Preface

The Azure Point to Site VPN Setup, also called Azure P2S VPN Setup, is most widely used where the number of clients connecting to Azure Virtual Network is less. The Point to Site VPN allows you to connect to the Azure Virtual network using a secure connection over the internet. The client computers running Windows, MAC X OS, Linux can connect to Azure Virtual Network securely from a remote location, such as home or conference, useful for telecommuters. There are multiple client protocols available to connect using Point to Site VPN, such as OpenVPN, SSTP, and Ikev2. In this article, we are going to use SSTP and IKEv2. Where windows client uses SSTP and MAC X OS, and Linux client uses iKEv2.

We are using the Azure certificate authentication, and here we demonstrate how to create a self-signed certificate on Windows 10 computer and upload a root certificate to Azure. The client those are using the VPN connection client needs to be installed with a client certificate created. We are going to see how to export root and client certificates and how to upload the root certificate to Azure VPN gateway. In the end, we are going to install the Azure VPN client downloaded from Azure Virtual private gateway on the Windows 10 client and establish the VPN connection using the client certificate already installed.

The following steps are involved in setting up Azure Virtual Network Gateway. We see the steps one by one and create complete Virtual Network Gateway setup and connect the VPN gateway from a Windows 10 client computer.

1. Create Azure Virtual Network
2. Create Gateway Subnet
3. Deploy Virtual Network Gateway
4. Generate self-signed Certificate
5. Export the Root and Client Certificates using certificates MMC
6. Connect Azure Virtual Network using VPN client on Windows 10 PC.

Create Azure Virtual Network

Open Azure Portal using Azure Portal client or Web browser.

Click Menu Icon and Virtual Network

In this demonstration, we are creating a new Virtual Network named VNet3. On the Azure portal, click add on the Virtual Network screen opened in the previous step. Clicking Add on the Virtual Network tab will add a Net Virtual Network.

A new Resource Group for this demo created with the name RGDEMO. Type a name for this Virtual Network. I have given Vnet3 as a Virtual Network name for this demonstration.

The address space with the IP address 192.168.0.0/16 set on the IP Address Tab on the create virtual network window with subnet range 192.168.100.0/24 added.

Azure Point to Site VPN Setup

Once the subnet range added within the address space, click Review+create to validate the settings.

As the validation passed, click Create to start the Virtual Network deployment.

Click Go to Resource to open the Virtual networks list to continue with setting up Gateway subnet.

Azure Point to Site VPN Setup

Click Go to Resource to open the Virtual networks list to continue with setting up Gateway subenet.

On the newly created Virtual Network, click +Gateway Subnet to add a Gateway subnet to configure this Virtual network deploy Virtual Network Gateway. A new subnet range 192.168.101.0/24 assigned for  gateway subnet. Type the subnet range and leave other settings default and click OK.

The newly created Gateway subnet will be listed on the subnet list with the name GatewaySubnet.

We have completed adding Gateway Subnet. Next, we are deploying Virtual Network Gateway.

Go to Menu ico on the top left corner and select All Services and Networking category on the menu.

Azure Point to Site VPN Setup

On the Virtual Network Gateway tab click Create virtual network gateway on the middle of the window.

The create virtual network gateway window open and type a name for this gateway and select Region. Select Virtual network name, in this case, the newly created Virtual Net Vnet3 selected.

Scroll down and type a name for public IP address, leave all the other settings to deailt and click Review+Create.

The Virtual network gateway parameters are correct, so we get validation passed. Click  Create to start the deployment of Virtual Network Gateway. This deployment process will take more than 15 mins, so wait for the deployment to complete.

Azure Point to Site VPN Setup

The Virtual Network Gateway deployment is complere. Click Go to resource to configure it.

Open PowerShell ISE as an administrator in a Windows 10 Client computer and copy and paste Powheshell ISE script editor window (you can customize the subject name as you want).

$rootcert = New-SelfSignedCertificate -Type Custom  `
-Subject "CN=P2SROOT" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign `
-KeyUsage CertSign

The above command will create a variable with the root certificate for the Client certificate that we are generating in the next step. Select the command as in the picture below and run it.

