Configure User VPN P2S clients - certificate authentication - macOS and iOS

This article helps you connect to Azure Virtual WAN from a macOS or iOS operating system over User VPN P2S for configurations that use Certificate Authentication. To connect from an iOS or macOS operating system over an OpenVPN tunnel, you use an OpenVPN client. To connect from a macOS operating system over an IKEv2 tunnel, you use the VPN client that is natively installed on your Mac.

Before you begin

  • Make sure you've completed the necessary configuration steps in the Tutorial: Create a P2S User VPN connection using Azure Virtual WAN.

  • Generate VPN client configuration files: The VPN client configuration files that you generate are specific to the Virtual WAN User VPN profile that you download. Virtual WAN has two different types of configuration profiles: WAN-level (global), and hub-level. If there are any changes to the P2S VPN configuration after you generate the files, or you change to a different profile type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect. See Generate User VPN client configuration files.

  • Obtain certificates: The sections below require certificates. Make sure you have both the client certificate and the root server certificate information. For more information, see Generate and export certificates.

IKEv2 - native client - macOS steps

After you generate and download the VPN client configuration package, unzip it to view the folders. When you configure macOS native clients, you use the files in the Generic folder. The Generic folder is present if IKEv2 was configured on the gateway. You can find all of the information that you need to configure the native VPN client in the Generic folder. If you don't see the Generic folder, make sure IKEv2 is one of the tunnel types, then download the configuration package again.

The Generic folder contains the following files.

  • VpnSettings.xml, which contains important settings like server address and tunnel type.
  • VpnServerRoot.cer, which contains the root certificate required to validate the Azure VPN gateway during P2S connection setup.

Use the following steps to configure the native VPN client on Mac for certificate authentication. These steps must be completed on every Mac that you want to connect to Azure.

Install certificates

Root certificate

  1. Copy the root certificate file - VpnServerRoot.cer - to your Mac. Double-click the certificate. Depending on your operating system, the certificate will either install automatically, or you'll see the Add Certificates page.
  2. If you see the Add Certificates page, for Keychain: click the arrows and select login from the dropdown.
  3. Click Add to import the file.

Client certificate

The client certificate is used for authentication and is required. Typically, you can just click the client certificate to install. For more information about how to install a client certificate, see Install a client certificate.

Verify certificate install

Verify that both the client and the root certificate are installed.

  1. Open Keychain Access.
  2. Go to the Certificates tab.
  3. Verify that both the client and the root certificate are installed.

Configure VPN client profile

  1. Go to System Preferences -> Network. On the Network page, click '+' to create a new VPN client connection profile for a P2S connection to the Azure virtual network.

    Screenshot shows the Network window to click on the plus sign.

  2. On the Select the interface page, click the arrows next to Interface:. From the dropdown, click VPN.

    Screenshot shows the Network window with the option to select an interface, VPN is selected.

  3. For VPN Type, from the dropdown, click IKEv2. In the Service Name field, specify a friendly name for the profile, then click Create.

    Screenshot shows the Network window with the option to select an interface, select VPN type, and enter a service name.

  4. Go to the VPN client profile that you downloaded. In the Generic folder, open the VpnSettings.xml file using a text editor. In the example, you can see that this VPN client profile connects to a WAN-level User VPN profile and that the VpnTypes are IKEv2 and OpenVPN. Even though there are two VPN types listed, this VPN client will connect over IKEv2. Copy the VpnServer tag value.

    Screenshot shows the VpnSettings.xml file open with the VpnServer tag highlighted.

  5. Paste the VpnServer tag value in both the Server Address and Remote ID fields of the profile. Leave Local ID blank. Then, click Authentication Settings....

    Screenshot shows server info pasted to fields.
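Two of the steps above are easy to get wrong by hand: reading the VpnServer value (and confirming IKEv2 is among the tunnel types) out of VpnSettings.xml, and confirming that the root certificate shown in Keychain Access is the VpnServerRoot.cer you meant to install. The following Python script is an added example, not part of this article or of the Azure client package. The VpnServer element is the one the steps refer to; the VpnType element name, the sample server name, and the certificate bytes below are constructed assumptions about the file layout, not copied from a real download.

```python
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of VpnSettings.xml. <VpnServer> is the element the
# steps above name; <VpnType> and its value are assumed for illustration.
SAMPLE_VPNSETTINGS = """<?xml version="1.0" encoding="utf-8"?>
<VpnProfile>
  <VpnServer>example-gateway.vpn.azure.example</VpnServer>
  <VpnType>IkeV2,OpenVPN</VpnType>
</VpnProfile>
"""

# Constructed stand-in for VpnServerRoot.cer (PEM wrapper around the bytes
# "CONSTRUCTED CLIENT CERT"); a real file holds a DER or PEM X.509 certificate.
SAMPLE_ROOT_CERT_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=\n"
    b"-----END CERTIFICATE-----\n"
)


def vpn_settings(xml_text):
    """Return (server, [tunnel types]) from a VpnSettings.xml document.

    Namespace prefixes are stripped so the lookup works whether or not the
    file declares xmlns attributes on its root element.
    """
    root = ET.fromstring(xml_text)
    server, types = None, []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        if tag == "VpnServer" and elem.text:
            server = elem.text.strip()
        elif tag.lower().startswith("vpntype") and elem.text:
            types += [t.strip() for t in elem.text.split(",") if t.strip()]
    if not server:
        raise ValueError("VpnSettings.xml has no VpnServer value")
    return server, types


def supports_ikev2(types):
    """True when IKEv2 is one of the tunnel types (the Generic folder
    only exists in that case, as the article notes)."""
    return any(t.lower() == "ikev2" for t in types)


def cert_fingerprint(cert_bytes):
    """SHA-256 fingerprint of a certificate supplied as DER or PEM bytes,
    returned as space-separated hex pairs so it can be compared with the
    fingerprint Keychain Access displays for the installed root."""
    if b"-----BEGIN CERTIFICATE-----" in cert_bytes:
        m = re.search(
            rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
            cert_bytes, re.S)
        if m is None:
            raise ValueError("malformed PEM certificate")
        cert_bytes = base64.b64decode(b"".join(m.group(1).split()))
    digest = hashlib.sha256(cert_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    # Usage: python check_generic.py Generic/VpnSettings.xml Generic/VpnServerRoot.cer
    # (paths are whatever your unzipped package uses; the sample data is used otherwise)
    if len(sys.argv) == 3:
        xml_text = open(sys.argv[1], encoding="utf-8").read()
        cert = open(sys.argv[2], "rb").read()
    else:
        xml_text, cert = SAMPLE_VPNSETTINGS, SAMPLE_ROOT_CERT_PEM
    server, types = vpn_settings(xml_text)
    print("Server Address / Remote ID:", server)
    print("Tunnel types:", ", ".join(types), "(IKEv2 ok)" if supports_ikev2(types) else "(no IKEv2!)")
    print("Root cert SHA-256:", cert_fingerprint(cert))
```

Paste the printed server value into both Server Address and Remote ID, and compare the printed fingerprint with the one Keychain Access shows for the root certificate before you connect; a mismatch means a different root was installed than the one in the package.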

Configure authentication settings

Big Sur and later

  1. On the Authentication Settings page, for the Authentication settings field, click the arrows to select Certificate.

    Screenshot shows authentication settings with certificate selected.

  2. Click Select to open the Choose An Identity page.

    Screenshot to click Select.

  3. The Choose An Identity page displays a list of certificates for you to choose from. If you’re unsure which certificate to use, you can select Show Certificate to see more information about each certificate. Click the proper certificate, then click Continue.

    Screenshot shows certificate properties.

  4. On the Authentication Settings page, verify that the correct certificate is shown, then click OK.

    Screenshot shows the Choose An Identity dialog box where you can select the proper certificate.

Catalina

If you're using Catalina, use these authentication settings steps:

  1. For Authentication Settings choose None.

  2. Click Certificate, click Select and click the correct client certificate that you installed earlier. Then, click OK.

Specify certificate

  1. In the Local ID field, specify the name of the certificate. In this example, it’s P2SChildCertMac.

    Screenshot shows local ID value.

  2. Click Apply to save all changes.

Connect

  1. Click Connect to start the P2S connection to the Azure virtual network. You may need to enter your "login" keychain password.

    Screenshot shows connect button.

  2. Once the connection has been established, the status shows as Connected and you can view the IP address that was pulled from the VPN client address pool.

    Screenshot shows Connected.

OpenVPN Client - macOS steps

The following example uses Tunnelblick.

Important

Only macOS 10.13 and later is supported with the OpenVPN protocol.

Note

OpenVPN Client version 2.6 is not yet supported.

  1. Download and install an OpenVPN client, such as Tunnelblick.

  2. If you haven't already done so, download the VPN client profile package from the Azure portal.

  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in a text editor.

  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can open the .cer file and copy over the base64 key between the certificate headers.

  5. Fill in the private key section with the P2S client certificate private key in base64. See Export your private key on the OpenVPN site for information about how to extract a private key.

  6. Don't change any other fields. Use the filled-in configuration file as the client input to connect to the VPN.

  7. Double-click the profile file to create the profile in Tunnelblick.

  8. Launch Tunnelblick from the applications folder.

  9. Click the Tunnelblick icon in the system tray and select Connect.

OpenVPN Client - iOS steps

The following example uses OpenVPN Connect from the App Store.

Important

Only iOS 11.0 and later is supported with the OpenVPN protocol.

Note

OpenVPN Client version 2.6 is not yet supported.

  1. Install the OpenVPN client (version 2.4 or higher) from the App Store. Version 2.6 is not yet supported.

  2. If you haven't already done so, download the VPN client profile package from the Azure portal.

  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in a text editor.

  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can open the .cer file and copy over the base64 key between the certificate headers.

  5. Fill in the private key section with the P2S client certificate private key in base64. See Export your private key on the OpenVPN site for information about how to extract a private key.

  6. Don't change any other fields.

  7. E-mail the profile file (.ovpn) to your email account that is configured in the mail app on your iPhone.

  8. Open the e-mail in the mail app on the iPhone, and tap the attached file.

    Screenshot shows message ready to be sent.

  9. Tap More if you don't see Copy to OpenVPN option.

    Screenshot shows to tap more.

  10. Tap Copy to OpenVPN.

    Screenshot shows to copy to OpenVPN.

  11. Tap ADD on the Import Profile page.

    Screenshot shows Import profile.

  12. Tap ADD on the Imported Profile page.

    Screenshot shows Imported Profile.

  13. Launch the OpenVPN app and slide the switch on the Profile page to the right to connect.

    Screenshot shows slide to connect.
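Steps 3 through 6 of both the macOS and the iOS OpenVPN procedures are the same edit: put the client certificate PEM into the cert section of vpnconfig.ovpn and the private key PEM into the key section, and touch nothing else. The Python below is an added example of doing that edit programmatically; it is not part of this article or of the Azure-generated profile. The template, the $CLIENTCERTIFICATE and $PRIVATEKEY placeholders and the PEM payloads are constructed stand-ins; the only assumption about the real file is that it contains a `<cert>...</cert>` and a `<key>...</key>` section. The script replaces the whole section with a complete PEM block (headers included), which is what OpenVPN's inline file format expects, and it refuses a paste where the two PEMs have been swapped, the most common way this step goes wrong. Because the finished .ovpn embeds the private key, the writer creates it owner-readable only.

```python
import base64
import os
import re
import stat
import tempfile

# Constructed stand-in for the Azure-generated vpnconfig.ovpn. Only the
# <cert> and <key> sections matter here; every other line is assumed.
SAMPLE_OVPN_TEMPLATE = """client
remote example-gateway.vpn.azure.example 443
proto tcp
dev tun
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
</ca>
# P2S client certificate
<cert>
$CLIENTCERTIFICATE
</cert>
# P2S client certificate private key
<key>
$PRIVATEKEY
</key>
"""

# Constructed PEM blocks standing in for the exported client certificate and
# its private key (the base64 decodes to placeholder text, not real key material).
SAMPLE_CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgUFJJVkFURSBLRVk=\n-----END PRIVATE KEY-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def extract_pem(text, kind):
    """Return the first PEM block in `text`, re-wrapped at 64 columns.

    `kind` is "CERTIFICATE" or "PRIVATE KEY"; a block of the wrong type
    (for example a key pasted where the certificate belongs) is rejected,
    and the base64 is decoded once so a mangled copy fails here rather
    than inside the VPN client.
    """
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), "".join(m.group(2).split())
    if kind == "CERTIFICATE" and label != "CERTIFICATE":
        raise ValueError(f"expected a certificate, found {label}")
    if kind == "PRIVATE KEY" and not label.endswith("PRIVATE KEY"):
        raise ValueError(f"expected a private key, found {label}")
    base64.b64decode(body, validate=True)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----"


def fill_section(profile, tag, pem_block):
    """Replace everything between <tag> and </tag> with the PEM block."""
    pattern = re.compile(rf"<{tag}>.*?</{tag}>", re.S)
    if pattern.search(profile) is None:
        raise ValueError(f"profile has no <{tag}> section")
    return pattern.sub(lambda _: f"<{tag}>\n{pem_block}\n</{tag}>", profile, count=1)


def build_profile(template, client_cert_pem, client_key_pem):
    """Produce the filled-in .ovpn text; all other lines are left untouched."""
    cert = extract_pem(client_cert_pem, "CERTIFICATE")
    key = extract_pem(client_key_pem, "PRIVATE KEY")
    return fill_section(fill_section(template, "cert", cert), "key", key)


def write_profile(text, path=None):
    """Write the profile with mode 0600 (it contains the private key).
    Returns (path, mode); a temp directory is used when no path is given."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "vpnconfig.ovpn")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # With real files: build_profile(open("OpenVPN/vpnconfig.ovpn").read(),
    #   open("client.cer").read(), open("client.key").read()); paths are yours.
    filled = build_profile(SAMPLE_OVPN_TEMPLATE, SAMPLE_CLIENT_CERT, SAMPLE_CLIENT_KEY)
    print(write_profile(filled)[0])
```

On iOS the article has you mail the finished file to yourself; whatever transport you use, the file is equivalent to the client's private key, so the same care applies to it as to the exported key itself.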

Next steps

Tutorial: Create a P2S User VPN connection using Azure Virtual WAN.