| title | titleSuffix | description | author | ms.service | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|
Configure P2S VPN clients: certificate authentication: Azure VPN client: Windows |
Azure VPN Gateway |
Learn how to configure VPN clients for P2S configurations that use certificate authentication. This article applies to Windows and the Azure VPN client. |
cherylmc |
azure-vpn-gateway |
how-to |
05/20/2024 |
cherylmc |
If your point-to-site (P2S) VPN gateway is configured to use OpenVPN and certificate authentication, you can connect to your virtual network using the Azure VPN Client. This article walks you through the steps to configure the Azure VPN Client and connect to your virtual network.
Before beginning client configuration steps, verify that you're on the correct VPN client configuration article. The following table shows the configuration articles available for VPN Gateway point-to-site VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.
[!INCLUDE All client articles]
This article assumes that you've already performed the following prerequisites:
- You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See Configure server settings for P2S VPN Gateway connections - certificate authentication for steps.
- You generated and downloaded the VPN client configuration files. See Generate VPN client profile configuration files for steps.
- You can either generate client certificates, or acquire the appropriate client certificates necessary for authentication.
To connect to Azure, each connecting client computer requires the following items:
- The Azure VPN Client software must be installed on each client computer.
- The Azure VPN Client profile must be configured using the downloaded azurevpnconfig.xml configuration file.
- The client computer must have a client certificate that's installed locally.
For certificate authentication, a client certificate must be installed on each client computer. The client certificate you want to use must be exported with the private key, and must contain all certificates in the certification path. Additionally, for some configurations, you'll also need to install root certificate information.
- For information about working with certificates, see Point-to site: Generate certificates.
- To view an installed client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.
Each computer needs a client certificate in order to authenticate. If the client certificate isn't already installed on the local computer, you can install it using the following steps:
- Locate the client certificate. For more information about client certificates, see Install client certificates.
- Install the client certificate. Typically, you can do this by double-clicking the certificate file and providing a password (if required).
The VPN client profile configuration package contains specific folders. The files within the folders contain the settings needed to configure the VPN client profile on the client computer. The files and the settings they contain are specific to the VPN gateway and the type of authentication and tunnel your VPN gateway is configured to use.
Locate and unzip the VPN client profile configuration package you generated. For Certificate authentication and OpenVPN, you'll see the AzureVPN folder. Locate the azurevpnconfig.xml file. This file contains the settings you use to configure the VPN client profile.
If you don't see the file, verify the following items:
- Verify that your VPN gateway is configured to use the OpenVPN tunnel type.
- If you're using Microsoft Entra authentication, you might not have an AzureVPN folder. See the Microsoft Entra ID configuration article instead.
[!INCLUDE Download the Azure VPN client]
-
Open the Azure VPN Client.
-
Select + on the bottom left of the page, then select Import.
-
In the window, navigate to the azurevpnconfig.xml file. Select the file, then select Open.
-
On the client profile page, notice that many of the settings are already specified. The preconfigured settings are contained in the VPN client profile package that you imported. Even though most of the settings are already specified, you need to configure settings specific to the client computer.
From the Certificate Information dropdown, select the name of the child certificate (the client certificate). For example, P2SChildCert. You can also (optionally) select a Secondary Profile. For this exercise, select None.
:::image type="content" source="./media/point-to-site-vpn-client-cert-windows/configure-certificate.png" alt-text="Screenshot showing Azure VPN client profile configuration page." lightbox="./media/point-to-site-vpn-client-cert-windows/configure-certificate.png":::
If you don't see a client certificate in the Certificate Information dropdown, you'll need to cancel and fix the issue before proceeding. It's possible that one of the following things is causing the problem:
- The client certificate isn't installed locally on the client computer.
- There are multiple certificates with exactly the same name installed on your local computer (common in test environments).
- The child certificate is corrupt.
-
After the import validates (imports with no errors), select Save.
-
In the left pane, locate the VPN connection, then select Connect.
The following sections discuss optional configuration settings that are available for the Azure VPN Client.
[!INCLUDE Secondary profile]
You can configure the Azure VPN Client with optional configuration settings such as more DNS servers, custom DNS, forced tunneling, custom routes, and other settings. For a description of the available settings and configuration steps, see Azure VPN Client optional settings.
Follow up with any additional server or connection settings. See Point-to-site configuration steps.