Windows 11 has a built-in VPN client that lets you connect to a work VPN, a home server, or a third-party VPN service without installing any additional software. This guide covers how to set up a VPN connection manually, how to connect and disconnect, and how to configure split tunnelling and DNS settings for work use.
What Type of VPN Do You Need?
Before setting up, check which protocol your VPN uses. Windows 11 supports:
- IKEv2 — fast, stable, reconnects automatically. Recommended for business use.
- L2TP/IPsec — widely compatible, slightly slower. Common on older business VPNs.
- SSTP — uses HTTPS port 443, works through most firewalls.
- PPTP — old and insecure. Avoid if possible.
- OpenVPN / WireGuard — not built into Windows. Require their own client apps.
If your workplace uses Cisco AnyConnect, Palo Alto GlobalProtect, or a similar enterprise VPN, you will need the vendor’s app — not the built-in Windows VPN. Contact your IT department for the installer.
For third-party consumer VPN services (NordVPN, ProtonVPN etc.), use their own apps rather than the built-in client — they offer more features and are easier to manage.
How to Add a VPN Connection
- Go to Settings → Network & internet → VPN
- Click Add VPN
- Fill in the connection details:
  - VPN provider: Windows (built-in)
  - Connection name: A name you choose (e.g. “Office VPN”)
  - Server name or address: The VPN server address provided by your IT team (e.g. vpn.company.co.uk or an IP address)
  - VPN type: Select the protocol (IKEv2, L2TP/IPsec, SSTP, or PPTP). If unsure, try IKEv2 first.
  - Type of sign-in info: Username and password is the most common
  - Username and password: Enter your credentials (these can also be entered at connection time)
- Click Save
How to Connect and Disconnect
Once added, there are several ways to connect:
- Taskbar: Click the network icon in the system tray → click the VPN entry → click Connect
- Settings: Go to Settings → Network & internet → VPN → click your VPN → Connect
- Quick Settings: Press Win + A to open Quick Settings — if VPN is pinned here, you can toggle it
To disconnect, click Disconnect in the same location.
L2TP/IPsec — Additional Settings
L2TP/IPsec often requires a pre-shared key (also called a shared secret). To add this:
- Go to Settings → Network & internet → VPN
- Click your VPN connection → Advanced options
- Click Edit
- Enter the pre-shared key in the Pre-shared key field
How to Configure VPN DNS Settings
For work VPNs, you may need to configure DNS to resolve internal company hostnames (like fileserver.company.local) through the VPN tunnel.
Open the Network Connections panel: press Win + R, type ncpa.cpl, press Enter. Right-click your VPN adapter → Properties → Internet Protocol Version 4 (TCP/IPv4) → Properties → Advanced → DNS. Add your company’s DNS server IP addresses here.
Split Tunnelling
By default, when you connect to a VPN, all internet traffic goes through the VPN tunnel — including browsing, streaming, and everything else. This is called full tunnel mode and can slow down your connection.
Split tunnelling sends only traffic destined for the corporate network through the VPN, while normal internet traffic uses your direct connection. The Windows built-in VPN client does not have a simple toggle for this — it requires a PowerShell command to disable the default gateway on the VPN adapter:
Set-VpnConnection -Name "Office VPN" -SplitTunneling $True
Run this in PowerShell as Administrator, replacing “Office VPN” with your connection name. To revert to full tunnel:
Set-VpnConnection -Name "Office VPN" -SplitTunneling $False
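With split tunnelling on, the tunnel only carries traffic for prefixes that are routed into it, so corporate subnets usually need explicit routes. The following is an added example, not part of the original guide: the subnets are constructed placeholders, and the check assumes the VPN interface alias is the same as the connection name.

```powershell
# Added example, not from the original page. The connection name and prefixes
# are placeholders; get the real corporate subnet list from your IT team.
$Name     = 'Office VPN'
$Prefixes = '10.20.0.0/16', '192.168.50.0/24'   # constructed sample subnets

# 1. Stop sending the default route through the VPN.
Set-VpnConnection -Name $Name -SplitTunneling $True

# 2. Add one route per corporate subnet so that traffic still uses the tunnel.
foreach ($prefix in $Prefixes) {
    try {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -ErrorAction Stop
    } catch {
        Write-Warning "Route $prefix not added: $($_.Exception.Message)"
    }
}

# 3. Run while connected: report whether the VPN interface carries the default
#    route (full tunnel) and which prefixes are routed into it.
function Get-VpnTunnelMode {
    param([Parameter(Mandatory)][string] $ConnectionName)
    $routes = Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $routes) { return 'Not connected (no routes on the VPN interface)' }
    $mode = if ($routes.DestinationPrefix -contains '0.0.0.0/0') { 'Full tunnel' } else { 'Split tunnel' }
    [pscustomobject]@{
        Mode     = $mode
        Prefixes = $routes.DestinationPrefix | Sort-Object -Unique
    }
}
Get-VpnTunnelMode -ConnectionName $Name
```

If the result still shows a full tunnel after reconnecting, the split tunnelling change did not apply to the profile you are connected with.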
How to Set a VPN to Connect Automatically
Windows 11 does not have a built-in always-on toggle for VPN in the GUI, but you can use PowerShell to store the credentials so that an IKEv2 VPN can reconnect automatically after an interruption without prompting for them again:
Set-VpnConnection -Name "Office VPN" -RememberCredential $True
True always-on VPN (connecting before user login) requires configuration via Group Policy and is typically managed by an IT administrator.
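To review how existing profiles are configured, the settings covered in this guide (protocol, split tunnelling, remembered credentials) can be read back with Get-VpnConnection. The following audit function is an added example, not part of the original guide. The name Test-VpnProfile and the sample profiles are constructed for illustration, and the encryption and authentication checks go slightly beyond the settings the guide itself discusses.

```powershell
# Added example, not from the original page: flag risky settings on VPN profiles.
function Test-VpnProfile {
    param([Parameter(Mandatory, ValueFromPipeline)] $Connection)
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($Connection.TunnelType -eq 'Pptp') {
            $findings.Add('PPTP tunnel: old and insecure, move to IKEv2 or SSTP')
        }
        if ($Connection.TunnelType -eq 'Automatic') {
            $findings.Add('Tunnel type not pinned: protocol is chosen at connect time')
        }
        if ($Connection.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $findings.Add("EncryptionLevel is $($Connection.EncryptionLevel): use Required or Maximum")
        }
        foreach ($method in @($Connection.AuthenticationMethod)) {
            if ($method -in 'Pap', 'Chap') { $findings.Add("Weak authentication method: $method") }
        }
        if ($Connection.SplitTunneling) {
            $findings.Add('Split tunnelling on: internet traffic bypasses the VPN')
        }
        if ($Connection.RememberCredential) {
            $findings.Add('Credentials are cached on this device')
        }
        [pscustomobject]@{
            Name     = $Connection.Name
            Server   = $Connection.ServerAddress
            Findings = $findings.ToArray()
        }
    }
}

# Constructed sample profiles, shaped like Get-VpnConnection output.
$sample = @(
    [pscustomobject]@{ Name = 'Legacy VPN'; ServerAddress = 'vpn-old.example.test'
        TunnelType = 'Pptp'; EncryptionLevel = 'Optional'
        AuthenticationMethod = @('Chap', 'MSChapv2')
        SplitTunneling = $true; RememberCredential = $true }
    [pscustomobject]@{ Name = 'Office VPN'; ServerAddress = 'vpn.example.test'
        TunnelType = 'Ikev2'; EncryptionLevel = 'Required'
        AuthenticationMethod = @('Eap')
        SplitTunneling = $false; RememberCredential = $false }
)
$sample | Test-VpnProfile | Format-List

# On a real machine, audit per-user and all-user profiles:
# Get-VpnConnection | Test-VpnProfile
# Get-VpnConnection -AllUserConnection | Test-VpnProfile
```

A profile with an empty Findings list matches the recommendations in this guide; split tunnelling and cached credentials are reported so they can be checked against your IT policy, not because they are always wrong.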
Troubleshooting
Error 691 — Authentication Failed
The username or password is incorrect. Double-check the credentials and ensure you are using the right account — domain accounts usually require the format DOMAIN\username.
Error 809 — Cannot Establish the VPN Connection
The VPN server is unreachable or blocked. Check:
- The server address is correct
- UDP ports 500 and 4500 are not blocked by your firewall (for IKEv2)
- Your internet connection is working
- Try SSTP instead of IKEv2 — it uses port 443 and is rarely blocked
Error 789 — L2TP Connection Failed
Usually a pre-shared key mismatch or missing IPsec policy. Confirm the pre-shared key with your IT team. Also check that the IPsec Policy Agent service is running: open Services (search in Start), find IPsec Policy Agent and ensure it is set to Automatic and running.
Connected but Cannot Access Internal Resources
DNS is not resolving internal hostnames. Add your company DNS server address to the VPN adapter’s DNS settings (see the DNS configuration section above).