|
| 1 | +--- |
| 2 | +title: 'Configure P2S VPN clients: certificate authentication: Windows native client' |
| 3 | +titleSuffix: Azure VPN Gateway |
| 4 | +description: Learn how to configure the native VPN client on a Windows computer for P2S connections |
| 5 | +author: cherylmc |
| 6 | +ms.service: vpn-gateway |
| 7 | +ms.date: 01/24/2024 |
| 8 | +ms.author: cherylmc |
| 9 | +--- |
| 10 | + |
| 11 | +# Configure point-to-site VPN clients: certificate authentication - Windows |
| 12 | + |
| 13 | +This article walks you through the necessary steps to configure VPN clients for point-to-site (P2S) virtual network connections that use certificate authentication. These steps continue on from previous articles where the [VPN Gateway point-to-site](vpn-gateway-howto-point-to-site-resource-manager-portal.md) server settings are configured. |
| 14 | + |
| 15 | +There are multiple sets of steps in this article, depending on the tunnel type you selected for your P2S configuration, and the VPN client that is used to connect. |
| 16 | + |
| 17 | +## Before you begin |
| 18 | + |
| 19 | +This article assumes that you have already created and configured your VPN gateway for P2S certificate authentication. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](vpn-gateway-howto-point-to-site-resource-manager-portal.md) for steps. |
| 20 | + |
| 21 | +Before beginning the workflow, verify that you're on the correct article. The following table shows the configuration articles available for Azure VPN Gateway P2S VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS. |
| 22 | + |
| 23 | +[!INCLUDE [All client articles](../../includes/vpn-gateway-vpn-client-install-articles.md)] |
| 24 | + |
| 25 | +>[!IMPORTANT] |
| 26 | +>[!INCLUDE [TLS](../../includes/vpn-gateway-tls-change.md)] |
| 27 | +
|
| 28 | +## Workflow |
| 29 | + |
| 30 | +In this article, we start with generating VPN client configuration files and client certificates: |
| 31 | + |
| 32 | +1. [Generate files to configure the VPN client](#1-generate-vpn-client-configuration-files) |
| 33 | +1. [Generate certificates for the VPN client](#2-generate-client-certificates) |
| 34 | + |
| 35 | +After the steps in these sections are completed, continue on to [3. Configure the VPN client](#3-configure-the-vpn-client). The steps you use to configure your VPN client depend on the tunnel type for your P2S VPN gateway, and the VPN client on the client computer. |
| 36 | + |
| 37 | +* **IKEv2 and SSTP - native VPN client steps** - If your P2S VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you can connect to your VNet using the native VPN client that's part of your Windows operating system. This configuration doesn't require additional client software. See [IKEv2 and SSTP - native VPN client](#ike). |
| 38 | +* **OpenVPN** - If your P2S VPN gateway is configured to use an OpenVPN tunnel and certificate authentication, you have the option of using either the [Azure VPN Client](#openvpn), or the [OpenVPN client](#azurevpn). |
| 39 | + |
| 40 | +## 1. Generate VPN client configuration files |
| 41 | + |
| 42 | +All of the necessary configuration settings for the VPN clients are contained in a VPN client profile configuration zip file. You can generate client profile configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file. |
| 43 | + |
| 44 | +The VPN client profile configuration files that you generate are specific to the P2S VPN gateway configuration for the VNet. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client profile configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more information about P2S connections, see [About point-to-site VPN](point-to-site-about.md). |
| 45 | + |
| 46 | +### PowerShell |
| 47 | + |
| 48 | +[!INCLUDE [Generate profile configuration files - PowerShell](../../includes/vpn-gateway-generate-profile-powershell.md)] |
| 49 | + |
| 50 | +### Azure portal |
| 51 | + |
| 52 | +[!INCLUDE [Generate profile configuration files - Azure portal](../../includes/vpn-gateway-generate-profile-portal.md)] |
| 53 | + |
| 54 | +## 2. Generate client certificates |
| 55 | + |
| 56 | +For certificate authentication, a client certificate must be installed on each client computer. The client certificate you want to use must be exported with the private key, and must contain all certificates in the certification path. Additionally, for some configurations, you'll also need to install root certificate information. |
