Configure Azure Point-to-Site VPN

Hi there

In this article we’re gonna explore how to create an Azure Point-to-Site VPN for Remote Access

Connect to your Azure virtual networks from anywhere

Point-to-Site VPN allows you to connect to your virtual machines on Azure virtual networks from anywhere.

1. Connect to your Azure Subscription https://portal.azure.com

Prerequisites

1. Under your Resource Group
2. Create your VNET (Virtual Network)
3. Create at least 02 subnets on your VNET
   1. Address Space (IP: 10.120.0.0/16)
      1. 1. Frontend subnet (IP: 10.120.1.0/24)
         2. Gateway subnet (IP: 10.120.255.0/24)
            
            
            
            
            
            
            

Virtual Network Gateway Setup

1. Create a Virtual Network Gateway resource object
   1. 1. 1. Name: Virtual network gateway
         2. SKU: basic
         3. Public IP address: define a static one (create a new one)
         4. Resource Group: pick your default resource group where your VMs are being hosted.
            
            
            
            
            
            
            
2. After your Virtual Network Gateway is created go to this resource and check the following information (should be empty)
   1. 1. select Point-to-site configuration
      2. configure
         1. Address pool:
         2. Tunnel type:
         3. Authentication type:
         4. Root certificates:
            1. Name
            2. Public certificate data
         5. Revoked certificates
            1. Name
            2. Thumbprint
      3. Allocated IP addresses
         
         
3. Setup the Virtual Network Gateway SSl Root Cert and Child Cert using self-signed certificate
   1. Create a self-signed root certificate
      Open PowerShell as an Administrator and run the following script

      #Root Certificate
      $date_now = Get-Date
      $extended_date = $date_now.AddYears(10)
      $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
      -Subject “CN=2020P2SRootCert” -KeyExportPolicy Exportable `
      -HashAlgorithm sha256 -KeyLength 2048 `
      -CertStoreLocation “Cert:\CurrentUser\My” -KeyUsageProperty Sign -KeyUsage CertSign -Notafter $extended_date

      

      
      This will create root cert and install it under current user cert store valid for 10 years.

   2. Generate a client certificate
      Open PowerShell as an Administrator and run the following command:

      #Client Certificate
      New-SelfSignedCertificate -Type Custom -DnsName 2020P2SChildCert -KeySpec Signature `
      -Subject “CN=2020P2SChildCert” -KeyExportPolicy Exportable `
      -HashAlgorithm sha256 -KeyLength 2048 `
      -CertStoreLocation “Cert:\CurrentUser\My” `
      -Signer $cert -TextExtension @(“2.5.29.37={text}1.3.6.1.5.5.7.3.2”) -Notafter $extended_date

      

      Get-ChildItem -Path "Cert:\CurrentUser\My\" | select issuer,subject,thumbprint | where-object { $_.subject -like "*2020*"}

   3. Export the root certificate public key (.cer)

      #Export SSL Cert to PFX
      $mypwd = ConvertTo-SecureString -String "P@ssw0rd" -Force -AsPlainText
      Get-ChildItem -Path Cert:\CurrentUser\My\93B0F586E79C3003C02B70FCCA32F361207A19AE | Export-PfxCertificate -FilePath 2020SslChildCert.pfx -Password $mypwd #client
      Get-ChildItem -Path Cert:\CurrentUser\My\180D81C8631257C13880327AE028DAB90CB6861C | Export-PfxCertificate -FilePath 2020SslRootCert.pfx -Password $mypwd #root

      
      

   4. Export the client certificate
      Tip: change the ROOT and Client certificate Expire dates to 5, 10 or 15 years otherwise you’ll have to regenerate them again in 1 year (default option)
4. Setup the Virtual Network Gateway
   1. select Point-to-site configuration
      • Click on the newly created VPN gateway connection.
      • Then in a new window click on Point-to-site configuration
      • Click on Configure Now
      • In new window type IP address range for VPN address pool. In this demo, I will be using 10.120.100.0/24. For tunnel, type use both SSTP & IKEv2. Linux and other mobile clients by default use IKEv2 to connect. Windows also use IKEv2 first and then try SSTP. For authentication type use Azure Certificates.
      • In the same window, there is a place to define a root certificate. Under root certificate name type the cert name and under public certificate data, paste the root certificate data ( you can open cert in notepad to get data).
      • Then click on Save to complete the process.

      Note: when you paste certificate data, do not copy —–BEGIN CERTIFICATE—– & —–END CERTIFICATE—– text

      

5. Testing VPN connection (quick
   1. Log in to Azure portal from the machine and go to VPN gateway config page.
   2. On that page, click on Point-to-site configuration.
   3. After that, click on Download VPN client.

References
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert