How to set up an azure vpn gateway from a remote user laptop to an Azure VM

Question

How to set up an azure vpn gateway from a remote user laptop to an Azure VM

Anonymous

Hi.
I am trying to set up vpn access from a remote user's laptop to an Azure VM.

I am attempting to configure the vpn gateway to use point to site (I don't see anything point to point) with the "site" being the resource group that the VM is in. (is there any way to do this point to point, as in remote laptop to 1 Azure VM?)

I tried to set this up using Azure AD authentication, but I don't know the answer to the "audience" or "issuer" question. I am ultimately wanting to have a secure RDP session to the VM's desktop application.

What is the best way to do this? I have looked at the documentation but don't see the answers I am looking for.

Any help would be appreciated!

Thanks in advance!
Sharyn

Accepted answer

1 additional answer

Your answer

Answer 1

Hello @Anonymous ,

Thank you for the update.

For better clarity, I have provided the step-by-step instructions with screenshots on how to enable Point to Site with OpenVPN + Azure AD Authentication:

Step 1 - Create or Verify you have a Global Admin account:

Your Azure AD tenant needs the following accounts: a Global Admin account and a user account.
If you do not have Global Administrator account, please create one by following below:

Navigate to Azure Portal : https://portal.azure.com/ --> Search “Azure Active Directory” --> Click on Users --> New User
Add the new user to the subscription with owner access.

Step 2 - Get Azure AD Directory ID that you want to use for authentication:
Navigate to Azure Portal : https://portal.azure.com/ --> Search “Azure Active Directory” --> Properties (Make a note of the Directory ID).

Step 3 - Register the App which will be authorized for Azure AD authentication.
Open Incognito Windows --> Navigate to Azure Portal : https://portal.azure.com/ --> Sign-in with the newly created Global Admin Account.

URL where you need to sign in : https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

NOTE : If you using a global admin account that is not native to the Azure AD tenant to provide consent, please replace “common” with the Azure AD directory id in the above URL. You may also have to replace “common” with your directory id in certain other cases as well.

Native member to Azure AD tenant is a member user or Azure AD member whose account is created via Azure AD > Users > Create user option in the tenant.
A user not native to the Azure AD tenant means a user who is brought over from another directory as a business-to-business (B2B) collaboration guest (guest user).

Select Accept when prompted.

Step 4 - Create a VNET and a VPN gateway (Route Based) if you don’t have any existing VNET\Gateway. If you already have a VPN gateway, skip to next step.

Step 5 - Enable Azure AD authentication on the VPN gateway:

To enable Azure AD authentication on the VPN gateway navigate to VPN gateway -> Point-to-site configuration and add below details:

Client address pool: Add an address space - VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.
Select OpenVPN (SSL) as the Tunnel type.
Select Azure Active Directory as the Authentication type,
Then fill in the information under the Azure Active Directory section as below:
Tenant: TenantID for the Azure AD tenant : https://login.microsoftonline.com/{AzureAD TenantID}/
Audience: Application ID of the "Azure VPN" Azure AD Enterprise App : 41b23e61-6c1e-4545-b367-cd054e0ed4b4
Issuer: URL of the Secure Token Service : https://sts.windows.net/{AzureAD TenantID}/

NOTE : Replace your Tenant ID above where it says AzureAD TenantID. Make sure you include a trailing slash at the end of the AadIssuerUri value. Otherwise, the connection may fail.

Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication
You can find the Tenant, Audience and Issuer values in the step 9 of the above doc and they are provided to you for all Azure clouds. I believe you are using Azure Public cloud and hence I have added the Public cloud values in my step.

Step 6 - Download the VPN Client profile & extract the VPN Client Package.
Navigate to Azure Portal : https://portal.azure.com/ --> go to your VPN gateway --> select Point-to-site configuration --> At the top of the Point-to-site configuration page, select Download VPN client. It takes a few minutes for the client configuration package to generate.

Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download

Step 7 - Download and Install Azure VPN Client from Microsoft Store :

Browse to Microsoft store - https://www.microsoft.com/en-us/p/azure-vpn-client/9np355qt2sqb#activetab=pivot:overviewtab and get the Azure VPN client.

