@Peter Holland Routers allow you to create VLANs where you can partition each device on the network. Obviously if you're worried about a client not being able to see a LAN address, then of course you could enable that network service, but block all the rest, so the client is forced to tunnel through the VPN to get to a WAN address ( all incoming connections MUST be blocked. ) The most basic service configuration has Unicast DNS ( UDP 53, ) Multicast DNS / mDNS ( UDP 5353, ) HTTP ( TCP 80, ) HTTPS / SSL / TLS 1.3+ ( TCP 443, ) and maybe WireGuard ( UDP 51820. ) In a rare situation, it would be UDP 123 for NTS / NTP ( Network Time Security / Network Time Protocol. ) Often you can tunnel almost any other service, including NTP, over the VPN, other than using DNS to bootstrap a DNS Stub Resolver, which in turn feeds a DNS server. In actuality, you could block all outgoing connections that don't utilize WireGuard ( UDP port 51820, ) and it would still work, although it will fail if the timestamps are inaccurate, or the system clock is not up to date. This is for the router though, not the operating system's firewall. You could even use a 3rd-party service to update the system clock if you're REALLY worried about security. Don't try to offload EVERYTHING to a software firewall, unless you want really high latency, and high power usage. That is a really big mistake. Even if you have interrupt moderation enabled for the network adapter, tons of receive buffers, and a decent multi-core CPU, it won't be anywhere near as fast as the ASIC / ASSP ( in this case a form of applications processor that has hard-IP blocks specifically made for encryption ) that comes with the VPN Router. A CPU is a general purpose processor, and will always be slower and less efficient at this task ( networking 101. )

"I would still expect split tunnel to work, the point of most of our AOVPN deployments to be solely to ensure clients can reach internally hosted services."

Most commercial-grade entry-level SOHO routers have VPN support, and VPN passthrough, which is above and beyond the speed of any desktop computer you have. The method you have chosen ensures maximum lag for anyone on your network, if you were wondering. Nobody does that. You have to see the VPN is just an extra layer, a virtual one at that, in which packets / traffic are encapsulated over / through, and they traverse this one layer, to reach this specific endpoint. All you're doing is tunneling traffic from the router to the VPN server, which is treated much like an exit node. So while it still uses the service provider's network, the exit node in this sense will not be the router, but the VPN server. Split tunneling just removes that layer for one particular program or service. You could actually change the firewall rules to unblock certain services, and add an extra VLAN that has another DNS server and HTTPS port that bypasses the VPN, if you are that worried. You could even change the service configuration to assign it a fixed IP address based on the port, or a certain range, and assign that one particular range to another VLAN, which of course uses up memory to do this ( VLAN partitioning, a feature based on the concept of Software Defined Networking / Network Virtualization. ) The operating system settings could be bypassed, regardless of what you do, or if there is a BYOD policy, anyone can bypass it, so this is why the router is used to configure this and not the device itself. When you properly configure the VPN, the device is not even aware the traffic is being tunneled through the VPN, because the router handles it, and you can't change it no matter what you do. This is why people do this, and they don't do anything else. Any other solution doesn't work. People will use simple DNS workarounds to bypass it, and you will look like an amateur ( even a lot of teenagers know how to get around this. ) Most Public WiFi hotspots are set up like this btw, and they often have a captive portal as well. If you don't want to use a hardware router, you could use VyOS, or some other combination of software on Solaris 11,x, or another operating system ( lots of open source software routers / software appliances that can run in a container, docker image, or whatever it is you have in mind. )

"its just ensuring that the clients are always going to try to connect and users can't disconnect it."

NOTE: I would suggest looking at a certification like CompTIA's Network+, Security+, or even CCNP, MCSE, etc. Here are some more free resources to help: https://techcommunity.microsoft.com/t5/windows-deployment/educational-resources-for-systems-administ...

@Peter Holland I did already explain this, but I only gave really generic advice, because that's all you can give. If you're using WAN failover ( HSPA / 3G, 4G / LTE, 5G, ) or a portable router, the service configuration depends on the interface ( media access controller, not the software interface itself. ) For WAN Failover, you can't use a single port obviously, it needs NTP to synchronize the clock, or it won't connect. Most VPNs have a supposed "kill switch" feature, so you have to write firewall rules specifically for this, but you also have to have rules for when you set up the VPN for the first time, so it doesn't get blocked before it finishes the setup process. Everything has to be scripted around the VPN for your idea to work, but the negative side of it, is that if you stop using the VPN and / or the resolver, then of course you have to reset everything to default, or restore the old settings:
 
"the VPN clients are external on random connections, home broadband, mobile hotspot, coffee shop wifi etc, they are using the Microsoft Always On VPN to vonnect to Microsoft RRAS servers using split tunnel (or force tunnel occasionally)."
 
