A Point-to-Site (P2S) VPN gateway lets you create a secure connection to your Azure virtual network from an individual client computer, Point-to-Site VPN connections are useful when you want to connect to your Azure VNet from remote locations such as your home or hotel. This is very similar to a traditional VPN client but rather than connecting to your office which normally has some sort of single points of failure (such as a single internet connection or 1 firewall) you are utilising the highly available Azure configuration. This guide shows you how to set up a Client VPN connection with certificates to your Azure environment using the portal.

Create Virtual Network

Login to the Azure portal then navigate to Virtual Networks and Create Virtual Network

Create a virtual network similar to the settings below dependent on your environment (if you already have a virtual network setup you do not need to perform this).

Add a Gateway Subnet

Before connecting a gateway to a virtual network, you need to create the gateway subnet for the virtual network to which you want to connect, the gateway services use the IP addresses specified in the gateway subnet.

In the Settings section of your VNet page, click Subnets to expand the Subnets page

Add a Gateway Subnet with similar settings to below, the name must be GatewaySubnet, this subnet Is used for gateway services to enable cross-premise connectivity for routing between networks, this requires at least a /29 to function correctly.

Specify a DNS Server

This is an optional step but if you are needing to reference internal DNS settings, the value you specify is used by the resources that you deploy to the VNet, not by the P2S connection or the VPN client.

In the Settings section of your virtual network page, select DNS servers to open the DNS servers page.
On the DNS servers page, select Custom then Add the DNS server: Enter the IP address of the DNS server(s) that you want to use for name resolution.

Create a Virtual Network Gateway

On the left side of the Azure portal, click Create a resource and search for Virtual Network Gateway and hit return, then select and create

Add a descriptive virtual network gateway name, public ip address name, select the virtual network created earlier and ensure your location is set correctly.

Generate Certificates

Certificates are required to authenticate clients connecting to the VNet over a Point-to-Site VPN connection, enterprise certificates can be generated and used but this guide uses a trusted self signed certificate. A root certificate needs to be generated and uploaded to the public key information in Azure. The root certificate is then considered trusted by Azure for connection over P2S to the virtual network, you then need to generate a client certificates from the trusted root certificate, and then install them on each client computer. The client certificate is used to authenticate the client when initiating a connection to the VNet.

Create a self-signed root certificate

To generate the certificate in powershell, right click and run powershell as administrator, then copy/paste the following code;

Do not close your powershell window as the $cert variable will be used to create the root certificate;

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Generate a client certificate

Using the same powershell session as above, copy/paste the following code to generate the client certificate;

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("{text}")

 Your powershell should look similar to the following;

To see the list of certificates installed locally, use the following command;

Get-ChildItem -Path “Cert:\CurrentUser\My”

The certificate now needs to be exported from your local machine to Azure, from the same powershell session open up certificate manager using the command;


Navigate to Personal > Certificates and you should see the 2 certificates generated within there

Right click the P2SRootCert and select All Tasks > Export

Select Next > Next (Ensure that the private key is not exported)

Select Base-64 encoded X.509 (.CER) then give the file a name and Finish

Export the client certificate

From within the Personal > Certificates, right click the P2SChildCert and select All Tasks > Export


Select Next then select "Yes, export the private key" then Next (The following options should be set by default)

Select Password and create a password for later use.

Choose a directory to export the file and give it a logical name and click Finish.

Install certificate on another client

On the client computer, double-click the .pfx file to install. Leave the Store Location as Current User, and then click Next, on the File to import page, leave defaults and click Next.
On the Private key protection page, input the password for the certificate then click Next. On the Certificate Store page, leave the defaults, and then click Next then finish
On the Security Warning for the certificate installation, click Yes.
The certificate is now successfully imported.

Add the client address pool

Once the certificates have been generated go back into the Virtual Network Gateway created earlier in Azure then go to Settings > Point-to-site configuration and select Configure now

Set an address pool of sufficient size for the amount of connections that will be using this.
This address pool must sit on a range outside of your Virtual Network/CIDR block specified earlier.

The tunnel type should be set to use IKEv2 and SSTP (SSL)

Set the authentication as Azure certificate

Under Root certificates, copy and paste the contents of everything between



from within the P2SRoot.cer file that was exported earlier (Use notepad to open the file) and add a name and click save

After a few minutes the VPN Gateway should now be configured


Download and install VPN Client

 After the save has completed, select Download VPN client

Download and extract the contents of the ZIP file to a folder.

You must have administrator rights on the windows client for this to work correctly.

Right click and run the installer as administrator, depending on your architecture either install WindowsAmd64 or WindowsX86, which contain the Windows 32-bit and 64-bit installer packages, respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just Amd.

Once installed you should have the option to connect to it from the network adaptor icon on your taskbar;

Alternatively connect to the VPN via the network settings

Click Connect, then Continue at the routing table update prompt

Once connected you should be able to connect to VM (Network Security Group and local firewall rules are permitted)

Run ipconfig from the command prompt and you should see you have an address from your VPN address pool

 When completed select Disconnect to terminate the connection correctly.

Tip: If you get the following error the certificate has not been installed, please reinstall the pfx as per the instructions above.