With a VPN, you can blind your ISP from monitoring your online activities, hide your public IP address, and even make it appear as if you’re browsing the web from another country. Typically, you’d use a VPN client application to do all this, but maybe you want to configure Windows 11 to connect directly to a VPN. We break down how to do it—and why you generally shouldn’t.
PSA: Just Use a VPN App
This article focuses on commercial VPNs, not the VPNs provided and managed by corporate IT. If you’re using a corporate VPN, manual configuration absolutely makes sense but it will probably be handled by your company. Be sure to consult with your IT team before trying to do it yourself.
When it comes to commercial VPNs, the easiest way to use a VPN in Windows 11 is to install the client application provided by the VPN company of your choice. And in this case, the easiest option is also the best.
When you use a VPN’s client app, you interact through a graphical interface that’s much simpler than any alternative DIY method. Plus, the app will update with all the necessary configuration information to connect to any of the VPN’s servers. As you’ll see below, manual configuration means you have to keep those updated yourself, and you can only connect to the servers you have configuration information for. For some companies, that’s thousands of servers. Trust me, you want the app handling all that.
Most importantly, VPN apps give you access to all the features VPN companies provide as part of their offerings. VPN client apps let you use split tunneling to route specific app traffic in or out of the VPN connection, for example. That’s not really possible with a manual configuration for commercial VPNs, but is for corporate VPNs.
So, before you go further, consider just installing your VPN of choice’s client app. Unless you have a compelling reason, the official VPN app is going to be the better, easier choice every time.
Getting Started With Manual VPN Setup in Windows 11
If you’ve read this far, you either have a complicated technical reason for seeking to manually configure a VPN or you’re filled with hubris. Either way, the first thing to do is decide what kind of VPN connection you’re seeking to create and which VPN servers you want to use.
For the first question, it comes down to VPN protocol. This is the underlying technology that creates an encrypted connection between your device and the VPN server. There are a few standard options:
Most VPN companies no longer support PPTP or L2TP because they are older and less secure. You probably shouldn’t use these protocols unless you absolutely have to.
The IKEv2 protocol is supported on most devices by default, and it is a good choice for creating a secure VPN connection. However, using it requires the installation of special certificates on your device to authorize the connection. This adds some effort and will definitely take you to some of Windows’ lesser used areas.
OpenVPN and WireGuard are both open-source VPN protocols, which means that they’ve been picked over for any potential vulnerabilities. To use either of these protocols with Windows 11, you need to download official client software from their respective developers. And if you’re going to do that, you may as well just install the official VPN app.
Next you need to decide the VPN servers you want to connect to. Choosing servers that are close to you is more likely to yield better speeds, since your data won’t have to travel as far. If you want to tunnel past local restrictions or want your traffic to appear as if you’re in another country, you’ll want to select a more far-flung server.
Once you have that figured out, head to your VPN’s help page and dig around for official documentation on how to manually configure a VPN. Not every service supports every kind of manual configuration, and every service is slightly different. For the instructions below, I used the information from Proton VPN and Surfshark VPN, and while they should be similar to any other VPN service, it’s best to have the official instructions.
How a VPN Works
How to Configure WireGuard in Windows 11
WireGuard is rapidly becoming an industry standard among VPNs. It’s new, uses strong cryptography, and promises better speed than other protocols. Most devices don’t support WireGuard by default, and for Windows you’ll need to download special client software.
The first thing to do is head over to your VPN’s website and seek out the official instructions on how to configure WireGuard. For the example below, I’ll be using Proton VPN. Every service is slightly different in where it stores the necessary information, so keep the official documentation handy.
First, I logged into the VPN service’s portal and navigated to where it provides WireGuard configuration information. For Proton VPN(Opens in a new window), this is a single form that generates a configuration file based on the parameters you enter. Surfshark VPN(Opens in a new window) uses a step-by-step process a bit like a software Wizard to generate the files.
For Proton VPN and Surfshark VPN, I named the configuration, selected the platform I wanted to use (that is, what kind of device to connect to the VPN), and the location of the server I wanted to connect to. Proton VPN had toggles for some additional options and the Surfshark VPN Wizard asked me if I needed to generate cryptographic key pairs. Again, the service you use may be different. Once I made my selections I clicked the Create button and downloaded the configuration file.
Note that some WireGuard configurations have a time limit. Proton VPN files are good for one year, but can be extended during generation.
Next, I went to the official WireGuard website and downloaded the client app(Opens in a new window). It took a few seconds to install.
During installation, the WireGuard app warned me it didn’t have any configuration files. Not a problem. After dismissing the alert, the WireGuard app opened and the only available button was to import configuration files.
I clicked it, and navigated to the WireGuard configuration file I downloaded earlier.