Windows is an operating system ( monolithic kernel,) it is not a client or a server. You can enable Windows 11 Home to work much like Windows Server by going into the services.mmc snap-in and turning on Server, and then modifying this setting: System Properties -> Performance -> Settings -> Advanced -> Processor Scheduling: Background Services
 
If you wanted to create this, you couldn't actually block someone from turning it off. Instead you would have to have consent, or the person would have to be willing to not change the settings on you. Even if you added a security template, with a unified write filter, you could still boot into WinPE, load the registry hives, apply a new DACL, if it was unencrypted, and it would be simple to reset. I already described methods you could use to isolate it. These rules you could in theory use for a software firewall, but even with a mobile access point, you could still partition the devices on your network, or even use WSL, docker, a VM, as I have said before, on top of the operating system, if you were THAT worried. In the most extreme case, you could use OpenVPN or something else to make your own client to hardcode the settings I'm sure, but like I said, you have to pay close attention to making sure NTP isn't blocked, or you have to disable your in-house "kill switch," just to synchronize the clock. The other way around it, is to synchronize the clock on startup, just as the network stack is initialized, and then block all traffic as soon as the VPN loads ( the VPN has to be registered as a network service though. ) So you have to create your own custom network service to achieve this, but it follows all the same rules as in the above post anyways, although I only briefly covered some basic things, just to give you a hint as far as how much work it really is. The reason why it's not as popular to vertically integrate something like this with Windows, is when it breaks ( and you have to reverse the changes or go to default settings. ) I already have a similar setup to the one you have, that's why I'm describing it to you, although mine is superior to yours. Nothing I have said is esoteric knowledge or secret in any way shape or form. It's all derived from open sources:

This thread is about the fact that the Windows client side interface allows users to selectively disconnect from the user tunnel vpn and in doing so it disables the auto-connect "always on" nature of "always on vpn".

@Peter HollandIf you learn how a network stack works, how to harden operating system services, how network services work, how to use PowerShell, etc, various Systems Administration tasks as described in the above posts, it won't look like nonsense. The only problem is that you can't entirely lock it down as you imagine ( with a custom image, maybe, if it's company-owned. At that point, it's probably going to be a guest profile that is deleted after 12-72 hours or something else, or something that relies on STIG Viewer and OpenSCAP, both of which are publicly available. ) I did give you most examples, both hardware, and software configuration examples, albeit in a very generic cut-down fashion, given it's a platform-agnostic solution:

"this is entirely unrelated to the on-premises infrastructure and services. it is not related to any of the information you have posted in this thread. I am wondering if you are testing a techcommunity reply using chatgpt or something as it is also good at providing completely irrelevant nonsense."

@Mousefluff 

From what I've read, the OP is referring to Enterprise Windows 10 deployments, specifically the use of Always On VPN (https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vp...) which is commonly deployed via Intune.

This isn't about a single VPN that needs to be 'Always On' this is about the literal technology which Microsoft have called 'Always On VPN'. Specifically the OP seems to be referring to this:

Which can be toggled by the user and has no method of policy control. That about right @Peter Holland ?

@MousefluffI'm going to rewrite this one as well, due to some sort of issue with posting replies about service configurations on a site designed solely for sharing technical information with other people ( someone either edited it, or it disappeared due to a glitch. ) Windows itself isn't a client. Windows is an operating system ( monolithic kernel. ) You can switch at the drop of a hat from workstation to server using the MMC snap-in ( services.msc, ) enabling the Server service, disabling the Workstation service, and then going into System Properties and changing this -> Advanced -> Performance -> Advanced -> Processor Scheduling: Background Services

