Point-to-Site VPN

Modern Enterprise Point-to-Site VPN Architecture Using Microsoft Entra ID.

Task Details

1. Deploy 4 virtual networks with NSG in each VNet.

2. Register Azure VPN Gateway as an App in Entra ID. (Optional)

3. Prepare the Azure VPN Gateway.

4. Assign Users or Groups.

5. Configure Conditional Access (Optional, Recommended)

6. Download and configure the VPN client.

7. Configure network peering between VNet-P2S-VPN 10.10.0.0/16 and VNet-HUB 10.20.0.0/16

8. Add an NSG rule to allow RDP access from the VPN.

9. Test the Connection.

Steps

Deploy 4 virtual networks with NSG in each VNet.

I will use a template to create 4 virtual networks with NSG in each.

Note: This template gives you 4 VNets + 4 subnets + 4 NSGs + outputs - a clean foundation for enterprise P2S hub-and-spoke architecture.

Virtual networks:

  • VNet-P2S-VPN    10.10.0.0/16
  • VNet-HUB            10.20.0.0/16
  • VNet-SPOKE1      10.30.0.0/16
  • VNet-SPOKE2     10.40.0.0/16

1. Go to Deploy a custom template (search the portal for "custom deployment") and click "Build your own template in the editor."

2. Paste the template and click save.

3. Review and create the template.

4. You should have the following resources after deployment.

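As an added example (not the guide's template, which is not reproduced on this page), the same four VNets with one NSG-protected workload subnet each can be created from the Azure CLI. The script also adds the GatewaySubnet that the VPN gateway deployed later needs, and first checks that the four address spaces and the 172.16.100.0/24 client pool used later in the guide are pairwise disjoint: Azure refuses to peer overlapping VNets, and an overlapping client pool would black-hole traffic. The resource group, region, subnet prefixes and NSG names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own template. Creates the four VNets from the
# guide, one workload subnet + NSG each, plus the GatewaySubnet for the VPN
# gateway. Resource group, region, subnet prefixes and NSG names are assumed.
set -euo pipefail

RG="${RG:-rg-p2s-lab}"                 # assumed resource group
LOCATION="${LOCATION:-westeurope}"     # assumed region
CLIENT_POOL="172.16.100.0/24"          # P2S client pool the gateway hands out later
GATEWAY_SUBNET="10.10.255.0/27"        # assumed; must sit inside VNet-P2S-VPN, /27 or larger

# name|VNet address space (from the guide)|workload subnet (assumed; hub holds VM1 10.20.0.4)
VNETS=(
  "VNet-P2S-VPN|10.10.0.0/16|10.10.1.0/24"
  "VNet-HUB|10.20.0.0/16|10.20.0.0/24"
  "VNet-SPOKE1|10.30.0.0/16|10.30.0.0/24"
  "VNet-SPOKE2|10.40.0.0/16|10.40.0.0/24"
)

ip_to_int() {                          # dotted quad -> 32-bit integer
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_range() {                         # "10.10.0.0/16" -> "<first> <last>" as integers
  local ip="${1%/*}" bits="${1#*/}" base mask
  base=$(ip_to_int "$ip")
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}

cidr_overlap() {                       # exit 0 when the two prefixes share at least one address
  local a1 a2 b1 b2
  read -r a1 a2 <<< "$(cidr_range "$1")"
  read -r b1 b2 <<< "$(cidr_range "$2")"
  if [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]; then return 0; fi
  return 1
}

check_address_plan() {                 # every VNet space and the client pool must be pairwise disjoint
  local all=("$CLIENT_POOL") entry name prefix subnet i j
  for entry in "${VNETS[@]}"; do
    IFS='|' read -r name prefix subnet <<< "$entry"
    all+=("$prefix")
  done
  for ((i = 0; i < ${#all[@]}; i++)); do
    for ((j = i + 1; j < ${#all[@]}; j++)); do
      if cidr_overlap "${all[i]}" "${all[j]}"; then
        echo "address plan conflict: ${all[i]} overlaps ${all[j]}" >&2
        return 1
      fi
    done
  done
}

deploy() {
  check_address_plan
  az group create --name "$RG" --location "$LOCATION" --output none
  local entry name prefix subnet
  for entry in "${VNETS[@]}"; do
    IFS='|' read -r name prefix subnet <<< "$entry"
    az network nsg create --resource-group "$RG" --name "nsg-$name" --location "$LOCATION" --output none
    az network vnet create --resource-group "$RG" --name "$name" --location "$LOCATION" \
      --address-prefixes "$prefix" --output none
    az network vnet subnet create --resource-group "$RG" --vnet-name "$name" --name snet-workload \
      --address-prefixes "$subnet" --network-security-group "nsg-$name" --output none
  done
  # The gateway only deploys into a subnet literally named GatewaySubnet, and NSGs are not
  # supported on that subnet, so none is attached here.
  az network vnet subnet create --resource-group "$RG" --vnet-name VNet-P2S-VPN \
    --name GatewaySubnet --address-prefixes "$GATEWAY_SUBNET" --output none
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `bash deploy-vnets.sh deploy` after `az login`; without the argument it only defines the functions, so the address-plan check can be reused on its own.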
Register Azure VPN Gateway as an app in Entra ID. (Optional)

Important: You do not need to create a custom app registration. The recommended method is to use Microsoft's own "Azure VPN" application ID, 41b23e61-6c1e-4545-b367-cd054e0ed4b4 in the Azure Public cloud, as the audience; the sovereign clouds use different IDs.

Use the default ID unless you have a business requirement that can only be solved with a custom app registration.

If you want to register your own app, follow these steps:

1. Go to Entra ID App Registrations

  • Open Azure Portal → search “Entra ID”
  • In the left menu, click App registrations

2. Create a new app.

  • Click New registration

  • Name: P2S-VPN (or any descriptive name).
  • Supported account types: Choose Accounts in this organizational directory only.
  • Redirect URI (optional): leave blank (OpenVPN doesn’t need it)
  • Click Register.

3. Expose API (configure audience)

  • Go to your registered app → Expose an API.
  • Click Set next to Application ID URI.
  • Use this format: api://<Application (client) ID>
  • Click Save.

Note: This Application ID URI becomes the Audience value in the gateway's P2S configuration: the Azure VPN Client requests a token for it, and the VPN gateway checks that the token's audience matches.

Prepare the Azure VPN Gateway.

Action: Deploy a VPN gateway in VNet-P2S-VPN or use an existing one. In this design the gateway has its own VNet, and VNet-HUB reaches it later through peering with gateway transit. The VNet must contain a subnet named exactly GatewaySubnet (/27 or larger is recommended), and NSGs are not supported on that subnet.

Explanation:

  • P2S connections terminate here.
  • Supports multiple authentication types (certificate, RADIUS, Microsoft Entra ID); Entra ID authentication is only available with the OpenVPN tunnel type.
  • The gateway SKU must support P2S with OpenVPN: the Basic SKU does not, so use VpnGw1 or higher (VpnGw1AZ or higher for a zone-redundant gateway). VpnGw1 or higher is recommended for production in any case.

1. Go to Hybrid connectivity and click Create VPN gateway.

2. Fill up the details as follows.

Note: You usually don’t need active-active for P2S.

What Active-Active Actually Means. (Azure VPN Gateway).

Active-Passive (default)

  • One active VPN instance and one standby instance.
  • One public IP address.
  • If the active instance fails, the standby takes over and clients briefly reconnect.

Active-Active

  • Two active VPN instances that both handle traffic at the same time.
  • Two public IP addresses, one per instance.
  • Higher availability and aggregate throughput; mainly relevant for S2S designs.

Disable BGP if:

  • You are using Point-to-Site (P2S) only.
  • You have simple hub-and-spoke VNets.
  • You do not have on-prem routers exchanging routes.

Enable BGP if:

  • You are using Site-to-Site (S2S) or VNet-to-VNet.
  • You want dynamic route exchange.
  • You expect networks to change over time.

3. Enable the OpenVPN protocol, which is supported on most modern OSes and integrates with Entra ID.

  • Go to Virtual network gateway.
  • Point-to-site configuration.
  • Configure now.

4. Fill up point-to-site configuration settings.

Address Pool

  • The private IP range is assigned to VPN clients after they connect.
  • Used as the source IP when accessing Azure resources.

Important: Must not overlap with any:

  • Azure VNets
  • On-premises networks
  • Peered VNets

Example format: 172.16.100.0/24

Tenant ID.

  • Your Microsoft Entra tenant ID.
  • Can be found in Azure Portal → Microsoft Entra ID → Overview.
  • Format: https://login.microsoftonline.com/<TenantID>

Audience.

  • The app registration, or well-known GUID, that represents the VPN as a trusted resource; the gateway compares it with the aud claim of the token.
  • Use Microsoft's default GUID (recommended): 41b23e61-6c1e-4545-b367-cd054e0ed4b4
  • Or your custom App Registration Application ID URI: api://<Your-App-GUID>

Issuer

  • The URL representing the token issuer (Entra ID) for your tenant.
  • The VPN gateway compares it with the iss claim of the token to verify that the token came from your tenant.
  • Format: https://sts.windows.net/<TenantID>/ (keep the trailing slash)

Recommended method.

If you don't want to register your own application, use the Microsoft "Azure VPN" application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4) as the audience in your P2S VPN configuration.

This Audience ID is fixed for the Azure Public cloud, so it is the same across all Azure Public P2S + Entra ID deployments; Azure Government and the other sovereign clouds have their own IDs.

Note: When you use Microsoft's default GUID, you do NOT add the api:// prefix.

5. Use your app registration ID only if you want to use a custom app for authentication.

Note: api:// is not strictly required, but it is the recommended format when creating a custom Application ID URI in Microsoft Entra ID.
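As an added example (not from the original guide), the same gateway and point-to-site settings from the Azure CLI, followed by a small helper that makes concrete which token claims the Audience and Issuer values above are compared against. The resource group, gateway and public IP names and the tenant ID are assumptions; the audience GUID, the URL formats and the 172.16.100.0/24 client pool are the guide's own values. The sample token at the end is constructed and unsigned, for illustrating the claim check only; a real token is signed by Entra ID and the gateway verifies that signature as well.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Creates the P2S gateway with
# OpenVPN + Entra ID authentication, and shows the token claims the gateway's
# Audience/Issuer settings are compared with. The resource group, gateway and
# public IP names and the tenant ID are assumptions; the audience GUID, URL
# formats and client pool are the guide's own values.
set -euo pipefail

RG="${RG:-rg-p2s-lab}"                                            # assumed
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"    # placeholder, replace with your tenant
AUDIENCE="41b23e61-6c1e-4545-b367-cd054e0ed4b4"                   # Microsoft "Azure VPN" app, Azure Public cloud
CLIENT_POOL="172.16.100.0/24"                                     # must not overlap any VNet or on-prem range

tenant_uri() { echo "https://login.microsoftonline.com/$1"; }
issuer_uri() { echo "https://sts.windows.net/$1/"; }              # the trailing slash is part of the value

create_gateway() {
  # AZ SKUs need a Standard, static public IP.
  az network public-ip create --resource-group "$RG" --name pip-vpngw \
    --sku Standard --allocation-method Static --output none
  # Basic SKU has no OpenVPN and therefore no Entra ID auth. Deployment takes 30-45 minutes.
  az network vnet-gateway create --resource-group "$RG" --name vpngw-p2s \
    --vnet VNet-P2S-VPN --public-ip-addresses pip-vpngw \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1AZ \
    --client-protocol OpenVPN --address-prefixes "$CLIENT_POOL" \
    --vpn-auth-type AAD --aad-tenant "$(tenant_uri "$TENANT_ID")" \
    --aad-audience "$AUDIENCE" --aad-issuer "$(issuer_uri "$TENANT_ID")" --no-wait
}

# --- What the gateway checks in the token -------------------------------------
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
b64url_decode() {                      # JWTs strip the '=' padding; restore it before decoding
  local s="${1//-/+}"
  s="${s//_//}"
  while (( ${#s} % 4 )); do s+="="; done
  printf '%s' "$s" | base64 -d
}
jwt_claim() {                          # jwt_claim <token> <claim>: string claims from the payload
  local payload
  payload=$(b64url_decode "$(cut -d. -f2 <<< "$1")")
  sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" <<< "$payload"
}
token_matches_gateway() {              # aud must equal Audience, iss must equal Issuer (slash included)
  if [ "$(jwt_claim "$1" aud)" = "$AUDIENCE" ] && [ "$(jwt_claim "$1" iss)" = "$(issuer_uri "$TENANT_ID")" ]; then
    return 0
  fi
  return 1
}
make_sample_token() {                  # CONSTRUCTED, unsigned token for illustration; real ones are signed by Entra ID
  local header='{"alg":"none","typ":"JWT"}'
  local payload="{\"aud\":\"$AUDIENCE\",\"iss\":\"$(issuer_uri "$TENANT_ID")\",\"tid\":\"$TENANT_ID\",\"upn\":\"alice@contoso.example\"}"
  printf '%s.%s.' "$(b64url_encode "$header")" "$(b64url_encode "$payload")"
}

if [ "${1:-}" = "create" ]; then create_gateway; fi
```

Run it as `TENANT_ID=<your tenant> bash create-gateway.sh create`. The claim helper is the reason a wrong audience (for example api:// prefixed onto the default GUID) or an issuer without its trailing slash fails: the values are compared literally with the token's aud and iss claims.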

Assign Users or Groups.

1. Go to Entra ID → Enterprise applications → [Your P2S-VPN app] → Users and groups.

  • Assign the users/groups allowed to connect to the VPN.
  • Only these accounts can log in via OpenVPN, provided Assignment required? is set to Yes under the app's Properties; if it stays at No, any account in the tenant can obtain a token for the VPN regardless of this list.

  • Click Assign.

Configure Conditional Access (Optional, Recommended)

Since your P2S VPN authenticates users against Microsoft Entra ID, you can control who can connect, from where, and under what conditions using Conditional Access (CA) policies. The steps below create one policy scoped to the VPN app.

Step 1: Go to Conditional Access

  • Open Azure Portal → Entra ID → Security → Conditional Access.
  • Click New policy and give it a descriptive name, e.g., P2S VPN Access Policy.

Step 2: Assign Users/Groups

  • Under Assignments → Users and groups → Include, select the users/groups allowed for the VPN.
  • Usually this is the same group you assigned to the P2S VPN enterprise app.

Step 3: Assign Cloud App

  • Under Assignments → Cloud apps or actions (Target resources in newer portal versions) → Include → Select apps, pick the VPN enterprise app: Azure VPN (41b23e61-6c1e-4545-b367-cd054e0ed4b4) when you use the default audience, or your own registration if you created one.
  • This ensures the CA policy applies only when logging in to the VPN.

Step 4: Configure Conditions (Optional)

You can fine-tune access with conditions such as:

  • Sign-in risk: block risky sign-ins.
  • Locations: only allow from trusted IPs (e.g., office/home). The policy sees the IP the client signs in from, not a VPN address, because authentication happens before the tunnel is up.
  • Device platform: restrict to Windows/macOS/iOS/Android.
  • Client apps: limit to browser, mobile apps and desktop clients, or other clients if needed. The Azure VPN Client is a desktop application, so do not scope the policy to browsers only.

Step 5: Access Controls

Under Grant → Grant access, choose one or more of:

  • Require multi-factor authentication (MFA): strongly recommended.
  • Require device to be marked as compliant (if using Intune).
  • Require password change or other controls as needed.

Typically, for VPN, Grant access + Require MFA is the baseline.

Step 6: Enable Policy

  • Under Enable policy, start with Report-only, click Create, and check the sign-in logs to confirm the policy matches only the VPN sign-ins you expect; then switch it to On.
  • Users will then be prompted for MFA when connecting via OpenVPN.

Result:

  • Only allowed users can connect.
  • You can enforce MFA, device compliance, or location restrictions.
  • Works seamlessly with your Azure AD P2S VPN.
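As an added example (not from the original guide) covering both the user assignment above and this Conditional Access section, the same Entra ID changes can be made through Microsoft Graph with `az rest`: require assignment on the Azure VPN enterprise app, assign one group, and create a policy that requires MFA only for that app. The group name, the policy name and the report-only starting state are assumptions; the app ID is the guide's default audience GUID. The request bodies are built by functions so they can be inspected before anything is sent.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Does the Entra ID side through
# Microsoft Graph with `az rest`: require assignment on the "Azure VPN" enterprise
# app, assign one group, and create a Conditional Access policy requiring MFA for
# that app only. Group name, policy name and the report-only state are assumptions;
# the app ID is the guide's default audience GUID.
set -euo pipefail

VPN_APP_ID="41b23e61-6c1e-4545-b367-cd054e0ed4b4"   # Microsoft "Azure VPN" app (Azure Public)
VPN_GROUP="${VPN_GROUP:-sg-vpn-users}"               # assumed security group of allowed users
GRAPH="https://graph.microsoft.com/v1.0"
JSON='Content-Type=application/json'

assignment_body() {                    # assignment_body <group object id> <service principal object id>
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"00000000-0000-0000-0000-000000000000"}' "$1" "$2"
}

ca_policy_body() {                     # ca_policy_body <group object id> <state>
  cat <<EOF
{
  "displayName": "P2S VPN Access Policy",
  "state": "$2",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["$VPN_APP_ID"] },
    "users": { "includeGroups": ["$1"] }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

configure_entra() {                    # needs a signed-in admin with application and CA policy write rights
  local sp_id group_id
  # The service principal exists in the tenant once admin consent for Azure VPN has been granted.
  sp_id=$(az ad sp show --id "$VPN_APP_ID" --query id --output tsv)
  group_id=$(az ad group show --group "$VPN_GROUP" --query id --output tsv)
  # 1. Assignment required: otherwise every user in the tenant can get a VPN token.
  az rest --method patch --url "$GRAPH/servicePrincipals/$sp_id" --headers "$JSON" \
    --body '{"appRoleAssignmentRequired": true}'
  # 2. Users and groups: assign the group with the default (all-zero) app role.
  az rest --method post --url "$GRAPH/servicePrincipals/$sp_id/appRoleAssignedTo" --headers "$JSON" \
    --body "$(assignment_body "$group_id" "$sp_id")"
  # 3. Conditional Access: start in report-only, switch to "enabled" after checking sign-in logs.
  az rest --method post --url "$GRAPH/identity/conditionalAccess/policies" --headers "$JSON" \
    --body "$(ca_policy_body "$group_id" enabledForReportingButNotEnforced)"
}

if [ "${1:-}" = "apply" ]; then configure_entra; fi
```

Run it as `VPN_GROUP=<your group> bash entra-vpn.sh apply`. Keeping `appRoleAssignmentRequired` and the policy scoped to the single app ID means a user who is not in the group is refused a token at all, and a user who is gets the MFA prompt only for VPN sign-ins, not for every Microsoft 365 login.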

Download and configure the VPN client.

Download the VPN client

1. Go to Azure Portal → Virtual Network Gateway → Point-to-Site configuration.

  • Click Download VPN client.

Note: The download is a zip; the AzureVPN folder inside it contains azurevpnconfig.xml, the client configuration file that the Azure VPN Client imports.

Install the VPN client

1. Install the Azure VPN Client from the Microsoft Store if it is not already installed (macOS and Linux builds also exist).

Import the configuration.

1. Open Azure VPN Client → click import → select the .xml config you downloaded.

2. After importing, the connection profile appears in the client.

  • Click Save.

3. Click connect.

4. Sign in with a user account that is assigned permission to connect to the P2S VPN.

5. If sign-in fails at the Entra ID prompt, the usual cause is that the Azure VPN enterprise app cannot read the user's identity because:

  • The Microsoft Graph permission User.Read is missing, or
  • Admin consent was not granted for that permission.

Without User.Read the app cannot retrieve the user's identity, so the VPN authentication fails.

6. Open the correct app.

  • Go to Entra ID
  • Enterprise applications
  • Search for Azure VPN
  • App ID should be: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
  • Open it

7. Grant the Microsoft Graph permission.

  • In the Azure VPN app, go to Permissions.
  • Click Grant admin consent.

Note: Only an administrator allowed to grant tenant-wide consent (for example a Global Administrator) can do this; once granted, it applies to every user in the tenant.

8. Ensure Microsoft Graph → User.Read exists

9. Try to sign in again.

10. Login successful!

Configure network peering between VNet-P2S-VPN 10.10.0.0/16 and VNet-HUB 10.20.0.0/16 

We have four virtual networks:

  • VNet-P2S-VPN 10.10.0.0/16 - Used for VPN
  • VNet-HUB 10.20.0.0/16 - The virtual machine is here.
  • VNet-SPOKE1 10.30.0.0/16
  • VNet-SPOKE2 10.40.0.0/16

1. Go to virtual networks → VNet-P2S-VPN → Peerings → Add

2. To let VNet-HUB (and later the spokes) use the VPN gateway hosted in VNet-P2S-VPN, the peering must enable gateway transit. This lets the peered virtual networks route traffic to and from the VPN clients through the shared gateway.

Configure the peering as follows:

  • On the VNet-P2S-VPN side: Allow gateway transit (Use this virtual network's gateway or Route Server).
  • On the VNet-HUB side: Use the remote virtual network's gateway or Route Server.
  • Leave traffic to the remote virtual network allowed in both directions.

The Add peering blade creates both halves at once. A virtual network can use only one remote gateway, and it cannot use a remote gateway while it has a gateway of its own.

3. Disconnect and reconnect the VPN client so it picks up the route to 10.20.0.0/16. If the route still does not appear, download the VPN client profile again and re-import it, since topology changes can require a refreshed profile.

Add an NSG rule on VM1 to allow RDP access from the VPN.

1. Configure an inbound rule on the NSG that protects VM1's subnet (or NIC) to allow restricted access to the virtual machine:

  • Source: VPN address pool (P2S client address space, 172.16.100.0/24 in this guide)
  • Destination: Private IP address of VM1 (10.20.0.4)
  • Service: RDP (TCP 3389)
  • Action: Allow

Give the rule a lower priority number than any deny rule that would otherwise match, and keep the source limited to the client pool: VM1 has no public IP, and widening the source to Any or Internet would undo the point of the VPN.
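As an added example (not from the original guide) that covers both the peering step above and this NSG rule, the same two changes from the Azure CLI: both halves of the peering with gateway transit, then the RDP allow rule, with a small guard that refuses to create a 3389 rule whose source is anything but a private range. The resource group, peering and NSG names are assumptions; the VNet names, client pool and VM1 address are the guide's.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Creates both halves of the
# gateway-transit peering, then the RDP rule on VM1's NSG, refusing any
# source that is not a private range. Resource group, peering and NSG names
# are assumptions; VNet names, client pool and VM1 address are the guide's.
set -euo pipefail

RG="${RG:-rg-p2s-lab}"                 # assumed
CLIENT_POOL="172.16.100.0/24"          # P2S client address space from the guide
VM1_IP="10.20.0.4"                     # VM1's private IP from the guide
HUB_NSG="${HUB_NSG:-nsg-VNet-HUB}"     # assumed: the NSG on the hub workload subnet

create_peering() {
  # VNet-P2S-VPN side: allow the hub to use this VNet's gateway (gateway transit).
  az network vnet peering create --resource-group "$RG" --name p2s-to-hub \
    --vnet-name VNet-P2S-VPN --remote-vnet VNet-HUB \
    --allow-vnet-access --allow-gateway-transit --output none
  # VNet-HUB side: use the remote gateway. A VNet can use only one remote gateway,
  # and not while it has a gateway of its own.
  az network vnet peering create --resource-group "$RG" --name hub-to-p2s \
    --vnet-name VNet-HUB --remote-vnet VNet-P2S-VPN \
    --allow-vnet-access --use-remote-gateways --output none
}

# Guard against the classic mistake: an RDP allow rule reachable from outside the VPN.
safe_rdp_source() {                    # exit 0 only for an RFC 1918 prefix or host
  case "$1" in
    '*'|Internet|0.0.0.0/0|Any) return 1 ;;
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) return 0 ;;
    *) return 1 ;;
  esac
}

add_rdp_rule() {                       # add_rdp_rule <source cidr> <vm private ip>
  if ! safe_rdp_source "$1"; then
    echo "refusing to expose TCP/3389 to '$1'; the source must be the P2S client pool" >&2
    return 1
  fi
  az network nsg rule create --resource-group "$RG" --nsg-name "$HUB_NSG" \
    --name AllowRdpFromVpn --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$1" --source-port-ranges '*' \
    --destination-address-prefixes "$2" --destination-port-ranges 3389 --output none
}

if [ "${1:-}" = "apply" ]; then
  create_peering
  add_rdp_rule "$CLIENT_POOL" "$VM1_IP"
fi
```

Run it as `bash peer-and-rdp.sh apply`. Priority 100 places the rule ahead of the default rules, and the guard turns a copy-paste of `*` or `Internet` into the source field into a hard failure instead of an Internet-exposed RDP port.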

Test the Connection.

1. This is my VM1 on the VNet-HUB VNet with only a private IP assigned.

2. Connect to the VM1 through RDP by running mstsc /v:10.20.0.4

Conclusion
You now have a fully functional Azure VPN environment with user-based access, NSG protections, and VNet peering. Users can securely connect, traffic flows are controlled, and the network is ready to scale with your organization’s needs.

Written by Kirill.A - Azure & Cybersecurity Consultant at AntusNet
