About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure virtual networks from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of site-to-site (S2S) VPN when you have only a few clients that need to connect to a virtual network. Point-to-site configurations require a route-based VPN type.

What protocol does P2S use?

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above). Supported versions are TLS 1.2 and TLS 1.3 based on TLS handshake.

  • Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

How are P2S VPN clients authenticated?

Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are three authentication types that you can select when you configure your P2S gateway. The options are:

You can select multiple authentication types for your P2S gateway configuration. If you select multiple authentication types, the VPN client you use must be supported by at least one authentication type and corresponding tunnel type. For example, if you select "IKEv2 and OpenVPN" for tunnel types, and "Microsoft Entra ID and Radius" or "Microsoft Entra ID and Azure Certificate" for authentication type, Microsoft Entra ID will only use the OpenVPN tunnel type since it's not supported by IKEv2.

The following table shows authentication mechanisms that are compatible with selected tunnel types. Each mechanism requires corresponding VPN client software on the connecting device to be configured with the proper settings available in the VPN client profile configuration files.

Tunnel Type Authentication Mechanism
OpenVPN Any subset of Microsoft Entra ID, Radius Auth and Azure Certificate
SSTP Radius Auth/ Azure Certificate
IKEv2 Radius Auth/ Azure Certificate
IKEv2 and OpenVPN Radius Auth/ Azure Certificate/ Microsoft Entra ID and Radius Auth/ Microsoft Entra ID and Azure Certificate
IKEv2 and SSTP Radius Auth/ Azure Certificate

Certificate authentication

When you configure your P2S gateway for certificate authentication, you upload the trusted root certificate public key to the Azure gateway. You can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.

To authenticate, each client that connects must have an installed client certificate that's generated from the trusted root certificate. This is in addition to VPN client software. The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection.

Certificate authentication workflow

At a high level, you need to perform the following steps to configure Certificate authentication:

  1. Enable Certificate authentication on the P2S gateway, along with the additional required settings (client address pool, etc.), and upload the root CA public key information.
  2. Generate and download VPN client profile configuration files (profile configuration package).
  3. Install the client certificate on each connecting client computer.
  4. Configure the VPN client on the client computer using the settings found in the VPN profile configuration package.
  5. Connect.

Microsoft Entra ID authentication

You can configure your P2S gateway to allow VPN users to authenticate using Microsoft Entra ID credentials. With Microsoft Entra ID authentication, you can use Microsoft Entra Conditional Access and multifactor authentication (MFA) features for VPN. Microsoft Entra ID authentication is supported only for the OpenVPN protocol. To authenticate and connect, clients must use the Azure VPN Client.

VPN Gateway now supports a new Microsoft-registered App ID and corresponding Audience values for the latest versions of the Azure VPN Client. When you configure a P2S VPN gateway using the new Audience values, you skip the Azure VPN Client app manual registration process for your Microsoft Entra tenant. The App ID is already created and your tenant is automatically able to use it with no extra registration steps. This process is more secure than manually registering the Azure VPN Client because you don't need to authorize the app or assign permissions via the Global administrator role.

Previously, you were required to manually register (integrate) the Azure VPN Client app with your Microsoft Entra tenant. Registering the client app creates an App ID representing the identity of the Azure VPN Client application and requires authorization using the Global Administrator role. To better understand the difference between the types of application objects, see How and why applications are added to Microsoft Entra ID.

When possible, we recommend that you configure new P2S gateways using the Microsoft-registered Azure VPN client App ID and its corresponding Audience values, instead of manually registering the Azure VPN Client app with your tenant. If you have a previously configured Azure VPN gateway that uses Microsoft Entra ID authentication, you can update the gateway and clients to take advantage of the new Microsoft-registered App ID. Updating the P2S gateway with the new Audience value is required if you want Linux clients to connect. The Azure VPN Client for Linux isn't backward compatible with the older Audience values.

If you have an existing P2S gateway that you want to update to use a new Audience value, see Change Audience for a P2S VPN gateway. If you want to create or modify a custom Audience value, see Create a custom audience app ID for P2S VPN. If you want to configure or restrict access to P2S based on users and groups, see Scenario: Configure P2S VPN access based on users and groups.

Considerations and limitations

  • A P2S VPN gateway can only support one Audience value. It can't support multiple Audience values simultaneously.

  • At this time, the newer Microsoft-registered App ID doesn't support as many Audience values as the older, manually registered app. If you need an Audience value for anything other than Azure Public or Custom, use the older manually registered method and values.

  • The Azure VPN Client for Linux isn't backward compatible with P2S gateways configured to use the older Audience values that align with the manually registered app. The Azure VPN Client for Linux does support Custom Audience values.

  • While it's possible that the Azure VPN Client for Linux might work on other Linux distributions and releases, the Azure VPN Client for Linux is only supported on the following releases:

    • Ubuntu 20.04
    • Ubuntu 22.04
  • The Azure VPN Client for macOS and Windows is backward compatible with P2S gateways configured to use the older Audience values that align with the manually registered app. You can also use Custom Audience values with these clients.

Azure VPN Client Audience values

The following table shows the versions of the Azure VPN Client that are supported for each App ID and the corresponding available Audience values.

App ID Supported Audience values Supported clients
Microsoft-registered - Azure Public: c632b3df-fb67-4d84-bdcf-b95ad541b5c8 - Linux
- Windows
- macOS
Manually registered - Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
- Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
- Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
- Microsoft Azure operated by 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa
- Windows
- macOS
Custom <custom-app-id> - Linux
- Windows
- macOS

Microsoft Entra ID authentication workflow

At a high level, you need to perform the following steps to configure Microsoft Entra ID authentication:

  1. If using manual app registration, perform the necessary steps on the Microsoft Entra tenant.
  2. Enable Microsoft Entra ID authentication on the P2S gateway, along with the additional required settings (client address pool, etc.).
  3. Generate and download VPN client profile configuration files (profile configuration package).
  4. Download, install, and configure the Azure VPN Client on the client computer.
  5. Connect.

RADIUS - Active Directory (AD) Domain Server authentication

AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also use their existing RADIUS deployment.

The RADIUS server could be deployed on-premises or in your Azure virtual network. During authentication, the Azure VPN Gateway acts as a pass through and forwards authentication messages back and forth between the RADIUS server and the connecting device. So Gateway reachability to the RADIUS server is important. If the RADIUS server is present on-premises, then a VPN S2S connection from Azure to the on-premises site is required for reachability.

The RADIUS server can also integrate with AD certificate services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to the Azure certificate authentication. The advantage is that you don’t need to upload root certificates and revoked certificates to Azure.

A RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPN, including multi-factor options.

Diagram that shows a point-to-site VPN with an on-premises site.

For P2S gateway configuration steps, see Configure P2S - RADIUS.

What are the client configuration requirements?

The client configuration requirements vary, based on the VPN client that you use, the authentication type, and the protocol. The following table shows the available clients and the corresponding articles for each configuration.

Authentication Tunnel type Client OS VPN client
Certificate
IKEv2, SSTP Windows Native VPN client
IKEv2 macOS Native VPN client
IKEv2 Linux strongSwan
OpenVPN Windows Azure VPN client
OpenVPN client version 2.x
OpenVPN client version 3.x
OpenVPN macOS OpenVPN client
OpenVPN iOS OpenVPN client
OpenVPN Linux Azure VPN Client
OpenVPN client
Microsoft Entra ID
OpenVPN Windows Azure VPN client
OpenVPN macOS Azure VPN Client
OpenVPN Linux Azure VPN Client

What versions of the Azure VPN Client are available?

For information about available Azure VPN Client versions, release dates, and what's new in each release, see Azure VPN Client versions.

Which gateway SKUs support P2S VPN?

The following table shows gateway SKUs by tunnel, connection, and throughput. For more information, see About gateway SKUs.

