Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,443 questions
How do I use a vpn inside a azure vm?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 40%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Mohammed aaqib
0
Reputation points
I Had created a windows server virtual machine on Azure, I want to know How do I use a vpn inside the virtual machine as It disconnects the remote desktop, the vpn I am using does not have split tunneling feature, I tried using azure bastion but that didn't help either, Could you please suggest any way to use a vpn inside the azure virtual machine without the rdp getting disconnected.
{count} votes
-
glebgreenspan 1,600 Reputation points2024-07-12T14:09:41.4233333+00:00 Hello Mohammed
Can you try these steps:
Using a VPN inside a Windows Server virtual machine (VM) on Azure can be a bit tricky, especially when you don't have split tunneling. Here are some possible solutions to help you use a VPN inside the VM without disconnecting Remote Desktop (RDP):
Solution 1: Use a different VPN client
Instead of using the built-in VPN client on your Windows Server VM, try installing a third-party VPN client like OpenVPN, SoftEther VPN, or WireGuard. These clients often have better compatibility with Azure VMs and might not disconnect your RDP session.
Solution 2: Configure Azure Load Balancer (ALB)
Azure Load Balancer (ALB) can help you route traffic from your VM to the VPN server. You'll need to:
- Create an ALB with a public IP address.
- Configure the ALB to route traffic from the VM to the VPN server.
- Update your VM's network configuration to use the ALB as the default gateway.
This approach will allow you to maintain RDP connectivity while using the VPN.
Solution 3: Use Azure Virtual Network (VNet) peering
If you're using a VNet in Azure, you can peer it with another VNet that contains the VPN server. This will allow your VM to communicate with the VPN server without going through the Azure public internet.
Solution 4: Set up Site-to-Site VPN
Create a Site-to-Site VPN connection between your Azure virtual network and your on-premises network (where the VPN server is located). This will allow your VM to communicate with the VPN server through a secure, dedicated connection.
Solution 5: Use Azure Virtual Network Gateway
Azure Virtual Network Gateway allows you to create a secure, managed VPN gateway for your VNet. You can configure this gateway to connect to your on-premises network, allowing your VM to communicate with the VPN server.
-
Mohammed aaqib 0 Reputation points
2024-07-12T14:22:02.49+00:00 Thankyou very much for your response, If it's not a problem could you please tell how do I implement solution 3 or 4?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 60%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUK%3C/text%3E%3C/svg%3E)
Udayashankar K.N 0 Reputation points Microsoft Employee2024-07-15T04:51:35.7466667+00:00 - Start the virtual machine -> Install OS -> Configure IP Addresses and rename the network connections (for better management and config) by noted MAC addresses-> Install Network Access and Protection Role - Select RRAS -> Start RRAS -> Configure -> Custom -> Select VPN Server, eventually NAT => Configure LAN network as a Private Network and WAN as a Public Network
-
KapilAnanth-MSFT 40,581 Reputation points Microsoft Employee2024-07-15T08:33:32.9566667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
It appears you are using a 3rd party VPN inside an Azure VM
- Is that correct?
- Or are you using Azure P2S VPN and not a 3rd party?
If the RDP is getting dropped, even with a Bastion
- This could only mean that the VPN Client you are connecting to is routing all the traffic including traffic within the VNET.
- In that case, you have to check the configuration of your VPN Client only, and understand what are the routes that are learnt/advertised to your OS once you connect.
You can try using Azure Serial Console (for Windows)
- Enable it by following the document
- Then RDP to the VM and try to connect to the VPN
- Once the RDP drops, try to access the VM using Serial Console
- Run route PRINT
- This should tell us where the traffic is headed.
NOTE : The above is just for troubleshooting.
You must work on the VPN Client to not advertise every traffic to route via the VPN Tunnel
Hope this helps.
Cheers,
Kapil
-
Mohammed aaqib 0 Reputation points
2024-07-15T13:51:02.7033333+00:00 @KapilAnanth-MSFT Thankyou for your response,
Yes I am using a third party vpn service,
If I use azure serial console I won't be able to access the GUI of Windows which I require
Is there any alternate way like using it in a sandbox or something which seperates the network?
-
KapilAnanth-MSFT 40,581 Reputation points Microsoft Employee
2024-07-16T06:36:39.7466667+00:00 As I mentioned, "The above is just for troubleshooting."
Not for regularly accessing the VM.
- The idea here is to use the route PRINT command to understand the routing in the OS
Wrt, "Is there any alternate way like using it in a sandbox or something which separates the network?"
- Since you said Azure Bastion, which uses private IP to connect to the VM did not work, I doubt having a sandbox VM to connect to this VM would also fail
- Nevertheless, you can give it a try
However, you should work with the vendor to understand if the VPN itself supports such Virtual Machine scenarios.
- If yes, then you must check how to influence VNET Address range's traffic to stay within the VM and not go via the VPN Tunnel
- If you are able to do this, you can use Bastion as Bastion is from within the VNET's Address range
Cheers,
Kapil
Sign in to comment