Knowing that this is modular enough that you can script it in the same way as Windows Server, you can partition each adapter on the network, and isolate / sandbox each program, enough that you could create your own "kill-switch" functionality just using scripts ( to block all traffic in the event that you lose the connection. Of course my VPN has this, as well as split-tunneling, but it's a post-paid product. ) Most commercial-quality VPN routers have WAN failover for HSPA / 3G, 4G / LTE, 5G, etc, and WiFi support. The main difference between these and the software firewall implementation on a PC, is that you can't block the Network Time Service like you can on a PC, or tunnel it over the VPN. You'll never be able to connect, and you won't know why, but the obvious reason is the time stamp doesn't match. If you pull out the battery as well, with the "kill-switch" engaged, you can't reconnect, and you have to reinstall it, or disable the VPN to be able to use it ( this is why they bypass the VPN / Firewall sometimes to allow NTP, or they synchronize the clock on startup. It's really problematic with mobile devices, but nothing else. ) With VyOS, all you need is an adapter to create your own access point, or you could even use a HTPC board with two Ethernet MACs ( it's very flexible, and you can even run it in a container using WSL / docker, on top of the operating system image. ) You could also make your own fixed-login process by forking OpenVPN and hard-coding the login, so nobody could disconnect, along with a custom network stack and service configuration. It's still vastly inferior to a VPN router, but understanding the drawbacks is an important part of learning how it works. If you don't understand this, then you won't be able to learn from your mistakes, or you won't understand the limitations of what you've learned. This is how I think about things, not just what I would tell someone else:

"the VPN clients are external on random connections, home broadband, mobile hotspot, coffee shop wifi etc"

@BestowOk so he already identified the problem, and I gave examples of how to deal with this issue, using a solution that I already use:

"Which can be toggled by the user and has no method of policy control. That about right"

@Peter HollandThat's unfortunate, given I wrote several workarounds for this problem, but you have to learn how to use PowerShell to bypass this ( I did give examples as well, similar to the ones I use. ) I don't think I was trying to write spam at all:

"your previous replies dissapeared as i marked them as spam."

@Peter HollandYou asked Microsoft to rewrite the default interface to suit your needs, which is not going to happen, and then you mass reported my account and it was locked up for some period of time. You have 3 choices really: Make your own app ( learn how to code. ) Choice #2: Learn how to write scripts to bypass the limitations with the default UI Choice: #3: Use a 3rd-party solution ( this is all industry-standard, and I'm not going to say anything else. I already explained how the VPN works. )

@Mousefluff 

You asked Microsoft to rewrite the default interface to suit your needs, which is not going to happen

You are starting to understand the point of this post. IF there is not administrative way to control this element of the UI, as there is with many parts of the UI, then it does need an element of control. I am hearing this from many customers of all sizes. This is the beginning of the route to enacting positive change in the platform and how many things have been improved over the years. I was also hopeful that someone else who has also spent the time digging into this area might have found a specific ACL on a registry key or a hidden registry setting that controls access to this element such as a registry setting that doesn't exist but changes behaviour when created.

In the second post I put a link to a feedback hub item created asking to make this a manageable setting, as many others have one in the past with other items that need to be brought into the scope of management. This is exactly the way we, as users, administrators, and consultants, help Microsoft to improve things so they work better for more. To say otherwise is to speak for the whole of Microsoft and rebuke all features requests.

 then you mass reported my account and it was locked up for some period of time

As there was no way to prevent additional derailing of the thread and no apparent change in behaviour change when repeatedly informed that either the question had been misunderstood or that the input was not related to the question and the forum doesn't allow thread starters to remove unhelpful responses it seemed that option had the desired result in getting the thread back on track so others with helpful insight might be able to provide input.

You have 3 choices really: Make your own app ( learn how to code. ) Choice #2: Learn how to write scripts to bypass the limitations with the default UI Choice: #3: Use a 3rd-party solution

none of those answer the problem. The point of this thread is to identify any undocumented methods of controlling the 'connect automatically' option on the client VPN UI as I have already explored option 2. Option 1 doesn't apply as we are talking about a closed Microsoft solution "Always On VPN". Neither does options 3 as the entire point of this is the need to use AOVPN for many organisations due to dependencies with autopilot, integration with Intune management etc.

this is all industry-standard, and I'm not going to say anything else. I already explained how the VPN works.

you did largely talk about genuine topics around VPN infrastructure and a lot of that information was technically accurate. It was, however, the equivalent of giving a detailed description of how the internal combustion engine works when being asked about the seatbelt warning light controls.

Personally, when it seems evident i have misunderstood somethign i have been told I would re-examine any initial assumptions and the scope of what is being asked rather than doubling down and ignoring what is being asked.