How to configure point-to-site P2S VPN to Azure VNET

Case



You have one or more on-premises computers which need to securely access Azure resources via an Azure VNET. If you dont have the necessary VPN gateway appliance to setup a site-to-site (S2S) VPN using IPSec and IKE, you can alternatively setup point-to-site (P2S) VPN.



Bear in mind that supported devices for P2S VPN are all Windows 10, Linux and Mac latest version devices as well as any other device which can support the SSTP or IKE/OpenVPN protocol.



Solution



This tutorial assumes the following Azure resources are already in place:



- You have a functional Azure subscription and you are global administrator in Azure AD.

- You have created an Azure VNET which will be used for setting up the P2S VPN connectivity between your on-premises clients and the Azure VNET.

- You have setup an Azure VNET gateway resource for route-based VPN access. This should have a gateway SKU which covers your needs. You can find a handy comparison matrix of Azure VNET gateway SKUs at: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku.

Assuming all the above are in place, follow the procedure below to configure TLS certificate-based authentication for your new P2S VPN with Azure.



- Generate the root TLS certificate which will be uploaded to the Azure VNET gateway. The following articles provide instructions for Windows 10 and for Linux computers. - Windows 10 - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

- Linux - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux

The Powershell code for root and client certificate generation (self-signed, without a CA) is the following:



Run in same elevated PS terminal:

//root

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:CurrentUserMy" -KeyUsageProperty Sign -KeyUsage CertSign



//client

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:CurrentUserMy" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

- Generate client certificates and have procedure for installing the client certificates to each VPN client. You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client which uses that certificate. First e export the root cert from MMCconsole without the private key and Base-64 format (.cer). Then do the same export of the root cert but this time with private key (.pfx). Finally export the client certificate (.pfx) to copy it to all client computers.

- Add the VPN client address pool and configure all P2S VPN parameters in the Azure VNET gateway. First navigate in the Azure portal to your VNET gateway resource and click on the "Point-to-site configuration" pane. Click on "Configure now".



- On the next screen configure the IP address pool for your VPN clients. This should be a minimum /28 subnet and must not overlap with any subnets of the Azure VPN gateway. A /27 subnet for example would allow for 30 IP addresses to be allocated to VPN clients. Click "Save" when done. It may take some time before the P2S configuration is successfully committed.



- Configure your VPN clients for Azure P2S connectivity and confirm successful connection. To connect to the virtual network gateway using P2S, each computer uses the VPN client that is natively installed as a part of the operating system. For steps to generate and install VPN client configuration files for your clients, review the following Microsoft article: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert. The steps at high level are the following: - Download the VPN client configuration file and run the setup on the client computer, e.g. Windows 10 VPN client.

- Connect to the Azure P2S VPN using either the OS native client or an OpenVPN client (depending on your OS and local machine configuration).



- The above will download a .zip file with the VPN client configuration files. You will need to install this alongside the VPN client .pfx certificate into all VPN clients before they can initiate a VPN connection to Azure. The VPN client configuration .zip file includes configuration packages for OpenVPN, Windows 10/11 clients and a generic .xml configuration file for third party or Linux native VPN clients.



In the case of Windows 10, after you have run the VPN configuration wizard, to initiate the VPN connection, navigate to Windows settings -->VPN settings and click on the created VPN record.





Click Connect.





- Ensure that you have received an Azure private IP address from the address pool you specified in the Azure P2S IP address pool configuration. You can do that in Windows with the ipconfig /all command and in Linux with the ifconfig command. Test an RDP connection to an existing VM which has an Azure VNET interface residing in a VNET which has peering configured with the Azure VPN gateway VNET.

Common Azure Point-to-site P2S VPN connection troubleshooting

You may come across the following errors when trying to establish a P2S connection with Azure.



- Common error 1: "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. (Error 809)". This is a firewall rule related issue. Check your local firewall configuration to allow ports and protocols for P2S VPN (IKEv2, SSTP, OpenVPN).

- Common error 2: "Policy match error (Error 13868)". This means the the IKE protocol parameters have a mismatch between the VPN client and VPN server. Review this article for remediation actions if you come across this error.
https://stefanos.cloud/kb/how-to-configure-point-to-site-p2s-vpn-to-azure-vnet/

Comments

Post a Comment

Popular posts from this blog

Acronis Cyber Protect 15 virtual machine backup not working when using shared mode virtual disks vhds

Image
Case When you apply and run an Acronis Cyber Protect backup against a virtual machine which is part of a guest cluster which makes use of virtual disk shared files of type .vhds (VHD Set), you run across the following error. Activity succeeded with warnings. Activity 'Preparing for backup of virtual machine' succeeded with the following warning 'Windows error: (0xC05CFF0A). The requested operation cannot be performed on the virtual disk as it is currently used in shared mode. Or the error may state something along the lines of: "Failed to open virtual disk file '.vhds'. Unknown format of the virtual disk." The same error as above can occur in virtual machine backup of virtual machines which include a .vdhx shared disk. Solution The above error is by design when you are attempting a virtual machine backup to virtual machine which does not have an Acronis backup agent installed, as per https://kb.acronis.com/content/68573 . According to Acronis, as of July 2
Read more

How to perform hardware health checks in Windows

Image
Case You need to perform an overall hardware health check in a Windows machine, running either a Windows client or a Windows Server operating system. This article provides guidance on the steps to carry out to perform hardware health checks in Windows. Solution Carry out the steps below. - Thoroughly check all Windows event logs (Application, System, Security) for any warnings or errors which may be related to issues you are experiencing with your Windows machine. - Check the device management mmc console by running devmgmt.msc. Ensure that you choose to show all hidden devices from the View menu. If you notice any exclamation marks next to any device, you will need to re-install its driver from the respective manufacturer to ensure that there afterwards no warnings in the device management console. - Check the health of all your disks , either HDD or SSD. Follow instructions in the following KB article for steps to follow to check your disk health: https://stefanos.cloud/kb/how-to-ch
Read more

How to resolve Group Policy error codes 8007071a and 800706ba

Image
Case You are running "Group Policy Update" on an OU inside the Group Policy Management Console in Active Directory but you are receiving RPC errors from your servers or domain-joined workstations, as shown in the example below. After a Group Policy Update, you come across Group Policy error codes 8007071a and 800706ba. This means that the local Windows Firewall is not configured properly to allow Group Policy (GPO) traffic. GPO traffic an be either remote GPO update or remote GP Resultant Set of Policy (RSOP) operations. Solution Option 1 Run gpedit.msc and create a new local group policy object which implements the following policies under Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Windows Defender Firewall --> Inbound Rules : The full configuration is shown below. After the above local group policies are configured on each domain server and workstation, you can start applying group policy objects to the dom
Read more