| 57 | + |
| 58 | +In many cases, you can install the client certificate directly on the client computer by double-clicking. However, for certain OpenVPN client configurations, you might need to extract information from the client certificate in order to complete the configuration. |
| 59 | + |
| 60 | +* For information about working with certificates, see [Point-to site: Generate certificates](vpn-gateway-certificates-point-to-site.md). |
| 61 | +* To view an installed client certificate, open **Manage User Certificates**. The client certificate is installed in **Current User\Personal\Certificates**. |
| 62 | + |
| 63 | +## 3. Configure the VPN client |
| 64 | + |
| 65 | +Next, configure the VPN client. Select from the following instructions: |
| 66 | + |
| 67 | +* [IKEv2 and SSTP - native VPN client steps](#ike) |
| 68 | +* [OpenVPN - OpenVPN client steps](#openvpn) |
| 69 | +* [OpenVPN - Azure VPN Client steps](#azurevpn) |
| 70 | + |
| 71 | +## <a name="ike"></a>Native VPN client steps - IKEv2/SSTP |
| 72 | + |
| 73 | +If your P2S VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you can connect to your VNet using the native VPN client that's part of your Windows operating system. This configuration doesn't require additional client software. |
| 74 | + |
| 75 | +### <a name="view-ike"></a>View configuration files |
| 76 | + |
| 77 | +Unzip the VPN client profile configuration file to view the following folders: |
| 78 | + |
| 79 | +* **WindowsAmd64** and **WindowsX86**, which contain the Windows 64-bit and 32-bit installer packages, respectively. The **WindowsAmd64** installer package is for all supported 64-bit Windows clients, not just Amd. |
| 80 | +* **Generic**, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder isn’t present. |
| 81 | + |
| 82 | +### <a name="install"></a>Configure VPN client profile |
| 83 | + |
| 84 | +You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the point-to-site section of the [VPN Gateway FAQ](vpn-gateway-vpn-faq.md#P2S). |
| 85 | + |
| 86 | +>[!NOTE] |
| 87 | +>You must have Administrator rights on the Windows client computer from which you want to connect. |
| 88 | +
|
| 89 | +1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package. |
| 90 | + |
| 91 | +1. Double-click the package to install it. If you see a SmartScreen popup, click **More info**, then **Run anyway**. |
| 92 | + |
| 93 | +1. Install the client certificate. Typically, you can do this by double-clicking the certificate file and providing a password if required. For more information, see [Install client certificates](point-to-site-how-to-vpn-client-install-azure-cert.md). |
| 94 | + |
| 95 | +1. Connect to your VPN. Go to the **VPN** settings and locate the VPN connection that you created. It's the same name as your virtual network. Select **Connect**. A pop-up message might appear. Select **Continue** to use elevated privileges. |
| 96 | +1. On the **Connection status** page, select **Connect** to start the connection. If you see a **Select Certificate** screen, verify that the client certificate showing is the one that you want to use to connect. If it isn't, use the drop-down arrow to select the correct certificate, and then select **OK**. |
| 97 | + |
| 98 | +## <a name="azurevpn"></a>Azure VPN Client steps - OpenVPN |
| 99 | + |
| 100 | +If your P2S VPN gateway is configured to use an OpenVPN tunnel type and certificate authentication, you can connect using the Azure VPN Client. |
| 101 | + |
| 102 | +The following steps help you download, install, and configure the Azure VPN Client to connect to your VNet. Note that these steps apply to certificate authentication. If you're using OpenVPN with Microsoft Entra authentication, see the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. |
| 103 | + |
| 104 | +To connect, each client computer requires the following items: |
| 105 | + |
| 106 | +* The Azure VPN Client software must be installed on each client computer that you want to connect. |
| 107 | +* The Azure VPN Client profile must be configured using the downloaded **azurevpnconfig.xml** configuration file. |
| 108 | +* The client computer must have a client certificate that's installed locally. |
