How to Set Up a VPN on Windows 11 (Built-in & Third-Party)

PC Technician
Windows 11NetworkSecurity

The Problem

You need encrypted traffic—to reach office files, appear on another country's catalog, or stay off public Wi-Fi snooping. Windows 11 includes a built-in VPN client, but most consumer services ship their own app. Picking the wrong path wastes an hour of menu digging.

Built-in VPN vs Third-Party App

| Use case | Best option | |----------|-------------| | Employer gave you server name, username, pre-shared key | Built-in (Settings or ms-settings:network-vpn) | | NordVPN, ExpressVPN, Proton, Mullvad subscription | Vendor app (WireGuard/OpenVPN handled for you) | | Self-hosted WireGuard on a NAS or VPS | WireGuard app from wireguard.com |

The Fix: Built-in VPN (Work / Manual Server)

Step 1: Gather Details From IT or Your Router

You need: VPN type (IKEv2, L2TP, PPTP—avoid PPTP if possible), server hostname or IP, username, password, and sometimes a pre-shared key or certificate.

Step 2: Add the Connection in Settings

  1. SettingsNetwork & internetVPNAdd VPN.
  2. Fill in:
    • VPN provider: Windows (built-in)
    • Connection name: anything memorable (e.g. Office VPN)
    • Server name or address: from IT
    • VPN type: IKEv2 (preferred) or L2TP/IPsec
    • Sign-in info: username and password
  3. Save, then click the connection → Connect.

Step 3: L2TP Pre-Shared Key (If Required)

  1. Win + Rncpa.cpl → your VPN entry → PropertiesSecurity.
  2. Choose Allow these protocols → enable Microsoft CHAP Version 2 and L2TP.
  3. Click Advanced settings → enter the pre-shared keyOK.

Step 4: Fix "Can't Connect" on Built-in VPN

  • Double-check server address and VPN type—IKEv2 on the server must match the client.
  • Temporarily disable third-party firewalls to test; re-enable after.
  • Services: ensure IKE and AuthIP IPsec Keying Modules and IPsec Policy Agent are Running (services.msc).

Third-Party VPN Apps (Consumer Services)

Step 1: Download From the Official Site Only

Get the installer from the provider's website or the Microsoft Store—not random download mirrors.

Step 2: Install and Sign In

Run the installer, log in, pick a country or "fastest server," and toggle Connect. Most apps install a virtual adapter and set DNS automatically.

Step 3: Enable Kill Switch (Recommended on Laptops)

In the app settings, turn on Kill switch or Block internet without VPN so traffic does not leak if the tunnel drops on café Wi-Fi.

Step 4: Split Tunneling (Optional)

Route only the browser through VPN, or exclude local printers, so home file shares still work—each app labels this differently under Split tunneling or Bypass.

WireGuard (Self-Hosted)

  1. Install WireGuard for Windows from wireguard.com.
  2. Import the .conf file your server admin generated (Import tunnel(s) from file).
  3. Click Activate. No separate username—keys are in the config file.

After Connecting

  • Browse to whatismyip.com—the IP should match the VPN exit, not your home ISP.
  • Slow speeds? Try another server or WireGuard instead of OpenVPN in the app.
  • Done with work? Disconnect VPN before gaming or local streaming—double NAT adds lag.

DNS errors only while VPN is on? Disconnect and follow DNS server not responding—stale VPN DNS is a common cause.