What is Always-On VPN
Always-on VPN is a configuration in which a device automatically maintains a persistent VPN connection at all times, preventing any unencrypted traffic from reaching the network — commonly deployed in enterprise environments to ensure all employee traffic routes through corporate security.
Always-on VPN is a VPN configuration in which a device maintains a continuous, automatic VPN connection that is established before the user logs in and remains active at all times. Unlike traditional VPNs that users activate manually when needed, always-on VPN is enforced at the system level — if the device loses VPN connectivity, it typically blocks internet access entirely until the connection is restored.
Always-on VPN is primarily a corporate/enterprise technology used to ensure that company devices always access the internet and corporate resources through the organization's security infrastructure, regardless of where the employee is working.
How Always-On VPN Differs from Traditional VPN
| Feature | Traditional VPN | Always-On VPN |
|---|---|---|
| Activation | Manual — user connects when needed | Automatic — persistent connection |
| Coverage | When user remembers to connect | Continuous, no gaps |
| Traffic outside VPN | Possible (if not connected) | Blocked by policy ("kill switch" behavior) |
| Deployment | Often user-managed | IT-managed and enforced |
| Typical use case | Remote access, privacy | Enterprise device management |
| Platform examples | Any VPN client | Microsoft DirectAccess, GlobalProtect, Intune VPN profiles |
Always-On VPN in Enterprise Environments
In corporate deployments, always-on VPN ensures:
- All traffic passes through corporate filters: Web filtering, data loss prevention (DLP), and security monitoring apply to employee traffic regardless of location — preventing employees from bypassing corporate security policies when working from home, hotels, or coffee shops.
- Continuous access to internal resources: Employees always have access to internal servers, file shares, and applications without needing to manually connect each morning.
- Device compliance enforcement: Before establishing a VPN tunnel, some implementations check that the device meets compliance requirements (antivirus up-to-date, policies applied) — ensuring only healthy devices access the network.
- Audit logging: All network activity routes through systems that can monitor and log for security and regulatory compliance.
Microsoft Always-On VPN (AOVPN)
Microsoft Always-On VPN is a remote access solution introduced in Windows 10 (and Server 2016) as the successor to DirectAccess. It provides:
- User-level and device-level tunnels
- Integration with Microsoft Intune and Active Directory
- Conditional access policies (enforce MFA, device compliance)
- Split tunneling options (route only specific traffic through VPN, or all traffic)
AOVPN is configured through Mobile Device Management (MDM) profiles, group policy, or configuration scripts — IT deploys and manages it without end-user involvement.
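As an added illustration of the "configuration scripts" deployment path (this is not code from the page or from Microsoft), the script below pushes an AOVPN device-tunnel profile through the VPNv2 CSP's WMI bridge; vpn.example.com, corp.example.com and 10.0.0.0/8 are placeholder values.

```powershell
# Added example: deploy a Windows Always-On VPN device-tunnel profile via the
# VPNv2 CSP (MDM_VPNv2_01). Run in the SYSTEM context (scheduled task or
# psexec -s): the device tunnel belongs to the machine, not a signed-in user.
$ProfileName = 'Corp Device Tunnel'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
# AlwaysOn + DeviceTunnel: the tunnel comes up at boot, before any user logs in.
# TrustedNetworkDetection: tunnel stays down when the DNS suffix shows the
# device is already on the corporate LAN. SplitTunnel with an explicit Route
# and DisableClassBasedDefaultRoute sends only 10.0.0.0/8 through the tunnel.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
</VPNProfile>
"@
# The CSP expects the XML as an escaped string inside the ProfileXML property.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$session  = New-CimSession
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
    @{ Name = 'ParentID';   Value = $nodeCSPURI;         Type = 'Key' },
    @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Type = 'Key' },
    @{ Name = 'ProfileXML'; Value = $ProfileXML;         Type = 'Property' })) {
    $instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Type))
}
# Creating the instance writes the profile; the tunnel then connects on its own.
$session.CreateInstance($namespaceName, $instance) | Out-Null
```

A user tunnel is deployed the same way with `<DeviceTunnel>` omitted and an EAP block under `<Authentication>` in place of the machine certificate; in an Intune-managed fleet the same ProfileXML is delivered as an MDM VPN profile rather than by script.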
Kill Switch in Always-On VPN
A core feature of always-on VPN implementations is the kill switch — network traffic is blocked if the VPN connection drops. This prevents any unencrypted or unprotected traffic from leaking outside the VPN tunnel during a momentary disconnection.
In consumer VPN products, a kill switch is typically an optional feature. In always-on enterprise VPNs, it's usually mandatory — the entire point is to ensure no traffic bypasses corporate security infrastructure.
Privacy Implications for Employees
Employees should understand: when using employer-managed always-on VPN on company devices, the organization can see all network traffic routed through the VPN. From the IT security perspective this visibility is the point of the design; for employees it means that personal browsing on a company device is visible to the organization as well.
Best practice: use personal devices for personal activity; use company devices for work and assume all traffic is visible to IT.
Consumer Always-On VPN
Some consumer VPN apps offer an always-on or "auto-connect" mode that:
- Automatically connects to the VPN when the device starts
- Reconnects if the VPN drops
- Optionally blocks internet access until VPN is established
This provides continuous privacy protection without requiring manual activation — useful for users who want persistent encryption on all connections, particularly on mobile devices that frequently switch between WiFi and cellular networks (each transition being a potential privacy exposure point).
For high-security personal use cases, always-on VPN with a kill switch provides the most complete protection against traffic leaks, DNS leaks, and accidental unencrypted connections.