Azure Point to Site VPN configuration using PowerShell

From time to time, a Point-to-Site VPN (P2S) is required to access your Azure Virtual Network securely from a range of computers. This VPN setup is configured using an Azure Gateway within your Virtual Network.

In this blog, I will detail a test setup showing how you can create this P2S configuration, along with the required PowerShell.

What client operating systems can I use with Point-to-Site? (supported list from docs.microsoft)

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Let's get deploying

Ahead of this, I have created a Resource Group:- vnet-vpn

Create Virtual Network (vNET)

Virtual Network tamopsvpn will be created with an Address Prefix of 192.168.0.0/24

#Create Vnet
$vnet = New-AzVirtualNetwork `
  -ResourceGroupName vnet-vpn `
  -Location EastUS `
  -Name tamopsvpn `
  -AddressPrefix 192.168.0.0/24

Create VPN Gateway Subnet

A VPN Gateway must be deployed into a subnet named GatewaySubnet, and that subnet's address space needs to be at least a /29.

Deploying GatewaySubnet with Address Prefix of 192.168.0.0/28

#Create VPN Subnet
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
  -Name GatewaySubnet `
  -AddressPrefix 192.168.0.0/28 `
  -VirtualNetwork $vnet

#Build vNET (write the subnet change back to Azure)
$vnet | Set-AzVirtualNetwork


Create VPN Gateway

Creating VPN Gateway tamopsvpngw with SKU VpnGw1; this is the smallest SKU you can use for a P2S VPN configuration.

*Note:- deploying VPN Gateway will take roughly 30 minutes to deploy*

#VPN Gateway Public IP address
$VPNGatewayIP= New-AzPublicIpAddress `
    -Name tamopsvpngw-pip `
    -ResourceGroupName vnet-vpn `
    -Location 'East US' `
    -AllocationMethod Dynamic

#VPN Gateway Configuration
$vnet = Get-AzVirtualNetwork `
    -Name tamopsvpn `
    -ResourceGroupName vnet-vpn

$vpnsubnet = Get-AzVirtualNetworkSubnetConfig `
    -Name 'GatewaySubnet' `
    -VirtualNetwork $vnet

$gwipconfig = New-AzVirtualNetworkGatewayIpConfig `
    -Name gwipconfig1 `
    -SubnetId $vpnsubnet.Id `
    -PublicIpAddressId $VPNGatewayIP.Id

#Create VPN Gateway
New-AzVirtualNetworkGateway `
    -Name tamopsvpngw `
    -ResourceGroupName vnet-vpn `
    -Location 'East US' `
    -IpConfigurations $gwipconfig `
    -GatewayType Vpn `
    -VpnType RouteBased `
    -GatewaySku VpnGw1

What has currently been deployed?

By following the steps above, you will have created:-

  • Virtual Network
  • Virtual Network Gateway and its associated Public IP Address

How is authentication handled?

In this example, I will be using a self-signed root CA and user certificates.

Typically, a client certificate is generated from a trusted root certificate and then installed on each client computer. The VPN gateway validates this client certificate while the P2S VPN connection is being established.

Create a Root CA and Client self-signed certificates

#Create Certs - Root (self-signed signing cert, stored in the current user's Personal store)
$tamopsrootcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=tamopsvpnrootcert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign


#Create Certs - Client (signed by the root above; 1.3.6.1.5.5.7.3.2 = Client Authentication EKU)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $tamopsrootcert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Both certificates are now available in the Personal certificate store of the current user.
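Before handing the client certificate out, it is worth confirming it really chains to the root you are about to upload and carries the Client Authentication EKU, then exporting it as a password-protected PFX for the client machines. This is an added example, not code from the original post; the PFX path is an assumed value.

```powershell
# Added example (not from the original post): validate the client cert against the
# root created above, then export it for installation on each client computer.
$root   = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq 'CN=tamopsvpnrootcert' } | Select-Object -First 1
$client = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq 'CN=P2SChildCert' } | Select-Object -First 1

# The gateway validates clients against the uploaded root, so the issuer must match it
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate was not signed by $($root.Subject)"
}

# Client Authentication EKU (1.3.6.1.5.5.7.3.2) must be present, as set by -TextExtension
$eku = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.2')) {
    throw 'Client certificate is missing the Client Authentication EKU'
}

# Export with its private key; the PFX plus its password is what goes to the client machine.
# The root's private key stays here: only the root's public .cer is ever uploaded to Azure.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # assumed: prompted, not hard-coded
Export-PfxCertificate -Cert $client `
    -FilePath C:\Users\Thomas\Desktop\P2SChildCert.pfx `   # assumed path
    -Password $pfxPassword
```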

Configure Point-to-Site Configuration on Azure VPN Gateway

Address Pool:- Needs to be configured; this is the pool from which connected VPN clients are assigned their source IP address.

Tunnel Type:- IKEv2 and OpenVPN (SSL)

Upload the public key of the root certificate created above to the Azure VPN Gateway

The PowerShell script below exports the root certificate and uploads its public key to the gateway.

#Extract Root Cert (public key only) from the current user's Personal store
$certfind = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=tamopsvpnrootcert' }

Export-Certificate -Cert $certfind -FilePath C:\Users\Thomas\Desktop\exportcert.cer -Type CERT -NoClobber
#Convert the DER export to Base64 (PEM) so it can be read back below
certutil -encode C:\Users\Thomas\Desktop\exportcert.cer C:\Users\Thomas\Desktop\useme.cer

#Upload configuration changes to Azure VPN Gateway
$P2SRootCertName = "P2SRootCert.cer"
$filePathForCert = "C:\Users\Thomas\Desktop\useme.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [System.Convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayName "tamopsvpngw" -ResourceGroupName "vnet-vpn" -PublicCertData $CertBase64
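The script above uploads the root certificate; the address pool and tunnel type listed earlier still need to be set on the gateway, and the client package then needs to be generated. This added example (not from the original post) does both and reads the configuration back; the pool 172.16.201.0/24 is an assumed value that must not overlap the VNet (192.168.0.0/24) or the clients' local networks.

```powershell
# Added example (not from the original post): apply the P2S client settings to the gateway
$gw = Get-AzVirtualNetworkGateway -Name tamopsvpngw -ResourceGroupName vnet-vpn

Set-AzVirtualNetworkGateway `
    -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '172.16.201.0/24' `   # assumed pool; clients get addresses from here
    -VpnClientProtocol IkeV2, OpenVPN            # tunnel types from the section above

# Read the gateway back and confirm what it will actually hand out to clients
$gw = Get-AzVirtualNetworkGateway -Name tamopsvpngw -ResourceGroupName vnet-vpn
$gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
$gw.VpnClientConfiguration.VpnClientProtocols
$gw.VpnClientConfiguration.VpnClientRootCertificates | Select-Object Name

# Generate the VPN client package (the "download VPN client" step); the result
# carries a time-limited SAS URL from which the zip can be downloaded
$clientPkg = New-AzVpnClientConfiguration -ResourceGroupName vnet-vpn `
    -Name tamopsvpngw -AuthenticationMethod EapTls
$clientPkg.VpnProfileSASUrl
```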

Configuration is now complete.

To test the configuration and confirm a successful connection to the Azure Virtual Network Gateway VPN, download the VPN client.

In this example I will be installing it on Windows 10. After installation, open your VPN settings and click Connect.

VPN will successfully connect!

You have now configured an Azure Point to Site VPN using PowerShell!