Finally, I clicked the Activate button and my VPN connection was complete! Comparing my IP address with and without the VPN running, I confirmed that my public IP address was changed.
Note that the WireGuard client has the option to manage and store multiple configurations. Be sure to explore the options the client provides.
How to Configure OpenVPN in Windows 11
OpenVPN, like WireGuard, is open-source software and has long been the workhorse of most VPN companies. It’s a solid choice, and, while it might someday be eclipsed by WireGuard, that day is still a long way off. As with WireGuard, you’ll need to download configuration files from your VPN of choice and install the official WireGuard client application.
For the instructions below, I used Proton VPN(Opens in a new window), but most VPNs will have similar setups. Be sure to find the support documentation from your VPN of choice so you know where to find everything required to use OpenVPN.
First, I logged into the Proton VPN web portal and navigated to the section that holds the OpenVPN and IKEv2 username and password. I set this information aside for later.
Then I navigated to where Proton VPN lets users download OpenVPN configuration files. I selected the kind of device I’d be using (Windows, natch) and was then prompted to select UDP or TCP. Proton VPN explained the difference this way, and I’ve seen similar explanations in other VPN documentation: “UDP is faster and recommended in most situations, while TCP is more reliable and can bypass some censorship measures.”
Finally, I selected the VPN servers I wanted to use and downloaded the configuration file.
Note that some VPNs, including Proton VPN, include access to some advanced features with their configuration files. Proton VPN, for instance, provides instructions for using DNS filtering and multi-hop connections. Be sure to check your documentation or, better yet, just install the official client from your VPN.
Next, I went over to the OpenVPN website and downloaded the official client application(Opens in a new window). It installed in a few seconds.
I then right clicked on the OpenVPN icon in the task bar, selected Import, and then the Import File option. In the prompt, I navigated to the configuration file I downloaded earlier, and selected it.
Recommended by Our Editors
When prompted, I entered the username and password I’d saved earlier.
That done, I right clicked again on the OpenVPN task bar icon and selected Connect. This created a VPN connection, and I confirmed that my public IP address had changed.
Like WireGuard, the OpenVPN app can hold several different VPN configurations. Be sure to explore it.
How to Configure IKEv2 in Windows 11
IKEv2 is supported by default by Windows, so you won’t need to install any client software and can control the VPN connection right from the taskbar. However, you’ll likely have to install certificates to successfully connect. These need to be installed in just the right way or they won’t work. While IKEv2 is fine to use, WireGuard and OpenVPN are probably better choices. But the best choice of all? Simply installing your VPN’s default application.
For these instructions, I used Proton VPN. You should look for the official documentation from your VPN of choice so you can find the right configuration information and certificates.
One thing to note: Because this involves installing Trusted Root Certificates, it’s very important that you only use certificates you get from official documentation from a VPN you trust. This is another compelling reason not to use this particular method, but if you’ve read this far I suppose there’s no stopping you.
First, I had to gather some information necessary to create the VPN connection. I needed to get the exact server name of every VPN server I wanted to use. Proton VPN directed me, confusingly, to a page for OpenVPN configuration, but I easily snagged the server name. I saved this for later.
I also needed an IKEv2 username and password. This is different from the username and password I use to log in to the VPN service. Your VPN’s documentation will point you in the right direction. Note that you should be able to reset these credentials to new ones, if you are ever concerned the old ones have been compromised. Once I found this information, I set it aside.
Next I needed the appropriate certificates. The Proton VPN documentation had me download the certificate directly from the company’s site. Again, your VPN may differ in this step. After downloading the certificate file, I opened it and was prompted to install.
The documentation I used had me select the option to install on a Local Machine, then select the Place All Certificates in the Following Store option. From here, I was told to select the Trusted Root Certificate Authorities folder, then to click Next, then click Finish.
Now I was ready to enter all this information into Windows. I opened the Network & Internet control panel, clicked the VPN option, and then clicked Add VPN. Next, I worked through the form that appeared. The VPN provider is Windows. The connection name can be anything, but I used the service and the location. The Server Name or Address is the server name I copied before. The VPN type is IKEv2. The type of sign-in is username and password. I pasted the username and password from the VPN service into the appropriate fields. I then hit save.
A new option now appeared in Network Settings, showing the name I gave the VPN connection. I clicked Connect and the VPN was activated. Success! I verified that my public IP address had changed.
You can store any number of server configurations in this way, and it’s handy to have them accessible from the OS. However, you’re still limited to only the VPN servers you configure Windows to use.
Again, Just Use a VPN App
While there may be some unusual cases where you need to use the instructions above, it’s really best to stick with the official VPN app. It’s far easier to use, will be kept up to date automatically, and you get access to all the features you’re already paying for. This is one case where the most convenient option really is the best.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.