Azure Point-to-Site VPN with Certificate Based Authentication

Video Statistics and Information

Reddit Comments

I watched this one yesterday, good explanation without the usual marketing, just straight to the point. Love it.

👍︎︎ 1 👤︎︎ u/aprimeproblem 📅︎︎ Jun 06 2020 🗫︎ replies
Captions
In this video I'm going to show you how to set up a point-to-site VPN connection in Azure. Hello everyone, I'm Travis and this is Ciraltos. A while ago I did a video on setting up a site-to-site VPN connection between an Azure VNet gateway and a Routing and Remote Access server. Not everyone needs a dedicated VPN into their Azure network. This video covers another option of using a point-to-site VPN to connect to a host in Azure. Specifically, I go over how to deploy a basic gateway and enable certificate-based authentication. Before that, please subscribe, like, share and click the bell icon to get a notification of new content.

Most Microsoft services don't require VPN connectivity. PaaS services such as Azure Functions, App Services and Azure SQL are accessible and managed from the public Internet. Some services are not accessible from the Internet. For example, IaaS servers can be deployed without publicly accessible RDP or SSH access, or services that have been configured to prevent public access, private endpoints for example. Those require network connectivity to the private VNet. Some organizations connect their on-premises network to the Azure VNet using point-to-point VPN or ExpressRoute connections. In this configuration users can access Azure resources on the private VNet directly from their corporate network. How then do we allow network access when there's no site-to-site VPN or ExpressRoute in place? The solution is point-to-site connections into the Azure VNet.

Let's start with an overview. A VPN creates a secure tunnel to pass private network traffic over a public network. A point-to-site VPN is initiated by a single endpoint, a workstation in this case, and terminates at a gateway on the network, an Azure VNet gateway in this example. All resources on that remote network are available to the client by default; network restrictions may limit that access, however. Azure point-to-site VPN connections support a combination of different methods. These authentication methods include certificate, either self-signed or from an enterprise certificate authority, RADIUS authentication with Windows Active Directory, and Azure AD authentication, which also supports MFA. Azure point-to-site VPN supports three VPN standards. OpenVPN is an SSL/TLS based VPN; it works over standard TCP port 443 and can be used with iOS, Android, Windows, Linux and Mac. Secure Socket Tunneling Protocol is a proprietary SSL based VPN that connects over TCP port 443; it is only supported on Windows clients. IKEv2 is a standards-based VPN; it can be used with Mac clients 10.11 or above. IKE is not supported on the basic gateway.

In this video I go over deploying a basic gateway with certificate-based authentication using a self-signed certificate. This is a good option for small environments and test labs. The basic gateway is the least expensive but comes with some limitations, such as it only supports Secure Socket Tunneling Protocol. That's fine for Windows environments, but it's not if there are mixed clients. Virtual network gateways come in different sizes and SKUs. Here's a chart of the different gateway sizes and features. There's an option to deploy VNet gateways to availability zones for high availability; those gateways are indicated with the AZ at the end of the SKU. As you can imagine, the larger the gateway and the more options, the higher the price. Review the pricing information from Microsoft's website for your region. The price goes up along with the bandwidth and the number of tunnels with each version. Outbound data rates also apply.

A certificate is needed to authenticate the connection. This can be self-signed certificates or enterprise certificates. This example goes over using self-signed certificates. I'm going to use PowerShell to create a self-signed root certificate. The root certificate is used to generate one or more client certificates. The root certificate is uploaded to the gateway and used to authenticate clients. Let's walk through the process. The example coming up assumes you have an Azure subscription with a VNet in place. The steps we'll walk through include creating a VNet gateway, creating a root certificate, creating a client certificate from that root, exporting the certificates, configuring the gateway for point-to-site connections, configuring the client, and then finally we'll revoke a certificate to stop a client from logging in.

Here I am at the Azure portal, and if you go into Virtual networks we can see I have a West VNet that's already been deployed, so that's in place. Now I'm going to set up a VNet gateway. I'll go to Create a resource and type in "network gateway", and here is Virtual network gateway. I'll click Create. I'll leave the subscription as is. I'll give it a name; I'll call it WestGW. Next I'll change the region to West US, that's the same region as the virtual network. I'll leave the gateway type as VPN, but notice there is the option for ExpressRoute. I'll leave the VPN type route-based, and under SKU I'll select Basic. Basic is a limited-feature VNet gateway, but it's a fraction of the cost of the next level, so this is what I use for my test lab. It's also good for demo environments and dev environments, but it does lack some of the features that the other VNet gateways have. There's only one generation for Basic, so I'll leave it as Generation 1. For virtual network I will select West VNet. Here it asks me for a subnet range for the gateway subnet, and it only needs a couple IP addresses, so I'm going to do a couple of things: I'm going to change this to 254 and give it a /27. I don't need to allocate all 254 of those IP addresses, but if you don't care you can leave it as default; either way will work. I'll create a new public IP address and I'll call it WestGWIP. For this I'll leave Enable active-active mode and Configure BGP as disabled. Next, tags; I'll leave that blank and go to Review and create. Validation passed, and now I'll hit Create. The deployment is underway. This will take 45 minutes, maybe even longer depending on how busy things are, but it is not a quick deployment, so I'm going to pause here and I'll be back once it's done.

Okay, the virtual network gateway has been deployed. It did take close to an hour to finish. The next step is to generate the certificates. I'm going to create a root certificate and then, based on that root certificate, create two client certificates. So the first thing I'll do is open up PowerShell as an administrator. I'm going to run a New-SelfSignedCertificate command in PowerShell. This is going to create the root certificate and put it in the certificate store for the user. I'll make this available on my blog, so just check the link below the video and you should be able to find the command there. Notice for this certificate I'm using West as part of the name, just so I can tell the difference, because I already have a certificate for my central VNet gateway in the Central region. You can name these anything you want. So now that that's done, I'll create the first client certificate; this will be West P2S client cert 1, and there's the thumbprint. Next I'll create the second one; you notice this has a different thumbprint. So with one root certificate you can create multiple client certificates and hand them out to different users. That way they're not all using the same client cert. That's important because if you have to revoke somebody's certificate you can just revoke the one client certificate without affecting the rest of the clients.

The next step is to open up the user's certificate store. This is the user store, not the local machine store. Let me just clear some of this out of here; there we go. Now if I go to Personal, Certificates, you can see I have three certificates here: I've got the root cert and then two client certs. I've got a couple of others, again those are for other things, but just notice these ones that start with West. So the first thing I'm going to do is export the root certificate. We'll right-click, All Tasks, Export. I'll click Next. I'm not going to export the private key. I'll select Base-64 encoding for a .CER file. Then I'm going to browse to the desktop; I'll call this West root certificate and save. Once I'm done, click Finish, and the export was successful. I'm using multiple monitors so you can't see it there, but it is exported. So with this I'm just going to quickly export that root certificate so I can get the cert and upload it to the VNet gateway, but you could also export the self-signed root cert with a private key to back it up someplace safe. That way, if this computer goes away, you can add that root certificate to another computer and generate more client certs. Now I'm going to export the first client cert. This one we're going to do with some different settings: we are going to export the private key. I'm going to use Personal Information Exchange, the .PFX suffix. I'll leave Include all certificates and Enable certificate privacy. I'll give it a password, don't lose the password, and export it to the desktop. Again I'll do the same thing for the second cert: I'll export the private key, include all certificates in the path and enable certificate privacy. I'll give it a password. We'll call this one West client cert 2. There we go. Now I have those three certificates on the desktop. I'll move them over to the second one so we can see them. The first one I'm going to open with Notepad, and I'll copy everything between BEGIN CERTIFICATE and END CERTIFICATE; make sure you get every letter.

Next we're going to add this to the gateway, so let's go back to the portal. I'm going to go to the resource, and in the gateway I'm going to Point-to-site configuration and Configure now. It will ask for an address pool. This is the IP address pool that clients will get when connected; the address pool is the dynamically assigned IP addresses for the clients. Make sure it doesn't overlap with the IP space on the VNet or any other subnet the client may try to access, such as an on-premises network if you have a VPN or ExpressRoute between the VNet and your on-premises network. For this I'm going to use 172.16.1.0/24. For the name I'll call it West root cert, and under Public certificate data I'm just going to paste in the information we copied from Notepad. So that's the certificate, and then click Save. I'll wait for that to finish saving. If this was a different SKU I'd have options for tunnel type and authentication type when setting up the VPN connection. This is a Basic SKU though, so the options are limited. It looks like that finished. Let's download the VPN client. It will take a minute or so to build that client and download it. There it goes; so this is finished. The gateway's deployed and the certificates have been uploaded.

Let's set up the client next. I've got a virtual machine running, so I'm going to open it up. I'm going to copy the two client certificates over; I don't need the root certificate for this. I'm also going to copy over that client. I could log in from this machine and download it from the portal, but I'm just going to copy it over. The first step is to unzip this client. There are three folders in there. One's Generic, and that's an XML document with settings for the client. I'm going to go back, and there's a version for 32- and 64-bit. I'm going to go to the AMD64 version and run the client, and this will set up the client specifically for the VNet we deployed. Before I go on to the next step I'm just going to open up the VPN connection, and here is West VNet. So now I can double-click on it and connect. Okay, so here it's saying that a certificate could not be found. Okay, I knew that would happen because we didn't install the certificates. So let's go into West client certificate 1; I'm just going to double-click on that. I'm going to import it for the current user, everything's default, I have to enter in that password we used to secure the certificate, and the rest is default settings, and I'll click Yes to install the cert. Now if I come back and try to connect again, I'll click Connect, Continue, and now it's establishing a connection, and I'm connected.

So I'm going to go to the portal. I have a VM running in West US connected to that VNet with an IP address of 10.1.0.4, so let's try to RDP to that. I'll click Connect; there it goes. If we go back to that VM you can see it has no public IP address, so I'm accessing this by its private IP address without exposing the RDP port to the Internet. Let me just minimize that. If I disconnect you can see it stops right away; if I connect again it will reconnect. There it goes. So we used the first certificate for this. Let's go into the user certificate store; we go to Personal, Certificates. If I open the certificate by double-clicking on it and go into the details, I'm looking for the thumbprint. So I'm going to copy this thumbprint, then come back to the portal, go to my Virtual networks, West VNet, go to my gateway, Point-to-site configuration. I'm going to call this client cert 1 and add that thumbprint. Now it doesn't like that because I have spaces in it, but I can pull them out. I will point out you can also pull that from PowerShell. So now it has the thumbprint and I'll click Save. Also notice we can see the allocated IP address, so that's the one client connected. I'll let that finish saving. Okay, so that's done; that finished saving, and these saves do take a couple of minutes to run through, just be aware of that. Now we have the thumbprint for client cert 1 in the revoked certificates. Let's go back. We're connected; it didn't disconnect, but now let's disconnect and try reconnecting. Authentication failed because the certificate is not valid, so good, that worked. So now this client can no longer connect. So let's do this: let's delete this and import the second certificate. Refresh over here, and now we can see that client cert 2 is installed. Let me connect. Now, this was attempting to reconnect in the background; let's see if it reconnects. And again, this is just an RDP connection to a server back on the VNet; I'm just using this to test connectivity. You can see it worked.

So that's it. That's how you create the certificates, add the certificate to a client and to the VNet gateway, download the configuration file, install the client, connect to the VPN endpoint and revoke the certificate. That's it for the demo. I hope you found this video helpful. Don't forget to like, subscribe and click the bell icon for new content. Thanks for watching.
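The certificate steps the video performs by hand in PowerShell and the certificate MMC, as an added PowerShell example that is not from the video or the author's blog. It creates the self-signed root, two client certificates signed by it, the Base-64 root data the portal's Public certificate data field expects, password-protected PFX files per client, and the space-free thumbprints used for revocation; the certificate names, output paths and the commented-out resource-group and gateway names are assumptions.

```powershell
# Added example, not from the video. Run in an elevated PowerShell on Windows.
$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'          # user store, as in the video
$out   = "$env:USERPROFILE\Desktop"      # assumed output location

# 1. Self-signed root. Only its public part is uploaded to the gateway;
#    the private key stays here and should be backed up (exported PFX) offline.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=WestP2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation $store `
    -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddYears(5)

# 2. One client certificate per user, signed by the root, so a single user
#    can be revoked by thumbprint without touching the others.
#    2.5.29.37 = Extended Key Usage; 1.3.6.1.5.5.7.3.2 = Client Authentication.
$clients = @{}
foreach ($name in 'WestP2SClientCert1', 'WestP2SClientCert2') {
    $clients[$name] = New-SelfSignedCertificate -Type Custom -DnsName $name `
        -KeySpec Signature -Subject "CN=$name" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation $store `
        -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}

# 3. Root public certificate. $rootB64 is exactly the text between the
#    BEGIN/END CERTIFICATE lines that the video copies out of Notepad.
$rootB64 = [Convert]::ToBase64String($root.RawData)
$pem = @('-----BEGIN CERTIFICATE-----') +
       ([regex]::Matches($rootB64, '.{1,64}') | ForEach-Object { $_.Value }) +
       @('-----END CERTIFICATE-----')
Set-Content -Path "$out\WestRootCert.cer" -Value $pem

# 4. Client certificates with private key as password-protected PFX files,
#    one per user. The password is prompted rather than stored in the script.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($name in $clients.Keys) {
    Export-PfxCertificate -Cert $clients[$name] -Password $pfxPwd `
        -FilePath "$out\$name.pfx" | Out-Null
    # .Thumbprint has no spaces, so it pastes straight into Revoked certificates.
    "$name thumbprint: $($clients[$name].Thumbprint)"
}

# 5. Optional: the two portal steps via Az.Network instead (assumes
#    Connect-AzAccount was run and these resource names exist; not in the video).
# Add-AzVpnClientRootCertificate -ResourceGroupName 'WestRG' -VirtualNetworkGatewayName 'WestGW' `
#     -VpnClientRootCertificateName 'WestRootCert' -PublicCertData $rootB64
# Add-AzVpnClientRevokedCertificate -ResourceGroupName 'WestRG' -VirtualNetworkGatewayName 'WestGW' `
#     -VpnClientRevokedCertificateName 'ClientCert1' -Thumbprint $clients['WestP2SClientCert1'].Thumbprint
```

Revoking by thumbprint only blocks new connections, so as the video shows, an already established session keeps working until the client disconnects and reauthenticates.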
Info
Channel: Travis Roberts
Views: 20,816
Rating: 4.9736843 out of 5
Keywords: Azure, Network, Virtual Network, VNet, VNet Gateway, Gateway, VPN, SSTP, OpenVPN, SSL, TLS, IKEv2, Mac, Windows, Linux, iOS, Android, certificate, RADIUS, Gateway SKU, SKU, Point-to-site, P2S, site-to-site, S2S, security, secure connection, client VPN, revoke certificate
Id: Yshpo6V1qUQ
Length: 19min 37sec (1177 seconds)
Published: Fri Jun 05 2020