Configure "Point to Site VPN" connection Step by Step: Azure portal - Azure VPN Gateway
payelsingha
Posted on July 16, 2023
This Article Includes
The most popular way for businesses to link their on-premises networks to Azure VNets is a site-to-site VPN. That VPN connection is initiated at the router or edge firewall. But what if you are connecting from a remote location, such as your home? For that case we can use the point-to-site approach, in which the endpoint and the Azure virtual network authenticate each other using certificates.
This article provides a step-by-step guide for creating a Virtual Network (VNet) and VPN Gateway in Azure. The article also covers the process of generating and installing certificates, configuring VPN clients, and verifying the VPN connection.
- Prerequisites.
- Create a VNet.
- Create the VPN Gateway.
- Point-to-site Configuration of VPN Gateway.
- Generate Certificates.
- Generate a self-signed Root Certificate.
- Generate self-signed Client Certificates.
- Export Root and Client Certificate.
- Configuration of VPN Clients and Authentication.
- Verification of connection to the VPN.
- Conclusion
Prerequisites
- Ensure that you have a valid Azure Subscription. If you don’t have an Azure Subscription, sign up for a free account.
Create a VNet
A VNet allows you to create an isolated virtual network environment in Azure. Here we will create a new virtual network.
- Sign into your Azure Account.
- In the Azure portal home page, search for ‘virtual networks' in the search bar, then select ‘virtual networks' from the ‘Marketplace’ results. This opens the ‘Virtual network’ page.
- On the ‘Virtual network' page select Create; this takes you to the ‘Create virtual network’ page.
- On the ‘Create virtual network' page, select your subscription in the Project details section and choose an existing Resource group or create a new one. In Instance details, name the virtual network and select the region where your resources are to be deployed.
- On the ‘Create virtual network' page, keep all other fields (IP Addresses, Security, and Tags) at their defaults, then click Review + Create to validate the virtual network settings. After validation, create the virtual network.
Create the VPN Gateway
A VPN gateway is a type of virtual network gateway that sends encrypted traffic between a virtual network and an on-premises network across a public connection.
Now we are all set to create the VPN Gateway.
“Note: The process of creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.”
- In the Azure portal, search for ‘virtual network gateway' and select it from the ‘Marketplace' results. This opens the ‘Create virtual network gateway' page.
- On the ‘Create virtual network gateway’ page, navigate to the ‘Basics’ tab and fill in the following values.
- Subscription: Select the subscription you want to use.
- Resource Group: It will be auto-filled when you select Virtual Network on this page.
- Name: Name the gateway object you are creating.
- Region: The region for the gateway must be the same as the region of the virtual network.
- Gateway type: VPN.
- VPN type: Select the VPN type based on your requirements; most configurations require the route-based type.
- SKU: Select the gateway SKU based on your requirements; in this case we will select VpnGw2. For more information click here.
- Generation: Select the generation based on the features you want to use; in this example, we will use Generation2. For more information click here.
- Virtual network: Select the virtual network you want to add to this gateway.
- Gateway subnet address range: This field only appears if your VNet does not already have a gateway subnet. It is best to keep this at /27 or larger (/26, /25, etc.).
- Public IP address: Create a new public IP address and name it.
- Enable active-active mode: Keep it disabled for this example. Only select "enable" if you want to create an active-active gateway configuration.
- Configure BGP: Leave this as disabled.
Point-to-site Configuration of VPN Gateway
If you want to connect to a remote site from your home, you will need to configure a point-to-site VPN Gateway.
After deploying the VPN Gateway, we need to add the Point-to-Site configuration; this is the part that VPN clients use.
- Address pool: The client address pool consists of a specified range of private IP addresses. When clients connect via a point-to-site VPN, they are dynamically assigned an IP address from this range. Choosing a private IP address range that does not overlap with the on-premises location you are connecting from or the VNet you wish to connect to is important. In case multiple protocols are configured, including SSTP, the address pool is divided equally among the protocols. In this example, we will use the 172.16.201.0/24 address pool.
- Tunnel type: Select IKEv2 and OpenVPN (SSL) as the tunnel type.
- Authentication type: In this example, we will use Azure certificate as the authentication type.
Generate Certificates
In Azure, certificates are used for client authentication when establishing a point-to-site VPN connection to a VNet. You can use root and client certificates generated by an enterprise solution (recommended) or self-signed certificates.
Here we will generate a self-signed root certificate with PowerShell and, based on that root certificate, generate two self-signed client certificates. The root certificate is attached to the VPN gateway, and the client certificates, signed by that root, are what authenticate each VPN client when it connects.
Generate a self-signed Root Certificate
The following generates a compatible self-signed root certificate on Windows 10 or later.
- PowerShell instructions: Open Windows PowerShell, run the following example with any necessary modifications, and leave the PowerShell console open.
```powershell
# Root certificate: kept in $cert so it can sign the client certificates below
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
```
In this example, a self-signed root certificate called ‘P2SRootCert’ is generated and automatically installed in ‘Certificates - Current User\Personal\Certificates’. You can view the certificate by opening certmgr.msc or Manage User Certificates.
Generate self-signed Client Certificates
Note: Ensure that the same PowerShell console session is still open, because the client certificate is signed with the $cert variable from the previous step.
In that Windows PowerShell session, run the following example with any necessary modifications.
```powershell
# Client certificate signed by the root ($cert); the EKU restricts it to client authentication
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
```
The generated client certificate is automatically installed in ‘Certificates - Current User\Personal\Certificates’. You can view the certificate by opening certmgr.msc or Manage User Certificates.
Export self-signed Root and Client Certificates
Export the root certificate with the public key (.cer)
- Open "Manage User Certificates" by pressing the Windows key + R, typing certmgr.msc, and hitting Enter.
- To locate the self-signed root certificate, navigate to "Certificates - Current User\Personal\Certificates" and right-click on it. Then, select the "Export" option from the "All Tasks" menu, which will open the Certificate Export Wizard.
- In that wizard, click Next.
- Select "No, do not export the private key" and then click Next.
- On the Export File Format page, select "Base-64 encoded X.509 (.CER)" and then click Next.
- Choose a location, provide a name for the file, and complete the process. A confirmation message states, "The export was successful."
- Go to the location of the exported file. Open the certificate file using a text editor like Notepad and copy only the Base64 text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, as a single continuous line.
Export the Client certificate
- Open "Manage User Certificates" by pressing the Windows key + R, typing certmgr.msc, and hitting Enter.
- To locate the client certificate, navigate to "Certificates - Current User\Personal\Certificates" and right-click on it. Then, select the "Export" option from the "All Tasks" menu, which will open the Certificate Export Wizard.
- In that wizard, click Next.
- Select "Yes, export the private key" and then click Next.
- On the Export File Format page, leave the default option, "Personal Information Exchange" (.PFX), and keep the options to include all certificates in the certification path and to enable certificate privacy selected.
- On the Security page, set a password to protect the private key, then choose a file name and finish the wizard.
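As an added example (not part of the original article), the certificate generation and export steps from the two sections above can be done entirely in PowerShell, including producing the single Base64 line that the gateway's root certificate field expects. The output folder, the two client certificate names and the password prompt are assumptions; the certificate parameters are the ones used above.

```powershell
# Added example (not from the original article): generate the root certificate,
# two client certificates signed by it, and export everything without the
# certmgr.msc wizard. Output folder, names and password prompt are assumptions.
$outDir = "$env:USERPROFILE\P2SCerts"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Root certificate: same parameters as the article, stored in the current user's store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# The gateway's "Public certificate data" field wants the public certificate as one
# Base64 line, i.e. the body of a .cer file without the BEGIN/END CERTIFICATE lines.
[Convert]::ToBase64String($root.RawData) | Set-Content "$outDir\P2SRootCert.txt"
# DER-encoded public certificate (no private key), kept for reference.
Export-Certificate -Cert $root -FilePath "$outDir\P2SRootCert.cer" | Out-Null

# Two client certificates (one per device), chained to the root via -Signer and
# limited to Client Authentication (EKU 1.3.6.1.5.5.7.3.2).
$pfxPassword = Read-Host -AsSecureString -Prompt "Password to protect the .pfx private keys"
foreach ($name in "P2SChildCert-Laptop", "P2SChildCert-Desktop") {
    $client = New-SelfSignedCertificate -Type Custom -DnsName $name -KeySpec Signature `
        -Subject "CN=$name" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
    # The .pfx carries the private key; it is the file imported on each client machine.
    # BuildChain includes the root so the client can verify the chain locally.
    Export-PfxCertificate -Cert $client -FilePath "$outDir\$name.pfx" `
        -Password $pfxPassword -ChainOption BuildChain | Out-Null
    Write-Host "Exported $name (issuer: $($client.Issuer)) to $outDir\$name.pfx"
}
```

Upload the contents of P2SRootCert.txt as the root certificate in the gateway's Point-to-site configuration, and distribute each .pfx only to the device it is meant for.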
Configuration of VPN Clients and Authentication
Add the Root certificate to the virtual network gateway
- Go to the location of the exported root certificate (.cer) file. Open it using a text editor like Notepad and copy only the Base64 text between the BEGIN and END CERTIFICATE lines, as a single continuous line.
- In the Azure portal, navigate to the virtual network gateway you created. Select "Point-to-site configuration"; on the right side, add the root certificate (a name plus the copied Base64 data) and save the changes.
The configuration of VPN clients and the way they connect to Azure differs by operating system (Windows, macOS, and Linux). We will cover the setup process for each one separately.
Windows
- In the Azure portal, go to the virtual network gateway that you created using the previous instructions.
- On the virtual network gateway page, select "Point-to-site configuration" and download the VPN client from the right side. It will be downloaded to your local machine as a zip file.
- Copy the exported client certificate (.pfx) to the client machine. Right-click it and select "Install PFX" (import certificate) from the context menu.
- In the Certificate Import Wizard, select "Current User" and click "Next".
- Confirm the file to import.
- On the Private key protection page, enter the password you set while exporting the client certificate. Click "Next" and then "Finish".
- Extract the downloaded VPN client zip file, navigate to the WindowsAmd64 folder, and install VpnClientSetupAmd64.exe on the client machine.
- Check the VPN settings on the client machine, and you should see the VPN added with the name of the virtual network gateway.
- Connect to the VPN; the client certificate is used for authentication. Then use the private IP addresses to access the VM instances.
Note 1: The VM instances should be connected to the same VNet as the virtual network gateway.
Note 2: Use only the private IP of the VM instances. A public IP can be reached without the VPN, so for additional security dissociate the public IP. Refer to this article for public IP dissociation.
Verification of connection to the VPN
To verify your connection to the VPN, open the command prompt and run ipconfig /all.
Take note that the IP address you receive should be one of the addresses from the point-to-site VPN client address range. Here is an example:
```text
PPP adapter VNet1:
Connection-specific DNS Suffix .:
Description.....................: VNet1
Physical Address................:
DHCP Enabled....................: No
Autoconfiguration Enabled.......: Yes
IPv4 Address....................: 172.16.201.3(Preferred)
Subnet Mask.....................: 255.255.255.255
Default Gateway.................:
NetBIOS over Tcpip..............: Enabled
```
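The same check can be scripted so that it fails clearly when the tunnel is down or the assigned address is outside the pool. This is an added example, not part of the original article; it assumes the VPN connection and its PPP interface are both named after the VNet (VNet1 in the output above) and that the client pool is the 172.16.201.0/24 range chosen earlier.

```powershell
# Added example (not from the original article). Assumes the VPN connection and
# its PPP interface carry the VNet name and that the client pool is 172.16.201.0/24.
function Test-InSubnet {
    param([string]$Address, [string]$Cidr)   # e.g. 172.16.201.3 and 172.16.201.0/24
    $network, $prefix = $Cidr.Split('/')
    $toInt = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                 # dotted-quad is big-endian; BitConverter is host order
        [long][BitConverter]::ToUInt32($b, 0)
    }
    $ip  = & $toInt $Address
    $net = & $toInt $network
    # Shift the host bits out; any remaining difference is in the network part.
    return ((($ip -bxor $net) -shr (32 - [int]$prefix)) -eq 0)
}

function Test-P2SConnection {
    param(
        [string]$ConnectionName = "VNet1",           # name shown in VPN settings and ipconfig
        [string]$ClientPool     = "172.16.201.0/24"  # address pool set on the gateway
    )
    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $conn -or $conn.ConnectionStatus -ne 'Connected') {
        Write-Warning "VPN '$ConnectionName' is not connected (status: $($conn.ConnectionStatus))."
        return $false
    }
    # The tunnel shows up as a PPP adapter whose interface alias is the connection name.
    $addr = Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $addr) {
        Write-Warning "No IPv4 address found on interface '$ConnectionName'."
        return $false
    }
    $inPool = Test-InSubnet -Address $addr.IPAddress -Cidr $ClientPool
    if ($inPool) {
        Write-Host "Connected; client address $($addr.IPAddress) is inside $ClientPool."
    } else {
        Write-Warning "Client address $($addr.IPAddress) is outside the expected pool $ClientPool."
    }
    return $inPool
}

Test-P2SConnection
```

An address outside the pool usually means the client connected to a different profile or the gateway's address pool was changed after the client package was downloaded.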
Conclusion
This article outlines a detailed procedure for setting up a Virtual Network (VNet) and VPN Gateway in Azure. It covers the essential prerequisites, such as generating and installing certificates, configuring VPN clients, and verifying the VPN connection. The step-by-step process includes creating a VNet, establishing the VPN Gateway, configuring point-to-site settings, generating root and client certificates, exporting the certificates, configuring VPN clients, connecting to Azure, and verifying the VPN connection.
This article focuses on providing setup instructions specifically for Windows 10 and later versions, while future articles will cover setup procedures for Linux and macOS.
About the Author
I am working in the domain of Network engineering, with experience and expertise in Network engineering, Azure, Windows Administration, and Linux Administration; I have been actively involved in this field for one year at Capgemini.
I am passionate about sharing my knowledge and insights through informative articles and tutorials. I aim to provide valuable guidance and practical solutions to readers seeking to enhance their understanding of Azure, Network engineering, Windows Administration, and Linux Administration. If you want to connect with me or provide your feedback, you can find me on LinkedIn, Twitter, or through the mail.
Stay tuned for more articles as I continue to explore and share my expertise in Azure, Network engineering, Windows Administration, and Linux Administration across various platforms and operating systems.