LazaUK/Azure-VPNGateway-Point2Site
Azure VPN Gateway: Point-to-Site (P2S) Configuration Guide

Configuring both Azure VPN Gateway and VPN client to connect to your Azure VNet from a local Windows machine.

The Basic SKU of Azure VPN Gateway cannot yet be set up through the Azure portal UI, which is why this repo describes its configuration through PowerShell commands.

📑 Table of Contents:

  • Part 1: Provisioning Azure Infrastructure
    1.1 Preparing Gateway Subnet
    1.2 Deploying Basic VPN Gateway
  • Part 2: Certificate Management & Security
    2.1 Generating Self-Signed Root Certificate
    2.2 Generating Self-Signed Client Certificate
    2.3 Uploading to Azure
  • Part 3: Local Windows Client Configuration
    3.1 Understanding the Folders
    3.2 Resolving the "Trust Chain"
    3.3 Manual Profile Setup
  • Part 4: Private Link DNS Resolution
    4.1 The "Hosts File" Bridge
    4.2 Verification

Part 1: Provisioning Azure Infrastructure

1.1 Preparing Gateway Subnet

Azure requires a dedicated subnet named GatewaySubnet to host the VPN infrastructure.

  • Subnet Purpose: Virtual Network Gateway,
  • Subnet Name: GatewaySubnet (assigned automatically),
  • Address Space: Recommended /27 or larger.

[Image: VPN_GW_Subnet]

1.2 Deploying Basic VPN Gateway

Deploy the Basic SKU Gateway with a Dynamic Public IP.

# Create Public IP
$gwpip = New-AzPublicIpAddress -Name "VNetGWIP1" -ResourceGroupName "Network_RG" -Location "SwedenCentral" -AllocationMethod Dynamic -Sku Basic

# Get VNet and Subnet info
$vnet = Get-AzVirtualNetwork -Name "Core-VNet" -ResourceGroupName "Network_RG"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Create Gateway configuration
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

# Provision the Gateway
New-AzVirtualNetworkGateway -Name "P2S-VPNGW" -ResourceGroupName "Network_RG" -Location "SwedenCentral" -IpConfigurations $gwipconfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "Basic"

Note

Provisioning of the VPN Gateway may take roughly 30-40 min.
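Two checks worth running around the deployment in 1.1 and 1.2, as an added example that is not part of the repository: a pre-flight test that the GatewaySubnet exists, is /27 or larger and has no network security group attached (Azure does not support NSGs on the gateway subnet), and a polling loop on the gateway's ProvisioningState for use when the deployment is started with -AsJob. Resource names are the guide's; the function names are this example's own.

```powershell
# Added example, not part of the repository: pre-flight check on GatewaySubnet
# and a polling loop on the gateway's ProvisioningState. Resource names are the
# guide's; function names are this example's own.

function Test-GatewaySubnet {
    param(
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
    if (-not $subnet) {
        throw "VNet '$VNetName' has no subnet named 'GatewaySubnet'; create it before deploying the gateway."
    }
    # AddressPrefix is a list in current Az versions; a gateway subnet carries one prefix
    $prefix = @($subnet.AddressPrefix)[0]
    $bits   = [int] $prefix.Split('/')[1]
    if ($bits -gt 27) {
        throw "GatewaySubnet prefix $prefix is smaller than /27; use /27 or larger."
    }
    if ($subnet.NetworkSecurityGroup) {
        # NSGs are not supported on the gateway subnet and can break the deployment
        Write-Warning "GatewaySubnet has a network security group attached; remove it before deploying."
    }
    return $subnet
}

function Wait-GatewayProvisioned {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [int] $TimeoutMinutes = 60,   # the guide quotes 30-40 min for the Basic SKU
        [int] $PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $gw = Get-AzVirtualNetworkGateway -Name $Name -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
        $state = if ($gw) { $gw.ProvisioningState } else { 'NotFound' }
        Write-Host ("{0:HH:mm:ss}  {1} -> {2}" -f (Get-Date), $Name, $state)
        if ($state -eq 'Succeeded') { return $gw }
        if ($state -eq 'Failed')    { throw "Gateway '$Name' provisioning failed; check the activity log." }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for gateway '$Name'."
}

# Usage with the guide's names:
Test-GatewaySubnet -VNetName 'Core-VNet' -ResourceGroupName 'Network_RG'
# After starting the deployment with New-AzVirtualNetworkGateway ... -AsJob:
Wait-GatewayProvisioned -Name 'P2S-VPNGW' -ResourceGroupName 'Network_RG'
```

Without -AsJob, New-AzVirtualNetworkGateway blocks until the deployment finishes, so the wait loop is only needed when you start the job and return to the session later.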

Part 2: Certificate Management & Security

Azure Point-to-Site (P2S) connectivity can use certificates for authentication. You must generate a Root certificate for Azure and a Client certificate for your local machine.

2.1 Generating Self-Signed Root Certificate

Run this command in an Admin PowerShell session to create the root certificate:

$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

2.2 Generating Self-Signed Client Certificate

Run this command in an Admin PowerShell session to create a client certificate signed by the root one:

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature -Subject "CN=P2SClientCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Important

When generating the client certificate, the -TextExtension for Client Authentication (1.3.6.1.5.5.7.3.2) is mandatory. Without this, the Windows VPN client will not "see" the certificate, resulting in Error 798.
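To catch the Error 798 case before it surfaces in the VPN client, here is an added example (not the repository's code) that inspects the certificates created in 2.1 and 2.2: it checks that the client certificate carries the Client Authentication EKU, has its private key, was issued by the root, that the root has the CertSign key usage, and that both are within their validity period (self-signed certificates from New-SelfSignedCertificate expire after one year by default). Subjects and store path default to the guide's values; the function name is this example's own.

```powershell
# Added example, not part of the repository: validate the root/client pair
# from sections 2.1 and 2.2 before using them. Function name is this example's own.

function Test-P2SClientCertificate {
    param(
        [string] $ClientSubject = 'CN=P2SClientCert',
        [string] $RootSubject   = 'CN=P2SRootCert',
        [string] $StorePath     = 'Cert:\CurrentUser\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU the guide calls mandatory

    # Newest certificate wins if the commands were run more than once
    $client = Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -eq $ClientSubject } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    $root   = Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -eq $RootSubject } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $client) { throw "No certificate with subject '$ClientSubject' in $StorePath" }
    if (-not $root)   { throw "No certificate with subject '$RootSubject' in $StorePath" }

    # Enhanced Key Usage extension of the client certificate (OID list)
    $ekuExt = $client.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Key Usage extension of the root: it must be allowed to sign certificates
    $kuExt = $root.Extensions |
             Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $rootCanSign = [bool]($kuExt -and (($kuExt.KeyUsages -band $certSign) -ne 0))

    $now = Get-Date
    $result = [PSCustomObject]@{
        ClientThumbprint     = $client.Thumbprint
        HasPrivateKey        = $client.HasPrivateKey
        HasClientAuthEku     = ($ekus -contains $clientAuthOid)      # false -> Error 798 in the VPN client
        IssuedByRoot         = ($client.Issuer -eq $root.Subject)
        RootHasCertSign      = $rootCanSign
        ClientWithinValidity = ($client.NotBefore -le $now) -and ($client.NotAfter -gt $now)
        RootWithinValidity   = ($root.NotBefore -le $now) -and ($root.NotAfter -gt $now)
    }
    $allOk = $result.HasPrivateKey -and $result.HasClientAuthEku -and $result.IssuedByRoot -and
             $result.RootHasCertSign -and $result.ClientWithinValidity -and $result.RootWithinValidity
    $result | Add-Member -NotePropertyName AllChecksPassed -NotePropertyValue $allOk
    return $result
}

# Run with the guide's defaults; every property should read True
Test-P2SClientCertificate | Format-List
```

If HasClientAuthEku is False, regenerate the client certificate with the -TextExtension shown above rather than trying to repair the existing one; the EKU is part of the signed certificate body.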

2.3 Uploading to Azure

Extract the public certificate data (Base64-encoded DER) from your Root certificate and upload it to the Gateway.

# Get the Public Key string from the local cert
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "CN=P2SRootCert"}
$rootCertText = [System.Convert]::ToBase64String($cert.RawData)

# Create the certificate configuration object
$rootCertConfig = New-AzVpnClientRootCertificate -Name "P2SRootCert" -PublicCertData $rootCertText

# Apply to the Gateway
$vng = Get-AzVirtualNetworkGateway -Name "P2S-VPNGW" -ResourceGroupName "Network_RG"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vng -VpnClientAddressPool "172.16.0.0/24" -VpnClientRootCertificate $rootCertConfig

# CRITICAL: Basic SKU defaults to IkeV2 only. You MUST add SSTP for Windows compatibility.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vng -VpnClientProtocol "IkeV2", "SSTP"
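After the three Set-AzVirtualNetworkGateway calls above it pays to read the configuration back rather than trust that each call applied. This added example (not from the repository) fetches the gateway, compares the uploaded root certificate with the local one by thumbprint (so whitespace or encoding differences in the Base64 do not matter), confirms the address pool and that SSTP is enabled, and adds a helper that revokes a client certificate by thumbprint for a lost or retired machine using the Az cmdlet Add-AzVpnClientRevokedCertificate. Gateway and resource-group names default to the guide's; the function names and the placeholder thumbprint are this example's own.

```powershell
# Added example, not part of the repository: read back the P2S configuration
# applied in 2.3 and provide a revocation helper. Function names are this
# example's own; gateway/RG names are the guide's.

function Test-P2SGatewayConfig {
    param(
        [string] $GatewayName       = 'P2S-VPNGW',
        [string] $ResourceGroupName = 'Network_RG',
        [string] $RootSubject       = 'CN=P2SRootCert',
        [string] $ExpectedPool      = '172.16.0.0/24'
    )
    $gw  = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    $cfg = $gw.VpnClientConfiguration
    if (-not $cfg) { throw "Gateway '$GatewayName' has no Point-to-Site configuration yet." }

    $localRoot = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $RootSubject } |
                 Sort-Object NotAfter -Descending | Select-Object -First 1

    # PublicCertData is the Base64 DER uploaded in 2.3; parse it back into a certificate
    # and compare thumbprints instead of raw strings
    $uploadedThumbprints = @(foreach ($rc in $cfg.VpnClientRootCertificates) {
        $der = [Convert]::FromBase64String($rc.PublicCertData)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Thumbprint
    })
    $protocols = @($cfg.VpnClientProtocols)

    [PSCustomObject]@{
        Gateway      = $GatewayName
        Sku          = $gw.Sku.Name
        AddressPool  = ($cfg.VpnClientAddressPool.AddressPrefixes -join ',')
        PoolMatches  = ($cfg.VpnClientAddressPool.AddressPrefixes -contains $ExpectedPool)
        Protocols    = ($protocols -join ',')
        SstpEnabled  = ($protocols -contains 'SSTP')   # required for the Windows client path in Part 3
        RootUploaded = [bool]($localRoot -and ($uploadedThumbprints -contains $localRoot.Thumbprint))
        RevokedCount = @($cfg.VpnClientRevokedCertificates).Count
    }
}

function Revoke-P2SClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the client cert, no spaces
        [Parameter(Mandatory)] [string] $Name,         # label for the revoked entry, e.g. the machine name
        [string] $GatewayName       = 'P2S-VPNGW',
        [string] $ResourceGroupName = 'Network_RG'
    )
    # The gateway rejects any client certificate whose thumbprint is on the revoked list,
    # even though the root certificate that signed it remains trusted
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
        -Thumbprint $Thumbprint | Out-Null
    (Test-P2SGatewayConfig -GatewayName $GatewayName -ResourceGroupName $ResourceGroupName).RevokedCount
}

Test-P2SGatewayConfig | Format-List
# Revoke a client certificate (placeholder thumbprint, not a real certificate):
# Revoke-P2SClientCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Name 'laptop-retired'
```

PoolMatches, SstpEnabled and RootUploaded should all be True before moving on to Part 3; a False in SstpEnabled means the second Set-AzVirtualNetworkGateway call did not take effect and the Windows client will fall back to IKEv2 only.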

Part 3: Local Windows Client Configuration

You can now open the VPN Gateway resource in the Azure portal and click "Settings -> Point-to-site configuration -> Download VPN client" to download a .zip file with the VPN client packages.

[Image: VPN_GW_P2S]

3.1 Understanding the Folders

  • WindowsAmd64 Folder: Contains the automated installer (VpnClientSetupAmd64.exe) for 64-bit Windows. Use this for a quick, standard installation.
  • Generic Folder: Contains VpnSettings.xml. Use this if the installer fails or if you need to manually configure the connection using the SSTP FQDN.

3.2 Resolving the "Trust Chain"

  • Open certmgr.msc (Win + R, then type certmgr.msc),
  • Copy P2SRootCert from Personal > Certificates,
  • Paste it into Trusted Root Certification Authorities > Certificates.

3.3 Manual Profile Setup

If the .exe installer fails, create a manual VPN connection:

  • VPN Type: SSTP (Secure Socket Tunneling Protocol),
  • Server Address: Found in VpnSettings.xml (e.g., azuregateway-xxx.vpn.azure.com),
  • Authentication: Microsoft: Smart Card or other certificate.

[Image: VPN_GW_SSTP]
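The trust-chain fix in 3.2 and the server address lookup in 3.3 can both be scripted, as in this added example (not the repository's code). It copies only the public part of P2SRootCert into the user's Trusted Root store (Windows shows a confirmation dialog for that store), then proves the fix worked by building the client certificate's chain with .NET's X509Chain, and reads the SSTP server FQDN from the VpnServer element of VpnSettings.xml so it can be pasted into the manual connection. The function names are this example's own; a constructed VpnSettings.xml fragment with a placeholder FQDN is embedded so the script runs without the downloaded zip, and in practice you point it at Generic\VpnSettings.xml instead. The final Test-NetConnection checks TCP 443, which SSTP runs over.

```powershell
# Added example, not part of the repository: automate 3.2 (trust chain), read the
# server address for 3.3, and verify the chain builds. Function names are this
# example's own; the sample XML is constructed with a placeholder FQDN.

function Copy-RootToTrustedStore {
    param([string] $RootSubject = 'CN=P2SRootCert')
    $root = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $RootSubject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $root) { throw "Root certificate '$RootSubject' not found in Cert:\CurrentUser\My" }
    $already = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if ($already) { return $root }            # idempotent: already trusted
    # Export the public certificate only (.cer, no private key) and import it into
    # the user's Trusted Root store; Windows prompts for confirmation on this store.
    $cer = Join-Path $env:TEMP "$($root.Thumbprint).cer"
    Export-Certificate -Cert $root -FilePath $cer -Type CERT | Out-Null
    try   { Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null }
    finally { Remove-Item $cer -Force -ErrorAction SilentlyContinue }
    return $root
}

function Test-ClientCertificateChain {
    param([string] $ClientSubject = 'CN=P2SClientCert')
    $client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $ClientSubject } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $client) { throw "Client certificate '$ClientSubject' not found in Cert:\CurrentUser\My" }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # A self-signed lab root publishes no CRL, so skip revocation checking here
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($client)
    [PSCustomObject]@{
        Thumbprint  = $client.Thumbprint
        ChainBuilds = $builds                 # False before 3.2, True after the root is trusted
        Status      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Get-VpnServerFromSettings {
    param([Parameter(Mandatory)] [string] $Path)
    [xml] $xml = Get-Content -Path $Path -Raw
    $server = $xml.VpnProfile.VpnServer
    if (-not $server) { throw "No <VpnServer> element found in $Path" }
    return $server.Trim()
}

# Constructed sample of the relevant part of VpnSettings.xml (placeholder FQDN);
# replace $settings with the path to Generic\VpnSettings.xml from the downloaded zip.
$sample = @'
<VpnProfile>
  <VpnServer>azuregateway-PLACEHOLDER.vpn.azure.com</VpnServer>
  <VpnType>RouteBased</VpnType>
</VpnProfile>
'@
$settings = Join-Path $env:TEMP 'VpnSettings.sample.xml'
Set-Content -Path $settings -Value $sample

Copy-RootToTrustedStore | Out-Null
Test-ClientCertificateChain | Format-List
$server = Get-VpnServerFromSettings -Path $settings
"Server Address for the manual SSTP profile: $server"
# SSTP is TLS on TCP 443; a failed test here points at local egress filtering, not the gateway
Test-NetConnection -ComputerName $server -Port 443
```

ChainBuilds turning from False to True is the observable effect of step 3.2; if it stays False with a Status of UntrustedRoot, the certificate landed in the wrong store.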

Part 4: Private Link DNS Resolution

Once connected to the VPN, you will have a 172.16.x.x IP address, but you will not be able to resolve Private Link FQDNs (like services.ai.azure.com) because the Azure DNS IP (168.63.129.16) is not routable over VPN.

4.1 The "Hosts File" Bridge

Update your local hosts file (C:\Windows\System32\drivers\etc\hosts) as an Administrator to map the Private Endpoint IPs.

  Private IP    FQDN
  10.0.x.x      <FOUNDRY_RESOURCE>.cognitiveservices.azure.com
  10.0.x.y      <FOUNDRY_RESOURCE>.openai.azure.com
  10.0.x.z      <FOUNDRY_RESOURCE>.services.ai.azure.com

4.2 Verification

Verify connectivity using Test-NetConnection, which tests the TCP port directly and so is not affected by ICMP being blocked:

Test-NetConnection -ComputerName <FOUNDRY_RESOURCE>.services.ai.azure.com -Port 443
# Result: TcpTestSucceeded : True
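Editing the hosts file by hand works for a handful of endpoints but drifts as private IPs change. This added example (not the repository's code) covers sections 4.1 and 4.2 together: an idempotent Set-HostsEntry that backs up the file, replaces any stale line for the same FQDN and tags the lines it owns; an optional lookup that builds the IP-to-FQDN map from the CustomDnsConfigs property of Get-AzPrivateEndpoint output; and a verification loop that reports, per FQDN, the address it resolved to and whether TCP 443 opened. Function names and the constructed sample mapping (placeholder resource name, made-up 10.0.x.x address) are this example's own; the "private" test simply checks for a 10.* address, matching the guide's examples. Run it from an elevated session.

```powershell
# Added example, not part of the repository: manage the hosts-file bridge from 4.1
# and run the verification from 4.2. Function names are this example's own; the
# sample mapping is constructed with placeholders.

function Set-HostsEntry {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string] $Tag  = 'p2s-privatelink'      # marks lines this script owns
    )
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref] $null)) {
        throw "Not a valid IP address: $IPAddress"
    }
    $lines = @()
    if (Test-Path $Path) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a copy before touching it
        $lines = @(Get-Content -Path $Path)
    }
    # Keep comments and blank lines; drop any existing mapping that names this FQDN
    $kept = @($lines | Where-Object {
        $t = $_.Trim()
        ($t -eq '' -or $t.StartsWith('#')) -or (($t -split '\s+') -notcontains $Fqdn)
    })
    $kept += ("{0}`t{1}`t# {2}" -f $IPAddress, $Fqdn, $Tag)
    Set-Content -Path $Path -Value $kept -Encoding Ascii   # hosts must stay ASCII
}

function Get-PrivateEndpointHostsMap {
    param([string] $ResourceGroupName)
    # CustomDnsConfigs on each private endpoint lists its FQDN(s) and private IP(s)
    $params = @{}
    if ($ResourceGroupName) { $params.ResourceGroupName = $ResourceGroupName }
    foreach ($pe in Get-AzPrivateEndpoint @params) {
        foreach ($cfg in $pe.CustomDnsConfigs) {
            [PSCustomObject]@{ IPAddress = @($cfg.IpAddresses)[0]; Fqdn = $cfg.Fqdn }
        }
    }
}

function Test-PrivateLinkReachability {
    param([Parameter(Mandatory)] [string[]] $Fqdn, [int] $Port = 443)
    foreach ($name in $Fqdn) {
        $r = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
        [PSCustomObject]@{
            Fqdn       = $name
            ResolvedIp = [string] $r.RemoteAddress
            TcpOpen    = $r.TcpTestSucceeded            # the guide's expected result: True
            IsPrivate  = (([string] $r.RemoteAddress) -like '10.*')   # public IP here means the hosts entry is not in effect
        }
    }
}

# Constructed sample mapping (placeholder resource name and address, not real):
$map = @(
    [PSCustomObject]@{ IPAddress = '10.0.1.4'; Fqdn = 'EXAMPLE-FOUNDRY.services.ai.azure.com' }
)
# Or build it from Azure instead: $map = Get-PrivateEndpointHostsMap -ResourceGroupName '<PRIVATE_ENDPOINT_RG>'
foreach ($m in $map) { Set-HostsEntry -IPAddress $m.IPAddress -Fqdn $m.Fqdn }
Test-PrivateLinkReachability -Fqdn $map.Fqdn | Format-Table -AutoSize
```

A row with TcpOpen True but IsPrivate False means traffic is reaching the public endpoint rather than going through the VPN, which is exactly the misconfiguration the hosts-file bridge is meant to prevent.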
