How to Configure Azure Point to Site VPN


How to Configure an Azure Point to Site VPN | Step by Step Guide

In our previous article, we explained how to create a site-to-site VPN connection between the local network and an Azure virtual network. That connection is initiated at your edge firewall or router. But what if you want to connect from remote locations, such as home?

In this article, we will focus on how to connect remote clients to our Azure Virtual Network with a Point-to-Site VPN. To reach this goal, we will perform the following steps:

  • Create a Resource Group
  • Create a Virtual Network
  • Create a Gateway Subnet
  • Create a Virtual Network Gateway
  • Create Root and Client Certificates
  • Configure a Point-to-Site Connection
  • Test the VPN Connection

You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:

  • VNet Name: SL-VNET
  • Address space: 10.10.0.0/16
  • For this example, we use only one address space. You can have more than one address space for your VNet.
  • Subnet name: SL-VLAN
  • Subnet address range: 10.10.1.0/24
  • Resource Group: SL-RG
  • Location: East US
  • GatewaySubnet: 10.10.0.0/24
  • Virtual network gateway name: SL-P2SVPN
  • Gateway type: VPN
  • VPN type: Route-based
  • Public IP address name: SL-PublicIP
  • Connection type: Point-to-site
  • Client address pool: 20.20.20.0/24 – VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.

Before beginning, verify that you have an Azure subscription. If you don’t already have an Azure subscription, you can sign up for a free account.

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. The screenshots are provided as examples. Be sure to replace the values with your own.

Let’s get started

Create a virtual network

  1. Log in to the Azure portal
  2. Navigate to Virtual Networks and click Add to create a new virtual network. You can also click New and search for Virtual Network.


  3. Next, we’ll define the gateway subnet inside the virtual network we just created. In our case, the virtual network is called “SL-VNET”. Click back into SL-VNET, select Subnets | Gateway Subnet, define the gateway subnet (in our case 10.10.0.0/24), and click Create.


Create a virtual network gateway

  1. Next, we’ll create a virtual network gateway. Click on “All Services” and search for “Virtual network gateways”. (You can click the star to pin it to the left menu.)


  2. Create a new virtual network gateway. Give the gateway a name and define the VPN type. We’ll select gateway type VPN and VPN type Route-based. Choose a SKU type. Select the virtual network (in our case SL-VNET) and create a new public IP address. Click Create.

VPN Gateway throughput and connection limits are determined by the gateway SKU. We deploy VpnGw1 as the default SKU. More information on VPN SKUs can be found in the screenshot below.

[Screenshot: VPN gateway SKU comparison]

Note: Provisioning a virtual network gateway may take up to 45 minutes.


Generate certificates

Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection. Once you obtain a root certificate, you upload the public key information to Azure. The root certificate is then considered ‘trusted’ by Azure for connection over P2S to the virtual network. You also generate client certificates from the trusted root certificate and then install them on each client computer. The client certificate is used to authenticate the client when it initiates a connection to the VNet.

Generate a root certificate

Use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. Then, upload the public certificate data to Azure.

  1. Open PowerShell as an Administrator and run the following script:

# Create a self-signed root certificate in the current user's store.
# -KeyUsage CertSign lets it sign the client certificates created later.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=SLP2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

This creates the root certificate and installs it in the current user’s certificate store.

Generate Client Certificate from Root Certificate

  1. Open PowerShell as an Administrator and run the following command to list the certificates in the current user store, including the thumbprint of the root certificate you just created:

Get-ChildItem -Path "Cert:\CurrentUser\My"

  2. Next, load the root certificate by its thumbprint. The thumbprint must match the one shown for your root certificate (the value below is the one from this example):

$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\B1C79D177D465E76FF74243F7553EA4837FD137B"

  3. Finally, run this to generate your client certificate:

# Client certificate signed by the root ($cert), valid for one year, with the
# Client Authentication EKU (2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.2 = Client Authentication).
New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=SLP2SClientCert" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Now we have the certificates in place, but we still need to export the root certificate so it can be uploaded to Azure.

Export the root certificate public key (.cer)

  1. Press Windows Key + R to open the Run dialog and type “certmgr.msc”. When the management console opens, you should see your newly created certificates under “Current User\Personal\Certificates”. Right-click the root certificate (SLP2SRootCert) and go to All Tasks > Export.

  2. In the Wizard, click Next.

  3. Select No, do not export the private key, and then click Next.

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next.

  5. For File to Export, browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

  6. Click Finish to export the certificate.

  7. Your certificate is now exported.

  8. If you open the exported certificate using Notepad, you see a block of Base-64 text between a BEGIN CERTIFICATE line and an END CERTIFICATE line. The text between those two lines is the information that is uploaded to Azure. If you open your certificate with Notepad and it does not look like this, typically this means you did not export it using the Base-64 encoded X.509 (.CER) format. Additionally, if you want to use a different text editor, understand that some editors can introduce unintended formatting in the background. This can create problems when uploading the text from this certificate to Azure.

Configure Point-to-Site Connection

The next step is to configure the point-to-site connection itself. Here we also define the client address pool, from which VPN clients receive their IP addresses.

  1. Click on the newly created VPN gateway.
  2. In the new window, click on Point-to-site configuration.
  3. Click on Configure Now.
  4. In the new window, type the IP address range for the VPN client address pool. In this demo, I will be using 20.20.20.0/24. For tunnel type, use both SSTP and IKEv2: Linux and mobile clients use IKEv2 by default, and Windows tries IKEv2 first and then falls back to SSTP. For authentication type, use Azure Certificates.
  5. In the same window, there is a place to define a root certificate. Under root certificate name, type the certificate name, and under public certificate data, paste the root certificate data (you can open the exported .cer file in Notepad to get it).
  6. Then click on Save to complete the process.

Note: when you paste the certificate data, do not copy the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
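As an added example (not code from the original article), the following PowerShell script performs the root and client certificate steps from the sections above in one pass, checks that the client certificate actually chains to the root, and writes the root's public certificate data in exactly the Base-64-only form the portal's Public certificate data field expects, so the BEGIN/END lines never need to be trimmed by hand. The output folder and file names are assumptions.

```powershell
# Added example, not part of the original article. Generates the P2S root and
# client certificates and emits the root's public key as Base-64 text only.
$rootSubject   = "CN=SLP2SRootCert"
$clientSubject = "CN=SLP2SClientCert"
$outDir        = Join-Path $env:USERPROFILE "P2S"   # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root that is allowed to sign other certificates (CertSign key usage).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject $rootSubject -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate issued by the root, one-year lifetime, Client Authentication EKU
#    (2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.2 = Client Authentication).
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject $clientSubject -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Checks before anything is uploaded: the client must be issued by our root,
#    and the root must really carry the Certificate Signing key usage.
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate was not issued by $rootSubject"
}
$keyUsage = ($root.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Key Usage" }).KeyUsages
if (-not ($keyUsage -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)) {
    throw "Root certificate lacks the CertSign key usage"
}

# 4. Export only the public portion of the root (DER .cer); the private key stays in the store.
$derPath = Join-Path $outDir "SLP2SRootCert.cer"
Export-Certificate -Cert $root -FilePath $derPath -Type CERT | Out-Null

# 5. The Base-64 body Azure wants: the same text that sits between the BEGIN/END
#    lines of a Base-64 X.509 export from certmgr.msc, without those lines.
$publicCertData = [Convert]::ToBase64String($root.RawData)
$dataPath = Join-Path $outDir "SLP2SRootCert-public-data.txt"
Set-Content -Path $dataPath -Value $publicCertData -NoNewline

Write-Host "Root thumbprint  : $($root.Thumbprint)"
Write-Host "Client thumbprint: $($client.Thumbprint)"
Write-Host "Paste the contents of $dataPath into the portal's 'Public certificate data' field."
```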

Testing VPN connection

  1. Log in to the Azure portal from the client machine and go to the VPN gateway configuration page.
  2. On that page, click on Point-to-site configuration.
  3. After that, click on Download VPN client.
  4. Then double-click the VPN client setup. In my case, I am using the 64-bit VPN client.
  5. After that, we can see a new connection on the Windows 10 VPN page.
  6. Click Connect on the new VPN entry. A new window opens; click Connect there.
  7. Then run ipconfig to verify that an IP address from the VPN client address pool (20.20.20.0/24 in this example) was allocated.