Azure Point to Site VPN Setup

With the root certificate that we created in the previous step, we are using the root certicate variable that we have created and us the code below to generate a client certificate with the name P2SClient on the PowerShell ISE.`

New-SelfSignedCertificate -Type Custom `
-DnsName P2SCLIENT `
-KeySpec Signature `
-Subject "CN=P2SCLIENT" `
-KeyExportPolicy Exportable `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $rootcert `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

In the previous two steps, we have created a root certificate and client certificate using that root certificate. We are going to export the root certificate and the client certificate using the Microsoft Management Console (MMC) with the certificate snap-in.

Press Windows+R and type mmc and click OK.

On the Microsoft Management Console, click File and  Add/Remove Snap-In

Azure Point to Site VPN Setup

Select Certificates from available snap-in and click Add.

Select My user account on the available certificate snap-ins and click Finish.

As Certificates snap-in selected, click OK.

Azure Point to Site VPN Setup

We are exporting Root certificate first and then client certificate subsequently. Right click the P2SRoot and click Export under All Tasks.

A Certificate export wizard will open with a Welcome page, click Next to continue.

On the Root certificate export, we are not exporting a private key, select No, do not export the private key, and click Next.

On Export file format page, select “Base-64 Encoded X.509 (.CER)” and click Next.

Type the file path and file name with .cer extension and store the certificate in a secure page and click Next.

On the certificate export complete page of the Wizard, click Finish closing the Wizard.

Click OK on Certificate export wizard, “The export was successful”  message popup.

The next step is to export the client certificate with the private key.

Right-click the client certificate P2SCLIENT and click export under All Tasks.

The certificate export wizard will start with a welcome page, click Next to continue.

This time we are selecting “Export private key.” This certificate is going to be installed on the client computer that needs Azure Point to Site VPN access for authentication. Select ”Yes, Export Private key” and click Next.

Leave the default selections and click Next.

Type a password for the certificate file and click Next.

Type a file path and file name with extension and click Next.

On the completing export wizard, click Finish.

Click OK on the confirmation message popup.

Go to file path that we exported and right-click the root certificate, and select the Notepad in the open with apps selection.

Copy the certificate content as selected in the image below.

As the certificate content copied on the clipboard, open Azure Network gateway on the Azure portal and click configure now.

Type an Address pool range, IKEv2, and SSTP as tunnel type, Azure as authentication type and type a name for root certificate name and paste the certificate content, which is there in the clipboard on the public certificate data box.

Click Save and exit from the screen.

As the last step, click download VPN client to download he VPN client.

AZURE VPN Client Configuration

Right click eenergycleint.pfx certificate and select Install PFX

Select Current User and click Next,

On the File to import page, leave the default and click Next.

Type the password and click Next.

Please the certificate in the following store select the personal store and click Next.

On the completing wizard page click Finish

Click OK to confirmation popup.

Next we are going to install the VPN client binary, right click the install file and select Run as administrator.

Click yes to install confirmation dialog box.

On the Task bar click the network icon and click VNET3.

The Network & Internet settings page will open, select the VNET3, and click connect.

Click connect to Azure point to client VPN.

Check “Do not show this message again for this connection” and click Continue.

Once connected, use the private IP address of the VM to RDP access.

Goto Virtual Machine overview on Azure Portal and copy the private IP of the VM.

Go to StartàRun and type “mstsc” and click OK.

Paste the private IP address copied on the clipboard from Azure Portal and click Connect.

The remote desktop connection will prompt for credentials, type credentials and click OK.

The ipconfig command on the picture shows you have logged in using the private IP with VPN Connectivity.

Conclusion

In this article we have gone through the Azure VPN client setup for Point to Site setup. We have created subnet gateway, deployed VPN gateway and connected windows 10 client and accessed the resource inside the Azure network with the private IP address of the device.

If you have any questions or feed back, please post it in the comment column below. I’m happy to help you resolve the issues or answer to the questions if any at the earliest possible.

Preface

We already posted an article to set up a VPN on Windows Server 2019 using Secure Socket Tunneling Protocol (SSTP) using a third-party certificate. This one, we are going to discuss ‘How to Setup VPN using PPTP’ based article . The Point to Point Tunneling Protocol using the Generic Routing Encapsulation feature along with tunneling over TCP/IP wrapped transmission. The PPTP creates a tunnel on TCP/IP and transfer the packets securely—this very old and reliable method of transferring or accessing the private network over the internet. We can deploy this method to connect a Home or a user with a laptop to access their home network or small office network efficiently and quickly.

