I’ve recently been asked by several clients about how they would go about setting up a P2S (Point-to-Site) VPN for their remote workers to VPN into Azure so I thought I’d write a short blog post demonstrating the process.
Before I begin, the following are the Microsoft documentation for configuring a Point-to-Site VPN that should be reviewed as it provides an explanation of how it works and the respective configuration parameters available during the deployment.
Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
About Point-to-Site VPN
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Create and install VPN client configuration files for native Azure certificate authentication P2S configurations
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert
Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Step #1 - Configure Azure Point-to-Site VPN
Assuming that a Site-to-Site VPN between Azure and an on-premise datacenter or office is already configured, begin by logging into Azure and selecting the Virtual network gateways option to list the gateways configured:
Image may be NSFW.Clik here to view.
Select the existing Site-to-Site VPN gateway that is already configured and then click on Point-to-site configuration:
Image may be NSFW.Clik here to view.
The following options for the P2S VPN is displayed:
Image may be NSFW.Clik here to view.
The Address pool is where you define the IP subnet that the VPN client will be in. Specify a subnet that does not overlap any existing address space specified in a Virtual Network.
The Tunnel type is where you select the type of VPN you want to provide to the users. I won’t go into the details of the differences between all of them and will simply reference the following Microsoft TechNet article: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#tunneltype
Image may be NSFW.Clik here to view.
For the purpose of demonstrating how to use Microsoft Enterprise CA certificates for authentication and using a Windows 10 operating system to connect natively with the OS built client, we’ll be configuring the following:
Tunnel type: IKEv2 and SSTP (SSL)
Authentication type: Azure certificate
Root Certificates:
We’ll need to obtain the Microsoft Enterprise CA root certificate’s Public certificate data by performing the following:
Either log onto the certificate authority, launch the Local Computer Certificate Store (certlm.msc), navigate to the Personal> Certificates folder to locate the Root CA Certificate Authority’s certificate (this is used to sign certificates this CA issues):
Image may be NSFW.Clik here to view.
Or from any domain joined computer, launch the Local Computer Certificate Store (certlm.msc), navigate to the Trusted Root Certification Authorities> Certificates folder to locate the Root CA Certificate Authority’s certificate:
Image may be NSFW.Clik here to view.
Open the properties of the certificate, click on the Details tab, click on Copy to File to copy the certificate without the private key to a file in Base-64encoded X.509 format:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
Clik here to view.
Open the file in Notepad, copy the content between:
-----BEGIN CERTIFICATE-----
… and:
-----END CERTIFICATE-----
Image may be NSFW.Clik here to view.
… then paste it into the Public certificate data field:
Image may be NSFW.Clik here to view.
Save the configuration and proceed to download the VPN client by clicking on Download VPN client:
Image may be NSFW.Clik here to view.
A zip file containing the following folders will be downloaded:
Image may be NSFW.Clik here to view.
We’ll come back to installing the client once we have issued the client certificate.
Step #2 – Generate Client Certifcates for Authentication
The Microsoft document doesn’t provide much information for using an Enterprise CA other than the following:
Generate client certificates
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#generateclientcert
You can generate client certificates by using the following methods:
· Enterprise certificate:
o If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. Use this format instead of the domain name\username format.
o Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.
The information isn’t very clear on what certificate template to use other than that the common name value format must be the UPN rather than domain name\username. The good news is that the default User certificate template that a Microsoft Enterprise CA has can be used. While logged in as the user, launch the Certificates Console under the Current User context with:
Certmgr.msc
Proceed to request a new certificate under the Personal > Certificates store:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
Select Active Directory Enrollment Policy:
Image may be NSFW.Clik here to view.
Select the User template:
Image may be NSFW.Clik here to view.
As the User template does not require information to be supplied because it requests the template with the logged in user’s identity, a certificate will be issued:
Image may be NSFW.Clik here to view.
Step #3 – Install and Configure Windows VPN Client
With the appropriate certificate requested, we can now install and configure the VPN client by navigating into the appropriate folder based on the operating system. For this example, the OS is Windows 10 so the VPNClientSetupAmd64.exe executable in the folder WindowsAmd64 will be ran:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
***Note that the installation doesn’t really present anything on the screen as it just flashes for a bit (I hope this will change in the future).
With the VPN installation completed, proceed to launch the VPN settings:
Image may be NSFW.Clik here to view.
Note that there will be a new VPN connection configured (in this case it is vnet-prod-eastus):
Image may be NSFW.Clik here to view.
The following are the advanced settings of the VPN connection. Note that the Type of sign-in info is specified as Certificate:
Image may be NSFW.Clik here to view.
The following are the settings that can be edited:
Image may be NSFW.Clik here to view.
Proceeding to connect to Azure will display the following message:
Image may be NSFW.Clik here to view.
Note that one of the most complained about topic for the Azure Point-to-Site VPN is that it requires the user connecting to Azure be an administrator because routes need to be injected into the routing table by using the CMROUTE.DLL file to copy them into a routes.txt file and this operation requires elevated permissions:
Image may be NSFW.Clik here to view.
The problem with this approach is that it is executed under the context of the current user, and a standard user does not have the permissions to make changes to routes. There are plenty of workarounds available on the internet for this so I will not include them here.
More information can be found here:
What are the client configuration requirements?
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#what-are-the-client-configuration-requirements
Clik here to view.
The connection will proceed once the routes have been copied:
Image may be NSFW.Clik here to view.
Notice that the VPN connect is now labeled as Connected:
Image may be NSFW.Clik here to view.
An IP address will also be assigned under the PPP adapter:
Image may be NSFW.Clik here to view.
Reviewing the Allocated IP Addresses will display the IP address assigned to the VPN client:
Image may be NSFW.Clik here to view.
Note that if the following message is displayed in the Connection Status when attempting to connect then it is because a valid certificate for authentication is not available:
A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)
Image may be NSFW.Clik here to view.
Also, there are cases when administrators would like to generate the certificate for the user under their own login and if this is desired, simply duplicate the User certificate template and modify the properties of it from:
Image may be NSFW.Clik here to view.
Clik here to view.