Configure point-to-site VPN clients - certificate authentication - Windows

When you connect to an Azure virtual network (VNet) using point-to-site (P2S) and certificate authentication, you can use the VPN client that is natively installed on the operating system from which you’re connecting. If you use the tunnel type OpenVPN, you also have the option of using the Azure VPN Client or the OpenVPN client software. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients.

The VPN client configuration files that you generate are specific to the P2S VPN gateway configuration for the VNet. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more information about P2S connections, see About point-to-site VPN.

Before you begin

Before beginning, verify that you are on the correct article. The following table shows the configuration articles available for Azure VPN Gateway P2S VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.

Authentication         Tunnel type            HowTo article
Azure certificate      IKEv2, OpenVPN, SSTP   Windows
Azure certificate      IKEv2, OpenVPN         macOS-iOS
Azure certificate      IKEv2, OpenVPN         Linux
Azure AD               OpenVPN (SSL)          Windows
Azure AD               OpenVPN (SSL)          macOS
RADIUS - certificate   -                      Article
RADIUS - password      -                      Article
RADIUS - other methods -                      Article

Important

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections won't be affected. If you’re using TLS for point-to-site VPNs on Windows 10 or later clients, you don’t need to take any action. If you're using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

1. Install certificates

A client certificate is required for authentication when using the Azure certificate authentication type. A client certificate must be installed on each client computer. The client certificate must be exported with its private key, and the export must contain all certificates in the certification path.

  • For information about client certificates, see Point-to-site: generate certificates.
  • To view an installed client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.

2. Generate VPN client configuration files

You can generate VPN client profile configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file.

Generate files using the Azure portal

  1. In the Azure portal, navigate to the virtual network gateway for the VNet that you want to connect to.

  2. On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.

  3. At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software; it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you may not see any indication of progress until the package has been generated.

    Screenshot: Download the VPN client configuration.

  4. Once the configuration package has been generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway. The folders and files that the zip file contains depend on the settings that you selected when creating your P2S configuration.

  5. For next steps, depending on your P2S configuration, go to one of the following sections: IKEv2 and SSTP - native VPN client steps, OpenVPN - Azure VPN Client steps, or OpenVPN - OpenVPN Client steps.

Generate files using PowerShell

  1. When generating VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:

    # EapTls is the authentication method for Azure certificate authentication
    $profile=New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls"
    
    # The SAS URL points at the generated zip file; it is time-limited, so download promptly
    $profile.VPNProfileSASUrl
    
  2. Copy the URL to your browser to download the zip file. The folders and files that the zip file contains depend on the settings that you selected when creating your P2S configuration.

  3. For next steps, depending on your P2S configuration, go to one of the following sections: IKEv2 and SSTP - native VPN client steps, OpenVPN - Azure VPN Client steps, or OpenVPN - OpenVPN Client steps.

IKEv2 and SSTP - native VPN client steps

This section helps you configure the native VPN client on your Windows computer to connect to your VNet. This configuration doesn't require additional client software.

View config files

Unzip the configuration file to view the following folders:

  • WindowsAmd64 and WindowsX86, which contain the Windows 64-bit and 32-bit installer packages, respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just AMD processors.
  • Generic, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder isn’t present.

Configure VPN client profile

You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the point-to-site section of the VPN Gateway FAQ.

Note

You must have Administrator rights on the Windows client computer from which you want to connect.

  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.

  2. Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.

OpenVPN - Azure VPN Client steps

This section applies to certificate authentication configurations that are configured to use the OpenVPN tunnel type. The following steps help you download, install, and configure the Azure VPN Client to connect to your VNet. To connect to your VNet, each client must have the following items:

  • The Azure VPN Client software installed.
  • An Azure VPN Client profile configured using the downloaded azurevpnconfig.xml configuration file.
  • The client certificate installed locally.

View config files

When you open the zip file, you'll see the AzureVPN folder. Locate the azurevpnconfig.xml file. This file contains the settings you use to configure the VPN client profile. If you don't see the file, verify the following items:

  • Verify that your VPN gateway is configured to use the OpenVPN tunnel type.
  • If you're using Azure AD authentication, you may not have an AzureVPN folder. See the Azure AD configuration article instead.

Download the Azure VPN Client

  1. Download the latest version of the Azure VPN Client install files using one of the following links:

  2. Install the Azure VPN Client to each computer.

  3. Verify that the Azure VPN Client has permission to run in the background. For steps, see Windows background apps.

  4. To verify the installed client version, open the Azure VPN Client. Go to the bottom of the client and click ... -> ? Help. In the right pane, you can see the client version number.

Configure the VPN client profile

  1. Open the Azure VPN client.

  2. Click + on the bottom left of the page, then select Import.

  3. In the window, navigate to the azurevpnconfig.xml file, select it, then click Open.

  4. From the Certificate Information dropdown, select the name of the child certificate (the client certificate). For example, P2SChildCert.

    Screenshot showing Azure VPN client profile configuration page.

    If you don't see a client certificate in the Certificate Information dropdown, you'll need to cancel the profile configuration import and fix the issue before proceeding. It's possible that one of the following things is true:

    • The client certificate isn't installed locally on the client computer.
    • There are multiple certificates with exactly the same name installed on your local computer (common in test environments).
    • The child certificate is corrupt.

  5. After the import validates (imports with no errors), click Save.

  6. In the left pane, locate the VPN connection, then click Connect.

OpenVPN - OpenVPN Client steps

This section applies to certificate authentication configurations that are configured to use the OpenVPN tunnel type. The following steps help you configure the OpenVPN® Protocol client and connect to your VNet.

View config files

When you open the zip file, you should see an OpenVPN folder. If you don't see the folder, verify the following items:

  • Verify that your VPN gateway is configured to use the OpenVPN tunnel type.
  • If you're using Azure AD authentication, you may not have an OpenVPN folder. See the Azure AD configuration article instead.

  1. Download and install the OpenVPN client (version 2.4 or higher) from the official OpenVPN website.

  2. Download the VPN client profile package from the Azure portal, or use the 'New-AzVpnClientConfiguration' cmdlet in PowerShell.

  3. Unzip the profile. Next, open the vpnconfig.ovpn configuration file from the OpenVPN folder using Notepad.

  4. Export the point-to-site client certificate that you created and uploaded. While many of the steps in this section of the article can apply to both VPN Gateway and Virtual WAN configurations, the procedure is different for this step. Use the link that pertains to your environment.

  5. Extract the private key and the base64 thumbprint from the .pfx. There are multiple ways to do this. Using OpenSSL on your machine is one way. The profileinfo.txt file contains the private key and the thumbprint for the CA and the Client certificate. Be sure to use the thumbprint of the client certificate.

    openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"
    
  6. Switch to the vpnconfig.ovpn file you opened in Notepad in step 3. Fill in the section between <cert> and </cert>, getting the values for $CLIENT_CERTIFICATE, $INTERMEDIATE_CERTIFICATE, and $ROOT_CERTIFICATE as shown below.

    # P2S client certificate
    # please fill this field with a PEM formatted cert
    <cert>
    $CLIENT_CERTIFICATE
    $INTERMEDIATE_CERTIFICATE (optional)
    $ROOT_CERTIFICATE
    </cert>
    
    • Open profileinfo.txt from the previous step in Notepad. You can identify each certificate by looking at the subject= line. For example, if your child certificate is called P2SChildCert, your client certificate will be after the subject=CN = P2SChildCert attribute.
    • For each certificate in the chain, copy the text (including and between) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    • Only include an $INTERMEDIATE_CERTIFICATE value if you have an intermediate certificate in your profileinfo.txt file.
  7. Open the profileinfo.txt in Notepad. To get the private key, select the text (including and between) "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and copy it.

  8. Go back to the vpnconfig.ovpn file in Notepad and find the following section. Paste the private key, replacing everything between <key> and </key>.

    # P2S client root certificate private key
    # please fill this field with a PEM formatted key
    <key>
    $PRIVATEKEY
    </key>
    
  9. Do not change any other fields. Use the filled-in configuration file as the client input to connect to the VPN.

  10. Copy the vpnconfig.ovpn file to C:\Program Files\OpenVPN\config folder.

  11. Right-click the OpenVPN icon in the system tray and click Connect.
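
Steps 5 through 8 above (identify each certificate in profileinfo.txt by its subject= line, copy the chain into <cert> and the private key into <key>) are easy to get wrong by hand, especially when the root and child certificates have similar names. The following Python script is an added example, not part of this article or of any Microsoft tooling: it parses the output of the openssl pkcs12 -nodes command, selects the client certificate by CN, orders the chain by following issuer links, and fills the placeholders. The profileinfo and vpnconfig contents are constructed stand-ins with fake PEM bodies.

```python
import re

# Constructed stand-in for profileinfo.txt as written by "openssl pkcs12 -nodes";
# the PEM bodies are placeholders, not real certificates or keys.
PROFILEINFO = (
    "subject=CN = P2SChildCert\nissuer=CN = P2SRootCert\n"
    "-----BEGIN CERTIFICATE-----\nCLIENT-CERT-BODY\n-----END CERTIFICATE-----\n"
    "subject=CN = P2SRootCert\nissuer=CN = P2SRootCert\n"
    "-----BEGIN CERTIFICATE-----\nROOT-CERT-BODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nPRIVATE-KEY-BODY\n-----END PRIVATE KEY-----\n"
)
# Constructed stand-in for the placeholder sections of vpnconfig.ovpn.
OVPN_TEMPLATE = "client\n<cert>\n$CLIENT_CERTIFICATE\n$ROOT_CERTIFICATE\n</cert>\n<key>\n$PRIVATEKEY\n</key>\n"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def parse_profileinfo(text):
    """Map subject CN -> (issuer CN, PEM cert); also return the PEM private key."""
    certs, key, pos = {}, None, 0
    for m in PEM_RE.finditer(text):
        header = text[pos:m.start()]  # subject=/issuer= lines printed before this block
        pos = m.end()
        if m.group(1) == "CERTIFICATE":
            subj = re.search(r"^subject=.*?CN\s*=\s*([^,\n]*)", header, re.M)
            issuer = re.search(r"^issuer=.*?CN\s*=\s*([^,\n]*)", header, re.M)
            certs[subj.group(1).strip()] = (issuer.group(1).strip(), m.group(0))
        elif m.group(1).endswith("PRIVATE KEY"):
            key = m.group(0)
    return certs, key

def build_chain(certs, client_cn):
    """Order certs client -> intermediates -> root by following issuer links."""
    chain, cn = [], client_cn
    while cn in certs and cn not in [c for c, _ in chain]:  # stops at the self-signed root
        issuer, pem = certs[cn]
        chain.append((cn, pem))
        cn = issuer
    return [pem for _, pem in chain]

def fill_ovpn(template, profileinfo, client_cn):
    """Replace the <cert> and <key> placeholder sections with the real PEM blocks."""
    certs, key = parse_profileinfo(profileinfo)
    if client_cn not in certs or key is None:
        raise ValueError("client certificate or private key missing from profileinfo")
    cert_block = "<cert>\n" + "\n".join(build_chain(certs, client_cn)) + "\n</cert>"
    key_block = "<key>\n" + key + "\n</key>"
    out = re.sub(r"<cert>.*?</cert>", lambda _: cert_block, template, flags=re.S)
    return re.sub(r"<key>.*?</key>", lambda _: key_block, out, flags=re.S)
```

The returned text is what you would save as vpnconfig.ovpn; it contains the private key in the clear, so treat the file with the same care as the .pfx it came from.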

Connect

To connect, return to the previous article that you were working from, and see Connect to Azure.

Next steps

For additional steps, return to the point-to-site article that you were working from.