|
| 1 | +--- |
| 2 | +title: 'Configure P2S VPN clients: certificate authentication: OpenVPN Client 3.x series - Windows' |
| 3 | +titleSuffix: Azure VPN Gateway |
| 4 | +description: Learn how to configure VPN clients for P2S configurations that use certificate authentication. This article applies to Windows and the OpenVPN Client 3.x series. |
| 5 | +author: cherylmc |
| 6 | +ms.service: azure-vpn-gateway |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 10/08/2024 |
| 9 | +ms.author: cherylmc |
| 10 | +--- |
| 11 | + |
| 12 | +# Configure OpenVPN Connect 3.x client for P2S certificate authentication connections - Windows |
| 13 | + |
| 14 | +If your point-to-site (P2S) VPN gateway is configured to use OpenVPN and certificate authentication, you can connect to your virtual network using the OpenVPN Client. This article walks you through the steps to configure the **OpenVPN Connect client 3.x** and connect to your virtual network. There are some configuration differences between the [OpenVPN 2.x](point-to-site-vpn-client-certificate-windows-openvpn-client.md) client and the OpenVPN Connect 3.x client. This article focuses on the OpenVPN Connect 3.x client. |
| 15 | + |
| 16 | +## Before you begin |
| 17 | + |
| 18 | +Before beginning client configuration steps, verify that you're on the correct VPN client configuration article. The following table shows the configuration articles available for VPN Gateway point-to-site VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS. |
| 19 | + |
| 20 | +[!INCLUDE [All client articles](../../includes/vpn-gateway-vpn-client-install-articles.md)] |
| 21 | + |
| 22 | +> [!NOTE] |
| 23 | +> The OpenVPN client is independently managed and not under Microsoft's control. This means Microsoft does not oversee its code, builds, roadmap, or legal aspects. Should customers encounter any bugs or issues with the OpenVPN client, they should directly contact OpenVPN Inc. support. The guidelines in this article are provided 'as is' and have not been validated by OpenVPN Inc. They are intended to assist customers who are already familiar with the client and wish to use it to connect to the Azure VPN Gateway in a Point-to-Site VPN setup. |
| 24 | +
|
| 25 | +### Prerequisites |
| 26 | + |
| 27 | +This article assumes that you've already performed the following prerequisites: |
| 28 | + |
| 29 | +* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](vpn-gateway-howto-point-to-site-resource-manager-portal.md) for steps. |
| 30 | +* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](vpn-gateway-howto-point-to-site-resource-manager-portal.md#profile-files) for steps. |
| 31 | +* You can either generate client certificates, or acquire the appropriate client certificates necessary for authentication. |
| 32 | + |
| 33 | +### Connection requirements |
| 34 | + |
| 35 | +To connect to Azure using the OpenVPN Connect 3.x client using certificate authentication, each connecting client computer requires the following items: |
| 36 | + |
| 37 | +* The OpenVPN Connect client software must be installed and configured on each client computer. |
| 38 | +* The client computer must have a client certificate that's installed locally. |
| 39 | +* If your certificate chain includes an intermediate certificate, see the [Intermediate certificates](#intermediate) section first to verify that your P2S VPN gateway configuration is set up to support this certificate chain. The certificate authentication behavior for 3.x clients is different than previous versions, where you could specify the intermediate certificate in the client profile. |
| 40 | + |
| 41 | +### Workflow |
| 42 | + |
| 43 | +The workflow for this article is: |
| 44 | + |
| 45 | +1. Generate and install client certificates if you haven't already done so. |
| 46 | +1. View the VPN client profile configuration files contained in the VPN client profile configuration package that you generated. |
| 47 | +1. Configure the OpenVPN Connect client. |
| 48 | +1. Connect to Azure. |
| 49 | + |
| 50 | +## Generate and install client certificates |
| 51 | + |
| 52 | +For certificate authentication, a client certificate must be installed on each client computer. The client certificate you want to use must be exported with the private key, and must contain all certificates in the certification path. Additionally, for some configurations, you'll also need to install root certificate information. |
| 53 | + |
| 54 | +In many cases, you can install the client certificate directly on the client computer by double-clicking. However, for some OpenVPN client configurations, you might need to extract information from the client certificate in order to complete the configuration. |
| 55 | + |
| 56 | +* For information about working with certificates, see [Point-to site: Generate certificates](vpn-gateway-certificates-point-to-site.md). |
| 57 | +* To view an installed client certificate, open **Manage User Certificates**. The client certificate is installed in **Current User\Personal\Certificates**. |
| 58 | + |
| 59 | +### Install the client certificate |
| 60 | + |
| 61 | +Each computer needs a client certificate in order to authenticate. If the client certificate isn't already installed on the local computer, you can install it using the following steps: |
