Condividi tramite


How to Setup Windows Azure (Server 2012) as an SSTP and L2TP VPN Provider

---------- windows.azure.com
1. Create new Windows Server VM using "Quick Create"
2. The DNS name, username and password will be used to connect to the VPN
3. A0 or A1 VM (starts at around $10/month or free with an MSDN subscriptionno charge for stopped VM, billed by the minute)
4. Add HTTPS endpoint (TCP 443)
5. Connect using Remote Desktop (RDP) through the Dashboard

---------- Server Role
1. Click on Server Manager -> Manage -> "Add Roles and Features"
2. Add "Remote Access", include VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> "Open the Getting Started Wizard"
4. Select "Deploy VPN only"

---------- Server Certificate
1. Open an elevated CMD prompt
2. Use SelfSSL (IIS6 Resource Kit, custom install only this component) to generate an SSL certificate for the SSTP:
selfssl.exe /N:cn=<...>.cloudapp.net /V:3650
(3650 == 10 years, "<...>.cloudapp.net" represents the fully-qualified domain name, FQDN)
3. Confirm prompt with "y", ignore metabase error (if it appears)
4. Open the Certificate Manager for Computer Account: certlm.msc
5. Click on Personal -> Certificates
6. Right-click on the <...>.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password

---------- Server RRAS
1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on "Configure and Enable RRAS"
3. Choose "Custom configuration", select "VPN access" and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the <...>.cloudapp.net certificate
6. Click on the IPv4 tab
7. Enter a "Static address pool" for the number of clients, e.g.: 192.168.1.1 - 192.168.1.20 (otherwise the connection will fail with error 720), then close the dialog
8. Don't enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C
9. Expand the IPv4 node, then right-click on NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2")
10. Click on "Public interface connected to the Internet" and check "Enable NAT on this interface"

---------- Server User
1. Open "Computer Management" (compmgmt.msc) console
2. Click on "Local Users and Groups", then on Users, double click on your account
3. Click on Dial-in and change "Network Access Permission" to "Allow access"

---------- Client Certificate
1. Double-click on the exported pfx server certificate file and install to client's "Local Machine" store, if you store the certificate in the personal store, the connection will fail with error 0x800B0109
2. Click on "Place all certificates in the following store", then on Browse
3. Select "Trusted Root Certificate Authorities"

---------- Client Connection
1. Go to Network and Sharing Center, click on "Setup a new connection or network"
2. Select "Connect to a workplace", then VPN
3. Enter <...>.cloudapp.net, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter

---------- SSL Certificate
To avoid installing a self-certificate to the trusted store (or for devices with a locked trusted store), do the following:
1. Open the IIS Manager on the server
2. Click on the server, then on "Server Certificates"
3. Click on "Create Certificate Request" (Certificate Signing Request, CSR)
4. Enter <...>.cloudapp.net as the "Common name", fill the rest and export as text file
5. Buy an SSL certificate using the CSR (cheap SSL certificates start at around $5/year)
6. Once the SSL authority issues the certificate:
a) Install to the server's and client's "Local Machine" personal store as described above, skipping the step to copy/move it to the trusted store
b) Select the same certificate in the RRAS tool, on the Security tab

---------- L2TP over IPsec
1. On the Azure Portal, add the following endpoints:
a) L2TP UDP: 1701
b) IPsec UDP: 500
c) IKEv2 UDP: 4500
2. On the Server, open the "Windows Firewall with Advanced Security" (WF.msc), create a rule called IKEv2 and allow inbound traffic to UDP port 4500 (otherwise the connection will fail with error 809)
3. Using the RRAS tool, right-click on the server and then on Properties -> Security
4. Check "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter a preshared key
5. On the client, right-click on new VPN connection, then show properties
6. Click on Security, then on click on "Advanced settings" and enter the same preshared key

For help, see Troubleshooting common VPN related errors.

DISCLAIMER: This solution is provided "AS IS," without any warranty or representation of any kind. Please note that, as of June 2014, this solution is not yet officially supported by Microsoft.

Comments

  • Anonymous
    June 14, 2013
    connect private network to public network with NAT, it works fine now, thanks.

  • Anonymous
    July 08, 2013
    Great thanks! Is it possible to get L2TP or PPTP working as well? I need to connect with OS X which does not support SSTP.

  • Anonymous
    July 10, 2013
    For PPTP, endpoints for TCP 1723 and protocol 47 GRE are required, only TCP and UDP endpoint are currently supported. I have updated the article with information on how to add L2TP over IPsec support.

  • Anonymous
    July 16, 2013
    @JohannesRu: After closing the Security properties dialog, under the server node, there is a node called IPv4. Expand it and then right-click on NAT and follow the rest of the instructions. The public interface is called "Ethernet 2", but it might also be called "Ethernet 3", depending on some circumstances (the other interface is called Internal, but we need the external one). Yes, this is the reason why you cannot access the internet, you need to enable Network Address Translation.

