VPN Gateway: Point-to-Site (P2S) Configuration
This document provides a comprehensive guide to configuring Point-to-Site (P2S) VPN connections for Azure Virtual Network Gateways. P2S allows individual client computers to connect to your Azure virtual network securely.
Overview of P2S VPN
Point-to-Site VPN enables a secure tunnel from a client computer to an Azure virtual network. This is achieved by installing a VPN client on the individual client machines. Azure supports three P2S tunnel protocols, and a single gateway can offer more than one of them at the same time:
- Secure Socket Tunneling Protocol (SSTP): A Microsoft protocol that encapsulates VPN traffic in TLS over TCP port 443, making it highly firewall-friendly. Supported by Windows clients only.
- OpenVPN Protocol: A TLS-based protocol that also uses TCP port 443 on Azure VPN Gateway. Offers broad client support (Windows, macOS, Linux, iOS, Android) and is the only protocol that supports Azure AD authentication.
- IKEv2 VPN: A standards-based IPsec tunnel over UDP ports 500 and 4500. Supported by the native Windows and macOS clients, but blocked by networks that permit only TCP 443 outbound.
Prerequisites
- An Azure subscription.
- An existing Azure Virtual Network.
- A GatewaySubnet within your virtual network.
- A Virtual Network Gateway created with -GatewayType Vpn (route-based). Note that the Basic SKU supports only SSTP for P2S; OpenVPN, IKEv2 and RADIUS authentication require VpnGw1 or higher.
Configuration Steps
Configuring P2S VPN involves several key steps:
1. Configure the Virtual Network Gateway for P2S
You can configure your Virtual Network Gateway to accept P2S connections using either the Azure portal, Azure CLI, or PowerShell.
Using Azure PowerShell
The following PowerShell script demonstrates how to configure P2S settings. Ensure you have the Az PowerShell module installed (the cmdlets below are Az.Network cmdlets; the older AzureRM module is deprecated) and that you have signed in with Connect-AzAccount.
$GatewayName = "MyVpnGateway"
$ResourceGroupName = "MyResourceGroup"
$VpnClientAddressPool = "172.16.201.0/24" # Example address pool; must not overlap the VNet, peered VNets, or on-premises ranges
$VpnClientProtocols = "SSTP", "OpenVPN" # Or just "SSTP"; Azure AD authentication requires "OpenVPN"
# Retrieve the existing gateway object (created earlier with New-AzVirtualNetworkGateway -GatewayType Vpn)
$VpnGateway = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
# Set the VPN client address pool and protocols
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $VpnGateway -VpnClientAddressPool $VpnClientAddressPool -VpnClientProtocol $VpnClientProtocols
# Note: This sets only the address pool and protocols. An authentication method (root certificate, RADIUS, or Azure AD) must also be configured before any client can connect; see Authentication Methods below.
2. Generate and Download VPN Client Packages
Once the gateway is configured, you need to generate the client configuration packages. These packages contain the necessary certificates and configuration files for your clients.
# Generate the VPN client configuration package (a zip) and obtain a short-lived SAS download URL for it.
# EAPTLS = certificate authentication; use "EAPMSCHAPv2" for RADIUS username/password authentication.
$ClientProfile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroupName -Name $GatewayName -AuthenticationMethod "EAPTLS"
Invoke-WebRequest -Uri $ClientProfile.VpnProfileSASUrl -OutFile ".\vpnclientconfiguration.zip"
# The zip contains WindowsAmd64 and WindowsX86 folders (native Windows installers), a Generic folder
# (server certificate and settings for macOS/IKEv2 and other clients), and an OpenVPN folder with a .ovpn
# profile when the OpenVPN protocol is enabled on the gateway.
You can also achieve this through the Azure portal by navigating to your Virtual Network Gateway, going to "Point-to-site configuration", and clicking "Download VPN client".
3. Install the VPN Client on Client Machines
Distribute the downloaded client package to your users. For Windows, the WindowsAmd64 or WindowsX86 folder contains an installer (VpnClientSetupAmd64.exe or VpnClientSetupX86.exe) that can be run directly and creates the connection in the built-in VPN client. For other operating systems, the configuration files (for example the .ovpn profile in the OpenVPN folder) must be imported into compatible VPN client software; for certificate authentication over OpenVPN, the user's client certificate and private key must be inserted into the .ovpn profile, since the package contains only the gateway-side material. Treat the package as sensitive: it is tied to your gateway and, once the OpenVPN profile carries a key, to a specific user.
4. Connect to Azure VPN
Once the client is installed and configured, users can initiate the VPN connection from their client operating system. With Azure AD authentication they are prompted to sign in, and any conditional access or multi-factor authentication policy applies to the tunnel; with RADIUS they enter their username and password; with certificate authentication the connection is established using the client certificate, which must be installed in the user's personal certificate store (Windows and macOS native clients) or referenced from the .ovpn profile (OpenVPN). The downloaded package never contains a client certificate or private key; issue and distribute those separately, one per user.
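The four steps above, carried through end to end for certificate-based authentication, as an added example that is not part of the original page. It assumes an existing route-based VPN gateway named MyVpnGateway in resource group MyResourceGroup, the Az module with Connect-AzAccount already run, and Windows PowerShell 5.1 (for New-SelfSignedCertificate); the certificate names P2SRootCert and P2SChildCert are placeholders.

```powershell
# Added example (not from the original page): end-to-end certificate-based P2S setup.
# Assumptions: gateway MyVpnGateway in MyResourceGroup already exists, Az module loaded,
# Connect-AzAccount done, Windows PowerShell 5.1 for the PKI cmdlets. Names are placeholders.
$ResourceGroupName    = "MyResourceGroup"
$GatewayName          = "MyVpnGateway"
$VpnClientAddressPool = "172.16.201.0/24"
$RootCertName         = "P2SRootCert"     # placeholder; shown in the portal's root certificate list
$ClientCertName       = "P2SChildCert"    # placeholder; one client certificate per user

# 1. Create a self-signed root certificate in the current user's store.
#    The root private key signs client certs; move it offline once you have issued them.
$RootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$RootCertName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -NotAfter (Get-Date).AddMonths(24) `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Issue a client certificate signed by that root. The gateway requires the
#    Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); keep the lifetime short.
$ClientCert = New-SelfSignedCertificate -Type Custom -DnsName $ClientCertName -KeySpec Signature `
    -Subject "CN=$ClientCertName" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddMonths(12) `
    -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $RootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Azure needs only the root's PUBLIC data as base64 DER (what sits between the
#    BEGIN/END lines of a base64-encoded .cer). The private key never leaves this machine.
$RootPublicBase64 = [Convert]::ToBase64String(
    $RootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 4. Apply the client pool, protocols and trusted root to the gateway.
$Gateway = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool $VpnClientAddressPool -VpnClientProtocol "SSTP", "OpenVPN"
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "$RootCertName.cer" `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
    -PublicCertData $RootPublicBase64

# 5. Generate the client package and download it.
$ClientProfile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroupName `
    -Name $GatewayName -AuthenticationMethod "EAPTLS"
Invoke-WebRequest -Uri $ClientProfile.VpnProfileSASUrl -OutFile ".\vpnclientconfiguration.zip"

# 6. Export the client certificate plus private key as a password-protected PFX for
#    that one user. Deliver the PFX and its password over separate channels.
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $ClientCert -FilePath ".\$ClientCertName.pfx" `
    -Password $PfxPassword -ChainOption BuildChain

# 7. When a user leaves or a device is lost, revoke that client certificate by thumbprint.
#    The gateway rejects revoked certificates even though the root is still trusted.
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName "$ClientCertName-revoked" `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
    -Thumbprint $ClientCert.Thumbprint
```

Step 7 is shown so the revocation path is not forgotten at rollout time; run it only for certificates you actually want blocked. Using one short-lived certificate per user, rather than a shared certificate, is what makes revocation meaningful.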
Authentication Methods
Azure VPN Gateway supports various authentication methods for P2S connections:
- Azure Active Directory (Azure AD, now Microsoft Entra ID): Users authenticate with their Azure AD identity through the Azure VPN Client, so conditional access policies and multi-factor authentication apply to the tunnel. Supported only with the OpenVPN protocol.
- RADIUS Server: The gateway forwards authentication to a RADIUS server (for example NPS) reachable from the gateway, typically over the site-to-site or ExpressRoute connection, for centralized username/password (EAP-MSCHAPv2) or certificate (EAP-TLS) authentication. RADIUS is not available on the Basic SKU.
- Azure certificate authentication: You upload the public data of one or more root certificates (self-signed or issued by an enterprise CA) to the gateway, and each client presents a certificate issued from one of those roots. Individual client certificates can be revoked on the gateway by thumbprint.
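Switching the gateway from the Azure AD method described above can be done with the same Set-AzVirtualNetworkGateway cmdlet, as in this added example (not code from the original page). It assumes the gateway from the earlier steps, that $TenantId is replaced with your own tenant ID (the value below is a placeholder), and that the audience ID is the Azure Public cloud application ID of the Microsoft-published "Azure VPN" enterprise application; confirm that ID against current Microsoft documentation before use.

```powershell
# Added example (not from the original page): configure Azure AD (Microsoft Entra ID) authentication.
# Assumptions: gateway MyVpnGateway in MyResourceGroup exists, Az module loaded, Connect-AzAccount done.
$TenantId = "00000000-0000-0000-0000-000000000000"   # placeholder; use your tenant ID
$ResourceGroupName = "MyResourceGroup"
$GatewayName       = "MyVpnGateway"

# Azure Public cloud application ID for the Microsoft-published "Azure VPN" app. Verify against current docs.
$AzureVpnAudienceId = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

$Gateway = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

# Azure AD auth is only supported with OpenVPN, so the protocol list is narrowed to OpenVPN here.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientProtocol "OpenVPN" `
    -VpnAuthenticationType "AAD" `
    -AadTenantUri "https://login.microsoftonline.com/$TenantId" `
    -AadAudienceId $AzureVpnAudienceId `
    -AadIssuerUri "https://sts.windows.net/$TenantId/"

# Read the configuration back and check it before handing out profiles.
$Applied = (Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName).VpnClientConfiguration
$Applied | Format-List VpnClientProtocols, VpnAuthenticationTypes, AadTenant, AadAudience, AadIssuer

# Clients use the Azure VPN Client and import azurevpnconfig.xml from the AzureVPN folder of the package.
$ClientProfile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroupName -Name $GatewayName -AuthenticationMethod "EAPTLS"
Invoke-WebRequest -Uri $ClientProfile.VpnProfileSASUrl -OutFile ".\vpnclientconfiguration-aad.zip"
```

Because conditional access is evaluated at sign-in, pair this with a policy that requires MFA and a compliant device for the Azure VPN application; otherwise the tunnel is only as strong as the user's password.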
Troubleshooting Common Issues
If you encounter issues connecting, consider the following:
- Verify that the VPN client address pool does not overlap the virtual network address space, any peered virtual network, or on-premises ranges the virtual network routes to; overlapping pools cause the client to connect but fail to reach resources.
- Ensure firewall rules on client machines and corporate networks allow outbound TCP port 443 to the gateway public IP for SSTP and OpenVPN, or UDP ports 500 and 4500 for IKEv2.
- Enable a diagnostic setting on the gateway and query the P2SDiagnosticLog category in Azure Monitor (Log Analytics) for per-connection authentication and tunnel error messages.
- If using certificate-based authentication, confirm that a client certificate chaining to an uploaded root is installed in the user's certificate store (or embedded in the .ovpn profile), that it carries the Client Authentication EKU, and that it has not been revoked on the gateway.
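The first two checks above can be scripted instead of eyeballed. The following is an added example, not code from the original page: it computes CIDR overlap locally and then probes TCP 443 on the gateway's public IP. It assumes a virtual network named MyVnet and the gateway MyVpnGateway in resource group MyResourceGroup, with the gateway's public IP in the same resource group; the two CIDRs in the self-check are constructed inputs.

```powershell
# Added example (not from the original page): P2S pool overlap check and TCP 443 reachability probe.
# Assumptions: VNet MyVnet and gateway MyVpnGateway in MyResourceGroup, public IP in the same group.

function ConvertTo-IpInteger([string]$Ip) {
    # IPv4 dotted quad -> unsigned 32-bit value held in a uint64 to avoid sign trouble
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [uint64]$value = 0
    foreach ($b in $bytes) { $value = ($value -shl 8) -bor $b }
    return $value
}

function Get-CidrRange([string]$Cidr) {
    # Returns the first and last address of a prefix as integers, with host bits cleared
    $ip, $prefixLength = $Cidr.Split('/')
    $hostBits = 32 - [int]$prefixLength
    $size = [uint64]1 -shl $hostBits
    $start = (ConvertTo-IpInteger $ip) -band ([uint64]0xFFFFFFFF - ($size - 1))
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap([string]$A, [string]$B) {
    # Two ranges overlap when each one starts before the other ends
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

# Constructed self-check with no Azure calls: a /24 inside 172.16.0.0/16 overlaps it, 10.0.0.0/16 does not.
if (-not (Test-CidrOverlap "172.16.201.0/24" "172.16.0.0/16")) { throw "overlap check failed (expected overlap)" }
if (Test-CidrOverlap "172.16.201.0/24" "10.0.0.0/16")         { throw "overlap check failed (expected no overlap)" }

# Check 1: the configured client pool against every VNet prefix and every peered VNet's remote prefixes.
$ResourceGroupName = "MyResourceGroup"
$Vnet    = Get-AzVirtualNetwork -Name "MyVnet" -ResourceGroupName $ResourceGroupName
$Gateway = Get-AzVirtualNetworkGateway -Name "MyVpnGateway" -ResourceGroupName $ResourceGroupName
$Pools   = @($Gateway.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes)

$Candidates = @($Vnet.AddressSpace.AddressPrefixes)
foreach ($peering in $Vnet.VirtualNetworkPeerings) {
    $Candidates += $peering.RemoteVirtualNetworkAddressSpace.AddressPrefixes
}
foreach ($pool in $Pools) {
    $Conflicts = @($Candidates | Where-Object { Test-CidrOverlap $pool $_ })
    if ($Conflicts.Count -gt 0) {
        Write-Warning "Client pool $pool overlaps: $($Conflicts -join ', ')"
    } else {
        Write-Host "Client pool $pool does not overlap the VNet or peered address spaces."
    }
}

# Check 2: SSTP and OpenVPN both need TCP 443 to the gateway's public IP from the client network.
$PublicIpName = $Gateway.IpConfigurations[0].PublicIpAddress.Id.Split('/')[-1]
$PublicIp     = Get-AzPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName
Test-NetConnection -ComputerName $PublicIp.IpAddress -Port 443 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run the reachability probe from the client's actual network (for example the corporate LAN or a coffee-shop Wi-Fi), not from the machine where you manage Azure: the point is to find out what the client's egress path blocks. On-premises ranges reachable over a site-to-site connection are not in $Candidates; add your local network gateway prefixes to the list if P2S clients must reach them.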