Configure Point-to-Site VPN Gateway

This article guides you through the process of configuring a Point-to-Site (P2S) VPN gateway in Azure. P2S VPN allows individual client computers to connect to your Azure virtual network securely. This is often used for remote workers or for securely accessing Azure resources from a public network.

Prerequisites

Overview of Point-to-Site VPN

P2S VPN configuration involves several key components:

Steps to Configure P2S VPN

Step 1: Create a VPN Gateway

Navigate to the Azure portal and search for "Virtual network gateways". Click "Create".

  1. Subscription: Select your Azure subscription.
  2. Resource group: Choose an existing or create a new resource group.
  3. Name: Provide a name for your VPN gateway.
  4. Region: Select the same region as your virtual network.
  5. Gateway type: Select VPN.
  6. VPN type: For P2S, choose Route-based.
  7. SKU: Select a SKU based on your throughput and connection-count requirements (e.g., VpnGw1, VpnGw2). The Basic SKU does not support the OpenVPN tunnel type or Azure AD authentication, so choose VpnGw1 or higher if you plan to use either of them.
  8. Virtual network: Select the VNet you want to connect to.
  9. Gateway subnet IP ranges: Ensure you have a dedicated subnet named exactly GatewaySubnet with a /27 or larger CIDR block. The portal prompts you to create it if it doesn't exist. Don't place other resources in this subnet.
  10. Public IP address: Create a new one or use an existing standard SKU, static public IP address.
  11. Active-active mode: Optional, for high availability.
  12. Configure BGP: Optional, for advanced routing.

Click "Review + create" and then "Create" to deploy the gateway. Deployment can take up to 45 minutes.

Step 2: Configure P2S VPN Settings on the Gateway

Once the gateway is deployed, navigate to its resource page. Under "Settings", click on "Point-to-site configuration".

  1. Address pool: Specify a range of private IP addresses from which connected clients are assigned addresses. This range must not overlap with the VNet address space, any peered VNet, any on-premises network reachable through the gateway, or the clients' own local networks; an overlap makes the affected addresses unreachable over the tunnel. For example, 172.16.201.0/24.
  2. Tunnel type: Choose OpenVPN (SSL/TLS, works on Windows, macOS, Linux, iOS and Android, and is required for Azure AD authentication), IKEv2 (native VPN clients on Windows and macOS), or SSTP (Windows only). OpenVPN and IKEv2, or IKEv2 and SSTP, can be enabled together.
  3. Authentication type:
    • Azure Certificate: Clients present a certificate issued from a root certificate that you generate and upload. Azure only ever sees the public part of the root.
    • Azure Active Directory (now Microsoft Entra ID): Users sign in with their directory identity. Requires the OpenVPN tunnel type and the Azure VPN Client.
    • RADIUS: Authenticate against a RADIUS server you operate, for example an NPS server that fronts Active Directory.
  4. Root certificates (for Azure Certificate authentication): Paste the Base64-encoded public certificate data of the root, i.e. the body of the .cer file without the BEGIN/END lines. Keep the root private key offline; it is used only to sign client certificates. Individual client certificates can later be blocked under "Revoked certificates" by their thumbprint.
  5. RADIUS server: If using RADIUS, provide the server's IP address and shared secret. The gateway must be able to reach the server from the VNet; an on-premises server needs a site-to-site or ExpressRoute connection.

Click "Save".
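The address-pool rule in Step 2 is easy to get wrong when several VNets and on-premises ranges are involved. The following bash script, added here as an example and not part of the original article, checks a proposed client pool against a list of existing CIDR ranges with plain shell arithmetic; the ranges it checks are constructed sample data, not values from the article.

```shell
#!/usr/bin/env bash
# Added example: detect overlap between a proposed P2S client address pool and
# the address ranges it must not collide with. Pure bash, no Azure calls.
set -euo pipefail

# ip4_to_int 10.1.2.3 -> 167838211
ip4_to_int() {
  local IFS=.
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_bounds 10.0.0.0/16 -> "first last" as integers
cidr_bounds() {
  local net="${1%/*}" bits="${1#*/}"
  local base mask
  base=$(ip4_to_int "$net")
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}

# cidr_overlap A B -> exit status 0 if the two CIDRs share any address
cidr_overlap() {
  local a1 a2 b1 b2
  read -r a1 a2 <<< "$(cidr_bounds "$1")"
  read -r b1 b2 <<< "$(cidr_bounds "$2")"
  [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# check_pool POOL RANGE... -> prints each conflicting range; exit status 1 if any
check_pool() {
  local pool="$1"; shift
  local rc=0 r
  for r in "$@"; do
    if cidr_overlap "$pool" "$r"; then
      echo "CONFLICT: $pool overlaps $r"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample environment: a VNet, two of its subnets, an on-premises range.
EXISTING=(10.10.0.0/16 10.10.1.0/24 10.10.255.0/27 172.16.0.0/12)

main() {
  # The article's example pool collides with a 172.16.0.0/12 on-premises range here.
  check_pool 172.16.201.0/24 "${EXISTING[@]}" || echo "choose a different pool"
  # A pool outside every listed range passes.
  check_pool 192.168.101.0/24 "${EXISTING[@]}" && echo "192.168.101.0/24 is usable"
}
main "$@"
```

Feed it the VNet address space, every subnet, every peered VNet range and every on-premises prefix advertised through the gateway; a clean run means the pool can be saved without routing surprises.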

Step 3: Download VPN Client Configuration Package

On the Point-to-site configuration page, click the "Download VPN client" button. This generates and downloads a zip file containing the configuration files and installers for Windows, macOS, and Linux clients. Download it again whenever you change the P2S settings, because the package embeds the gateway's current configuration.

Step 4: Install and Connect the VPN Client

On each client machine that needs to connect:

  1. Extract the contents of the downloaded zip file.
  2. Run the appropriate installer (e.g., VpnClientSetupAmd64.exe for 64-bit Windows).
  3. Follow the prompts to install the VPN connection profile.
  4. Once installed, you can connect to the VPN through your operating system's network settings. You may be prompted for authentication credentials depending on the authentication type configured.

Important Considerations

Ensure that firewall rules and Network Security Groups (NSGs) on the subnets hosting your workloads allow traffic from the P2S client address pool; traffic from connected clients arrives with source addresses from that pool, not from the gateway's public IP. Do not associate an NSG with GatewaySubnet itself; that is unsupported and can break the gateway. Scope the allowed ports to what remote users actually need rather than permitting the whole pool to reach everything.

Troubleshooting Common Issues

For detailed troubleshooting steps, refer to the Azure VPN Gateway Troubleshooting Guide.
