Azure/VPN

From SETV Springfield Technical Wiki

Step-by-step guide to setting up a Point-to-Site VPN in Azure [1]

Point-to-Site

For roaming and individual users, connect a machine to the VNet over a Point-to-Site VPN that authenticates the client with a certificate. The root certificate you upload to the gateway is the trust anchor: every client certificate signed by it will be accepted by the gateway, so the root's private key must stay on the admin machine and never be handed out.

Create Self-Signed Root Certificate [2]

You need PowerShell to create the certificates. The -Signer parameter used later for the client certificate requires the New-SelfSignedCertificate cmdlet from Windows 10 or Windows Server 2016 or later.

  • Run PowerShell as Administrator
  • Run this command, changing "P2SRootCert" to a name of your choosing. Use the same name throughout; it becomes the Issuer of every client certificate.
   $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
   -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
   -HashAlgorithm sha256 -KeyLength 2048 `
   -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
  • To export the root certificate, run certmgr.msc
  • Navigate to 'Certificates - Current User\Personal\Certificates', right-click the root certificate, click All Tasks, and then click Export.
  • Choose "No, do not export the private key". Only the public certificate goes to Azure; the private key stays on the admin machine.
  • Export format: Base-64 encoded X.509 (.CER)
  • Open the .CER file in a text editor, copy the Base-64 text between the BEGIN CERTIFICATE and END CERTIFICATE lines (not the lines themselves), and paste it into the Certificates tab of the gateway's Point-to-site configuration in Azure

Generate Client Certificate

   Get-ChildItem -Path "Cert:\CurrentUser\My"

Find your root certificate in the list and copy its thumbprint, then load the root certificate into a variable (replace {THUMBPRINT} with the value you copied):

   $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\{THUMBPRINT}"

Use the command below to create the client certificate. -Signer signs it with the root certificate loaded above, and the TextExtension sets the Enhanced Key Usage (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2), which the gateway requires. Generate one client certificate per user with a distinct Subject (for example the user's name instead of "P2SChildCert"), so that a lost or compromised certificate can be revoked individually by its thumbprint on the gateway. Each backtick must be the last character on its line; a trailing space after it breaks the line continuation.

   New-SelfSignedCertificate -Type Custom -KeySpec Signature `
   -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
   -HashAlgorithm sha256 -KeyLength 2048 `
   -CertStoreLocation "Cert:\CurrentUser\My" `
   -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Export Client Certificate

  • To export the client certificate, run certmgr.msc
  • Navigate to 'Certificates - Current User\Personal\Certificates', right-click the client certificate, click All Tasks, and then click Export.
  • Choose "Yes, export the private key", then Next
  • Select Personal Information Exchange (.PFX) and enter a password; the password is required when the certificate is imported
  • Browse to a location and export the file
  • Give the .pfx file to the user, and send the password over a separate channel (not in the same e-mail as the file)
  • Double-clicking the .pfx file starts the Certificate Import Wizard; install the certificate into the Current User Personal store
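The whole procedure above (root certificate, one client certificate per user, and both exports) as one script. This is an added example and not code from the original wiki page. Assumptions not taken from the page: the root subject CN=P2SRootCert, the user list in $Users, the output folder C:\P2S, and the client subject pattern CN=P2SClient-<user>. It needs Windows 10 or Windows Server 2016 or later and an elevated PowerShell session.

```powershell
# Added example (not from the original page): root + per-user client certs for Azure P2S.
# Assumed values: $RootSubject, $Users, $OutDir. Run as Administrator.
$RootSubject = 'CN=P2SRootCert'
$Users       = @('alice', 'bob')   # assumed list; one client certificate per user
$OutDir      = 'C:\P2S'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Root (signing) certificate. Its private key is the trust anchor: anyone who
#    holds it can mint client certificates the gateway accepts, so it is created
#    once, reused on later runs, kept on the admin machine and never exported.
$root = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq $RootSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $root) {
    $root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject $RootSubject -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyUsageProperty Sign -KeyUsage CertSign
}

# 2. Public half of the root for the Azure portal. The portal wants only the
#    Base-64 body without BEGIN/END lines, which is exactly what this file holds.
$rootDer  = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootB64  = [Convert]::ToBase64String($rootDer)
$rootFile = Join-Path $OutDir 'P2SRootCert.b64.txt'
Set-Content -Path $rootFile -Value $rootB64 -Encoding Ascii

# 3. One client certificate per user, signed by the root, with the Client
#    Authentication EKU (2.5.29.37 = 1.3.6.1.5.5.7.3.2). A per-user certificate can
#    be revoked on the gateway by its thumbprint without affecting anyone else.
$results = foreach ($user in $Users) {
    $client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=P2SClient-$user" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

    # 4. Export WITH the private key as a password-protected .pfx. Send the file
    #    and the password to the user over separate channels.
    $pfxFile     = Join-Path $OutDir "P2SClient-$user.pfx"
    $pfxPassword = Read-Host -Prompt "PFX password for $user" -AsSecureString
    Get-ChildItem -Path "Cert:\CurrentUser\My\$($client.Thumbprint)" |
        Export-PfxCertificate -FilePath $pfxFile -Password $pfxPassword | Out-Null

    # 5. The user's private key is now in the .pfx and has no business staying
    #    on the admin machine; delete the certificate and its key from the store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($client.Thumbprint)" -DeleteKey

    [PSCustomObject]@{
        User             = $user
        ClientThumbprint = $client.Thumbprint   # paste into "Revoked certificates" to cut this user off
        PfxFile          = $pfxFile
    }
}

Write-Host "Root thumbprint : $($root.Thumbprint)"
Write-Host "Root Base-64    : $rootFile  (paste the file's contents into the portal)"
$results | Format-Table -AutoSize
```

Keep the printed table: the client thumbprints are what you need later to revoke a single user on the gateway, and the root thumbprint lets you confirm you are signing with the same root on future runs.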

How to connect

Download the VPN client installer from the Point-to-site configuration page of the gateway in the Azure portal.

The client certificate is independent of the downloaded client installer. The installer contains no per-user secret, so the same installer can be distributed to every user; only the .pfx file is per user.

On imaged machines, make sure to import the *.cer file that is embedded in the .exe file into the Trusted Root Certification Authorities store (see [3]).

Once that root certificate is in the Trusted Root Certification Authorities store, the .exe installs on the Windows 10 machine and the profile appears under Settings > Network & Internet > VPN.

Attempt to connect and test.
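Pre-flight checks to run on the user's Windows machine before clicking Connect, covering the client certificate import and the installed profile. This is an added example, not code from the original page. Assumptions not taken from the page: the root subject CN=P2SRootCert, the profile name in $VpnName, and the $Connect switch that decides whether the script actually dials.

```powershell
# Added example (not from the original page): client-side checks for Azure P2S.
# Assumed values: $RootSubject, $VpnName, $Connect.
$RootSubject = 'CN=P2SRootCert'
$VpnName     = 'MyVNet'    # name shown under Settings > VPN; assumed
$Connect     = $false      # set to $true to dial after the checks

# True when the certificate's Enhanced Key Usage extension lists Client Authentication.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { return $true }
            }
        }
    }
    return $false
}

# 1. Client certificates issued by the P2S root that still carry a private key.
#    A .pfx imported without its key, or a cert issued by some other root, fails here.
$candidates = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Issuer -eq $RootSubject -and $_.HasPrivateKey }

if (-not $candidates) {
    Write-Warning "No certificate issued by '$RootSubject' with a private key in Cert:\CurrentUser\My. Import the .pfx first."
}

$report = foreach ($cert in $candidates) {
    # 2. Build the chain without revocation checks (a self-signed P2S root has no CRL).
    #    UntrustedRoot means the P2S root is not in this machine's Trusted Root store;
    #    that happens when the .pfx was exported without "include all certificates in the path".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [PSCustomObject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        ClientAuth  = Test-ClientAuthEku -Cert $cert
        ChainBuilds = $chainOk
        ChainStatus = if ($status) { $status } else { 'OK' }
    }
}
$report | Format-Table -AutoSize

# 3. The profile created by the Azure client package for this user.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if ($vpn) {
    $vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
} else {
    Write-Warning "No VPN profile named '$VpnName' for this user; run the downloaded client installer first."
}

# 4. Optionally dial. rasdial prints the RAS error code on failure, which is the
#    value to look up when the connection does not come up.
if ($Connect -and $vpn -and $report) {
    rasdial $VpnName
}
```

A row with ClientAuth False means the certificate was created without the TextExtension for Client Authentication and the gateway will reject it; an expired NotAfter is the other common cause of a silent authentication failure.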

  1. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-point-to-site-create
  2. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
  3. http://stackoverflow.com/questions/16320918/windows-azure-virtual-network-point-to-site-connection-error