Azure Point to site VPN

I setup a personal Azure account to experiment with. I think I found my sea legs in Azure enough to explore the idea of migrating some internal services to the cloud.

My goal is to be able to show the company how to dip toes in Azure through the creation of virtual networks, virtual machines, services, via Point-to-Site connection.

After demystifying it, I hope to show some simple savings on cost savings.

Simple VM running along with it’s baked in Cost Analysis
My resources

Attached at the bottom is a PDF of the full directions that I used for download

Azure Point to site VPN

Basic Requirements to pull this off:

*Method of authentication= certificate (root cert uploaded)

*Each client uses a VPN connection request to have client certificates as a child cert of that root cert (the one uploaded to azure)

*You need a VPN client package, (get from portal)

*You need a method to generate a root certificate and client certificate.

*One option is to use a self-signed root cert and client cert.  Done with a command shell which I will replicate below.

Basic framework for rolling up a Point-to-Site VPN Azure Infrastructure  

(My notes are based on reproducing a great tutorial scenario found here:

Steps Taken:

+ Create a Virtual Network

+ Create Gateway Subnet (Only one of these is allowed per virtual network)

+ Create Firewall Rules NSG’s (Link here)

+ Create a virtual gateway [Route based; basic; Search for virtual network gateway and highlight yours]

à Create it, name it, Basic; Attach it to your VNet; Create a new public address (sstp) protocol for this VPN basic:  Microsoft Specific notes :

+ Create a VM to interact with on Azure àWindows server; put it in the first subnet assign it the +Firewall rules (NSG’s) like frontend, backend (see separate writeup)

+Create Root Certificate for the VPN – Download windows 10 sdk (developers kit)

+ Install DevKit and head out to Powershell à C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86 You should make sure  makecert.exe is in that location

+ Toggle over to explorer and make c:\temp\Azure folder to dump things in.

+ Toggle back to do it in dos and switch over to Command typing cmd “ you’ll stay in powershell but you are rolling in command.

+ Now go to elevated cmd in this location: C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86

Run this command : makecert -sky exchange -r -n “CN=AzureVpnRootCert” -pe -a sha1 -len 2048 -ss My “AzureVpnRootCert.cer”

The above command will dump the cert in the original location.  The cert shows up in certmgr

+ Start\Run\ certmgr.msc to install it locally or just right click and install it from explorer

+ Go dump the AzureVPNRootCert.cer in your c:\temp\azure directory.  (I just like to keep stuff together)

+Create an “x64” version of your Cert:

Right click it and export it; Choose don’t export the private key –base64- locationàYou are actually dumping it next to the cert and creating the “x64” version of the certificate.

+ Right click and open it in notepad++ and put it in one line—May have to delete and backspace a bit to get it to look like this:

+ Save As a .txt and put it in the same directory; At some point you’ll have to download the VPN client created specifically based on this root certificate.  Must be distributed with the client to co-workers etc.

Next Step: Create the Client Certificate off the Root Certificate:

+ Get your Doc prompt (powershell) back up and pasth this command to make the client cert:

makecert.exe -n “CN=AzureVpnClientCert” -pe -sky exchange -m 96 -ss My -in “AzureVpnRootCert” -is my -a sha1

-If you open up Certmgr after that you will see that the AzureVpnClientCert will show up in there: (refresh certmgr)

+ export it so you can be able to deliver to your clients– (Yes to export the private key) defaults, file format is PFX file.

+ Dump the .pfx file in the c:\temp\azure folder with the other ones;

Generate the VPN based on your root certificate

+ Head back to your Azure Portal, highlight the Virtual Network Gateway you created earlier (That process may have taken 45 minutes to make the gateway).

+ Go to VnetGWay1 that you created or whatever you named it:

+ Click Point to site Configuration

+ Enter an Address pool: Typically, you can choose ( chose for this example. or something higher than that.

+ Open the text document you created in one line and copy the data from “AzureVpnRootCert.base64.cer.txt” cert and paste it into the Public Certificate Data field.  It’s used to generate the VPN based on your root certificate, then click save .

+After it creates it, you can use the download VPN button

*If the download VPN button is not there then go back to the “point-to-site configuration button” 

+ Any client that connects will need to install the .pfx file to import it with defaults. It will prompt for the password you created and install it. (check certmgr)

+ Install the VPN executable

+ Go to the bottom and network connection will show vpn and you connect.

+ Head out and take a look at the IPAddress for your VM on Azure:

You should be able to remote into it now!

  Make sure you peel off the FrontEnd rule that allowed you to remote in via 3389 port as you will not need it because you are connecting to the network by this rule: