How to Configure Point-to-Site VPN on Azure

Point-to-Site VPN helps us connect through a secure network from a client computer to an Azure virtual network. This simply means you can connect to a compute resource using their private IP on the Azure Virtual Network.

What is Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client’s computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

What is a VPN Gateway

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.

Creating a Virtual Network

Firstly, we need to create a Virtual Network

Step 1: Sign in to the Azure Portal.

Step 2: Search for virtual network in Azure portal.

Step 3: In the search results, select virtual network right under Marketplace.

how-to-configure-point-to-site-vpn-on-azure 1

Step 4: On the Virtual network page, click on Create.

Step 5: Under the Basics tab, choose the Subscription you want to use for this project.

Step 6: Resource group can be selected from existing resource group, or a new resource group can be created by clicking on Create new.

Step 7: Enter a preferred name for the virtual network.

Step 8: Choose a preferred location for the Virtual Network, by clicking on the drop-down and selecting the region you prefer, and then click on next at the bottom. Note: The location determines where the resources that you deploy to this VNet will live.

point-to-site vpn

For this tutorial, we will leave the Security tab with the default settings and then click on next again.

We will be using the for our address space and for the subnet we will create two subnets: abcofcloudsubnet with a subnet address space of

Step 9: On the IP addresses tab click on the Add an IP address space and select the Address space type radio button for IPv4. Starting address type, Address space size use the drop-down to select /16 (65536 addresses) and click the Add button.

Step 10: After this has been added you can now delete the default address space.

Step 11: This is the time we add our subnet, click on the plus(+) button beside Add a subnet, and on the pop-out button by the right under the Subnet details enter a preferred name, for this tutorial I will be using abcofcloudsubnet, the Starting address as and Subnet size as /24 (256 addresses) then click on the Add button.

Step 12: Click on the Review + Create button to have an overview of your settings and then click Create.

Let’s Create the VPN Gateway

Step 1: Search for Virtual network gateway in Azure portal.

Step 2: In the Search result, under Marketplace select Virtual network gateway.

Step 3: Choose the subscription you want from the drop-down.

Step 4: The Resource Group will be auto-filled when we select the virtual network.

Step 5: Enter any preferred name for your gateway.

Step 6: We will be using VPN as the Gateway type in this tutorial.

Step 7: Route-based is the VPN type we will be using for this tutorial, this can be selected based on your requirement or business need.

Step 8: SKU will be VpnGw2AZ for this tutorial, I will be adding some links where you can learn more about the SKU, resizing, and zone redundant.

Step 9: Generation2 will be the choice for this tutorial.

Step 10: Our Virtual network will be the one we created previously.

Step 11. You can either create a subnet in your virtual subnet with the name Gatewaysubnet or you get the Gateway subnet address range automatically.

Step 12: We will change the default Gateway subnet address range to or larger which is (/26,/25,/24, etc.)  Anything lesser will throw an error if you’re trying to deploy a zone-redundant/zonal gateway and also this allows enough IP addresses for future changes.

Step 13: Public IP address is set to Create new; you can choose to use existing if you already have one created. These settings specify the public IP address object that gets associated with the VPN gateway. The public IP address is assigned to this object when the VPN gateway is created. The only time the primary Public IP address changes is when the gateway is deleted and re-created. It doesn’t change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

Step 14: Enter a preferred name for the Public IP address name.

The Assignment setting is controlled by the Public IP Address Type value.

Enable active-active mode and Configure BGP will be disabled in this tutorial.

Step 15: Click on Review + Create and then Create. Tags can be added based on your requirements.

Once you hit the Create button, it’s time to go get a bottle of drink because I also paused and went to a bottle of drink. Also, make sure you don’t refresh the page because it can take 45 minutes or more to fully create and deploy. You will see the status of the deployment on the overview page for the gateway.

point-to-site vpn

Welcome from the short break, the next thing we will be doing is creating a Self-Sign root and client certificate.

Creating Self-Signed Certificate

Step 1: Open PowerShell with elevated privileges from a computer running Windows 10 or later, or Windows Server 2016.

Step 2: Copy and paste the cmdlet below on PowerShell. This cmdlet will create a self-signed root certificate named ‘abcofcloudP2SRootCert’ that is automatically installed in ‘Certificates-Current User\Personal\Certificates’. If you want to use your preferred name modify the CN value.

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `

-Subject “CN=abcofcloudP2SRootCert” -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation “Cert:\CurrentUser\My” -KeyUsageProperty Sign -KeyUsage CertSign

Note: Leave the PowerShell console open and proceed with Step 2 to generate a client certificate.

Step 2: If you haven’t closed your PowerShell console after creating the self-signed root certificate. This cmdlet continues from the previous section and uses the declared ‘$cert’ variable. The result is a client certificate named ‘abcofcloudP2SClientCert’. The client certificate that you generate is automatically installed in ‘Certificates – Current User\Personal\Certificates’ on your computer.

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `

-Subject “CN=abcofcloudP2SClientCert” -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation “Cert:\CurrentUser\My” `

-Signer $cert -TextExtension @(“{text}”)

What if you mistakenly closed the PowerShell console after running the first, there is a way to handle that. Please skip Step 2a, Step 2b, and Step 2c if you didn’t close your console before running the second cmdlet.

