A Point-to-Site (P2S) VPN gateway lets you create a secure connection to your Azure virtual network from an individual client computer. Point-to-Site VPN connections are useful when you want to connect to your Azure VNet from remote locations such as your home or a hotel. This is very similar to a traditional VPN client, but rather than connecting to your office, which normally has some sort of single point of failure (such as a single internet connection or one firewall), you are utilising the highly available Azure gateway. This guide shows you how to set up a certificate-authenticated client VPN connection to your Azure environment using the portal.

Create Virtual Network

Login to the Azure portal then navigate to Virtual Networks and Create Virtual Network

Create a virtual network similar to the settings below dependent on your environment (if you already have a virtual network setup you do not need to perform this).

Add a Gateway Subnet

Before connecting a gateway to a virtual network, you need to create a gateway subnet in the virtual network you want to connect to; the gateway services use the IP addresses specified in the gateway subnet.

In the Settings section of your VNet page, click Subnets to expand the Subnets page

Add a Gateway Subnet with similar settings to below. The name must be GatewaySubnet; this subnet is used by the gateway services to enable cross-premises connectivity and routing between networks. It needs at least a /29 to function, but Microsoft recommends a /27 or larger so there is room for gateway features added later, and the subnet cannot be resized while a gateway is deployed in it. Do not place other resources in the gateway subnet and do not attach a network security group to it.

Specify a DNS Server

This is an optional step. If you need internal name resolution, be aware that the value you specify here is used by the resources you deploy to the VNet, not by the P2S connection or the VPN client directly; the VPN client package generated later picks up the VNet DNS settings, so if you add or change DNS servers after generating the package you must download and install a new one.

In the Settings section of your virtual network page, select DNS servers to open the DNS servers page.
On the DNS servers page, select Custom then Add the DNS server: Enter the IP address of the DNS server(s) that you want to use for name resolution.

Create a Virtual Network Gateway

On the left side of the Azure portal, click Create a resource and search for Virtual Network Gateway and hit return, then select and create

Add a descriptive virtual network gateway name, public ip address name, select the virtual network created earlier and ensure your location is set correctly.

Generate Certificates

Certificates are required to authenticate clients connecting to the VNet over a Point-to-Site VPN connection. Enterprise CA certificates can be used, but this guide uses a self-signed root certificate. A root certificate is generated and its public key data (the Base64-encoded certificate, without the private key) is uploaded to Azure. Azure then treats that root as trusted for P2S connections to the virtual network. You then generate a client certificate signed by the trusted root and install it on each client computer; the client certificate is used to authenticate the client when it initiates a connection to the VNet. Two things to keep in mind: the root's private key is what allows new client certificates to be issued, so keep it on a secured machine or in an offline backup rather than on clients, and New-SelfSignedCertificate defaults to a one-year validity period, after which the certificates (and every client certificate issued under an expired root) stop working unless you specify -NotAfter.

Create a self-signed root certificate

To generate the certificate in PowerShell, right click and run PowerShell as administrator, then copy/paste the following code;

Do not close your PowerShell window: the $cert variable holds the root certificate and is used to sign the client certificate in the next step;

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Generate a client certificate

Using the same PowerShell session as above, copy/paste the following code to generate the client certificate (the -Signer $cert parameter makes the root the issuer, and the TextExtension adds the Client Authentication EKU, 1.3.6.1.5.5.7.3.2, that the gateway requires);

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Your PowerShell output should look similar to the following;

To see the list of certificates installed locally, use the following command;

Get-ChildItem -Path "Cert:\CurrentUser\My"

The public half of the root certificate now needs to be exported from your local machine and uploaded to Azure. From the same PowerShell session, open Certificate Manager using the command;

certmgr.msc

Navigate to Personal > Certificates and you should see the two certificates generated earlier

Right click the P2SRootCert and select All Tasks > Export

Select Next > Next (ensure that the private key is not exported: Azure only needs the public certificate, and anyone holding the root's private key can mint client certificates that your gateway will accept)

Select Base-64 encoded X.509 (.CER) then give the file a name and Finish

Export the client certificate

From within the Personal > Certificates, right click the P2SChildCert and select All Tasks > Export


Select Next, then select "Yes, export the private key", then Next (the following options should be set by default, including "Include all certificates in the certification path if possible", which bundles the root certificate into the .pfx so the client can install it alongside the client certificate)

Select Password and create a strong password for later use. The .pfx contains the client's private key, so give the file and its password to the user over separate channels and delete the .pfx once it has been imported.

Choose a directory to export the file and give it a logical name and click Finish.
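The certificate generation and export steps above, scripted end to end as an added example (this is not code from the original guide). It assumes the certificate names used in this guide and a hypothetical output folder C:\P2S; run it in the user context that will own the keys.

```powershell
# Added example, not code from the original guide: generate the root and client
# certificates and export exactly what each party needs.
# Assumptions: certificate names from this guide; output folder C:\P2S (hypothetical).

$OutDir = 'C:\P2S'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Root CA: signing key only. New-SelfSignedCertificate defaults to one year of
# validity, after which every client certificate it issued stops working, so
# set the lifetime explicitly.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(5)

# Client certificate signed by the root, with the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2) the gateway requires. Issue one per user or device so a
# lost laptop can be revoked without affecting anyone else.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' `
    -KeySpec Signature -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(1)

# Root public certificate only (DER, then Base64 PEM). The root private key
# never leaves the certificate store; Azure only needs the public half.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
$pem = @('-----BEGIN CERTIFICATE-----')
for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $pem += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem += '-----END CERTIFICATE-----'
Set-Content -Path (Join-Path $OutDir 'P2SRootCert.cer') -Value $pem -Encoding Ascii

# The portal's "Public certificate data" field takes the Base64 body on a single
# line without the BEGIN/END lines; write that out too to avoid copy/paste slips.
Set-Content -Path (Join-Path $OutDir 'P2SRootCert.portal.txt') -Value $b64 -Encoding Ascii

# Client certificate plus private key, password protected, with the chain so
# the root is installed alongside it on the client (that is what triggers the
# "Security Warning" prompt during import).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the client .pfx'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $OutDir 'P2SChildCert.pfx') `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Record the thumbprints: the client one is what you would use to revoke it later.
"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

The .cer file is the one to open in Notepad for the portal; the .portal.txt file contains the same Base64 data already stripped of its header and footer. Keep the .pfx and its password apart, and keep a record of each client thumbprint so the certificate can be revoked on the gateway if the device is lost.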

Install certificate on another client

On the client computer, double-click the .pfx file to install it. Leave the Store Location as Current User and click Next; on the File to import page, leave the defaults and click Next.
On the Private key protection page, enter the password for the certificate and click Next. On the Certificate Store page, leave the defaults, click Next, then Finish.
On the Security Warning for the certificate installation, click Yes. This warning appears because the .pfx carries the certificate chain, so the self-signed P2SRootCert is being added to the user's Trusted Root Certification Authorities store; only accept it for a root you generated yourself.
The certificate is now successfully imported.

Add the client address pool

Once the certificates have been generated, go back to the Virtual Network Gateway created earlier in Azure, then go to Settings > Point-to-site configuration and select Configure now

Set an address pool of sufficient size for the number of simultaneous connections that will use this gateway; each connected client takes an address from it.
This address pool must be a private range that does not overlap the Virtual Network address space specified earlier, nor any on-premises network the VNet is connected to, otherwise routing between the client and the VNet breaks.

The tunnel type should be set to use IKEv2 and SSTP (SSL)

Set the authentication as Azure certificate

Under Root certificates, open the P2SRootCert.cer file exported earlier in Notepad and copy everything between

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

(the Base64 block only, without the BEGIN and END lines themselves), paste it into the Public certificate data field, add a name and click Save

After a few minutes the VPN gateway should be configured. If a client certificate is later lost or compromised, its thumbprint can be added under Revoked certificates on the same page so the gateway rejects it without touching the root.
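The same Point-to-site configuration done with the Az PowerShell module instead of the portal, as an added example that is not part of the original guide. It checks the client address pool against the VNet address space before applying it (the overlap failure mode described above), uploads the root certificate data with the PEM header and footer stripped, and shows the revocation call. The resource group, gateway, VNet and file names are assumed placeholders; it requires the Az module and an existing Connect-AzAccount session.

```powershell
# Added example, not code from the original guide.
# Assumed names: rg-p2s, vng-p2s, vnet-p2s and C:\P2S\P2SRootCert.cer are placeholders.
# Requires: Install-Module Az; Connect-AzAccount

$ResourceGroup = 'rg-p2s'
$GatewayName   = 'vng-p2s'
$VNetName      = 'vnet-p2s'
$ClientPool    = '172.16.201.0/24'
$RootCerPath   = 'C:\P2S\P2SRootCert.cer'

function Test-CidrOverlap {
    # Returns $true when two IPv4 CIDR ranges share at least one address.
    param([string]$CidrA, [string]$CidrB)
    $range = {
        param([string]$Cidr)
        $ip, $bits = $Cidr -split '/'
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)   # network order -> host order for ToUInt32
        $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
        $size  = [uint64][Math]::Pow(2, 32 - [int]$bits)
        $start = $addr - ($addr % $size)
        [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
    }
    $a = & $range $CidrA
    $b = & $range $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# Refuse a client pool that collides with any VNet address prefix.
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
foreach ($prefix in $vnet.AddressSpace.AddressPrefixes) {
    if (Test-CidrOverlap $ClientPool $prefix) {
        throw "Client pool $ClientPool overlaps VNet address space $prefix"
    }
}

# Azure wants only the Base64 body of the root certificate, not the PEM lines.
$publicCertData = (Get-Content -Path $RootCerPath | Where-Object { $_ -notmatch '^-----' }) -join ''

# Address pool and tunnel types, matching the portal settings in this guide.
$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $ClientPool `
    -VpnClientProtocol IkeV2, SSTP | Out-Null

# Trust the root for P2S authentication.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
    -PublicCertData $publicCertData | Out-Null

# Revoking a single client certificate by thumbprint, e.g. for a lost laptop
# (placeholder thumbprint; take the real one from the client certificate):
# Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'lost-laptop' `
#     -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
#     -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'

# Generate the VPN client package and print its download URL.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup `
    -Name $GatewayName -AuthenticationMethod EapTls
$profile.VpnProfileSASUrl
```

Test-CidrOverlap works on address ranges rather than string prefixes, so it also catches partial overlaps such as a /24 pool inside a /16 VNet. The download URL returned at the end is the same ZIP the portal's Download VPN client button provides.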


Download and install VPN Client

After the save has completed, select Download VPN client

Download and extract the contents of the ZIP file to a folder.

You must have administrator rights on the Windows client for this to work correctly.

Right click and run the installer as administrator. Depending on your architecture, install either WindowsAmd64 or WindowsX86, which contain the 64-bit and 32-bit installer packages respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just AMD processors.

Once installed you should have the option to connect to it from the network adapter icon on your taskbar;

Alternatively connect to the VPN via the network settings

Click Connect, then Continue at the routing table update prompt (this adds routes for the VNet address space on the client, which is why administrator rights are required)

Once connected you should be able to reach your VMs, provided the Network Security Group and local firewall rules permit the traffic

Run ipconfig from the command prompt and you should see you have an address from your VPN address pool

When completed, select Disconnect to terminate the connection correctly.

Tip: If you get the following error, the client certificate has not been installed for the user running the VPN client; reinstall the .pfx as per the instructions above.
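A client-side check for the certificate problems behind that error, as an added example that is not part of the original guide. It inspects the current user's Personal store for a certificate issued by the root (assumed to be named CN=P2SRootCert as in this guide) and reports the usual reasons the connection rejects it: no private key, expiry, clock skew, a missing Client Authentication EKU, or the root missing from the Trusted Root store.

```powershell
# Added example, not code from the original guide.
# Assumption: the root certificate subject is CN=P2SRootCert as in this guide.
function Test-P2SClientCertificate {
    param([string]$RootSubject = 'CN=P2SRootCert')
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date

    # The VPN client looks in the current user's Personal store for a certificate
    # issued by the root that Azure trusts, so that is where the .pfx must land.
    $candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -eq $RootSubject -and $_.Subject -ne $RootSubject }
    if (-not $candidates) {
        Write-Warning "No certificate issued by $RootSubject in Cert:\CurrentUser\My; import the .pfx while logged in as this user."
        return $false
    }

    $usable = $false
    foreach ($c in $candidates) {
        $problems = @()
        if (-not $c.HasPrivateKey) { $problems += 'no private key (was the .pfx exported with "Yes, export the private key"?)' }
        if ($c.NotAfter -lt $now)  { $problems += "expired on $($c.NotAfter)" }
        if ($c.NotBefore -gt $now) { $problems += "not valid until $($c.NotBefore) (check the clock)" }
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        if (-not $hasClientAuth) { $problems += 'missing the Client Authentication EKU' }

        if ($problems) {
            Write-Warning "$($c.Thumbprint): $($problems -join '; ')"
        } else {
            Write-Output "$($c.Thumbprint): usable for P2S (expires $($c.NotAfter))"
            $usable = $true
        }
    }

    # Importing the .pfx with its chain puts the self-signed root in the user's
    # Trusted Root store; without it Windows cannot build a trusted chain.
    $rootTrusted = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootSubject }
    if (-not $rootTrusted) {
        Write-Warning "$RootSubject is not in a Trusted Root store; re-import the .pfx and accept the security warning."
    }
    return $usable
}

Test-P2SClientCertificate
```

Run it in a normal (non-elevated) PowerShell window as the user who will dial the VPN, since the Personal store it checks is per user; a certificate imported while elevated as a different account will not be found.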