Azure VPN – Part2 (Create Point-to-Site VPN)

Santosh Gaikwad

Connect on LinkedIn      Follow SCI Page

Write to
Santosh Gaikwad

Latest posts by Santosh Gaikwad (see all)

<< Azure VPN – Part 1

What is VPN (Virtual Private Network)?

A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. To send network traffic between your Azure virtual network and your on-premises site, you must create a virtual network gateway for your virtual network.


For more information about VPNs please refer article Azure VPN – Part1

This article focuses on configuring Point to Site VPN.

Point-to-Site (VPN over SSTP)

Point to Site VPN
Point to Site VPN

A Point-to-Site (P2S) VPN gateway connection allows you to create a secure connection to your virtual network from an individual client computer. P2S is a VPN connection over SSTP (Secure Socket Tunneling Protocol). P2S connections do not require a VPN device or a public-facing IP address to work. You establish the VPN connection by starting it from the client computer. This solution is useful when you want to connect to your VNet from a remote location, such as from home or a conference, or when you only have a few clients that need to connect to a VNet. P2S connections can be used with S2S connections through the same VPN gateway, as long as all the configuration requirements for both connections are compatible.


P2S connections require the following:

  • A RouteBased VPN gateway.
  • The public key (.cer file) for a root certificate, uploaded to Azure. This is considered a trusted certificate and is used for authentication.
  • A client certificate generated from the root certificate, and installed on each client computer that will connect. This certificate is used for client authentication.
  • A VPN client configuration package must be generated and installed on every client computer that connects. The client configuration package configures the native VPN client that is already on the operating system with the necessary information to connect to the VNet.

VPN gateways can be configured either through ARM Portal or Azure PowerShell.

This article follow Azure PowerShell to configure P2S connection.


Step 1: Login and prepare variables

1. Login

Select-AzureRmSubscription -SubscriptionName "Name of subscription"

2. Prepare Variables for VNET

$VNetName  = "VNet1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"

$VNetPrefix1 = ""
$VNetPrefix2 = ""
$FESubPrefix = ""
$BESubPrefix = ""
$GWSubPrefix = ""

$VPNClientAddressPool = ""
$RG = "TestResourceG"
$Location = "West India"
$DNS = ""

$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"

Step 2: Configure VNet

1. Create new resource group

New-AzureRmResourceGroup -Name $RG -Location $Location

2. Create the subnet configurations for the virtual network, naming them FrontEndBackEnd, and GatewaySubnet

$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
$besub = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix


3. Create Virtual network

New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer $DNS
Create New Virtual Network
Create New Virtual Network

4. Read created virtual network in a variable

$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

5. Create Public IP address and set it to network gateway

$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

Step 3: Create Certificate using MakeCert

Makecert is deprecated option, but as I am using windows 7, I had to go for it as PoewerShell module is not available for in windows 7.


1. Download and install MakeCert.


2. Makecert by default got installed at location  “C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin” on my machine, path might differ on your machine, so check during installation.


3. Run Makecert command to create certificate

makecert -sky exchange -r -n "CN=P2SRootCert" -pe -a sha1 -len 2048 -ss My "P2SRootCert.cer"






4. Export public key and upload in Azure
Open management console of certificates for current user, select certificates under personal folder and select “P2SRootCert”, right click and select export option. Select “No, do not export the private key”.

Save file as “P2SRootCer.cer” and store on local machine,  this file contains the public key of certificate, which needs to be uploaded to azure in further steps.

Export Public Key
Export Public Key


5. Generate a client certificate
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

makecert -n "CN=P2SClientCert" -pe -sky exchange -m 96 -ss My -in "P2SRootCert" -is my -a sha1

Export client certificate to install on the client machines, Select “Yes, to export the private key”, Select “Include all certificates in the certification path if possible”

Export Client Certificate
Export Client Certificate


6. Install an exported client certificate on client machine.
If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported. Typically, this is just a matter of double-clicking the certificate and installing it.

7. Upload server (root) certificate to Azure
Prepare to upload the .cer file (which contains the public key information) for a trusted root certificate to Azure. You do not upload the private key for the root certificate to Azure. Once a .cer file is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. Run following PowerShell.

$P2SRootCertName = "P2SRootCert.cer"

$filePathForCert = "D:\Santosh\Personal\Azure\Articles\P2SRootCert.cer"

$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)

$CertBase64 = [system.convert]::ToBase64String($cert.RawData)

$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64


Step 4 – Create the VPN gateway

Configure and create the virtual network gateway for your Virtual Network. The -GatewayTypemust be Vpn and the -VpnType must be RouteBased.

New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
-Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku Standard `
-VpnClientAddressPool $VPNClientAddressPool -VpnClientRootCertificates $p2srootcert
Create New Azure Virtual Network Gateway
Create New Azure Virtual Network Gateway


Step 5 – Download the VPN client configuration package

To connect to a VNet using a Point-to-Site VPN, each client must install a package to configure the native Windows VPN client. The configuration package configures the native Windows VPN client with the settings necessary to connect to the virtual network

You can use the same VPN client configuration package on each client computer, as long as the version matches the architecture for the client.

1. After the gateway has been created, you can generate and download the client configuration package. This example downloads the package for 32-bit clients. If you want to download the 64-bit client, replace ‘x86’ with ‘ Amd64’. You can also download the VPN client by using the Azure portal.

Get-AzureRmVpnClientPackage -ResourceGroupName $RG `
-VirtualNetworkGatewayName $GWName -ProcessorArchitecture x86
Download VPN Client Package
Download VPN Client Package




2. Copy and paste the link that is returned to a web browser to download the package.

JUST FOR REFERENCE, In my case link is as follows, you would get different URL

You would be prompted to install VPN client, select Yes.

Install VPN Client
Install VPN Client


VPN get installed on client machine.

List of networks on client machine
List of networks on client machine


Step 6 – Connect to Azure

Right client VNet1 and click on connect, so that client machine gets connected to the P2S VPN.

VPN Connected
VPN Connected



You can run ipconfig /all command to check the IP details of machine.
IP of Client Machine
IP of Client Machine

You can see that your machine is part of the Azure VNET now and it has got the IP address in the range of VNET of Azure.

Create a folder on client machine and share to everyone to check if shared folder can be accessed from Azure VM.

Share a folder on client machine
Share a folder on client machine


Run a PowerShell script to check the list of VMs available in Azure and get the IPs for each VM, and initiate mstsc command to open remote desktop connection.

$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null

foreach($Nic in $Nics)
 $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
 $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
 $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
 Write-Output "$($VM.Name): $Prv,$Alloc"
Get the IPs of Azure VM and initiate Remote Desktop Connection
Get the IPs of Azure VM and initiate Remote Desktop Connection

Log in to azure VM and ping local machine IP,  It gives back reply, open shared a folder of client machine and provide client credentials to connect to shared folder.

Login to Azure VM and Ping client machine and open shared folder of client machine
Login to Azure VM and Ping client machine and open shared folder of client machine


Check Articles From Categories      Health and Parenting      Inspiring Stories      Technology      Microsoft Azure      SharePoint O365

Leave a Reply

Your email address will not be published. Required fields are marked *