A Point-to-Site (P2S) VPN gateway helps in the creation of a secure connection to Azure Virtual Network from a Remote Location. Point-to-Site VPN connections are useful when we have fewer clients, who want to connect to the Azure VNet from a remote location, like telecommuting from home or a conference.

This post is to summarize the basic concept around P2S VPN and steps to configure and connect P2S.

Protocols for P2S VPN

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model.

Authentication Methods

  • Certificate :
    •  Self-signed or from an enterprise certificate authority. 
  • Radius
    • Integration with Windows Active Directory.
  • Azure AD authentication
    • Supports MFA

SKU

VPN
Gateway
Generation
SKU S2S/VNet-to-VNet
Tunnels
P2S
SSTP Connections
P2S
IKEv2/OpenVPN Connections
Aggregate
Throughput Benchmark
BGP Zone-redundant
Generation1 Basic Max. 10 Max. 128 Not Supported 100 Mbps Not Supported No
Generation1 VpnGw1 Max. 30 Max. 128 Max. 250 650 Mbps Supported No
Generation1 VpnGw2 Max. 30 Max. 128 Max. 500 1 Gbps Supported No
Generation1 VpnGw3 Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported No
Generation1 VpnGw1AZ Max. 30 Max. 128 Max. 250 650 Mbps Supported Yes
Generation1 VpnGw2AZ Max. 30 Max. 128 Max. 500 1 Gbps Supported Yes
Generation1 VpnGw3AZ Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported Yes
Generation2 VpnGw2 Max. 30 Max. 128 Max. 500 1.25 Gbps Supported No
Generation2 VpnGw3 Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported No
Generation2 VpnGw4 Max. 100* Max. 128 Max. 5000 5 Gbps Supported No
Generation2 VpnGw5 Max. 100* Max. 128 Max. 10000 10 Gbps Supported No
Generation2 VpnGw2AZ Max. 30 Max. 128 Max. 500 1.25 Gbps Supported Yes
Generation2 VpnGw3AZ Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported Yes
Generation2 VpnGw4AZ Max. 100* Max. 128 Max. 5000 5 Gbps Supported Yes
Generation2 VpnGw5AZ Max. 100* Max. 128 Max. 10000 10 Gbps Supported Yes

High Level Steps to Create P2S VPN

  1. Create a Virtual Network
  2. Create Subnet(s) for Virtual Machines
  3. Create Virtual Machine(s) within the subnet in step 2 above
  4. Create a Gateway Subnet within the Virtual Network
  5. Create a Virtual Network Gateway after Step 3 above is complete
  6. Create the Root VPN certificate and client certificate using PowerShell commands in the next section
  7. Or create the Root VPN Certificate using makecert utility (Optional method)
    • Download and install Windows 10 SDK (if you do not have the makecert utility).
    • Go to Directory – C:\Program Files (x86)\Windows Kits\10\bin\x86 (This path might slightly differ)
    • Run Command – makecert -sky exchange -r -n “CN=<NameofVpnRootCert>” -pe -a sha1 -len 2048 -ss My “<NameofVpnRootCert>”
    • Open Certificate Manager (certmgr.msc), locate the certificate created above inside “Personal/Certificates” and export the certificate to BASE64 without the password
    • Open the Base64 certificate in step above in Notepad++ or Notepad, and put everything in a single line by deleting the carriage return. This is done because the VPN Gateway created in Step 5 above needs the certificate in a single line.
  8. Create the Client Certificate
    • Run Command – makecert.exe -n “CN=<NameofVpnClientCert>” -pe -sky exchange -m 96 -ss My -in “<NameofVpnRootCert>” -is my -a sha1
    • Open Certificate Manager (certmgr.msc), locate the client certificate created above inside “Personal/Certificates” and export the certificate as PFX with the password. This certificate is to be distributed to all the clients, who will be connecting to Azure VNets
  9. Configure Root Certificate on Gateway created in Step 5 above
  10. Download VPN Software after the certificate has been validated by Azure and highlights the download button

The VPN software downloaded after Step 8 above can be distributed along with the client certificate (PFX) to all clients who wish to connect to Azure VMs. 

Create Point-to-Site VPN

1. Create Virtual network gateway

2. Create a Point-to-Site Configuration

Generate Root Cert and Client Cert

PowerShell Commands:

  • Generate root Cert and Client cert in a same PowerShell Session:
#Create the root cert
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My"  `
-KeyUsageProperty Sign -KeyUsage CertSign 

# Create Client Cert
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SClientCert1" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
  • Generate client certificate in a separate PowerShell Session.
Usually, you have generate your root certificate, and you will need to generate your client certificate later. In this way, you will have find out your root certificate and assign the proper value to $cert this variable first, then generate your client certificate.

