Azure WAN and P2S VPN Forced Tunneling

Ajeet Singh 71

I have setup Azure WAN with a secured hub(Azure Firewall). WAN also has a P2S VPN which am successfully able to connect to. I understand forced tunneling was not an option before Azure VWAN, but now can i do forced tunneling for my P2S clients and give them a common public IP address instead of their own ISP Public IP Address?

Accepted answer

GitaraniSharma-MSFT 47,011 Reputation points Microsoft Employee

2021-10-14T16:40:27.6+00:00

Hello @Ajeet Singh ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Yes, you can do forced tunneling for your P2S clients.

If you secure internet traffic via Firewall Manager you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

2 people found this answer helpful.
Ajeet Singh 71 Reputation points

2021-10-14T22:13:49.877+00:00

Hi @GitaraniSharma-MSFT

I already did what you've mentioned however i still not see the Public IP from Firewall on my client. It is still from my ISP.

GitaraniSharma-MSFT 47,011 Reputation points Microsoft Employee

2021-10-19T13:32:29.12+00:00

Hello @Ajeet Singh ,

Apologies for the delay in response.

I have confirmed with the PG and this should work if configured correctly. Did you setup the Azure Firewall Policy to allow P2S traffic to Internet?
To advertise 0.0.0.0/0 route to your VPN clients, you need to break them into two smaller subnets 0.0.0.0/1 and 128.0.0.0/1 as mentioned in the below doc:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

Regards,
Gita

Ajeet Singh 71 Reputation points

2021-10-20T04:08:43.79+00:00

Hi @GitaraniSharma-MSFT

Thanks for your supoprt, however I already had the setup that you've mentioned. Finally I got it working by adding the route directly in my downloaded azurevpnconfig.xml.

I added the following and it worked.

<clientconfig>

<includeroutes> <route> <destination>0.0.0.0</destination><mask>1</mask> </route> <route> <destination>128.0.0.0</destination><mask>1</mask> </route> </includeroutes>

</clientconfig>

If i add these routes in Default Route on Portal it only adds 0.0.0/0 to my client and skips 0.0.0.0/1 and 128.0.0.0/1

GitaraniSharma-MSFT 47,011 Reputation points Microsoft Employee

2021-10-20T11:21:41.143+00:00

Thanks for the update @Ajeet Singh . Glad to know it worked.

NSimpraga 161 Reputation points

2022-05-13T13:22:49.68+00:00

Greetings, I am facing the same issue and the same thing is happening - I have to manually edit the azurevpnconfig.xml file to include the 0.0.0.0/1 and 128.0.0.0/1 routes. That is the only way to get the clients the needed routes. The routes don't get actually advertised to the clients if they're added to the route table of the Virtual Hub, they get skipped & ignored.

Any way to resolve this?

MostLourh 26 Reputation points

2022-05-13T15:20:54.6+00:00

@ NSimpraga-7653

in my case, i created a secure Hub as a hub of VWAN, i added P2S gateway and a azure Firewall, in VWAN you have a route server that propagate VNet routes using BGP including 0.0.0.0 /route. this route can be configured in routing table on virtual hub

Asad Rehman 1 Reputation point

2022-12-16T18:52:48.447+00:00

I am able to get the route 0.0.0.0/0 advertised, set the client config to version 2 from 1. When i connect to the VPN, j am not able to connect to any website, or ping google etc. Is this expected?

Navyanth Gowda 0 Reputation points

2024-01-29T18:52:17.4+00:00

running into similar issues. I've tried all the steps mentioned in this discussion forum, but not able to connect to the internet. here is my setup. I'm using macos for the Azure VPN client (entra id authentication) i'm able ping the private IP of the firewall once connected to the VPN but cannot get to the public or to the internet. The default route has 0.0.0.0/0 and in my config xml file i've included to the routes for 0.0.0.0/1 and 128.0.0.0/1 i also executed the poweshell command. unchecked the high avaulabiity option in the VPN client. firewall policy is created to allow traffic.

Jarvis 0 Reputation points

2024-01-31T14:33:43.7733333+00:00

@Navyanth Gowda is your dns resolving correctly? you will need an Azure private dns resolver and create a new network fw rule to let the vpn client pools to it.

