![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 14.000000000000002%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
185 questions
Hello @FlatulentMonk ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
To setup connectivity from the remote user to on-premises via Virtual WAN, you have two options:
1) Set up Site-to-site connectivity with any existing VPN device. When you connect the IPsec VPN device to Azure Virtual WAN hub, interconnectivity between the Point-to-site User VPN (Remote user) and Site-to-site VPN is automatic.
2) Connect your ExpressRoute circuit to the Virtual WAN hub. Connecting an ExpressRoute circuit requires deploying an ExpressRoute gateway in Virtual WAN. As soon as you have deployed one, interconnectivity between the Point-to-site User VPN and ExpressRoute user is automatic.
Please refer : https://learn.microsoft.com/en-us/azure/virtual-wan/work-remotely-support
Most possible cause of it not working in your case could be the below:
On the P2S User side, do you see the on-premises routes getting added to the VPN client?
Once connected to Azure Point to site VPN, the VPN client should get the routes from Azure VPN gateway, which are stored in this path - C:\Users\UserName\AppData\Roaming\Microsoft\Network\Connections\cm\<VirtualNetworkId\routes.txt
If the on-premise routes are missing, you can manually add those routes in the routes.txt notepad. After adding the routes, check if you are able to access on-premises sites from P2S VPN client.
Other things to check:
Is it same vHUB or across vHUBs?
Do you have any Firewall in the middle?
Virtual WAN allows transit connectivity between VPN and ExpressRoute. This implies that VPN-connected sites or remote users can communicate with ExpressRoute-connected sites. There is also an implicit assumption that the Branch-to-branch flag is enabled and BGP is supported in VPN and ExpressRoute connections.
Bringing ExpressRoute to the setup will not affect transitive routing but as mentioned above, you need BGP on your VPN to be able to connect to ExpressRoute-connected sites from your VPN-connected sites.
Please refer : https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#transit-er
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 55.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)