I have been helping out on the MSDN forums and came across a post where a user was struggling to create a Point to Site (P2S) VPN connection to an Azure Resource Manager (ARM) Virtual Network – https://social.msdn.microsoft.com/Forums/azure/en-US/567b968e-aa50-4ee4-b554-af09c54a40e0/routing-in-azure-between-pointtosite-and-sitetosite-networks?forum=WAVirtualMachinesVirtualNetwork. At the time of writing it is not possible using the portal. I had a look at the ARM PowerShell commands and found the command
Set-AzureRmVirtualNetworkGatewayVpnClientConfig but failed to find any documentation. I set about the task of working out how to do this.
Gateway Subnet
The Virtual Network Gateway must connect to a subnet named GatewaySubnet. I created this using the portal. Yes, I know I could do this in PowerShell, but I often use the portal for a quick fix.
Certificates
Certificates are used to authenticate clients. You must have a root certificate and client certificate(s) that have been created using the root certificate. The root certificate is uploaded to Azure and the client certificate imported into the installed in the User’s personal store on the client machine.
The documentation that exists for creating a P2S VPN connection to a service manager virtual network details how to create these using makecert – https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/. This is the method I used, although if you have an Enterprise Certification Authority it would make sense to use that.
To upload the root certificate to Azure it must be exported in Base64 format:
If you then open the exported certificate in notepad you will see similar to the following:
The Add-AzureRmVpnClientRootCertificate PowerShell command requires the characters between the BEGIN and END certificate markers in a single string with no carriage returns.
The PowerShell
Here’s the PowerShell I used to create the gateways and P2S connection. Note it can take over 20 minutes for the gateway to successfully create. Be patient! At the end of the script the URL to download the VPN client is stored in the variable $packageUrl
# Must create a subnet called GatewaySubnet for the gateway to connect to prior to creating the gateway $vnetname = "TestNetwork" $rgname = "TestRG" $region = "North Europe" $clientpool = "192.168.10.0/24" $RootCertName = "MyRootCert.cer" $publicCertData = "<Replace_With_Your_Base64_Cert_Data>" #Export cert as Base64, and put data into single line. #$publicCertData = "MIIDFDCCAgCgAwIBAgIQtCz5YGITP4ZMrYRvqfzKHTAJBgUrDgMCHQUAMB8xHTAbBgNVBAMTFFBvaW50VG9Qb2ludFJvb3RDZXJ0MB4XDTE1MDEwNjA5MTMzOVoXDTM5MTIzMTIzNTk1OVowHzEdMBsGA1UEAxMUUG9pbnRUb1BvaW50Um9vdENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDONIScIVcbFGK/WojhRLyVtSFPhc67tKj2yDCUoaRyT8kfPAm5lvNL1WP5qWurd1ydbK/8hPGHWhkomeac6IEPd9IxmOHY3n6WfcAeCq6BcTDtvUdGSFEtB3gor0wZAIwehhmlAC9ZrdLdDRy3us1AxwJfxcoTZ4EbxKaM1HZGMTOE+2bvkvG+IshQULPScTVieLKLSZSYf57CdFl6OpoYScsrsuQuHNpSWb0kFwJwq83hWtjbojTkQyblcdI9jWG7nD0gb6Fe/BOkN8TtJ/il48X1eE5m3IpCKyU/RTzrumrtG1huwvYDqr1WzGOR5FJGtZtQxZjsg9BRepaOWB2DAgMBAAGjVDBSMFAGA1UdAQRJMEeAEGE1PUv6Gv4noBNem2xCw8ChITAfMR0wGwYDVQQDExRQb2ludFRvUG9pbnRSb290Q2VydIIQtCz5YGITP4ZMrYRvqfzKHTAJBgUrDgMCHQUAA4IBAQAEJCytWDQ9UzNl/vwT/xI+nkB/lRtRhUOKqsuCxa45PNQg6OFN4WwS+zaAZcg0UiJA324Bf4o8ivRXDML107smcakLJXPMJ7clvKga6QlG++6NwyRV6FIJnG8chxJlbxZNNVu2xmi0DZ2uqlzv8KNsLWkHuB6DjkVX82QYmPz9jjT3gTjtCML7bvJND0GTb2pEw4SAQD/h+tRaaaYETeUzQl0+wqk69/i7jQ8tKhZD5Xw38/SNU5gKp5bD4ofjFew6rfGhaPWPqRinsJ/PBYbE02rBU86NlTZ5Yvsg6sWvHTb+NVYbD0mJ7fPpKuFnNLAqyNC0kXBvfvOeCKV9U9hg" #Login to Azure RM Login-AzureRMAccount # Get the Virtual Network $vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $rgname #Create IP for the gateway $GWIP = New-AzureRmPublicIpAddress -AllocationMethod Dynamic -ResourceGroupName $rgname -Location $region -Name GWIP1 #Get the gateway subnet $GWSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet # Create GW Config $GWIPConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name GWIPConfig -SubnetId $gwsubnet.Id -PublicIpAddressId $GWIP.Id #Create Gateway $gw = New-AzureRmVirtualNetworkGateway -Location $region -Name GW1 -ResourceGroupName $rgname -GatewayType Vpn -IpConfigurations $GWIPConfig -VpnType RouteBased # Create client VPN config Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientpool # Create Root Cert $rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $RootCertName -PublicCertData $publicCertData -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rgname #Get URL for VPN client - download the exe from here $packageUrl = Get-AzureRmVpnClientPackage -ResourceGroupName $rgname -VirtualNetworkGatewayName $gw.Name -ProcessorArchitecture Amd64
Hey, thanks for the post.
