![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 31%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,461 questions
Hello @Darren Mizzi ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
In order to create a VPN that you can use to connect to an Azure Virtual machine with certificate authentication, you need to follow the below steps:
1) Create a VPN gateway in your Azure Vnet. The subnet where you deploy the gateway should be named as GatewaySubnet and should have an address space of /27 or larger (/26,/25 etc.).
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
2) Generate certificates for the point to site VPN connection. You need to obtain a root certificate, whose public key information is uploaded to Azure. Then you need to generate client certificates from the trusted root certificate, and install them on each client computer. You can use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#generatecert
If you do not have an enterprise certificate solution, you can create a self-signed root certificate & generate a client certificate from it to use them for point to site VPN connection.
To create a self-signed root certificate and generate client certificates you need to use PowerShell on a Windows 10 machine or Windows Server 2016:
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
NOTE: If you do not have access to a Windows 10 or Windows Server 2016 computer, you can use MakeCert to generate certificates. Can also use Linux instructions as documented in the above link.
3) Upload the root certificate to Azure and configure the point to site settings such as Address pool, tunnel type, authentication type etc.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#type
4) Install the client certificate in your local machine from where you want to access Azure VM (this step needs to be repeated for all the local machines which needs access to Azure via P2S VPN).
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert
5) Download and install the VPN client from Azure portal and connect to it.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert#generate
If you face any issues in your Azure point to site VPN connection, you can refer the below troubleshooting doc for various symptoms and their recommended solutions:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems
Azure Point-to-Site - Certificate authentication FAQs for your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#P2S
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.