Azure Active Directory authentication: Configure a VPN client for P2S OpenVPN protocol connections
This article helps you configure a VPN client to connect to a virtual network using Point-to-Site VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see Configure an Azure AD tenant.
Azure AD authentication is supported only for OpenVPN® protocol connections.
Working with client profiles
To connect, you need to download the Azure VPN Client and configure a VPN client profile on every computer that wants to connect to the VNet. You can create a client profile on a computer, export it, and then import it to additional computers.
To download the Azure VPN client
Use this link to download the Azure VPN Client. Please ensure that the Azure VPN Client has permission to run in the background. To check/enable the permission follow the steps below:
- Go to Start , then select Settings > Privacy > Background apps.
- Under Background Apps, make sure Let apps run in the background is turned On.
- Under Choose which apps can run in the background, turn settings for Azure VPN Client to On.
To create a certificate-based client profile
When working with a certificate-based profile, make sure that the appropriate certificates are installed on the client computer. For more information about certificates, see Install client certificates.
To create a RADIUS client profile
The Server Secret can be exported in the P2S VPN client profile. Instructions on how to export a client profile can be found here.
To export and distribute a client profile
Once you have a working profile and need to distribute it to other users, you can export it using the following steps:
Highlight the VPN client profile that you want to export, select the ..., then select Export.
Select the location that you want to save this profile to, leave the file name as is, then select Save to save the xml file.
To import a client profile
On the page, select Import.
Browse to the profile xml file and select it. With the file selected, select Open.
Specify the name of the profile and select Save.
Select Connect to connect to the VPN.
Once connected, the icon will turn green and say Connected.
To delete a client profile
Select the ellipses next to the client profile that you want to delete. Then, select Remove.
Select Remove to delete.
Create a connection
On the page, select +, then + Add.
Fill out the connection information. If you are unsure of the values, contact your administrator. After filling out the values, select Save.
Select Connect to connect to the VPN.
Select the proper credentials, then select Continue.
Once successfully connected, the icon will turn green and say Connected.
To connect automatically
These steps help you configure your connection to connect automatically with Always-on.
On the home page for your VPN client, select VPN Settings.
Select Yes on the switch apps dialogue box.
Make sure the connection that you want to set is not already connected, then highlight the profile and check the Connect automatically check box.
Select Connect to initiate the VPN connection.
Diagnose connection issues
To diagnose connection issues, you can use the Diagnose tool. Select the ... next to the VPN connection that you want to diagnose to reveal the menu. Then select Diagnose.
On the Connection Properties page, select Run Diagnosis.
Sign in with your credentials.
View the diagnosis results.
How do I add DNS suffixes to the VPN client?
You can modify the downloaded profile XML file and add the <dnssuffixes><dnssufix> </dnssufix></dnssuffixes> tags
<azvpnprofile> <clientconfig> <dnssuffixes> <dnssuffix>.mycorp.com</dnssuffix> <dnssuffix>.xyz.com</dnssuffix> <dnssuffix>.etc.net</dnssuffix> </dnssuffixes> </clientconfig> </azvpnprofile>
How do I add custom DNS servers to the VPN client?
You can modify the downloaded profile XML file and add the <dnsservers><dnsserver> </dnsserver></dnsservers> tags
<azvpnprofile> <clientconfig> <dnsservers> <dnsserver>x.x.x.x</dnsserver> <dnsserver>y.y.y.y</dnsserver> </dnsservers> </clientconfig> </azvpnprofile>
The OpenVPN Azure AD client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of
ipconfig /all. To confirm your in-use DNS settings, please consult Get-DnsClientNrptPolicy in PowerShell.
How do I add custom routes to the VPN client?
You can modify the downloaded profile XML file and add the <includeroutes><route><destination><mask> </destination></mask></route></includeroutes> tags
<azvpnprofile> <clientconfig> <includeroutes> <route> <destination>x.x.x.x</destination><mask>24</mask> </route> </includeroutes> </clientconfig> </azvpnprofile>
How do I block (exclude) routes from the VPN client?
You can modify the downloaded profile XML file and add the <excluderoutes><route><destination><mask> </destination></mask></route></excluderoutes> tags
<azvpnprofile> <clientconfig> <excluderoutes> <route> <destination>x.x.x.x</destination><mask>24</mask> </route> </excluderoutes> </clientconfig> </azvpnprofile>
Can I import the profile from a command line prompt?
You can import the profile from a command line prompt by placing the downloaded azurevpnconfig.xml file in the %userprofile%\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState folder and running the following command:
azurevpn -i azurevpnconfig.xml
to force the import use the -f switch as well
For more information, see Create an Azure Active Directory tenant for P2S Open VPN connections that use Azure AD authentication.