| 109 | + |
| 110 | +### <a name="view-azurevpn"></a>View configuration files |
| 111 | + |
| 112 | +When you open the zip file, you'll see the **AzureVPN** folder. Locate the **azurevpnconfig.xml** file. This file contains the settings you use to configure the VPN client profile. |
| 113 | + |
| 114 | +If you don't see the file, verify the following items: |
| 115 | + |
| 116 | +* Verify that your VPN gateway is configured to use the OpenVPN tunnel type. |
| 117 | +* If you're using Microsoft Entra authentication, you might not have an AzureVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. |
| 118 | + |
| 119 | +### Download the Azure VPN Client |
| 120 | + |
| 121 | +[!INCLUDE [Download the Azure VPN client](../../includes/vpn-gateway-download-vpn-client.md)] |
| 122 | + |
| 123 | +### Configure the VPN client profile |
| 124 | + |
| 125 | +1. Open the Azure VPN Client. |
| 126 | + |
| 127 | +1. Click **+** on the bottom left of the page, then select **Import**. |
| 128 | + |
| 129 | +1. In the window, navigate to the **azurevpnconfig.xml** file, select it, then click **Open**. |
| 130 | + |
| 131 | +1. From the **Certificate Information** dropdown, select the name of the child certificate (the client certificate). For example, **P2SChildCert**. You can also (optionally) select a [Secondary Profile](#secondary-profile). |
| 132 | + |
| 133 | + :::image type="content" source="./media/point-to-site-vpn-client-cert-windows/configure-certificate.png" alt-text="Screenshot showing Azure VPN client profile configuration page." lightbox="./media/point-to-site-vpn-client-cert-windows/configure-certificate.png"::: |
| 134 | + |
| 135 | + If you don't see a client certificate in the **Certificate Information** dropdown, you'll need to cancel and fix the issue before proceeding. It's possible that one of the following things is true: |
| 136 | + |
| 137 | + * The client certificate isn't installed locally on the client computer. |
| 138 | + * There are multiple certificates with exactly the same name installed on your local computer (common in test environments). |
| 139 | + * The child certificate is corrupt. |
| 140 | + |
| 141 | +1. After the import validates (imports with no errors), click **Save**. |
| 142 | + |
| 143 | +1. In the left pane, locate the **VPN connection**, then click **Connect**. |
| 144 | + |
| 145 | +### Optional settings for the Azure VPN Client |
| 146 | + |
| 147 | +The following sections discuss additional optional configuration settings that are available for the Azure VPN Client. |
| 148 | + |
| 149 | +#### Secondary Profile |
| 150 | + |
| 151 | +[!INCLUDE [Secondary profile](../../includes/vpn-gateway-azure-vpn-client-secondary-profile.md)] |
| 152 | + |
| 153 | +#### Custom settings: DNS and routing |
| 154 | + |
| 155 | +You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available settings and configuration steps, see [Azure VPN Client optional settings](azure-vpn-client-optional-configurations.md). |
| 156 | + |
| 157 | +## <a name="openvpn"></a>OpenVPN Client steps - OpenVPN |
| 158 | + |
| 159 | +If your P2S VPN gateway is configured to use an OpenVPN tunnel type and certificate authentication, you can connect using an OpenVPN client. The following steps help you configure the **OpenVPN ® Protocol** client and connect to your VNet. |
| 160 | + |
| 161 | +### <a name="view-openvpn"></a>View configuration files |
| 162 | + |
| 163 | +When you open the VPN client configuration package zip file, you should see an OpenVPN folder. If you don't see the folder, verify the following items: |
| 164 | + |
| 165 | +* Verify that your VPN gateway is configured to use the OpenVPN tunnel type. |
| 166 | +* If you're using Microsoft Entra authentication, you might not have an OpenVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. |
| 167 | + |
| 168 | +[!INCLUDE [Configuration steps](../../includes/vpn-gateway-vwan-config-openvpn-windows.md)] |
| 169 | + |
| 170 | +## Next steps |
| 171 | + |
| 172 | +For additional steps, return to the P2S article that you were working from. |
| 173 | + |
| 174 | +* [PowerShell configuration steps](vpn-gateway-howto-point-to-site-rm-ps.md). |
| 175 | +* [Azure portal configuration steps](vpn-gateway-howto-point-to-site-resource-manager-portal.md). |
0 commit comments