VPN
Gateway
Generation
SKU S2S/VNet-to-VNet
Tunnels
P2S
SSTP Connections
P2S
IKEv2/OpenVPN Connections
Aggregate
Throughput Benchmark
BGP Zone-redundant Supported Number of VMs in the Virtual Network
Generation1 Basic Max. 10 Max. 128 Not Supported 100 Mbps Not Supported No 200
Generation1 VpnGw1 Max. 30 Max. 128 Max. 250 650 Mbps Supported No 450
Generation1 VpnGw2 Max. 30 Max. 128 Max. 500 1 Gbps Supported No 1300
Generation1 VpnGw3 Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported No 4000
Generation1 VpnGw1AZ Max. 30 Max. 128 Max. 250 650 Mbps Supported Yes 1000
Generation1 VpnGw2AZ Max. 30 Max. 128 Max. 500 1 Gbps Supported Yes 2000
Generation1 VpnGw3AZ Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported Yes 5000
Generation2 VpnGw2 Max. 30 Max. 128 Max. 500 1.25 Gbps Supported No 685
Generation2 VpnGw3 Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported No 2240
Generation2 VpnGw4 Max. 100* Max. 128 Max. 5000 5 Gbps Supported No 5300
Generation2 VpnGw5 Max. 100* Max. 128 Max. 10000 10 Gbps Supported No 6700
Generation2 VpnGw2AZ Max. 30 Max. 128 Max. 500 1.25 Gbps Supported Yes 2000
Generation2 VpnGw3AZ Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported Yes 3300
Generation2 VpnGw4AZ Max. 100* Max. 128 Max. 5000 5 Gbps Supported Yes 4400
Generation2 VpnGw5AZ Max. 100* Max. 128 Max. 10000 10 Gbps Supported Yes 9000

Note

The Basic SKU has limitations and does not support IKEv2, IPv6, or RADIUS authentication. For more information, see VPN Gateway settings.

What IKE/IPsec policies are configured on VPN gateways for P2S?

The tables in this section show the values for the default policies. However, they don't reflect the available supported values for custom policies. For custom policies, see the Accepted values listed in the New-AzVpnClientIpsecParameter PowerShell cmdlet.

IKEv2

Cipher Integrity PRF DH Group
GCM_AES256 GCM_AES256 SHA384 GROUP_24
GCM_AES256 GCM_AES256 SHA384 GROUP_14
GCM_AES256 GCM_AES256 SHA384 GROUP_ECP384
GCM_AES256 GCM_AES256 SHA384 GROUP_ECP256
GCM_AES256 GCM_AES256 SHA256 GROUP_24
GCM_AES256 GCM_AES256 SHA256 GROUP_14
GCM_AES256 GCM_AES256 SHA256 GROUP_ECP384
GCM_AES256 GCM_AES256 SHA256 GROUP_ECP256
AES256 SHA384 SHA384 GROUP_24
AES256 SHA384 SHA384 GROUP_14
AES256 SHA384 SHA384 GROUP_ECP384
AES256 SHA384 SHA384 GROUP_ECP256
AES256 SHA256 SHA256 GROUP_24
AES256 SHA256 SHA256 GROUP_14
AES256 SHA256 SHA256 GROUP_ECP384
AES256 SHA256 SHA256 GROUP_ECP256
AES256 SHA256 SHA256 GROUP_2

IPsec

Cipher Integrity PFS Group
GCM_AES256 GCM_AES256 GROUP_NONE
GCM_AES256 GCM_AES256 GROUP_24
GCM_AES256 GCM_AES256 GROUP_14
GCM_AES256 GCM_AES256 GROUP_ECP384
GCM_AES256 GCM_AES256 GROUP_ECP256
AES256 SHA256 GROUP_NONE
AES256 SHA256 GROUP_24
AES256 SHA256 GROUP_14
AES256 SHA256 GROUP_ECP384
AES256 SHA256 GROUP_ECP256
AES256 SHA1 GROUP_NONE

What TLS policies are configured on VPN gateways for P2S?

TLS

Policies
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
**TLS_AES_256_GCM_SHA384
**TLS_AES_128_GCM_SHA256

**Only supported on TLS1.3 with OpenVPN

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through common P2S configuration steps.

To remove the configuration of a P2S connection

You can remove the configuration of a connection by using PowerShell or CLI. For examples, see the FAQ.

How does P2S routing work?

See the following articles:

FAQs

There are multiple FAQ entries for point-to-site. See the VPN Gateway FAQ, paying particular attention to the Certificate authentication and RADIUS sections, as appropriate.

Next Steps

"OpenVPN" is a trademark of OpenVPN Inc.