Azure’s Point-to-Site (P2S) VPN gateway connection creates a secure connection to an Azure virtual network’s (VNet) resources from an individual client computer. A VPN gateway is created on its own subnet in an Azure VNet, and then configured to allow P2S connections. No physical VPN device is required, and minimal changes, if any, need to be made to the on-prem network. A P2S VPN connection is established by starting it from the client computer.

A P2S solution is useful for connecting to Azure VNets from a remote location or when there are only a few clients that need to access an Azure VNet’s resources. We use a P2S connection as a proof-of-concept (POC) for a .Net Web App hosted within an Azure VM webserver to be able to connect to an on-prem Sql Database.

The following cmdlets and process flow come from an excellent article in the Azure documentation, Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell, which gives detailed explanations for each of the steps below. We’ve put it all together in a single, easy-to-follow list of PowerShell cmdlets to run sequentially in an elevated Windows PowerShell ISE session, so that a P2S gateway can be set up quickly after changing the variables for each use case.

Download Zip of POSH cmdlets

There is also an ARM Quickstart Template Point-to-Site Gateway that will quickly provision a P2S Gateway on Azure for you covering Steps 2 – 7 below!

Azure Deployment Model: ARM
Client Authentication: P2S native Azure certification
Gateway SKU: VpnGw1
Client OS: Windows 10 Pro

PowerShell Steps for Creating P2S Connection:

  1. Log in to Azure and set variables
  2. Configure a VNet
  3. Create the VPN Gateway
  4. Add the VPN client address pool
  5. Generate certificates
  6. Upload the root certificate public key info to Azure
  7. Install an exported client certificate
  8. Configure the VPN on client computer
  9. Connect to Azure
  10. Verify P2S VPN Connection

Preparation
  • An active Azure Subscription
  • The most current version of Resource Manager PowerShell cmdlets installed. Installation info here.
1. Log in to Azure and set variables

Login:

Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionName "<subscriptionname>"

Declare Variables:

$VNetName = "VNet2"
$FESubName = "FrontEnd"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$GWSubPrefix = "192.168.200.0/27"
$VPNClientAddressPool = "172.16.201.0/24"
$RG = "VNet2-RG"
$Location = "Canada Central"
$GWName = "VNet2GW"
$GWIPName = "VNet2GW-PIP"
$GWIPconfName = "gwipconf"   # name for the gateway IP configuration used in Step 2E (any name works; this one is an assumed value)

2. Configure a VNet:

#A. Create a Resource Group
New-AzureRmResourceGroup -Name $RG -Location $Location

#B. Create subnet configurations – prefixes must be part of the declared VNet address space
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

#C. Create the virtual network (backticks continue the command onto the next line)
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location `
   -AddressPrefix $VNetPrefix1 -Subnet $fesub, $gwsub

#D. Read back the virtual network just created and its gateway subnet
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet

#E. Request a dynamically assigned public IP address and build the gateway IP configuration
$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

3. Create the Azure VPN Gateway

This can take up to 45 minutes according to the documentation. For us, it has never taken more than 15 minutes.

New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
  -Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
  -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IkeV2"

4. Add the VPN client address pool

This is done after the VPN Gateway has been created - and before you try to upload an exported root certificate for authentication.

$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

5. Generate certificates

We're using self-signed certificates in this case.

#A. Create the self-signed root certificate (must be done from a W10 or WS2016 machine)
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert2" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

#B1. Generate a client certificate (in the same POSH session as #5.A above, since it uses $cert)
#    The TextExtension sets Extended Key Usage to Client Authentication (1.3.6.1.5.5.7.3.2)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert3 -KeySpec Signature `
   -Subject "CN=P2SChildCert3" -KeyExportPolicy Exportable `
   -HashAlgorithm sha256 -KeyLength 2048 `
   -CertStoreLocation "Cert:\CurrentUser\My" `
   -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

#B2. For creating additional client certificates (or in a new POSH session)
  #B2.1. Identify the self-signed root cert installed on the computer
Get-ChildItem -Path "Cert:\CurrentUser\My"

  #B2.2. Locate the subject name in the returned list, then copy the thumbprint shown next to it to a text file.

  #B2.3. Declare a variable for the root certificate using the thumbprint from #B2.2. Replace THUMBPRINT with the
  #      thumbprint of the root certificate from which you want to generate a child certificate.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"

  #B2.4. Modify and run the script below to generate a client certificate. (Change 'Subject' to modify the CN value – eg. to P2SChildCert3)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
   -Subject "CN=P2SChildCert3" -KeyExportPolicy Exportable `
   -HashAlgorithm sha256 -KeyLength 2048 `
   -CertStoreLocation "Cert:\CurrentUser\My" `
   -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

  #B2.5. Export the root certificate (public .cer) and the client certificate (.pfx). Read the following: Export Certificates for P2S Connections

6. Upload Root Cert Info to Azure

#A. Declare the variable for your certificate name, replacing the value with your own:
$P2SRootCertName = "P2SRootCert2.cer"

#B. Replace the file path variable with your own path to the exported root certificate (.cer, public part only), then run the cmdlets:
$filePathForCert = "D:\Downloads\rootcert2.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64_3 = [System.Convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64_3

#C. Upload the public key information to Azure:
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName `
   -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG `
   -PublicCertData $CertBase64_3

#D. Verify that the root certificate uploaded:
Get-AzureRmVpnClientRootCertificate -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName
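Once the root certificate is uploaded, it is worth checking what the gateway will actually trust before handing out client certificates. The script below is an added example, not part of the original post or of the Azure documentation it follows: it reads the gateway's client configuration back, confirms the uploaded root's public data matches the local .cer byte for byte, lists the leaf certificates in the local store that chain to that root (with expiry), and includes a helper for revoking a single client certificate by thumbprint, which is how a lost or decommissioned client is cut off without re-issuing the root. It assumes the $RG, $GWName and $filePathForCert variables from the steps above and a logged-in AzureRM session; the function names and parameter names are our own.

```powershell
# Added example: audit the P2S gateway's certificate configuration after Step 6.
# Assumes $RG, $GWName and $filePathForCert from the steps above and a logged-in AzureRM session.
function Test-P2SGatewayCertConfig {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $RootCertPath   # exported .cer (public part only)
    )

    $gw  = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $cfg = $gw.VpnClientConfiguration
    if (-not $cfg) { throw "Gateway '$GatewayName' has no point-to-site configuration yet (Step 4 not done?)" }

    # What the gateway will hand to clients: address pool, tunnel protocols, trusted roots, revoked leaves
    [pscustomobject]@{
        AddressPool  = ($cfg.VpnClientAddressPool.AddressPrefixes -join ', ')
        Protocols    = ($cfg.VpnClientProtocols -join ', ')
        RootCerts    = (($cfg.VpnClientRootCertificates | ForEach-Object { $_.Name }) -join ', ')
        RevokedCerts = (($cfg.VpnClientRevokedCertificates | ForEach-Object { $_.Thumbprint }) -join ', ')
    } | Format-List

    # Compare the local root's DER bytes (Base64) with what was uploaded in Step 6
    $local    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
    $localB64 = [System.Convert]::ToBase64String($local.RawData)
    $match    = $cfg.VpnClientRootCertificates | Where-Object { $_.PublicCertData -eq $localB64 }
    if ($match) {
        Write-Host "Uploaded root '$($match.Name)' matches $RootCertPath (thumbprint $($local.Thumbprint))"
    } else {
        Write-Warning "No uploaded root matches $RootCertPath - clients signed by it will be rejected"
    }

    # Leaf certificates in the local store issued by this root, with expiry and whether the
    # private key is present, so you know which clients can authenticate today.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -eq $local.Subject -and $_.Thumbprint -ne $local.Thumbprint } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Revoke one client certificate on the gateway (e.g. a decommissioned laptop) without touching
# the root. The gateway rejects that thumbprint from then on; other clients are unaffected.
function Revoke-P2SClientCert {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Name = "revoked-$Thumbprint"
    )
    Add-AzureRmVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
        -Thumbprint $Thumbprint
}

# Usage, with the variables declared in Steps 1 and 6:
Test-P2SGatewayCertConfig -ResourceGroupName $RG -GatewayName $GWName -RootCertPath $filePathForCert
```

The Base64 comparison is deliberately exact: the gateway validates client certificates against the uploaded root's public key, so a root that was re-generated locally (same subject, new key) would pass a name-only check and still reject every client.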

7. Install an exported client certificate

If using a client computer other than the one used to generate the client certificates, it is necessary to install an exported client certificate on that second client computer. The password created when the client certificate was exported is required to install the .pfx file.

A. Copy the .pfx file to the client computer. Double-click the .pfx file to install

B. On the Welcome page, leave Store Location as Current User > Next:

C. On the File to Import page, accept defaults > Next:

D. On the Private key protection page, enter the password for the certificate > Next:

E. On the Certificate Store page, leave default selection > Next:

F. Select Finish:

G. On the Security Warning page, select YES, since the source of the generated certificate is known and trusted. The certificate is successfully imported/installed.


8. Configure the VPN on the client machine

#A. Generate the client configuration package using POSH (EapTls = certificate authentication).
#   Note: $profile shadows PowerShell's built-in $PROFILE variable for this session; harmless here.
$profile = New-AzureRmVpnClientConfiguration -ResourceGroupName $RG -Name $GWName -AuthenticationMethod "EapTls"
$profile.VPNProfileSASUrl

#B. Copy the URL into your browser to download the zip file, then unzip it to view the folders

#C. Install on Windows: read the following: Create and Install VPN Client Configuration Files

9. Connect to Azure VNet via VPN

A. On client computer, navigate to Settings > Network & Internet > VPN > Connect:


The VPN adapter is showing as connected via SSTP in the Network Adapters of the client:

In the Azure Portal, the Point-to-site configuration blade shows 1 connection and shows the Allocated IP address of that connection:

10. Verify Connection from Client to VNet

A. Ping the internal IP address of an Azure VM in the P2S VNet:

B. Using RDP, connect to the internal IP address of an Azure VM in the P2S VNet:

C. If you’re not using a DNS server in addition to Azure’s default DNS service, adding the name and IP address to the client computer’s hosts file (C:\Windows\System32\drivers\etc\hosts) will allow remote connections by IP address or host name, by mapping IP addresses to host names.


Adding the client’s assigned IP address (from the VPN client address pool) and name to the hosts file of an Azure VM will allow connection via IP or client name – good for verifying the connection from the Azure VM to the client. However, each time the client computer is restarted, a new VPN connection must be made manually, and the P2S Gateway allocates a NEW IP address from the address pool – so the Azure VM’s hosts file would have to be updated! The P2S Gateway is always ‘on’, but VPN sessions won’t persist if the client computer leaves the VPN network.
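The manual checks in Step 10 (ping, RDP, hosts file) can be scripted on the client so that a reconnect is verified the same way every time. The function below is an added example, not from the original post: it confirms the VPN connection is actually up, finds which address the gateway allocated and checks it falls inside the declared client pool, tests TCP reachability of a VM through the tunnel (a TCP port test is a more reliable signal than ping, which the VM’s NSG or firewall may block), and prints the hosts-file line the Azure VM would need, since that address changes on every reconnect as noted above. It assumes the VPN connection installed by the downloaded client package is named after the VNet ("VNet2", as in $VNetName), the pool 172.16.201.0/24 declared in Step 1, and a placeholder VM address of 192.168.1.4 in the FrontEnd subnet; function and parameter names are our own.

```powershell
# Added example: verify the P2S session from the client side (Windows 10, built-in VpnClient
# and NetTCPIP modules). Connection name, pool and VM address are assumed values.
function Test-P2SClientSession {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,   # name shown under Settings > VPN
        [Parameter(Mandatory)] [string] $ClientPool,       # e.g. 172.16.201.0/24 from Step 1
        [Parameter(Mandatory)] [string] $VmIp,             # private IP of a VM in the VNet
        [int[]] $Ports = @(3389)                           # RDP by default
    )

    # 1. Is the connection actually up?
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $vpn) { throw "No VPN connection named '$ConnectionName' exists on this client" }
    "$ConnectionName : $($vpn.ConnectionStatus) ($($vpn.TunnelType))"
    if ($vpn.ConnectionStatus -ne 'Connected') { return }

    # 2. Which address did the gateway allocate, and is it inside the declared client pool?
    $pool, $bits = $ClientPool -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    function ConvertTo-UInt32([string] $ip) {
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [array]::Reverse($b)                      # network order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0)
    }
    $allocated = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { ((ConvertTo-UInt32 $_.IPAddress) -band $mask) -eq ((ConvertTo-UInt32 $pool) -band $mask) } |
        Select-Object -First 1 -ExpandProperty IPAddress
    if ($allocated) { "Allocated client address: $allocated (inside $ClientPool)" }
    else { Write-Warning "No local address falls inside $ClientPool - the tunnel may not have been assigned an address" }

    # 3. Reachability of the VM through the tunnel, per TCP port
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $VmIp -Port $p -WarningAction SilentlyContinue
        "{0}:{1} TcpTestSucceeded={2}" -f $VmIp, $p, $t.TcpTestSucceeded
    }

    # 4. The hosts-file line the Azure VM would need to reach this client by name; it has to be
    #    refreshed after every reconnect because the gateway hands out a new pool address.
    if ($allocated) { "hosts entry for the Azure VM: $allocated  $env:COMPUTERNAME" }
}

# Usage (assumed connection name, the Step 1 pool, and a placeholder VM address):
Test-P2SClientSession -ConnectionName "VNet2" -ClientPool "172.16.201.0/24" -VmIp "192.168.1.4" -Ports 3389, 445
```

Running this right after each connect gives a consistent record of tunnel type, allocated address and reachability, which is also the first thing to compare when a client that worked yesterday cannot reach the VNet today.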

Resources:

  1. ARM Quick Template: Create a Point-to-Site Gateway
  2. About Point-to-Site VPN
  3. Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: Azure portal
  4. Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell
  5. Generate and export certificates for Point-to-Site connections using PowerShell on Windows 10 or Windows Server 2016
  6. Create and install VPN client configuration files for native Azure certificate authentication Point-to-Site configurations
  7. PowerShell script to create and export self-signed certificate