Azure Start Point | Point-to-Site VPN

Azure Start Point | Point-to-Site VPN

In this post series we will go through some basic steps on how to start with Microsoft Azure. At this post we will see how we can create Point-to-Site VPN connection with Azure.

If you don’t have an Azure Subscription, you can easily create a free trial by just going to

Create typical a VIrtual Network

In order to create Point-to-Site VPN connection it needs a Virtual Network Gateway. Go to the Virtual Network, Subnets and add a Gateway Subnet.

FInally we can add the Virtual Network Gateway. From the portal, create a Virtual Network Gateway resource and add it to the previously created Virtual Network.

The Virtual Network Gateway can take up to 45 minutes to be created.

Once the Virtual Network Gateway is created we need one more step. To configure Point-to-site. Open the Virtual Network Gateway and press configure.

We will need a root and a client self-signed certificate to complete the setup. Using a WIndows 10 or Windows Server 2016 machine we can make use of the New-SelfSignedCertificate cmdlet that makes the process easy. The whole process is described here:

For the root certificate run the below PowerShell using ISE:

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=prodevrootcert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

For the client certificate run the below PowerShell using ISE:

New-SelfSignedCertificate -Type Custom -DnsName ProDevChildCert -KeySpec Signature `
-Subject "CN=ProDevChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("{text}")

Export the root certificate in cer format using MMC, open the Certificates snap-in and select “current user”. Find the root certificate under Personal –> Certificates and right click –> All Tasks export

Select to “not export the private key” and use Base64 encoded.

Now you have the prodevrootcert.cer

After that, export the client certificate by selecting “export the private key” , select the “include all certificates in the certification path” and the “enable certificate privacy”. Add a password and export it to pfx file.

Now you have the prodevchildcert.pfx. This pfx file must be installed to all the client computers that will use this Point-to-Site connection.

Now lets go back to the Point-to-Site configuration page. Add an address pool that the VPN clients will use. This subnet must be different from the Virtual Network address space.

Then open the root certificate, the cer file, using notepad, copy the text between the Begin and End marks.

Paste the certificate text to the “Root certificated” –> Public certificate data” field and add a name to the “Name” field.

Press Save and the “Download VPN Client” button will be enabled and we can download the VPN client.

In order to establish the VPN connection we need to install the VPN Client and the Client “pfx” certificate to the workstation.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.