220-1102 | Chapter 60 of 131 | Objective 2.2

VPN Client Configuration

This chapter covers VPN client configuration for the CompTIA A+ Core 2 (220-1102) exam, specifically under Domain 2.0 (Security) and Objective 2.2 (Configure and secure basic mobile device and VPN connections). VPNs are a critical security technology for remote access, and the exam expects you to understand the different protocols, authentication methods, and configuration steps for client-side VPN setup. Approximately 5-10% of exam questions touch on VPN-related topics, often focusing on protocol differences (e.g., PPTP vs. L2TP/IPsec vs. SSTP vs. OpenVPN) and common configuration pitfalls. This chapter will give you the precise, exam-relevant knowledge to answer those questions confidently.

25 min read
Intermediate
Updated May 31, 2026

VPN: Secure Tunnel Through the Internet

Imagine you work in a high-security office building (the corporate network). To get inside, you must pass through a guarded lobby (the firewall) and show your badge (authentication). Now suppose you are working from a coffee shop (the public internet). You cannot just walk into the building from there. Instead, you use a private courier service (the VPN client) that picks up your documents (data packets), seals them in a tamper-proof, locked briefcase (encryption), and delivers them via a dedicated, invisible tunnel under the city streets (the VPN tunnel) directly to the building's loading dock (the VPN concentrator). The courier has a special key (tunnel authentication) that only the building's loading dock manager recognizes. Once inside, the briefcase is unlocked (decrypted) and your documents are handed to the internal mailroom (the corporate LAN). Anyone watching the courier on the streets only sees a courier van—they cannot see the briefcase's contents or even that the van is going to your building. This is exactly how a VPN works: it encapsulates and encrypts your IP packets inside another IP packet, creating a secure tunnel over an untrusted network. The coffee shop's Wi-Fi sees only encrypted traffic to the VPN server's IP address; it cannot inspect the actual data or destination inside the corporate network.

How It Actually Works

What is a VPN Client?

A VPN (Virtual Private Network) client is software installed on a device (Windows, macOS, Linux, iOS, Android) that establishes a secure, encrypted connection to a VPN server (or concentrator) located at the corporate network perimeter. The client creates a virtual network interface that routes traffic through the tunnel. All data sent over this tunnel is encapsulated, encrypted, and authenticated, protecting it from eavesdropping, tampering, and impersonation on the public internet.

Why Use a VPN?

Confidentiality: Encryption prevents unauthorized parties from reading data.

Integrity: An integrity check (a message authentication code computed over each packet) ensures data is not modified in transit; a packet whose check fails is dropped.

Authentication: Both endpoints verify each other's identity (mutual authentication).

Access Control: The VPN grants access to internal resources that are otherwise blocked from the internet.

Bypassing Geo-restrictions: The client appears to be at the VPN server's location.

How VPN Tunneling Works

The core mechanism is tunneling: taking a complete IP packet (the inner packet) and placing it inside another IP packet (the outer packet) as the payload. The outer packet has the source IP of the VPN client and destination IP of the VPN server. The inner packet has the source IP of the client (usually a virtual IP assigned by the VPN server) and the destination IP of the corporate resource. This encapsulation allows the inner packet to traverse the internet without revealing its true destination.

Step-by-step packet flow:
1. An application on the client sends data to an internal destination (e.g., 10.0.1.50).
2. The operating system's routing table directs the packet to the virtual VPN interface.
3. The VPN client encrypts the entire inner packet (original IP header and payload) and adds an integrity check.
4. It prepends a new outer IP header (source: the client's public IP, destination: the VPN server's public IP) plus the protocol-specific framing: UDP 4500 for IPsec NAT-T, UDP 1194 for OpenVPN, TCP 443 for SSTP, GRE for PPTP.
5. The encapsulated packet is sent over the internet to the VPN server.
6. The VPN server strips the outer headers, verifies the integrity check, decrypts the payload, and forwards the original inner packet to the internal network.
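The six steps above as an added, runnable illustration (not code from the original page or from any VPN product): a toy tunnel in PowerShell that builds an inner IPv4 packet, encrypts it with AES-CBC, authenticates it with HMAC-SHA256 (encrypt-then-MAC, the way ESP pairs a cipher with an integrity algorithm), prepends an outer IPv4 header, and then decapsulates it the way the server would. The addresses, keys and payload are constructed for the example; real IPsec and OpenVPN framing (SPI, sequence numbers, replay windows) is omitted.

```powershell
# Toy VPN encapsulation. Illustration only; not the page's or any vendor's code.
# Inner packet 10.0.0.5 -> 10.0.1.50 travels inside outer packet 203.0.113.7 -> 198.51.100.10.
# All addresses, keys and the payload below are constructed for this example.

function New-IPv4Header {
    param([string]$Source, [string]$Destination, [int]$PayloadLength, [int]$Protocol)
    $h = New-Object byte[] 20
    $h[0] = 0x45                                      # version 4, header length 5 x 4 = 20 bytes
    $total = 20 + $PayloadLength
    $h[2] = [byte]($total -shr 8); $h[3] = [byte]($total -band 0xFF)
    $h[8] = 64                                        # TTL
    $h[9] = [byte]$Protocol                           # 6 = TCP (inner packet), 50 = ESP (outer packet)
    [System.Net.IPAddress]::Parse($Source).GetAddressBytes().CopyTo($h, 12)
    [System.Net.IPAddress]::Parse($Destination).GetAddressBytes().CopyTo($h, 16)
    # Header checksum: one's-complement of the one's-complement sum of the 16-bit words.
    $sum = 0
    for ($i = 0; $i -lt 20; $i += 2) { $sum += ([int]$h[$i] -shl 8) + [int]$h[$i + 1] }
    while ($sum -gt 0xFFFF) { $sum = ($sum -band 0xFFFF) + ($sum -shr 16) }
    $chk = (-bnot $sum) -band 0xFFFF
    $h[10] = [byte]($chk -shr 8); $h[11] = [byte]($chk -band 0xFF)
    return ,$h
}

function Protect-InnerPacket {
    # Step 3: encrypt the whole inner packet, then MAC the IV + ciphertext.
    param([byte[]]$Inner, [byte[]]$EncKey, [byte[]]$MacKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $EncKey; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.GenerateIV()                                 # fresh random IV per packet, sent in the clear
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Inner, 0, $Inner.Length)
    $body = [byte[]]($aes.IV + $ct)
    $tag  = [System.Security.Cryptography.HMACSHA256]::new($MacKey).ComputeHash($body)
    return ,[byte[]]($body + $tag)
}

function Unprotect-InnerPacket {
    # Step 6 on the server: verify integrity FIRST, then decrypt.
    param([byte[]]$Body, [byte[]]$EncKey, [byte[]]$MacKey)
    $data = [byte[]]$Body[0..($Body.Length - 33)]     # IV + ciphertext
    $tag  = [byte[]]$Body[($Body.Length - 32)..($Body.Length - 1)]
    $expected = [System.Security.Cryptography.HMACSHA256]::new($MacKey).ComputeHash($data)
    $diff = 0                                         # constant-time comparison of the 32-byte tags
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'integrity check failed; packet dropped' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $EncKey; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.IV  = [byte[]]$data[0..15]
    return ,($aes.CreateDecryptor().TransformFinalBlock($data, 16, $data.Length - 16))
}

# Keys would come from the IKE / TLS handshake in a real VPN; here they are random for the demo.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$encKey = New-Object byte[] 32; $macKey = New-Object byte[] 32
$rng.GetBytes($encKey); $rng.GetBytes($macKey)

# Steps 1-4: application data, inner packet, encryption, outer header.
$payload = [System.Text.Encoding]::ASCII.GetBytes('GET /share/ HTTP/1.1')      # constructed application data
$inner   = [byte[]]((New-IPv4Header -Source '10.0.0.5' -Destination '10.0.1.50' -PayloadLength $payload.Length -Protocol 6) + $payload)
$body    = Protect-InnerPacket -Inner $inner -EncKey $encKey -MacKey $macKey
$outer   = [byte[]]((New-IPv4Header -Source '203.0.113.7' -Destination '198.51.100.10' -PayloadLength $body.Length -Protocol 50) + $body)

# Step 5: an observer on the coffee-shop Wi-Fi sees only the outer header.
'on the wire: {0} -> {1}, protocol {2}, {3} bytes' -f ([System.Net.IPAddress]::new([byte[]]$outer[12..15])), ([System.Net.IPAddress]::new([byte[]]$outer[16..19])), $outer[9], $outer.Length

# Step 6: the server strips the 20-byte outer header, checks the MAC, decrypts, and reads the inner packet.
$recovered = Unprotect-InnerPacket -Body ([byte[]]$outer[20..($outer.Length - 1)]) -EncKey $encKey -MacKey $macKey
'inside the tunnel: {0} -> {1}: {2}' -f ([System.Net.IPAddress]::new([byte[]]$recovered[12..15])), ([System.Net.IPAddress]::new([byte[]]$recovered[16..19])), ([System.Text.Encoding]::ASCII.GetString($recovered, 20, $recovered.Length - 20))

# Flipping one ciphertext bit in transit is rejected by the HMAC before decryption is attempted.
$tampered = [byte[]]$outer[20..($outer.Length - 1)]
$tampered[40] = $tampered[40] -bxor 0x01
try { Unprotect-InnerPacket -Body $tampered -EncKey $encKey -MacKey $macKey | Out-Null } catch { "server: $($_.Exception.Message)" }
```

The design point worth noticing is the order of operations in Unprotect-InnerPacket: the tag is checked before the ciphertext is handed to the cipher, so a forged or corrupted packet never reaches the decryption or parsing code. That is the same reason ESP authenticates the ciphertext rather than the plaintext.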

VPN Protocols on the 220-1102 Exam

The exam tests four main VPN protocols:

PPTP (Point-to-Point Tunneling Protocol): Uses TCP port 1723 for the control channel and GRE (IP protocol 47) for the tunneled data. It is outdated: MPPE encryption (40-, 56- or 128-bit RC4) is keyed from the MS-CHAPv2 handshake, and that handshake can be broken offline, so a captured session can be decrypted. Microsoft has deprecated PPTP (together with L2TP) in its current Windows releases and recommends SSTP or IKEv2 instead. Exam tip: PPTP is the least secure; avoid it in modern environments.

L2TP/IPsec (Layer 2 Tunneling Protocol with IPsec): L2TP itself provides no encryption; it relies on IPsec for confidentiality and integrity. IPsec uses UDP port 500 (IKE), UDP port 4500 (NAT-T) and ESP (IP protocol 50); the L2TP session on UDP port 1701 is carried inside the IPsec tunnel, but the exam lists all three UDP ports. It is more secure than PPTP but can be slower due to double encapsulation. Exam tip: L2TP/IPsec is common for site-to-site and remote access; the IPsec layer is authenticated with a pre-shared key or certificates, and the user then signs in (usually with MS-CHAPv2) inside the tunnel.

SSTP (Secure Socket Tunneling Protocol): Uses HTTPS (TCP port 443) to traverse firewalls. Encapsulates PPP frames over TLS. A Microsoft protocol, native on Windows since Vista SP1; the client must trust the server's TLS certificate or the connection fails before any credential is sent. Exam tip: SSTP is ideal for bypassing strict firewalls because it looks like normal HTTPS traffic.

OpenVPN: Open-source protocol that uses TLS for key exchange and can run over UDP (default port 1194) or TCP (commonly port 443 so it passes firewalls). Highly configurable; supports certificates, username/password, and two-factor authentication. Exam tip: OpenVPN is considered very secure and flexible; not native on Windows but available via third-party clients.

Authentication Methods

Pre-Shared Key (PSK): A shared secret configured on both client and server. Simple but less secure: every client uses the same key, it cannot be revoked for a single user, and if it leaks the IPsec layer of the entire VPN is exposed.

Certificates: Use PKI (Public Key Infrastructure). Each client has a unique certificate signed by a Certificate Authority (CA). Provides stronger authentication and can be revoked individually.

Username/Password (MS-CHAPv2, directly or wrapped in EAP): Often used with L2TP/IPsec or SSTP. Can be combined with certificates for two-factor authentication.

Two-Factor Authentication (2FA): Adds a one-time code (e.g., from a token or smartphone app) on top of username/password. Common with OpenVPN and SSL VPNs.

Configuration Steps for Windows 10/11

1. Open Settings > Network & Internet > VPN.
2. Click Add a VPN connection.
3. Fill in the fields:
- VPN provider: Windows (built-in)
- Connection name: e.g., "Corporate VPN"
- Server name or address: public IP or FQDN of the VPN server
- VPN type: Automatic, PPTP, L2TP/IPsec with certificate, L2TP/IPsec with pre-shared key, SSTP, or IKEv2
- Type of sign-in info: user name and password, certificate, smart card, or one-time password
4. Save, then select the connection and click Connect.

Note: Choosing the VPN type "L2TP/IPsec with pre-shared key" adds a Pre-shared key field directly to the Settings form. The key can also be set afterwards from the classic Control Panel: open Change adapter options, right-click the VPN connection, and select Properties > Security > Advanced settings.

Verification Commands

ipconfig /all: Shows the virtual VPN interface and its assigned IP address.

ping <internal-IP>: Tests connectivity to internal resources.

tracert <internal-IP>: Shows the path; if the first hop is the VPN server's internal IP, traffic is going through the tunnel.

netstat -r: Displays the routing table. A VPN typically adds a default route or specific routes for the corporate network.
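The configuration steps and the verification commands above, as an added example that is not part of the original page: the same profiles the Settings form creates, built from an elevated PowerShell prompt, followed by the PowerShell equivalents of ipconfig /all, netstat -r and tracert. The server name vpn.example.com, the connection names, the user name jdoe, the pre-shared key and the internal address 10.0.1.50 are placeholders for this illustration.

```powershell
# Added example: create and verify Windows built-in VPN profiles from PowerShell.
# vpn.example.com, the profile names, 'jdoe', the PSK and 10.0.1.50 are placeholders.

$Server = 'vpn.example.com'

# L2TP/IPsec: the PSK authenticates the IPsec (IKE) layer; MS-CHAPv2 authenticates the user
# inside the PPP session. -RememberCredential caches the user credential after the first dial.
Add-VpnConnection -Name 'Corporate VPN (L2TP)' -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk 'replace-with-the-real-psk' -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# SSTP: TLS on TCP 443. The server certificate must chain to a root the client trusts.
# Certificate-based user sign-in would use -AuthenticationMethod Eap with an EAP-TLS profile
# passed through -EapConfigXmlStream instead of MSChapv2.
Add-VpnConnection -Name 'Corporate VPN (SSTP)' -ServerAddress $Server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -Force

# Review what Windows stored. TunnelType and AuthenticationMethod must match the server side;
# SplitTunneling False means a full tunnel (default route through the VPN).
Get-VpnConnection | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling, ConnectionStatus

# Dial the L2TP profile. rasdial prints the RAS error number on failure (691 = credentials
# rejected, 800 = server unreachable). '*' prompts for the password instead of putting it on the command line.
rasdial 'Corporate VPN (L2TP)' 'jdoe' '*'

# Post-connect checks on the tunnel interface (ConnectionStatus reads Connected or Disconnected).
$Vpn = 'Corporate VPN (L2TP)'
(Get-VpnConnection -Name $Vpn).ConnectionStatus

# ipconfig /all equivalent: the virtual IP the server assigned to the tunnel interface.
Get-NetIPAddress -InterfaceAlias $Vpn -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength

# DNS servers pushed through the tunnel; empty here explains why internal names do not resolve.
Get-DnsClientServerAddress -InterfaceAlias $Vpn -AddressFamily IPv4 | Select-Object ServerAddresses

# netstat -r equivalent, filtered to the tunnel: a 0.0.0.0/0 entry means full tunnel,
# only corporate prefixes means split tunnel.
Get-NetRoute -InterfaceAlias $Vpn -AddressFamily IPv4 | Select-Object DestinationPrefix, NextHop, RouteMetric

# tracert equivalent: the first hop toward an internal host should be the tunnel gateway,
# not the home or coffee-shop router.
Test-NetConnection -ComputerName '10.0.1.50' -TraceRoute | Select-Object -ExpandProperty TraceRoute
```

Remove-VpnConnection -Name 'Corporate VPN (L2TP)' -Force deletes a profile again. The Get-VpnConnection output is the quickest way to confirm the "protocol mismatch" and "authentication mismatch" cases on a user's machine without clicking through the Settings dialogs.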

Split Tunneling vs. Full Tunneling

Full Tunneling: All client traffic (including internet-bound) goes through the VPN. More secure but uses more bandwidth on the corporate link.

Split Tunneling: Only traffic destined for the corporate network goes through the VPN; other traffic goes directly to the internet. Less secure because internet-bound traffic bypasses the corporate firewall, proxy and monitoring, and the client is attached to both networks at once, but it reduces load on the VPN server and the corporate link.

Exam tip: The exam may ask which is more secure—full tunneling is more secure.

Common Issues and Troubleshooting

Authentication failures: Wrong username/password, expired certificate, or mismatched PSK.

Protocol mismatch: Client and server must support the same protocol.

Firewall blocking: PPTP needs TCP 1723 plus GRE (IP protocol 47); L2TP/IPsec needs UDP 500, 1701, 4500 (and ESP, IP protocol 50, when NAT-T is not in use); SSTP needs TCP 443; OpenVPN needs UDP 1194 or TCP 443. A firewall that passes the TCP/UDP ports but not GRE or ESP breaks PPTP and non-NAT-T IPsec even though the initial handshake appears to succeed.

NAT traversal: IPsec NAT-T wraps ESP in UDP 4500 so the tunnel survives a NAT device; without it, ESP (IP protocol 50) has no port numbers for the NAT to rewrite and the connection fails after IKE completes.

DNS resolution: VPN may push DNS servers; if not set, internal names won't resolve.
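A pre-flight check that covers the failure classes listed above, as an added example (not code from the original page): it resolves the server name, probes the TCP listeners that can be probed, flags the UDP ports that need a firewall review, confirms the Windows services the built-in client depends on, and for L2TP reads the NAT-T registry setting that decides whether a client and server both behind NAT can negotiate at all. vpn.example.com is a placeholder; the port, service and registry names are the real ones.

```powershell
# Added example: pre-flight checks for a Windows VPN client before the first dial.
# vpn.example.com is a placeholder server name.

function Get-RasErrorHint {
    # Translate the RAS error numbers that rasdial / the Settings dialog report.
    param([int]$Code)
    switch ($Code) {
        691 { 'credentials rejected by the server (username, password, or authentication method mismatch)' }
        789 { 'L2TP/IPsec security layer failed: pre-shared key or certificate mismatch, or IPsec services stopped' }
        800 { 'server not reachable: wrong address, or the tunnel ports are blocked' }
        809 { 'no response from the server: firewall or NAT between client and server (see the NAT-T check)' }
        812 { 'rejected by server policy: authentication or encryption settings do not match the server' }
        default { "RAS error $Code: check the Application event log, source RasClient" }
    }
}

function Test-VpnPrerequisite {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][ValidateSet('Pptp', 'L2tp', 'Sstp', 'Ikev2', 'OpenVPN')][string]$TunnelType
    )
    $results = [ordered]@{}

    # 1. Name resolution. A typo in the FQDN shows up as error 800, not as an authentication failure.
    try   { $results['Resolves'] = [bool](Resolve-DnsName -Name $Server -Type A -ErrorAction Stop) }
    catch { $results['Resolves'] = $false }

    # 2. TCP listeners can be probed with a plain connect. UDP ports (and GRE/ESP, which have no
    #    ports at all) cannot, so they are listed for a firewall-rule review instead.
    $tcpPort = switch ($TunnelType) { 'Pptp' { 1723 } 'Sstp' { 443 } 'OpenVPN' { 443 } default { $null } }
    if ($tcpPort) {
        $results["Tcp$tcpPort"] = (Test-NetConnection -ComputerName $Server -Port $tcpPort -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $udpPorts = @(switch ($TunnelType) { 'L2tp' { 500, 4500, 1701 } 'Ikev2' { 500, 4500 } 'OpenVPN' { 1194 } default { } })
    if ($udpPorts.Count) { $results['UdpToReview'] = $udpPorts -join ',' }
    if ($TunnelType -eq 'Pptp') { $results['IpProtocolToReview'] = 'GRE (47)' }
    if ($TunnelType -in 'L2tp', 'Ikev2') { $results['IpProtocolToReview'] = 'ESP (50) unless NAT-T on UDP 4500 is used' }

    # 3. Local services: RasMan for every tunnel type; IKEEXT and PolicyAgent for anything using IPsec.
    $services = @('RasMan')
    if ($TunnelType -in 'L2tp', 'Ikev2') { $services += 'IKEEXT', 'PolicyAgent' }
    foreach ($s in $services) {
        $results["Svc_$s"] = (Get-Service -Name $s -ErrorAction SilentlyContinue).Status -eq 'Running'
    }

    # 4. NAT-T policy for L2TP/IPsec: 0 (default) refuses a server behind NAT, 1 allows a server
    #    behind NAT, 2 allows client and server both behind NAT. Changing it requires a reboot.
    if ($TunnelType -eq 'L2tp') {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
        $val = (Get-ItemProperty -Path $key -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
        $results['AssumeUDPEncapsulationContextOnSendRule'] = if ($null -eq $val) { 'not set (0)' } else { $val }
    }
    [pscustomobject]$results
}

Test-VpnPrerequisite -Server 'vpn.example.com' -TunnelType L2tp
Get-RasErrorHint -Code 809
```

Run the check on the user's machine, not from the help desk: the interesting failures (a hotel firewall dropping UDP 500, a stopped IKEEXT service, the NAT-T value left at 0 on a home router) are all local to the client's network position.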

Walk-Through

1

Choose VPN Protocol

Select the VPN protocol based on security requirements and firewall policies. For the exam, know that PPTP is obsolete and insecure; L2TP/IPsec is secure but may be blocked; SSTP uses TCP 443 to bypass firewalls; OpenVPN is highly configurable. The protocol determines the ports and encryption used.

2

Configure VPN Client Software

Install the VPN client if not built-in (e.g., OpenVPN GUI). On Windows, use built-in VPN client via Settings > VPN. Enter the server address (IP or FQDN), select the VPN type, and set authentication method (user/pass, certificate, or smart card). For L2TP/IPsec, you must enter the pre-shared key in advanced properties.

3

Set Authentication Credentials

Provide the username and password, or install a client certificate. For certificate-based authentication, the certificate must be trusted by the VPN server (i.e., issued by a CA the server trusts). On Windows, user certificates are stored in the user's certificate store (machine certificates for IKEv2 machine authentication go in the computer store). If using MS-CHAPv2, the client never sends the password; it answers a server challenge with a response derived from the NT password hash. That exchange is known to be breakable offline, which is why MS-CHAPv2 belongs inside a protected tunnel (SSTP or L2TP/IPsec) rather than over PPTP.

4

Adjust Routing and DNS Settings

The VPN client typically receives a virtual IP address and DNS server addresses from the VPN server (via PPP's IPCP for PPTP, L2TP and SSTP, or via the IKEv2 configuration payload). The client's routing table is modified: either a default route (full tunnel) or specific routes for the corporate network (split tunnel). Verify with `route print` on Windows or `netstat -rn` on macOS/Linux.

5

Test and Verify Connectivity

After connection, use `ipconfig` to confirm the VPN interface has an IP. Ping an internal resource (e.g., 10.0.1.1). Use `tracert` to see if traffic goes through the VPN. Check that DNS resolves internal names. If using split tunneling, ensure internet traffic does not go through the VPN.

What This Looks Like on the Job

In enterprise environments, VPN client configuration is a daily task for IT support. Consider a company with 500 remote employees who need access to internal file servers and ERP applications. The IT team deploys a Windows Server with Routing and Remote Access Service (RRAS) configured as a VPN server using SSTP, because SSTP uses TCP 443 and is rarely blocked by hotel or coffee shop firewalls. Employees use the built-in Windows VPN client. The company issues client certificates via Active Directory Certificate Services for authentication, eliminating the need for passwords. This provides strong security and allows revocation of a single certificate if a laptop is lost.

Another scenario: A small business uses a third-party VPN product (e.g., OpenVPN) to connect branch offices. They configure a site-to-site VPN but also allow remote access for a few teleworkers. The OpenVPN server uses UDP 1194, and clients have configuration files with embedded certificates. The challenge is firewall rules: the company's firewall must allow UDP 1194 inbound, and the client's home router must allow UDP 1194 outbound (often not an issue). Performance is a concern: with 50 simultaneous connections, the VPN server's CPU and bandwidth must be adequate.

A common misconfiguration is forgetting to enable IP forwarding on the VPN server. Without it, the server receives the decrypted packets but cannot route them to the internal network. Another issue is DNS: if the VPN server does not push internal DNS servers, users cannot resolve internal hostnames by name. They might use IPs, but that's not scalable. Also, split tunneling is often misconfigured: if the corporate subnet is 10.0.0.0/8 but the route is set to 10.0.0.0/16, traffic to 10.1.0.1 does not match the /16 and therefore bypasses the tunnel, while traffic to 10.0.1.50 works, which makes the problem look intermittent. These real-world pitfalls are exactly what the exam tests—understanding the underlying routing and DNS behavior.
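The split-tunnel pitfall in the paragraph above, and the routing-table check in walk-through step 4, as an added example (not code from the original page): a small longest-prefix-match routine shows, offline, which destinations a given set of tunnel routes captures, and the last lines apply the corrected route to a real profile. The connection name "Corporate VPN", the prefixes and the test addresses are assumed for the illustration.

```powershell
# Added example: why a /16 split-tunnel route misses part of a /8 corporate network.
# 'Corporate VPN', the prefixes and the addresses are placeholders for this illustration.

function ConvertTo-IPv4Int64 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPv4InPrefix {
    # True when $Address falls inside $Prefix (CIDR notation).
    param([string]$Address, [string]$Prefix)
    $network, $length = $Prefix -split '/'
    $length = [int]$length
    # Mask with the top $length bits set, computed arithmetically (exact in double for 2^32).
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
    return ((ConvertTo-IPv4Int64 $Address) -band $mask) -eq ((ConvertTo-IPv4Int64 $network) -band $mask)
}

function Resolve-TunnelDecision {
    # Longest-prefix match against the tunnel routes; anything unmatched goes out the local interface.
    param([string]$Destination, [string[]]$TunnelPrefixes)
    $match = $TunnelPrefixes |
        Where-Object { Test-IPv4InPrefix -Address $Destination -Prefix $_ } |
        Sort-Object { [int]($_ -split '/')[1] } -Descending |
        Select-Object -First 1
    if ($match) { "via VPN ($match)" } else { 'direct to the internet (not tunnelled)' }
}

$targets = '10.0.1.50', '10.1.0.1', '8.8.8.8'       # constructed test destinations

'--- misconfigured: only 10.0.0.0/16 is routed into the tunnel ---'
$targets | ForEach-Object { '{0,-10} {1}' -f $_, (Resolve-TunnelDecision -Destination $_ -TunnelPrefixes @('10.0.0.0/16')) }

'--- corrected: the whole 10.0.0.0/8 is routed into the tunnel ---'
$targets | ForEach-Object { '{0,-10} {1}' -f $_, (Resolve-TunnelDecision -Destination $_ -TunnelPrefixes @('10.0.0.0/8')) }

# Apply the corrected route to a real Windows profile. Add-VpnConnectionRoute only works on a
# profile with split tunneling enabled; the routes are installed each time the tunnel comes up.
Set-VpnConnection -Name 'Corporate VPN' -SplitTunneling $true -Force
Add-VpnConnectionRoute -ConnectionName 'Corporate VPN' -DestinationPrefix '10.0.0.0/8' -PassThru

# While connected, ask Windows which route it actually selects for a host in the corporate range;
# the InterfaceAlias should be the VPN connection, not the Wi-Fi adapter.
Find-NetRoute -RemoteIPAddress '10.1.0.1' | Select-Object -Last 1 | Format-List DestinationPrefix, NextHop, InterfaceAlias
```

With only the /16 present, 10.0.1.50 is reported as tunnelled and 10.1.0.1 as direct; with the /8, both go through the VPN and 8.8.8.8 still goes direct, which is the behaviour a split tunnel is supposed to have.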

How 220-1102 Actually Tests This

The 220-1102 exam tests VPN client configuration under Objective 2.2: 'Configure and secure basic mobile device and VPN connections.' Specific topics include:

Identifying VPN protocols (PPTP, L2TP/IPsec, SSTP, OpenVPN) and their ports.

Understanding authentication methods (PSK, certificates, username/password).

Configuring VPN on Windows 10/11.

Troubleshooting common issues (authentication, firewall, routing).

Common wrong answers and why candidates choose them:
1. Question: Which VPN protocol is most secure? Wrong answer: PPTP (because it's simple). Reality: PPTP is insecure; OpenVPN or IKEv2 are more secure.
2. Question: What port does SSTP use? Wrong answer: UDP 1701 (that's L2TP). Candidates confuse L2TP and SSTP. SSTP uses TCP 443.
3. Question: What does split tunneling do? Wrong answer: It encrypts all traffic. Reality: Split tunneling only encrypts traffic to the corporate network; internet traffic goes unencrypted.
4. Question: Which authentication method uses a shared secret? Wrong answer: Certificates. Reality: Pre-shared key (PSK) uses a shared secret; certificates use PKI.

Specific numbers and terms that appear verbatim:
- PPTP: TCP 1723, GRE (IP protocol 47)
- L2TP: UDP 1701, uses IPsec (UDP 500, 4500)
- SSTP: TCP 443
- OpenVPN: UDP 1194 (default), TCP 443
- IKEv2: UDP 500, 4500 (used with IPsec)

Edge cases the exam loves:
- If a VPN connection succeeds but you cannot access internal resources, the issue is likely routing (split tunnel missing a route) or DNS (no internal DNS server).
- If a VPN connection fails with error 691, it's an authentication failure (wrong username/password).
- If a VPN connection fails with error 800, the client could not reach the server (wrong address or firewall blocking).

How to eliminate wrong answers:
- If the question mentions 'most secure,' eliminate PPTP and any protocol without encryption (L2TP alone).
- If the question mentions 'bypasses firewalls,' look for SSTP or OpenVPN on TCP 443.
- If the question mentions 'built-in Windows,' PPTP, L2TP/IPsec, SSTP and IKEv2 are native; OpenVPN requires third-party software.
- For authentication, if the question says 'no password,' think certificates.

Key Takeaways

PPTP is obsolete; use L2TP/IPsec, SSTP, or OpenVPN.

L2TP itself does not encrypt; it requires IPsec.

SSTP uses TCP port 443, allowing it to bypass most firewalls.

OpenVPN is open-source and highly configurable; uses UDP 1194 or TCP 443.

Full tunneling routes all traffic through the VPN; split tunneling routes only corporate traffic.

Common VPN authentication: pre-shared key, certificates, username/password, or two-factor.

Windows built-in VPN supports PPTP, L2TP/IPsec, SSTP, and IKEv2.

Troubleshoot connectivity: check firewall ports, authentication, and routing tables.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Full Tunneling

All traffic (corporate and internet) goes through the VPN tunnel.

More secure: all traffic is encrypted and subject to corporate security policies.

Higher bandwidth usage on corporate internet link.

Client's public IP is the VPN server's IP for all traffic.

Common in high-security environments.

Split Tunneling

Only corporate-bound traffic goes through the VPN; internet traffic goes directly.

Less secure: internet traffic is not encrypted and may bypass corporate security controls.

Reduces load on corporate internet link.

Client's public IP is its own for internet traffic; VPN server's IP for corporate traffic.

Common when client needs local internet access (e.g., printing, streaming) without latency.

Watch Out for These

Mistake

PPTP is secure enough for modern use.

Correct

PPTP's MS-CHAPv2 authentication can be broken offline, and the MPPE (RC4) session keys are derived from that exchange, so captured traffic can be decrypted. Microsoft has deprecated it. It should never be used for any sensitive data.

Mistake

L2TP provides encryption by itself.

Correct

L2TP is a tunneling protocol only; it does not encrypt data. It must be combined with IPsec to provide confidentiality. Without IPsec, L2TP traffic is in plaintext.

Mistake

A VPN always hides your IP address.

Correct

A VPN hides your IP from the destination server, but the VPN server sees your real IP. Also, if the VPN client leaks DNS requests or uses split tunneling, your IP may be exposed.

Mistake

Split tunneling is more secure than full tunneling.

Correct

Split tunneling is less secure because internet-bound traffic goes directly to the internet, bypassing the VPN's encryption and security policies. Full tunneling forces all traffic through the VPN, providing consistent security.

Mistake

You can use any VPN protocol on any port.

Correct

Each protocol uses specific ports (e.g., PPTP uses TCP 1723 and GRE; L2TP/IPsec uses UDP 500, 1701, 4500; SSTP uses TCP 443). Changing ports may break functionality unless the VPN server is configured to listen on an alternate port.


Frequently Asked Questions

What is the difference between PPTP and L2TP/IPsec?

PPTP uses TCP 1723 and GRE, with MPPE encryption (128-bit RC4). It is less secure and deprecated. L2TP/IPsec uses UDP 500, 1701, and 4500 (for NAT-T). L2TP provides tunneling, and IPsec provides encryption (AES or 3DES) and authentication. L2TP/IPsec is more secure but can be slower due to double encapsulation.

Can I use SSTP on a non-Windows device?

SSTP is a Microsoft proprietary protocol, so native support is limited to Windows. On other platforms, you may need third-party clients or use alternative protocols like OpenVPN or IKEv2.

What ports need to be open for L2TP/IPsec?

L2TP uses UDP 1701, but that session is carried inside the IPsec tunnel. IPsec uses UDP 500 for IKE (key exchange) and UDP 4500 for NAT-T, which wraps ESP in UDP when a NAT device sits between client and server. Without NAT, ESP (IP protocol 50) and, if configured, AH (IP protocol 51) must be allowed as their own IP protocols; with NAT-T in use, allowing UDP 4500 covers the ESP traffic.

Why does my VPN connection fail with error 691?

Error 691 indicates an authentication failure. This means the username, password, or other credentials (e.g., certificate) are incorrect or not accepted by the VPN server. Double-check credentials, ensure the account is active, and verify that the authentication method matches the server's configuration.

What is the difference between a VPN client and a VPN server?

A VPN client initiates the connection and is typically installed on an end-user device (laptop, smartphone). A VPN server (or concentrator) accepts incoming connections, authenticates clients, and routes traffic to the internal network. The client is the 'dialer'; the server is the 'answerer'.

What is IPsec and how does it relate to VPN?

IPsec is a suite of protocols for securing IP communications by authenticating and encrypting each IP packet. It can be used with L2TP (L2TP/IPsec) or as a standalone VPN (IKEv2). IPsec operates in two modes: transport mode (secures only payload) and tunnel mode (encapsulates entire IP packet).

How do I configure a VPN on Windows 10?

Go to Settings > Network & Internet > VPN > Add a VPN connection. Enter the server address, choose the VPN type (PPTP, L2TP/IPsec with certificate or with pre-shared key, SSTP, IKEv2), and select the sign-in method. Choosing 'L2TP/IPsec with pre-shared key' adds a field for the key on the same form. Save and connect.
