Enabling Azure Point-to-Site VPN

Using Azure's Point-to-Site VPN avoids having to expose SSH or WinRM ports to the internet in order to reach the systems.

Before a Point-to-Site VPN can be established, a Virtual Network Gateway must be created. It is associated with the Virtual Network that the VPN will make accessible.

Access to the network will be controlled by certificates.

Azure is configured with the public data of the signing (root) certificate. When a client attempts to connect to the VPN, Azure expects it to present a certificate that has been signed by that root certificate held by the cloud service.

The code snippet below will produce a signing certificate and a client certificate for use with Azure.

# Generate the root cert - up to 20 root certificates can be present on a VPN gateway
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=PointToSiteRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Base64 of the root's public (DER) data - this is what Azure needs, not the private key
$certificate = Get-Item -Path Cert:\CurrentUser\My\$($cert.Thumbprint)
Write-Output "--- RootCert --"
[Convert]::ToBase64String( $certificate.RawData )
Write-Output ""

# Generate a client cert - must be exported with its certificate chain
# Authorised clients require the VPN client and the client cert chain
# (the extension below sets the Client Authentication EKU, 1.3.6.1.5.5.7.3.2)
$childcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=PointToSiteChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

The base64 output can be copied from PowerShell into the Root Certificates section of the gateway's Point-to-Site configuration page.

The Point-to-Site connection requires a subnet / address pool to be created. These IP addresses are allocated to client systems as they successfully authenticate on the connection.
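The two portal steps just described (registering the root certificate and defining the address pool) can also be done with the Az PowerShell module. The following is an added example, not part of the original post; it assumes Connect-AzAccount has already been run, that the root certificate created above is still in Cert:\CurrentUser\My, and that the resource group, gateway name, address range and thumbprint shown are placeholders to be replaced.

```powershell
# Added example (not from the original post). Placeholders: $rg, $gwName, the
# address pool and the revoked thumbprint must be replaced with real values.
$rg     = 'rg-example'        # placeholder resource group
$gwName = 'vnet-gw-example'   # placeholder Virtual Network Gateway name

# Look the root up by subject; only its public DER data leaves this machine.
$root = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=PointToSiteRootCert' } |
    Select-Object -First 1
$rootB64 = [Convert]::ToBase64String($root.RawData)

# Register the root on the gateway: clients whose chain ends at this
# certificate are accepted, everything else is rejected.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'PointToSiteRootCert' `
    -PublicCertData $rootB64 `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg

# Address pool handed to clients after they authenticate. Choose a range that
# does not overlap the virtual network's own address space or anything it
# peers with, otherwise client traffic will not route correctly.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '172.16.201.0/24'   # placeholder range

# If a client machine is lost, revoke just that client certificate by its
# thumbprint; the root and the other clients keep working.
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'lost-laptop' `
    -Thumbprint '<client-cert-thumbprint>' `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg
```

The revocation step is the practical reason to issue one client certificate per machine rather than copying a single one around: with per-machine certificates, removing access for one device is a single thumbprint entry on the gateway instead of a root rotation that affects everyone.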

If multiple machines are to use the VPN, a client certificate (signed by the root certificate) needs to be exported, together with its chain, and installed on each recipient client machine.
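The export itself is not shown on the page, so here is an added example (not the original post's code) that exports the root's public certificate for the portal, exports the client certificate as a PFX with its chain for installation on another machine, and checks that the client certificate really chains to the intended root before it is handed out. It assumes the two certificates created above are present in Cert:\CurrentUser\My under the subjects used in the snippet.

```powershell
# Added example (not from the original post). Assumes the root and client
# certificates from the snippet above exist in the current user's store.
$root   = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=PointToSiteRootCert' } | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=PointToSiteChildCert' } | Select-Object -First 1

# 1. Root: public key only. The .cer holds no private key and is safe to share;
#    the single base64 line is the value the portal's root certificate field wants.
Export-Certificate -Cert $root -FilePath .\PointToSiteRootCert.cer | Out-Null
Set-Content -Path .\PointToSiteRootCert.b64 -Value ([Convert]::ToBase64String($root.RawData))

# 2. Client: PFX containing the private key plus the chain up to the root, so the
#    client machine can present the whole chain. Password is read, not hard-coded.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath .\PointToSiteChildCert.pfx `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 3. Sanity check: build the chain for the client certificate and confirm the
#    anchor is our root. The root is self-signed and not in the trusted store,
#    so allow an unknown authority and compare the anchor thumbprint ourselves.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null

$built  = $chain.Build($client)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built -and $anchor.Thumbprint -eq $root.Thumbprint) {
    Write-Output "OK: client certificate chains to root $($root.Thumbprint)"
} else {
    Write-Output "FAIL: client certificate does not chain to the expected root"
    $chain.ChainStatus | ForEach-Object {
        Write-Output "  $($_.Status): $($_.StatusInformation)"
    }
}
```

Only the .pfx goes to the client machine; the root's private key stays on the machine that issued it. Because the snippet above marked the root key Exportable, it is worth keeping that issuing machine (or at least that certificate store) locked down, since anyone who can export the root key can mint certificates the gateway will trust.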

The VPN client for Point-to-Site is downloaded from the Azure portal.

The downloaded package contains both 32-bit and 64-bit setup executables.

Running the appropriate installer on a machine that holds a valid client certificate sets up the connection to the virtual network.