Step 8 - Configure Azure VPN Client :
Open the installed Azure VPN Client --> Click on Import --> Navigate to the VPNclientConfiguration extracted folder (refer step6)
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#import

To manually add the VPN profile, you can use the VpnSettings.xml file extracted in step 6 to get the required information such as Audience, Issuer, Tenant, FQDN & ServerSecret.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#connection
After filling out the values, select Save.

Step 9 - Connect to P2S VPN.
Select Connect on the Azure VPN client to connect to the VPN.
Select the proper credentials (Azure AD account) to sign-in.
Once successfully connected, the icon will turn green and say Connected.

Additional Information:
Now, coming to your question of why you need another address space in the point to site configuration when you already have added a GatewaySubnet, please find the answer below:

Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway. We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Select Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet. So, while you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, /25 etc.).
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#do-i-need-a-gatewaysubnet

P2S VPN Client address pool: The client address pool is a range of private IP addresses that you specify in your P2S VPN configuration. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to. VPN clients dynamically receive an IP address from the range that you specify. The minimum subnet mask is 29 bit for active/passive and 28 bit for active/active configuration.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Anonymous

2022-03-16T14:24:41.647+00:00

Thank you so much for this!

I'll work on this and give an update in the next day or 2.

Sharyn
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-17T14:12:41.103+00:00

Sure, @Anonymous . Will wait for your update on this.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-22T11:09:50.59+00:00

Hello @Anonymous ,

Just checking in to see if the above answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Gita
Anonymous

2022-03-22T14:38:48.41+00:00

Hi.

I am still having some issues/questions on this.

The Azure vpn client is not importing the xml profile that was created before downloading the client. It is also asking me about a certificate. I did create a self signed cert but if I'm using Azure AD as authentication,, do I need the cert?

I created it from Azures cert documentation but I don't know what to do with it to get it to where it's supposed to be. Also, I'm uncertain what type of self signed cert I created from powershell in order to choose the correct one from the client settings.

So, even though your step by step instructions were great and helped me get started, I still can't seem to get this working.

What did I miss?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-22T14:45:33.297+00:00

Hello @Anonymous ,

The authentication configuration on your point to site VPN in Azure portal and the VPN client should be set to Azure Active Directory as below:

Azure portal:

VPN client on your machine:

Could you please validate that they are set accordingly?

Regards,
Gita
Anonymous

2022-03-22T14:54:54.513+00:00

Here are my Gateway settings, with my real tenant ID blacked out
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-22T15:37:27.947+00:00

Thank you, @Anonymous . And did you try to add the configuration on your VPN client?

You can try to manually add the VPN profile, using the extracted VpnSettings.xml file where you have the required information such as Audience, Issuer, Tenant, FQDN & ServerSecret.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#connection
After filling out the values, select Save.

And please let me know if that works.

Answer 2

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @Anonymous ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to setup an Azure point to site VPN with Azure AD authentication and need help in finding the "audience" and "issuer" information to configure the VPN profile.

Please validate if you have already created the Azure AD tenant for P2S connections and enabled Azure AD authentication on the VPN gateway following the below article:
https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant

Post that you configure a VPN client to connect to a virtual network using Point-to-Site VPN and Azure Active Directory authentication with OpenVPN protocol, you need to download the Azure VPN Client and configure a VPN client profile on every computer that wants to connect to the VNet.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client

You can generate & download client configuration files using PowerShell, or by using the Azure portal. In the downloaded AzureVPN folder, the azurevpnconfig.xml file contains information that is necessary to configure a VPN connection such as Audience, Issuer, Tenant, FQDN & ServerSecret etc.
How to generate and download VPN profile : https://learn.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Anonymous

2022-03-15T13:46:31.693+00:00

Hi.
Thanks for your response.

I am unsure what creating another tenant is going to do to our default tenant, already created in Azure AD
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-15T13:51:45.387+00:00

Hello @Anonymous ,

As mentioned in this doc, verify that you have an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps mentioned in the doc.
So, if you already have a tenant, you do not need to create another.

