Azure VPN Client - configure optional DNS and routing settings

This article helps you configure optional settings for the Azure VPN Client for VPN Gateway P2S connections. You can configure DNS suffixes, custom DNS servers, custom routes, and VPN client-side forced tunneling.

Note

The Azure VPN Client is only supported for OpenVPN® protocol connections.

Before you begin

If you haven't already done so, make sure you complete the following items:

  • Generate and download the VPN client profile configuration files for your P2S deployment. Use the following steps:

    1. In the Azure portal, go to the virtual network gateway.
    2. Click Point-to-Site configuration.
    3. Click Download VPN client.
    4. Select the client and fill out any information that is requested.
    5. Click Download to generate the .zip file.
    6. The .zip file will download, typically to your Downloads folder.
  • Download and install the Azure VPN Client. For steps, see one of the following articles:

Working with VPN client profile configuration files

The steps in this article require you to modify and import the Azure VPN Client profile configuration file. To work with VPN client profile configuration files (xml files), use the following steps:

  1. Locate the profile configuration file and open it using the editor of your choice.

  2. Using the examples in the following sections, modify the file as necessary, then save your changes.

  3. Import the file to configure the Azure VPN client. You can import the file for the Azure VPN Client using these methods:

    • Azure VPN Client interface: Open the Azure VPN Client and click + and then Import. Locate the modified xml file, configure any additional settings in the Azure VPN Client interface (if necessary), then click Save.

    • Command-line prompt: Place the downloaded azurevpnconfig.xml file in the %userprofile%\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState folder, then run the following command: azurevpn -i azurevpnconfig.xml. To force the import, use the -f switch.

DNS

Add DNS suffixes

Note

At this time, additional DNS suffixes for the Azure VPN Client aren't generated in a format that can be properly used by macOS. The specified values for DNS suffixes don't persist for macOS.

To add DNS suffixes, modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix> </dnssuffix></dnssuffixes> tags, one <dnssuffix> element per suffix.

<azvpnprofile>
<clientconfig>

    <dnssuffixes>
          <dnssuffix>.mycorp.com</dnssuffix>
          <dnssuffix>.xyz.com</dnssuffix>
          <dnssuffix>.etc.net</dnssuffix>
    </dnssuffixes>

</clientconfig>
</azvpnprofile>

Add custom DNS servers

To add custom DNS servers, modify the downloaded profile XML file and add the <dnsservers><dnsserver> </dnsserver></dnsservers> tags.

<azvpnprofile>
<clientconfig>

    <dnsservers>
        <dnsserver>x.x.x.x</dnsserver>
        <dnsserver>y.y.y.y</dnsserver>
    </dnsservers>

</clientconfig>
</azvpnprofile>

Note

The OpenVPN Microsoft Entra client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of ipconfig /all. To confirm your in-use DNS settings, please consult Get-DnsClientNrptPolicy in PowerShell.

Routing

Split tunneling

Split tunneling is configured by default for the VPN client.

Forced tunneling

You can configure forced tunneling in order to direct all traffic to the VPN tunnel. Forced tunneling can be configured using two different methods: either by advertising custom routes, or by modifying the profile XML file. You can include 0/0 if you're using the Azure VPN Client version 2.1900:39.0 or higher.

Note

Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

  • Advertise custom routes: You can advertise custom routes 0.0.0.0/1 and 128.0.0.0/1. For more information, see Advertise custom routes for P2S VPN clients.

  • Profile XML: You can modify the downloaded profile xml file and add the <includeroutes><route><destination> </destination><mask> </mask></route></includeroutes> tags. Make sure to update the version number to 2.

    <azvpnprofile>
    <clientconfig>

      <includeroutes>
          <route>
              <destination>0.0.0.0</destination><mask>1</mask>
          </route>
          <route>
              <destination>128.0.0.0</destination><mask>1</mask>
          </route>
      </includeroutes>

    </clientconfig>
    </azvpnprofile>

Note

  • The default status for the clientconfig tag is <clientconfig i:nil="true" />, which can be modified based on the requirement.
  • A duplicate clientconfig tag is not supported on macOS, so make sure the clientconfig tag is not duplicated in the XML file.

Add custom routes

You can add custom routes. Modify the downloaded profile XML file and add the <includeroutes><route><destination> </destination><mask> </mask></route></includeroutes> tags.

<azvpnprofile>
<clientconfig>

    <includeroutes>
        <route>
            <destination>x.x.x.x</destination><mask>24</mask>
        </route>
        <route>
            <destination>y.y.y.y</destination><mask>24</mask>
        </route>
    </includeroutes>

</clientconfig>
</azvpnprofile>

Block (exclude) routes

The ability to completely block routes isn't supported by the Azure VPN Client. The Azure VPN Client doesn't support dropping routes from the local routing table. Instead, you can exclude routes from the VPN interface. Modify the downloaded profile XML file and add the <excluderoutes><route><destination> </destination><mask> </mask></route></excluderoutes> tags.

<azvpnprofile>
<clientconfig>

    <excluderoutes>
        <route>
            <destination>x.x.x.x</destination><mask>24</mask>
        </route>
        <route>
            <destination>y.y.y.y</destination><mask>24</mask>
        </route>
    </excluderoutes>

</clientconfig>
</azvpnprofile>

Note

  • To include/exclude multiple destination routes, put each destination address under a separate route tag (as shown in the above examples), because multiple destination addresses in a single route tag won't work.
  • If you encounter the error "Destination cannot be empty or have more than one entry inside route tag", check the profile XML file and ensure that the includeroutes/excluderoutes section has only one destination address inside a route tag.
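The following added example (not part of this article or of the Azure VPN Client) edits a profile the way the DNS and routing sections above describe: it replaces the default <clientconfig i:nil="true" /> placeholder with a real element, appends dnssuffixes, dnsservers, includeroutes or excluderoutes, and checks the two rules from the notes (no duplicate clientconfig tag, exactly one destination per route tag). It assumes the i: prefix is the XML Schema instance namespace, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET
NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"  # assumed namespace behind the i: prefix
SAMPLE_PROFILE = """<azvpnprofile xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <clientconfig i:nil="true" />
</azvpnprofile>"""  # constructed sample of a freshly downloaded profile

def load(xml_text=SAMPLE_PROFILE):
    return ET.fromstring(xml_text)

def clientconfig(root):
    """Return the single <clientconfig>, turning a nil placeholder into a real element."""
    cfgs = root.findall("clientconfig")
    if len(cfgs) > 1:
        raise ValueError("duplicate clientconfig tag is not supported on macOS")
    cfg = cfgs[0] if cfgs else ET.SubElement(root, "clientconfig")
    cfg.attrib.pop(NIL, None)
    return cfg

def section(cfg, tag):
    # Find or create a child such as <dnsservers> or <includeroutes> without duplicating it.
    node = cfg.find(tag)
    return node if node is not None else ET.SubElement(cfg, tag)

def add_dns(root, suffixes=(), servers=()):
    cfg = clientconfig(root)
    for sfx in suffixes:
        ET.SubElement(section(cfg, "dnssuffixes"), "dnssuffix").text = sfx
    for ip in servers:
        ET.SubElement(section(cfg, "dnsservers"), "dnsserver").text = ip

def add_routes(root, kind, routes):
    """kind is 'includeroutes' or 'excluderoutes'; one <route> per (destination, mask)."""
    parent = section(clientconfig(root), kind)
    for dest, mask in routes:
        route = ET.SubElement(parent, "route")
        ET.SubElement(route, "destination").text = dest
        ET.SubElement(route, "mask").text = str(mask)

def validate(root):
    """Rules from the article: one clientconfig, exactly one destination per <route>."""
    problems = []
    if len(root.findall("clientconfig")) > 1:
        problems.append("duplicate clientconfig tag")
    for kind in ("includeroutes", "excluderoutes"):
        for route in (r for node in root.iter(kind) for r in node.findall("route")):
            if len(route.findall("destination")) != 1:
                problems.append(f"{kind}: a route tag must hold exactly one destination")
            mask = route.findtext("mask", "")
            if not (mask.isdigit() and int(mask) <= 32):
                problems.append(f"{kind}: invalid mask {mask!r}")
    return problems
```

Write the result back with ET.tostring(root) and import it with azurevpn -i as described above; run validate first so the "Destination cannot be empty or have more than one entry inside route tag" error never reaches the client.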

Azure VPN Client version information

For Azure VPN Client version information, see Azure VPN Client versions.

Next steps

For more information about P2S VPN, see the following articles: