Summary: How to Setup a Point To Site VPN to Azure.
Date: Around 2018
Refactor: 22 March 2025: Checked links and formatting.

Setting up a Point2Site VPN is something you normally would consider for people on the road or if you do not have many users. This setup will just connect my computer to my Azure tenant and is a follow-up on these previous articles: Getting Started With Azure and Active Directory Domain Controller in Azure. So far I haven't done anything else in the environment so everything will still be done from scratch. To connect my computer through a VPN to the Azure tenant we'll need a couple of things and steps to go through:

• We'll need Certificate Services because we need a root certificate as well as a client certificate
• We need to enable the tenant to allow Point To Site VPNs by configuring a subnet and gateway
• Then we need to install the VPN client software

I opted to use AD CS as the source for creating the required certificates. See Active Directory Certificate Services on Windows Server 2016 if you want to know how the installation was done. See below for the creation of the specific certificates.

We need this certificate later on so follow these steps to export the Root CA certificate. Whatever you do, DO NOT EVER export the private key with it. Follow these steps:

• Start Server Manager → Go to Tools → Go to Certification Authority to start the Certification Authority Management Tool
• Right-click the CA server (shift-AzureDC01-CA) and click Properties
• In the new Window, in the General tab click on View Certificate:
  

• This will open the Root CA certificate. Go to the details tab and click Copy to File:
  

• This will open the Certificate Export Wizard. Click Next on the welcome screen
• Select the Export File format: Base-64 encoded X.509 (.CER):
  

• Specify the name, which can be anything you want:
  

• Verify the settings and click Finish to export the certificate.

It's not by default available in Server Manager or the Windows Administrative Tools but you can also manually start Certificates Manager by typing “certmgr.msc”. Here you can also select a certificate and export it.

Before we can create users certificates we first need users. Remember that this is completely empty environment.

• Start Server Manager → Go to Tools → Go to Active Directory Users and Computers
• Right-Click the domain, go to New → Organizational Unit and name it
• Right-Click the Organizational Unit you just created, go to New → User
• Follow the wizard to create the user. The only thing I changed was to not have the user change the password at the next logon

TEMP: sjoerd/User4President

• Right-Click the Organizational Unit you just created, go to New → Group
• Name the Group VPNUsers and make sure it's a global security group and click OK
• Right-Click the user you created before and select “Add to a group”
• Type in the groupname VPNUsers and click OK:
  

• Double-click the user to open it's properties
• In the general tab, add a email address as this is required for the certificate later on
  • Note that I entered sjoerd@shift.local which is not a valid email address but that's also not required.

Close all windows to continue with the user certificates

As my laptop is not domain joined I will create a custom Certificate Template with the required settings. Follow these steps:

• Start Server Manager → Go to Tools → Go to Certification Authority to start the Certification Authority Management Tool
• Right-click the Certificates Templates folder and click Manage:
  

• This starts the Certificate Templates Console. Right-click the User Template and select Duplicate Template:
  

• This will open the properties for the New Template. Go to the General Tab and name the Template and set the Validity period to 10 years (which I can because the Root CA certificate is valid for 20 years):
  

• On the Request Handling tab make sure that the “Allow private key to be exported” checkbox is checked:
  

• On the Extensions tab, click the Application Policies and click edit:
  

• Select both the Encryption File System and Secure Email policy and click Remove:
  

• Click OK to return to the New Template screen
• On the security tab add the previously created group VPNusers by clicking Add. Make sure you remove the Read permission and add the Enroll permission:
  

• Click OK to close the New Template window. It will now appear in the list Certificate Template Console:
  

Now you need to issue this certificate template so it can be used:

• Go back to the Certification Authority Console (Start Server Manager → Go to Tools → Go to Certification Authority)
• Right-click the Certificates Templates folder and click New → “Certificate Template to Issue”

• Select the BYOD template and click ok:
  

• This will add the BYOD template to the Certificate Templates list:
  

Now we a little challenge due to the lab environment. The easiest way to export the certificate is as the user but we only have a domain controller and users are not allowed to log onto a domain controller. To work around this we temporarily add the user to the Domain Administrators group:

• Start Server Manager → Go to Tools → Go to Active Directory Users and Computers
• Go to the Organizational Unit you created previously and hosts the user (in my case AzureUsers)
• Right-Click the user you created before (in my case Sjoerd) and select “Add to a group”
• Type in the groupname Domain Admins and click OK

Now use the user to log on to the domain controller. When logged in, follow these steps to publish the required certificate:

• Start Certificate Manager by typing certmgr.msc:
  

• Right-click the Personal folder and go to All Tasks → Request New Certificate:
  

• Click Next on the Before you begin screen of the Certificate Enrollment wizard
• Select the Active Directory Enrollment Policy:
  

