A Point-to-Site (P2S) VPN gateway creates a secure connection to an Azure Virtual Network from a remote location. Point-to-Site VPN connections are useful when only a few clients need to connect to the Azure VNet from a remote location, such as telecommuting from home or a conference.


Protocol P2S Uses

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model.

Authentication Methods

  1. Certificate
    • Self-signed or issued by an enterprise certificate authority.
  2. RADIUS
    • Integration with Windows Active Directory.
  3. Azure AD authentication
    • Supports MFA.

SKU

VPN Gateway Generation | SKU      | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP           | Zone-redundant
Generation1            | Basic    | Max. 10                  | Max. 128             | Not Supported                 | 100 Mbps                       | Not Supported | No
Generation1            | VpnGw1   | Max. 30                  | Max. 128             | Max. 250                      | 650 Mbps                       | Supported     | No
Generation1            | VpnGw2   | Max. 30                  | Max. 128             | Max. 500                      | 1 Gbps                         | Supported     | No
Generation1            | VpnGw3   | Max. 30                  | Max. 128             | Max. 1000                     | 1.25 Gbps                      | Supported     | No
Generation1            | VpnGw1AZ | Max. 30                  | Max. 128             | Max. 250                      | 650 Mbps                       | Supported     | Yes
Generation1            | VpnGw2AZ | Max. 30                  | Max. 128             | Max. 500                      | 1 Gbps                         | Supported     | Yes
Generation1            | VpnGw3AZ | Max. 30                  | Max. 128             | Max. 1000                     | 1.25 Gbps                      | Supported     | Yes
Generation2            | VpnGw2   | Max. 30                  | Max. 128             | Max. 500                      | 1.25 Gbps                      | Supported     | No
Generation2            | VpnGw3   | Max. 30                  | Max. 128             | Max. 1000                     | 2.5 Gbps                       | Supported     | No
Generation2            | VpnGw4   | Max. 100*                | Max. 128             | Max. 5000                     | 5 Gbps                         | Supported     | No
Generation2            | VpnGw5   | Max. 100*                | Max. 128             | Max. 10000                    | 10 Gbps                        | Supported     | No
Generation2            | VpnGw2AZ | Max. 30                  | Max. 128             | Max. 500                      | 1.25 Gbps                      | Supported     | Yes
Generation2            | VpnGw3AZ | Max. 30                  | Max. 128             | Max. 1000                     | 2.5 Gbps                       | Supported     | Yes
Generation2            | VpnGw4AZ | Max. 100*                | Max. 128             | Max. 5000                     | 5 Gbps                         | Supported     | Yes
Generation2            | VpnGw5AZ | Max. 100*                | Max. 128             | Max. 10000                    | 10 Gbps                        | Supported     | Yes

Steps to Create P2S VPN

  1. Create a Virtual Network
  2. Create Subnet(s) for Virtual Machines
  3. Create Virtual Machine(s) within the subnet in step 2 above
  4. Create a GatewaySubnet within the Virtual Network
  5. Create a Virtual Network Gateway after Step 3 above is complete
  6. Create the Root VPN Certificate
    • Download and install the Windows 10 SDK (if you do not already have the makecert utility).
    • Go to Directory – C:\Program Files (x86)\Windows Kits\10\bin\x86 (this path might differ slightly)
    • Run Command – makecert -sky exchange -r -n "CN=<NameofVpnRootCert>" -pe -a sha1 -len 2048 -ss My "<NameofVpnRootCert>"
    • Open Certificate Manager (certmgr.msc), locate the certificate created above under "Personal/Certificates" and export it as Base64 without the private key (no password prompt).
    • Open the Base64 certificate from the step above in Notepad++ or Notepad and put everything on a single line by deleting the carriage returns. This is required because the VPN Gateway created in Step 5 above expects the certificate data as a single line.
  7. Create the Client Certificate
    • Run Command – makecert.exe -n "CN=<NameofVpnClientCert>" -pe -sky exchange -m 96 -ss My -in "<NameofVpnRootCert>" -is my -a sha1
    • Open Certificate Manager (certmgr.msc), locate the client certificate created above under "Personal/Certificates" and export it as a PFX with a password. This certificate is distributed to every client that will connect to the Azure VNet.
  8. Configure the Root Certificate on the Gateway created in Step 5 above
  9. Download the VPN client software once Azure has validated the uploaded root certificate and the download button becomes available

The VPN software downloaded after Step 8 above can be distributed, along with the client certificate (PFX), to all clients who wish to connect to Azure VMs.

Generate Root Cert and Client Cert

# Create the root cert: self-signed, signing-only key, kept in the current user's Personal store.
# The root's private key stays on this machine; only its public part is uploaded to the gateway.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=WestP2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign -KeyUsage CertSign

# Create the client cert, signed by the root above.
# The TextExtension sets Extended Key Usage (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2),
# which the VPN client needs to authenticate to the gateway.
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=WestP2SClientCert1" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
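The export steps described in Steps 6 and 7 above (root certificate as single-line Base64 for the gateway, client certificate as a password-protected PFX), carried out in PowerShell after the script above has run. This is an added example, not code from the original post or from Microsoft; it assumes the subjects used in the script, CN=WestP2SRootCert and CN=WestP2SClientCert1, and the Cert:\CurrentUser\My store.

```powershell
# Added example (not from the original post). Assumes the root and client certs were created
# by the New-SelfSignedCertificate script above, with the subjects and store used there.
$store  = 'Cert:\CurrentUser\My'
$root   = Get-ChildItem $store | Where-Object { $_.Subject -eq 'CN=WestP2SRootCert' }    | Select-Object -First 1
$client = Get-ChildItem $store | Where-Object { $_.Subject -eq 'CN=WestP2SClientCert1' } | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in CurrentUser\My' }

# Sanity checks before exporting: the client cert must be issued by this root and must carry
# the Client Authentication EKU (2.5.29.37 -> 1.3.6.1.5.5.7.3.2) set by the script above.
if ($client.Issuer -ne $root.Subject) {
    throw "Client cert issuer '$($client.Issuer)' does not match root subject '$($root.Subject)'"
}
$eku = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.2')) {
    throw 'Client cert lacks the Client Authentication EKU'
}

# Root certificate: public part only (DER), Base64-encoded with no PEM header and no line breaks.
# This single line is what Step 6 produces by hand and what the gateway's P2S configuration expects.
$der     = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootB64 = [Convert]::ToBase64String($der)
Set-Content -Path "$env:USERPROFILE\Desktop\WestP2SRootCert.txt" -Value $rootB64 -NoNewline

# Client certificate: includes the private key, so protect the PFX with a password (Step 7)
# before distributing it with the VPN client package.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath "$env:USERPROFILE\Desktop\WestP2SClientCert1.pfx" `
    -Password $pfxPassword | Out-Null
```

The contents of WestP2SRootCert.txt can be pasted directly into the root certificate field in Step 8 without any manual editing of line breaks.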

Install Client Certificate and VPN Client

Double-click the client certificate (PFX) to import it.

Double-click the VPN client package to install it.

Both follow the standard Windows certificate-import and installer process.

Connect to Azure VPN Gateway


By netsec
