Azure VPN Gateway: Point-to-Site Configuration

Alan Sosa 40 Reputation points
2024-11-26T00:18:54.55+00:00
I hope they are very well.

I am implementing a new VPN to be able to access different resources in Azure. I need it to be compatible with macOS and Windows users, and I am having problems with the Azure VPN Gateway point-to-site configuration.

At the moment it only allows me to connect from the OpenVPNConnect client but it doesn't let me ping, it only connects...

I would like to use AzureVPNClient because then I could have two-step authentication with Microsoft Authenticator and login with the EntraID/ActiveDirectory access accounts.

How and what are the steps to follow to be able to correctly implement a VPN as I describe?

Accepted answer
  1. hossein jalilian 10,980 Reputation points Volunteer Moderator
    2024-11-26T00:27:48.49+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Follow these steps:

    Step 1: Create and Configure VPN Gateway

    Create a Virtual Network Gateway in Azure Portal

    • Select VPN as the gateway type
    • Choose Route-based VPN type
    • Select an appropriate SKU (e.g., VpnGw1 or higher for better performance)

    Configure Point-to-Site settings

    • Go to your VPN gateway's "Point-to-site configuration" page
    • Click "Configure now"
    • Set the Address pool for VPN clients
    • For Tunnel type, select "OpenVPN (SSL)"
    • For Authentication type, choose "Azure Active Directory"

    Step 2: Set Up Azure AD Authentication

    Register a new application in Azure AD

    • Go to Azure Active Directory in the Azure Portal
    • Navigate to "App registrations" and create a new application
    • Note down the Application ID and Tenant ID

    Configure the VPN gateway to use Azure AD authentication

    • In the Point-to-site configuration, add the Azure AD tenant information
    • Include the Application ID from the registered app

    Step 3: Configure Client Settings

    Download the VPN client configuration package

    • On the Point-to-site configuration page, click "Download VPN client"

    Set up AzureVPN Client for Windows and macOS

    • Download and install AzureVPN Client for respective operating systems
    • Import the downloaded configuration into the AzureVPN Client

    Step 4: Enable Multi-Factor Authentication

    Configure Azure AD Conditional Access

    • Create a new policy in Azure AD Conditional Access
    • Set the policy to require MFA for VPN connections

    Set up Microsoft Authenticator for users

    • Guide users to install and configure Microsoft Authenticator app

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


1 additional answer

  1. Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator
    2024-11-26T08:34:11.63+00:00

    Hi @Alan Sosa

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Adding to the points provided by @hossein jalilian

    1. Deploy a Virtual Network with a dedicated name specific subnet called gateway subnet.
    2. Deploy a VPN gateway in that gateway subnet.
    3. Go to Point to Site configuration fill the below information:
      1. Address Pool: Client Address Pool (open PowerShell as an administrator and run "ipconfig", then find an IPv4 address. Ex: if you get 192.168.2.55, you can give 192.168.2.0/24)
      2. Tunnel type: OpenVPN (SSL)
      3. Authentication type: Azure Active Directory
      4. If you select an "Active-Active mode" VPN, you need to create a new PIP address.
    4. For Azure Active Directory, please follow the below steps:
      1. Tenant: https://login.microsoftonline.com/{Microsoft Entra tenant ID}/
      2. Audience: c632b3df-fb67-4d84-bdcf-b95ad541b5c8
      3. Issuer: https://sts.windows.net/{Microsoft Entra tenant ID}/
    5. Save the Configuration and Download the Azure VPN Client from top.
    6. Download the "Azure VPN Client" application by following the document. Make sure that the Azure VPN Client has permission to run in the background.
    7. For steps, see Windows background apps. Also use the latest version of the app; you can verify it by opening the Azure VPN Client. Go to the bottom of the client and click "..." -> Help.
    8. In the right pane, you can see the client version number.
    9. Extract the downloaded Azure VPN Client zip file and find the "azurevpnconfig_aad.xml or azurevpnconfig.xml" file.
    10. Go to Azure VPN Client app and import the file by following the document.
    11. You need to grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL in a browser, as mentioned in the document. To grant admin consent you need to have the Cloud Application Administrator role at the AAD tenant level.
    12. Please follow this document to enable MFA for your application.

    If above is unclear and/or you are unsure about something, please add a comment below.

    Please don’t forget to close the thread by clicking "Accept the answer" if the information provided helps you, as this can be beneficial to other community members.

    Thanks,

    Sai Prasanna.
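An added Python helper (my own example, not code from either answer) for the Entra ID settings and address-pool steps in both answers above: it derives the Tenant and Issuer URLs (with the Audience quoted above) from a tenant ID, checks that the client address pool does not overlap the VNet prefixes or the LANs clients connect from (an overlap leaves a connected client unable to reach anything), and compares the <aad> block of the downloaded azurevpnconfig_aad.xml against those expected values. The element layout in SAMPLE_PROFILE is an assumption about the profile format; the tenant ID is a constructed placeholder.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Microsoft-registered Azure VPN Client application ID, as quoted in the thread.
AZURE_VPN_AUDIENCE = "c632b3df-fb67-4d84-bdcf-b95ad541b5c8"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
NS = {"p": "http://schemas.datacontract.org/2004/07/"}  # assumed profile namespace

# Constructed sample of the <clientauth> part of azurevpnconfig_aad.xml (assumed layout).
SAMPLE_PROFILE = """<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth><aad>
    <audience>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</audience>
    <issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</issuer>
    <tenant>https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/</tenant>
  </aad></clientauth>
  <type>AAD</type>
</AzVpnProfile>"""


def entra_p2s_settings(tenant_id: str) -> dict:
    """The three values the Point-to-site page asks for, derived from the tenant ID."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"not a tenant GUID: {tenant_id!r}")
    return {
        "tenant": f"https://login.microsoftonline.com/{tenant_id}/",
        "audience": AZURE_VPN_AUDIENCE,
        "issuer": f"https://sts.windows.net/{tenant_id}/",
    }


def address_pool_conflicts(pool: str, vnet_prefixes, client_lans) -> list:
    """Return every VNet prefix or client LAN that the P2S client pool overlaps."""
    p = ipaddress.ip_network(pool, strict=True)  # rejects host addresses such as x.x.x.55/24
    return [n for n in (*vnet_prefixes, *client_lans) if p.overlaps(ipaddress.ip_network(n))]


def check_profile(xml_text: str, tenant_id: str) -> list:
    """List mismatches between the profile's <aad> block and the expected settings."""
    expected = entra_p2s_settings(tenant_id)
    aad = ET.fromstring(xml_text).find("p:clientauth/p:aad", NS)
    if aad is None:
        return ["no <aad> block: profile was not generated with Entra ID authentication"]
    problems = []
    for key in ("tenant", "audience", "issuer"):
        el = aad.find(f"p:{key}", NS)
        got = (el.text or "").strip() if el is not None else ""
        if got != expected[key]:
            problems.append(f"{key}: profile has {got!r}, expected {expected[key]!r}")
    return problems
```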

