Step-By-Step Demo Of Creating A Point-To-Site VPN Connection

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

Step 1

Create a new virtual network. Keep address space as


Step 2

Subnet address range 


Step 3

A virtual network (VNet) in Azure that is connected to other networks must have a gateway subnet, which holds the gateway systems that exchange packets with those other networks.


Step 4

You will not be able to change the name: Azure requires the name GatewaySubnet exactly, and there is just one gateway subnet in every virtual network. Click OK.

Step 5

There will be two subnets now. One is the subnet that was created at the time of VNet creation and the other one is the GatewaySubnet.


Now, let us understand what a virtual network gateway is:
  • A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection to an on-premises location. You can also use VPN gateways to send encrypted traffic between Azure virtual networks over the Microsoft network.
  • In short, to establish cross-premises VPN connections you need a virtual network gateway.
  • A virtual network gateway is the software VPN device for your Azure virtual network. Use it with a connection to set up a site-to-site VPN connection between an Azure virtual network and your local network, or a VNet-to-VNet VPN connection between two Azure virtual networks. It can also be used to connect a virtual network to an ExpressRoute circuit.
Step 6

Now, we need to create a virtual network gateway. 


Step 7

Keep the gateway type as VPN and the VPN type as route based. Keep the SKU (Stock Keeping Unit) as Basic; note that the Basic SKU supports only the SSTP protocol for Point-to-Site clients, which is fine for a small Windows-only setup like this one. Choose the virtual network.


Step 8

Create a new public IP address. Remember that a virtual network gateway can take up to 45 minutes to create, so start it now and carry on with the following steps while it deploys.


Step 9

Next, we need to create a VM. Search for Windows Server 2012 R2 Datacenter and click Create. Fill in the basic details and select HDD as the disk type.


Step 10

In the virtual machine size blade, choose the Basic A2 size.

Step 11

Select the VNet and the subnet created in Step 1 (not the GatewaySubnet). Keep public IP as none: the VM then has no address reachable from the internet, so RDP to it is only possible through the VPN, which is exactly what we want to test later. Leave boot diagnostics disabled and everything else at the defaults, click OK, then click Create.


Step 12

Next, we need to create a root certificate for the VPN. In this walkthrough that is done with makecert.exe, which ships with the Windows 10 SDK, so download and install the SDK. (makecert is deprecated; on Windows 10 the New-SelfSignedCertificate PowerShell cmdlet does the same job without installing the SDK.) The download is an installer file; open it and follow the steps.


Step 13

All the features together require about 2.7 GB of disk space. Click Install.


Step 14

Once it is installed, open PowerShell and go to the folder where the SDK placed its tools, i.e. C:\Program Files (x86)\Windows Kits\10\bin\x86 (newer SDK versions add a version-numbered folder under bin).


Step 15

Run dir and you will see makecert.exe in the listing.


Step 16

Type cmd and press Enter. This starts a classic command prompt inside the PowerShell window, which is what the makecert command below is written for.

Step 17

Create a new folder named Azure inside your temp folder and change into it.


Step 18

Run this command to generate the root certificate. It creates a self-signed certificate (-r) with a 2048-bit RSA key (-len 2048), marks the private key exportable (-pe), stores the certificate in the current user's Personal store (-ss My) and writes the public part to KrunalRootCert.cer. The original command used -a sha1; SHA-1 signatures are deprecated, so use sha256:

makecert -sky exchange -r -n "CN=KrunalRootCert" -pe -a sha256 -len 2048 -ss My "KrunalRootCert.cer" 


Step 19

The .cer file will appear in the folder, and because of -ss My the certificate, together with its private key, is also installed in your Personal certificate store.


Step 20

Then type certmgr.msc.

You will find the certificate under Personal - Certificates.


Step 21

Right-click the certificate and choose Export. Do not export the private key: only the public certificate goes to Azure, and the root's private key is what signs every client certificate, so it stays on this machine. Choose Base-64 encoded X.509 (.CER).


Step 22

Specify the file name with its path, e.g. CertificateName.Base64.cer.

Step 23

The certificate will be exported.

Step 24

In Explorer, right-click the file and open it in Notepad.


Step 25

Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and join the remaining base64 text into one single line, because that is what the portal field expects; then you can cut and paste it.

Step 26

It would be something like this. 


Step 27



Step 28

Copy the certificate text, paste it into another Notepad file in the same folder and keep it for Step 34.


Step 29

Now, we need to create a client certificate. This command creates a client certificate issued by (signed with) the root certificate from Step 18, so that it chains to the root you will upload to the gateway. The gateway trusts any client certificate that chains to an uploaded root, which is why the root's private key must be kept safe.


Step 30

Go to cert manager and refresh. You will see the client certificate.

Step 31

Right-click your client certificate and export it. This time do export the private key, since the client needs it to authenticate; the file extension will be .pfx. Set a strong password, which is what protects the private key inside the PFX. After exporting, the file is available in Explorer as well.

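Steps 12 to 31 can be done in one PowerShell script without the Windows SDK, using New-SelfSignedCertificate (the cmdlet Microsoft recommends over the deprecated makecert.exe). The following is an added example, not the article's own command; it reuses the article's name KrunalRootCert and assumes a client name of KrunalClientCert and an output folder of $env:TEMP\Azure. It also performs the check a practitioner wants before pasting anything into the portal: that the one-line string really is the public root certificate and carries no private key.

```powershell
# Added example (not the article's own command): root and client certificates for Azure P2S
# with New-SelfSignedCertificate. Assumed names: KrunalRootCert, KrunalClientCert, $env:TEMP\Azure.
$outDir = Join-Path $env:TEMP "Azure"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Root: self-signed, 2048-bit RSA, SHA-256, allowed to sign certificates (KeyUsage CertSign).
# Its private key stays in the current user's Personal store and is never uploaded anywhere.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=KrunalRootCert" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client: signed by the root (-Signer) and carrying the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2) that the VPN gateway checks. Make one of these per user.
$client = New-SelfSignedCertificate -Type Custom -DnsName "KrunalClientCert" -KeySpec Signature `
    -Subject "CN=KrunalClientCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Steps 21-28 in one go: the public part of the root as a single base64 line with no
# BEGIN/END lines, which is exactly what the Point-to-site configuration blade expects.
$rootDer = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootB64 = [Convert]::ToBase64String($rootDer)
Set-Content -Path (Join-Path $outDir "KrunalRootCert.oneline.txt") -Value $rootB64 -NoNewline

# Check before pasting: the string must round-trip to the same certificate and contain no private key.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($rootB64))
if ($check.Thumbprint -ne $root.Thumbprint -or $check.HasPrivateKey) {
    throw "Exported data is not the expected public root certificate"
}

# Step 31: client certificate plus its private key as a password-protected PFX for that one user.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "KrunalClientCert.pfx") `
    -Password $pfxPassword | Out-Null

# Keep the client thumbprint: it is what you give the gateway to revoke this one user later.
"Root public data written to $outDir\KrunalRootCert.oneline.txt"
"Client thumbprint: $($client.Thumbprint)"
```

The PFX and its password are what an attacker needs to join the VNet, so hand them to the user over separate channels. Because each client certificate is issued individually, a lost laptop is handled by revoking that thumbprint on the gateway rather than by replacing the root and every other client.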
Step 32

Once you have downloaded the VPN client (Step 35), you will have to distribute it together with the .pfx file. Hand the PFX to each user over a secure channel and give the password separately, and issue one client certificate per user rather than sharing one: the gateway can revoke an individual client certificate by its thumbprint, which is only useful if each user has their own.

Step 33

Once the gateway has deployed successfully, open its overview and click Point-to-site configuration.


Step 34

Set the address pool that VPN clients will receive addresses from, give the root certificate a name, paste the one-line public certificate data from Step 28 (it is the public key only, not a secret) and click Save.


Step 35

Once it has updated, the Download VPN client button becomes active. Click it to download the VPN client package.
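The portal steps above (Steps 1 to 11 for the network, gateway and VM, and Steps 33 to 35 for the Point-to-Site configuration) can also be driven from the Az PowerShell module, which is handy when the setup has to be repeatable or reviewed. The script below is an added example, not part of the article. It assumes a resource group rg-p2s-demo in westeurope, a VNet 10.0.0.0/16 with a default subnet 10.0.0.0/24 and GatewaySubnet 10.0.255.0/27, a client address pool 172.16.201.0/24, and that the one-line root certificate data from Step 28 was saved to $env:TEMP\Azure\KrunalRootCert.oneline.txt.

```powershell
# Added example (not the article's own steps): the same build as an Az PowerShell script.
# Assumed names and ranges: rg-p2s-demo, westeurope, vnet-p2s 10.0.0.0/16, default 10.0.0.0/24,
# GatewaySubnet 10.0.255.0/27, client pool 172.16.201.0/24, root data file from Step 28.
$rg       = "rg-p2s-demo"
$location = "westeurope"
$vnetName = "vnet-p2s"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Steps 1-5: the subnet for workloads and the gateway subnet, which must be named exactly GatewaySubnet.
$default = New-AzVirtualNetworkSubnetConfig -Name "default"       -AddressPrefix "10.0.0.0/24"
$gwsub   = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.255.0/27"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $default, $gwsub

# Steps 6-8: public IP and a route-based VPN gateway on the Basic SKU (SSTP only for P2S).
# The gateway deployment is the slow part, up to about 45 minutes.
$pip = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name "vpngw-p2s" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic `
    -VpnClientProtocol SSTP -VpnClientAddressPool "172.16.201.0/24"

# Steps 9-11: the test VM on the default subnet with NO public IP, so RDP is reachable only over the VPN.
$cred = Get-Credential -Message "Local administrator for the VM"
$nic = New-AzNetworkInterface -Name "nic-vm1" -ResourceGroupName $rg -Location $location `
    -SubnetId $vnet.Subnets[0].Id
$vmCfg = New-AzVMConfig -VMName "vm1" -VMSize "Basic_A2" |
    Set-AzVMOperatingSystem -Windows -ComputerName "vm1" -Credential $cred |
    Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" `
        -Skus "2012-R2-Datacenter" -Version "latest" |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMBootDiagnostic -Disable
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmCfg | Out-Null

# Step 34: upload only the root's PUBLIC certificate data (one base64 line, no BEGIN/END lines).
$rootB64 = (Get-Content -Path (Join-Path $env:TEMP "Azure\KrunalRootCert.oneline.txt") -Raw).Trim()
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "KrunalRootCert" `
    -VirtualNetworkGatewayname $gw.Name -ResourceGroupName $rg -PublicCertData $rootB64 | Out-Null

# Step 35: build the VPN client package and print its download URL.
$pkg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gw.Name -AuthenticationMethod "EapTls"
"VPN client package: $($pkg.VPNProfileSASUrl)"

# Later, for a lost laptop: revoke that user's client certificate by thumbprint instead of rotating the root.
# Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName "lost-laptop" `
#     -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rg -Thumbprint "<client certificate thumbprint>"
```

Keeping the VM without a public IP is the point of the whole exercise: the RDP test at the end of the article only proves something if the private address is unreachable from the internet.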


Step 36

The client package will install, but the connection will fail until the client certificate is on that machine, because the gateway authenticates each client with a certificate that chains to the uploaded root. Every user who will install this VPN client needs their own client certificate imported first.

Step 37

Double-click the .pfx file and follow the import wizard; it will ask for the password set in Step 31. Once the certificate is imported into the current user's Personal store, install the VPN client.

Step 38

You can see the VPN in your network connections. Connect to it and, when prompted, choose the client certificate.


Step 39

Once you are connected to your VNet, try to RDP to your VM using its private IP. Go to the portal, select the VM and click Connect; since the VM has no public IP, the RDP file it offers points at the private address, and you will be able to download it and connect.

Now disconnect from your VNet and perform the same steps. You will still be able to download the RDP file, but the connection will fail: the private IP is reachable only through the VPN tunnel, which is exactly the behaviour you want from a VM with no public address.
Step 40

If you run ipconfig /all in PowerShell, you will find the address assigned from the VPN address pool on the VPN adapter.
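The checks in Steps 39 and 40 can be scripted so they can be rerun after every change. The function below is an added example and not part of the article; it assumes the VPN connection is named after the VNet (vnet-p2s), that the VM's private IP is 10.0.0.4 and that the client pool is 172.16.201.0/24. Only the TCP handshake to port 3389 is attempted, so no credentials are sent.

```powershell
# Added example (not part of the article). Assumed values: VPN connection "vnet-p2s",
# VM private IP 10.0.0.4, client address pool 172.16.201.0/24.
function Test-P2SPath {
    param(
        [string]$VpnName     = "vnet-p2s",
        [string]$VmPrivateIp = "10.0.0.4",
        [string]$ClientPool  = "172.16.201."   # prefix of the pool configured on the gateway
    )

    # Step 38: is the P2S connection actually up?
    $vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
    $connected = ($null -ne $vpn) -and ($vpn.ConnectionStatus -eq "Connected")

    # Step 40: the pool address appears on the PPP adapter named after the connection
    # (the same thing "ipconfig /all" shows).
    $poolAddr = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like "*$VpnName*" -and $_.IPAddress.StartsWith($ClientPool) } |
        Select-Object -First 1 -ExpandProperty IPAddress

    # Step 39: can we reach RDP on the private IP? TCP handshake only, no logon attempted.
    $rdp = Test-NetConnection -ComputerName $VmPrivateIp -Port 3389 -WarningAction SilentlyContinue

    [pscustomobject]@{
        VpnConnected = [bool]$connected
        PoolAddress  = $poolAddr
        RdpReachable = [bool]$rdp.TcpTestSucceeded
    }
}

# Run once while connected and once after disconnecting.
Test-P2SPath
```

While connected, VpnConnected and RdpReachable should both be True and PoolAddress should come from the pool. After disconnecting, RdpReachable must be False; if it is still True, the VM is reachable by some path other than the tunnel (a public IP or another route) and that should be investigated before the VM is trusted as "private".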


Step 41

Go to the VM overview and connect via the private IP address.

Step 42

The alternative way to connect to your VM is to open the Remote Desktop client on your local machine and enter the private IP. Hence, we have established a Point-to-Site connection in Microsoft Azure.