Wednesday, 6 April 2022

Create and Configure Certificates for Azure Gateway P2S VPN Connection

Azure offers the ability to create Site-to-Site and Point-to-Site VPN connections to Azure Virtual Networks using the native Azure Virtual Network Gateway. It is becoming increasingly irritating to have VMs exposed to the Internet on port 3389 for RDP, so P2S VPN connections are useful for removing the need to create those rules on your NSGs. You can of course use Azure Bastion, but some people prefer a VPN-like connection. Authentication for P2S VPNs can be either AAD or a pair of certificates: a root certificate installed at the VNG, and a client certificate issued from that root installed on the incoming, connecting device.

Create the root certificate using the following code; you can change the Subject field if you like. This is how the certificate will be identified within the local certificate store on the machine you generate it on. Note that this command creates the root certificate under the CurrentUser context.

# Self-signed root: a signing key with the CertSign key usage, kept exportable so it can be backed up.
$rootcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=RPBP2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Create the client certificate from the root certificate. The linkage here is done by the Subject name, so ensure they match to avoid any problems with the trust chain.

# Client certificate issued by the root created above ($rootcert, not an undefined $cert),
# valid for one year, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2) the VPN client requires.
$clientcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=RPBP2SClientCert" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $rootcert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")


Once the commands have completed you will see both certificates within the Current User certificate store. The next step is to export the root certificate so that it can be imported into the VNG.

The correct format is Base-64 encoded X.509 (.CER), as we must be able to open the exported root certificate with Notepad to copy the text onto the VNG.

Copy the content of the root certificate, excluding the BEGIN CERTIFICATE part.
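The export and the trust-chain check above can be scripted rather than clicked through. The following is an added example and not code from the original post: it finds the two certificates in the CurrentUser store by the subject names used above, confirms the client certificate really was issued by the root and carries the Client Authentication EKU, writes the root as a Base-64 .cer plus a header-free paste string for the portal, and exports the client certificate as a PFX for the connecting device. The output folder is an assumption.

```powershell
# Added example (not from the original post). Subject names match the post;
# the output folder $outDir is an assumption.
$rootSubject   = 'CN=RPBP2SRootCert'
$clientSubject = 'CN=RPBP2SClientCert'
$outDir        = Join-Path $env:USERPROFILE 'P2SCerts'   # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Pick the newest certificate with each subject, in case the commands were run more than once.
$rootCert   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $rootSubject } |
              Sort-Object NotBefore -Descending | Select-Object -First 1
$clientCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $clientSubject } |
              Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $rootCert -or -not $clientCert) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# 1. The client must have been issued by the root (this is what -Signer did) and must carry the
#    Client Authentication EKU, otherwise the gateway will reject the connection.
if ($clientCert.Issuer -ne $rootCert.Subject) {
    throw "Client issuer '$($clientCert.Issuer)' does not match root subject '$($rootCert.Subject)'"
}
$ekuExt = $clientCert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value)
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { throw 'Client certificate is missing the Client Authentication EKU' }

# 2. Build the chain the way the gateway sees it: the self-signed root is not in this machine's
#    Trusted Root store, so allow an unknown CA but keep signature and validity-period checks.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.Add($rootCert) | Out-Null
if (-not $chain.Build($clientCert)) {
    $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    throw "Client certificate does not chain to the root: $status"
}

# 3. Export the root's public part as Base-64 encoded X.509 (.CER), the same thing the export
#    wizard produces, and separately the bare Base-64 body for the portal's certificate field.
$base64 = [Convert]::ToBase64String($rootCert.RawData)          # DER bytes -> Base-64, no line breaks
$pemBody = ($base64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
$pem = "-----BEGIN CERTIFICATE-----`r`n$pemBody`r`n-----END CERTIFICATE-----"
$cerPath = Join-Path $outDir 'RPBP2SRootCert.cer'
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# The portal wants only the Base-64 body: no BEGIN/END lines, no line breaks. $base64 is already that.
$pastePath = Join-Path $outDir 'RPBP2SRootCert.portal.txt'
Set-Content -Path $pastePath -Value $base64 -Encoding Ascii

# 4. The client certificate goes to the connecting device with its private key, so protect the PFX
#    with a password. Only the public .cer (no private key) is ever uploaded to the VNG.
$pfxPath = Join-Path $outDir 'RPBP2SClientCert.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password for the client certificate'
Export-PfxCertificate -Cert $clientCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

Write-Output "Root $($rootCert.Thumbprint) -> $cerPath (portal text: $pastePath)"
Write-Output "Client $($clientCert.Thumbprint) -> $pfxPath"
```

Before the root is uploaded, compare the thumbprint printed here with the one shown in the portal after import; it is the quickest way to catch a copy-and-paste error in the Base-64 text.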


Head to the Azure Portal, then to the VNG. From there click on Point-to-site configuration and configure the connection pane as follows.

  • Address Pool - an address block from which incoming VPN clients are assigned addresses. This pool is virtual in nature and has no bearing on the address space used on the VNet.
  • Tunnel Type - select IKEv2 and OpenVPN (SSL). By default this configuration will attempt to connect via IKEv2 first, then fall back to SSL.
  • Authentication type - Azure certificate should be selected; it is also possible to use AAD.

The VPN client package comes pre-configured with the correct certificate settings. If you make changes to this pane in the Azure Portal afterwards, be sure to re-download the client package.
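The same three settings can be applied from the Az PowerShell module, which also makes it easy to verify which roots the gateway trusts and to pull a fresh client package after a change. This is an added example and not code from the original post; the resource group, gateway name, address pool and the path of the Base-64 root text are assumed values, and the cmdlets used are those of the Az.Network module.

```powershell
# Added example (not from the original post). Assumes: Install-Module Az.Network; Connect-AzAccount
# Resource names, address pool and file path below are assumptions.
$rg          = 'rg-p2s-demo'                              # assumed resource group
$gwName      = 'vng-p2s-demo'                             # assumed Virtual Network Gateway name
$rootName    = 'RPBP2SRootCert'
$addressPool = '172.16.201.0/24'                          # assumed; virtual pool, must not overlap the VNet
$certData    = (Get-Content -Path "$env:USERPROFILE\P2SCerts\RPBP2SRootCert.portal.txt" -Raw).Trim()

# Sanity-check the pasted data before it reaches the gateway: it must be valid Base-64 that decodes
# to a certificate whose subject is the root we expect (guards against pasting the wrong file).
$parsed = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certData))
if ($parsed.Subject -ne "CN=$rootName") { throw "Unexpected root subject: $($parsed.Subject)" }

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName

# Address pool, tunnel types (IKEv2 first, OpenVPN/SSL fallback) and Azure certificate authentication,
# mirroring the three portal settings above. The root is supplied as Base-64 body only.
$rootCertObj = New-AzVpnClientRootCertificate -Name $rootName -PublicCertData $certData
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $addressPool `
    -VpnClientProtocol IkeV2, OpenVPN `
    -VpnAuthenticationType Certificate `
    -VpnClientRootCertificates $rootCertObj | Out-Null

# Confirm the gateway trusts exactly the root(s) intended. Every root listed here can issue client
# certificates that the gateway will accept, so an unexpected entry is worth investigating.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
$gw.VpnClientConfiguration.VpnClientRootCertificates |
    Select-Object Name, @{ n = 'Thumbprint'; e = {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($_.PublicCertData)).Thumbprint } }

# Any change above invalidates a previously downloaded client package, so generate a new one.
$clientCfg = Get-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName
$zipPath   = Join-Path $env:USERPROFILE 'P2SCerts\vpnclient.zip'
Invoke-WebRequest -Uri $clientCfg.VpnProfileSASUrl -OutFile $zipPath
Write-Output "Client package saved to $zipPath"
```

The thumbprint listing is the check to repeat periodically: removing a root from the gateway is the only way to stop client certificates issued under it from connecting, since there is no revocation list for self-signed roots unless you also configure revoked client thumbprints on the gateway.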