About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.

What protocol does P2S use?

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They aren't available for the classic deployment model.

How are P2S VPN clients authenticated?

Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are two mechanisms that Azure offers to authenticate a connecting user.

Certificate authentication

When using the native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. You can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.

The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.

Microsoft Entra authentication

Microsoft Entra authentication allows users to connect to Azure using their Microsoft Entra credentials. Native Microsoft Entra authentication is only supported for OpenVPN protocol and also requires the use of the Azure VPN Client. The supported client operation systems are Windows 10 or later and macOS.

With native Microsoft Entra authentication, you can use Microsoft Entra Conditional Access and multifactor authentication (MFA) features for VPN.

At a high level, you need to perform the following steps to configure Microsoft Entra authentication:

  1. Configure a Microsoft Entra tenant

  2. Enable Microsoft Entra authentication on the gateway

  3. Download the latest version of the Azure VPN Client install files using one of the following links:

Active Directory (AD) Domain Server

AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also use their existing RADIUS deployment.

The RADIUS server could be deployed on-premises or in your Azure VNet. During authentication, the Azure VPN Gateway acts as a pass through and forwards authentication messages back and forth between the RADIUS server and the connecting device. So Gateway reachability to the RADIUS server is important. If the RADIUS server is present on-premises, then a VPN S2S connection from Azure to the on-premises site is required for reachability.

The RADIUS server can also integrate with AD certificate services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to the Azure certificate authentication. The advantage is that you don’t need to upload root certificates and revoked certificates to Azure.

A RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPN, including multi-factor options.

Diagram that shows a point-to-site VPN with an on-premises site.

What are the client configuration requirements?

The client configuration requirements vary, based on the VPN client that you use, the authentication type, and the protocol. The following table shows the available clients and the corresponding articles for each configuration.

Authentication Tunnel type Generate config files Configure VPN client
Azure certificate IKEv2, SSTP Windows Native VPN client
Azure certificate OpenVPN Windows - OpenVPN client
- Azure VPN client
Azure certificate IKEv2, OpenVPN macOS-iOS macOS-iOS
Azure certificate IKEv2, OpenVPN Linux Linux
Microsoft Entra ID OpenVPN (SSL) Windows Windows
Microsoft Entra ID OpenVPN (SSL) macOS macOS
RADIUS - certificate - Article Article
RADIUS - password - Article Article
RADIUS - other methods - Article Article

Important

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections won't be affected. If you’re using TLS for point-to-site VPNs on Windows 10 or later clients, you don’t need to take any action. If you're using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Which gateway SKUs support P2S VPN?

The following table shows gateway SKUs by tunnel, connection, and throughput. For additional tables and more information regarding this table, see the Gateway SKUs section of the VPN Gateway settings article.

VPN
Gateway
Generation
SKU S2S/VNet-to-VNet
Tunnels
P2S
SSTP Connections
P2S
IKEv2/OpenVPN Connections
Aggregate
Throughput Benchmark
BGP Zone-redundant Supported Number of VMs in the Virtual Network
Generation1 Basic Max. 10 Max. 128 Not Supported 100 Mbps Not Supported No 200
Generation1 VpnGw1 Max. 30 Max. 128 Max. 250 650 Mbps Supported No 450
Generation1 VpnGw2 Max. 30 Max. 128 Max. 500 1 Gbps Supported No 1300
Generation1 VpnGw3 Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported No 4000
Generation1 VpnGw1AZ Max. 30 Max. 128 Max. 250 650 Mbps Supported Yes 1000
Generation1 VpnGw2AZ Max. 30 Max. 128 Max. 500 1 Gbps Supported Yes 2000
Generation1 VpnGw3AZ Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported Yes 5000
Generation2 VpnGw2 Max. 30 Max. 128 Max. 500 1.25 Gbps Supported No 685
Generation2 VpnGw3 Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported No 2240
Generation2 VpnGw4 Max. 100* Max. 128 Max. 5000 5 Gbps Supported No 5300
Generation2 VpnGw5 Max. 100* Max. 128 Max. 10000 10 Gbps Supported No 6700
Generation2 VpnGw2AZ Max. 30 Max. 128 Max. 500 1.25 Gbps Supported Yes 2000
Generation2 VpnGw3AZ Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported Yes 3300
Generation2 VpnGw4AZ Max. 100* Max. 128 Max. 5000 5 Gbps Supported Yes 4400
Generation2 VpnGw5AZ Max. 100* Max. 128 Max. 10000 10 Gbps Supported Yes 9000

Note

The Basic SKU has limitations and does not support IKEv2, IPv6, or RADIUS authentication. See the VPN Gateway settings article for more information.

What IKE/IPsec policies are configured on VPN gateways for P2S?

The tables in this section show the values for the default policies. However, they don't reflect the available supported values for custom policies. For custom policies, see the Accepted values listed in the New-AzVpnClientIpsecParameter PowerShell cmdlet.

IKEv2

Cipher Integrity PRF DH Group
GCM_AES256 GCM_AES256 SHA384 GROUP_24
GCM_AES256 GCM_AES256 SHA384 GROUP_14
GCM_AES256 GCM_AES256 SHA384 GROUP_ECP384
GCM_AES256 GCM_AES256 SHA384 GROUP_ECP256
GCM_AES256 GCM_AES256 SHA256 GROUP_24
GCM_AES256 GCM_AES256 SHA256 GROUP_14
GCM_AES256 GCM_AES256 SHA256 GROUP_ECP384
GCM_AES256 GCM_AES256 SHA256 GROUP_ECP256
AES256 SHA384 SHA384 GROUP_24
AES256 SHA384 SHA384 GROUP_14
AES256 SHA384 SHA384 GROUP_ECP384
AES256 SHA384 SHA384 GROUP_ECP256
AES256 SHA256 SHA256 GROUP_24
AES256 SHA256 SHA256 GROUP_14
AES256 SHA256 SHA256 GROUP_ECP384
AES256 SHA256 SHA256 GROUP_ECP256
AES256 SHA256 SHA256 GROUP_2

IPsec

Cipher Integrity PFS Group
GCM_AES256 GCM_AES256 GROUP_NONE
GCM_AES256 GCM_AES256 GROUP_24
GCM_AES256 GCM_AES256 GROUP_14
GCM_AES256 GCM_AES256 GROUP_ECP384
GCM_AES256 GCM_AES256 GROUP_ECP256
AES256 SHA256 GROUP_NONE
AES256 SHA256 GROUP_24
AES256 SHA256 GROUP_14
AES256 SHA256 GROUP_ECP384
AES256 SHA256 GROUP_ECP256
AES256 SHA1 GROUP_NONE

What TLS policies are configured on VPN gateways for P2S?

TLS

Policies
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through common P2S configuration steps.

To remove the configuration of a P2S connection

You can remove the configuration of a connection by using PowerShell or CLI. For examples, see the FAQ.

How does P2S routing work?

See the following articles:

FAQs

There are multiple FAQ sections for P2S, based on authentication.

Next Steps

"OpenVPN" is a trademark of OpenVPN Inc.