Create an Always-On VPN: Auto-Connect on Wi‑Fi + Kill Switch with Windows Firewall (Win10/11)

Difficulty: Intermediate | Time Required: 25 minutes
An “always-on” VPN setup is ideal when you want your PC to automatically protect itself the moment you join Wi‑Fi—and to stop all internet traffic if the VPN drops (a kill switch). Without a kill switch, a brief VPN disconnect can expose your real IP and leak traffic outside the encrypted tunnel.
This tutorial shows a practical approach for Windows 10/11 using:
  • Auto-connect when joining Wi‑Fi (Task Scheduler + event triggers)
  • A Windows Firewall–based kill switch (block outbound traffic except the VPN tunnel + the VPN server handshake)
This method is VPN-provider-agnostic and works with most IKEv2, L2TP/IPsec, and some OpenVPN/WireGuard setups (details vary by provider).

Prerequisites

Before you begin:
  1. Windows 10 or Windows 11
    • Steps apply to both. UI labels may vary slightly (Settings vs Control Panel).
  2. A working VPN connection already created
    • Settings → Network & Internet → VPN → Add VPN (or your provider’s app).
  3. Admin access (needed for firewall rule changes).
  4. You should know at least one of the following for your VPN:
    • VPN connection name in Windows (e.g., MyVPN)
    • VPN server hostname (e.g., vpn.example.com) and/or server IP
Note: If your provider uses a desktop app (OpenVPN/WireGuard), you can still use the “kill switch” concept, but the “allow only VPN interface” rule may need provider-specific adjustments.

Step-by-step: Part 1 — Create a reliable VPN connect command

We’ll use a built-in command that can connect a Windows VPN profile by name.
  1. Press Win + R, type cmd, then press Ctrl + Shift + Enter (Admin Command Prompt).
  2. Check which VPN entries are currently connected (optional but helpful; with no arguments, rasdial prints the connection status rather than the saved profiles):
    rasdial
  3. Test connecting your VPN by name:
    rasdial "MyVPN"
    Replace MyVPN with your VPN connection name exactly as it appears in Settings → VPN.
  4. Test disconnect:
    rasdial "MyVPN" /disconnect
Tip: If rasdial fails due to authentication, confirm the VPN profile credentials in Settings → Network & Internet → VPN → (Your VPN) → Advanced options.

Step-by-step: Part 2 — Auto-connect when you join Wi‑Fi (Task Scheduler)

We’ll create a scheduled task that triggers when Windows connects to a network.

A) Create the scheduled task

  1. Press Win + R, type taskschd.msc, press Enter.
  2. Click Task Scheduler Library.
  3. In the right pane, click Create Task… (not “Basic Task”).

B) General tab settings

  1. Name: Auto-Connect VPN on Wi-Fi
  2. Check Run whether user is logged on or not
  3. Check Run with highest privileges
  4. Configure for: Windows 10 (works for Win11 too)

C) Trigger: when a network connects

  1. Go to the Triggers tab → New…
  2. Begin the task: On an event
  3. Log: Microsoft-Windows-NetworkProfile/Operational
  4. Source: NetworkProfile
  5. Event ID: 10000 (Network connected)
Click OK.
Note: Event IDs can differ across environments. If this trigger doesn’t fire on your PC, see the Troubleshooting section for alternative triggers.

D) Action: run rasdial to connect

  1. Go to Actions tab → New…
  2. Action: Start a program
  3. Program/script:
    %SystemRoot%\System32\rasdial.exe
  4. Add arguments:
    "MyVPN"
Click OK.

E) Conditions & Settings (recommended)

  1. Conditions tab:
    • Uncheck Start the task only if the computer is on AC power (if you want it to work on laptops)
  2. Settings tab:
    • Check Run task as soon as possible after a scheduled start is missed
    • If the task fails, Restart every: 1 minute, Attempt: 3 times
Click OK, enter your Windows credentials if prompted.

F) Test it

  1. Right-click the task → Run
  2. Confirm VPN connected: Settings → Network & Internet → VPN (status should show Connected)

Step-by-step: Part 3 — Build a Windows Firewall kill switch (outbound)

The simplest kill switch logic in Windows Firewall is:
  • Default: Block outbound traffic
  • Exception: Allow outbound only via the VPN tunnel interface
  • Exception: Allow traffic needed to establish the VPN (DNS + VPN server IP/ports) on your normal adapter
This prevents leaks if the VPN disconnects.
Warning: This can lock you out of the internet until the VPN connects. Do this only if you’re comfortable reversing changes. A restore point is strongly recommended.

A) Create a restore point (strongly recommended)

  1. Start menu → type Create a restore point
  2. Select your system drive → Configure (enable protection if needed)
  3. Click Create…

B) Identify your VPN interface (important)

  1. Press Win + X → Windows Terminal (Admin).
  2. Run:
    Get-NetIPInterface | Sort-Object InterfaceAlias | Format-Table InterfaceAlias,InterfaceIndex,AddressFamily,ConnectionState
  3. Connect your VPN, then run the command again and note the interface alias that appears for your VPN (for a built-in Windows VPN the alias is usually the connection name itself, e.g., MyVPN; other clients often show words like WAN Miniport, IKEv2, PPPoP, or the provider name).
Also note your normal adapters (e.g., Wi-Fi, Ethernet).

C) Switch outbound to “Block” (the kill switch foundation)

  1. Open Windows Defender Firewall with Advanced Security:
    • Press Win + R → type wf.msc → Enter
  2. In the left pane, click Windows Defender Firewall Properties
  3. For each profile (Domain, Private, Public):
    • Outbound connections: set to Block
    • Leave Inbound connections as default (usually Block)
Click OK.
At this point, most internet traffic will stop until you add allow rules.

D) Allow outbound traffic through the VPN interface (the leak-proof part)

Now we allow traffic when (and only when) the VPN tunnel is in use.
  1. In Outbound Rules → right-click → New Rule…
  2. Choose Custom → Next
  3. Program: All programs → Next
  4. Protocol and Ports: Any → Next
  5. Scope: leave Any for both local and remote IP addresses → Next
  6. Action: Allow the connection → Next
  7. Profile: check Domain, Private, Public → Next
  8. Name: ALLOW - Outbound via VPN interface
  9. Click Finish
Now we must bind this rule to the VPN interface:
  1. Double-click the new rule → go to Advanced tab
  2. Interface types: select Remote access (common for VPN)
  3. If your VPN appears as a specific interface type, choose accordingly; otherwise use Remote access as the main restriction.
  4. Click OK
Note: Windows Firewall filtering by interface is limited compared to some third-party firewalls. “Remote access” works well for many built-in VPN types. If your VPN uses a virtual adapter that doesn’t classify as “Remote access,” you may need to use the provider’s kill switch or create program-specific allow rules for the VPN client + essential apps.

E) Allow the VPN connection to be established (server + DNS)

Even with “allow via VPN interface,” the VPN still needs to start over your Wi‑Fi/Ethernet. You must allow the initial handshake to your VPN server.
You need your provider’s server IP(s) and protocol:
  • IKEv2: UDP 500 and UDP 4500 to the VPN server IP
  • L2TP/IPsec: UDP 500, UDP 4500, UDP 1701
  • OpenVPN: UDP/TCP 1194 (or provider-specific)
  • WireGuard: UDP 51820 (or provider-specific)
Create an outbound allow rule for the VPN server:
  1. Outbound Rules → New Rule… → Custom
  2. Program:
    • For built-in Windows VPN: use All programs
    • For a VPN app: choose the VPN client executable if known
  3. Protocol and Ports: select UDP/TCP and set the needed port(s)
  4. Scope: set Remote IP addresses to your VPN server IP (best)
    • If you only have a hostname, resolve it to an IP first.
  5. Action: Allow
  6. Profiles: all
  7. Name: ALLOW - VPN handshake to server
Now allow DNS so the hostname can be resolved (optional if you use server IPs):
  1. Create another Custom outbound rule
  2. Protocol: UDP, local port: Any, remote port: 53
  3. Remote IP: your DNS server (router IP like 192.168.1.1 or trusted DNS like 1.1.1.1 / 8.8.8.8)
  4. Name: ALLOW - DNS for VPN startup
Tip: The most leak-resistant setup uses VPN server IPs (not hostnames) so you can avoid DNS rules on the non-VPN interface.
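Parts 3C to 3E as one PowerShell script, including a rollback function for the “locked yourself out” case and a quick self-check. This is an added example, not from the original tutorial; the server IP 203.0.113.10, the port list, the DNS address and the rule-name prefix are placeholders you replace with your provider’s values.

```powershell
# Added example (not from the tutorial): build the Part 3 kill switch with the NetSecurity cmdlets.
# Run in an elevated PowerShell. Values below are placeholders; adjust them before use.
$VpnServerIp = "203.0.113.10"        # your provider's server IP (resolve the hostname first)
$VpnPorts    = @("500", "4500")      # IKEv2; L2TP/IPsec adds 1701, WireGuard uses 51820, OpenVPN 1194
$DnsServer   = "192.168.1.1"         # only needed when you connect by hostname
$Prefix      = "ALLOW - "            # every rule the script creates starts with this

function Enable-VpnKillSwitch {
    # Remove earlier copies so re-running the script does not create duplicate rules
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # C) Default outbound action = Block on all three profiles
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # D) Allow any program/port, but only on Remote access (RAS/VPN tunnel) interfaces
    New-NetFirewallRule -DisplayName "${Prefix}Outbound via VPN interface" `
        -Direction Outbound -Action Allow -InterfaceType RemoteAccess -Profile Any | Out-Null

    # E) Allow the tunnel handshake, restricted to the VPN server IP and its ports
    New-NetFirewallRule -DisplayName "${Prefix}VPN handshake to server" `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort $VpnPorts `
        -RemoteAddress $VpnServerIp -Profile Any | Out-Null

    # E) Allow DNS to one trusted resolver so the server hostname can be resolved at startup
    New-NetFirewallRule -DisplayName "${Prefix}DNS for VPN startup" `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
        -RemoteAddress $DnsServer -Profile Any | Out-Null
}

function Disable-VpnKillSwitch {
    # Rollback: restore the default Allow outbound action and drop the rules created above
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Test-VpnKillSwitch {
    # Self-check: every profile blocks outbound by default and the three allow rules exist
    $open  = @(Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne "Block" })
    $rules = @(Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue)
    [pscustomobject]@{ OutboundBlocked = ($open.Count -eq 0); AllowRules = $rules.Count }
}

Enable-VpnKillSwitch
Test-VpnKillSwitch     # expect OutboundBlocked = True and AllowRules = 3
```

If you need to skip the DNS rule (you connect by IP), remove that block and the script still matches the tutorial’s most leak-resistant setup.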

Tips and troubleshooting

Auto-connect task doesn’t trigger

  • Open Event Viewer → Applications and Services Logs → Microsoft → Windows → NetworkProfile → Operational
  • Connect to Wi‑Fi and see which Event ID is logged.
  • Update the scheduled task trigger to match that Event ID.
  • Alternative trigger: On workstation unlock or At log on plus a short delay.

No internet even when VPN is connected

  • Your “ALLOW - Outbound via VPN interface” rule may not match the interface type used by your VPN.
  • Try adjusting the rule’s Advanced → Interface types (or temporarily set it to “Any” to confirm the issue, then tighten again).
  • Some VPN apps use split tunnels or proxy modes that don’t present as “Remote access.”

You locked yourself out (kill switch too strict)

  • Disconnect from Wi‑Fi (so you’re not stuck trying to reach the network).
  • Open wf.msc and set Outbound connections back to Allow in Firewall Properties.
  • Or use the restore point created earlier.

Want it only on Wi‑Fi (not Ethernet)

  • Keep the same event trigger, but instead of calling rasdial directly, have the task run a PowerShell script that checks the Wi‑Fi adapter first (for example (Get-NetAdapter -Name "Wi-Fi").Status) and only calls rasdial when that adapter is Up. Alternatively, create a second task whose own check of the network interface gates the connect.
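A script that does exactly that check before calling rasdial. This is an added example, not from the original tutorial; the script path C:\Scripts\Connect-VpnOnWifi.ps1 is an assumption, and it detects Wi‑Fi by media type rather than by the adapter name so it also works when the adapter is not called “Wi-Fi”.

```powershell
# Added example (not from the tutorial): connect the VPN only when a Wi-Fi adapter is up.
# Save as C:\Scripts\Connect-VpnOnWifi.ps1 (assumed path) and set the task's action to:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Connect-VpnOnWifi.ps1
$VpnName = "MyVPN"   # the connection name exactly as shown in Settings -> VPN

function Test-WifiUp {
    # Match by media type instead of alias: the adapter is not always named "Wi-Fi"
    $wifi = Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq "Up" -and $_.PhysicalMediaType -eq "Native 802.11"
    }
    return [bool]$wifi
}

function Test-VpnConnected {
    # rasdial with no arguments prints the names of the entries that are currently connected
    $lines = rasdial
    return [bool]($lines | Where-Object { $_.Trim() -eq $VpnName })
}

function Connect-VpnOnWifi {
    if (-not (Test-WifiUp)) { Write-Output "No Wi-Fi link up; leaving the VPN alone."; return }
    if (Test-VpnConnected)  { Write-Output "$VpnName is already connected."; return }

    # Retry a few times: right after a network-connected event the link may not route yet
    for ($attempt = 1; $attempt -le 3; $attempt++) {
        rasdial $VpnName | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Output "$VpnName connected."; return }
        Start-Sleep -Seconds 10
    }
    Write-Warning "Could not connect $VpnName (rasdial exit code $LASTEXITCODE)."
}

Connect-VpnOnWifi
```

Run the task under the account that created the VPN profile (or create the profile for all users), since rasdial only sees phonebook entries visible to the running account.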

Conclusion

With Task Scheduler auto-connect and a Windows Firewall kill switch, your Windows 10/11 PC can automatically protect traffic whenever you join Wi‑Fi—and prevent accidental leaks if the VPN drops. Once configured, it’s a set-and-forget upgrade that’s especially valuable on laptops and public networks.
Key Takeaways:
  • Auto-connect ensures the VPN comes up automatically when you join a network.
  • A firewall-based kill switch can stop traffic leaks during VPN disconnects.
  • Allow rules must cover both VPN tunnel traffic and VPN startup (server/ports/DNS).
  • Test carefully and keep a restore point or rollback plan.

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.