Azure Start Point | Point-to-Site VPN
In this post series we will go through some basic steps on how to start with Microsoft Azure. At this post we will see how we can create Point-to-Site VPN connection with Azure.
If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/
Create a typical Virtual Network.
In order to create a Point-to-Site VPN connection we need a Virtual Network Gateway, and the gateway needs its own subnet. Go to the Virtual Network, open Subnets and add a Gateway Subnet.
Finally we can add the Virtual Network Gateway. From the portal, create a Virtual Network Gateway resource and attach it to the previously created Virtual Network.
The Virtual Network Gateway can take up to 45 minutes to be created.
Once the Virtual Network Gateway is created we need one more step: configuring Point-to-Site. Open the Virtual Network Gateway and press Point-to-site configuration.
We will need a self-signed root certificate and a client certificate signed by that root to complete the setup. On a Windows 10 or Windows Server 2016 machine we can use the New-SelfSignedCertificate cmdlet, which makes the process easy. The whole process is described here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
For the root certificate run the PowerShell below from ISE (the root key is marked for certificate signing, which is what lets it sign the client certificate in the next step):
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=prodevrootcert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
For the client certificate run the PowerShell below from ISE in the same session, so that $cert still holds the root (the TextExtension adds the Client Authentication EKU, OID 1.3.6.1.5.5.7.3.2, which the VPN client requires):
New-SelfSignedCertificate -Type Custom -DnsName ProDevChildCert -KeySpec Signature `
    -Subject "CN=ProDevChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
Export the root certificate in .cer format using MMC: open the Certificates snap-in for "My user account", find the root certificate under Personal –> Certificates and right click –> All Tasks –> Export.
Select "No, do not export the private key" and choose "Base-64 encoded X.509 (.CER)". Only the public part of the root goes to Azure; the root private key should stay on the machine that issues client certificates (or in an offline backup), because whoever holds it can mint certificates that the gateway will trust.
Now you have the prodevrootcert.cer.
After that, export the client certificate by selecting "Yes, export the private key", then select "Include all certificates in the certification path if possible" and "Enable certificate privacy". Add a strong password and export it to a .pfx file.
Now you have the prodevchildcert.pfx. This .pfx file must be installed on every client computer that will use this Point-to-Site connection. Keep in mind that the .pfx contains the client private key, so it is effectively the credential for the VPN: anyone with the file and its password can connect. For that reason it is better practice to issue one client certificate per user (signed by the same root) rather than sharing a single .pfx, so that a lost or stolen certificate can be revoked by its thumbprint on the Point-to-Site configuration page without cutting off everyone else.
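The whole certificate procedure above (root, per-user client certificate, Base64 root export for the portal field, password-protected .pfx for the client) can be done end to end from PowerShell without MMC. The script below is an added example written for this post, not part of the original post or of Microsoft's documentation; the names, output folder and the use of the clipboard are assumptions made for the example. It goes beyond the text in that it records the client thumbprint, which is what you need later if you have to revoke that one certificate.

```powershell
# Added example (not from the original post). Creates the root and one client
# certificate, exports the root public key in the Base64 form the portal expects,
# and exports the client certificate with its private key as a password-protected .pfx.
# $rootName, $clientName and $outDir are placeholders chosen for this example.

$rootName   = "prodevrootcert"
$clientName = "ProDevChildCert-user1"     # one certificate per user, so each can be revoked alone
$outDir     = Join-Path $env:USERPROFILE "Desktop\p2s"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Root certificate: self-signed, allowed to sign other certificates (CertSign).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate: signed by the root, with the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2) that the VPN client needs.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Sanity check: the client must chain to the root we just created.
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate was not signed by $rootName"
}

# Root public certificate. RawData is the DER encoding; Base64 of it is exactly the
# text between the BEGIN/END lines of a Base-64 .cer, which is what the portal's
# "Public certificate data" field wants (no header, no line breaks).
$b64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $outDir "$rootName.portal.txt") -Value $b64 -Encoding ASCII
Set-Clipboard -Value $b64     # ready to paste into the portal

# Also write a standard PEM-style .cer (64-character lines) for archiving or re-import.
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @("-----BEGIN CERTIFICATE-----") + $lines + @("-----END CERTIFICATE-----")
Set-Content -Path (Join-Path $outDir "$rootName.cer") -Value $pem -Encoding ASCII

# Client certificate with private key, password protected, including the chain
# (equivalent to "include all certificates in the certification path" in MMC).
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for $clientName.pfx"
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "$clientName.pfx") `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Keep the thumbprint: this is the value you add under "Revoked certificates" on the
# Point-to-Site configuration page if this user's .pfx is ever lost or stolen.
Add-Content -Path (Join-Path $outDir "issued-clients.txt") `
    -Value "$($client.Subject) $($client.Thumbprint) $(Get-Date -Format s)"

Write-Host "Root Base64 for the portal is in the clipboard and in $outDir\$rootName.portal.txt"
Write-Host "Client pfx: $outDir\$clientName.pfx  thumbprint: $($client.Thumbprint)"
```

Run it once per user, changing only $clientName; the root is created only the first time, so wrap the root section in a check against Cert:\CurrentUser\My if you keep the script around. Hand each user only their own .pfx and its password, never the root private key.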
Now let's go back to the Point-to-Site configuration page. Add an address pool that the VPN clients will receive addresses from. This range must not overlap with the Virtual Network address space, nor with any other network the clients need to reach, otherwise routing will break.
Then open the root certificate, the .cer file, in Notepad and copy the text between the BEGIN CERTIFICATE and END CERTIFICATE lines (the Base64 body only, without the header and footer lines).
Paste the certificate text into the "Root certificates" –> "Public certificate data" field and add a name in the "Name" field.
Press Save. Once the save completes the "Download VPN Client" button is enabled and we can download the VPN client package.
In order to establish the VPN connection we need to install the VPN client package and the client .pfx certificate on the workstation. The gateway checks that the certificate presented by the client was signed by one of the uploaded roots and is not in the revoked list, so a workstation without a valid client certificate will fail to connect even with the client package installed.
Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved in major cloud projects in Greece and abroad, helping companies adopt and deploy cloud technologies and driving business value. He holds a number of Microsoft Expert certifications, demonstrating his proven experience in delivering high quality solutions. He is an author and blogger and acts as a speaker at conferences, workshops and webinars. He is also an active member of several communities and a moderator at azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.