When you have an Azure subscription you might be able to use a client VPN for your users.
The minimal SKU you need to have is listed below.
Which gateway SKUs support P2S VPN?
|Generation1||Basic||Max. 10||Max. 128||Not Supported||100 Mbps||Not Supported||No|
|Generation1||VpnGw1||Max. 30*||Max. 128||Max. 250||650 Mbps||Supported||No|
|Generation1||VpnGw2||Max. 30*||Max. 128||Max. 500||1 Gbps||Supported||No|
To configure the Azure Point to Site Connection in my post will be based on the VpnGw1 and it’s based on Radius instead of certificates. First, you have to the azure portal of your organization. Click on Virtual network gateways, assuming you have one already. Click on the virtual network gateway and select Point-to-Site configuration.
If you don’t have a point-to-site configuration you need to add a new one. Create an Address Pool and select a type of Tunnel.
- Choose an address pool
- Select SSTP (SSL) in this case
- Choose Radius Authentication
- Select your NPS Server
- Choose a secret key
Follow the following post to create a rule on your NPS Server: https://github.com/yinghli/Azure-P2S-VPN
At one point in this post, they write about MS-CHAPv2 you need to select at EAP type Select there Microsoft: Secured password (EAP-MSCHAP v2) like below in the picture
If you don’t select this option the VPN client is unable to authenticate and you won’t get a proper connection You will see messages in the event log of an authentication failure.
The connection will be a split-tunnel with only the subnets of azure. in case you have an on-premise environment then you will be able to connect to the on-premise subnet by adding a static route to the VPN tunnel. (yo have to allow the Azure-client-VPN to the necessary NAT rules on your local office firewall.
Add-VpnConnectionRoute -ConnectionName “<vpn tunnel name>” -DestinationPrefix “/24” -PassThru
This route will be added after you connect to the Azure-VPN in the future.
More information: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about