
Possibly add support for automatically starting backup tunnels if the domain is not available #36

@ld0614

Description

Currently someone on Discord is using the following approach in conjunction with DPC:

Create an event trigger for the following events:

  • Microsoft-Windows-NetworkProfile - Event 10000
  • Application/RasClient - Event 20226
  • Microsoft-Windows-Kernel-Power - Event 42
  • User Login (Event ID should be possible to figure out)

This checks for events on the local machine, based on specific event IDs (image.png above):

  • NetworkProfile 10000 - created when a network connection is established (specifically a domain connection)
  • RasClient 20226 - typical RAS disconnect event, caused by unhandled termination
  • Kernel-Power 42 - created when the system enters sleep

The first and third event IDs are essentially "failsafes" - basically, if a connection has been established, is domain connectivity functional? If the system has recovered from sleep, is domain connectivity still functional?
The second event is the key one - if the RAS client has terminated its connection, we need to get it back up and running asap.

On triggering, the scheduled task runs a PowerShell script (Connect-AlwaysOnVPN.ps1) that:

  • Checks for domain connectivity - if present, the script exits cleanly
  • If domain connectivity is not present, first tries to redial the device tunnel (suffix '-DT'), and if that fails, tries the backup user tunnel (suffix '-UT') using a "short" connection loop
  • If the short connection loop doesn't work, retries using a "long" connection loop a maximum of 15 times

The process is effectively:
PowerShell Script to install Scheduled Task -> Scheduled Task in XML Format -> Calls VBS Script -> Calls PowerShell Script to review and trigger tunnels

In this case it appears that the 'primary tunnel' is the device tunnel, against normal best practices; however, it may be possible to use the same concepts when dialling the user tunnel, device tunnel and the user backup tunnel.

This would need to be an optional feature as it relies on domain connectivity (doesn't cover EID-only devices) and also starts to manipulate VPN connections directly, which is something DPC has historically avoided doing.
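The following is an added example, written for this page, of the check-then-redial logic and the event-triggered task registration described in the issue. It is not DPC's code and not the Discord user's Connect-AlwaysOnVPN.ps1; the profile names 'Contoso-DT' and 'Contoso-UT', the task name 'AOVPN-Reconnect', the short-loop sizes and delays, and the use of an LDAP port probe against a DC as the definition of "domain connectivity" are all assumptions. Only the 15-attempt long loop and the three event IDs come from the issue text.

```powershell
# Added example (not DPC's code, not the script described in the issue).
# Run once with -Register as an administrator to create the event-driven task;
# the task then runs this same file as SYSTEM on each trigger.
# Assumed names: 'Contoso-DT' (device tunnel), 'Contoso-UT' (user tunnel), 'AOVPN-Reconnect'.
[CmdletBinding()]
param(
    [switch]$Register,
    [string]$Domain       = (Get-CimInstance Win32_ComputerSystem).Domain,  # assumes a domain-joined machine
    [string]$DeviceTunnel = 'Contoso-DT',   # assumed profile name, '-DT' suffix as in the issue
    [string]$UserTunnel   = 'Contoso-UT',   # assumed profile name, '-UT' suffix as in the issue
    [int]$ShortAttempts   = 3,              # assumed size of the "short" loop
    [int]$ShortDelaySec   = 10,
    [int]$LongAttempts    = 15,             # the issue's maximum for the "long" loop
    [int]$LongDelaySec    = 60
)

function Test-DomainConnectivity {
    param([string]$Domain)
    # Find a DC through the _ldap SRV record, then probe LDAP (389/TCP) on it.
    # A DNS answer alone is not proof of connectivity: it may come from cache while the tunnel is down.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        if (-not $srv) { return $false }
        $probe = Test-NetConnection -ComputerName $srv.NameTarget -Port $srv.Port -WarningAction SilentlyContinue
        return [bool]$probe.TcpTestSucceeded
    } catch {
        return $false
    }
}

function Connect-Tunnel {
    param([string]$Name, [int]$Attempts, [int]$DelaySec)
    for ($i = 1; $i -le $Attempts; $i++) {
        # rasdial.exe dials an existing phonebook entry. AOVPN profiles authenticate with
        # certificates/EAP, so no credentials are put on the command line.
        & rasdial.exe $Name | Out-Null
        if ($LASTEXITCODE -eq 0 -and (Test-DomainConnectivity -Domain $Domain)) { return $true }
        Start-Sleep -Seconds $DelaySec
    }
    return $false
}

function Invoke-Reconnect {
    # Step 1: if the domain is reachable there is nothing to do.
    if (Test-DomainConnectivity -Domain $Domain) { return 'already-connected' }

    # Step 2: short loop, device tunnel first, then the backup user tunnel.
    if (Connect-Tunnel -Name $DeviceTunnel -Attempts $ShortAttempts -DelaySec $ShortDelaySec) { return 'device-short' }
    if (Connect-Tunnel -Name $UserTunnel   -Attempts $ShortAttempts -DelaySec $ShortDelaySec) { return 'user-short' }

    # Step 3: long loop, at most $LongAttempts slower rounds over both tunnels.
    for ($round = 1; $round -le $LongAttempts; $round++) {
        foreach ($tunnel in @($DeviceTunnel, $UserTunnel)) {
            if (Connect-Tunnel -Name $tunnel -Attempts 1 -DelaySec $LongDelaySec) { return "long-$tunnel" }
        }
    }
    return 'failed'
}

function Register-ReconnectTask {
    param([string]$ScriptPath, [string]$TaskName = 'AOVPN-Reconnect')
    # New-ScheduledTaskTrigger cannot build event triggers; create MSFT_TaskEventTrigger
    # CIM instances and give each an Event Viewer style XPath subscription.
    $class = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $events = @(
        @{ Log = 'Microsoft-Windows-NetworkProfile/Operational'; Provider = 'Microsoft-Windows-NetworkProfile'; Id = 10000 }
        @{ Log = 'Application'; Provider = 'RasClient';                    Id = 20226 }
        @{ Log = 'System';      Provider = 'Microsoft-Windows-Kernel-Power'; Id = 42 }
    )
    $triggers = foreach ($e in $events) {
        $t = New-CimInstance -CimClass $class -ClientOnly
        $t.Subscription = "<QueryList><Query Id='0' Path='$($e.Log)'><Select Path='$($e.Log)'>" +
                          "*[System[Provider[@Name='$($e.Provider)'] and EventID=$($e.Id)]]</Select></Query></QueryList>"
        $t.Enabled = $true
        $t
    }
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # IgnoreNew stops overlapping runs when several of the events fire in quick succession.
    $settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 30)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
        -Principal $principal -Settings $settings -Force
}

if ($Register) { Register-ReconnectTask -ScriptPath $PSCommandPath } else { Invoke-Reconnect }
```

Two caveats for anyone adapting this. The device tunnel is an all-user profile, so it can only be dialled from a SYSTEM (or at least elevated) context, which is why the task principal is SYSTEM. A user tunnel deployed per-user lives in that user's phonebook and is not visible to rasdial running as SYSTEM, so the user-tunnel branch only works here if the profile was deployed for all users; otherwise it needs a second task running in the logged-on user's context, which is also where the "User Login" trigger the issue mentions would belong.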
