Starting a VPN automatically on boot with Windows XP

By | March 25, 2007

I recently needed to figure out how to make a Windows XP machine connect to a particular VPN automatically on reboot, before anyone logged into the machine. I eventually managed to assemble bits and pieces of information floating around the net into a working solution to the problem, but it wasn’t completely addressed in any single location, so I thought I’d stick the details in my blog for other people to Google and use (if you found this blog entry useful, please add a comment and let me know!).

The first thing I tried was to look for a property I could set on the VPN network connection to tell Windows that I wanted this connection to start automatically when the machine boots. I couldn’t find one; I doubt there is one.

After that, I considered setting the “Set as Default Connection” checkbox for the connection, but I couldn’t find any documentation of exactly what that would do, and I was worried that another user of the machine might muck with that setting, perhaps with good reason.

All I could think of at this point was to write a batch file that would start the VPN and then tell Windows to run that batch file on reboot.

The key to the first part, starting a VPN from a batch file, is a Windows command-line tool called “rasdial”. If you run “rasdial connection-name username password” from the command line or a batch file, the specified connection will be started with the specified username and password. Dandy!

The key to the second part, getting Windows XP to run a batch file during reboot, is a utility called AutoExnt that Microsoft distributes for free but doesn’t include with Windows. The utility is described at http://support.microsoft.com/kb/243486/en-us, and although that article doesn’t mention Windows XP, it works just fine for XP as well. You can download it from http://download.microsoft.com/ by searching for “Windows Server 2003 Resource Kit Tools”, which may or may not still be available at http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd when you read this blog entry. This should give you a file called rktools.exe, which when executed will install the tools on your hard disk, including the three files you need which are mentioned in the KB article referenced above.

With this knowledge in hand, here’s what you do to start a VPN when the machine boots:

  1. Create the file c:\windows\system32\autoexnt.bat and put “rasdial connection-name username password” in it.
  2. Copy the files autoexnt.exe, servmess.dll, and instexnt.exe from the resource kit tools folder you unpacked from the download mentioned above into c:\windows\system32.
  3. Run “instexnt install”.

That’s it!
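
A fuller autoexnt.bat for step 1, as an added example that is not the author's own file: it retries the dial while the network comes up, logs each rasdial exit code, and restricts the file's ACL because the file holds the VPN password in cleartext. The connection name, username, password placeholder, log path and retry counts are assumptions, as are an NTFS system drive and the AutoExNT service running as Local System.

```batch
@echo off
rem Added example of c:\windows\system32\autoexnt.bat (not the author's file).
rem "Office VPN", vpnuser, the password placeholder, the log path and the
rem retry counts below are assumptions chosen for illustration.
setlocal

set CONN=Office VPN
set VPNUSER=vpnuser
set VPNPASS=REPLACE-WITH-PASSWORD
set LOG=%SystemRoot%\Temp\autoexnt-vpn.log
set TRIES=0

rem This file contains a cleartext password. Replace its ACL with entries
rem for SYSTEM and Administrators only (requires NTFS). Without /E, cacls
rem replaces the ACL and asks for confirmation, which "echo y|" answers.
echo y| cacls "%~f0" /G SYSTEM:F Administrators:F >nul

:dial
set /a TRIES+=1
echo %DATE% %TIME% attempt %TRIES%: dialing "%CONN%" >>"%LOG%"
rasdial "%CONN%" %VPNUSER% "%VPNPASS%" >>"%LOG%" 2>&1
if not errorlevel 1 goto connected

rem A non-zero exit code means the dial failed; record it for troubleshooting.
echo %DATE% %TIME% rasdial failed with exit code %ERRORLEVEL% >>"%LOG%"
if %TRIES% GEQ 5 goto giveup

rem Windows XP has no timeout command; 31 pings to localhost wait about 30 s.
ping -n 31 127.0.0.1 >nul
goto dial

:connected
echo %DATE% %TIME% "%CONN%" is up >>"%LOG%"
goto end

:giveup
echo %DATE% %TIME% giving up after %TRIES% attempts >>"%LOG%"

:end
endlocal
```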


71 thoughts on “Starting a VPN automatically on boot with Windows XP”

  1. It's not complicated

    Why complicate things? Save your username and password for the VPN-connection, then use the command “C:\windows\system32\rasdial.exe ” with Scheduled tasks and the switch “While computer startup”. Create a special user in XP which runs the task. Then you don’t have the problem with password changes, etc.

    This simplifies everything and doesn’t require third party software and such.

    Reply
    1. jik Post author

      As I believe I’ve already explained, saved usernames and passwords don’t work with rasdial.exe, at least not in my experience.

      Reply
  2. Pingback: Connect To VPN Before Logging In To Windows « H-TIPE – A Grab Bag Of I.T. Miscellany

  3. jik Post author

    I’m not sure what version of rasdial.exe you’re using, but on my Windows XP professional, it doesn’t take a “-d” option.

    Furthermore, as noted above, rasdial.exe does not use the username and password configured into the VPN. I’ve just tested this again to confirm, and indeed, when I run “rasdial vpn_name” without a username and password, it doesn’t work, even though the VPN has a username and password configured, and when I connect to it through the desktop it successfully connects without prompting me for a username and password.

    If you have an explanation for why rasdial.exe uses the configured username and password when you use it but not when I use it, I’d love to hear it ;-).

    Reply
  4. chp101

    schtasks /create /tn vpn /tr "rasdial.exe -d VPN_CONNECTION_NAME" /sc onstart /ru YOUR_COMP\YOUR_USERNAME

    one-liner ^^ 😉

    PS if you happened to have blank password, there is a solution –

    Then HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse

    change the value from 1 to 0.

    Reply
  5. chp101

    A shorter / more secure way:

    1) Create VPN connection, save password, allow for anyone on your comp.
    2) Create vpn.cmd with rasdial.exe -d vpn_connection_name
    3) Use Task Scheduler to launch vpn.cmd at OS start

    No passwords in text files 😉

    Reply
  6. Chris Thompson

    Bravo, sir. Bravo. Exactly my same scenario. I’m trying to patch up someone else’s excuse for a server and right now that’s the only thing I can do for what I need. Great write-up.

    Reply
  7. Pingback: Automatic VPN startup when MS Windows starts | Записки Плюшевого Крыса

  8. ahmed bahaa

    Creating the batch to open the VPN connection was very, very helpful, thanks for that.

    Then I added the batch file to a GPO in my domain for specific users, and added the batch at restart, not login, under computer config, so it starts before the user tries to log in.

    Again, thanks for your valuable info.

    Reply
  9. jik Post author

    2) Create a scheduled task to run the bat file when the computer turns on?

    Scheduled tasks need to be run as a specific user and need to be configured with a password. If the password on the account changes, the scheduled task stops working. The method described above doesn’t have this problem.

    Reply
  10. Umm??

    Why didn’t you just…
    1) create a bat file with – rasdial connection-name username password
    2) Create a scheduled task to run the bat file when the computer turns on?

    Reply
  11. Reno

    Thanks for the information. I have another question!

    How can I deploy this to, let’s say, 300 remote computers?

    The remote computers are spread out all over the place, all with dynamic IPs, using a (user) account on Windows XP. Is there a script that users can run? I don’t want to give anyone the admin passwords, and I really don’t want to remote desktop to 300 computers if I can avoid it.

    I would really appreciate your help so much on this one!

    Thanks

    Reply
  12. The Don

    Awesome !! I’ve been looking all morning and this explained it all.

    Thanks.

    Reply
  13. Pingback: Automatic VPN startup when MS Windows starts | Записки Плюшевого Крыса

  14. Matthew

    This is brilliant. However, I am running into a problem, and this is probably a wild programming dream, but would there be any way to encrypt this? I run a large and wide state agency’s network; however, we have to utilize so many services from a central IT agency, which doesn’t see this as secure enough.

    Any ideas in improving the security around this?
    thanks for reading and commenting in advance.

    Reply
  15. Megan Walker

    Thank you! Didn’t really NEED to do this, just lazy and couldn’t be bothered to connect to it each time I worked from home. This works a treat! Was very happy to see it working this morning! Yeah!

    Reply
  16. Neel

    Hi All,

    All my machines are in Active Directory and spread across the location.
    I want to do ISA 2006 VPN. Is that possible with the solution given above?

    If yes, then I have a multisite VPN in a mesh topology; which ISA VPN’s credentials do I have to give?

    If I go for a hub-and-spoke topology with VPN, is that possible?

    How many VPN clients can connect to the same VPN server (ISA 2006)?

    Regards,
    Neel Naik

    Reply
  17. Ron

    That’s exactly what I needed.
    I just made a batch file and put a shortcut to it in the Autostart folder and it’s working just fine! Great thing!
    Thanks! 🙂

    Reply
  18. Derek

    Sometimes you need to wait for a service or an app to start up before rasdialing in, USB modem software for instance as it creates a virtual COM port. I use StartRight which can take your existing setup of services and startup folder items and control them. You can vary the order and introduce delays (important for me as I need to let USB drives spin up). Hope this helps.

    Reply
  19. Snagga

    I use rasdial “connection name” username “password” as a batch file and placed in the local computer startup/shutdown group policy. Worked for me. Thanks to all the posts.

    Reply
  20. mjl

    Thanks, worked a charm. Great document – saved me a huge amount of time and effort!

    Reply
  21. AhmetHT

    Thanks, jik, for the best information.

    Can I apply this to Windows 2003 Server PPPoE connections?

    Reply
  22. Keyvan

    Dear Jik,

    Thank you for your help. I am using a VPN autoconnected by rasdial and a batch file. But my question: my VPN is connected but there is no send/receive (because of problems with my office ISP), so I need to disconnect and reconnect the VPN. How may I check if there is an internet connection (I have send and receive)?

    Reply
  23. jik Post author

    Not sure it’s normal for the connection to drop when you log out. I don’t think I see that behavior. Don’t know about the other question.

    Reply
  24. Daniel

    Thanks for your very simple and correct guide. I did it exactly the way you explained it and it worked at the first attempt, like clockwork! Very nice work!

    I’m only left with two questions it seems. When I log out the VPN connection seems to drop, so I need to reboot in order to automatically reconnect again. Is that normal?

    And, when I’m logged in, I can browse the SMB network just fine (and fast as well) but I can’t get any active directory profile settings to work. The domain login script does not load, I have to do it from the client side. The users specific network drive does not connect and it won’t use the user profile as provided in ‘profile path’. Logically, this has nothing to do with the VPN connection, but since I’ve been stumbling back and forth with this I thought I’d just ask if anyone experienced the same thing?

    Again, nice work with the guide, thanks!

    Reply
  25. Fasulye

    Great. Good and helpful documentation. I could not find any clue about the rasdial command on Microsoft’s site. Thanks.

    Reply
  26. kavya

    I’m connecting to RAS using a smartcard. I want to know how to connect to RAS automatically at a scheduled time.

    Reply
  27. JAYG29

    Just a quick update, was able to sort by doing the following.

    rasdial “connection name” username “password”

    That worked for me!

    Thanks again jik

    Reply
  28. JAYG29

    Thanks for the response jik! I did try specifying the connection name but was still unsuccessful with that as well.

    Bummer – Thanks any way!

    Reply
  29. jik Post author

    You can’t use the default username and password. You have to specify them explicitly to rasdial.

    If you are explicitly specifying the connection name, username and password on the command line and it still isn’t working, that I can’t explain.

    Reply
  30. JAYG29

    Hi Guys,

    Having a similar problem, trying to create a batch to run a remote download on another machine. Tried using rasdial cmd but just keep getting an error on the username/password even though I’m telling it to use the default. Any suggestions on how I can force the default username/password? I have tried connection name [username [password]]

    Reply
  31. jik Post author

    Well, now, I appreciate the gratitude, but I imagine that my blog posting probably didn’t literally save your life. 🙂

    Reply
  32. Casey S

    You are a true hero. Not just the kind you see in movies or books, but the kind that you only see once or twice in a lifetime.

    Rasdial saved my life.

    Reply
  33. Pingback: How to start a VPN automatically on boot with Windows - David Overton's Blog

  34. BrianW

    I first asked all my buddies/IT admins on how to do this. Being able to find this saves a ton of headaches for field support issues.
    You Rock, and Thanks to Google more will be saved.

    Reply
  35. Dll Files Dude

    Wooohoo… we have a few of our users that have laptops and work from home… the only time they turn the computer on is.. to dial in via vpn, and this is going to help me a bunch.

    Some of these guys can barely turn on the thing… let alone remember to dial in hahah.

    Thanks Man.

    Reply
  36. ebasi

    Thanks! It works fine! I translate it in Bulgarian and post it in my blog!

    Reply
  37. jik Post author

    PS. Can’t you just add the batch file to the group policy startup scripts?

    I’ve never really played with group policies. I’m not sure, but I think they may be only applicable to domains, and there’s no domain where I was working out this problem.

    Reply
  38. Arya Parsi

    Thanks for the article – it saved me much pain trying to find a solution.

    I have a machine hosted remotely with a very fast internet connection (by my house’s standards), and need to be able to log into it remotely via the internet with a domain account. The domain controller is located at my house, so by forcing a dial in at startup it will successfully authenticate, and I will be pleased.

    I bet there are other ways of doing this, but this seems to work very well indeed. (If only I could do Cisco site-to-site VPN :p)

    Cheers again!

    PS. Can’t you just add the batch file to the group policy startup scripts?

    Reply
  39. Rune Kock

    AutoExnt doesn’t seem to be available for 64-bit Windows. I’ll try just adding rasdial as a scheduled task, and hope that works.

    Another important point is that the 64-bit version of rasdial (in c:\windows\syswow64) is buggy: it always sets the default gateway, whether you want it or not. Fortunately, the 32-bit rasdial is still available (in c:\windows\system32) and works as intended.

    Reply
  40. Scott

    jik,

    I am trying to do the exact same thing you did but cannot get it to work. I tried several different approaches with no solution yet. My command script is as follows:

    C:\windows\system32\rasdial [sharename] [user] [password]

    The file executes correctly from the command line but not upon a reboot. According to the log file I’ve created, the command script executes at reboot but doesn’t set up the VPN connection. The autoexnt service was originally set to run as Local User. I changed it first to run as the Administrator – that didn’t work – so I then tried running the service as the same user and same password that I use in the rasdial command (which happens to be the same as a username and password that exists on the machine). That didn’t work either. The service is set to automatic.

    The other issue I’m running into is that I want my VPN connection to persist even if a user logs off. Naturally, I’m having similar luck. According to a MS article the following procedure should make this work. But, of course it didn’t.

    Keeping RAS Connections Active After Logoff :

    The KeepRasConnections value entry in the Registry’s Winlogon key controls whether RAS maintains active connections after a user logs off. If you want your dial-up or VPN connections to remain live, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, add the value entry KeepRasConnections: REG_SZ: 1, and reboot. This entry doesn’t typically appear in the Winlogon key; you must create it with a Registry editor. See Microsoft Online Article Q158909 for more information.

    Any ideas on either?

    Reply
  41. Benbowski

    This was a huge help, thanks so much for posting this. I never would’ve considered this as an option for this problem!

    Reply
  42. Gregg

    Great one jik. Thanks. I never thought about the windows 2k3 tools for that. It’s the same kernel after all.

    In response to Merril, take my case as an example.

    I’m a uni student. Part of my course requires that I do an industrial project. I need a computer system dedicated to this web project as I need it to run 24/7 and get crawled by search bots at silly o’clock which is unpredictable (So my laptop is not the ideal solution here, having xp home, not being able to install xp pro due to warranty terms, and having difficulties using SSL with Apache web server, xp pro is my solution).

    This system must be connected to the net using a wireless connection to the initial layer, then a PPPoE connection, and over this, a VPN. Being a student, and not the top man at Information Services, I can’t change this.

    If I’m using remote desktop to do any maintenance/configuration, or windows updates does one of its “lovely” automatic reboots, my network connection would only reconnect wireless, leaving PPPoE and VPN disconnected. This solution allows for such (irritating) automatic downtime to be kept to a minimum by allowing automatic reconnection.

    I hope this explanation gives a realistic use case for this solution.

    Reply
  43. jik Post author

    You are making several incorrect assumptions, among which are the assumption that I have control over where the computer in question is located and the assumption that it is related to my work.

    Reply
  44. Merril

    Ahhh. Why do you place things on a remote machine to allow yourself and others to access it from work instead of placing them directly on a machine w/in the network and accessing them remotely when necessary.

    Sounds backwards.

    Reply
  45. jik Post author

    I need to be able to access the machine remotely even if no one has logged into it.

    Reply
  46. Merril

    The burning question is why do you need this on re-dial and not when you log in? Do you have other scripts that need to run on your work network? If so, why not just put them on a machine at work?

    Reply