| 62 | + |
| 63 | +1. Locate the client certificate. For more information about client certificates, see [Install client certificates](point-to-site-how-to-vpn-client-install-azure-cert.md). |
| 64 | +1. Install the client certificate. Typically, you can do this by double-clicking the certificate file and providing a password (if required). |
| 65 | + |
| 66 | +## View configuration files |
| 67 | + |
| 68 | +The VPN client profile configuration package contains specific folders. The files within the folders contain the settings needed to configure the VPN client profile on the client computer. The files and the settings they contain are specific to the VPN gateway and the type of authentication and tunnel your VPN gateway is configured to use. |
| 69 | + |
| 70 | +Locate and unzip the VPN client profile configuration package you generated. For Certificate authentication and OpenVPN, you should see the **OpenVPN** folder. If you don't see the folder, verify the following items: |
| 71 | + |
| 72 | +* Verify that your VPN gateway is configured to use the OpenVPN tunnel type. |
| 73 | +* If you're using Microsoft Entra ID authentication, you might not have an OpenVPN folder. See the [Microsoft Entra ID](point-to-site-entra-vpn-client-windows.md) configuration article instead. |
| 74 | + |
| 75 | +## Configure the client |
| 76 | + |
| 77 | +[!INCLUDE [Configuration steps](../../includes/vpn-gateway-vwan-config-openvpn-3-series-windows.md)] |
| 78 | + |
| 79 | +### <a name="example"></a>User profile example |
| 80 | + |
| 81 | +The following example shows a user profile configuration file for 3.x OpenVPN Connect clients. This example shows the log file commented out and the "ping-restart 0" option added to prevent periodic reconnects due to no traffic being sent to the client. |
| 82 | + |
| 83 | +``` |
| 84 | +client |
| 85 | +remote <vpnGatewayname>.ln.vpn.azure.com 443 |
| 86 | +verify-x509-name <IdGateway>.ln.vpn.azure.com name |
| 87 | +remote-cert-tls server |
| 88 | +
|
| 89 | +dev tun |
| 90 | +proto tcp |
| 91 | +resolv-retry infinite |
| 92 | +nobind |
| 93 | +
|
| 94 | +auth SHA256 |
| 95 | +cipher AES-256-GCM |
| 96 | +persist-key |
| 97 | +persist-tun |
| 98 | +
|
| 99 | +tls-timeout 30 |
| 100 | +tls-version-min 1.2 |
| 101 | +key-direction 1 |
| 102 | +
|
| 103 | +#log openvpn.log |
| 104 | +#inactive 0 |
| 105 | +ping-restart 0 |
| 106 | +verb 3 |
| 107 | +
|
| 108 | +# P2S CA root certificate |
| 109 | +<ca> |
| 110 | +-----BEGIN CERTIFICATE----- |
| 111 | +…… |
| 112 | +…….. |
| 113 | +…….. |
| 114 | +…….. |
| 115 | +
|
| 116 | +-----END CERTIFICATE----- |
| 117 | +</ca> |
| 118 | +
|
| 119 | +# Pre Shared Key |
| 120 | +<tls-auth> |
| 121 | +-----BEGIN OpenVPN Static key V1----- |
| 122 | +…….. |
| 123 | +…….. |
| 124 | +…….. |
| 125 | +
|
| 126 | +-----END OpenVPN Static key V1----- |
| 127 | +</tls-auth> |
| 128 | +
|
| 129 | +# P2S client certificate |
| 130 | +# Please fill this field with a PEM formatted client certificate |
| 131 | +# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file. |
| 132 | +<cert> |
| 133 | +-----BEGIN CERTIFICATE----- |
| 134 | +…….. |
| 135 | +…….. |
| 136 | +…….. |
| 137 | +-----END CERTIFICATE----- |
| 138 | +</cert> |
| 139 | +
|
| 140 | +# P2S client certificate private key |
| 141 | +# Please fill this field with a PEM formatted private key of the client certificate. |
| 142 | +# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file. |
| 143 | +<key> |
| 144 | +-----BEGIN PRIVATE KEY----- |
| 145 | +…….. |
| 146 | +…….. |
| 147 | +…….. |
| 148 | +-----END PRIVATE KEY----- |
| 149 | +</key> |
| 150 | +``` |
| 151 | + |
| 152 | +## <a name="intermediate"></a>Intermediate certificates |
| 153 | + |
| 154 | +If your certificate chain includes intermediate certificates, you must upload the intermediate certificates to the Azure VPN gateway. |
| 155 | +This is the preferred method to use, regardless of the VPN client you choose to connect from. In previous versions, you could specify intermediate certificates in the user profile. This is no longer supported in OpenVPN Connect client version 3.x. |
| 156 | + |
| 157 | +When you're working with intermediate certificates, the intermediate certificate must be uploaded after the root certificate. |
| 158 | + |
| 159 | +:::image type="content" source="./media/point-to-site-open-vpn-client-series-3/intermediate-certificate.png" alt-text="Intermediate certificate for point-to-site configuration." lightbox="./media/point-to-site-open-vpn-client-series-3/intermediate-certificate.png"::: |
| 160 | + |
| 161 | +## Reconnects |
| 162 | + |
| 163 | +If you experience periodic reconnects due to no traffic being sent to client, you can add the "ping-restart 0" option to the profile to prevent disconnections from causing reconnects. This is described in the OpenVPN Connect documentation as follows: " --ping-restart n Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote." |
| 164 | + |
| 165 | +See the [User profile example](#example) for an example of how to add this option. |
| 166 | + |
| 167 | +## Next steps |
| 168 | + |
| 169 | +Follow up with any additional server or connection settings. See [Point-to-site configuration steps](vpn-gateway-howto-point-to-site-resource-manager-portal.md). |
0 commit comments