How to configure point-to-site (P2S) VPN in Azure Virtual WAN

Point-to-site (P2S) VPN enables you to create a secure connection from a client computer to an Azure virtual hub. This guide will walk you through the process of setting up a P2S VPN for Azure Virtual WAN.

Introduction

Point-to-site (P2S) VPN allows individual users to connect to your Azure virtual network from their local devices. This is useful for remote workers or for connecting to resources in a secure and controlled manner without establishing a full site-to-site VPN. Azure Virtual WAN simplifies the deployment and management of P2S VPNs.

Prerequisites

  • An Azure subscription.
  • An existing or newly created Azure Virtual WAN resource.
  • Network connectivity from your client machine to the internet.
  • The latest version of the Azure CLI or Azure PowerShell module installed, if you prefer to use CLI/PowerShell.

Steps

1. Create a Virtual WAN

If you don't already have a Virtual WAN, you need to create one.

  1. Navigate to the Azure portal.
  2. Search for "Virtual WAN" and select it.
  3. Click "+ Create" to create a new Virtual WAN.
  4. Fill in the required details: Resource group, Resource group location, Name, and Type (Standard is recommended for most scenarios).
  5. Click "Review + create" and then "Create".

You can create a Virtual WAN using Azure CLI:

az network vwan create --name MyVirtualWAN --resource-group MyResourceGroup --location eastus

2. Create a Virtual Hub

A Virtual Hub acts as the central transit node in your Virtual WAN. You'll deploy the P2S VPN gateway within the hub.

  1. In your Virtual WAN resource, navigate to "Hubs".
  2. Click "+ Create hub".
  3. Select the region for your hub.
  4. Enter a hub name.
  5. For "Hub private address space", specify a non-overlapping CIDR block (e.g., 10.0.1.0/24). This range is used for the hub's internal network.
  6. Select "Yes" for "Route All traffic". This will enable routing for all traffic through the hub.
  7. Leave other settings at their defaults or configure as needed.
  8. Click "Review + create" and then "Create".

Note: Hub creation can take some time (typically 30 minutes or more).

3. Configure P2S VPN gateway

Once the hub is deployed, you can create the P2S VPN gateway.

  1. Navigate back to your Virtual WAN resource and select the hub you just created.
  2. Under "Security + networking", click "VPN (site-to-site/VNet-to-site)".
  3. Click "+ Configure now" to create a new VPN gateway.
  4. For "Gateway type", select "VPN".
  5. For "Virtual WAN type", select "Point-to-site".
  6. Configure the following settings:
    • VPN client address pool: A private IP address range assigned to clients connecting to the VPN (e.g., 172.16.201.0/24). This range must not overlap with your VNet address ranges, the hub address space, or your on-premises network ranges.
    • Authentication type: Select "Azure certificate", "RADIUS", or "OpenVPN". For simplicity, "Azure certificate" is often used for basic setups.
    • Root certificate: If using Azure certificate authentication, you'll need to upload the public certificate (not the private key) of a root certificate. You can generate a self-signed root certificate for testing; client certificates are then issued from that root.
    • IPsec/IKE policy: Leave as default unless you have specific requirements.
    • Route redistribution: Typically set to "None".
  7. Click "Create".

VPN gateway deployment can take a significant amount of time (up to 45 minutes).
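The non-overlap requirement in step 3 is the one most often missed, and the page's troubleshooting section points back to it. The script below is an added example, not the guide's own code: it checks a candidate client pool against the hub prefix and any VNet or on-premises ranges, and only then prints the Azure CLI commands for steps 1 to 3. The `az network vhub`, `vpn-server-config` and `p2s-vpn-gateway` commands and their flags (virtual-wan extension), the resource names and the `./P2SRootCert.cer` path are assumptions not taken from the guide.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): verify the P2S client pool overlaps
# none of the hub prefix, VNet or on-premises ranges, then print the Azure
# CLI commands for steps 1-3. The vhub/vpn-server-config/p2s-vpn-gateway
# commands and flags are assumed (virtual-wan extension); check `--help`.
set -eu
# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Exit 0 if two CIDR blocks share any address: they overlap exactly when
# their network bits agree under the shorter of the two prefix lengths.
cidr_overlaps() {
  a=$(ip_to_int "${1%/*}"); alen=${1#*/}
  b=$(ip_to_int "${2%/*}"); blen=${2#*/}
  len=$(( alen < blen ? alen : blen ))
  mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Reject a client pool that collides with any range already in use.
check_client_pool() {
  pool=$1; shift
  for r in "$@"; do
    if cidr_overlaps "$pool" "$r"; then
      echo "client pool $pool overlaps $r" >&2; return 1
    fi
  done
  return 0
}
# Hub prefix and client pool are the guide's values; VNet and on-premises
# ranges are constructed for this example.
HUB_PREFIX=10.0.1.0/24
CLIENT_POOL=172.16.201.0/24
IN_USE="$HUB_PREFIX 10.1.0.0/16 192.168.0.0/16"
# Print (not run) the creation commands; review them, then pipe to sh after `az login`.
p2s_commands() {
  check_client_pool "$CLIENT_POOL" $IN_USE || return 1
  cat <<EOF
az network vwan create --name MyVirtualWAN --resource-group MyResourceGroup --location eastus
az network vhub create --name MyHub --resource-group MyResourceGroup --vwan MyVirtualWAN --location eastus --address-prefix $HUB_PREFIX
az network vpn-server-config create --name MyP2SConfig --resource-group MyResourceGroup --auth-types Certificate --vpn-client-root-certs ./P2SRootCert.cer
az network p2s-vpn-gateway create --name MyP2SGateway --resource-group MyResourceGroup --vhub MyHub --scale-unit 1 --vpn-server-config MyP2SConfig --address-space $CLIENT_POOL
EOF
}
```

Run `p2s_commands` to review the plan; if the pool collides with a range, the offending range is reported and nothing is printed.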

4. Download VPN client

After the P2S VPN gateway is deployed, you need to download the client configuration.

  1. Navigate to your Virtual Hub.
  2. Under "Security + networking", click "VPN (site-to-site/VNet-to-site)".
  3. On the VPN gateway page, click "Download VPN client".
  4. Select the correct operating system for your client device.
  5. Click "Download".

This will download a ZIP file containing the necessary configuration files and an installer for the Azure VPN client.

5. Connect to the VPN

  1. Extract the downloaded ZIP file.
  2. Run the installer (e.g., `VpnClientSetupA.exe` for Windows).
  3. Follow the on-screen prompts to install the VPN profile.
  4. Once installed, open the VPN client application on your machine.
  5. Select the VPN connection profile you just installed and click "Connect".
  6. If prompted, enter any necessary credentials (e.g., for RADIUS authentication).

Your client machine should now be connected to your Azure Virtual WAN. You can verify connectivity by accessing resources within your connected virtual networks.

Troubleshooting

  • Connection Failed: Ensure the VPN client address pool does not overlap with any existing networks. Verify your firewall rules allow VPN traffic (UDP ports 500 and 4500).
  • No Network Access: Check the routing configuration in your Virtual Hub and the connected VNets. Ensure the P2S gateway is correctly configured to route traffic.
  • Certificate Issues: If using Azure certificate authentication, ensure the root certificate public key is correctly uploaded and the client certificate is properly installed on the client machine.

Next steps

Explore other features of Azure Virtual WAN, such as connecting to on-premises sites using site-to-site VPNs, or integrating with Azure Firewall for advanced security.