Configure Azure VPN Client for User VPN P2S certificate authentication connections - Windows
If your User VPN point-to-site (P2S) VPN gateway is configured to use OpenVPN and certificate authentication, you can connect to your virtual network using the Azure VPN Client. This article walks you through the steps to configure the Azure VPN Client and connect to your virtual network.
This article applies to Windows operating system clients. For more information about other VPN client configuration articles, see the following table:
Before you begin
Before beginning client configuration steps, verify that you're on the correct VPN client configuration article. The following table shows the configuration articles available for Virtual WAN point-to-site VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.
| Authentication method | Tunnel type | Client OS | VPN client |
|---|---|---|---|
| Certificate | IKEv2, SSTP | Windows | Native VPN client |
| IKEv2 | macOS | Native VPN client | |
| IKEv2 | Linux | strongSwan | |
| OpenVPN | Windows | Azure VPN client OpenVPN client version 2.x OpenVPN client version 3.x |
|
| OpenVPN | macOS | OpenVPN client | |
| OpenVPN | iOS | OpenVPN client | |
| OpenVPN | Linux | Azure VPN client OpenVPN client |
|
| Microsoft Entra ID | OpenVPN | Windows | Azure VPN client |
| OpenVPN | macOS | Azure VPN client | |
| OpenVPN | Linux | Azure VPN client |
Prerequisites
This article assumes that you've already performed the following prerequisites:
- You configured a virtual WAN according to the steps in the Create User VPN point-to-site connections article. Your User VPN configuration must use certificate authentication and the OpenVPN tunnel type.
- You generated and downloaded the VPN client configuration files. For steps to generate a VPN client profile configuration package, see Generate VPN client configuration files.
- You can either generate client certificates, or acquire the appropriate client certificates necessary for authentication.
Workflow
The workflow for this article is as follows:
- Generate and install client certificates if you haven't already done so.
- View the VPN client profile configuration files contained in the VPN client profile configuration package that you generated.
- Configure the Azure VPN Client.
- Connect to Azure.
Install client certificates
When your User VPN configuration settings are configured for certificate authentication, in order to authenticate, a client certificate must be installed on each connecting client computer. Later in this article, you specify the client certificates that you install in this section. The client certificate that you install must have been exported with its private key, and must contain all certificates in the certification path.
For steps to generate a client certificate, see Generate and export certificates.
For steps to install a client certificate see Install client certificates.
To view an installed client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.
View configuration files
The VPN client profile configuration package contains specific folders. The files within the folders contain the settings needed to configure the VPN client profile on the client computer. The files and the settings they contain are specific to the P2S VPN gateway and the type of authentication and tunnel your VPN gateway is configured to use.
Locate and unzip the VPN client profile configuration package you generated. For Certificate authentication and OpenVPN, you'll see the AzureVPN folder. In this folder, you'll see either the azurevpnconfig_cert.xml file or the azurevpnconfig.xml file, depending on whether your P2S configuration includes multiple authentication types. The .xml file contains the settings you use to configure the VPN client profile.
If you don't see either file, or you don't have an AzureVPN folder, verify that your VPN gateway is configured to use the OpenVPN tunnel type and that certificate authentication is selected.
Download the Azure VPN Client
Download the latest version of the Azure VPN Client install files using one of the following links:
- Install using Client Install files: https://aka.ms/azvpnclientdownload.
- Install directly, when signed in on a client computer: Microsoft Store.
Install the Azure VPN Client to each computer.
Verify that the Azure VPN Client has permission to run in the background. For steps, see Windows background apps.
To verify the installed client version, open the Azure VPN Client. Go to the bottom of the client and click ... -> ? Help. In the right pane, you can see the client version number.
Configure the Azure VPN Client profile
Open the Azure VPN Client.
Select + on the bottom left of the page, then select Import.
In the window, navigate to the azurevpnconfig.xml or azurevpnconfig_cert.xml file, depending on your configuration. Select the file, then select Open.
On the client profile page, notice that many of the settings are already specified. The preconfigured settings are contained in the VPN client profile package that you imported. Even though most of the settings are already specified, you need to configure settings specific to the client computer.
From the Certificate Information dropdown, select the name of the child certificate (the client certificate). For example, P2SChildCert. For this exercise, for secondary profile, select None.
If you don't see a client certificate in the Certificate Information dropdown, you'll need to cancel the profile configuration import and fix the issue before proceeding. It's possible that one of the following things is true:
- The client certificate isn't installed locally on the client computer.
- There are multiple certificates with exactly the same name installed on your local computer (common in test environments).
- The child certificate is corrupt.
After the import validates (imports with no errors), select Save.
In the left pane, locate the VPN connection, then select Connect.
Next steps
To modify additional P2S User VPN connection settings, see Tutorial: Create a P2S User VPN connection.