Introduction to Point to Site VPN Azure
A Point-to-Site (P2S) VPN connection lets you establish a secure tunnel to your virtual network (VNet) from an individual client computer. The connection is initiated from the client machine itself. This is a good option for employees working from home who need to reach Azure VNets remotely, and when only a few clients need to connect to a VNet, P2S VPN can be used in place of a Site-to-Site (S2S) VPN.
Prerequisites:
A virtual network with a subnet (for example, I have created a virtual network named VNet-Dev-Centralindia-001)
A virtual machine in that virtual network, which will be reached over the P2S VPN using its private IP
Configuring Virtual Network gateway
Sign in to the Azure portal.
Click Create and fill in the details.
In this example the subscription is Mayank-MPN and the gateway name is VGW-Dev. Select the region in which the virtual network was created; the Virtual network section is then populated automatically. The SKU is VpnGw1 (supports a maximum of 250 connections with 640 Mb throughput), and the other options remain at their defaults, as shown in the screenshot below.
You can specify the gateway subnet address range yourself, or let the portal derive one from the VNet's CIDR. I also created a public IP named VGW-PIP-dev. The other options are left at their defaults, as shown in the screenshot below.
Give the resources appropriate tags, then click Review + create and finally Create.
Create and export certificates
To create the root and client certificates, open PowerShell. Run the following script to create the self-signed root certificate; once created, it is installed in the current user's personal certificate store (Cert:\CurrentUser\My) and kept in $cert so it can sign the client certificate:

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=RootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Now create the client certificate, signed with the root certificate held in $cert. The following script creates a certificate named P2SChildCert with the client-authentication extended key usage (OID 1.3.6.1.5.5.7.3.2) and installs it in the same user certificate store:

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
We now need to export the certificates for later use. Press Win+R, run certmgr.msc (or search for Manage user certificates), right-click the root certificate in the certmgr console and click Export.
In the Export Private Key dialog box, select No, do not export the private key and click Next.
In the Export File Format dialog box, select Base-64 encoded X.509 (.CER).
Complete the Certificate Export Wizard and click Finish to save the certificate on your computer.
Export the client certificate by following the same procedure, except that this time you select Yes, export the private key.
Keep the default option in the Export File Format dialog box, as shown in the screenshot below, and click Next.
In the Security dialog box, enter a password to protect the .pfx file and leave the encryption type at its default. Specify the file name in the File to Export dialog box and click Finish to save it.
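The same export steps can be scripted instead of clicked through in certmgr.msc. The following PowerShell is an added example, not code from the original post; it assumes the RootCert and P2SChildCert certificates created above already exist in Cert:\CurrentUser\My, and the output folder C:\certs is a placeholder.

```powershell
# Added example, not from the original post. Scripts the certmgr.msc export
# steps above for the RootCert / P2SChildCert certificates created earlier.
# ASSUMPTIONS: both certificates exist in Cert:\CurrentUser\My; the output
# folder below is a placeholder you should change.
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Find both certificates by subject in the current user's personal store.
$store = Get-ChildItem -Path Cert:\CurrentUser\My
$root  = $store | Where-Object { $_.Subject -eq 'CN=RootCert' }     | Select-Object -First 1
$child = $store | Where-Object { $_.Subject -eq 'CN=P2SChildCert' } | Select-Object -First 1
if (-not $root -or -not $child) {
    throw 'RootCert or P2SChildCert not found in Cert:\CurrentUser\My'
}
# The client certificate must be issued by the root the gateway will trust.
if ($child.Issuer -ne $root.Subject) {
    throw "P2SChildCert was not issued by $($root.Subject)"
}

# 1) Root certificate, public part only (the "No, do not export the private
#    key" + "Base-64 encoded X.509 (.CER)" choices in the wizard).
$der = $root.RawData
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$outDir\RootCert.cer" -Value $pem -Encoding ascii

# The gateway's root certificate field takes the same Base64 body on a single
# line without the BEGIN/END markers, so write that form out as well.
Set-Content -Path "$outDir\RootCert-public-data.txt" `
            -Value ([Convert]::ToBase64String($der)) -Encoding ascii

# 2) Client certificate WITH its private key as a password-protected .pfx
#    (the "Yes, export the private key" path). This file is a credential:
#    issue one per user and keep it off shared storage.
$pfxPassword = Read-Host -Prompt 'Password for P2SChildCert.pfx' -AsSecureString
Export-PfxCertificate -Cert $child -FilePath "$outDir\P2SChildCert.pfx" `
                      -Password $pfxPassword | Out-Null

# Record the client thumbprint: it is what you revoke on the gateway if this
# client's .pfx is ever lost or the user leaves.
"Root   thumbprint: $($root.Thumbprint)"
"Client thumbprint: $($child.Thumbprint)"
```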
Now
