Point-to-site VPN client configuration workflow: Certificate authentication - Windows
This article walks you through the workflow and steps to configure VPN clients for point-to-site (P2S) virtual network connections that use certificate authentication. These steps continue on from previous articles where the VPN Gateway point-to-site server settings are configured. In this article, you'll generate the client configuration files and install the necessary client certificates used for authentication.
Before you begin
This article assumes that you have already created and configured your VPN gateway for P2S certificate authentication. See Configure server settings for P2S VPN Gateway connections - certificate authentication for steps.
Before beginning the workflow, verify that you're on the correct article. The following table shows the configuration articles available for Azure VPN Gateway P2S VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.
Authentication | Tunnel type | Generate config files | Configure VPN client |
---|---|---|---|
Azure certificate | IKEv2, SSTP | Windows | Native VPN client |
Azure certificate | OpenVPN | Windows | OpenVPN client, Azure VPN client |
Azure certificate | IKEv2, OpenVPN | macOS-iOS | macOS-iOS |
Azure certificate | IKEv2, OpenVPN | Linux | Linux |
Microsoft Entra ID | OpenVPN (SSL) | Windows | Windows |
Microsoft Entra ID | OpenVPN (SSL) | macOS | macOS |
RADIUS - certificate | - | Article | Article |
RADIUS - password | - | Article | Article |
RADIUS - other methods | - | Article | Article |
Workflow
In this article, we start with generating VPN client configuration files and client certificates, and then configure the VPN client:
1. Generate VPN client configuration files.
2. Generate client certificates.
3. Configure the VPN client. The steps you use to configure your VPN client depend on the tunnel type for your P2S VPN gateway, and the VPN client on the client computer. Links are provided to configuration articles for the specific tunnel and corresponding client.
- IKEv2 and SSTP - native VPN client - If your P2S VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you connect to your VNet using the native VPN client that's part of your Windows operating system. This configuration doesn't require additional client software. For steps, see IKEv2 and SSTP - native VPN client.
- OpenVPN - Azure VPN Client and OpenVPN client - If your P2S VPN gateway is configured to use an OpenVPN tunnel and certificate authentication, you have the option to connect using either the Azure VPN Client, or the OpenVPN client.
1. Generate VPN client configuration files
All of the necessary configuration settings for the VPN clients are contained in a VPN client profile configuration zip file. You can generate client profile configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file.
The VPN client profile configuration files that you generate are specific to the P2S VPN gateway configuration for the VNet. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client profile configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more information about P2S connections, see About point-to-site VPN.
PowerShell
When you generate VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:
$profile=New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls"
$profile.VPNProfileSASUrl
Copy the URL to your browser to download the zip file.
Azure portal
In the Azure portal, go to the virtual network gateway for the virtual network to which you want to connect.
On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.
At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software; it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you might not see any indication of progress until the package is ready.
Once the configuration package is generated, your browser indicates that a client configuration zip file is available. The zip file has the same name as your gateway.
Unzip the file to view the folders. You'll use some, or all, of these files to configure your VPN client. The files that are generated correspond to the authentication and tunnel type settings that you configured on the P2S server.
2. Generate client certificates
For certificate authentication, a client certificate must be installed on each client computer. The client certificate you want to use must be exported with the private key, and must contain all certificates in the certification path. Additionally, for some configurations, you'll also need to install root certificate information.
In many cases, you can install the client certificate directly on the client computer by double-clicking. However, for certain OpenVPN client configurations, you might need to extract information from the client certificate in order to complete the configuration.
- For information about working with certificates, see Point-to-site: Generate certificates.
- To view an installed client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.
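The following PowerShell is an added check, not part of this article: it looks up the installed client certificate in Current User\Personal and verifies the properties this section requires before you try to connect (private key present, currently valid, Client Authentication usage, and a complete chain that ends at the root you uploaded to the gateway). The subject name and root thumbprint are placeholders you replace with your own values.

```powershell
# Added example (not from the article): sanity-check a P2S client certificate
# installed in Current User\Personal (Cert:\CurrentUser\My) before connecting.
function Test-P2SClientCertificate {
    param(
        [string]$ClientSubject,          # placeholder: subject of your client certificate, e.g. 'CN=P2SChildCert'
        [string]$ExpectedRootThumbprint  # placeholder: thumbprint of the root certificate uploaded to the gateway
    )

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $ClientSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$ClientSubject' in Current User\Personal." }

    # 1. The certificate must have been imported with its private key (PFX exported including the key).
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX with the private key."
    }

    # 2. The certificate must be within its validity period right now.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # 3. If an Enhanced Key Usage extension is present, it must include Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
        throw "Certificate lacks the Client Authentication enhanced key usage."
    }

    # 4. The full certification path must be present. The P2S root is often self-signed and not in the
    #    trusted root store, so allow an unknown CA but still require every intermediate to be available.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Certification path could not be built: $status"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        throw "Chain ends at root $($root.Thumbprint), not the root uploaded to the gateway."
    }

    Write-Output "OK: $($cert.Subject) ($($cert.Thumbprint)) chains to $($root.Subject) and is ready for P2S."
}

# Usage with placeholder values (replace with your own):
Test-P2SClientCertificate -ClientSubject 'CN=P2SChildCert' -ExpectedRootThumbprint '<ROOT-CERT-THUMBPRINT>'
```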
3. Configure the VPN client
Next, configure the VPN client. Select from the following instructions:
Tunnel | VPN client |
---|---|
IKEv2 and SSTP | Native VPN client steps |
OpenVPN | Azure VPN Client steps |
OpenVPN | OpenVPN Client steps |
Next steps
For additional steps, return to the P2S article that you were working from.