Azure WAN and P2S VPN Forced Tunneling

Ajeet Singh 71

I have setup Azure WAN with a secured hub(Azure Firewall). WAN also has a P2S VPN which am successfully able to connect to. I understand forced tunneling was not an option before Azure VWAN, but now can i do forced tunneling for my P2S clients and give them a common public IP address instead of their own ISP Public IP Address?

Accepted answer

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2021-10-14T16:40:27.6+00:00

Hello @Ajeet Singh ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Yes, you can do forced tunneling for your P2S clients.

If you secure internet traffic via Firewall Manager you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

2 people found this answer helpful.
Ajeet Singh 71 Reputation points

2021-10-14T22:13:49.877+00:00

Hi @GitaraniSharma-MSFT

I already did what you've mentioned however i still not see the Public IP from Firewall on my client. It is still from my ISP.

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2021-10-19T13:32:29.12+00:00

Hello @Ajeet Singh ,

Apologies for the delay in response.

I have confirmed with the PG and this should work if configured correctly. Did you setup the Azure Firewall Policy to allow P2S traffic to Internet?
To advertise 0.0.0.0/0 route to your VPN clients, you need to break them into two smaller subnets 0.0.0.0/1 and 128.0.0.0/1 as mentioned in the below doc:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

Regards,
Gita

Ajeet Singh 71 Reputation points

2021-10-20T04:08:43.79+00:00

Hi @GitaraniSharma-MSFT

Thanks for your supoprt, however I already had the setup that you've mentioned. Finally I got it working by adding the route directly in my downloaded azurevpnconfig.xml.

I added the following and it worked.

<clientconfig>

<includeroutes> <route> <destination>0.0.0.0</destination><mask>1</mask> </route> <route> <destination>128.0.0.0</destination><mask>1</mask> </route> </includeroutes>

</clientconfig>

If i add these routes in Default Route on Portal it only adds 0.0.0/0 to my client and skips 0.0.0.0/1 and 128.0.0.0/1

GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee

2021-10-20T11:21:41.143+00:00

Thanks for the update @Ajeet Singh . Glad to know it worked.

NSimpraga 166 Reputation points

2022-05-13T13:22:49.68+00:00

Greetings, I am facing the same issue and the same thing is happening - I have to manually edit the azurevpnconfig.xml file to include the 0.0.0.0/1 and 128.0.0.0/1 routes. That is the only way to get the clients the needed routes. The routes don't get actually advertised to the clients if they're added to the route table of the Virtual Hub, they get skipped & ignored.

Any way to resolve this?

MostLourh 26 Reputation points

2022-05-13T15:20:54.6+00:00

@ NSimpraga-7653

in my case, i created a secure Hub as a hub of VWAN, i added P2S gateway and a azure Firewall, in VWAN you have a route server that propagate VNet routes using BGP including 0.0.0.0 /route. this route can be configured in routing table on virtual hub

Asad Rehman 1 Reputation point

2022-12-16T18:52:48.447+00:00

I am able to get the route 0.0.0.0/0 advertised, set the client config to version 2 from 1. When i connect to the VPN, j am not able to connect to any website, or ping google etc. Is this expected?

Navyanth Gowda 0 Reputation points

2024-01-29T18:52:17.4+00:00

running into similar issues. I've tried all the steps mentioned in this discussion forum, but not able to connect to the internet. here is my setup. I'm using macos for the Azure VPN client (entra id authentication) i'm able ping the private IP of the firewall once connected to the VPN but cannot get to the public or to the internet. The default route has 0.0.0.0/0 and in my config xml file i've included to the routes for 0.0.0.0/1 and 128.0.0.0/1 i also executed the poweshell command. unchecked the high avaulabiity option in the VPN client. firewall policy is created to allow traffic.

Jarvis 0 Reputation points

2024-01-31T14:33:43.7733333+00:00

@Navyanth Gowda is your dns resolving correctly? you will need an Azure private dns resolver and create a new network fw rule to let the vpn client pools to it.

Navyanth Gowda 0 Reputation points

2024-01-31T19:28:35.7566667+00:00

I dont have a DNS setup for this. Do we need it?

Jarvis 0 Reputation points

2024-01-31T19:58:29.9933333+00:00

@Navyanth Gowda yes, you will need it if you want access to the internet. Default Azure DNS will not work.