If you are creating additional client certificates, or are not using the same PowerShell session that you used to create your self-signed root certificate, use the following steps:

  1. Identify the self-signed root certificate that is installed on the computer. This cmdlet returns a list of certificates that are installed on your computer.

    PowerShell
    Get-ChildItem -Path "Cert:\CurrentUser\My"
    
  2. Locate the subject name from the returned list, then copy the thumbprint that is located next to it to a text file. In the following example, there are two certificates. The CN name is the name of the self-signed root certificate from which you want to generate a child certificate. In this case, ‘P2SRootCert’.

    Thumbprint                                Subject
    ----------                                -------
    AED812AD883826FF76B4D1D5A77B3C08EFA79F3F  CN=P2SChildCert4
    7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655  CN=P2SRootCert
    
  3. Declare a variable for the root certificate using the thumbprint from the previous step. Replace THUMBPRINT with the thumbprint of the root certificate from which you want to generate a child certificate.

    PowerShell
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\<THUMBPRINT>"
    

    For example, using the thumbprint for P2SRootCert in the previous step, the variable looks like this:

    PowerShell
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655"
    
  4. Modify and run the example to generate a client certificate. If you run the following example without modifying it, the result is a client certificate named ‘P2SChildCert’. If you want to name the child certificate something else, modify the CN value. Do not change the TextExtension when running this example. The client certificate that you generate is automatically installed in ‘Certificates – Current User\Personal\Certificates’ on your computer.

    PowerShell
    New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
    

Add root certificate content into Point-to-Site configuration. Root certificate will need to export first. .

Export Root Cert Using certmgr.msc

Following steps are export Root Cert:

  1. To obtain a .cer file from the certificate, open Manage user certificates  (run certmgr.msc from command line or run window). Locate the self-signed root certificate, typically in ‘Certificates – Current User\Personal\Certificates’, and right-click. Click All Tasks, and then click Export. This opens the Certificate Export Wizard. If you can’t find the certificate under Current User\Personal\Certificates, you may have accidentally opened “Certificates – Local Computer”, rather than “Certificates – Current User”). If you want to open Certificate Manager in current user scope using PowerShell, you type certmgr in the console window.

    Screenshot shows the Certificates window for the current user with Certificates selected and a contextual menu with Export selected from All Tasks.

  2. In the Wizard, click Next.

    Export certificate

  3. Select No, do not export the private key, and then click Next.

    Do not export the private key

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER)., and then click Next.

    Base-64 encoded

  5. For File to ExportBrowse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

    Screenshot shows the Certificate Export Wizard with a File Name text box and a Browse option.

  6. Click Finish to export the certificate.

    Screenshot shows the Certificate Export Wizard with the selected settings.

  7. Your certificate is successfully exported.

    Screenshot shows a message that the export was successful.

  8. The exported certificate looks similar to this:

    Screenshot shows a certificate icon and file name with the c e r file name extension.

Exported certificate content will be copied into your VPN Gateway Point-to-Site configuration page’s Root certificate section. 

Following steps are exporting client certificate:

  1. To export a client certificate, open Manage user certificates. The client certificates that you generated are, by default, located in ‘Certificates – Current User\Personal\Certificates’. Right-click the client certificate that you want to export, click all tasks, and then click Export to open the Certificate Export Wizard.

    Screenshot shows the Certificates window for the current user with Certificates selected and Export selected from All Tasks.

  2. In the Certificate Export Wizard, click Next to continue.

    Screenshot shows the Certificate Export Wizard Welcome message.

  3. Select Yes, export the private key, and then click Next.

    export private key

  4. On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in the certification path if possible is selected. This setting additionally exports the root certificate information that is required for successful client authentication. Without it, client authentication fails because the client doesn’t have the trusted root certificate. Then, click Next.

    export file format

  5. On the Security page, you must protect the private key. If you select to use a password, make sure to record or remember the password that you set for this certificate. Then, click Next.

    Screenshot shows the Certificate Export Wizard Security page with the password entered and confirmed and Next highlighted.

  6. On the File to ExportBrowse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

    file to export

  7. Click Finish to export the certificate.

    Screenshot shows the Certificate Export Wizard with the entered settings.

