How to Set Up a VPN on Windows 11 Professional for Secure Remote Work
Remote working is now a permanent part of how many businesses operate, but working from home or a coffee shop introduces security risks that simply do not exist inside a physical office. When you connect to the internet from a public or home network, your traffic can be intercepted, your location can be logged, and your connection to company systems may not be encrypted end-to-end.
A Virtual Private Network (VPN) addresses these problems by creating an encrypted, authenticated tunnel between your device and either a company gateway or a VPN service, so that anyone on the local network or in the path sees only encrypted packets to one endpoint rather than your actual traffic. Windows 11 includes a built-in client for IKEv2, L2TP/IPsec, SSTP and PPTP, and this guide covers how to configure each type, from connecting to your organisation’s corporate VPN to setting up a third-party VPN service.
For business VPN connectivity and the Group Policy management options discussed later, Windows 11 Professional (£18.99 from GetRenewedTech) is the recommended edition.
Understanding VPN Types
Before setting up a VPN, it helps to understand the main protocols Windows 11 supports natively:
- IKEv2 (Internet Key Exchange version 2): The recommended protocol for most business VPNs. Particularly good for mobile users because it can reconnect automatically after a brief network interruption (such as moving between Wi-Fi and mobile data). Uses IPsec for encryption.
- L2TP/IPsec (Layer 2 Tunnelling Protocol with IPsec): Older but widely supported. Requires a pre-shared key or certificate. Slightly less efficient than IKEv2 but works with nearly every VPN server.
- SSTP (Secure Socket Tunnelling Protocol): Microsoft-developed protocol that runs over HTTPS (port 443), making it able to pass through nearly any firewall. Good for environments with strict outbound port filtering.
- PPTP (Point-to-Point Tunnelling Protocol): Legacy protocol with known security weaknesses; its MS-CHAPv2 authentication can be cracked offline and its MPPE (RC4) encryption is derived from those same credentials. Do not use PPTP for any sensitive connection. It is included in Windows for compatibility with very old infrastructure only.
- OpenVPN / WireGuard: Not natively supported in Windows 11, but available via official clients from third-party providers. WireGuard is the modern standard for consumer VPN services; OpenVPN is the established standard for business VPNs.
Setting Up a Business (Corporate) VPN
Corporate VPNs allow you to connect to your company’s internal network from anywhere — accessing shared drives, internal applications, and other resources as if you were in the office. Your IT administrator will provide the connection details.
Adding a VPN Connection via Settings
- Open Settings → Network & internet → VPN.
- Click Add VPN.
- Fill in the connection details:
- VPN provider: Windows (built-in)
- Connection name: A descriptive name, e.g., Company VPN
- Server name or address: The hostname or IP address provided by your IT team (e.g., vpn.yourcompany.co.uk)
- VPN type: Select the protocol your company uses (ask IT if unsure — IKEv2 or L2TP/IPsec are the most common)
- Type of sign-in info: Username and password, certificate, or smart card — as configured by your IT team
- Username and password: Enter your VPN credentials if your organisation uses username/password authentication
- Click Save.
The VPN connection now appears in Settings → Network & internet → VPN and in the Quick Settings panel (accessible via the Wi-Fi/Volume/Battery icon cluster on the taskbar). Click Connect to establish the VPN tunnel.
Configuring an IKEv2 VPN with Certificate Authentication
Many corporate VPNs use certificate-based authentication rather than passwords, providing stronger security. For certificate authentication, you first need to import the client certificate:
- Press Win + R, type certlm.msc (the computer’s certificate store) or certmgr.msc (your user store), and press Enter to open the Certificate Manager. For IKEv2 with the Certificate sign-in option, the built-in client authenticates with a machine certificate, so the certificate must be imported into the computer store (certlm.msc); a user certificate in certmgr.msc is only used for EAP-TLS sign-in.
- Expand Personal → Certificates.
- Right-click in the right panel and select All Tasks → Import.
- Follow the wizard to import the certificate file (.pfx or .p12) provided by your IT administrator. The file contains your private key, so keep its password out of email and delete the file once it has been imported.
- If your IT team also provided the CA certificate that issued the VPN server’s certificate, import it under Trusted Root Certification Authorities in the computer store; without it Windows cannot verify the server and the connection fails.
After importing, create the VPN connection as above. When you select IKEv2 as the type and Certificate as the sign-in method, Windows uses the installed certificate to authenticate, and in turn checks that the server’s certificate chains to a trusted CA and matches the server name you entered.
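The same result as the Settings and Certificate Manager steps above, done from an elevated PowerShell session so that it can be repeated and the crypto proposals can be tightened. This is an added example, not the article’s own procedure; the file path, server name and connection name are placeholders, and the IKE/IPsec parameters must match what the gateway offers:

```powershell
# Added example (not from the original article): import a client certificate
# and create a hardened IKEv2 connection entirely from PowerShell.
# Run in an elevated PowerShell session. Path, server and connection name are
# placeholders to adjust for your environment.

$ConnectionName = 'Company VPN'
$ServerAddress  = 'vpn.yourcompany.co.uk'
$PfxPath        = "$env:USERPROFILE\Downloads\client.pfx"

# 1. Import the PFX. For the built-in client's "Certificate" (machine
#    certificate) sign-in method the certificate must live in the computer
#    store, not the user store that certmgr.msc shows.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $PfxPassword

# 2. Sanity-check what was imported: it must carry a private key and, if it
#    has an EKU extension at all, the Client Authentication EKU
#    (1.3.6.1.5.5.7.3.2); otherwise IKE will reject it.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')) {
    throw 'Certificate lacks the Client Authentication EKU'
}
"Imported {0} (expires {1:yyyy-MM-dd})" -f $cert.Subject, $cert.NotAfter

# 3. Create the connection. -EncryptionLevel Required refuses to fall back to
#    an unencrypted PPP link.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -Force

# 4. Replace the default IKE/IPsec proposals (which still admit 3DES, SHA-1
#    and 1024-bit DH) with a modern set. The gateway must offer a matching
#    proposal, so confirm these values with whoever runs it.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -Force

# 5. Show what was configured.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, IPsecCustomPolicy
```

Step 4 is the part the Settings app cannot do: without it the client will happily negotiate whichever of the default proposals the server picks, and those defaults include algorithms you would not choose in 2024. If the gateway only supports a weaker set, the connection will fail after this step, which is the correct signal to raise with IT rather than a reason to revert.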
Configuring L2TP/IPsec with Pre-Shared Key
L2TP/IPsec requires a pre-shared key (PSK) that both the client and server know. When creating the VPN connection:
- Set VPN type to L2TP/IPsec with pre-shared key.
- Enter the pre-shared key in the Pre-shared key field.
- Set authentication type to User name and password and enter your credentials.
Important: L2TP/IPsec needs UDP 500 (IKE), UDP 4500 (NAT traversal) and, where there is no NAT, ESP (IP protocol 50) to reach the gateway, and some networks filter these. Windows also refuses to negotiate L2TP when the server itself sits behind NAT unless the AssumeUDPEncapsulationContextOnSendRule registry value is set. Because the pre-shared key is the same for every client, anyone who obtains it can impersonate the gateway to other users, so treat it as a shared secret and expect IT to rotate it. If you encounter connectivity issues, ask your IT team whether SSTP would be a better option; it uses TCP port 443 (HTTPS) and is rarely blocked.
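The L2TP/IPsec steps above from PowerShell, including the registry change needed when the gateway is behind NAT and a quick pre-flight check. This is an added example, not the article’s own procedure; connection name and server are placeholders, and the pre-shared key is read interactively rather than embedded in the script:

```powershell
# Added example (not from the original article): create an L2TP/IPsec
# connection with a pre-shared key and apply the registry setting Windows
# needs when the server is behind NAT. Run elevated. Name/server are placeholders.

$ConnectionName = 'Company VPN (L2TP)'
$ServerAddress  = 'vpn.yourcompany.co.uk'

# Prompt for the PSK rather than hard-coding it into a script that ends up in
# shell history, tickets or a shared drive. The PSK is shared by every client,
# so anyone holding it can impersonate the gateway: treat it as a shared secret.
$PskSecure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$Psk = [System.Net.NetworkCredential]::new('', $PskSecure).Password

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $Psk -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -RememberCredential -Force

# Windows will not complete NAT-T when the *server* is also behind NAT unless
# this value is set (2 = both client and server may be behind NAT). It takes
# effect after a reboot or a restart of the PolicyAgent and IKEEXT services.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $regPath -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Pre-flight: the IKE and IPsec Policy Agent services must be running and the
# gateway name must resolve. UDP 500/4500 reachability cannot be probed with
# Test-NetConnection (TCP only); error 809 on connect is the usual symptom.
Get-Service IKEEXT, PolicyAgent | Select-Object Name, Status
Resolve-DnsName $ServerAddress -Type A | Select-Object Name, IPAddress

Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
```

The PSK ends up in the connection’s phonebook entry under your profile in any case, which is one more reason to prefer IKEv2 with certificates where the gateway supports it.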
Configuring a Split-Tunnel VPN
By default, when a VPN is active, all your internet traffic is routed through it, including traffic to public websites. This is called full tunnelling. It keeps every packet inside the tunnel and under the company’s egress controls, but it also sends your personal browsing through those controls, adds latency, and loads the gateway with traffic that has nothing to do with work.
Split tunnelling routes only traffic destined for the company network through the VPN, while regular internet traffic goes directly out of your local connection. It is better for performance, but while it is on your device is reachable from the local network and the corporate network at the same time, and DNS queries for corporate names only go through the tunnel if the VPN interface’s DNS servers are used for them. In managed deployments the choice is made in the VPN profile IT pushes; do not turn split tunnelling on yourself if IT has told you to use full tunnelling.
To configure split tunnelling on the client:
- The Settings app (Settings → Network & internet → VPN → your connection → Advanced options → Edit) has no split-tunnel option.
- The legacy route is Control Panel → Network Connections (ncpa.cpl) → right-click the VPN connection → Properties → Networking → Internet Protocol Version 4 → Properties → Advanced, then untick Use default gateway on remote network.
- The equivalent in PowerShell, which is also the only way to attach routes to the connection, after the connection has been created:
# Check current VPN split tunnelling setting
Get-VpnConnection -Name "Company VPN" | Select-Object Name, SplitTunneling
# Enable split tunnelling
Set-VpnConnection -Name "Company VPN" -SplitTunneling $true
# Disable split tunnelling (route all traffic through VPN)
Set-VpnConnection -Name "Company VPN" -SplitTunneling $false
# Add a specific route to go through the VPN (when split tunnelling is on)
Add-VpnConnectionRoute -ConnectionName "Company VPN" -DestinationPrefix "192.168.10.0/24"
# List the routes attached to the connection, and remove one that is no longer needed
Get-VpnConnectionRoute -ConnectionName "Company VPN"
Remove-VpnConnectionRoute -ConnectionName "Company VPN" -DestinationPrefix "192.168.10.0/24"
With split tunnelling on, only the prefixes added with Add-VpnConnectionRoute (plus any the server pushes) go through the tunnel; everything else leaves via the local network.
Setting Up a Consumer VPN Service
Consumer VPN services (such as NordVPN, ExpressVPN, Mullvad, and ProtonVPN) provide encrypted connections for general internet privacy rather than corporate network access. Most provide dedicated Windows clients with more features than the built-in Windows VPN connection — protocol selection, split tunnelling, kill switches, and server selection.
However, if you prefer to use Windows’ built-in client with a consumer VPN service, most providers also publish their server details for manual configuration. Here is the general process using a provider that supports IKEv2:
- Download the configuration details from your VPN provider’s website (look for a manual configuration or native apps section).
- Note the server hostname, protocol (IKEv2 is typical), and authentication type.
- Some providers issue client certificates; others use username and password. Import certificates if required using Certificate Manager.
- Create the VPN connection via Settings as described above.
VPN Kill Switch
A kill switch blocks all internet traffic if the VPN connection drops unexpectedly, preventing your real IP address and unencrypted traffic from being exposed while it reconnects. Windows 11’s built-in VPN client has no kill switch, but Windows Firewall can enforce one: set the default outbound action to Block and add Allow rules only for traffic leaving via the VPN interface and for the packets needed to bring the tunnel back up (IKE on UDP 500/4500 to the gateway, plus DHCP). While the tunnel is up, the VPN adapter appears as a hidden WAN Miniport interface whose alias is the connection name:
# List the RAS/VPN adapters (they are hidden by default)
Get-NetAdapter -IncludeHidden | Where-Object { $_.InterfaceDescription -like "*WAN Miniport*" }
If you would rather not maintain firewall rules, use the VPN provider’s official client, which includes a kill switch natively.
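A firewall-based kill switch for the built-in IKEv2 client, written as an added example rather than taken from the article. It assumes the gateway’s IP address is 203.0.113.10 (a documentation address used as a placeholder) and that the tunnel is IKEv2; the rule group name is arbitrary. Run it elevated:

```powershell
# Added example (not from the original article): a Windows Firewall based kill
# switch for the built-in IKEv2 client. It blocks all outbound traffic by
# default and allows only (a) traffic on remote-access (VPN) interfaces,
# (b) the IKE/IPsec packets needed to bring the tunnel up, and (c) DHCP.
# The server IP 203.0.113.10 and the group name are placeholders. Run elevated.

$Group    = 'VPN Kill Switch'
$ServerIP = '203.0.113.10'   # use the gateway's IP, not its DNS name, so no
                             # DNS query is needed before the tunnel is up

function Enable-VpnKillSwitch {
    # Remove any stale copy of the rule set so re-running is idempotent.
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue

    # (a) Anything leaving via a VPN (RemoteAccess) adapter is allowed.
    New-NetFirewallRule -Group $Group -DisplayName 'KS allow VPN interface' `
        -Direction Outbound -InterfaceType RemoteAccess -Action Allow | Out-Null

    # (b) IKE (UDP 500), NAT-T (UDP 4500) and raw ESP (IP protocol 50) to the
    #     gateway only. Without these the tunnel could never be re-established.
    New-NetFirewallRule -Group $Group -DisplayName 'KS allow IKE/NAT-T' `
        -Direction Outbound -Protocol UDP -RemotePort 500,4500 `
        -RemoteAddress $ServerIP -Action Allow | Out-Null
    New-NetFirewallRule -Group $Group -DisplayName 'KS allow ESP' `
        -Direction Outbound -Protocol 50 -RemoteAddress $ServerIP -Action Allow | Out-Null

    # (c) DHCP, so the physical adapter can keep its lease.
    New-NetFirewallRule -Group $Group -DisplayName 'KS allow DHCP' `
        -Direction Outbound -Protocol UDP -RemotePort 67 -Action Allow | Out-Null

    # Flip every profile to block-by-default. Existing Allow rules for other
    # programs still override the default, so audit them with the function below.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
}

function Disable-VpnKillSwitch {
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
}

function Get-VpnKillSwitchLeaks {
    # Any enabled outbound Allow rule outside our group that is not bound to the
    # RemoteAccess interface type is a path around the kill switch.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object { $_.Group -ne $Group } |
        Where-Object { ($_ | Get-NetFirewallInterfaceTypeFilter).InterfaceType -ne 'RemoteAccess' } |
        Select-Object DisplayName, Profile, Group
}

Enable-VpnKillSwitch
Get-VpnKillSwitchLeaks | Format-Table -AutoSize
```

Expect the leak report to list Windows’ own predefined rules, in particular Core Networking - DNS (UDP-Out), which lets the DNS client resolve names on any interface. Left enabled, that rule is exactly the DNS leak a kill switch is meant to prevent, so either disable it while the switch is on or replace it with a copy restricted to the RemoteAccess interface type. The trade-off is that with it disabled nothing resolves until the tunnel is up, which is why the script pins the gateway by IP.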
Always-On VPN for Business
Always-On VPN (AOVPN) is a Windows 11 Pro/Enterprise feature that automatically connects to the corporate VPN whenever the machine detects it is not on the corporate network. Unlike the older DirectAccess technology it replaces, AOVPN works with standard IKEv2 and other protocols and does not require an IPv6 infrastructure.
AOVPN requires configuration on both the VPN server (Windows Server 2016 or later, or a third-party server that supports the required features) and client side via MDM (Mobile Device Management) or Group Policy. The client-side configuration involves creating a VPN profile with device tunnel and user tunnel settings, typically deployed via Intune or SCCM.
For IT administrators configuring AOVPN, the key components are:
- Device tunnel: Connects before user login, using a machine certificate (IKEv2 only). It lets Group Policy processing, logon scripts and management agents reach the domain before anyone signs in, and is normally split-tunnelled to infrastructure subnets only.
- User tunnel: Connects after user login, authenticating the user, and provides access to user-specific resources.
- Trusted Network Detection: Suppresses the automatic connection (and drops an existing one) when the device’s active network carries one of the configured corporate DNS suffixes, so that traffic is not tunnelled unnecessarily while in the office.
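A device-tunnel profile that exercises the three components above, pushed through the local MDM bridge (the VPNv2 configuration service provider, which is also what Intune writes to). This is an added example following the schema and bridge mechanism in Microsoft’s VPNv2 CSP documentation, not code from the article; the server, DNS suffix, route and profile name are placeholders, and a small validation function catches the mistakes that otherwise only surface as a tunnel that silently never comes up:

```powershell
# Added example (not from the original article): build an Always On VPN
# device-tunnel ProfileXML and install it through the local MDM bridge (the
# same VPNv2 CSP Intune uses). Server, DNS suffix, route and profile name are
# placeholders. A device tunnel must be created in the SYSTEM context
# (e.g. psexec -s powershell.exe) from an elevated shell.

$ProfileName = 'Company Device Tunnel'
$ProfileXML  = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <!-- Trusted Network Detection: do not auto-connect when this suffix is present -->
  <TrustedNetworkDetection>corp.yourcompany.co.uk</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.yourcompany.co.uk</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <!-- A device tunnel only needs infrastructure (DCs, DNS, management), not everything -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
</VPNProfile>
'@

function Test-VpnProfileXml {
    param([string]$Xml)
    # Fail early on malformed XML and on the settings a device tunnel needs.
    $doc = [xml]$Xml
    $p = $doc.VPNProfile
    if ($p.DeviceTunnel -ne 'true') { throw 'DeviceTunnel must be true' }
    if ($p.NativeProfile.NativeProtocolType -ne 'IKEv2') { throw 'Device tunnel requires IKEv2' }
    if ($p.NativeProfile.Authentication.MachineMethod -ne 'Certificate') {
        throw 'Device tunnel requires machine certificate authentication'
    }
    if ($p.NativeProfile.RoutingPolicyType -eq 'SplitTunnel' -and -not $p.Route) {
        throw 'SplitTunnel set but no <Route> elements: nothing would go through the tunnel'
    }
    return $true
}

function Install-VpnProfile {
    param([string]$Name, [string]$Xml)
    # The CSP expects the profile name URL-encoded and the XML entity-escaped.
    $escapedName = [uri]::EscapeDataString($Name)
    $escapedXml  = [System.Security.SecurityElement]::Escape($Xml)
    $ns  = 'root\cimv2\mdm\dmmap'
    $cls = 'MDM_VPNv2_01'
    # Replace an existing profile of the same name so re-runs are clean.
    Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $escapedName | Remove-CimInstance
    New-CimInstance -Namespace $ns -ClassName $cls -Property @{
        ParentID   = './Vendor/MSFT/VPNv2'
        InstanceID = $escapedName
        ProfileXML = $escapedXml
    }
}

Test-VpnProfileXml $ProfileXML | Out-Null
Install-VpnProfile -Name $ProfileName -Xml $ProfileXML
Get-VpnConnection -AllUserConnection | Select-Object Name, TunnelType, AuthenticationMethod
```

The route list is the security control here: a device tunnel runs with no user present, so it should reach only the subnets that pre-logon processes need, and a user tunnel with its own routes carries the rest once someone signs in.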
Troubleshooting VPN Connections
Connection Failures
- Error 800 (Unable to establish the VPN connection): The VPN server is not reachable. Check the server address, confirm the server is online, and ensure the protocol’s required ports are not blocked by your firewall or ISP.
- Error 691 (Access denied because the username and/or password is invalid): Incorrect credentials, or the authentication method the client is using (for example MS-CHAPv2 versus EAP) does not match what the server expects. Verify both with your IT team.
- Error 806 (A connection was established but the VPN connection cannot be completed): A PPTP error; a firewall or router between you and the server is dropping GRE (IP protocol 47) packets. Given PPTP’s weaknesses, the right fix is to move to IKEv2 or SSTP rather than to open GRE.
- Error 809 (The network connection between your computer and the VPN server could not be established because the remote server is not responding): Common with L2TP and IKEv2 when UDP 500/4500 are filtered, or when the server is behind NAT and the client lacks the AssumeUDPEncapsulationContextOnSendRule registry value. Try SSTP as an alternative, as it uses port 443, which is almost never blocked.
- Error 789 (The L2TP connection attempt failed because the security layer encountered a processing error): Certificate or pre-shared key mismatch, or the IPsec services are not running. Verify the PSK with your IT team, reinstall the client certificate, or check that the IKEEXT and PolicyAgent services are started.
Connected but Cannot Access Resources
If the VPN connects but you cannot reach internal servers:
- Check DNS configuration: VPN connections usually need to use the company’s internal DNS servers for internal names. Open Network Connections (ncpa.cpl), right-click the VPN connection → Properties → Networking → Internet Protocol Version 4 → Properties → Advanced → DNS tab, and add the company’s DNS server IP addresses; or from PowerShell, while connected, run Set-DnsClientServerAddress -InterfaceAlias "Company VPN" -ServerAddresses 10.10.0.10 with IT’s server address.
- Check whether split tunnelling is enabled and whether the correct routes are being added. Run route print in Command Prompt while connected to see the current routing table: with split tunnelling on, the company prefixes should point at the VPN interface and 0.0.0.0 should not; with it off, 0.0.0.0 should.
- Confirm with your IT team whether your account has permission to access the resources you are trying to reach. VPN connectivity does not automatically grant access to all internal resources.
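The checks in this troubleshooting section gathered into one script: the most recent dial failures with their error codes from the RasClient event log, then, if the connection is up, the routes and DNS servers bound to the tunnel interface and a resolve-and-reach test against an internal host. This is an added example rather than the article’s own; the connection name and the internal hostname are placeholders:

```powershell
# Added example (not from the original article): one-shot diagnostics for a
# VPN that fails to connect, or connects but cannot reach internal hosts.
# The connection name and the internal host are placeholders.

$ConnectionName = 'Company VPN'
$InternalHost   = 'fileserver.corp.yourcompany.co.uk'

function Get-VpnRecentErrors {
    # RasClient writes event 20227 with the numeric reason (800, 691, 809 ...)
    # in the message each time a dial fails.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Test-VpnDataPath {
    param([string]$Name, [string]$TargetHost)
    $conn = Get-VpnConnection -Name $Name -ErrorAction Stop
    "Status: {0}  Split tunnelling: {1}" -f $conn.ConnectionStatus, $conn.SplitTunneling
    if ($conn.ConnectionStatus -ne 'Connected') { return }

    # The RAS interface takes the connection name as its alias once the tunnel is up.
    $if = Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction Stop

    # Which routes point into the tunnel? With split tunnelling on you should see
    # corporate prefixes here and NOT 0.0.0.0/0; with it off, 0.0.0.0/0.
    "Routes via ${Name}:"
    Get-NetRoute -InterfaceIndex $if.ifIndex -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, RouteMetric | Format-Table -AutoSize

    # DNS servers bound to the tunnel interface. Empty here is the classic
    # 'connected but names do not resolve' cause.
    "DNS servers on ${Name}:"
    (Get-DnsClientServerAddress -InterfaceAlias $Name -AddressFamily IPv4).ServerAddresses

    # Resolve and reach the internal host (SMB on 445 as a representative
    # service); -InformationLevel Detailed shows which interface Windows used.
    $r = Resolve-DnsName $TargetHost -ErrorAction SilentlyContinue
    if (-not $r) { "Name $TargetHost did not resolve: check the VPN DNS settings"; return }
    Test-NetConnection -ComputerName $TargetHost -Port 445 -InformationLevel Detailed |
        Select-Object RemoteAddress, InterfaceAlias, TcpTestSucceeded
}

Get-VpnRecentErrors
Test-VpnDataPath -Name $ConnectionName -TargetHost $InternalHost
```

If the name resolves but InterfaceAlias in the last line is your Wi-Fi adapter rather than the VPN, the route for that host is missing from the tunnel, which is a split-tunnelling problem rather than a DNS one.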
VPN Security Best Practices for Remote Workers
- Always use the VPN on public Wi-Fi. Coffee shops, airports, hotels — any public network should be treated as hostile. Connect to your VPN before accessing any work systems or sensitive personal accounts.
- Keep the VPN client updated. VPN client software has historically been a target for vulnerabilities. Update it whenever updates are available.
- Use strong, unique credentials. If your VPN uses password authentication, ensure the password is strong and not reused from other services.
- Do not disable the VPN for convenience. Bypassing the VPN to improve connection speed defeats the purpose entirely.
- Report unusual VPN behaviour. If you see unexpected disconnect/reconnect events or unusual traffic, report it to your IT team — it could indicate an active attack.
Conclusion
Windows 11’s built-in VPN client provides solid connectivity for the IPsec-based and SSTP protocols that most corporate VPN gateways support, without requiring any additional software installation. For employees connecting to company systems from home or while travelling, a properly configured IKEv2 or SSTP VPN connection provides both the access and the encryption that remote work security demands.
For organisations deploying VPNs at scale, Windows 11 Professional’s Group Policy and Always-On VPN support provide a management framework that ensures consistent, automatic security without relying on individual users to remember to connect. Get Windows 11 Professional from GetRenewedTech for £18.99 and ensure your remote workforce is working securely.