Am wondering how will the above change in case you have the VPN connection for only allowing web apps in the same subscription to connect to the Virtual network. In other words, I dont feel that I need a certificate or a public IP to have this. Am still struggling to know what should I leave out, and whether will the VPN connection work without the Public IP or not.
What do you think?
Hopefully I addressed this in the next post. 🙂
Thanks, this helped me out a lot!
Glad I could help!
Hi
Is there a way to add a point 2 site connection to an existing gateway using Resource Manager?
Yes, you can use PowerShell to get the existing gateway and follow the script from “# Create client VPN config”. Hope that helps.
Thanks for the reply. If I have a couple of site2site connections on this gateway, i should be able to add a point2site using the instructions at which point the client’s connecting to the cloud should be able to access services across the 2 site2sites as well?
Hi Mike. I’ve not actually tried that, but I don’t see why not. I’m not sure if the P2S client VPN connection adds routes to the other S2S local sites. you might have to add some custom routes on the clients. Give it a try and let me know!
This is a excellent post, thank you, however when I run “Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientpool
Set-AzureRmVirtualNetworkGatewayVpnClientConfig : A virtual network gateway SKU of Standard or higher is required for BGP support on virtual network gateway”
Have you seen this before? I am a bit confused as I get this when trying to upload the root certificate as well. Trying to avoid upgrading the SKU to standard unless I really have to and I didn’t think BGP was supported on any Azure gateway anyway…
Hi Tommy, afraid I haven’t seen that before. It could be that your IP range being provided has an issue. If you still have issues I would suggest posting full details here https://social.msdn.microsoft.com/Forums/en-US/home?forum=WAVirtualMachinesVirtualNetwork and send me a tweet @techdiction and I will take a look.
Looks like newer PS module is broken, works with older versions.
I'll give it a go when I have some time, maybe early next week.
I have BGP disabled on VNET GW, but I have the same error. If VNET gateway pricing plan is "Basic", you have this error. If I upgrade VNET GW SKU to "Standard" pricing plan, command Set-AzureRmVirtualNetworkGatewayVpnClientConfig is working. Support for P2S VPN is declared for "Basic" VNET gateway plan too, but is not working for Resource Manager VNET GW. Why??? To resize VPN Gateway SKU to Standard plan you can run: $Gateway = Get-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG Resize-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -GatewaySku Standard Keep in mind that the Basic an Standard GW have different prices. https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/
Great post. Followed the steps and everything appeared to go through, however, I am not sure where/how to retrieve the root and client certificates. The package only creates the connection on the client but fails to launch because it could not find a corresponding certificate. Please help. Thanks.
Everything work fine, but when I try to dowloand de exe from the URL HTTP 404 error shows, can anyone knows why?
This helped me immensly setting up a VPN gateway so we could integrate a web app with one of our Azure virtual networks. Only amendment oin our environment I had to make to the above script was add in the cmdlet New-AzureRMVPNClientRootCertificate just below the first $publicCertData variable.
$publicCertData = "<cert-data>" #Export cert as Base64, and put data into single line.
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $RootCertName -PublicCertData $publicCertData
# Get the Virtual Network
Marcus… Nice post.
Most intelligent process I've seen on how to do this in resource manager mode.
Follow up question, and please bear with me, as networking is not my speciality.
The VPN works and I'm connected.
ipconfig /all shows me just what I expect in the ppp area.
However, I can't see any of my servers in the vnet, which I expected to see.
A simple domain controller and and RDS VM.
They were all created, prior to constructing the gateway.
Any suggestions?
Thanks…
When you say "can't see" what do you mean? Ensure DNS is working as expected if using machine names.
Thanks, so much easier to do than trawling through the official documentation.
The result of running the exe is a vpn connection which doesn't show in powershell – Get-VpnConnection returns empty. Any idea how to automate the connection of that vpn after installation?