Workflow

After your Azure VPN Gateway point-to-site configuration is complete, your next steps are as follows:
  1. Download and install the Azure VPN Client.
  2. Generate the VPN client profile configuration package.
  3. Import the client profile settings to the VPN client.
  4. Create a connection.
  5. Optional – export the profile settings from the client and import to other client computers.

Install Client Certificate and VPN Client

Double click certificate to import the client certificate.

You will be able to download your Azure VPN Client from Virtual Network Gateway Point-to-Site configuration page:

It is a zipped file, inside, you will find WindowsAMD64 folder which includes the installation exe file, VpnClientSetupAmd64.exe.

Double click VpnClientSetupAmd64.exe to install VPN client. 

The installation window will disappear after completed. 

Recent VPNClientSetup packet is not included into the download file. You will need to search Azure VPN from Microsoft Store and then install the client.

After install Azure VPN Client, you will be able to import the configuration from downloaded file. 

[May, 2022] Updated Steps to Install Azure VPN Client:

  1. Download the latest version of the Azure VPN Client install files using one of the following links:

  2. Install the Azure VPN Client to each computer.

  3. Verify that the Azure VPN Client has permission to run in the background. For steps, see Windows background apps.

  4. To verify the installed client version, open the Azure VPN Client. Go to the bottom of the client and click … -> ? Help. In the right pane, you can see the client version number.

Generate the VPN client profile configuration package:

To generate the VPN client profile configuration package, see Working with P2S VPN client profile files. After you generate the package, follow the steps to extract the profile configuration files.

Import the profile file

For Azure AD authentication configurations, the azurevpnconfig.xml is used. The file is located in the AzureVPN folder of the VPN client profile configuration package.

  1. On the page, select Import.

    Screenshot that shows the "Add" button selected and the "Import" action highlighted in the lower left-side of the window.

  2. Browse to the profile xml file and select it. With the file selected, select Open.

    Screenshot that shows a profile x m l file selected.

  3. Specify the name of the profile and select Save.

    Save the profile.

  4. Select Connect to connect to the VPN.

    Screenshot that shows the VPN and "Connect" button selected.

  5. Once connected, the icon will turn green and say Connected.

    import

Using AD Authentication

You also can choose to use Azure Active Directory as your authentication method. 

There are some requirements for enabling Azure AD authentication, such as, VPN tunnel type. 

More explanation about Tenant ID, audience and Issuer, that can be found from following url:

https://docs.microsoft.com/en-ca/azure/vpn-gateway/openvpn-azure-ad-tenant

Assign Users to Azure VPN Application

Assign the users to your applications.

  1. Under Azure AD -> Enterprise applications, select the newly registered application Azure VPN and click Properties. Ensure that User assignment required? is set to yes. Click Save.

Connect to Azure VPN Gateway

After VPN client installed, you can search it out from Windows menu by typing network to view network connections:

You will find a new network created. Drag the new network to your desktop to create a shortcut for future connection. 

Click network icon then click VPN from pop up window

You should be able to see connect button , which is used to connect to your VPN gateway.

You might also got a UAC (User Access Control) window to warn you this action, click Yes to continue.

Verify connections:

After vpn connected, you might be able to check the ip address to see if your computer got a new ip from VPN pool:

PS C:\WIDOWS\system32> ipconfig
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : lan
   Link-local IPv6 Address . . . . . : fe80::fd79:1858:9a7c:5a4f%4
   IPv4 Address. . . . . . . . . . . : 192.168.2.71
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1

PPP adapter rg-storage-file-share-access-vnet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
PS C:\WINDOWS\system32>

172.16.0.0/24 is the VPN pool we configured for our VPN gateway. We got an ip 172.16.0.3 which is allocated from that pool.

To connect automatically


These steps help you configure your connection to connect automatically with Always-on.

  1. On the home page for your VPN client, select VPN Settings.

    Screenshot of the VPN home page with "VPN Settings" selected.

  2. Select Yes on the switch apps dialogue box.

    Screenshot of the "Did you mean to switch apps?" dialog with the "Yes" button selected.

  3. Make sure the connection that you want to set isn’t already connected, then highlight the profile and check the Connect automatically check box.

    Screenshot of the "Settings" window, with the "Connect automatically" box checked.

  4. Select Connect to initiate the VPN connection.

    auto

By netsec

One thought on “Azure Point-to-Site VPN Configuration (Using Certs or AD Authentication)”
  1. A Point-to-Site VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.

Leave a Reply