A Point-to-Site (P2S) VPN gateway creates a secure connection to an Azure Virtual Network from a remote location. Point-to-Site VPN connections are useful when only a few clients need to connect to the Azure VNet from a remote location, for example when telecommuting from home or from a conference.
Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S uses one of the following protocols:
- OpenVPN, an SSL/TLS based VPN protocol – Can be used to connect from Android, iOS (versions 11.0 and above), Linux and Mac devices (OSX versions 10.13 and above).
- Secure Socket Tunneling Protocol (SSTP) – Can penetrate firewalls. SSTP is only supported on Windows devices.
- IKEv2 VPN – Can be used to connect from Mac devices (OSX versions 10.11 and above).
Gateway SKU Support for P2S VPN
Aggregate Throughput Benchmark is based on the total of multiple tunnels aggregated from a single gateway.
Apart from the Basic SKU, all other available SKUs, such as VpnGw1, VpnGw2, and VpnGw3, are supported for VPN gateways, which use Resource Manager only.
Steps to create Point-to-Site VPN
1. Create a Virtual Network
2. Create Subnet(s) for Virtual Machines
3. Create Virtual Machine(s) within the subnet in step 2 above
4. Create a GatewaySubnet within the Virtual Network
5. Create a Virtual Network Gateway after Step 3 above is complete
6. Create the Root VPN Certificate
   - Download and install the Windows 10 SDK (if you do not have the makecert utility).
   - Go to the directory C:\Program Files (x86)\Windows Kits\10\bin\x86 (this path might differ slightly).
   - Run the command: makecert -sky exchange -r -n "CN=<NameofVpnRootCert>" -pe -a sha1 -len 2048 -ss My "<NameofVpnRootCert>"
   - Open Certificate Manager (certmgr.msc), locate the certificate created above inside "Personal/Certificates" and export the certificate as Base64 without the password.
   - Open the Base64 certificate from the step above in Notepad++ or Notepad, and put everything on a single line by deleting the carriage returns. This is done because the VPN Gateway created in Step 5 above needs the certificate on a single line.
7. Create the Client Certificate
   - Run the command: makecert.exe -n "CN=<NameofVpnClientCert>" -pe -sky exchange -m 96 -ss My -in "<NameofVpnRootCert>" -is my -a sha1
   - Open Certificate Manager (certmgr.msc), locate the client certificate created above inside "Personal/Certificates" and export the certificate as PFX with the password. This certificate is to be distributed to all the clients that will be connecting to Azure VNets.
8. Configure the Root Certificate on the Gateway created in Step 5 above
9. Download the VPN software once Azure has validated the certificate and enabled the download button
The VPN software downloaded after Step 8 above can be distributed along with the client certificate (PFX) to all clients who wish to connect to Azure VMs. Install the client certificate and VPN Software.
You can now connect to the VPN from the network connections. After the VPN is connected, you can connect to the virtual machine(s) created in Step 3 above using their private IP addresses.
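The "Create the Root VPN Certificate" and "Create the Client Certificate" steps can also be done with the built-in New-SelfSignedCertificate cmdlet instead of makecert, using SHA-256 in place of the `-a sha1` shown above. This is an added example, not part of the original procedure. The subject names, output file names and validity periods are assumptions.

```powershell
# Added example. Subject names, file names and lifetimes are assumptions.
$store = 'Cert:\CurrentUser\My'

# Self-signed root: SHA-256, 2048-bit key, usable only to sign certificates.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=ExampleVpnRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation $store `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(5)

# Client certificate signed by the root and limited to client authentication
# (enhanced key usage OID 1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=ExampleVpnClientCert' -DnsName 'ExampleVpnClientCert' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(1)

# Public part of the root as one Base64 line (no BEGIN/END lines, no line
# breaks), which replaces the manual Notepad edit before the gateway upload.
$rootBase64 = [Convert]::ToBase64String($root.RawData)
if ($rootBase64 -match '\s') { throw 'Root certificate data contains whitespace' }
Set-Content -Path .\ExampleVpnRootCert.b64.txt -Value $rootBase64 -NoNewline

# Client certificate with its private key and chain as a password-protected PFX.
# The root's private key is not included and stays in the local store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath .\ExampleVpnClientCert.pfx `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Confirm what was issued, including the signature algorithm.
$root, $client | Select-Object Subject, Thumbprint, NotAfter,
    @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

Issuing a separate client certificate per user or device, rather than sharing one PFX, lets a single lost device be handled without reissuing certificates to every client.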