

2) Connect and verify

  1. Click the VPN entry and choose Connect.
  2. Check assigned IP: ipconfig in Command Prompt — look for a PPP or TAP adapter with a new address.
  3. Confirm split tunnel vs full tunnel with your IT team (whether all traffic or only corporate subnets route through VPN).

3) Create via PowerShell (scriptable)

Add-VpnConnection -Name "Work VPN" -ServerAddress "vpn.example.com" -TunnelType "Ikev2" -AuthenticationMethod EAP -EncryptionLevel Required -RememberCredential

4) Troubleshoot common failures

  1. Error 809 (IKEv2): ensure UDP 500 and 4500 are allowed on the firewall/router.
  2. L2TP: install the correct pre-shared key under VPN adapter Properties → Security → Advanced settings.
  3. Run Settings → Network & internet → Advanced network settings → Network reset only as a last resort — it removes all VPN profiles.

5) Split tunneling (Windows 11)

  1. Settings → Network & internet → VPN → [connection] → Advanced options.
  2. Add routes or use vendor profile if built-in client lacks split tunnel UI — some orgs deploy XML profiles via Intune.

6) Export VPN profile

Get-VpnConnection | Export-Clixml "$env:USERPROFILE\Desktop\vpn-backup.xml"

7) Always-on VPN (Pro/Enterprise)

  1. Configured via Intune or PowerShell VPNv2 CSP — auto-connect before user logon for corporate laptops.
  2. Home users typically use manual connect from Settings tray icon.

8) Certificate-based VPN

  1. Import machine cert to Local Computer store via certlm.msc for IKEv2 cert auth.
  2. Match EKU for client authentication — wrong cert type fails with opaque error 789.
  3. Enterprise profiles often deploy via rasphone.pbk or Intune VPN profile — manual setup mirrors same fields.

Verification checklist

Disconnect VPN and confirm public IP returns. Reconnect and verify internal DNS resolves intranet hostnames — split tunnel misconfig shows connected but no internal access.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Related guides

built setup vpn windows

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Networking
Windows Firewall: inbound vs outbound rules
Practical Windows guide: windows Firewall: inbound vs outbound rules without the usual guesswork.
Read guide
Networking
Fix network printer not found
Practical Windows guide: fix network printer not found without the usual guesswork.
Read guide