Point-to-Site VPN: Remote Access
Connect individual devices to Azure VNets with Point-to-Site VPN β tunnel types, authentication methods, Always On VPN, and troubleshooting.
Point-to-Site VPN: Remote Access
Point-to-Site (P2S) VPN connects individual devices (laptops, tablets) to your Azure VNet β no corporate VPN device needed. Itβs perfect for remote workers who need access to Azure resources.
A point-to-site VPN connects a single computer to your Azure network β like giving someone a personal key to a specific building. Where site-to-site connects entire networks, point-to-site connects individual devices. A remote worker opens a VPN client, authenticates, and gets secure access to Azure resources.
Tunnel Types
| Feature | OpenVPN | IKEv2 | SSTP |
|---|---|---|---|
| Protocol | TLS-based (port 443) | IPsec (ports 500/4500) | TLS-based (port 443) |
| Windows | Yes | Yes | Yes |
| macOS | Yes | Yes | No |
| Linux | Yes | Yes (manual) | No |
| iOS / Android | Yes | Yes | No |
| Firewall-friendly | Yes (HTTPS port 443) | May be blocked by firewalls | Yes (HTTPS port 443) |
| Entra ID auth | Yes β only tunnel type that supports it | No | No |
| Max connections | SKU dependent (up to 10,000) | SKU dependent | 128 max (regardless of SKU) |
| Performance | Good | Best (native IPsec) | Good |
Exam Tip: If the question mentions Entra ID authentication, the answer is always OpenVPN β itβs the only tunnel type that supports it. If the question mentions SSTP, remember itβs Windows-only and limited to 128 connections. For cross-platform support, OpenVPN or IKEv2 are the choices.
Authentication Methods
| Method | How It Works | Best For |
|---|---|---|
| Azure certificate | Root CA cert uploaded to Azure, client certs installed on devices | Small deployments, no RADIUS infra |
| RADIUS | VPN Gateway forwards auth to your RADIUS server (NPS, etc.) | Existing RADIUS infrastructure, MFA via NPS extension |
| Entra ID | Users sign in with Entra ID credentials, supports Conditional Access | Modern auth, MFA, Conditional Access β OpenVPN only |
Certificate Authentication β The 5 Steps
- Generate a self-signed root CA certificate (or use an enterprise CA)
- Export the root certificate public key (.cer format) and upload to Azure VPN Gateway
- Generate client certificates from the root CA (one per user/device)
- Install client certificates on each connecting device (including the private key)
- Download and install the VPN client configuration from the Azure portal
When a client connects, the VPN Gateway validates that the client certificate was signed by the uploaded root CA. If it matches, the connection is established.
Revoking access: Upload individual client certificate thumbprints to the gatewayβs revocation list. Revoking the root certificate disconnects all clients.
Entra ID Authentication
βοΈ Elenaβs scenario: Skyline Logistics wants P2S VPN with Conditional Access β users must pass MFA and connect from compliant devices only. Entra ID auth makes this possible.
Setup steps:
- Enable the Azure VPN enterprise application in Entra ID
- Configure the VPN Gateway with Entra ID tenant, audience, and issuer
- Choose OpenVPN as the tunnel type (required for Entra ID)
- Users download the Azure VPN Client and sign in with their Entra ID credentials
Conditional Access bonus: Because auth goes through Entra ID, you can apply Conditional Access policies β require MFA, require compliant device, block risky sign-ins, restrict by location. This is a major advantage over certificate auth.
RADIUS Authentication Deep Dive
RADIUS (Remote Authentication Dial-In User Service) is the traditional enterprise auth method:
How it works:
- Client connects to VPN Gateway
- Gateway forwards credentials to your RADIUS server (e.g., Windows NPS)
- RADIUS server validates against Active Directory
- RADIUS returns Accept or Reject
MFA with RADIUS: Install the Azure MFA NPS Extension on your RADIUS server. When a user connects:
- NPS validates AD credentials
- MFA extension triggers a phone call, push notification, or TOTP verification
- Only after both succeed does the VPN connect
When to choose RADIUS:
- You already have NPS infrastructure
- You need to authenticate against on-premises AD directly
- You need MFA but canβt use Entra ID (e.g., OpenVPN not an option for legacy clients)
Limitation: Two RADIUS servers maximum per gateway for HA.
VPN Client Configuration
After configuring the gateway, you download a VPN client profile package:
| Client | Configuration |
|---|---|
| Windows (native) | Import the VPN profile; supports IKEv2 and SSTP natively |
| Azure VPN Client | Required for OpenVPN with Entra ID auth; supports Windows and macOS |
| OpenVPN client | Works on all platforms; import the .ovpn file from the download package |
| strongSwan | Linux IKEv2 client |
P2S address pool: You must configure a non-overlapping address range for P2S clients (e.g., 172.16.201.0/24). Connected clients get IPs from this pool. This range must not overlap with your VNets or on-premises ranges.
Always On VPN
Always On VPN keeps the VPN connection active at all times β the user doesnβt have to manually connect.
Requirements:
- Windows 10/11 Enterprise or Education edition
- IKEv2 tunnel type (SSTP and OpenVPN donβt support Always On)
- Device tunnel (connects before user sign-in, using machine certificates)
- User tunnel (connects after sign-in, can use any auth method)
Device tunnel enables scenarios like pre-logon access to domain controllers for Group Policy and credential validation.
Azure Network Adapter
A simpler alternative for connecting individual Windows servers:
- Uses Windows Admin Center
- Creates a P2S connection to Azure without full VPN Gateway configuration
- Self-signed certificate generated automatically
- Useful for quickly connecting a single on-prem server to Azure
Troubleshooting P2S Issues
| Symptom | Common Cause | Fix |
|---|---|---|
| Client canβt connect at all | Client cert not from uploaded root CA | Verify cert chain; re-export and reinstall |
| Connected but canβt reach resources | DNS not resolving Azure private names | Configure VPN client DNS settings or use split DNS |
| Connection drops frequently | Idle timeout | Increase idle timeout on gateway; enable keepalives |
| βCertificate revokedβ error | Client cert thumbprint in revocation list | Remove thumbprint from CRL or issue new cert |
| βAuthentication failedβ (Entra ID) | Azure VPN app not granted consent | Admin-consent the Azure VPN enterprise app in Entra ID |
| Slow performance | Routing all traffic through VPN (full tunnel) | Consider split tunneling for non-Azure traffic |
Key Takeaways
- OpenVPN is the only tunnel type supporting Entra ID authentication
- SSTP is Windows-only and limited to 128 connections
- Certificate auth: root cert on gateway, client certs on devices
- Entra ID auth enables Conditional Access policies (MFA, compliant devices)
- Always On VPN requires IKEv2 and Windows Enterprise/Education
Test Your Knowledge
Elena wants P2S VPN with Conditional Access requiring MFA and compliant devices. Which configuration must she use?
A P2S client connects successfully but cannot resolve Azure VM hostnames. What's the most likely cause?
Next up: ExpressRoute Fundamentals β Private, dedicated connectivity to Azure that doesnβt traverse the public internet.