You can start from enabling Azure AD authentication on your VPN gateway.
Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication

Regards,
Gita
Anonymous

2022-03-15T15:34:50.34+00:00

I am lost. Do I need to configure/create a certificate AND enable Azure AD authentication? I thought it was one or the other. ?

Concerning the private IPs used for client connection, I thought that I had already configured that in the gateway subnet

GatewaySubnet (10.x.xx.xx/27) (obviously I used a real ip range)

If the client subnet requires a different set of IPs, why do I need so many in the gateway subnet?

I I have read and re-read the enabling AD authentication page. When I try to do that, It is asking for an audience and issuer. What is that? What does that mean?

Do all of these have to be filled out?

The part that says go to the AD properties page and copy the directory ID....There is no directory ID, just the tenant ID. If I put in the tenant ID, I get this page.

Obviously this is the first time doing this. The documentation is confusing! It's written for folks who already know to a point, how to do this.
Thanks for your patience
Sharyn
BASSEY-GODWIN BLESSING 1 Reputation point

2022-03-15T15:54:58.743+00:00

certainly sure..
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-15T18:38:58.367+00:00

Hello @Anonymous ,

Thank you for the update.

I've added another answer below with the step-by-step instructions and screenshots on how to enable Point to Site with OpenVPN + Azure AD Authentication.

Hope that helps!

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Anonymous

2022-03-22T16:03:46.077+00:00

im getting this error on the client

3‎/‎22‎/‎2022‎ ‎11‎:‎55‎:‎37‎ ‎AM: Failed to validate the VPN connection with error -2147024809
‎3‎/‎22‎/‎2022‎ ‎11‎:‎55‎:‎37‎ ‎AM: AAD Issuer must begin with https://
Anonymous

2022-03-22T16:05:46.153+00:00

<issuer> https://sts.windows.net/ My tenant ID

This is the line in the xml file, I can clearly see https://
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-22T16:31:42.94+00:00

Hello @Anonymous ,

I have seen this issue before and it normally happens when there is a space before the AAD Issuer in your configuration. Please make sure that there is no extra space at the beginning of the issuer ID on the P2S config.

Regards,
Gita
Anonymous

2022-03-22T16:33:20.81+00:00

Im getting a new error now on the client:
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-22T16:47:38.643+00:00

Hello @Anonymous ,

This error could pop up due to incorrect AAD tenant.
Could you please validate the tenant ID on your P2S VPN client configuration again? Also, try a machine restart (if possible).

If this issue persists, we may need to collect logs for further investigation.

Regards,
Gita
Anonymous

2022-03-22T17:10:06.057+00:00

I did a machine restart and nothing changed.

I will re-validate my tenant id on my client.

Thank you for all your help so far
Anonymous

2022-03-22T20:57:15.727+00:00

no matter what I do, I get the same error over and over , the one about the vpn control packets.

I have checked and double checked both gateway and client settings.

I don't know what else to do.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-23T09:15:04.17+00:00

Hello @Anonymous ,

Thank you for the update.
Usually these errors occur when there is an extra space before or after the AAD Tenant, Audience & Issuer.
Could you please check again and make sure that there are no extra spaces before or after the AAD Tenant, Audience & Issuer information?

As I mentioned earlier, if the issue persists, we would need log collection for further investigation. So if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Regards,
Gita
Anonymous

2022-03-23T11:41:41.667+00:00

Thank you.

I copied the tenant, issuer and audience directly from a notepad file. I am 100% sure there are no extra spaces.

We do not have a support plan unfortunately.

Anything else you can do would be appreciated,

I may just ask my boss if we can buy support for a month to get this fixed.

Thanks again,
Sharyn
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-23T15:56:27.05+00:00

Hello @Anonymous ,

Please send us an email as requested over the private message for us to help you get a one-time free technical support.

Regards,
Gita
Anonymous

2022-03-23T16:21:22.36+00:00

just sent it, thanks
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-03-24T06:53:10.913+00:00

Thank you for your email, @Anonymous .

Update : We've successfully created a support request for further troubleshooting on the P2S VPN connection issue.

Regards,
Gita

Share via

How to set up an azure vpn gateway from a remote user laptop to an Azure VM

1 additional answer

Your answer