Configuring Point to Pointing Tunneling Virtual Private Network on a Windows Server 2019 is straightforward. We can use this method of deploying a VPN where the Secure Socket Layer type of VPN is not possible. In this method of configuring VPN, we need to open the port 1723 and enable a feature called Generic Routing Encapsulation (GRE) on the edge firewall or router under security settings. I am going to explain the step by step and cover the entire setup process from install and configure Remote Access Role to configure Client device to connect the network where we have installed the PPTP VPN.

So, let get to the server and start the Remote Access Role installation and subsequently look at configuring VPN policy on the Network Policy Server on the Windows Server 2019. If you are ready to take a configuration task, we are here, to begin with, so let us get started.

• Add Remote Access Server Role
• Configure Remote Access with VPN Access
• Configure Remote Access Settings for VPN
• Configure Dian-in connection on the user object
• Configure Dial-in policy on Network Policy Server
• Crete VPN network connection on Windows 10 device
• Connect VPN Server over the Internet

Add Remote Access Server Role

The first step in deploying a VPN server is Adding the Remote Access Server Role on the server—the remote access server role to be installed by going to the Server Manager Dashboard. Once the Server Manager windows would open, click on the Add Roles and Features, and the ‘Add Roles and Features’ wizard would start, and we can go through this wizard to complete the Remote Access role installation.

The wizard will start with instructions on using this tool to add the roles and features. If you don’t want to see this page, you can click the checkbox next to ‘Skip this page by default,’ and you won’t be prompted with this page anymore.

In this wizard, we are going to use the role-based installation to add this role, so select Role-based or Feature-based Installation to begin with and click Next to continue.

Make sure the local server in the server pool and select it and click Next.

In the Select Server Role page, select Remote Access checkbox, and click Next.

On the next page, leave the Features as it is and click Next.

If you need more details, you may go through the details about remote access on this page, and once you are ready to move, click Next.

This step is significant, select the Direct Access and VPN (RAS) alone, and you would be prompted with related features on the pop-up and click Add Features, which will return to select the role services page.

We have selected the roles services and its feature, and we are right to move to continue, click Next.

The next page is an information page, and it describes that adding this role service also install the Web Server (IIS) role, Click Next to continue.

The Web Server (IIS) role will install this role services, leave the default selection, and click Next.

On the confirmation page, verify that the Roles mentioned above and Role Services correct and click Install to start the Remote Access role installation. Sit back and relax for a few minutes to get the installation to complete.

The Remote Access role installation started. Let wait till the installation complete, and then we start the configuration.

You would notice the installation succeeded message and there is a link to open the getting started wizard to start the configuration of the Remote Access Role, click the link.

Clicking the link will start Configure Remote Access Wizard, on the wizard click Deploy VPN only tab as in the screen below.

Configure Remote Access with VPN Access

On the Configure Remote Access prompt select the Deploy VPN Only to define the Remote Access multiple configuration methods.

The Routing and Remote Access management console will be opened and right-click on the server node and click ‘Configure and Enable Routing and Remote Access.’

The Routing and Remote Access Server Setup Wizard will start with a Welcome Screen, Click Next to begin the wizard.

Select the Radio button next to Custom Configuration and click Next.

On the Custom Configuration page, select the checkbox next to VPN Access and click Next.

The VPN Access configuration selected on the wizard, and that is the end of the wizard and click Finish.

Click OK to the warning message that the Remote Access Configuration couldn’t open the required port. We will open the port on the Windows Firewall manually.

As we have configured Routing and Remote Access services with VPN Access and the wizard will end by prompting to start service.

Once the Routing and Remote Access Service Started, you will see a green arrow on the server node implying that the service started and running.

Configure Remote Access Settings for VPN

There are specific settings we need to update to set the VPN to function securely and get the IP4 IPs to the client system.

Right-click the server node and click properties as in the screen below.

