Point-to-Site VPN Configuration
Point-to-Site (P2S) VPN allows individual users to connect to an Azure Virtual WAN hub from their client devices. This is useful for remote workers or for users who need secure access to Azure resources without establishing a full site-to-site VPN connection.
Overview
P2S VPN establishes a secure VPN tunnel from a client computer to an Azure Virtual WAN hub. Azure Virtual WAN supports two types of P2S VPN clients:
- OpenVPN Protocol: A TLS-based tunnel with the broadest client compatibility (Windows, macOS, Linux, iOS, and Android via an OpenVPN client). It is also the only tunnel type that supports Microsoft Entra ID (Azure AD) authentication.
- IKEv2/IPsec Protocol: A standards-based IPsec tunnel used by the native VPN clients on Windows and macOS. It works with certificate and RADIUS authentication, not with Entra ID.
Prerequisites
Before configuring P2S VPN, ensure you have the following:
- An Azure subscription.
- An existing Azure Virtual WAN hub.
- A User VPN (point-to-site) gateway deployed in the hub. In Virtual WAN this gateway is created from the hub itself, not as a standalone Virtual Network Gateway.
- A User VPN configuration (tunnel type and authentication settings). It is defined at the Virtual WAN level and assigned to the hub gateway when the gateway is created.
Configuration Steps
1. Configure P2S VPN Gateway Settings
Navigate to your Virtual WAN hub in the Azure portal. Under "User VPN (Point to site)", you can configure:
- Address Pool: A private IP address range from which connecting clients are assigned addresses. It must not overlap with the hub's address space, any connected virtual network, or on-premises ranges reachable through the hub; an overlapping pool leaves clients without a usable route to those resources.
- Authentication Type (set in the User VPN configuration):
- Microsoft Entra ID (formerly Azure Active Directory): User-identity authentication without client certificates. Requires the OpenVPN tunnel type and the Azure VPN Client, and lets you enforce Conditional Access and MFA on VPN sign-in.
- RADIUS: Authentication via a RADIUS server reachable from the hub.
- Certificate: Certificate-based authentication. You upload the public data of your root certificate (Base64-encoded .cer; paste only the body without the BEGIN/END lines), and each client authenticates with a certificate issued by that root.
- VPN Client Root Certificates: If using certificate authentication, upload the public certificates of the certificate authorities you trust. Keep the root CA's private key offline: anyone who holds it can issue a client certificate the gateway will accept.
- IKEv2 and OpenVPN Protocols: Enable the desired tunnel types. For IKEv2 you can optionally set a custom IPsec policy (encryption and integrity algorithms, DH group, PFS) instead of the defaults.
2. Download VPN Client Configuration
Once the P2S VPN gateway settings are configured, you can download the VPN client configuration package. This package contains:
- An installer for Windows clients.
- Configuration files for macOS and Linux clients (for OpenVPN).
- Root certificates.
This is typically found under the "Point-to-site" configuration page for your hub's VPN gateway.
3. Install and Connect the VPN Client
On the client machine:
- Windows: Run the downloaded installer, which creates the VPN connection with the gateway address and server certificate already configured. For certificate authentication, a client certificate issued by the uploaded root, together with its private key, must also be installed in the user's certificate store before connecting.
- macOS/Linux: Import the OpenVPN configuration file into your OpenVPN client application. For certificate authentication, the generated .ovpn file contains placeholder sections where the client certificate and private key must be inserted before the profile will work.
Initiate the VPN connection using the installed client. You may be prompted for credentials or certificates depending on the authentication method chosen.
Key Considerations
- IP Address Allocation: Size the P2S address pool for peak concurrent connections with headroom, and verify that it does not conflict with the hub, spoke, or on-premises ranges before deploying the gateway; changing the pool later disrupts connected clients.
- Certificate Management: For certificate-based authentication, robust certificate lifecycle management is crucial: track expiry of both root and client certificates, plan root rotation before the root expires, and revoke lost or compromised client certificates by adding their thumbprints to the revoked certificates list on the User VPN configuration.
- Protocol Selection: Choose tunnel types based on your client OS requirements and security needs. OpenVPN offers broader cross-platform support and is required for Entra ID authentication; IKEv2 suits environments standardized on the native Windows and macOS clients.
- Route Management: Understand how routes are advertised to and from P2S clients. Clients learn the prefixes of virtual networks connected to the hub, so a resource the client cannot reach is often a routing or association problem at the hub rather than a client fault.
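A pre-flight check for the address pool, added here as an example and not part of the original page or of Azure's own tooling. It uses only Python's standard ipaddress module; the range labels, the sample prefixes, and the headroom factor are constructed assumptions (the headroom is a local sizing policy, not an Azure requirement):

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PoolCheck:
    """Result of validating a proposed P2S client address pool."""
    pool: str
    addresses: int
    overlaps: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.overlaps and not self.warnings


def check_p2s_pool(pool: str, existing: dict, expected_clients: int,
                   headroom: float = 1.5) -> PoolCheck:
    """Validate a P2S address pool against ranges already in use.

    existing maps a label (hub, spoke, on-premises site) to a CIDR prefix.
    expected_clients is the peak number of simultaneous connections planned for;
    headroom is an assumed local policy that leaves slack for reconnects and growth.
    """
    # strict=False accepts "10.200.0.5/24"; report it instead of silently
    # normalising, since the value entered in the portal must be the network address.
    net = ipaddress.ip_network(pool, strict=False)
    result = PoolCheck(pool=str(net), addresses=net.num_addresses)
    if str(net) != pool:
        result.warnings.append(f"{pool} has host bits set; use {net}")

    # Any overlap with hub, spoke or on-premises space breaks routing for clients.
    for label, prefix in existing.items():
        other = ipaddress.ip_network(prefix, strict=False)
        if net.version == other.version and net.overlaps(other):
            result.overlaps.append(f"{label} ({other})")

    # Client pools should come from private space; flag anything else for review.
    if not net.is_private:
        result.warnings.append(f"{net} is not a private (RFC 1918 / ULA) range")

    needed = int(expected_clients * headroom)
    if net.num_addresses < needed:
        result.warnings.append(
            f"{net} offers {net.num_addresses} addresses; {needed} needed for "
            f"{expected_clients} clients with {headroom}x headroom")
    return result


# Constructed sample topology: hub, one spoke VNet, one on-premises site.
SAMPLE_RANGES = {
    "hub": "10.0.0.0/24",
    "spoke-app": "10.1.0.0/16",
    "onprem-hq": "192.168.0.0/16",
}

if __name__ == "__main__":
    for candidate in ("10.200.0.0/24", "10.1.5.0/24", "10.200.0.0/26"):
        r = check_p2s_pool(candidate, SAMPLE_RANGES, expected_clients=100)
        print(candidate, "OK" if r.ok else f"overlaps={r.overlaps} warnings={r.warnings}")
```

Run it against your real hub, spoke, and site prefixes before creating the gateway; the second candidate above fails because it sits inside the spoke VNet, and the third is too small for 100 clients with headroom.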
Troubleshooting
Common troubleshooting steps include:
- Verifying client-side configuration files.
- Checking firewall rules on client machines and corporate networks.
- Enabling diagnostic settings on the P2S VPN gateway and reviewing the gateway, IKE, and point-to-site diagnostic logs in Azure Monitor; failed IKE or TLS negotiations and certificate rejections are recorded there.
- Ensuring correct root certificates are uploaded and trusted.
For detailed troubleshooting guidance, consult the official Azure documentation on VPN gateway diagnostics.