Tutorial: Create a User VPN connection using Azure Virtual WAN

This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an IPsec/IKE (IKEv2) or OpenVPN VPN connection. This type of connection requires the VPN client to be configured on the client computer. For more information about Virtual WAN, see the Virtual WAN Overview.

In this tutorial, you learn how to:

  • Create a virtual WAN
  • Create a P2S configuration
  • Create a virtual hub
  • Choose client address pools
  • Specify DNS servers
  • Generate VPN client profile configuration package
  • Configure VPN clients
  • View your virtual WAN



Prerequisites

  • You have an Azure subscription. If you don't have an Azure subscription, create a free account.

  • You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the Quickstart article.

  • Your virtual network must not have any existing virtual network gateways. If your virtual network already has gateways (VPN or ExpressRoute), you must remove all of the gateways before proceeding. This configuration requires that virtual networks connect to the Virtual WAN hub gateway only.

  • A virtual hub is a virtual network that is created and used by Virtual WAN. It's the core of your Virtual WAN network in a region. Obtain an IP address range for your virtual hub region. The address range that you specify for the hub can't overlap with any of the existing virtual networks that you connect to. It also can't overlap with the on-premises address ranges that you connect to. If you are unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.

Create a virtual WAN

From a browser, navigate to the Azure portal and sign in with your Azure account.

  1. In the portal, select + Create a resource. Type Virtual WAN into the search box and select Enter.

  2. Select Virtual WAN from the results. On the Virtual WAN page, select Create to open the Create WAN page.

  3. On the Create WAN page, on the Basics tab, fill in the following fields:

    Screenshot shows the Create WAN pane with the Basics tab selected.

    • Subscription - Select the subscription that you want to use.
    • Resource group - Create new or use existing.
    • Resource group location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to manage and locate the WAN resource that you create.
    • Name - Type the Name that you want to call your WAN.
    • Type - Basic or Standard. Select Standard. If you select Basic VWAN, understand that Basic VWANs can only contain Basic hubs, which limits your connection type to site-to-site.
  4. After you finish filling out the fields, select Review + create.

  5. Once validation passes, select Create to create the virtual WAN.

Create a P2S configuration

A point-to-site (P2S) configuration defines the parameters for connecting remote clients.


Some features and settings are in the process of rolling out to the Azure portal.

  1. Navigate to All resources and select the virtual WAN that you created, then select User VPN configurations from the menu on the left.

  2. On the User VPN configurations page, select +Create user VPN config at the top of the page to open the Create new user VPN configuration page.

    Screenshot of user VPN configurations page.

  3. On the Basics tab, under Instance details, enter the Name you want to assign to your VPN configuration.

  4. For Tunnel type, from the dropdown, select the tunnel type that you want. The tunnel type options are: IKEv2 VPN, OpenVPN, and OpenVpn and IkeV2.

  5. Use the following steps that correspond to the tunnel type that you selected. After all the values are specified, click Review + create, then Create to create the configuration.

    IKEv2 VPN

    • Requirements: When you select the IKEv2 tunnel type, you see a message directing you to select an authentication method. For IKEv2, you may specify only one authentication method. You can choose Azure Certificate, Azure Active Directory, or RADIUS-based authentication.

    • IPSec custom parameters: To customize the parameters for IKE Phase 1 and IKE Phase 2, toggle the IPsec switch to Custom and select the parameter values. For more information about customizable parameters, see the Custom IPsec article.

      Screenshot of IPsec switch to custom.

    • Authentication: Navigate to the authentication mechanism that you want to use by either clicking Next at the bottom of the page to advance to the authentication method, or click the appropriate tab at the top of the page. Toggle the switch to Yes to select the method.

      In this example, RADIUS authentication is selected. For RADIUS-based authentication, you can provide a secondary RADIUS server IP address and server secret.

      Screenshot of IKE.


    OpenVPN

    • Requirements: When you select the OpenVPN tunnel type, you see a message directing you to select an authentication mechanism. If OpenVPN is selected as the tunnel type, you may specify multiple authentication methods. You can choose any subset of Azure Certificate, Azure Active Directory, or RADIUS-based authentication. For RADIUS-based authentication, you can provide a secondary RADIUS server IP address and server secret.

    • Authentication: Navigate to the authentication method(s) that you want to use by either clicking Next at the bottom of the page to advance to the authentication method, or click the appropriate tab at the top of the page. For each method that you want to select, toggle the switch to Yes and enter the appropriate values.

      In this example, Azure Active Directory is selected.

      Screenshot of OpenVPN page.

Create virtual hub and gateway

  1. On the page for your virtual WAN, on the left pane, select Hubs. On the Hubs page, select +New Hub.

    Screenshot of new hub.

  2. On the Create virtual hub page, complete the following fields:

    • Region - Select the region that you want to deploy the virtual hub in.
    • Name - Enter the name that you want to call your virtual hub.
    • Hub private address space - The hub's address range in CIDR notation.

    Screenshot of create virtual hub.

  3. On the Point-to-site tab, complete the following fields:

    • Gateway scale units - which represents the aggregate capacity of the User VPN gateway.
    • Point to site configuration - which you created in the previous step.
    • Client Address Pool - for the remote users.
    • Custom DNS Server IP.
    • Routing preference - Select the appropriate Routing preference. Azure routing preference enables you to choose how your traffic routes between Azure and the Internet. You can choose to route traffic either via the Microsoft network, or, via the ISP network (public internet). These options are also referred to as cold potato routing and hot potato routing, respectively. The public IP address in Virtual WAN is assigned by the service based on the routing option selected. For more information about routing preference via Microsoft network or ISP, see the Routing preference article.

    Screenshot of virtual hub configuration with point-to-site selected.

  4. Select Review + create.

  5. On the validation passed page, select Create.

Choose P2S Client Address Pools

This section describes guidelines and requirements for allocating client address spaces where the chosen Virtual WAN Hub’s Point-to-site VPN Gateway scale unit is greater than or equal to 40.


Point-to-site VPN gateways in the Virtual WAN hub are deployed with multiple instances. Each instance of a Point-to-site VPN gateway can support up to 10,000 concurrent point-to-site user connections. As a result, for scale units greater than 40, Virtual WAN needs to deploy extra capacity, which requires a minimum number of address pools allocated for different scale units.

For instance, if a scale unit of 100 is chosen, 5 instances are deployed for the Point-to-site VPN Gateway in Virtual Hub. This deployment can support 50,000 concurrent connections and at least 5 distinct address pools.

Available Scale Units

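Scale Unit | Maximum Supported Clients | Minimum Number of Address Pools
-----------|---------------------------|--------------------------------
40         | 20000                     | 2
60         | 30000                     | 3
80         | 40000                     | 4
100        | 50000                     | 5
120        | 60000                     | 6
140        | 70000                     | 7
160        | 80000                     | 8
180        | 90000                     | 9
200        | 100000                    | 10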

Specifying Address Pools

Below are some guidelines for choosing address pools. Note that point-to-site VPN address pool assignments are done automatically by Virtual WAN.

  1. One gateway instance allows for a maximum of 10,000 concurrent connections. As such, each address pool should contain at least 10,000 unique RFC1918 IP addresses.
  2. Multiple address pool ranges are automatically combined and assigned to a single gateway instance. This process is done in a round-robin manner for any gateway instances that have less than 10,000 IP addresses. For example, a pool with 5,000 addresses can be combined automatically by Virtual WAN with another pool that has 8,000 addresses and is assigned to a single gateway instance.
  3. A single address pool is only assigned to a single gateway instance by Virtual WAN.
  4. Address pools must be distinct. There can be no overlap between address pools.


If an address pool is associated to a gateway instance that is undergoing maintenance, the address pool cannot be re-assigned to another instance.


The following example describes a situation where 60 scale units support up to 30,000 connections but the allocated address pools result in fewer than 30,000 concurrent connections.

The total number of concurrent connections supported in this setup is 28,192. The first gateway instance supports 10,000 addresses, the second instance 8,192 connections, and the third instance also supports 10,000 addresses.

Address Pool Number | Address Pool | Supported Connections
--------------------|--------------|----------------------
1                   |              | 10000
2                   |              | 8192
3                   |              | 10000

Recommendation #1: Ensure Address Pool #2 has at least 10,000 distinct IP addresses. (example:

Recommendation #2: Add one more address pool. (example: Address Pool #4 with 2048 addresses). Address Pools 2 and 4 will be automatically combined and allow that gateway instance to support 10,000 concurrent connections.
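
The pool rules and the 60-scale-unit example above can be checked before deployment with a short script. This is an added example, not Microsoft's code: the function names and sample CIDR ranges are constructed, and the round-robin combining is modelled as an assumption based on the guidelines in this section (one gateway instance per required pool, each instance capped at 10,000 connections).

```python
import ipaddress
from itertools import combinations

PER_INSTANCE = 10_000  # max concurrent connections per gateway instance (from this page)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def min_pools(scale_unit):
    """Minimum address pools per the table above (40 -> 2, 60 -> 3, ... 200 -> 10)."""
    if scale_unit < 40 or scale_unit > 200 or scale_unit % 20:
        raise ValueError("table covers scale units 40..200 in steps of 20")
    return scale_unit // 20

def check_pools(scale_unit, cidrs):
    """Return (problems, estimated_capacity) for a list of IPv4 CIDR address pools."""
    pools = [ipaddress.ip_network(c) for c in cidrs]
    problems = []
    for p in pools:
        if not any(p.subnet_of(r) for r in RFC1918):
            problems.append(f"{p} is not inside an RFC1918 range")
    for a, b in combinations(pools, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    instances = [0] * min_pools(scale_unit)  # assumed: one instance per required pool
    if len(pools) < len(instances):
        problems.append(f"need at least {len(instances)} pools, got {len(pools)}")
    # Assumed model of the round-robin combining: each pool goes, in order, to the
    # next instance still below 10,000 addresses; a pool never spans two instances.
    nxt = 0
    for p in pools:
        for step in range(len(instances)):
            i = (nxt + step) % len(instances)
            if instances[i] < PER_INSTANCE:
                instances[i] += p.num_addresses
                nxt = i + 1
                break
    capacity = sum(min(n, PER_INSTANCE) for n in instances)
    target = len(instances) * PER_INSTANCE
    if capacity < target:
        problems.append(f"pools support {capacity} of {target} connections")
    return problems, capacity

if __name__ == "__main__":
    # Constructed pools mirroring the example: /18 (capped at 10,000), /19 (8,192), /18.
    plan = ["10.0.0.0/18", "10.1.0.0/19", "10.2.0.0/18"]
    print(check_pools(60, plan))
    # Recommendation #2: add a fourth pool of 2,048 addresses (/21).
    print(check_pools(60, plan + ["10.3.0.0/21"]))
```
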

Specify DNS server

You can configure this setting when you create the hub, or modify it at a later time. To modify, locate the virtual hub. Under User VPN (point to site), select Configure and enter the DNS server IP address(es) in the Custom DNS Servers text box(es). You can specify up to 5 DNS Servers.


Generate VPN client profile package

Generate and download the VPN client profile package to configure your VPN clients.

  1. On the page for your virtual WAN, select User VPN configurations.

  2. On the User VPN configurations page, select a configuration, then select Download virtual WAN user VPN profile. When you download the WAN-level configuration, you get a built-in Traffic Manager-based User VPN profile. For more information about Global profiles or a hub-based profile, see Hub profiles. Failover scenarios are simplified with global profile.

    If for some reason a hub is unavailable, the built-in traffic management provided by the service ensures connectivity (via a different hub) to Azure resources for point-to-site users. You can always download a hub-specific VPN configuration by navigating to the hub. Under User VPN (point to site), download the virtual hub User VPN profile.

  3. On the Download virtual WAN user VPN profile page, select the Authentication type, then select Generate and download profile. The profile package will generate and a zip file containing the configuration settings will download.

Configure VPN clients

Use the downloaded profile package to configure the remote access VPN clients. The procedure for each operating system is different. Follow the instructions that apply to your system. Once you have finished configuring your client, you can connect.

Microsoft Windows

OpenVPN

  1. Download and install the OpenVPN client from the official website.
  2. Download the VPN profile for the gateway. This can be done from the User VPN configurations tab in Azure portal, or New-AzureRmVpnClientConfiguration in PowerShell.
  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in notepad.
  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can open the .cer file and copy over the base64 key between the certificate headers. For steps, see How to export a certificate to get the encoded public key.
  5. Fill in the private key section with the P2S client certificate private key in base64. For steps, see How to extract private key.
  6. Do not change any other fields. Use the filled in configuration in client input to connect to the VPN.
  7. Copy the vpnconfig.ovpn file to C:\Program Files\OpenVPN\config folder.
  8. Right-click the OpenVPN icon in the system tray and select connect.

IKEv2

  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
  2. Double-click the package to install it. If you see a SmartScreen popup, select More info, then Run anyway.
  3. On the client computer, navigate to Network Settings and select VPN. The VPN connection shows the name of the virtual network that it connects to.
  4. Before you attempt to connect, verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.

View your virtual WAN

  1. Navigate to the virtual WAN.
  2. On the Overview page, each point on the map represents a hub.
  3. In the Hubs and connections section, you can view hub status, site, region, VPN connection status, and bytes in and out.

Clean up resources

When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.

  1. Open the virtual WAN that you created.
  2. Select a virtual hub associated to the virtual WAN to open the hub page.
  3. Click Delete. Delete all entities (connections, gateways, etc.) in the hub. This can take 30 minutes to complete.
  4. You can either delete the hub at this point, or delete it later when you delete the resource group.
  5. Repeat for all hubs associated to the virtual WAN.
  6. Navigate to the resource group in the Azure portal.
  7. Select Delete resource group. This deletes everything in the resource group, including the hubs and the virtual WAN.

Next steps

Next, to learn more about Virtual WAN, see: