Tutorial: Create a User VPN connection using Azure Virtual WAN

This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an OpenVPN or IPsec/IKE (IKEv2) VPN connection using a User VPN (P2S) configuration. This type of connection requires the native VPN client to be configured on each connecting client computer.

In this tutorial, you learn how to:

  • Create a virtual WAN
  • Create the User VPN configuration
  • Create the virtual hub and gateway
  • Generate client configuration files
  • Configure VPN clients
  • Connect to a VNet
  • View your virtual WAN
  • Modify settings

Virtual WAN diagram.


  • You have an Azure subscription. If you don't have an Azure subscription, create a free account.

  • You have a virtual network that you want to connect to.

    • Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to.
    • To create a virtual network in the Azure portal, see the Quickstart article.
  • Your virtual network must not have any existing virtual network gateways.

    • If your virtual network already has gateways (VPN or ExpressRoute), you must remove all of the gateways before proceeding.
    • This configuration requires that virtual networks connect to the Virtual WAN hub gateway only.
  • Decide the IP address range that you want to use for your virtual hub private address space. This information is used when configuring your virtual hub. A virtual hub is a virtual network that is created and used by Virtual WAN. It's the core of your Virtual WAN network in a region. The address space range must conform the certain rules:

    • The address range that you specify for the hub can't overlap with any of the existing virtual networks that you connect to.
    • The address range can't overlap with the on-premises address ranges that you connect to.
    • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.

Create a virtual WAN

  1. In the portal, in the Search resources bar, type Virtual WAN in the search box and select Enter.

  2. Select Virtual WANs from the results. On the Virtual WANs page, select + Create to open the Create WAN page.

  3. On the Create WAN page, on the Basics tab, fill in the fields. Modify the example values to apply to your environment.

    Screenshot shows the Create WAN pane with the Basics tab selected.

    • Subscription: Select the subscription that you want to use.
    • Resource group: Create new or use existing.
    • Resource group location: Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to manage and locate the WAN resource that you create.
    • Name: Type the Name that you want to call your virtual WAN.
    • Type: Basic or Standard. Select Standard. If you select Basic, understand that Basic virtual WANs can only contain Basic hubs. Basic hubs can only be used for site-to-site connections.
  4. After you finish filling out the fields, at the bottom of the page, select Review +Create.

  5. Once validation passes, click Create to create the virtual WAN.

Create a User VPN configuration

The User VPN (P2S) configuration defines the parameters for remote clients to connect. The instructions you follow depend on the authentication method you want to use.

In the following steps, when selecting the authentication method, you have three choices. Each method has specific requirements. Select one of the following methods, and then complete the steps.

  • Azure certificates: For this configuration, certificates are required. You need to either generate or obtain certificates. A client certificate is required for each client. Additionally, the root certificate information (public key) needs to be uploaded. For more information about the required certificates, see Generate and export certificates.

  • Azure Active Directory authentication: Use the Configure a User VPN connection - Azure Active Directory authentication article, which contains the specific steps necessary for this configuration.

  • Radius-based authentication: Obtain the Radius server IP, Radius server secret, and certificate information.

Configuration steps

  1. Navigate to the virtual WAN that you created.

  2. Select User VPN configurations from the menu on the left.

  3. On the User VPN configurations page, select +Create user VPN config.

    Screenshot of user VPN configurations page.

  4. On the Create new User VPN configuration page Basics tab, under Instance details, enter the Name you want to assign to your VPN configuration.

    Screenshot of IPsec switch to custom.

  5. For Tunnel type, select the tunnel type that you want from the dropdown. The tunnel type options are: IKEv2 VPN, OpenVPN, and OpenVpn and IKEv2. Each tunnel type has different required settings.

    Requirements and parameters:

    IKEv2 VPN

    • Requirements: When you select the IKEv2 tunnel type, you see a message directing you to select an authentication method. For IKEv2, you may specify only one authentication method. You can choose Azure Certificate, Azure Active Directory, or RADIUS-based authentication.

    • IPSec custom parameters: To customize the parameters for IKE Phase 1 and IKE Phase 2, toggle the IPsec switch to Custom and select the parameter values. For more information about customizable parameters, see the Custom IPsec article.


    • Requirements: When you select the OpenVPN tunnel type, you see a message directing you to select an authentication mechanism. If OpenVPN is selected as the tunnel type, you may specify multiple authentication methods. You can choose any subset of Azure Certificate, Azure Active Directory, or RADIUS-based authentication. For RADIUS-based authentication, you can provide a secondary RADIUS server IP address and server secret.
  6. Configure the Authentication methods you want to use. Each authentication method is in a separate tab: Azure certificate, RADIUS authentication, and Azure Active Directory. Some authentication methods are only available on certain tunnel types.

    On the tab for the authentication method you want to configure, select Yes to reveal the available configuration settings.

    Screenshot of No screen - Yes is highlighted.

    • Example - Certificate authentication

      Screenshot of Yes selected.

    • Example - RADIUS authentication

      Screenshot of RADIUS authentication page.

    • Example - Azure Active Directory authentication

      Azure Active Directory authentication page.

  7. When you have finished configuring the settings, click Review + create at the bottom of the page.

  8. Click Create to create the User VPN configuration.

Create a virtual hub and gateway

  1. On the page for your virtual WAN, on the left pane, select Hubs. On the Hubs page, select +New Hub.

    Screenshot of new hub.

  2. On the Create virtual hub page, view the Basics tab.

    Screenshot of create virtual hub.

  3. On the Basics tab, configure the following settings:

    • Region: Select the region in which you want to deploy the virtual hub.
    • Name: The name by which you want the virtual hub to be known.
    • Hub private address space: The hub's address range in CIDR notation.
  4. Click the Point to site tab to open the configuration page for point-to-site. To view the point to site settings, click Yes.

    Screenshot of virtual hub configuration with point-to-site selected.

  5. Configure the following settings:

    • Gateway scale units - This represents the aggregate capacity of the User VPN gateway. If you select 40 or more gateway scale units, plan your client address pool accordingly. For information about how this setting impacts the client address pool, see About client address pools. For information about gateway scale units, see the FAQ.
    • Point to site configuration - Select the User VPN configuration that you created in a previous step.
    • Routing preference - Azure routing preference enables you to choose how your traffic routes between Azure and the Internet. You can choose to route traffic either via the Microsoft network, or, via the ISP network (public internet). These options are also referred to as cold potato routing and hot potato routing, respectively. The public IP address in Virtual WAN is assigned by the service based on the routing option selected. For more information about routing preference via Microsoft network or ISP, see the Routing preference article.
    • Client address pool - The address pool from which IP addresses will be automatically assigned to VPN clients. For more information, see About client address pools.
    • Custom DNS Servers - The IP address of the DNS server(s) the clients will use. You can specify up to 5.
  6. Select Review + create to validate your settings.

  7. When validation passes, select Create. Creating a hub can take 30 minutes or more to complete.

Generate client configuration files

When you connect to VNet using User VPN (P2S), you use the VPN client that is natively installed on the operating system from which you are connecting. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients. The VPN client configuration files that you generate are specific to the User VPN configuration for your gateway. In this section, you generate and download the files used to configure your VPN clients.

  1. On the page for your virtual WAN, select User VPN configurations.

  2. On the User VPN configurations page, select a configuration, then select Download virtual WAN user VPN profile.

    Screenshot of Download virtual WAN user VPN profile.

    • When you download the WAN-level configuration, you get a built-in Traffic Manager-based User VPN profile.

    • For information about Global profiles and hub-based profiles, see Hub profiles. Failover scenarios are simplified with global profile.

    • If for some reason a hub is unavailable, the built-in traffic management provided by the service ensures connectivity (via a different hub) to Azure resources for point-to-site users. You can always download a hub-specific VPN configuration by navigating to the hub. Under User VPN (point to site), download the virtual hub User VPN profile.

  3. On the Download virtual WAN user VPN profile page, select the Authentication type you want, then click Generate and download profile.

    A profile package (zip file) containing the client configuration settings is generated and downloads to your computer.

    Screenshot of generate and download profile.

Configure VPN clients

Use the downloaded profile package to configure the remote access VPN clients. The procedure for each operating system is different. Follow the instructions that apply to your system. Once you have finished configuring your client, you can connect.



  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.

  2. Double-click the package to install it. If you see a SmartScreen popup, select More info, then Run anyway.

  3. On the client computer, navigate to Network Settings and select VPN. The VPN connection shows the name of the virtual network that it connects to.

  4. Before you attempt to connect, verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.

Connect VNet to hub

In this section, you create a connection between your virtual hub and your VNet. For this tutorial, you do not need to configure the routing settings.

  1. Navigate to your Virtual WAN.

  2. Select Virtual network connections.

  3. On the virtual network connection page, select +Add connection.

    Screenshot shows add.

  4. On the Add connection page, configure the required settings. For more information about routing settings, see About routing.

    Screenshot shows VNet connection page.

    • Connection name: Name your connection.
    • Hubs: Select the hub you want to associate with this connection.
    • Subscription: Verify the subscription.
    • Resource group: The resource group that contains the VNet.
    • Virtual network: Select the virtual network you want to connect to this hub. The virtual network you select can't have an already existing virtual network gateway.
    • Propagate to none: This is set to No by default. Changing the switch to Yes makes the configuration options for Propagate to Route Tables and Propagate to labels unavailable for configuration.
    • Associate Route Table: You can select the route table that you want to associate.
    • Static routes: You can use this setting to specify next hop.
  5. Once you have completed the settings you want to configure, select Create to create the connection.

View a virtual WAN

  1. Navigate to your virtual WAN.

  2. On the Overview page, each point on the map represents a hub.

  3. In the Hubs and connections section, you can view hub status, site, region, VPN connection status, and bytes in and out.

Modify settings

Modify client address pool

  1. Navigate to your Virtual HUB -> User VPN (Point to site).

  2. Click the value next to Gateway scale units to open the Edit User VPN gateway page.

  3. On the Edit User VPN gateway page, edit the settings.

  4. Click Edit at the bottom of the page to validate your settings.

  5. Click Confirm to save your settings. Any changes on this page could take up to 30 minutes to complete.

Modify DNS servers

  1. Navigate to your Virtual HUB -> User VPN (Point to site).

  2. Click the value next to Custom DNS Servers to open the Edit User VPN gateway page.

  3. On the Edit User VPN gateway page, edit the Custom DNS Servers field. Enter the DNS server IP addresses in the Custom DNS Servers text boxes. You can specify up to five DNS Servers.

  4. Click Edit at the bottom of the page to validate your settings.

  5. Click Confirm to save your settings. Any changes on this page could take up to 30 minutes to complete.

Clean up resources

When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.

  1. Open the virtual WAN that you created.

  2. Select a virtual hub associated to the virtual WAN to open the hub page.

  3. Click Delete. Delete all entities (connections, gateways, etc.) in the hub. This can take 30 minutes to complete.

  4. You can either delete the hub at this point, or delete it later when you delete the resource group.

  5. Repeat for all hubs associated to the virtual WAN.

  6. Navigate to the resource group in the Azure portal.

  7. Select Delete resource group. This deletes everything in the resource group, including the hubs and the virtual WAN.

Next steps