Don’t Try This At Work: Create P2S VPN into Azure using Azure Virtual Network Gateway

If you were following along with our last post where we created a site-to-site VPN between our On-Prem network and Azure, you might be wondering what else we can do with our Virtual Network Gateway.

Why not create a P2S VPN so that we can connect in from our devices from anywhere and, not just access our Azure resources, but also our resources On-Prem via our previously mentioned site-to-site VPN?

Why is this in our “Don’t Try This At Work” series?

The main reason this one is classed as Don’t Try This At Work is that in an enterprise environment there are much better ways to do this. When using a VPN client such as AnyConnect you’re going to get much better logging and control over connectivity (amongst other things). Compared to our limited setup using the Azure VPN client into a Basic SKU Virtual Network Gateway, the choice should be clear in an enterprise network.

Setting up a P2S Configuration

Let’s go through the steps to configure and enable our P2S configuration in our Azure Virtual Network Gateway. I’ll try to give you the steps to follow along both in the Azure portal GUI and in PowerShell.

Creating a root certificate

First off, we need to create our self-signed certificates. To do this we need to be on the device we are going to use to connect to our P2S VPN once it is ready to go.

Open your PowerShell window as Admin and run the below script to generate our root certificate.

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Leave the PowerShell window open as we’ll need it for the next steps.

Generate a client certificate

Each computer that connects to your P2S VPN must have a client certificate generated using the root certificate we just created.

To create our first client certificate we need to run the below script in our PowerShell window that we still have open.

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Export Root Certificate File

Now we are ready to export our root certificate; we’ll need this to create our P2S configuration in Azure.

Open “Manage user certificates” from your start menu, and you’ll be able to find our newly created certs under “Certificates – Current User” > Personal > Certificates.

You’ll want to right-click, select All Tasks and then export as below.

Click Next in the Wizard

Select “No, do not export the private key” and then click next.

For the Export File Format page, choose Base-64 Encoded as below and click next.

Choose a suitable location to export your file to and select a name, then click next.

Click Finish to export your certificate

Once you see the below message you know your certificate is ready.

Go to the location you saved your .cer file, right-click it and open it in Notepad.

Copy the text between the two lines

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

This copied text is the certificate information we need to upload to Azure.

Upload root certificate public key information

Now that we have the information, we need to upload it into our Azure Virtual Network Gateway.

Open your Virtual Network Gateway and select Point-to-Site Configuration from the left menu bar.

In the section marked Root Certificates, enter P2SRootCert in the Name field and the data you copied from your .cer file into the Public certificate data field.

At the top of the page you will need to create your VPN address range. In my case I have used 172.168.1.0/24.

Don’t forget to add your On-Prem network details to the “Additional routes to advertise” section at the bottom so your VPN knows which traffic to route. This should look like 192.168.0.0/24 depending on your network details.

Once your info is in, hit Save at the top of the screen.

Alternatively, if doing this via PowerShell (on your local machine, not Azure Cloud Shell), run the following from your admin PowerShell window.

Declare your Certificate name variable

$P2SRootCertName = "P2SRootCert.cer"

Change the file path to the one you used above when exporting your .cer file

$filePathForCert = "C:\cert\P2SRootCert.cer"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)

Upload your info to Azure

Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname "%YourVNet Gateway Name%" -ResourceGroupName "%Your Resource Group Name%" -PublicCertData $CertBase64
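As an added check that is not part of the original post, the script below verifies in the same admin PowerShell window that the two certificates generated earlier are what the gateway expects before the root’s public data is uploaded. It assumes the subjects CN=P2SRootCert and CN=P2SChildCert from the commands above and the Cert:\CurrentUser\My store.

```powershell
# Added example (not from the original post): sanity-check the two self-signed
# certificates before the root's public data is uploaded to the gateway.
# Assumes they were created as above in Cert:\CurrentUser\My with the subjects
# CN=P2SRootCert and CN=P2SChildCert.
$store  = Get-ChildItem Cert:\CurrentUser\My
$root   = $store | Where-Object Subject -eq 'CN=P2SRootCert'  | Select-Object -First 1
$client = $store | Where-Object Subject -eq 'CN=P2SChildCert' | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# 1. The root must carry the KeyCertSign key usage (-KeyUsage CertSign above).
$ku = $root.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not $ku -or -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)) {
    throw 'Root certificate lacks the KeyCertSign key usage'
}

# 2. The client cert must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
#    added by -TextExtension above; the VPN client cannot authenticate without it.
$eku  = $client.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { throw 'Client certificate lacks the Client Authentication EKU' }

# 3. The client cert must chain to *this* root. The root is self-signed and not in
#    Trusted Root, so allow an unknown CA but pin the top of the chain by thumbprint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.Build($client) | Out-Null
$problems = $chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' }
if ($problems) { throw "Chain build failed: $($problems.StatusInformation -join '; ')" }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) { throw "Client cert chains to '$($top.Subject)', not to P2SRootCert" }

# 4. Produce the same Base-64 public data the MMC export + Notepad copy yields
#    (certificate only, never the private key) so it can be compared or uploaded.
$CertBase64 = [Convert]::ToBase64String($root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
[pscustomobject]@{
    RootThumbprint   = $root.Thumbprint
    RootExpires      = $root.NotAfter
    ClientThumbprint = $client.Thumbprint
    PublicCertData   = $CertBase64
}
```

The PublicCertData value is what goes into -PublicCertData (or the portal’s Public certificate data field); the RootThumbprint lets you confirm later which root the gateway trusts.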

Export your VPN Configuration

Now that our settings are in, it’s time to download our client.

From the Point-to-Site Configuration screen we were on, the Download VPN Client button should no longer be greyed out.

Accept any security warnings and run the VPNClientSetupAMD64.exe file (or the equivalent for your flavour of Windows).

You should then get a prompt asking whether you wish to install the client.

Once installed, go to your VPN settings.

Choose our new VPN profile and hit Connect.

You’ll get an Azure VPN Connection window pop up; hit Connect.

Accept the prompt to allow admin access to update route tables.

You’ll now be connected to your Azure P2S VPN.

How can we prove this?

Running ipconfig /all should show your new PPP adapter with your VPN IP and DNS settings as configured in your VNet.

Heading to the Point-to-site Sessions tab in the Virtual Network Gateway will also show any connections as shown below

Why can’t I connect to my On-Prem resources while connected to my P2S VPN?

To finish off, we’ll talk briefly about getting your connection to work from Client > P2S VPN > Azure > S2S VPN > On-Prem.

If you find this isn’t working, don’t forget that you needed to set your additional routes in the P2S configuration page for your On-Prem network, but you also need to set a route on your On-Prem network/devices so that traffic for your 172.168.1.0/24 network gets back out via your On-Prem gateway.
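The Azure side of that routing can be checked and applied from PowerShell. The script below is an added example, not part of the original post: it confirms the client pool, the VNet space and the On-Prem prefix are private ranges that do not overlap (overlap is the usual reason clients can reach one side but not the other), then sets the pool and the additional route with Az PowerShell. It assumes the Az.Network module and Connect-AzAccount; the VNet space and the two %...% names are placeholders, the other prefixes are the ones used above.

```powershell
# Added example (not from the original post): check the three prefixes for RFC 1918
# membership and overlap, then apply the pool and the additional route.
# Assumes Az.Network and Connect-AzAccount; VNet space and %...% names are placeholders.
$prefixes = @{
    P2SPool = '172.168.1.0/24'   # VPN address range entered in the portal
    VNet    = '10.0.0.0/16'      # assumed VNet address space, replace with yours
    OnPrem  = '192.168.0.0/24'   # "Additional routes to advertise" entry
}

function ConvertTo-CidrRange {
    # First and last address of a CIDR as Int64, snapped to the network address.
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                               # host order for BitConverter
    $size  = [int64][math]::Pow(2, 32 - [int]$len)
    $start = [int64][BitConverter]::ToUInt32($bytes, 0)
    $start = $start - ($start % $size)
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    param([string]$A, [string]$B)
    $ra = ConvertTo-CidrRange $A; $rb = ConvertTo-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Test-Rfc1918 {
    # True only when the whole prefix sits inside one of the private ranges.
    param([string]$Cidr)
    foreach ($private in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $r = ConvertTo-CidrRange $Cidr; $p = ConvertTo-CidrRange $private
        if ($r.Start -ge $p.Start -and $r.End -le $p.End) { return $true }
    }
    return $false
}

foreach ($name in $prefixes.Keys) {
    if (-not (Test-Rfc1918 $prefixes[$name])) {
        # e.g. 172.168.1.0/24 is outside 172.16.0.0/12, so the VPN route captures public space
        Write-Warning "$name $($prefixes[$name]) is not an RFC 1918 private range"
    }
}
foreach ($pair in @(@('P2SPool', 'VNet'), @('P2SPool', 'OnPrem'), @('VNet', 'OnPrem'))) {
    if (Test-CidrOverlap $prefixes[$pair[0]] $prefixes[$pair[1]]) {
        throw "$($pair[0]) and $($pair[1]) overlap; clients could not reach both"
    }
}

$gw = Get-AzVirtualNetworkGateway -Name '%YourVNet Gateway Name%' -ResourceGroupName '%Your Resource Group Name%'
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool $prefixes.P2SPool -CustomRoute $prefixes.OnPrem
```

The return route on the On-Prem side (your 172.168.1.0/24 pool pointing at the S2S gateway) is device-specific and still has to be added there by hand.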

I hope this has been a fun run through a quick setup to allow remote access into your On-Prem and Azure environments and will have given you the skills and confidence to help when it comes to doing it for real in an enterprise environment!
