Azure Virtual WAN Point-to-Site VPN

This document provides a comprehensive guide to configuring and using Point-to-Site (P2S) VPN connections with Azure Virtual WAN. P2S VPN allows individual users to connect to your Azure Virtual WAN hub securely from their client devices.

Introduction

Point-to-Site VPN is a method to secure remote connectivity for users. When you want to allow users to connect to your Azure resources from their local devices (laptops, desktops), P2S VPN is an ideal solution. Azure Virtual WAN offers a scalable and efficient way to manage these connections.

Key benefits of using P2S with Virtual WAN:

• Securely connect remote users to your Azure VNet resources.
• Leverage existing Azure infrastructure for simplified management.
• Support for multiple authentication methods (certificates, RADIUS, Azure AD).
• Scalable and high-performance connectivity.

Prerequisites

Before you begin configuring P2S VPN, ensure you have the following:

• An active Azure subscription.
• A deployed Azure Virtual WAN resource.
• A Virtual Hub within your Virtual WAN.
• (Optional but recommended) Network security groups (NSGs) and firewall rules configured for your connected VNets.

Supported Protocols

Azure Virtual WAN supports the following VPN protocols for P2S connections:

• OpenVPN Protocol: Provides robust security and broad client compatibility.
• IKEv2 VPN: A secure and widely adopted VPN protocol, offering good performance and reliability.

The protocol you choose will depend on your security requirements and client operating system compatibility.

Creating a Virtual WAN and Hub

If you don't already have a Virtual WAN and a Virtual Hub, you can create them through the Azure portal:

1. Navigate to the Azure portal.
2. Search for "Virtual WAN" and select it.
3. Click "+ Create" to create a new Virtual WAN.
4. Once the Virtual WAN is created, navigate to it and select "Hubs".
5. Click "+ Create hub" to create a new Virtual Hub. Configure the hub details, including its name, region, and private IP address space.

Configuring Point-to-Site VPN

To configure P2S VPN for your Virtual Hub, follow these steps:

1. Navigate to your Virtual WAN resource in the Azure portal.
2. Under "Connectivity," select "Virtual Hubs."
3. Click on the Virtual Hub you want to configure.
4. In the hub's menu, select "Point-to-site VPN."
5. Click "+ Create point-to-site VPN configuration."
6. Address pool: Specify an IP address range for clients connecting via P2S VPN. This range should not overlap with any existing VNets or on-premises networks.
7. Routing preference: Choose "ExpressRoute and VPN" or "VPN only" based on your needs.
8. VPN client tunnel configuration: Select your desired VPN protocol (OpenVPN or IKEv2).
9. Tunnel configuration: Define the authentication method and associated settings.
10. Click "Save."

Authentication Methods

Virtual WAN supports several authentication methods for P2S VPN connections:

• Certificate-based authentication: Uses digital certificates to authenticate clients.
• RADIUS authentication: Integrates with a RADIUS server for centralized authentication.
• Azure Active Directory (Azure AD) authentication: Leverages Azure AD for user authentication.

Certificate Authentication

For certificate-based authentication:

• You need to create a root certificate and then issue client certificates from it.
• Upload the root certificate public key (in Base64 format) to your P2S VPN configuration in Azure.
• Each client device will need a unique client certificate installed.

RADIUS Authentication

For RADIUS authentication:

• Ensure you have a RADIUS server (e.g., Windows Server NPS) configured and accessible from Azure.
• Provide the RADIUS server's IP address and shared secret in the P2S VPN configuration.
• Clients will authenticate against your RADIUS server.

Azure AD Authentication

For Azure AD authentication:

• You need to configure your Virtual WAN hub to use Azure AD as the authentication provider.
• This typically involves registering an application in Azure AD and configuring the necessary permissions.
• Users will sign in using their Azure AD credentials.

Downloading the Client Package

Once the P2S VPN configuration is complete, you can download the VPN client package for each supported operating system (Windows, macOS, Linux). This package contains the necessary configuration files and VPN client software.

1. Navigate to your Virtual Hub in the Azure portal.
2. Select "Point-to-site VPN."
3. Click the "Download VPN client" button.
4. Choose the desired operating system and authentication type.
5. Click "Generate and download."

Extract the downloaded package to install the VPN client on user devices.

Connecting from a Client

After installing the VPN client package on a user's device:

1. Open the VPN client application.
2. Select the Azure VPN connection profile.
3. Click "Connect."
4. If prompted, enter your credentials or ensure your client certificate is available.

Once connected, the client device will be assigned an IP address from the P2S address pool and will be able to access resources in the connected VNets.

Troubleshooting

If you encounter issues connecting:

• Verify IP Address Pools: Ensure no IP address conflicts exist.
• Check Authentication Settings: Double-check your root certificates, RADIUS shared secrets, or Azure AD configurations.
• Review Firewall Rules: Ensure that any firewalls between the client and Azure allow VPN traffic.
• Examine Client Logs: The VPN client software usually provides logs that can help diagnose connection problems.
• Azure Network Watcher: Utilize Azure Network Watcher for advanced diagnostics if needed.

For more detailed troubleshooting steps, refer to the official Azure documentation on Virtual WAN P2S VPN.