Step 2a: Run this cmdlet to get a list of certificates that are installed on your computer.

Get-ChildItem -Path “Cert:\CurrentUser\My”

Step 2b: Using the thumbprint of the root certificate that was returned after running the previous cmdlet, run this next cmdlet.

$cert = Get-ChildItem -Path “Cert:\CurrentUser\My\B45EE33AEF140FCAF382C7FD2164CBA451AFC935”

Note: B45EE33AEF140FCAF382C7FD2164CBA451AFC935 is the thumbprint from my own root certificate.

Step 2c: You can now run this cmdlet to generate a client certificate. Modify the CN to give it your preferred name.

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `

-Subject “CN=abcofcloudP2SClientCert” -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation “Cert:\CurrentUser\My” `

-Signer $cert -TextExtension @(“{text}”)

Now that we have been able to create our self-signed certificate it is time for us to view and export it.

View and Export Root Certificate

Step 1: Press Win + R key and type certmgr.msc or Manage User Certificates, common error that you should avoid is accidentally opening the Certificates of your Local Computer, rather than Certificates of the Current User.

point-to-site vpn

Step 2: Right-click on the root certificate, click on All Task then Click on Export.

point-to-site vpn

Step 3: Click on Next on the Certificate Export Wizard, and Select No, do not export the private key, then click on Next.

point-to-site vpn

Step 4: On the Export File Format page, select the Base-64 encoded X.509 (.CER), and then click Next.

point-to-site vpn

Step 5: Browse the location you want to save it and then give it a preferred name then click Next, Click Finish to export the certificate to your preferred location. You’ll see a confirmation from a pop-up saying, “The export was successful”.

point-to-site vpn


View and Export Client Certificate

Step 1: Press Win + R key and type certmgr.msc or Manage User Certificates.

Step 2: Right-click on the client certificate and click on All Tasks then click on Export.

point-to-site vpn

Step 3: On the Certificate Export Wizard click on Next to continue.

Step 4: Select Yes, export the private key, and then click Next.

point-to-site vpn

Step 5: On the Export File Format page, leave the defaults selected. This setting additionally exports the root certificate information that is required for successful client authentication. Without it, client authentication fails because the client doesn’t have the trusted root certificate. Then, click Next.

point-to-site vpn

Step 6: Tick the Password check box on the Security page and type in your password. Remember you will be using this password if you try connecting with this certificate from another client.

point-to-site vpn

Step 7: Browse to the location you want to save it and give it your preferred name. Once that is done click on Next and then Finish. You will get a pop-up saying “The export was successful”.

point-to-site vpn

Now we have successfully exported our root and client certificates.

For us to configure Point-to-site on the virtual network gateway we created we will need our root certificate.

Configure Point-to-Site

Step 1: Browse to the location the root certificate was exported to and open it with a text editor such as Notepad.

point-to-site vpn

Step 2: If you exported your root certificate in the required Base-64 encoded X.509 (.CER), you will have similar text to the one on this tutorial, also note it is recommended you use Notepad as the text editor to avoid unintended formatting background which can create a problem when uploaded to Azure.

Step 3: Copy the text that is in between the —BEGIN CERTIFICATE— and —END CERTIFICATE—

point-to-site vpn

Step 4: Log in to the Azure portal and open the Virtual network gateway we created earlier.

Step 5: On the Virtual network gateway page click on the Point-to-site configuration under Settings on the left side menu and then click on Configure now on the right.

point-to-site vpn

Step 6: Add the Address pool you want the client computers to get their IP address from when they connect, for this tutorial the address pool I will be using is

Step 7: The tunnel type will be IKEv2 and SSTP (SSL), while the Authentication type will be Azure certificate.

Step 8: Under the Root certificates select a preferred name, for this Tutorial I will be using abcofcloudP2SRootCert and for the Public certificate data paste the text that was copied from the root certificate in our client computer and click on Save at the top.

point-to-site vpn

Step 9: Download the VPN client by clicking on Download VPN client at the top.

point-to-site vpn

Step 10: Copy the downloaded VPN client to the client computer and install it. For this tutorial, I will be installing WindowsAmd64.

Step 11: After installing the VPN client go to Network and Internet in settings then click on VPN, you should see the Virtual network we created on Azure, click on it then click on Connect.

point-to-site vpn

Step 12: Once you click on the connect button the Azure VPN will pop up, then click on connect again.


At this point, you have successfully configured your Point-to-Site VPN.

point-to-site vpn

point-to-site vpn


I create a Virtual Machine on my VNet, I will connect to the Virtual Machine using the private IP of the Virtual Machine from my client computer.

point-to-site vpn

I went ahead to use Remote Desktop Connection to connect with the Virtual Machines using the Private IP :

point-to-site vpn

If you made it to this point, Thank you for your time!


References: About Point-to-Site VPN

About VPN Gateway configuration settings

3 thoughts on “How to Configure Point-to-Site VPN on Azure”

Leave a Comment

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Privacy & Cookie policy
Privacy & Cookies policy
Cookie name Active

Who we are

Suggested text: Our website address is:


Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.


Suggested text: If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

Suggested text: If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue. For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where your data is sent

Suggested text: Visitor comments may be checked through an automated spam detection service.
Save settings
Verified by MonsterInsights