Azure | Point to Site configuration

When you have an Azure subscription you might be able to use a client VPN for your users.
The minimal SKU you need to have is listed below.

Which gateway SKUs support P2S VPN?

SSTP Connections
IKEv2/OpenVPN Connections
Throughput Benchmark
Generation1BasicMax. 10Max. 128Not Supported100 MbpsNot SupportedNo
Generation1VpnGw1Max. 30*Max. 128Max. 250650 MbpsSupportedNo
Generation1VpnGw2Max. 30*Max. 128Max. 5001 GbpsSupportedNo

To configure the Azure Point to Site Connection in my post will be based on the VpnGw1 and it’s based on Radius instead of certificates. First, you have to the azure portal of your organization. Click on Virtual network gateways, assuming you have one already. Click on the virtual network gateway and select Point-to-Site configuration.

If you don’t have a point-to-site configuration you need to add a new one. Create an Address Pool and select a type of Tunnel.

  • Choose an address pool
  • Select SSTP (SSL) in this case
  • Choose Radius Authentication
    • Select your NPS Server
    • Choose a secret key

Follow the following post to create a rule on your NPS Server:
At one point in this post, they write about MS-CHAPv2 you need to select at EAP type Select there Microsoft: Secured password (EAP-MSCHAP v2) like below in the picture

If you don’t select this option the VPN client is unable to authenticate and you won’t get a proper connection You will see messages in the event log of an authentication failure.

The connection will be a split-tunnel with only the subnets of azure. in case you have an on-premise environment then you will be able to connect to the on-premise subnet by adding a static route to the VPN tunnel. (yo have to allow the Azure-client-VPN to the necessary NAT rules on your local office firewall.

Add-VpnConnectionRoute -ConnectionName “<vpn tunnel name>” -DestinationPrefix “/24” -PassThru

This route will be added after you connect to the Azure-VPN in the future.
More information:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.