Point-to-site VPN client configuration workflow: Certificate authentication - Windows

This article walks you through the workflow and steps to configure VPN clients for point-to-site (P2S) virtual network connections that use certificate authentication. These steps continue on from previous articles where the VPN Gateway point-to-site server settings are configured. In this article, you'll generate the client configuration files and install the necessary client certificates used for authentication.

Before you begin

This article assumes that you have already created and configured your VPN gateway for P2S certificate authentication. See Configure server settings for P2S VPN Gateway connections - certificate authentication for steps.

Before beginning the workflow, verify that you're on the correct article. The following table shows the configuration articles available for Azure VPN Gateway P2S VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.

Authentication Tunnel type Generate config files Configure VPN client
Azure certificate IKEv2, SSTP Windows Native VPN client
Azure certificate OpenVPN Windows - OpenVPN client
- Azure VPN client
Azure certificate IKEv2, OpenVPN macOS-iOS macOS-iOS
Azure certificate IKEv2, OpenVPN Linux Linux
Microsoft Entra ID OpenVPN (SSL) Windows Windows
Microsoft Entra ID OpenVPN (SSL) macOS macOS
RADIUS - certificate - Article Article
RADIUS - password - Article Article
RADIUS - other methods - Article Article


In this article, we start with generating VPN client configuration files and client certificates:

  1. Generate files to configure the VPN client.

  2. Generate certificates for the VPN client.

  3. Configure the VPN client. The steps you use to configure your VPN client depend on the tunnel type for your P2S VPN gateway, and the VPN client on the client computer. Links are provided to configuration articles for the specific tunnel and corresponding client.

    • IKEv2 and SSTP - native VPN client - If your P2S VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you connect to your VNet using the native VPN client that's part of your Windows operating system. This configuration doesn't require additional client software. For steps, see IKEv2 and SSTP - native VPN client.
    • OpenVPN - Azure VPN Client and OpenVPN client - If your P2S VPN gateway is configured to use an OpenVPN tunnel and certificate authentication, you have the option to connect using either the Azure VPN Client, or the OpenVPN client.

1. Generate VPN client configuration files

All of the necessary configuration settings for the VPN clients are contained in a VPN client profile configuration zip file. You can generate client profile configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file.

The VPN client profile configuration files that you generate are specific to the P2S VPN gateway configuration for the VNet. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client profile configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more information about P2S connections, see About point-to-site VPN.


When you generate VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:

$profile=New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls"


Copy the URL to your browser to download the zip file.

Azure portal

  1. In the Azure portal, go to the virtual network gateway for the virtual network to which you want to connect.

  2. On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.

  3. At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software, it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you might not see any indications until the packet generates.

    Screenshot of Point-to-site configuration page.

  4. Once the configuration package is generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.

  5. Unzip the file to view the folders. You'll use some, or all, of these files to configure your VPN client. The files that are generated correspond to the authentication and tunnel type settings that you configured on the P2S server.

2. Generate client certificates

For certificate authentication, a client certificate must be installed on each client computer. The client certificate you want to use must be exported with the private key, and must contain all certificates in the certification path. Additionally, for some configurations, you'll also need to install root certificate information.

In many cases, you can install the client certificate directly on the client computer by double-clicking. However, for certain OpenVPN client configurations, you might need to extract information from the client certificate in order to complete the configuration.

  • For information about working with certificates, see Point-to site: Generate certificates.
  • To view an installed client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.

3. Configure the VPN client

Next, configure the VPN client. Select from the following instructions:

Tunnel VPN client
IKEv2 and SSTP Native VPN client steps
OpenVPN Azure VPN Client steps
OpenVPN OpenVPN Client steps

Next steps

For additional steps, return to the P2S article that you were working from.