Azure Point to Site VPN Connection – VNet using native Azure certificate authentication
This post explains what a Point-to-Site (P2S) VPN connection is and how to configure one in Microsoft Azure so that Windows client devices can connect to an Azure vNet.
When do you use a Point-to-Site VPN?
Point-to-Site VPN connections are the preferred choice when you want to connect securely to your workloads running in Azure from individual client devices. The P2S setup demonstrated in this post is most often adopted when only a few clients need to connect.
Why a VPN, and why not direct access over the internet?
A VPN, or Virtual Private Network, lets you create a secure connection over the internet to an Azure vNet and the resources in it, such as databases and virtual machines. Exposing those resources directly to the internet is insecure; a VPN instead gives the end-user computer a secure channel into your Azure virtual network, so resources can be reached from a remote location, a conference or a coffee shop.
What protocol does P2S use?
A VPN is not a single protocol or product. It is a combination of protocols and encryption technologies that work together to provide a secure channel to your resources. Your end users can connect to Azure resources using one of the following protocols.
OpenVPN uses SSL/TLS for key exchange and can pass through most firewalls, since most firewalls allow TCP port 443 outbound. OpenVPN offers pre-shared key, certificate-based, and username/password authentication.
Secure Socket Tunneling Protocol (SSTP) is a proprietary SSL-based VPN protocol. SSTP runs SSL/TLS over TCP port 443, which lets it pass through firewalls and proxy servers, except authenticated web proxies. SSTP is only supported on Windows devices; Azure supports all versions of Windows that have SSTP.
IKEv2 VPN is a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices.
How are P2S VPN clients authenticated?
Validation of the client certificate is performed by the VPN gateway during establishment of the P2S VPN connection. In this demo, we generate a self-signed root certificate on the end-user system and then upload the root certificate's public data to Azure, which is required for the validation. The Azure VPN server root certificate is provided to you once you complete the configuration, and it must be imported on the end-user device. Enterprise organizations are advised to use a Certificate Authority or Azure AD authentication, because the self-signed certificate method is hard to manage for a large number of users.
Let us talk about the design requirements
A route-based VPN gateway.
Key pair for authentication: the public key of a root certificate uploaded to Azure, and a client certificate installed on each client computer.
VPN configuration: a VPN client installed and configured to connect your device to the Azure vNet.
My setup for this demo
Windows 10 client device
Azure subscription
Windows Server Azure VM
Session 1: Create a vNet, subnet and virtual network gateway (VPN)
Step 1: Log in to https://portal.azure.com and search for Virtual networks.
Step 2: Click the Add button to create a virtual network.
Step 3: Enter the following details, and make sure the CIDR block does not conflict with the CIDR blocks of your on-prem subnets.
Step 4: Once the vNet (vNET-DemoP2S) is created, click on vNET-DemoP2S to open it.
Step 5: Click on Gateway subnet and add a gateway subnet to the vNet.
Step 6: Next we need to create a virtual network gateway. Search for and select Virtual network gateways.
Step 7: Enter all the details, selecting gateway type VPN and VPN type route-based.
Session 1 is now complete. In the next session we will create a self-signed certificate on the client device.
Session 2: Generate a self-signed certificate and upload it to Azure
Authenticity of the connection can be established with different methods. In this demo we use a self-signed certificate for VPN authentication. Click here to download the PowerShell script and run it on your client device. In this demo we generate the self-signed certificates on a Windows 10 device.
Step 1: On the client device (Windows 10), run the PowerShell script (edit the script to change the certificate names) to generate two certificates, a root certificate and a client certificate. Open the Certificates console and expand Personal to see the generated certificates.
Step 2: Now we need to export the root certificate and upload it to Azure. Right-click on the root certificate and complete the export wizard to save the certificate on the device (export it in the Base-64 encoded X.509 (.CER) format, without the private key, so the file is readable text).
Step 3: Once you have exported the certificate, open it with Notepad and copy the text without the BEGIN and END lines.
In the next session we will configure the Point-to-Site configuration. The root certificate text copied above will be entered on the Azure Point-to-Site configuration page.
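The steps above can be done entirely from PowerShell. The following block is an added example, not the script linked in the post: it creates the root certificate and a client certificate signed by it with New-SelfSignedCertificate, exports the root's public part, and prints the Base64 body that Step 3 asks you to copy. The certificate names (P2SRootCert, P2SClientCert) and the export folder C:\P2S are assumptions.

```powershell
# Added example (not the post's script): generate a self-signed root certificate
# and a client certificate signed by it, then produce the root's public data in
# the form the Azure Point-to-Site page expects. Names and the export folder are
# assumptions.
$exportDir = 'C:\P2S'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Root certificate. Only its public part leaves this device; the private key is
#    what allows issuing client certificates, so it stays in the user's store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate chained to the root, with the Client Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.2) that the VPN gateway checks for.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SClientCert' -KeySpec Signature `
    -Subject 'CN=P2SClientCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export the root certificate's public part as a DER .cer file (what Step 2
#    does through the certificate console, minus the private key).
Export-Certificate -Cert $root -FilePath "$exportDir\P2SRootCert.cer" -Type CERT | Out-Null

# 4. The value pasted into the portal's "Root certificate" field is the Base64
#    body of the exported certificate without the BEGIN/END lines (Step 3).
#    RawData is the DER encoding, so Base64-encoding it yields exactly that body.
$publicCertData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$exportDir\P2SRootCert.base64.txt" -Value $publicCertData

# 5. If the client certificate must go to another device, export it as a
#    password-protected PFX; never export the root's private key this way.
Export-PfxCertificate -Cert $client -FilePath "$exportDir\P2SClientCert.pfx" `
    -Password (Read-Host -AsSecureString -Prompt 'PFX password') | Out-Null

Write-Host "Root thumbprint   : $($root.Thumbprint)"
Write-Host "Client thumbprint : $($client.Thumbprint)"
Write-Host "Public cert data  : $publicCertData"
```

Keep the client thumbprint printed at the end: it is the value you need later if that client certificate has to be revoked on the gateway (for example, a lost laptop), and revoking by thumbprint is far easier than rotating the root.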
Session 3: Configure the Point-to-Site configuration
In this session we configure the Point-to-Site configuration.
Step 1: Log back in to the Azure portal. Go to the virtual network gateway and click on Point-to-site configuration to start the P2S VPN configuration.
Step 2: Enter the address CIDR block for VPN clients (make sure it does not conflict with the vNet or on-prem ranges), select Azure certificate for the authentication type, and then paste the root certificate text into the Root certificate field. Click Save and wait for the validation to complete.
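Sessions 1 and 3 can also be scripted with the Az PowerShell module (Az.Network), which is useful when the gateway has to be rebuilt or reviewed. The block below is an added example, not part of the post: it provisions the vNet, the GatewaySubnet and a route-based VPN gateway, then applies the client address pool, tunnel protocols and trusted root certificate. The resource group, region, gateway name, workload subnet and the certificate-data file path are assumptions; 10.1.0.0/16 and 192.168.11.0/24 are the ranges used in this demo.

```powershell
# Added example (not the post's own steps): Session 1 and Session 3 with Az PowerShell.
# Requires the Az module and an authenticated session (Install-Module Az; Connect-AzAccount).
# Resource names, region and the certificate data file are assumptions.
$rg       = 'rg-DemoP2S'
$location = 'eastus'
$vnetName = 'vNET-DemoP2S'
$gwName   = 'vng-DemoP2S'
$rootName = 'P2SRootCert'
# Base64 body of the root certificate without BEGIN/END lines (Session 2, Step 3).
$rootData = (Get-Content -Path 'C:\P2S\P2SRootCert.base64.txt' -Raw).Trim()

New-AzResourceGroup -Name $rg -Location $location -ErrorAction SilentlyContinue | Out-Null

# Session 1, Steps 2-5: vNet with a workload subnet and the mandatory 'GatewaySubnet'.
# The vNet range must not overlap on-prem ranges or the VPN client address pool.
$workload = New-AzVirtualNetworkSubnetConfig -Name 'Workload'      -AddressPrefix '10.1.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $workload, $gwSubnet

# Session 1, Steps 6-7: public IP plus a route-based VPN gateway (creation takes a long time).
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Session 3, Step 2: client address pool, tunnel protocols and the trusted root certificate.
# Only the root's public data is sent; the gateway uses it to validate client certificates.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '192.168.11.0/24' -VpnClientProtocol 'SSTP', 'IkeV2' | Out-Null
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $rootName `
    -VirtualNetworkGatewayname $gwName -ResourceGroupName $rg -PublicCertData $rootData | Out-Null

# Equivalent of the "Download VPN client" button in Session 4: generate the client package.
$clientPkg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod 'EapTls'
$clientPkg.VpnProfileSASUrl
```

When a client certificate should no longer be accepted, revoke it on the gateway with Add-AzVpnClientRevokedCertificate and the client certificate's thumbprint; the root stays trusted and other clients keep working. Removing the root with Remove-AzVpnClientRootCertificate, by contrast, cuts off every client issued from it.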
Session 4: Download and install the VPN client
In this session we download and install the VPN client on the client device.
Step 1: Click Download VPN client and extract the folder on the client device.
Step 2: The downloaded VPN client folder contains the VPN server root certificate. Install this root certificate on the client device.
Step 3: Then install the VPN client and connect (a new connection appears under VPN settings on the client device).
Session 5: Test the connection
Once you are connected, open CMD on the client device and run the ROUTE PRINT command to verify the route that was created. In this demo, any traffic to 10.1.0.0/16 is routed via interface 192.168.11.2 (the VPN interface). All other traffic goes through the default gateway.
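The same check can be scripted so it fails loudly when the tunnel or the route is missing. The block below is an added example, not from the post: it reads the connection state, confirms that the vNet prefix is routed through the VPN adapter rather than the default gateway, and tests reachability of a VM over the tunnel. 10.1.0.0/16 and 192.168.11.x are the demo values; the connection name and the VM's private address are assumptions.

```powershell
# Added example (not from the post): verify the P2S tunnel from the Windows client.
# The connection name and VM address are assumptions; the prefixes match the demo.
$connectionName = 'vNET-DemoP2S'   # name shown under VPN settings (assumption)
$vnetPrefix     = '10.1.0.0/16'    # Azure vNet address space (demo value)
$clientPool     = '192.168.11.'    # VPN client address pool prefix (demo value)
$vmAddress      = '10.1.0.4'       # private IP of a VM in the vNet (assumption)

# 1. Tunnel state as Windows reports it (SSTP or IKEv2 for a Windows client).
$conn = Get-VpnConnection -Name $connectionName -ErrorAction Stop
$conn | Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod
if ($conn.ConnectionStatus -ne 'Connected') { throw "VPN '$connectionName' is not connected." }

# 2. Equivalent of ROUTE PRINT filtered to the vNet prefix: the route must exist and
#    point at the VPN adapter, whose address comes from the client pool.
$route = Get-NetRoute -DestinationPrefix $vnetPrefix -ErrorAction SilentlyContinue
if (-not $route) { throw "No route to $vnetPrefix; reconnect or redeploy the client package." }
$route | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
$vpnAddr = Get-NetIPAddress -InterfaceIndex $route[0].InterfaceIndex -AddressFamily IPv4
if (-not ($vpnAddr.IPAddress -like "$clientPool*")) {
    throw "Route to $vnetPrefix is not on the VPN interface (found $($vpnAddr.IPAddress))."
}

# 3. Split tunnel check: the default route should still use the local gateway, so
#    only vNet traffic enters the tunnel.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object NextHop, InterfaceAlias, RouteMetric

# 4. Reachability of a workload over the tunnel (RDP port on the Windows Server VM).
Test-NetConnection -ComputerName $vmAddress -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If the route exists but the final test fails, check the network security group on the VM's subnet: the tunnel delivers packets sourced from the client pool (192.168.11.0/24 in this demo), and that range must be allowed by the NSG rules.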