Navyanth Gowda 0 Reputation points

2024-01-31T19:28:35.7566667+00:00

I dont have a DNS setup for this. Do we need it?

Jarvis 0 Reputation points

2024-01-31T19:58:29.9933333+00:00

@Navyanth Gowda yes, you will need it if you want access to the internet. Default Azure DNS will not work.

Navyanth Gowda 0 Reputation points

2024-02-03T20:32:55.12+00:00

ok, can you provide any links on how to set it up?

Jarvis 0 Reputation points

2024-02-06T14:45:26.9866667+00:00

@Navyanth Gowda you can use terraform https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver
or https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

You'll need a virtual network for the private dns resolver, private dns resolver inbound endpoint, virtual network dns servers, private dns zone virtual network links for each network that needs dns.

Navyanth Gowda 0 Reputation points

2024-02-15T22:16:57.49+00:00

thank you Jarvis . I was able to resolve this by enabling DNS and DNS proxy at the firewall, and using custom DNS in the virtual hub to point to the private IP of the firewall.
Sign in to comment

6 additional answers

MostLourh 26 Reputation points

2022-01-11T02:24:26.363+00:00

Hi AjeetSingh

I have the same need, what rule was added on Firewall policy?

Thanks
Please sign in to rate this answer.

1 person found this answer helpful.
Ajeet Singh 71 Reputation points

2022-12-04T10:32:57.797+00:00

Hi,

All you have done on Azure WAN side is correct. Last bit is to add the route to your client' xml. add this to the azure vpn xml and it should force the internet traffic to route via Azure' Firewall.

<includeroutes>
<route>
<destination>0.0.0.0</destination><mask>1</mask>
</route>
<route>
<destination>128.0.0.0</destination><mask>1</mask>
</route>
</includeroutes>

Asad Rehman 1 Reputation point

2022-12-15T06:20:57.877+00:00

Hi Ajeet,

Thank you for you information so far. I am running into the same issue. Seeing the 0.0.0.0 route advertised, after connecting to VPN but I am not able to get to the internet.

Did you set anything firewall policy wise or in routing wise. Thank you
Sign in to comment
Patrick Holohan 1 Reputation point

2022-09-25T09:48:47.35+00:00

Hi All,

I'm not sure if you are still looking for the answer. I recently built an Azure virtual WAN with a secure virtual hub, I configured Azure point-to-site (Azure AD authentication) and wanted to route all traffic through the firewall.

I found the answer to be as simple as changing the version number in the downloaded azurevpnconfig.xml from 1 to 2.

https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

This worked for me.

Regards
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Victor Tan 1 Reputation point

2022-12-02T00:20:22.563+00:00

I am trying to do the same. I have created a virtual wan, create a virtual hub, and attached my p2s VPN to it. the virtual hub is secured by an azure firewall. I have added 0.0.0.0/0 to the default route and the next hop is the firewall.

also, update the VPN using Update-AzP2sVpnGateway

I have also updated the version from 1 to 2

but none of this forced internet traffic from my local machine to use the VPN connection.

Any ideas to troubleshoot?

thanks
Please sign in to rate this answer.
Patrick Holohan 1 Reputation point

2022-12-02T15:39:35.727+00:00

I'm not sure of your configuration, however have you configured your P2S traffic to go out via the secure virtual hub? Not just entering the default route?

Azure Firewall manager \ Security configuration \ P2S connection \ Send internet traffic via Azure Firewall.
Sign in to comment
Victor Tan 1 Reputation point

2022-12-02T17:49:45.873+00:00

I do have this enabled for secured traffic. What policy do you have on your firewall?
Please sign in to rate this answer.
Victor Tan 1 Reputation point

2022-12-02T19:41:31.31+00:00

I can't even ping the private ip address associated with the firewall.

my local route table is showing 0.0.0.0 going to the VPN ip with a lower metric. Once I turn on the VPN, it nuked my internet connection.

Patrick Holohan 1 Reputation point

2022-12-02T19:52:01.437+00:00

You will need a firewall policy allow https and DNS (UDP 53). Firewall policy will deny all traffic by default.

This will allow all traffic from the P2S subnet. You will want to be more specific, but this is good for testing.

Victor Tan 1 Reputation point

2022-12-02T20:32:52.627+00:00

for purpose of testing i have created a rule to allow all but still does not work.
Sign in to comment