Quick notes about self-signed certificate with Point-to-Site Azure VPN

Connecting directly through RDP to your system is not recommended in a practical security. It is because the RDP connection goes through the Internet which is weak. To add more extra layer of security, you should set up a jump virtual machine (as known as bastion host) which connects privately to your system via Point-to-site VPN. The illustration below shows you the setup target. In this setup, there is a virtual machine which resides in a different virtual network to connect to your private network. There is a Point-to-site connection between the jump virtual network and your private virtual network to secure the connection.

The setup with Point-to-site VPN is quite straightforward from setting a new jump virtual machine, to creating a virtual network gateway. However, there are important notes you need to know to complete the setup. You can find an article with the format of step-by-step here to follow to set up Point-to-site VPN for Azure Resource Manager model on Microsoft Azure. Ironically the article is not so clear in some points. In this article, I would like to clarify them to assist you.

If you want to learn advanced Azure IaaS Defense in Depth with many hands-on lab to practice, go pre-order my upcoming book here

Self-Signed Certificate

For evaluation, you may be lazy at setting up a corporate CA to issue a certificate. Purchasing a public certificate from a trusted provider (e.g. VeriSign) is also out of your mind. Instead, you’d like to practice with self-signed certificate to learn more about Microsoft Azure, or to show your boss how Azure is cool from setting things up. To me during my lab preparation for my upcoming book, I use self-signed certificate to set up the environment like the illustration above.

With Self-signed certificate, the first thing you must do is generate a self-signed root certificate. This can be done by PowerShell on Windows 10 or Makecert utility tool on Windows 8. No matter what operating system you are using, the self-signed certificate should not be different from the creation process. Make sure the target store is Personal. And the root certificate must be created with the mode of Current User (not your local computer).

Follow steps described here if you are using Windows 10 to create certificates

After Self-signed certificate, you need to create a client certificate which has to be part of the self-signed root certificate. This client certificate is not for your machine but for any machine you’d like to connect from it to your private virtual network. Open the client certificate, if you do not see the certification path like the below screen then you will not be able to connect to your private virtual network with Point-to-site VPN via VPN client.

Click to General tab, ensure you see the client certificate is issued by the self-signed root certificate. This is the key to a successful setup. Do not worry about the certificate status because your self-signed root certificate is not normally trusted.

Another note is that if you want to use your laptop (not the jump virtual machine) to connect to your private virtual network via VPN client, make sure you export the client certificate in the format of PFX. You must select Include all certificates in the certificate path if possible. Because by this way, you are going to export both self-signed root certificate and the client certificate. When importing, the PFX file must be installed into Personal store. Unless you will encounter the message “A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

As a security practice, make sure to set password to protect the certificate. If the certificate is lost to an attacker, he cannot import to his machine without knowing your password.

When you click Connect in the VPN client tool, it will firstly connect to Azure gateway (e.g. azuregateway-c2237b51-c1ab-4492-b4fb-bd8b40dd7aea-0106e55eb2d8.cloudapp.net) then verify your certificate. The verification process is done on both self-signed certificate and client certificate to see whether the certificate on your machine matches the public certificate you configured in virtual network gateway.

There are some articles on the Internet guiding you to create a VPN manually on your machine. I’d not recommend this way. Simply follow Microsoft guidance and my article.

Client Address Pool

I cannot seem to find anywhere guiding on how to qualify a client address pool during the point-to-site configuration in your virtual network gateway. That’s why I stated from the beginning that the article has some unclear points. The only thing to remember is that the client address pool must not be the same address space with your virtual network. Unless when you save your configuration, the update will 100% be failed. Why do we need client address pool? This is considered a reserved pool for your machine where you connect to your private virtual network.

When you make it successfully done, you can run ipconfig /all command to check your PPP adapter address of your machine. The address is automatically assigned with an IP in the address pool.

VPN Client

I don’t know if this is my fault but I realize that if I download the VPN client from my laptop, then copy it to the jump virtual machine (refer to the above illustration), the point-to-site VPN setup does not work. The download seems to be blocked by Windows Defender. If you download the VPN client, all anti-virus/antimalware software should be turned off. Another way is to directly download and install VPN client (Run anyway mode).

I’m in the process of finalizing my upcoming book covering advanced Azure IaaS Defense in Depth with many hands-on lab to practice. One of the labs is to fully cover step-by-step guidance on to set up the environment like the above illustration. I will also explain more details on each step. The book can be ordered now with only $9.99 at Amazon http://amzn.com/B07117YWFZ . After your successful purchase, the book will be delivered on your Kindle on 15 June 2017. If you do not see my book helpful, I will give back to you fully refundable price.



Leave a Reply