Configure Point-to-Site VPN
This document guides you through the process of setting up a Point-to-Site (P2S) VPN connection to your Azure Virtual WAN. P2S VPN allows individual users to connect to your Azure Virtual WAN hub from their client devices, providing secure access to resources in your Azure environment.
Prerequisites
- An existing Azure Virtual WAN resource.
- A Virtual WAN Hub deployed within your Virtual WAN.
- An Azure Subscription with sufficient permissions.
Steps to Configure P2S VPN
- Navigate to your Virtual WAN Hub:
In the Azure portal, go to your Virtual WAN resource, then select the specific Hub you want to configure P2S VPN for.
- Access VPN Configuration:
Within the Hub settings, find and select the VPN (P2S) option in the left-hand menu.
- Configure VPN Server Configuration:
The VPN server configuration holds the authentication and tunnel settings. It is defined at the Virtual WAN level and can be reused by more than one hub, so either select an existing configuration or create a new one here.
- Authentication Type: Choose between Azure Active Directory (now Microsoft Entra ID), RADIUS, or certificate authentication against your own private certificate authority (PKI). For most scenarios, Azure Active Directory or PKI are recommended. Azure Active Directory authentication is only supported with the OpenVPN tunnel type.
- RADIUS Server (if applicable): Provide the RADIUS server IP address and shared secret. The hub must be able to reach the RADIUS server, for example through a connected virtual network or a site-to-site connection.
- Root Certificates: If using a private CA, upload the public root certificate(s) in Base-64 encoded X.509 (.cer) format. Upload only the public certificate data; the CA private key never leaves your PKI. Every client certificate presented to the gateway must chain to one of the uploaded roots.
- Configure Tunnel Type:
Select the desired tunnel type. OpenVPN (SSL) is generally recommended for its broad client compatibility: it uses TCP port 443, which outbound firewalls rarely block, and it is the only tunnel type that supports Azure Active Directory authentication. IKEv2 VPN is also an option for certificate or RADIUS authentication; it needs UDP ports 500 and 4500 open from the client toward the gateway.
- Configure Address Pool:
Specify a private IP address range that will be assigned to clients connecting via P2S VPN. This range must not overlap with the hub's own address space, the address space of any virtual network connected to the hub, or any on-premises prefixes reachable through the hub; an overlapping pool produces conflicting routes and clients lose access to the network that shares the prefix. Write the pool in network form (all host bits zero).
Example:
172.16.201.0/24
- Save Configuration:
Click Save to apply your P2S VPN configuration to the hub.
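The address-pool step is the one in this procedure where a planning mistake is silent until clients lose connectivity, so the following script, added here as an example rather than code from Azure or from this guide, checks a proposed client pool against the hub address space, connected virtual network address spaces and on-premises prefixes using only the Python standard library. All prefixes in it are constructed stand-ins; with the constructed on-premises range 172.16.0.0/12 the page's example pool 172.16.201.0/24 is exactly the kind of collision the check catches.

```python
import ipaddress

# Constructed planning inputs for illustration only; none of these prefixes
# come from a real deployment. Replace them with your own hub address space,
# connected VNet address spaces and on-premises prefixes.
HUB_ADDRESS_SPACE = "10.100.0.0/23"
CONNECTED_VNETS = {
    "vnet-prod": ["10.1.0.0/16"],
    "vnet-shared": ["10.2.0.0/16", "192.168.10.0/24"],
}
ON_PREM_PREFIXES = ["172.16.0.0/12"]


def pool_conflicts(pool, hub_space=HUB_ADDRESS_SPACE, vnets=CONNECTED_VNETS,
                   on_prem=ON_PREM_PREFIXES):
    """Return a list of (owner, prefix) pairs that overlap the proposed client pool.

    An empty list means the pool is safe to use. strict=True makes ipaddress
    reject a pool written with host bits set (e.g. 10.0.0.5/24), which the
    portal would also refuse.
    """
    candidate = ipaddress.ip_network(pool, strict=True)
    existing = [("hub", hub_space)]
    existing += [(name, p) for name, prefixes in vnets.items() for p in prefixes]
    existing += [("on-prem", p) for p in on_prem]

    conflicts = []
    for owner, prefix in existing:
        net = ipaddress.ip_network(prefix, strict=True)
        # Only same-family prefixes can overlap; the version guard avoids
        # surprises when a VNet carries both IPv4 and IPv6 space.
        if net.version == candidate.version and candidate.overlaps(net):
            conflicts.append((owner, prefix))
    return conflicts


def choose_pool(candidates, **kwargs):
    """Return the first candidate pool with no conflicts, or None if all collide."""
    for pool in candidates:
        if not pool_conflicts(pool, **kwargs):
            return pool
    return None


if __name__ == "__main__":
    # The page's example pool collides with the constructed on-prem range,
    # the second candidate sits inside vnet-prod, the third is clean.
    proposals = ["172.16.201.0/24", "10.1.5.0/24", "10.200.0.0/24"]
    for pool in proposals:
        print(pool, pool_conflicts(pool) or "OK")
    print("chosen:", choose_pool(proposals))
```

Run the check before saving the configuration, and run it again whenever a new virtual network is connected to the hub or a new on-premises prefix is advertised, since the pool cannot be changed without disconnecting clients.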
Client Configuration
After the P2S VPN configuration is saved, you will need to download the P2S VPN client configuration package. This package contains the necessary certificates and configuration files for your users to connect.
- Download Client Package:
On the VPN (P2S) page of your hub, click the Download VPN client button.
- Distribute to Users:
Extract the downloaded zip file and distribute the appropriate client installer or configuration profile (e.g., Windows, macOS) to your users. Treat the package as sensitive, since the profile identifies your gateway. For certificate authentication, each user additionally needs a client certificate (with its private key) issued from the root CA you uploaded; that certificate is not part of the downloaded package.
- Install and Connect:
Users will need to install the VPN client and import the configuration. The process varies slightly depending on the operating system.
Managing P2S VPN
- View Connected Clients: Monitor active connections from the VPN (P2S) section of your hub.
- Revoke Certificates: If using PKI authentication, you can revoke an individual client certificate by adding its thumbprint to the revoked certificates list of the VPN server configuration; that client can then no longer connect even though its certificate still chains to a trusted root. Removing a root certificate from the configuration blocks every client issued under it.
- Update Configuration: After any change to the P2S VPN configuration, download the client package again and have users re-import it. A stale profile is a common cause of a connection that worked yesterday and fails today.
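Two of the certificate tasks in this guide, preparing the root certificate for upload and finding a client certificate's thumbprint for the revoked certificates list, are easy to get wrong by hand (pasting a private key, or copying a thumbprint with spaces). The script below is an added example, not Azure's or this guide's code, and uses only the Python standard library: it refuses anything that is not a single PEM certificate block, emits the one-line Base-64 data the root certificate field takes, and computes the SHA-1 thumbprint over the DER encoding, which is the value Windows displays as Thumbprint. The embedded sample is a constructed 5-byte DER SEQUENCE standing in for a real certificate so the functions run offline; in practice point them at your CA's .cer or .pem files.

```python
import base64
import hashlib
import re

# One PEM block: label in group 1, Base-64 body in group 2; \1 forces the
# END label to match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_error(pem_text):
    """Return why pem_text is not an uploadable public certificate, or None if it is.

    The root certificate field wants the Base-64 body of a single X.509
    certificate; private keys and non-certificate PEM blocks are rejected here
    before anything is pasted into the portal.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        return "no PEM block found (expected -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----)"
    label, body = match.group(1), match.group(2)
    if "PRIVATE KEY" in label:
        return "this file holds a private key; upload only the public certificate"
    if label != "CERTIFICATE":
        return f"unexpected PEM label {label!r}; expected CERTIFICATE"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return "PEM body is not valid Base-64"
    if not der or der[0] != 0x30:
        return "decoded body does not start with a DER SEQUENCE; not an X.509 certificate"
    return None


def certificate_der(pem_text):
    """Decode the certificate body to DER, raising ValueError with the reason if unusable."""
    problem = pem_error(pem_text)
    if problem is not None:
        raise ValueError(problem)
    body = PEM_BLOCK.search(pem_text).group(2)
    return base64.b64decode("".join(body.split()), validate=True)


def root_cert_upload_data(pem_text):
    """Single-line Base-64 certificate data, as pasted into the root certificate field."""
    return base64.b64encode(certificate_der(pem_text)).decode("ascii")


def certificate_thumbprint(pem_text):
    """SHA-1 over the DER encoding, uppercase hex with no separators.

    This matches the Thumbprint shown by Windows certificate tools once the
    spaces are removed, which is the form the revoked certificates list takes.
    """
    return hashlib.sha1(certificate_der(pem_text)).hexdigest().upper()


# Constructed stand-ins so the functions run offline: a 5-byte DER SEQUENCE
# and a key header. Neither is a real certificate or key.
FAKE_DER = bytes.fromhex("3003020105")
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print("upload data:", root_cert_upload_data(SAMPLE_CERT_PEM))
    print("thumbprint: ", certificate_thumbprint(SAMPLE_CERT_PEM))
    print("key file:   ", pem_error(SAMPLE_KEY_PEM))
```

A certificate exported from Windows as "Base-64 encoded X.509 (.CER)" already has this PEM shape, so for the upload the script mostly strips the header and footer lines and catches the case where someone exported the wrong file; the thumbprint function is what you want when revoking a certificate from a machine that is not Windows.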
Troubleshooting Common Issues
- Connection Failure: Verify the IP address pool configuration, that the client can reach the gateway on the port the tunnel type uses (TCP 443 for OpenVPN, UDP 500 and 4500 for IKEv2) through any local or corporate firewall, and the authentication credentials or certificates.
- No Network Access: Ensure routing is correctly configured in Virtual WAN (the P2S connection must be associated with, and propagating to, the hub route tables that carry the target virtual networks) and that the client IP address pool is permitted by network security groups or firewall rules on the destination subnets.
- Certificate Errors: Confirm that the correct root certificates are uploaded to Azure, that the client certificate chains to one of them and has not been revoked, and that the client has the certificate together with its private key installed in the user's certificate store.
For more advanced troubleshooting, refer to the Virtual WAN Troubleshooting Guide.