Problems setting up Azure Point to Site VPN

Simon Götz 0

Hi guys, this is my first question here and I hope that I don't miss any relevant information or rules.
I am trying to setup a vpn gateway to be able to vpn into my private azure network to access a database that is running in one of the subnets.
I am on linux so I try setting up a Point-to-site think.
as AdressPool i have tried: 172.16.201.0/24 but also 10.1.0.0/24
the selected tunneltype is IKEv2 and OpenVPN.

I have created a self signed certificate using these instructions:
https://www.ismailzai.com/blog/azure-vpn-gateway-openvpn-openssl
Now the problem, when starting the connection nothing really happens. In the logs I can see that it is running in a loop trying to build up a connection. Here the logs from openvpn:
2024-06-15 09:58:07 OpenVPN 2.5.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 14 2024 2024-06-15 09:58:07 library versions: OpenSSL 3.3.0 9 Apr 2024, LZO 2.10 2024-06-15 09:58:13 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2024-06-15 09:58:13 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication 2024-06-15 09:58:13 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication 2024-06-15 09:58:13 TCP/UDP: Preserving recently used remote address: [AF_INET]4.185.151.49:443 2024-06-15 09:58:13 Socket Buffers: R=[131072->131072] S=[16384->16384] 2024-06-15 09:58:13 Attempting to establish TCP connection with [AF_INET]4.185.151.49:443 [nonblock] 2024-06-15 09:58:13 TCP connection established with [AF_INET]4.185.151.49:443 2024-06-15 09:58:13 TCP_CLIENT link local: (not bound) 2024-06-15 09:58:13 TCP_CLIENT link remote: [AF_INET]4.185.151.49:443 2024-06-15 09:58:13 TLS: Initial packet from [AF_INET]4.185.151.49:443, sid=c1c7b705 d3140cf0 2024-06-15 09:58:13 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 2024-06-15 09:58:13 VERIFY OK: depth=1, C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07 2024-06-15 09:58:13 VERIFY KU OK 2024-06-15 09:58:13 Validating certificate extended key usage 2024-06-15 09:58:13 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication 2024-06-15 09:58:13 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication 2024-06-15 09:58:13 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2024-06-15 09:58:13 VERIFY EKU OK 2024-06-15 09:58:13 VERIFY X509NAME OK: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=93f70060-c046-40a2-8f98-25471a60f3b4.vpn.azure.com 2024-06-15 09:58:13 VERIFY OK: depth=0, C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=93f70060-c046-40a2-8f98-25471a60f3b4.vpn.azure.com 2024-06-15 09:58:13 Connection reset, restarting [0] 2024-06-15 09:58:13 SIGUSR1[soft,connection-reset] received, process restarting 2024-06-15 09:58:13 Restart pause, 5 second(s)

Can you guys spot at which step my communication attempts are going sideways? And what might be the root cause of it?

GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee

2024-06-18T04:45:44.54+00:00
Hello @Simon Götz ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are facing issues setting up Azure Point to Site VPN on your Linux client where tunneltype is IKEv2 & OpenVPN and authentication type is Azure certificate.

Could you please share the below details?

Are you using strongSwan or OpenVPN client for the VPN connection? Since you mentioned "logs from openvpn:", I believe you are using OpenVPN client but would like to get a confirmation. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-linux#generate-vpn-client-configuration-files

If you are using OpenVPN client, validate the configuration again referring the following document: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-linux#openvpn

You mentioned for the VPN Address Pool, you've tried: 172.16.201.0/24 and 10.1.0.0/24. You need to make sure that you use a private IP address range that doesn't overlap with the on-premises location that you connect from, or the VNet that you want to connect to. So, could you please let me know the address space of your Azure Vnet where VPN gateway is deployed? Is the address range overlapping? Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool

From the above logs, it is difficult to troubleshoot the issue as it doesn't provide any specific error but just says "Connection reset, restarting [0]". So, you could try a VPN gateway reset to make sure there are no issues with the gateway itself. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/reset-gateway#reset-a-gateway

Regards,

Gita
GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee

2024-06-21T06:03:43.4466667+00:00

@Simon Götz , could you please provide an update on this issue?
Simon Götz 0 Reputation points

2024-06-21T09:27:31.0766667+00:00

Ah I only saw you comment now.
Yes I am using OpenVpn client.

I will try out your ideas over the weekend
GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee

2024-06-21T13:10:26.4466667+00:00

@Simon Götz , thank you for the update. I will await your response next week.
Simon Götz 0 Reputation points

2024-06-23T11:32:20.9666667+00:00

So I did start completly from scartch and used only Microsofts documentation.
I cannot proceed in this tutorial: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-openvpn-linux
at step: Configuration steps > 5. I cannot proceed here, because the tutorial is expecting a .pfx file is not created when i follow the instructions given in https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-certificates-linux-openssl
the files I have available are: caCert.pm, caCert.srl, caKey.pem, tinoCert.pem, tinoKey.pem, tinoReq.pem

Where is this pfx file comming from?
Is there an tutorial/documentation for setting up a vpn gateway using openssl from start to finish? Cause I feel like I am very much jumping between different tutorials that are not matching together
GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee

2024-06-24T10:07:04.4433333+00:00

Hello @Simon Götz , thank you for the update.

I just checked the tutorial and looks like some clarity is missing, which makes it confusing.

I reached out to the document author to make some updates and below changes were made to the table of contents & documents:

Basically, if the VPN client software that the user wants to use requires certificate files using the .pfx format, right now we have PowerShell and MakeCert instructions to generate this format. And if the user doesn’t have a Windows computer, as a workaround, they can use a small Windows VM. If the VPN client software requires .pem files, we have steps to generate this format using OpenSSL or strongSwan.

The OpenVPN client supports PKCS #12 certificates or .pfx certificates and hence the instructions ask for a pfx file that was created using Azure PowerShell in a Windows machine or VM.

Refer: https://openvpn.net/connect-docs/assign-a-certificate-to-a-profile.html

Regards,

Gita
GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee

2024-06-26T10:25:58.7833333+00:00

@Simon Götz , could you please provide an update on this issue?

Share via

Problems setting up Azure Point to Site VPN