Navyanth Gowda 0 Reputation points

2024-02-03T20:32:55.12+00:00

ok, can you provide any links on how to set it up?

Jarvis 0 Reputation points

2024-02-06T14:45:26.9866667+00:00

@Navyanth Gowda you can use terraform https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver
or https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

You'll need a virtual network for the private dns resolver, private dns resolver inbound endpoint, virtual network dns servers, private dns zone virtual network links for each network that needs dns.

Navyanth Gowda 0 Reputation points

2024-02-15T22:16:57.49+00:00

thank you Jarvis . I was able to resolve this by enabling DNS and DNS proxy at the firewall, and using custom DNS in the virtual hub to point to the private IP of the firewall.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

6 additional answers

Victor Tan 1 Reputation point

2022-12-02T21:36:15.053+00:00

anyone running into this issue? I can't see what else can be wrong.
Please sign in to rate this answer.
Patrick Holohan 1 Reputation point

2022-12-03T08:10:47.577+00:00

Have you added a default route 0.0.0.0/0 with a next hop as the Azure firewall/secure hub on the default route table?

Try a more specific source in you rule?

Also, when you connect, do you get a error saying the firewall is denying traffic?

Victor Tan 1 Reputation point

2022-12-03T16:52:03.953+00:00

Yes I have the default route to 0.0.0.0/0 point to the firewall.

I don't get any error with the connection. However I don't see any incoming traffic when the VPN is connected. I can ping any private or public IP.

I have a network policy to allow ping to every where.
I have a network policy to allow access to the firewall
I have a application policy to allow access to all the http/https

]4

Patrick Holohan 1 Reputation point

2022-12-04T08:13:17.553+00:00

Outgoing traffic? Or Incoming?

If you can ping any private/public address and is successful it would suggest an issue with DNS.

Have you enable log analytics to see if the traffic is hitting the firewall. Also network watcher tools to see if the traffic is getting dropped by a policy rule or NSG?

I had some users with a similar issue and it turned out to be the HA setting in the Azure VPN client.

It was enabled and users couldn't connect, disabled and it was fine.

Azure VPN Client \ ... \ Settings \ Enable High Availability

Victor Tan 1 Reputation point

2022-12-04T16:11:18.76+00:00

This is it. It was the HA setting. Once I disable it, it works fine.

thank you so much for your help.

Patrick Holohan 1 Reputation point

2022-12-04T16:20:32.537+00:00

Glad it is working now and happy to help.

Asad Rehman 1 Reputation point

2022-12-15T18:41:58.75+00:00

Hi Patrick thank you for all your help so far. I tried this and still not seeing the internet traffic go through the Azure Firewall. Did you make changes to the Azure Client, adding routes there. Thanks

Bhushan Gawale 316 Reputation points

2023-03-25T17:55:18.67+00:00

Yes, we have the same issue. After following all the steps and even after making the changes to the XML, we could not get the internet traffic working on the client machine.

Any help will be appreciated.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Lab Coat1 6 Reputation points

2023-04-18T14:19:56.95+00:00

Running into a similar issue. Followed: https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel Ran the powershell command and update the version in the xml file route to 0.0.0.0 shows up pointing to the virtual wan. What I notice, is that simply adding the 0.0.0.0/0 route does not keep traffic from the client to going anywhere within the client's internal network. Which, among other things, if there is a web proxy configured on the local network, then the client machine can completely bypass the tunnel to the Internet. We are wanting to move away from the Cisco AnyConnect client, which seems to more strictly enforce all traffic.
Please sign in to rate this answer.
Navyanth Gowda 0 Reputation points

2024-01-29T18:49:29.5066667+00:00

running into similar issues. I've tried all the steps mentioned in this discussion forum, but not able to connect to the internet. here is my setup. I'm using macos for the Azure VPN client (entra id authentication) i'm able ping the private IP of the firewall once connected to the VPN but cannot get to the public or to the internet. The default route has 0.0.0.0/0 and in my config xml file i've included to the routes for 0.0.0.0/1 and 128.0.0.0/1 i also executed the poweshell command. unchecked the high avaulabiity option in the VPN client. firewall policy is created to allow traffic.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure WAN and P2S VPN Forced Tunneling

6 additional answers

Your answer