Setting up a Point-to-Site (P2S) VPN on Azure


Setting up a point-to-site VPN is easier than one might think in Azure.
There are a lot of point-to-site use cases, especially reaching Azure resources (e.g. virtual machines) without exposing them on public IP addresses: the client gets a private address in the VNet and talks to the VMs over the tunnel, so RDP/SSH never has to be open to the internet.

Prerequisites: Virtual Network and VGW Created

The following should be created in advance:

  • Virtual Network (VNet)
  • Virtual Network Gateway (VGW) of type VPN
  • Virtual Machine without a public IP address

I’m assuming there is a virtual network (VNet) with a VPN gateway (VGW) already created. If you don’t have a VNet or VGW set up, you can also deploy the following template

Point-to-Site Setup

In the gateway’s Point-to-site configuration blade, choose the Configure now option.

For the address pool I usually pick a range that does not overlap the VNet’s address space (or any on-premises ranges the clients use); this is the pool the VPN clients get their addresses from, and overlaps break routing.

Almost Done…Setting up the Certificates

We’re almost done, but we still have to set up authentication, which here uses certificates: a self-signed root whose public half is uploaded to the gateway, and a client certificate signed by that root which stays on the client machine.

Open PowerShell (powershell.exe)

Optionally, install the PSPKI community module. Note that New-SelfSignedCertificate used below ships with the PKI module built into Windows 10, so this step is not required for the commands that follow.

Install-Module pspki -Scope CurrentUser

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRoot" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate, signed by the root. The text extension sets Extended Key Usage (2.5.29.37)
# to Client Authentication (1.3.6.1.5.5.7.3.2), which the VPN gateway requires on client certs.
$mychildcert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Export the public data of the ROOT certificate ($cert), not the client certificate: the gateway
# uses the root to validate any client certificate signed by it. RawData is the DER-encoded
# certificate only, so no private key leaves this machine. The client certificate stays in
# Cert:\CurrentUser\My together with its private key and is what the VPN client presents.
[System.Convert]::ToBase64String($cert.RawData)

The output will render something similar to the following:

FYI: You can download the script below and run it with powershell -c .\CreateCert.ps1
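The following is an added, end-to-end version of the certificate steps above (it is not the author’s CreateCert.ps1). It creates the root and one client certificate, writes the root’s public data for the gateway, exports the client certificate as a password-protected PFX so it can be installed on another machine, and prints the client thumbprint for the gateway’s Revoked certificates list. The output folder, the client name and the one-cert-per-user convention are assumptions.

```powershell
# Added example, not the page's script. Paths and names below are assumptions.
$ErrorActionPreference = 'Stop'
$OutDir = Join-Path $env:USERPROFILE 'p2s-certs'     # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Self-signed root. Whoever holds this private key can mint VPN client certs,
#    so keep it on an admin workstation; the gateway only ever receives the public half.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRoot' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# 2. One client certificate per person or device (assumed naming), signed by the root.
#    2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.2 = Client Authentication.
$clientName = 'P2SClient-alice'
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Root public data for the gateway: base64 of the DER bytes, no private key.
$rootB64 = [System.Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $OutDir 'P2SRoot.b64.txt') -Value $rootB64
Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'P2SRoot.cer') | Out-Null

# 4. Client certificate plus private key as PFX, for installing on the user's machine.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $OutDir "$clientName.pfx") `
    -Password $pfxPassword | Out-Null

# 5. Sanity check: the client must chain to the root the gateway trusts.
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate issuer '$($client.Issuer)' does not match root '$($root.Subject)'"
}

Write-Host "Root public data (paste into Point-to-site > Root certificates > Public certificate data):"
Write-Host $rootB64
Write-Host "Client thumbprint (add under Revoked certificates to cut off just this client): $($client.Thumbprint)"
```

Issuing one client certificate per user matters for revocation: the gateway’s Revoked certificates list works on client thumbprints, so a shared client certificate can only be revoked for everyone at once, while a per-user certificate can be cut off without touching the root or the other users.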

In the VGW hosted in Azure, paste the output into the Public certificate data field under Root certificates in the Point-to-site configuration and give it a name.

Click Save

Lastly, download the point-to-site configuration, which will be imported into the VPN client in the next step, by clicking Download VPN Client.

Note: This doesn’t install a client; it downloads the VPN configuration to be imported during setup in the VPN client (Microsoft, please change the wording 🤷‍♀️)

Installation of Azure VPN Client

The Azure VPN Client is still in preview at the time of this post. If you’re using Windows 10, it should be pretty straightforward. If you have issues, it may be worth pursuing the OpenVPN client instead (which isn’t covered in this post).

Import the VPN Configuration

Open the VPN client, in this case the recently installed “Azure VPN Client”. At the bottom there is a plus icon -> choose Import.

Navigate to the location of the downloaded VPN configuration and select AzureVPN\azurevpnconfig.xml

Click Save to save the configuration

After saving, the VNet of your point-to-site gateway is listed as a connection option in the VPN client.

Click connect

Connection Properties should now show a green icon 🟢 and the VPN IP address assigned from the client address pool.

Testing Connectivity

With the tunnel up I should now be able to open Remote Desktop to any of the VMs on the VNet using its private IP address, even though none of them has a public IP.
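As an added check (not part of the original post), the snippet below verifies from the client side that traffic to a VM really takes the VPN path and that the RDP port is reachable before launching mstsc. The VM’s private IP is an assumption; replace it with one of yours.

```powershell
# Added example: confirm the P2S tunnel is carrying traffic to the VM. IP is assumed.
$VmPrivateIp = '10.0.0.4'   # assumed private IP of a VM on the VNet

# 1. Which local address and adapter does the route to the VM use? The source address
#    should come from the P2S client pool, on the VPN adapter, not your LAN adapter.
$route = Find-NetRoute -RemoteIPAddress $VmPrivateIp
$localAddr = $route[0]                      # first object is the chosen local IP
$adapter   = Get-NetAdapter -InterfaceIndex $localAddr.InterfaceIndex
Write-Host ("Route to {0}: source {1} via adapter '{2}'" -f $VmPrivateIp, $localAddr.IPAddress, $adapter.Name)

# 2. TCP reachability of RDP over the tunnel. Use a TCP probe rather than ping,
#    since ICMP is commonly filtered by the guest firewall or NSGs.
$rdp = Test-NetConnection -ComputerName $VmPrivateIp -Port 3389 -WarningAction SilentlyContinue
if (-not $rdp.TcpTestSucceeded) {
    throw "TCP 3389 to $VmPrivateIp failed; check that the VPN is connected and the NSG allows RDP from the client pool"
}

# 3. Connect.
Start-Process mstsc.exe -ArgumentList "/v:$VmPrivateIp"
```

If step 1 reports your LAN or Wi-Fi adapter as the source, the client never received a route for the VNet address space and the RDP probe will fail regardless of the NSG; reconnect the VPN and re-import the configuration before debugging anything on the Azure side.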