On the Remote Access, Server Properties go to the IPV4 tab and Select the Static Address pool radio button under IPv4 Assignment and click add to add IP address pool. Choose an IP address Pool and type start and end IP address of the pool. The IPV4 address pool is a static one, and if you are running the DHCP server on the server, you can leave the IP address to assign from the DHCP server. As we are not running a DHCP service, we are creating a static address pool in this example.

Choose IP address pool and type start and end IP address on the Add dialog box. We have chosen 172.16.1.1 to 172.16.1.10 range to assign the IP addresses to the VPN clients.

Click OK once the IP address properly typed.

How to Setup VPN using PPTP

Configure VPN Policy on Network Policy Server

Open the Server Manager window and on the Tools menu select Network Policy Server to begin with configuring VPN Policy

Expand the Network Policy Server and select New to create a new policy for VPN access.

On the New Network Policy Window type VPN Access as Policy Name and in the drop-down list of typer of network access server select Remote Access Server (VPN-Dial Up) and Click Next.

On the Specify Condition page, select Windows Group and Click Add.

I have already created an Active Directory group called “vpngroup” for this purpose, and we are going to add that group. Please note that we are adding all users who need VPN access to this group.

How to Setup VPN using PPTP

Once we confirmed the group added, click Next to continue.

As we are granting access to this AD Group users, we are selecting Access Granted and Clicking Next.

On the Configure Access methods, select Add and Microsoft Secure Password (EAP-MSCHAP v2 as Extensible Authentication Protocol on the list of authentication methods.

Also, uncheck the boxes near Less Secure Authentication methods.

How to Setup VPN using PPTP

Once the Authentication method has been selected, click Next.

On the Configure Constraints page, leave the defaults and click Next.

Also, Configure Settings page leave the default and click Next.

Click Finish to end the wizard.

Create a Windows Firewall rule to open port PPTP VPN

Go to Control Panel>System and Security>Windows Defender Firewall and click Advanced settings.

Select Inbound Rule from the left navigation and New Rule on the Actions Menu

Select Port as Rule type and click Next

How to Setup VPN using PPTP

The PPTP port number is 1723, Select Rule “Apply to TCP” and Specific local ports 1723 and, click Next.

Select Allow Connections and click Next.

Select all the Network Locations and click Next.

Type a name for the Rule and Click Finish

Create VPN Network Connection

So, we have completed all server configurations, now is the time to create a VPN connection on the Windows 10 client computer.

Right-click network Icon on the taskbar and select ‘Open Network & Connection Sharing.’ On settings, windows click ‘Network and Sharing Center’ that will open the ‘Network and Sharing Center’ where we need to select ‘Set up a New Connection or Network’ as in the steps provided on the screenshot below.

How to Setup VPN using PPTP

Select the steps as in the steps below.

1. Open Network & Internet Sharing
2. Network Sharing Center
3. Set up a New Connection or network

There is a Wizard start, and in the connection options, select ‘Connect to a workplace’ and click Next.

In the destination name type, a name implies the connection purpose. I left the default name in this example.

Leave the selection of ‘Remember my credentials’ and click create.

1. Type the VPN server’s internet hostname or IP address.
2. Give a name to the VPN Connection.
3. Click Create to create a workplace connect.

To change the type of VPN, right-click newly created Network Connection and select properties.

On the Security tab, select Point to Point Tunneling Protocol (PPTP) and click OK.

How to Setup VPN using PPTP

Click Network icon on the taskbar and the newly created VPN connection will appear on the list of connections, click that, and there will be a credentials box open.

On the Sign-in prompt type, the AD user and password and click OK.

The VPN connection will show connected. Now we can access the internal devices on the office network using their private IP address.

Conclusion

In this article, we have gone through step by step instructions on how to 1. Install and configure Remote Access VPN role 2.  Network Policy Server VPN policy 3. Creating windows firewall rule and 4. Making a VPN Connection on the Windows client system and connected to Office network remotely using PPTP. Also, we have one more step to that on the router or Firewall device connecting to the internet we need to add a port forwarding rule to point the VPN server connecting port 1723. On the security settings on the firewall, we need to enable Generic Routing Encapsulation to connect the VPN from remote windows client to the VPN Server that we just configured.

You may have some questions or feedback to share with me, please click the comments below and share your thoughts. I am so happy to answer your questions.