Azure Point-to-Site VPN with Certificate Based Authentication

  • Published 10 Jul 2024
  • This video goes over how to deploy an Azure VNet Gateway on an existing VNet and enable Point-to-Site (P2S) VPN connections. A P2S connection allows clients to connect securely to an Azure Gateway and access resources on the private VNet. The video goes on to demonstrate how to create a root certificate and client certificates to use for authentication. After that, configuring the client is demonstrated as well as blocking a client by revoking a certificate.
    PowerShell commands can be found here:
    www.ciraltos.com/azure-point-...
  • Science & Technology
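As an added example (not the video's own script and not the code published on ciraltos.com), the PowerShell below walks the certificate half of the procedure described above: it creates the self-signed root, signs a client certificate with it, exports only the root's public key in the Base64 form the gateway's root-certificate field accepts, exports the client as a password-protected PFX, and records the client thumbprint that a later revocation needs. It goes slightly beyond the video by re-using an already present root instead of always creating a new one; the certificate names, the output folder and the interactive PFX password prompt are assumptions.

```powershell
# Added example, not the video's or ciraltos.com's script. Names and paths below
# (WestP2SRootCert, P2SClient-alice, %USERPROFILE%\p2s-certs) are assumptions.

$rootName   = "WestP2SRootCert"
$clientName = "P2SClient-alice"
$outDir     = "$env:USERPROFILE\p2s-certs"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root certificate: a signing-only CA cert in the current user's store.
#    Re-use an existing root with this subject if one (with private key) is
#    already there, so further client certs are cut from the same root.
$root = Get-ChildItem -Path "Cert:\CurrentUser\My" |
    Where-Object { $_.Subject -eq "CN=$rootName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) {
    $root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=$rootName" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyUsageProperty Sign -KeyUsage CertSign
}

# 2. Client certificate signed by the root. The EKU 1.3.6.1.5.5.7.3.2 is
#    Client Authentication, which the gateway expects on P2S client certs.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Export the root's PUBLIC part only, as Base64 DER with no PEM header/footer:
#    that single line is what goes into the gateway's Point-to-site root
#    certificate "Public certificate data" field. The private key stays here.
$rootDer    = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootBase64 = [System.Convert]::ToBase64String($rootDer)
Set-Content -Path "$outDir\$rootName.b64.txt" -Value $rootBase64 -NoNewline

# 4. Export the client cert WITH its private key as a password-protected PFX
#    for installation on the user's machine.
$pfxPassword = Read-Host -Prompt "PFX password for $clientName" -AsSecureString
Export-PfxCertificate -Cert $client -FilePath "$outDir\$clientName.pfx" `
    -Password $pfxPassword | Out-Null

# 5. Record the client thumbprint now: revoking this client later means adding
#    this value to the gateway's revoked-certificates list, so keep it in an
#    inventory instead of relying on still having the .pfx or the device.
[PSCustomObject]@{
    Client     = $clientName
    Thumbprint = $client.Thumbprint
    NotAfter   = $client.NotAfter
    IssuedBy   = $root.Subject
} | Export-Csv -Path "$outDir\client-inventory.csv" -Append -NoTypeInformation

Write-Host "Root Base64 for Azure: $outDir\$rootName.b64.txt"
Write-Host "Client PFX:            $outDir\$clientName.pfx"
Write-Host "Client thumbprint:     $($client.Thumbprint)"
```

Run it once per user to issue a new client; the root is only created the first time, and the CSV is what you consult when a device is lost or a user leaves.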

COMMENTS • 130

  • @eden821 3 years ago +2

    Thank you Travis, you are a wonderful presenter. I'm happy I found your channel!

  • @paulgrove2612 2 years ago

    Big THANK YOU! Have been working on this for a couple days running into issues. Watching your video helped me figure out what I was doing wrong and got it working! Thank you again!

  • @Pierrot35 1 year ago

    Great job, the best explanation available and ever found on UA-cam for this topic. Congratulations and many thanks 👍

  • @DrZigfriedroy 4 years ago +1

    Thanks! Learning all about this for my AZ-104 studies. This helped a bunch since I don't wanna spend money in my own personal tenant of Azure.

    • @Ciraltos 4 years ago +1

      Glad it was helpful and good luck on the AZ-104.

  • @sacfsd23 3 years ago

    Great video, something to note for future people who come here, you can't select subnets which are overlapping with already allocated Address Space in the Vnet in the point-to-site configuration after the gateway is created. I thought I was being efficient and adding it ahead of time and to my subnets and route table assuming I would be able to select it but no I had to pull all of that out before I could set the Address Pool.

    • @Ciraltos 3 years ago

      Thanks for the info!

  • @ricardovarela8547 11 months ago

    Great explanation, thanks for sharing. You really clarified how the cert is intended to be imported into the Azure platform. That helped a lot! Thanks

  • @barryalanogletree 2 years ago +7

    This was the best. It covered things, finer details, left out by others. This was clearly the best done by a pure expert. I have been doing things like this as an engineer for 30+ years. You are a real teacher of tech. Kudos! :)

    • @Ciraltos 2 years ago

      Thanks for that, you made my day!

  • @brucegrant2304 1 year ago

    Very nice Travis, thank you, your demo will help me configure the VPN Gateway for my team.

  • @Aconda 1 year ago

    Thank you for this video. Helped me to understand Basic SKU and P2S.

  • @gusmor100 3 years ago

    Travis, thanks for this video, after so many failures ... finally, thanks man!

  • @ismailtirmizi 1 month ago

    Thanks man, for this thorough tutorial/ step-by-step guide. Really appreciate the effort you put into this. It helped me a lot. :)

  • @rlqd_16 3 years ago

    Thank you so much, with your video I can connect the VPN finally. I had trouble with the certificate, I didn't want a new one and I wanted this to work with another old one. I executed your scripts.

  • @azeemon 2 years ago

    Excellent tutorial. Thank you Travis.

  • @doug933 2 years ago

    Awesome, easily followed along, worked the first time! Liked, subscribed, thank you

  • @osatuyimike7264 1 year ago

    This is super helpful. Thank you, Travis

  • @l3ertuz362 1 year ago

    Thanks Travis, very clear step by step

  • @arrvind7385 3 years ago

    Worked like a charm, thanks a lot for the good explanation

  • @krishnakrishna417 1 year ago +1

    Thanks, well explained and straight to the point

  • @justasdautaras9627 3 years ago +1

    Great tutorial, appreciate all the effort!

  • @andresdiaz1749 3 years ago

    Excellent video! Thank you for your explanation, it worked perfectly!

  • @noureddinbe 4 months ago

    Excellent video! Thanks

  • @shanmugamkatna9534 3 years ago +1

    Indeed this is a great video, the concepts are well explained in a clear and concise manner, it helped me to understand the concept, thank you. I followed along with the video and created my VPN but I had issues connecting to the Azure network after downloading the client. I could see there is a difference between the point-to-site configuration at exactly 12:54 in your video and my view in the portal. I had an additional field to select for Tunnel type; by default it was OpenVPN (SSL) and the downloaded VPN zip files were different from yours (vpnconfig.ovpn instead of the amd64 file). I tried to connect with this file with an OpenVPN connection but it errored with x509::parse_pem: error in cert: error:0909006C.
    After looking at the Microsoft docs, I changed my tunnel type to IKEv2 and SSTP (SSL) and downloaded the client; this time the files were the same as yours and I could connect to my network. I used the same root certificate both times. I am unable to understand why I got the parsing error when connecting via OpenVPN. I would appreciate it if you could explain this?

  • @user-lc8dw6qu7r 2 years ago

    Thanks a lot Travis. It was useful and clear.

    • @Ciraltos 2 years ago

      Glad it was helpful!

  • @rahman016 2 years ago

    awesome Travis, this helped me a lot!

  • @betoemihtevas 7 months ago

    I think your videos are awesome, but it would be great just to show the topology or requirements you need before doing this lab, like where the DC or client is; this gives a more understandable overview of what you are doing here. Hope this helps, you are a great teacher.

  • @giber555 1 year ago

    Great tutorial, thank you for it!

  • @anthonypon 3 months ago

    Great video, thank you!

  • @jamietroy7833 2 years ago

    Hi Travis, thanks for the video, very clear and informative. Is there a way to import or deploy the client certificate to the end device without user interaction? Could it be deployed via Intune?

  • @thtgrldiana6388 3 years ago

    Great step by step... thank you for the demo! I'd love to see what this looks like as an inclusive topology. What is traditionally behind the gateway? DNS server? IIS servers? Thank you again!!

  • @mandeepbains5735 3 years ago

    Great video, very well explained demonstration

  • @freddycalderon9092 2 years ago

    Hi Travis! First, great video, explaining high-level details and setup. Question: instead of creating self-signed certs, can users authenticate using Azure AD with MFA? Is that possible? If so, do you have a video or best practice URL(s) to share? Thanks again!

  • @seanricks7986 1 year ago

    Great video. I get about 3 tickets a week with this issue. When you think you know Azure....Think again

  • @greggyoung7419 2 years ago

    Nicely done, thank you

  • @dan291r 3 years ago

    Very clear, thank you!!

  • @LivingSano 3 years ago

    Thank you man. That was great.

    • @Ciraltos 3 years ago

      Glad you enjoyed it!

  • @m12652 1 year ago

    Good stuff! Thank you 👍

  • @Tiejocky 4 years ago

    thanks for your time and help. I already subscribed.

    • @Ciraltos 4 years ago

      Thanks for the sub!

  • @treed4054 1 year ago

    Travis- Great Video! Question. When in the office we use a point to point VPN through an ASA to gain access to files & shares on a VM file server in Azure. When working remotely we connect to the office client VPN and can access those shares in Azure. We want a P2S option so that users can still access shares on the VM directly in case of a power or other outage in the office making the P2P and client VPN inaccessible. Can we use this same configuration for working remotely to connect to the Azure environment and rather than RDP have access to the mapped drives on the Azure VM? Thanks!

  • @alisadreddini96 2 years ago

    Great video explaining the details of a P2S VPN configuration. I have a question around using this P2S VPN setup from my host computer (not a VM on the cloud) connecting to PaaS services in the VNET that the gateway is connected to.
    So: local machine configured with VPN to connect to the VNET on Azure, and resolving PaaS service URLs on my local machine while connected to the VPN.
    Right now I can access the PaaS services via a VM in the same VNET/subnet and connect to this VM via my VPN from my local machine and RDP. But how do I remove this dependency on the VM and go from my local machine straight to those services just by having the VPN configured locally as a client?
    Thanks in advance

  • @jorgecortes9965 2 years ago

    Great video, thank you.

    • @Ciraltos 2 years ago

      Glad you liked it!

  • @MrTeendaba 3 years ago

    Great Work

  • @gustafsonjeff 4 years ago +2

    Great info again! One quick question. Can I use the same Client Cert on multiple client PCs or do I need to create separate client certs for each client PC?

    • @Ciraltos 4 years ago +2

      You can, but if that cert gets compromised or someone with the cert leaves the organization, you may need to revoke the cert and reissue a new one.

  • @identicalmuslimsorganization 3 years ago

    Nicely briefed, thumbs up

  • @hercules1943 3 years ago

    Thanks, this is useful for me

    • @Ciraltos 3 years ago +1

      Glad to hear that

  • @The24hrStruggle 3 years ago

    Hi,
    If you are using AOVPN in Azure and have multiple remote sites, would Point-to-Site still be an option?
    I have a scenario where the VNETs are linked to an ExpressRoute and we have configured P2S for the AOVPN. The clients connect but cannot ping any remote sites/on-premise. Where would I need to add the routes?

  • @dimash83 2 years ago

    Hi Travis, could you please clarify the cases when a company really needs a dedicated Azure VPN. Thanks. It's really confusing to have some sort of VPN integrated in a service and it is not clear if it's free of charge or not. For example a Data Lake Gen2 has VPN settings, which limit access via network mask.

  • @skutsenkow 2 years ago +1

    Is there a way to always have the machine connected to the VPN so you can join the machine to the domain, reboot and allow logins? When you reboot the VPN is obviously going to be disconnected.

  • @juliengs 2 years ago +1

    Thanks for the very informative video! I was able to finally understand how this all works. I have one question however:
    If you need to manage access for multiple users, and you are distributing client certificates, how can you be sure that a user will not share a certificate with another user?

    • @Pierrot35 1 year ago

      Only the certificate password at installation time could mitigate your scenario. If that is the case, a certificate revoke will disable all the installations of the fraudulent client certificate. Apart from this, I do not see a way to prevent the certificate being shared 🤔

  • @flomax_actual 1 year ago

    Great video and clear explanation. How do you revoke the certificate if you do not have the client certificate or thumbprint? How would you automatically push a client certificate for less end-user intervention? Thanks again.. -Kyle

  • @brent4770 3 years ago

    When would you use File share over vpn or containers?

  • @amritarora8897 4 years ago +2

    Amazing :)

  • @avinashgolla9634 3 years ago

    Hi Travis, can you share a video on how to use an enterprise certificate (CA) in point-to-site?

  • @hiteshvaghela9812 1 year ago

    good video

  • @rickvandenbovenkamp5112 1 year ago

    Is it possible to have internet access behind the vpn? In other words: to route all data over the VPN connection?

  • @ramirez368 3 years ago +1

    Hello, great material, but when I download the zip file I see 3 folders, AzureVPN, Generic, and OpenVPN and none of them has the executable for the VPN, any idea

  • @RayKoch 3 years ago

    very good, thx

  • @gustafsonjeff 4 years ago

    So the VPN connection here works to send traffic by IP address but no traffic will pass by DNS name. My VNET does have my internal Azure DNS server IP handed out correctly, so my virtual NIC created by the VPN client does properly show my Azure DNS server IP. First of all, an NSLOOKUP doesn't try to use the DNS server on my VPN NIC (10.x.x.x) but instead uses my local network DNS (192.168.x.x). And second, the VPN-related NIC doesn't put a DNS suffix in the NIC settings, so that is going to make DNS communication by short name difficult. And I can't even manually edit the NIC settings for this SSTP adapter. Any idea how to make full internal DNS work over this SSTP VPN?

  • @AnythinG-ie7jd 1 year ago

    Thanks a lot. A question: how to use the same root certificate again to generate the child cert? Thanks

  • @Fireflierification 2 years ago

    Hey bud! Awesome video, helped us out a great deal!
    Do you or any others perhaps know how to create child/client certs from an already existing signed root cert?

  • @Dechkaon 1 year ago

    Just a quick question. Why was there no subnet created by the name GatewaySubnet? I thought that was mandatory and the VNet gateway must reside in the GatewaySubnet. Thanks

  • @Rigerz 1 year ago

    Could someone tell me if P2S is the right method I would need. I want to have a Windows server hosted on a VM and then domain join local desktops to the on-prem AD that's on the VM. Essentially, using a VPN would allow me to domain join local desktops to an Azure VM's on-prem AD?

  • @kevonspringer1587 2 years ago

    Have a question: does P2S time out frequently? I have it set to never but it still disconnects.

  • @0ioiuibgfg 2 years ago

    Thanks Travis, when opening the .cer created by the macOS keychain, it shows illegal characters; when opened with Sublime, it gives letters and digits. How to solve this please?

  • @nodetrafficsolutioninc8270 3 years ago

    thanks bro

  • @RavinderSingh-vi3rd 1 year ago

    I have a basic SKU VPN gateway with an S2S connection running; once I try to configure P2S the S2S goes down... any idea?

  • @PowerGI 2 years ago

    Hi Travis, does this also work with SQL Server?

  • @megitristisan14 3 months ago

    If I want to connect my Mikrotik with Azure Point-to-Site SSTP, is that possible?

  • @cristiancorreagaitan3279 5 months ago

    Thanks

  • @hrishikeshdubey4004 3 years ago +1

    Thanks for this video, very much helpful. One query: you said the client certs are user based, so if the user changes his/her device, s/he can use the same client certificate to connect to the site? Can we create a certificate to ensure device-based authentication? Please share the video!

    • @Ciraltos 3 years ago +1

      Below is the link related to certificate options. For larger environments, using enterprise certs would probably be a better option.
      docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#generatecert

  • @sachintanwar2896 3 years ago

    I need to change my public IP address using this VPN as other VPNs support. Is it possible?

  • @raosahab9199 2 years ago

    We can add a max of 20 root certs on Azure. How can we increase the limit?

  • @mohammadzeeshan5048 1 year ago

    Hey Travis, awesome video .. helped me a lot .. one more thing, how do I make the internet work on my VPN .. the DNS server is not responding on the VPN ..

  • @DanburyConnecticut 2 years ago

    How do you get the certs to the endpoints? What is the Azure equivalent for pushing it out with GPO, Intune?

    • @TLOU238 2 years ago

      Yes, Intune via device configuration profiles.

  • @learneveryday6976 3 years ago

    Thanks for your video, but this solution will not support domain-joined devices. Do you have any solution for domain users please?

  • @videosdeamigosefamiliaresf2550 3 years ago

    A friend of mine is getting a message like "the connection was not established due to a policy configured in RAS VPN; specifically, the authentication method used by your server to verify name and password may not match the authentication method configured in the connection profile"

  • @nitinarora39 1 year ago

    How to add the device name in Azure VPN P2S, which shows on the Azure portal in point-to-site sessions?

  • @arindambanerjee1662 3 years ago

    Nice 👍

  • @snmailist1470 2 years ago

    Nice video, thanks for sharing.
    I wonder how to connect SQL Server Management Studio to Azure SQL Server through the VPN Gateway?

  • @ortobig8884 3 years ago +1

    Dear sir,
    what does error 798 mean?
    Thanks for your help

  • @ramyalimohamedali3797 6 months ago

    Please explain how non-admin users can connect to the VPN? Thanks!

  • @Mike-mj4xq 3 years ago +1

    Video is great. I am having trouble with the client end. When I download the client and try to run it, I get prompted for admin rights, then the "Do you want to install . . . "; when I click yes a brief DOS window displays then disappears. When I check the VPN area for the created profile nothing is there. I whitelisted the client .exe in Windows Security. No difference. Any help would be appreciated. Thank you

    • @michajabonski8152 2 years ago

      I'm having the same issue on some machines. Did you manage to solve the problem?

    • @Mike-mj4xq 2 years ago +1

      @michajabonski8152 It was a while ago now. I think I just got around it by using the Azure VPN client. It seems to work well.

  • @ehabgalal9181 4 years ago

    If I am going to use an internal PKI, should I upload the Root CA to the virtual network gateway?

    • @Ciraltos 4 years ago +1

      I don't have a PKI in place to try, but I did find this. docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#getcer Hope that helps.

    • @TaystTheNotes 4 years ago

      Isn’t that what he did with the root certificate thumbprint ? Not sure why using a dedicated PKI would be any different.

  • @fanboyc5 2 years ago

    Can someone help please, I can't connect: "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. (Error 809)"

  • @frankparth8888 2 years ago

    It appears the WindowsAMD64 client is missing when I downloaded the VPN client. Trying to connect with OpenVPN instead....

  • @np7320 3 years ago

    Hi, can you please give me this info if you have the time. I did everything as you did, I have successfully connected to the VPN and I can RDP to my Win 10 VM. Now I want to enable PING for that VM. I've included inbound rule for ICMP and on the Win 10 Firewall I've enabled ICMP but I still can't ping it from my home PC. Do I need to do something else? Thank you for this great tutorial by the way! Very very helpful!

    • @Ciraltos 3 years ago

      If you can RDP but not ping, it's likely a firewall issue. Verify that File and Printer Sharing (Echo Request - ICMPv4-In) is enabled on both sides for the Domain, Private and Public profiles.

  • @keshavgupta2375 3 years ago

    The 'VpnClientSetupAmd64' installer package is not included in the VPN configuration ZIP file, help me

  • @user-zg6hh5sy2e 10 months ago +1

    The first time I configured the P2S VPN there was no error, all worked. But once I deleted the VPN gateway and created a new VPN gateway and generated new client and root certificates on the same desktop, now I'm getting "certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (error 0x800b0109)". I did all the troubleshooting like removing the cert and reinstalling, but nothing works. Please help

    • @meetadd 7 months ago

      Have you got any solution? I am having the same issue.

  • @provenmethods4u 9 months ago

    Great video. Anyone? Why, when our users connect to the Azure VPN, does it connect to AD sites instead of the Azure DC?

  • @mxmanoj735 7 months ago

    I tried to configure the VPN on an AD user account on Windows 10 but I'm getting an error when I try to import the certificate. It says "An internal error occurred. The private key that you are importing might require a cryptographic service provider that is not installed on your system".
    On the same desktop, when importing the certificate as admin and as a local user, it is able to import.
    Can someone please help 😢

  • @arickle 10 months ago

    Can't believe how expensive those gateways are.

  • @TiteufMela 1 year ago

    Hello,
    I followed these steps with you but it doesn't work for me. I am using Windows Server as a file server; when I click on connect on the VPN nothing happens.

  • @ramnikjain1225 3 years ago

    I don't know why I am getting this error. I have followed all your steps, but I'm getting this error in PowerShell while creating the root certificate:
    New-SelfSignedCertificate : A parameter cannot be found that matches parameter name 'Type'.
    At line:1 char:35
    + $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    + ~~~~~
    + CategoryInfo : InvalidArgument: (:) [New-SelfSignedCertificate], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCo
    mmand

  • @fbifido2 1 year ago

    @17:05 - you did not show how to see which device is connected, nor how to see the current connections?
    - Can't you revoke & force disconnection via the web interface?
    - Can we use XCA for the Cert creation?
    - How does one enable 2FA/MFA for the connection?
    - How Does DNS work in this setup? what if you wanted to use the VM hostname and not the ip-address?
    - What is Locks under Properties?
    - What is shown in the Activity Logs, the fail attempts?
    - So, what is shown is "Logs" under Monitoring?

  • @troller4jesus 3 years ago

    How does the VPN client know where to point traffic to?

    • @Ciraltos 3 years ago

      The config file has the public IP of the gateway.

  • @harshnagpal4212 11 months ago

    I am unable to install the certificate. I copy-pasted the script exactly, it just goes to the next line:
    PS C:\WINDOWS\system32> $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    >> -Subject "CN=WestP2SRootCert" -KeyExportPolicy Exportable `
    >> -HashAlgorithm sha256 -KeyLength 2048 `
    >> -CertStoreLocation "Cert:\CurrentUser\My" `
    >> -KeyUsageProperty Sign -KeyUsage CertSign

  • @ToshuMalhotraiitk 2 years ago

    Confusing, why copy certificates again and again..

    • @snmailist1470 2 years ago +1

      At least there were 2 certificates: root & client.

  • @brucegrant2304 1 year ago

    Hi Travis, I completed the process over the weekend, all went smoothly except that when I attempted to connect from my workstation, I got the error "The client and server cannot communicate, because they do not possess a common algorithm. (Error 0x80090331)" I researched the error, and based on some KB articles, verified that we're using .NET 4.6 (.NET 4.8 on my client). I just wondered whether you had seen this before, or had any ideas on the fix. Thanks again for the demo, it was great, I followed it step by step!

  • @simoshi7184 3 years ago

    I don't know how to create a root certificate with Azure, would you like to help me please