Setting up and configuring Azure VPN - brian-anderson01/Capstone GitHub Wiki

Setting up the virtual networks

  • Head to the Azure Portal and search for virtual networks
  • Click create at the top
  • Choose your subscription and resource group, then give the network a name (I named mine "VPN-NET") and click next
  • If you would like a custom address space for the network, set it here; if not, just click next to keep the default
  • Leave the security settings as default, and click review + create
  • Now we need to create the public-facing VPN gateway
  • At the top of the page search for "virtual network gateways"
  • Click create at the top to make a new gateway
  • Choose your subscription and resource group then name the gateway
  • For gateway type choose VPN and for VPN type choose Route-based
  • Choose Basic for the SKU, then choose the virtual network that you created above
  • For public address, choose create new and give it a name
  • Leave "Enable active-active mode" and "Configure BGP" disabled
  • Click review and create then create
  • Now wait for the virtual network gateway to deploy; this can take a while
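The same network and gateway build, scripted with the Az PowerShell module. This is an added example and not part of the original wiki; it assumes a resource group named "Capstone-RG", the "eastus" region, and the address spaces and resource names given in the comments.

```powershell
# Added example (not part of the original wiki): the portal steps above done with the Az
# PowerShell module (Install-Module Az; Connect-AzAccount first).
# Assumptions: resource group "Capstone-RG", region "eastus", address space 10.1.0.0/16 for the
# VNet and 10.1.255.0/27 for the gateway subnet, names "VPN-NET", "VPN-GW-PIP" and "VPN-GW".
$rg  = "Capstone-RG"
$loc = "eastus"

# The gateway can only be placed in a subnet literally named "GatewaySubnet". The portal adds it
# for you behind the scenes; in PowerShell it has to be declared explicitly.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27"
$vnet = New-AzVirtualNetwork -Name "VPN-NET" -ResourceGroupName $rg -Location $loc `
    -AddressPrefix "10.1.0.0/16" -Subnet $gwSubnet

# Public IP the gateway listens on ("create new" in the portal).
$pip = New-AzPublicIpAddress -Name "VPN-GW-PIP" -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Dynamic

# Bind the public IP to the gateway subnet.
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "VPN-GW-ipconf" `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Gateway type VPN, Route-based, Basic SKU; active-active and BGP stay off (the defaults),
# matching the portal choices above. This call blocks until the deployment completes.
New-AzVirtualNetworkGateway -Name "VPN-GW" -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic
```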

Creating certificates

  • While the gateway is deploying, this is a good time to generate the certificates for the VPN tunnel
  • In this case I will be using self-signed certificates
  • From a Windows 10 computer or a Windows Server, open PowerShell and run the command below (each trailing backtick is a PowerShell line continuation and must be the last character on its line)

    ```powershell
    # Self-signed root certificate. It is stored (with its private key) in the current user's
    # Personal store and is used only to sign client certificates (KeyUsage CertSign).
    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
    ```
  • If you want to change the name of the certificate, replace P2SRootCert
  • Now that you have a root certificate and its private key, do not close the PowerShell window (the next command references $cert); run the command below to make a client certificate

    ```powershell
    # Client certificate signed by the root ($cert). The TextExtension sets Extended Key Usage
    # (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2), which the VPN gateway requires.
    New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
        -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
    ```
  • Again if you want to change the name, replace P2SChildCert
  • Now both certificates have been created and need to be exported
  • Open certmgr.msc from Run, or search for "Manage user certificates" in Windows search
  • At the top of the list, expand the folder named "Personal" and click on Certificates. Your generated certificates should show up there, see screenshot below.
  • Right-click on the root certificate and choose All Tasks -> Export
  • When the wizard opens, click next, choose "No, do not export the private key", then click next
  • On the next page choose "Base-64 encoded X.509 (.CER)" and click next
  • Choose a name for the certificate file and where you would like to export it to, then click next and finish
  • Now we just need to export the client certificate
  • Right-click the child certificate and choose All Tasks -> Export
  • Click next, and this time choose "Yes, export the private key", then click next
  • Leave the file format at the default (.PFX) and click next
  • Check the box next to Password and enter a password for the certificate, then click next
  • Choose where to export the client certificate and give it a name, then click next and finish
  • With both files exported, the root certificate needs to be registered with the Azure VPN gateway (the client certificate goes on the client PC)

Setting up the P2S VPN

  • Once the gateway has completely finished deploying, head to Virtual network gateways and choose your newly created gateway
  • On the left, click Point-to-site configuration
  • Click Configure now
  • Choose an address pool for the VPN clients (a private range that does not overlap the virtual network's address space)
  • Input a name for the root certificate, then open the root certificate file you exported earlier with a text editor
  • Copy the certificate contents without the BEGIN and END lines and paste them into the Public certificate data text box
  • With that pasted in, click Save at the top and wait for it to finish saving
  • The VPN is now ready to accept connections. Note that the client certificate (the .pfx) must be installed on each client PC, or the client will not be able to connect.
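The certificate steps from the previous section and the "public certificate data" step above, as one PowerShell script. This is an added example and not the wiki's own code; it assumes an output folder C:\VPNCerts, a placeholder PFX password, and (for the optional last step) a gateway named "VPN-GW" in resource group "Capstone-RG".

```powershell
# Added example (not part of the original wiki): the certificate steps as one script,
# plus the exact Base-64 string the portal's "Public certificate data" box expects.
# Assumptions: output folder C:\VPNCerts, the placeholder PFX password below, same names as the wiki.
$outDir  = "C:\VPNCerts"
$pfxPass = ConvertTo-SecureString -String "PLACEHOLDER-change-me" -AsPlainText -Force
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root. KeyUsage CertSign: this key only ever signs client certificates.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root. The TextExtension sets Extended Key Usage
#    (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2), which the gateway requires.
$client = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Root public certificate only (RawData is the DER bytes; the private key never leaves the store).
#    Base-64 of the DER is exactly the PEM body, i.e. what gets pasted into the portal
#    without the BEGIN/END lines. Write that, plus a wizard-style Base-64 .cer file.
$rootPublicData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $outDir "P2SRootCert.portal.txt") -Value $rootPublicData -NoNewline
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($root.RawData, "InsertLineBreaks") +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $outDir "P2SRootCert.cer") -Value $pem -Encoding Ascii

# 4. Client certificate WITH its private key as a password-protected PFX, for each client PC.
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "P2SChildCert.pfx") `
    -Password $pfxPass | Out-Null

# 5. Check before uploading: the client cert must chain to this root and carry the EKU.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"            # self-signed root, no CRL exists
$chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$built = $chain.Build($client)
$chainsToRoot = $built -and ($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint -eq $root.Thumbprint)
$hasClientAuth = $client.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.2"
"Chains to P2SRootCert: $chainsToRoot  Client Authentication EKU: $hasClientAuth"

# 6. Optional, replaces pasting in the portal (needs the Az module and Connect-AzAccount).
#    Assumed gateway name "VPN-GW" and resource group "Capstone-RG".
# Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "P2SRootCert" -PublicCertData $rootPublicData `
#     -VirtualNetworkGatewayName "VPN-GW" -ResourceGroupName "Capstone-RG"
```

The contents of P2SRootCert.portal.txt are what goes into the portal's text box; P2SChildCert.pfx is what each client imports.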

Connecting a client to the VPN

  • While still on the virtual network gateway page, choose Point-to-site configuration on the left
  • At the top, click "Download VPN client"
  • Once the zip has downloaded, move it onto the client PC
  • On the client PC, open the zip, choose the folder for your system architecture and run the setup
  • Once installed, on a Windows system go to the bottom right and click on the network icon
  • There should now be an entry for the VPN, see screenshot below
  • Left-click on the VPN entry and it will open Settings
  • Once in Settings, click on the VPN entry again and then click Connect
  • An Azure VPN window will pop up; click Connect once again
  • Accept the administrator (UAC) prompt and you will be connected
  • To check the connection status, click the network icon in the bottom right again; it should say Connected under the VPN entry
  • With this connected, the user should be able to access resources in the Azure environment such as Azure file shares and VMs (if the network security settings permit it)