Setting up a point-to-site VPN with Azure

Synopsis

This article is a short description on setting up a point-to-site VPN from a developer PC to a network defined in an Azure subscription. The long form of this setup can be found here.

The setup follows these steps:

  1. Set up an Azure virtual network with a gateway
  2. Create the root and client certificates
  3. Connect a client to that gateway

Set up an Azure virtual network

An Azure virtual network consists in three distinct configurations:

  • The point-to-site connectivity address space: the address space client will be added to when connecting to the gateway
  • The virtual network address space: the address space for virtual machines running in the virtual network
  • The virtual network DNS configuration
  • A root certificate
  1. From the Azure portal go to networks and select “New”
  2. Select “Custom create”, name the network and let Azure create an affinity group
  3. Enter 8.8.8.8 (google) and 8.8.4.4 (google2) as DNS servers and select “Configure a point-to-site VPN”
  4. Define the point-to-site connectivity address space: 172.16.0.0/24
  5. Define the virtual network address space (10.0.0.0/8), including a subnet (10.0.0.0/11)and a gateway subnet (10.32.0.0/29)
  6. Create the gateway (action at the bottom of the screen)

You can also grab this configuration and just import it.

Create the root and client certificates

We will use makecert to create certificates. Makecert ist installed as part of Visual Studio 2013.

makecert -sky exchange -r -n "CN=PRMgmtRootCert" -pe -a sha1 -len 2048 -ss My "PRMgmtRootCert.cer"  creates the certificate (.cer file), saves it to the local keystore and to the named file. You then need to upload the file it into the certificates section of the Azure virtual network.

makecert.exe -n "CN=PRMgmtClientCert1" -pe -sky exchange -m 96 -ss My -in "PRMgmtRootCert" -is my -a sha1 creates a client certificate to the local keystore.

In order to export the client certificates use the keystore manager (certmgr.msc), select all tasks and export the client certificate with the private key. This will be a .pfx file. Make sure to record or remember the password (key) that you set for this certificate.

Connect a client to the gateway

  1. Go to the dashboard of the virtual network in the Azure potal and download the client (32 or 64-bit version depending on your needs)
  2. On the client that will establish the point-to-site VPN import the client certificate (.pfx file), confirm the password and establish the VPN

From here

Now that we have established a point to site VPN we can:

  • add virtual machines to the virtual network (in the 2nd step make sure that “Create Could Service” is selected in order to be able to select the virtual network)
  • delete the public endpoints of those machines in case they shall only be reache through the VPN
  • connect to the virtual machines (RPD, powershell) using the private IP addresses (in the VPN’s address space)