Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Configuring Azure Point-to-Site VPN with Windows 10

  • November 8, 2018
  • 12 min read
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.

wp-image-10328

Introduction

It is common to use a VPN when we are working remotely, and we need to access our company assets. If you work with Azure, you may notice that you can configure two types of VPN:

  • Site-To-Site VPN: Site-to-site is used when you want to connect two networks and keep the communication up all the time. You will need to use your Firewall device to configure a Site-To-Site VPN.
  • Point-To-Site VPN: It will create a secure connection to your Azure Virtual Network from an individual client computer. The main difference is that if you log-off or restart the workstation, it loses connection, and you have to reconnect every time.

In this article, we will focus on how to connect our local network to our Azure Virtual Network. To reach this goal, we will perform the following steps:

  • Create a Resources Group
  • Create a Virtual Network
  • Create a VPN Gateway

– As described by Microsoft: “A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.”

  • Create a Gateway subnet / Virtual Network Gateway

– As described by Microsoft: “A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet you create, which is called the gateway subnet […] Virtual network gateway VMs are configured to contain routing tables”

  • Create Root and Client Certificates
  • Configure a Point-To-Site Connection
  • Testing the VPN Connection

Getting Started

From the Azure portal, Click on Resources Groups from the services list and create a new Resources Group. Select the Add button to create new resource group. In my case, the RG is named “GET-CMD-VPN“:

wp-image-10329

Now we need to create a new virtual network. Click the “Add” button to create the new virtual network:

wp-image-10330

A new blade will appear, and you must provide the required information for the following fields:

  • Name: It is the friendly name of your VNet
  • Address space: You will be able to access to this network when you will be connected through your VPN
  • Subscription: Select your Azure subscription
  • Resource Group: Select a Resources Group or create a new one
  • Location: Select the location where the VNET will be located

wp-image-10331

Click the Create button and refresh the Virtual Networks list:

wp-image-10332

Go to the newly Virtual Network, and create a new Gateway subnet:

Go to the newly Virtual Network, and create a new Gateway subnet

This subnet is dedicated to the Virtual Network Gateway Virtual Machines that will be automatically created by Azure.

wp-image-10334

Now, we can create the Virtual Network Gateway:

create the Virtual Network Gateway

wp-image-10336

At this step, we need to create a Root Certificate and a Client Certificate. In my case, I do not have an internal PKI in my lab, so I will use a self-signed certificate.

The following script has been released by the Microsoft Team:

wp-image-10337

This will create the ROOT certificate and install it under current user certificate store. We need to export the ROOT Certificate so that we can import it to Azure. Right click on the ROOT Certificate and select “Export”:

wp-image-10338

In the private key page, select “Do not export the private key

wp-image-10339

Select the following format:

wp-image-10340

Once the certificate has been exported, then go to the Azure Portal, and open the Virtual Network Gateway blade. Next, click “Configure now” in order to configure your Point-To-Site VPN:

wp-image-10341

At this step, I advise to use the following PowerShell script, because sometimes, when you try to copy/paste the ROOT Certificate, you may get some issues. Open a PowerShell console, and run the following script:

Wait until the Virtual Network Gateway is updating …

wp-image-10342

Then, you can download the VPN Client configuration in order to import it on your Windows 10 machine:

wp-image-10343

Extract the ZIP archive, and run the following executable:

wp-image-10344

Go to the Windows Control panel, and click “Connect”:

wp-image-10345

Wait a few seconds, and confirm the VPN status, which must be “connected“:

wp-image-10346

Let’s check the IP address by running the “ipconfig” command to verify the IP allocation from the VPN address pool. As you can see, the IP address is 172.31.21.2.

wp-image-10347

From the Windows 10 machine, the VPN configuration is mapped on the Gateway Public IP Address:

wp-image-10348

In VPN gateway page, I can confirm there is one active connection:

wp-image-10349

To finish, on the Windows 10 machine, run the “route print” command. Two active routes has been created, so it means that when I try to reach the following network: 10.1.0.0/16, my computer will use the Azure Point-To-Site VPN connection:

wp-image-10350

Now, I can test my VPN connection. I just need to create a new Virtual Machine, and create a network interface in the VPN Virtual Network:

wp-image-10351

When the Virtual Machine is created, I can connect through RDP using the private IP Address, which is part of the VPN Virtual Network:

wp-image-10352

wp-image-10353

 

Conclusion

Thanks to the VPN Gateway, you can easily create a VPN tunnel between your laptop and your Azure Virtual Network. Here is a very helpful link:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems that will help you to solve issues regarding the VPN Gateway.

Thanks for reading!

Found Nicolas’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!