• Select the BYOD template from the list and click Enroll:
  

• Result: Succeeded:
  

Now we can finally export the user certificate. Again in Certificate Manager, you now see that a certificate is issued to you by the BYOS template:

• Right-click the certificate, select All Tasks → Export
  

• Click next on the Welcome to the Certificate Export Wizard screen
• Select to export the private key and click next to continue:
  

• Keep the “Include all certificates in the certification path if possible” checkbox checked:
  

• Protect the private key with a password:
  

• Save the private key where you can find it:
  

• Click Finish on the completion screen

To make sure it all works for normal users now remove the user account again from the Domain Admins group:

• Start Server Manager → Go to Tools → Go to Active Directory Users and Computers
• Go to the Organizational Unit you created previously and hosts the user (in my case AzureUsers)
• Double-Click the user you created before (in my case Sjoerd)
• In the tab Member Of select the Domain Admins group and click Remove
• Confirm the removal and click on OK to close the user properties

Now as this is a follow-up on Getting Started With Azure and Active Directory Domain Controller in Azure there is already a Virtual Network that I can use. I do however want a separate subnet for my VPN clients so they are not in the same subnet as the Domain Controller. I also need a GatewaySubnet and the actual VPN for Azure, called a Virtual Network Gateway.

Every manual says create a client subnet. However, so far I have not discovered what for.

Follow these steps to create a new subnet:

• Log into the https://portal.azure.com with your credentials
• Click on Virtual Networks and select the network in which you want to create the extra subnet (AzureVirtualNetwork01)
• Click subnets and click +Subnet to add a new subnet:
  

• Name your subnet and click OK to create it:
  

• Wait for the subnet creation to finish.

Follow these steps to create a new gateway subnet:

• In the same subnet section, where you've now created an extra subnet click +Gateway subnet to add one:
  

• Fill in the Address range to your requirements. The Name is prefilled, and the name “GatewaySubnet” is required for the Azure fabric to recognize the subnet as the gateway subnet:
  

I've added the Virtual Network Gateway to my favorites, but if you don't find it in the services overview and follow these steps to add one:

• Click +Add to add a new Virtual Network Gateway:
  

• Fill in the fields
  • Note that the SKU is about pricing
  • Make sure to create a new public IP address:
    

• Wait for the Virtual Network Gateway creation to finish. This can take up to 45 minutes so relax…

The Client Address Pool is the pool of IP addresses from which clients that connect will receive an IP address. Follow these steps to configure one:

• Go to the just created Virtual Network Gateway and select it
• Go to Point-to-site configuration:
  

• Enter the Address Pool, and as there may be no overlap with the Virtual Network Address space be sure to enter a different IP network/subnet:
  

Follow these steps to add the Root Certificate to the Virtual Network Gateway:

• Again, go to the just create Virtual Network Gateway and select it
• Again, go to the Point-to-site configuration
• Enter a name for the root certificate you will add. As you can add 20 root certificates name them appropriately
• Now, from the location where you saved the root certificate, open it in notepad and copy the section between the two — BEGIN / END CERTIFICATE — sections:
  

• Past the value into the Public Certificate Data Field in the Point-tosite configuration of the Virtual Network Gateway and click Save:
  

Note: I got errors saying the data for the certificate was invalid. For some reason only the first line of the copied data is pasted, so you need to remove all the linebreaks before you paste the certificate data. I other words, put all the lines of the certificate in one line and then paste it.

After you've done the twp previous steps it's possible to download the VPN Client. Still in the Point-to-site configuration of the Virtual Network Gateway click Download VPN Client to start the download:

Make sure you select the correct package. For 64-bit clients you need the AMD86 package:

Now it's time to setup the client. There are two things we need, the downloaded VPN Client and the exported client certificate. Make sure you also have the password the private key of the user certificate was protected with.

Follow these instruction to install and check the VPN Client:

• Doubleclick the downloaded VPN Client
• As it is not much of an installation you only have to confirm it and it will be finished within seconds, not even confirming the installation so you need to do that yourself
• On Windows 10, type settings and press ENTER, then click Network and Internet:
  

• Click on VPN and see the VPN connection on the right:
  

Simply doubleclick the client certificate, which will start the “Welcome to the Certificate Import Wizard”:

Do not modify any of the settings.

Enter the password for the private key when prompted:

Now doubleclick on the VPN icon and click connect:

Click connect again in the pop-up window and allow it to change your route table while going through the first time connection. Accept everything that is suggested. Afterwards it will show that it is connected:

Then test a ping towards the domain controller:

And it also shows in Azure:

So now it works. You just created a Point2Site VPN connection to azure.

• Configure server settings for P2S VPN Gateway certificate authentication
• About VPN Gateway
• Building an Azure Lab – Implementing P2S (Point-to-Site) VPN