Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,628 questions
Azure VPN on Mac: Connected but Unable to Browse the Internet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 24%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIF%3C/text%3E%3C/svg%3E)
Istvan Fazakas
0
Reputation points
I have the following setup:
- Azure virtual Network
- having address space
10.0.0.0/16 - 3 subnets:
- application_subnet
- address prefixes:
10.0.2.0/24
- address prefixes:
- vpn_gateway_subnet
- address prefixes:
10.0.5.0/24
- address prefixes:
- app_gateway_subnet
- address prefixes:
10.0.6.0/24
- address prefixes:
- application_subnet
- having address space
- Azure VPN Gateway
- RouteBased
- having ip configuration with the vpn_gateway_subnet subnet id
- Point-to-site configuration
- authentication type: AAD
- address space: 172.10.0.0/24
- audience is a custom application, having
c632b3df-fb67-4d84-bdcf-b95ad541b5c8client ID added to the scope of the application - added
0.0.0.0/1and128.0.0.1/1for forced tunneling,
I am on Mac, I downloaded the Azure VPN client, downloaded the configuration from the VPN Gateway Point-to-Site configuration.
I updated the downloaded XML file, adding <applicationid>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</applicationid> as it was mentioned on one of the discussions (p.s. I also tried it without this setting).
The VPN client is connecting successfully - authentication with Microsft Entra ID is working.
When I try to access anything in the browser or try to ping anything in the terminal, I can see in the VPN client that I do have outbound traffic, but the inbound traffic is 0 -> nothing is working.
How could I properly debug this? What could cause the issue?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 15%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Praveen Bandaru 260 Reputation points Microsoft Vendor2025-01-24T06:19:23.0566667+00:00 Hello Istvan Fazakas
Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
It appears that force tunneling is applied on the VPN client, causing the ranges 0.0.0.0/1 and 128.0.0.0/1 to be directed to the VPN gateway. Consequently, public ranges will also fall under these ranges.
Please try to share the below information for further investigation:
- For testing purposes, please remove the force tunneling and conduct the test. Meanwhile, share the nslookup results after connecting to the VPN to determine which DNS server is taking.
- And in the HUB VNET, could you please confirm whether you are using a custom DNS or the Azure-provided DNS?
- Is it working for windows machine?
Thanks,
Praveen
-
Istvan Fazakas 0 Reputation points
2025-01-24T19:53:33.8433333+00:00 Hello,
Thank you for checking this.
- In case I remove force tunneling, there will be absolutely no traffic flowing through - both in and out bytes show 0
- I am using the Azure provided DNS
- I did not try, as I have my whole dev setup on Mac - I will give it a try next week.
Meantime I tried setting up a route table and an NSG - with those set up I did manage to see some traffic in and out, however the requests are timing out, and the websites are not loading.
In the route table I added as address prefix the public IP of my app service (the one I am trying to put behind a VPN).
In the NSG setup I added Inbound and Outbound security rule for Icmp, having the VPN gateway address space set as source/destination address prefix
and an Inbound and Outbound security rule for TCP, allowing*for bot source and destination address prefixes. -
Praveen Bandaru 260 Reputation points Microsoft Vendor
2025-01-29T04:13:53.4466667+00:00 Hello Istvan Fazakas
Greetings!
Thank you for your response.
For further investigation please share the below information:
- Are you attempting to access the app service through a private connection or a public one?
- Kindly perform an RDP of a VM and share the ping results.
- Could you please provide screenshots of the nslookup and psping results with the app service FQDN?
- Additionally, test on a Windows machine and share the outcomes with us.
Thanks,
Praveen
-
Praveen Bandaru 260 Reputation points Microsoft Vendor
2025-01-29T22:23:54.2266667+00:00 Hello Istvan Fazakas
Greetings!
I would like to follow up with the thread.
Could you please go through the last comment and provide us the required information to drive the thread further.
If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.
Regards,
Praveen
-
Istvan Fazakas 0 Reputation points
2025-01-30T15:13:40.3066667+00:00 hi @Praveen Bandaru I am currently trying out another way to achieve my goal. I am trying to add a private endpoint to the App Service. Will com back to you with an answer once I managed to try it out.
-
Praveen Bandaru 260 Reputation points Microsoft Vendor
2025-01-30T21:50:45.48+00:00 Hello Istvan Fazakas
Greetings!
Thank you for your update.
I understand that you are pursuing your goal through an alternative approach. If you require any additional information, please feel free to reach out to us.
Sign in to comment
Sign in to answer