How to Check VPN Connection Status in Batch Script
In a secure computing environment, knowing whether your VPN (Virtual Private Network) is active is critical. Whether you are automating file transfers over a secure tunnel or building a "kill switch" that prevents internet access when the VPN drops, a reliable Batch script can monitor your connection state in the background. Windows provides several low-level network tools that can identify the presence of a VPN adapter or an active dial-up session.
This guide will explain how to use native tools like rasdial, ipconfig, netsh, and route to determine if your VPN is currently connected.
Method 1: Using RASDIAL (For standard Windows VPNs)
If you are using the built-in Windows VPN client (PPTP, L2TP, IKEv2), the rasdial command is the most effective way to check status. When called without parameters, rasdial lists only the currently connected VPN sessions.
Basic Detection Script
@echo off
setlocal
set "VPNName=MyCompanyVPN"
:: Run rasdial and search for your VPN name in the output
rasdial | findstr /i /C:"%VPNName%" >nul
if %errorlevel% equ 0 (
    echo [STATUS] VPN "%VPNName%" is CONNECTED.
) else (
    echo [STATUS] VPN "%VPNName%" is DISCONNECTED.
)
endlocal
pause
Even if you only want to know whether any VPN is active, match on the name of your VPN connection rather than on status words like "Connected to", which change across Windows language packs. The name you gave the connection stays the same regardless of the OS language.
Method 2: Using NETSH (For 3rd Party VPNs like OpenVPN)
Many third-party VPN clients (like OpenVPN, NordVPN, or WireGuard) create a specialized virtual network adapter. A common mistake is to search ipconfig for adapter keywords like "TAP" or "Tunnel". This is unreliable because ipconfig lists adapter names even when they are disconnected, and the keyword "Tunnel" also matches built-in IPv6 tunnel adapters (Teredo, ISATAP) that have nothing to do with your VPN.
Instead, use netsh interface show interface, which displays each adapter's connection state on a single line.
Detection Script via Adapter State
@echo off
setlocal
echo Checking for active VPN adapters...
:: Set this to a keyword in your VPN adapter's name
:: (e.g., "TAP", "WireGuard", "Wintun", "AnyConnect")
set "AdapterKey=TAP"
:: netsh shows one line per adapter: Admin State, State, Type, Name
:: 1. Filter for lines matching the VPN adapter keyword
:: 2. Exclude any line showing "Disconnected"
:: 3. Confirm the remaining line shows "Connected"
:: /C: makes findstr treat the keyword as one literal string, even if it contains spaces
netsh interface show interface | findstr /i /C:"%AdapterKey%" | findstr /v /i "Disconnected" | findstr /i "Connected" >nul
if %errorlevel% equ 0 (
    echo [OK] VPN adapter matching "%AdapterKey%" is connected.
) else (
    echo [ALERT] No active VPN adapter detected.
)
endlocal
pause
To find the correct keyword for your VPN adapter, run netsh interface show interface while connected and look for the adapter name your VPN client created (e.g., TAP-Windows Adapter V9, WireGuard Tunnel: wg0).
Method 3: Checking for a Specific Gateway or Route
Sometimes a VPN is "Connected" but not actually passing traffic. A more thorough check is to verify if your computer's routing table has changed to include the VPN's gateway.
@echo off
setlocal
:: Replace with the internal IP range of your company network
set "CompanyNet=10.0.0."
route print | find "%CompanyNet%" >nul
if %errorlevel% equ 0 (
    echo [SUCCESS] Internal routes are active. VPN is working.
) else (
    echo [FAILURE] Internal routes missing. VPN is likely down.
)
endlocal
pause
Practical Use Case: Simple "Kill Switch" Script
Here is a practical script that checks the VPN every 30 seconds. If the VPN is lost, it kills a specific application (like a torrent client or a browser) to prevent leaking your real IP address.
@echo off
setlocal
set "AppToKill=browser.exe"
set "VPNAdapter=TAP"
:MonitorLoop
:: Check if the VPN adapter is both present AND connected
:: /C: keeps an adapter keyword that contains spaces as one literal string
netsh interface show interface | findstr /i /C:"%VPNAdapter%" | findstr /v /i "Disconnected" | findstr /i "Connected" >nul
if %errorlevel% neq 0 (
    echo [CRITICAL] VPN Lost! Killing %AppToKill%...
    taskkill /f /im "%AppToKill%" >nul 2>&1
    echo Security protocol engaged. Script exiting.
    endlocal
    exit /b
)
echo [SAFE] VPN is active. Re-checking in 30s...
:: /nobreak prevents a keypress from skipping the wait (use Ctrl+C to quit)
timeout /t 30 /nobreak >nul
goto MonitorLoop
How to Avoid Common Errors
Wrong Way: Searching ipconfig for adapter names
Many users try ipconfig | findstr "TAP Tunnel VPN".
Why it fails: ipconfig lists adapter headers even when the adapter is disconnected (showing "Media disconnected" below). It also matches IPv6 tunnel adapters (Teredo, ISATAP) that are unrelated to your VPN. This creates false positives.
Correct Way: Use netsh interface show interface which reports each adapter's state (Connected / Disconnected) on a single line, making it safe to filter with findstr.
Best Practice: Dealing with Localization
In non-English versions of Windows, rasdial might output "Connesso a" instead of "Connected to".
Always search for the Name of your VPN connection (e.g., MyVPN) rather than searching for English status words. The name you gave the connection will remain the same regardless of the OS language.
Best Practices and Rules
1. Wait After Connect
VPNs take time to negotiate encryption. If your script connects the VPN and immediately checks the status, it might show "Disconnected" even though it's halfway through the process. Always add a 5-10 second timeout after a connect command.
2. Administrator Rights
Commands like rasdial and ipconfig work for standard users, but route print or netsh commands often provide more data when run as an Administrator.
3. Identify by IPv4 address
If you know your VPN always assigns you an IP starting with 172.16.x.x, that is the most reliable way to verify status:
ipconfig | find "172.16." >nul
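The "Wait After Connect" rule combined with Method 3's route check, as an added example that is not part of the original guide: instead of a fixed sleep, it polls until rasdial lists the session and a route whose destination column starts with the internal range is present. The connection name, the 10.0.0. range, the retry values and the :VpnReady label are assumptions for illustration, and credentials are assumed to be saved with the connection entry.

```batch
@echo off
setlocal
:: Assumed values for illustration; adjust for your environment
set "VPNName=MyCompanyVPN"
:: findstr regex: a route whose destination column starts with 10.0.0.
set "RouteRegex=^ *10\.0\.0\."
set "MaxTries=10"
set "DelaySec=3"

:: Dial the saved connection (assumes credentials are stored with the entry)
rasdial "%VPNName%" >nul 2>&1
if errorlevel 1 (
    echo [FAILURE] rasdial could not connect "%VPNName%".
    exit /b 1
)

set /a Try=0
:WaitLoop
set /a Try+=1
call :VpnReady
if not errorlevel 1 (
    echo [OK] VPN ready after %Try% checks.
    exit /b 0
)
if %Try% geq %MaxTries% (
    echo [FAILURE] VPN not ready after %MaxTries% checks.
    exit /b 1
)
timeout /t %DelaySec% /nobreak >nul
goto WaitLoop

:VpnReady
:: Ready only when the session is listed AND an internal route exists
rasdial | findstr /i /C:"%VPNName%" >nul || exit /b 1
route print -4 | findstr /r /C:"%RouteRegex%" >nul || exit /b 1
exit /b 0
```

Anchoring the pattern to the start of the line keeps 110.0.0.x destinations and addresses in the gateway or interface columns from counting as a match, which the plain find "10.0.0." search would accept.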
Conclusions
Checking VPN status in a Batch script is the foundation of network security automation. Whether you use name-based detection with rasdial or adapter-state detection with netsh, you can build resilient scripts that protect your privacy and ensure your data travels over secure paths. By combining these checks with a polling loop and taskkill, you can effectively create a custom, lightweight security suite for your Windows environment.