If you have followed the previous articles on how to create an Azure virtual network and on how to deploy an Azure jumpbox, you will be perfectly set up for this article. In this article, we will deploy and configure the required infrastructure to set up a point-to-site (P2S) VPN from our laptop or workstation to our Azure network.
By David O'Brien

Use case for P2S VPN ^

We usually use a P2S VPN to gain access to a network from a device outside the managed networks, such as our on-premises or Azure virtual networks. This is often required when there's no corporate VPN and an administrator needs to reach a VM via Remote Desktop Protocol (RDP) or Secure Shell (SSH). More generally, there may be times when no connection (such as a site-to-site VPN or ExpressRoute) exists from on premises to the private Azure network.

Checklist ^

What is required to set up a P2S VPN? As it turns out, not too much. We need a GatewaySubnet and a virtual network gateway deployed into that subnet, which takes just a few lines of command-line interface (CLI) code. We will also need a certificate to upload to the gateway to establish our VPN. On the client side, it depends on the operating system: Windows 10 is seamless, whereas on macOS it is a bit more complicated, depending on the VPN software used.

Creating the Azure gateway subnet ^

If you have followed along with the articles, you will already have a subnet called GatewaySubnet. If not, make sure you have a virtual network (VNet), and then call the following PowerShell:

$vnet = Get-AzVirtualNetwork -Name 4soNetwork -ResourceGroupName 4soResourceGroup
# Replace the placeholder with a free /27 from your VNet address space
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -AddressPrefix "<gateway-subnet-prefix>/27" -VirtualNetwork $vnet
Set-AzVirtualNetwork -VirtualNetwork $vnet

A /27 size subnet is more than enough for our use case. This is it for the subnet. Microsoft does not recommend or support assigning a network security group (NSG) to the GatewaySubnet, so make sure you don't have any process in place that automatically applies NSGs to subnets.

Creating the Azure VNet gateway ^

Into this subnet, we now need to deploy the gateway. Gateways can be VPN gateways or ExpressRoute gateways. To set up a point-to-site VPN, we will create a VPN gateway. You can then also use the same gateway to establish a site-to-site VPN if you require one. A VPN gateway has a public IP address that clients connect to. This public IP address must be a dynamic one. Azure currently does not support VPN gateways with static public IPs.

New-AzPublicIpAddress -ResourceGroupName 4soResourceGroup -AllocationMethod Dynamic -Name vpnPublicIp -Location "Australia East"
Creating an Azure public IP address

After doing this, we can continue deploying the VPN gateway. The following PowerShell snippet will deploy a VPN gateway into our GatewaySubnet that we can use to establish a P2S VPN connection. The gateway's SKU will be VpnGw1, one of the newer SKUs that supports all gateway features, including Border Gateway Protocol (BGP), but has the lowest data throughput. Check the documentation if you want to know more about the different SKUs.

$vnet = Get-AzVirtualNetwork -Name 4soNetwork -ResourceGroupName 4soResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ip = Get-AzPublicIpAddress -Name vpnPublicIp -ResourceGroupName 4soResourceGroup
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name GatewayConfig -Subnet $subnet -PublicIpAddress $ip
# Az module cmdlet (the AzureRm name is not available alongside Get-Az* above)
New-AzVirtualNetworkGateway -Name vpngateway -ResourceGroupName 4soResourceGroup -Location "Australia East" -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

This operation can take anywhere between 20 and 45 minutes—yes, that long. Fortunately, you won't do it very often.

Creating an Azure VPN gateway

You'll notice it creates the resource almost straightaway, but it will mention "updating" until it is actually ready for use. As one of the last steps, it will also assign the public IP to the gateway, and the "updating" ribbon will disappear.
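Rather than refreshing the portal for 45 minutes, the following script (an added example, not code from the article) checks the two things that go wrong most often at this stage: it confirms the GatewaySubnet is a /27 or larger and has no NSG attached, then polls the gateway until its ProvisioningState is Succeeded and confirms the public IP has been allocated. It assumes the resource names used in this article and a 60-minute timeout, which is an arbitrary choice.

```powershell
# Added example: post-deployment checks for the P2S gateway.
# Resource names are the ones used in the article; the timeout is an assumption.
$rgName   = '4soResourceGroup'
$vnetName = '4soNetwork'
$gwName   = 'vpngateway'
$pipName  = 'vpnPublicIp'

# 1. GatewaySubnet must exist, be /27 or larger, and carry no NSG (unsupported).
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
if (-not $subnet) { throw "GatewaySubnet not found in $vnetName" }

# AddressPrefix is a string in older Az versions and a list in newer ones.
$prefix    = @($subnet.AddressPrefix)[0]
$prefixLen = [int]$prefix.Split('/')[1]
if ($prefixLen -gt 27) {
    throw "GatewaySubnet $prefix is smaller than /27; use /27 or larger"
}
if ($null -ne $subnet.NetworkSecurityGroup) {
    throw "GatewaySubnet has NSG $($subnet.NetworkSecurityGroup.Id) attached; remove it"
}
Write-Host "GatewaySubnet $prefix OK, no NSG attached"

# 2. Poll the gateway until provisioning finishes (typically 20-45 minutes).
$deadline = (Get-Date).AddMinutes(60)
do {
    $gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName
    if ($gw.ProvisioningState -eq 'Succeeded') { break }
    if ((Get-Date) -gt $deadline) {
        throw "Gateway $gwName still '$($gw.ProvisioningState)' after 60 minutes"
    }
    Write-Host "$(Get-Date -Format T) gateway is $($gw.ProvisioningState), waiting..."
    Start-Sleep -Seconds 60
} while ($true)

# 3. Confirm the gateway type/SKU this article expects and that the IP is allocated.
if ($gw.GatewayType -ne 'Vpn' -or $gw.VpnType -ne 'RouteBased') {
    throw "Gateway is $($gw.GatewayType)/$($gw.VpnType); P2S needs a route-based VPN gateway"
}
$pip = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rgName
if ([string]::IsNullOrEmpty($pip.IpAddress) -or $pip.IpAddress -eq 'Not Assigned') {
    throw "Public IP $pipName has not been allocated to the gateway yet"
}
Write-Host "Gateway $gwName ($($gw.Sku.Name)) ready at $($pip.IpAddress)"
```

The NSG check matters because an NSG applied to the GatewaySubnet by an automated policy can leave the gateway in a broken state that is hard to diagnose from the client side; the script fails loudly before you spend time on certificates.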

Creating the VPN certificate ^

While it's creating this, we can go ahead and create the self-signed certificate we need to upload to the gateway. This certificate can also come from your internal certificate authority (CA), but for this article, I will create a self-signed certificate. You can use any tool you like to create the certificate; for consistency, I will use PowerShell.

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=4soP2SRootCertificate" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -KeyUsageProperty Sign -KeyUsage CertSign

Make sure you execute this not in the Azure CloudShell but locally on your system because otherwise you won't be able to access the certificate created in your user's personal certificate store. This is the root certificate that will sign the client certificate in the next step. You need to install client certificates on every device that wants to connect to the P2S VPN. With the following snippet, we will create the client certificate:

# The TextExtension adds the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) required for P2S client certificates
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=4soP2SChildCertificate" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
Creating a self-signed certificate for Azure VPN usage

We now need to export the root certificate's public key manually. For this, we launch certmgr.msc, browse to Personal/Certificates, select the root certificate, and export it.

Exporting the P2S root certificate

Make sure not to export the private key, and then choose the Base-64 encoded format for the exported file.

Exporting the P2S root certificate as a .CER

After exporting it, we can open it in notepad.exe. Make sure you don't use a different text editor because other applications might add line breaks or other hidden characters to the file that might invalidate the certificate. Keep the file open while we head back to the Azure Portal to continue configuring the gateway.
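The manual certmgr.msc and notepad.exe round trip exists only to turn the root certificate into a single line of Base64 without headers. The script below (an added example, not the article's code) does the whole certificate step in PowerShell: it creates the root and client certificates with explicit lifetimes, verifies that the client certificate actually chains to the root, writes the root's public data as one Base64 line ready for the gateway, and exports the client certificate as a password-protected PFX for installation on other devices. The output folder, the validity periods and the file names are assumptions for this example.

```powershell
# Added example: P2S root and client certificates without certmgr.msc.
# $outDir, the lifetimes and the file names are assumptions.
$outDir = 'C:\p2s'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Root certificate that signs client certificates. The cmdlet defaults to a
# one-year lifetime; after it expires every client certificate it signed
# stops validating, so set -NotAfter deliberately.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=4soP2SRootCertificate' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddYears(2)

# Client certificate, one per device. The TextExtension adds the Client
# Authentication EKU (OID 1.3.6.1.5.5.7.3.2) that the gateway requires.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
    -Subject 'CN=4soP2SChildCertificate' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -Signer $rootCert -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Sanity check: the client certificate must chain to the root we just created.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($rootCert) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'  # root is not in Trusted Root
$chain.ChainPolicy.RevocationMode    = 'NoCheck'                            # self-signed, no CRL exists
if (-not $chain.Build($clientCert)) {
    throw "Client certificate does not chain: $($chain.ChainStatus.StatusInformation)"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $rootCert.Thumbprint) {
    throw 'Client certificate chains to an unexpected root'
}

# Root public data for the gateway: the DER bytes as ONE Base64 line with no
# BEGIN/END lines and no line breaks, which is what the portal field expects.
$rootB64 = [Convert]::ToBase64String($rootCert.RawData)
Set-Content -Path (Join-Path $outDir '4soP2SRootCertificate.b64') -Value $rootB64 -NoNewline -Encoding ascii

# Client certificate plus private key for other devices. Prompt for the PFX
# password instead of embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password for the client certificate' -AsSecureString
Export-PfxCertificate -Cert $clientCert -FilePath (Join-Path $outDir 'P2SChildCert.pfx') `
    -Password $pfxPassword | Out-Null

Write-Host "Root thumbprint:   $($rootCert.Thumbprint)"
Write-Host "Client thumbprint: $($clientCert.Thumbprint)  (record it; revocation is by thumbprint)"
```

Record each client certificate's thumbprint when you issue it: the gateway revokes individual client certificates by thumbprint, so a lost laptop can be cut off without replacing the root certificate on every other device.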

Configuring the P2S connection ^

Click on Point-to-site configuration and then on Configure now.

Configuring the VPN gateway

On the next page, we need to add some information, mainly the address pool, the protocol to use, and the certificate data. The address pool can be any classless inter-domain routing (CIDR) range you want, as long as it doesn't overlap with any range in your VNet or your on-premises networks.

The tunnel type depends on which clients you want to support. On Windows 7 or later, any combination that includes Secure Socket Tunneling Protocol (SSTP) will work, but only for Windows users, because SSTP is Windows-only. To be as open as possible, most of my customers pick OpenVPN. We will use SSTP and Internet Key Exchange v2 (IKEv2) for this article, which together support pretty much all operating systems.

For the certificate, go back to the .cer file from before and copy the file content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Make sure to remove all line breaks!

Specifying the VPN gateway data

Establishing the VPN ^

Hitting the Save button will apply the configuration, and a few minutes later we will be able to hit Download VPN client. This download is a zip file containing preconfigured files that enable the VPN connection. For Windows, pick the correct architecture, most likely WindowsAmd64, and then double-click the executable VpnClientSetupAmd64.exe inside that folder. You can then find the VPN connection under Settings\VPN and connect to it from there.
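The same point-to-site configuration can be applied from PowerShell, which is handy when the gateway is rebuilt or when several environments need identical settings. The script below is an added example and not the article's code: it rejects a client address pool that overlaps the VNet or your on-premises ranges (the overlap the article warns about), sets the pool and the SSTP/IKEv2 tunnel types, uploads the root certificate's Base64 public data, downloads the client package, and defines a helper that revokes a single client certificate by thumbprint. The pool range, the on-premises range, the file path and the placeholder thumbprint are assumptions.

```powershell
# Added example: P2S configuration from PowerShell. Resource names are the
# article's; $clientPool, $onPremRanges and $rootB64Path are assumptions.
$rgName       = '4soResourceGroup'
$vnetName     = '4soNetwork'
$gwName       = 'vpngateway'
$clientPool   = '172.16.201.0/24'
$onPremRanges = @('192.168.0.0/16')                  # assumption: your on-premises ranges
$rootB64Path  = 'C:\p2s\4soP2SRootCertificate.b64'  # one Base64 line of the root cert's DER bytes

# First and last address of an IPv4 CIDR block as integers.
function Get-CidrRange([string]$cidr) {
    $ip, $len = $cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                  # BitConverter is little-endian
    $start = [int64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [int64]1 -shl (32 - [int]$len)
    $start = $start -band -bnot ($size - 1)                   # align to the network boundary
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

# Two blocks overlap if each starts before the other ends.
function Test-CidrOverlap([string]$a, [string]$b) {
    $ra = Get-CidrRange $a; $rb = Get-CidrRange $b
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

# The client pool must not overlap the VNet address space or on-premises ranges.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
foreach ($range in (@($vnet.AddressSpace.AddressPrefixes) + $onPremRanges)) {
    if (Test-CidrOverlap $clientPool $range) { throw "Client pool $clientPool overlaps $range" }
}

# Address pool and tunnel types (SSTP + IKEv2, as in the article).
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $clientPool -VpnClientProtocol @('SSTP', 'IkeV2') | Out-Null

# Upload the root public data: bare Base64, no PEM headers, no whitespace.
$publicCertData = (Get-Content -Path $rootB64Path -Raw).Trim()
if ($publicCertData -match '-----|\s') {
    throw 'PublicCertData must be bare Base64 without BEGIN/END lines or line breaks'
}
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName '4soP2SRootCertificate' `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName `
    -PublicCertData $publicCertData | Out-Null

# Generate and download the client package (the same zip as "Download VPN client").
$clientConfig = New-AzVpnClientConfiguration -ResourceGroupName $rgName -Name $gwName `
    -AuthenticationMethod 'EapTls'
Invoke-WebRequest -Uri $clientConfig.VpnProfileSASUrl -OutFile 'C:\p2s\vpnclient.zip'

# Lost or retired device: revoke its client certificate by thumbprint instead of
# rotating the root certificate for every user.
function Revoke-P2SClient([string]$name, [string]$thumbprint) {
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $name `
        -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName `
        -Thumbprint $thumbprint | Out-Null
}
# Revoke-P2SClient -name 'lost-laptop' -thumbprint '<client certificate thumbprint>'  # placeholder
```

The overlap check is deliberately done before touching the gateway: a pool that collides with the VNet produces connections that succeed at the VPN layer but fail to route, which is much harder to diagnose afterwards than a thrown error now.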

Connecting to the Azure P2S VPN

Once connected, you are now "part" of the Azure VNet and can communicate to resources inside the VNet via their private IPs or private DNS names.

  1. Swapnil Kambli 3 years ago

    If someone is looking for completely automating the P2S configuration process with Powershell here is the code:

    Generate Root Certificate and Export Root Certificate along with the private Key for client certificate generation
    $Rootcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=RootCertificate" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -KeyUsageProperty Sign -KeyUsage CertSign

    $mypwd = ConvertTo-SecureString -String "myP@ssw0rd" -Force -AsPlainText
    Export-PfxCertificate -cert $Rootcert -FilePath C:\RootCert.pfx -Password $mypwd

  2. Swapnil Kambli 3 years ago

    Generate Root Certificate and Export Root Certificate without private key for Gateway configuration
    $Rootcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=RootCertificate" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -KeyUsageProperty Sign -KeyUsage CertSign

    $certFile = 'C:\RootCert.cer'

    [System.Convert]::ToBase64String($Rootcert.RawData, 'InsertLineBreaks') | Out-File -FilePath $certFile -Encoding ascii

  3. Swapnil Kambli 3 years ago

    Gateway Configuration with the root certificate data
    $Text = Get-Content -Path "C:\RootCert.cer"
    $CertificateText = $body = $Text -join "`r`n" | Out-String
    Add-AzVpnClientRootCertificate -PublicCertData $CertificateText -ResourceGroupName $RGname -VirtualNetworkGatewayName $Gwname -VpnClientRootCertificateName "RootCertificate"

© 4sysops 2006 - 2022