Last Updated on September 23, 2020 by Dishan M. Francis
Azure AD authentication is supported for Azure Point-to-Site (P2S) VPN. This means we can use Azure AD features such as conditional access, user-based policies and Azure MFA for VPN authentication. In this demo, I am going to demonstrate how to enable Azure AD authentication for Azure P2S VPN.
As we go along, we will be working on the following tasks,
• Setup Azure point-to-site VPN with native Azure certificate authentication
• Configure OpenVPN for Azure P2S VPN
• Enable Azure AD Authentication for Azure point-to-site VPN
• Configure VPN Client
• Testing
I am going to use Azure PowerShell for the configuration. Please make sure you have the Azure PowerShell module installed. More information about it can be found at https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0
Setup Azure point-to-site VPN with native Azure certificate authentication
Before we configure OpenVPN for Azure Point-to-Site (P2S) VPN, first we need to set up Azure Point-to-Site (P2S) VPN with native Azure certificate authentication. To do this,
1. Launch a PowerShell console and connect to Azure using Connect-AzAccount (using a Global Administrator account).
2. Create a new resource group using New-AzResourceGroup -Name REBELVPNRG -Location "East US". Here REBELVPNRG is the resource group name and East US is the location.
3. Now we need to create a new virtual network. We can create a virtual network using,
New-AzVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET -AddressPrefix 192.168.0.0/16 -Location "East US"
In the above, REBEL-VNET is the virtual network name. It uses the 192.168.0.0/16 IP address range.
4. Under the virtual network, I am going to create two subnets. One for servers and one for VPN gateway. To create subnets,
$vn = Get-AzVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET
Add-AzVirtualNetworkSubnetConfig -Name "REBEL-SVR-SUB" -VirtualNetwork $vn -AddressPrefix 192.168.100.0/24
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vn -AddressPrefix 192.168.5.0/24
Set-AzVirtualNetwork -VirtualNetwork $vn
In the above, REBEL-SVR-SUB is the server subnet and its address prefix is 192.168.100.0/24. GatewaySubnet is the VPN gateway subnet and its address prefix is 192.168.5.0/24.
A virtual network gateway can only be created in a subnet named 'GatewaySubnet'.
5. The VPN gateway requires a public IP address. To create one, use
$publicip = New-AzPublicIpAddress -Name REBELVPNPublicIP -ResourceGroupName REBELVPNRG -Location "East US" -AllocationMethod Dynamic
VPN Gateway currently only supports Dynamic Public IP address allocation.
Then build the gateway IP configuration using,
$vn = Get-AzVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET
$gwsubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vn
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name REBELVPNGWipconf -Subnet $gwsubnet -PublicIpAddress $publicip
6. Next step of the configuration is to create a new VPN gateway,
New-AzVirtualNetworkGateway -Name REBELVPNGW -ResourceGroupName REBELVPNRG -Location "East US" -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"
In the above, -VpnType must be RouteBased, and -GatewaySku should not be Basic as we are going to use OpenVPN and IKEv2. This can take up to 45 minutes to create the gateway.
7. Now we have the gateway. The next step is to configure the VPN client address pool. In this demo, I am going to use 172.16.25.0/24 as the client pool.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -Name REBELVPNGW
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool "172.16.25.0/24"
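The seven steps above, collected into one parameterised script. This is an added example, not code from the original post: the resource names, address ranges and cmdlets are the ones used in the steps, while the CIDR overlap check on the client pool (Azure rejects a client pool that overlaps the virtual network address space), the SKU guard, the idempotent re-use of an existing resource group and VNet, and the provisioning-state check after gateway creation are additions of mine. It assumes the Az.Accounts and Az.Network modules are installed and that the signed-in account can create resources in the subscription.

```powershell
# Added example (not from the original post). Names and ranges follow the
# step-by-step section; the checks and the param block are additions.
#Requires -Modules Az.Accounts, Az.Network
param(
    [string]$ResourceGroup = 'REBELVPNRG',
    [string]$Location      = 'East US',
    [string]$VNetName      = 'REBEL-VNET',
    [string]$VNetPrefix    = '192.168.0.0/16',
    [string]$ServerSubnet  = '192.168.100.0/24',
    [string]$GatewaySubnet = '192.168.5.0/24',
    [string]$ClientPool    = '172.16.25.0/24',
    [string]$GatewayName   = 'REBELVPNGW',
    [string]$GatewaySku    = 'VpnGw1'
)
$ErrorActionPreference = 'Stop'

# True when two IPv4 CIDR ranges share any address (added helper, not an Az cmdlet).
function Test-CidrOverlap {
    param([Parameter(Mandatory)][string]$CidrA, [Parameter(Mandatory)][string]$CidrB)

    function ConvertTo-Network([string]$Cidr) {
        $ip, $bits = $Cidr.Split('/')
        $bits  = [int]$bits
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
        $addr = [BitConverter]::ToUInt32($bytes, 0)
        # 2^32 - 2^(32-bits) is the prefix mask; avoids PowerShell's shift-type quirks.
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
        [pscustomobject]@{ Address = $addr; Mask = $mask; Bits = $bits }
    }

    $a = ConvertTo-Network $CidrA
    $b = ConvertTo-Network $CidrB
    # Compare both networks under the shorter prefix: equal means they overlap.
    $mask = if ($a.Bits -le $b.Bits) { $a.Mask } else { $b.Mask }
    return (($a.Address -band $mask) -eq ($b.Address -band $mask))
}

# Fail fast on configuration that Azure would reject or that breaks later steps,
# before waiting up to 45 minutes for a gateway.
if (Test-CidrOverlap $VNetPrefix $ClientPool) {
    throw "Client pool $ClientPool overlaps the virtual network $VNetPrefix; choose a disjoint range."
}
if ($GatewaySku -eq 'Basic') {
    throw 'The Basic SKU does not support OpenVPN or IKEv2; use VpnGw1 or higher.'
}

# Step 1: sign in (interactive; use a Global Administrator account as the post does).
Connect-AzAccount | Out-Null

# Step 2: resource group, re-used if it already exists.
$rg = Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue
if (-not $rg) { $rg = New-AzResourceGroup -Name $ResourceGroup -Location $Location }

# Steps 3 and 4: virtual network with a server subnet and the gateway subnet.
$vn = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName -ErrorAction SilentlyContinue
if (-not $vn) {
    $vn = New-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName `
        -AddressPrefix $VNetPrefix -Location $Location
    Add-AzVirtualNetworkSubnetConfig -Name 'REBEL-SVR-SUB' -VirtualNetwork $vn -AddressPrefix $ServerSubnet | Out-Null
    # The gateway subnet must be named exactly 'GatewaySubnet'.
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vn -AddressPrefix $GatewaySubnet | Out-Null
    $vn = Set-AzVirtualNetwork -VirtualNetwork $vn
}

# Step 5: public IP (dynamic allocation) and gateway IP configuration.
$publicip = New-AzPublicIpAddress -Name 'REBELVPNPublicIP' -ResourceGroupName $ResourceGroup `
    -Location $Location -AllocationMethod Dynamic
$gwsubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vn
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'REBELVPNGWipconf' -Subnet $gwsubnet -PublicIpAddress $publicip

# Step 6: route-based gateway. The cmdlet blocks until provisioning finishes.
$gw = New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $Location `
    -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false `
    -GatewaySku $GatewaySku -VpnClientProtocol 'IKEv2'
if ($gw.ProvisioningState -ne 'Succeeded') {
    throw "Gateway $GatewayName is in state '$($gw.ProvisioningState)'; inspect the deployment before continuing."
}

# Step 7: client address pool.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool $ClientPool | Out-Null
Write-Host "Gateway $GatewayName provisioned; client pool $ClientPool configured."
```

Run it as a script with no arguments to reproduce the post's values, or override individual parameters (for example -ClientPool) to fit an existing address plan. The overlap check runs before any resource is created, so a mistaken client pool is caught in seconds rather than after the gateway deployment has completed.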