  • Anonymous
    July 18, 2013
    Sorry, made a stupid mistake in the beginning. Got it to work now. Thanks a lot :)

  • Anonymous
    August 07, 2013
    @Shoukat: One thing to try is to connect from other machines on other networks. Some routers block certain protocols and/or ports and may result in the error that you are getting. So maybe your configuration is already correct and your router is blocking you. @Petriaev: What error are you getting? please also try other machines on other networks.

  • Anonymous
    August 13, 2013
    I figured it out, I missed the Routing role when I configure roles following another article. Thanks for your share. I can use VPN to access Internet now.

  • Anonymous
    August 13, 2013
    The comment has been removed

  • Anonymous
    August 17, 2013
    One more question, I added port 1701, 500 and 4500 in Azure portal and I have shut down firewall of VM. Why my iPad mini can access VPN through L2TP, but my laptop (Windows 8.1 Preview) can not? Always get error 809. Could you please help me?

  • Anonymous
    August 22, 2013
    @ShoukaT: Please check that you enabled NAT as explained under "Server RRAS". @K.F.Storm: Are both devices on the same network? I can connect using a Surface RT with Win 8.1 just fine, so it should work. Check that no routers or other hardware are blocking the needed ports and protocols.

  • Anonymous
    August 27, 2013
    I can successfully connect using SSTP on Windows 8.1 Preview but cannot on either iPhone or WIndows 8.1 Preview using L2TP. I got 809 on Windows 81. Preview. I did open the three ports and add the firewall rule. What am I missing? Or maybe the way I did the above is wrong?

  • Anonymous
    September 11, 2013
    Hi, Luis. First of all, thanks for the awesome tutorial. I need to create a VPN server which allow multiple users login at the same time. Is Windows Azure VPN a suitable approach ? Can I create different login accounts for all the VPN users in Windows Azure ? Thank you for the information.

  • Anonymous
    September 12, 2013
    Hi Ck, I'm glad you like it :) First of all, with Azure you can do anything. The only question is, how much do you have to do manually and for what things can you use existing MS or 3rd Party products/features. In this setup, the logins are managed by Windows, so you could manually create user accounts as you would normally do and give them remote access rights (see step regarding Network Access Permission). This would be feasible if you only have a bunch of users. If you want to create a commercial VPN provider, you would need a frontend from which users can create accounts and select a VPN server machine, the application should also be able to create or shutdown VMs depending on the demand to keep your costs to a minimum. There are some commercial products that do that, but you would need to do a little research to see if there is an existing product specifically for Azure. If you don’t find one, you may have to have it created. Azure can be fully controlled through PowerShell commands, so it is something that can definitely be done.

  • Anonymous
    November 07, 2013
    Fantastic tutorial. Easy to read, implement and it works on all PC's. Can't get it working on iPhone just yet, but will keep trying. Thanks!

  • Anonymous
    December 05, 2013
    The comment has been removed

  • Anonymous
    December 12, 2013
    add ip and hostname in local hosts -file

  • Anonymous
    December 22, 2013
    I've got up to the part where you login to the VPN on the VM (3rd last step) - as soon as I did this I lost connection to the Remote Desktop and can't reconnect now. What have I done wrong?

  • Anonymous
    December 22, 2013
    Didn't notice that was for client connection, oops. :)

  • Anonymous
    December 22, 2013
    I only have a Mac, iPad and iPhone so I haven't tested SSTP but I can't connect via L2TP IPSec, any ideas?

  • Anonymous
    January 03, 2014
    The comment has been removed

  • Anonymous
    March 28, 2014
    When VM restaert, VPN stop to work.

  1. Expand the IPv4 node, then right-click on NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2") I can't see the interface after restart. One problem - Azure restart VM in maintrace work.
  • Anonymous
    May 03, 2014
    @Petriaev:
  • In the RRAS console, right-click on your server, then on "Disable RRAS".
  • Repeat the steps under "Server RRAS".
  • Anonymous
    October 29, 2014
    Hi. It is now possible to get multiple NICs on Azure. Would that enhance performance in your test scenario? azure.microsoft.com/.../multiple-vm-nics-and-network-virtual-appliances-in-azure Br, Martin.

  • Anonymous
    November 04, 2014
    Hi Luis, After I follow your tutorial here, I got the error 0x80072746 on client when I am trying to connect to the VPN server. I tried google it but not helpful solution. Do you have any idea what I can do to solve this error ? Thanks.

  • Anonymous
    November 23, 2014
    Hi Luis, I'm stuck on this part (when configure RASS on the server):

  1. Choose "Custom configuration", select "VPN access" and NAT The VM needed a second NIC. But my Azure machine has only one NIC... How can I solve this? Thanks
  • Anonymous
    December 23, 2014
    This step by step is from 2013 . At this point, an Azure VM had just 1 NIC  (Multi-NIC feature is from 2014, and is intended for Virtual Appliance´s ) How do you select the second NIC as the External NIC ?

  • Anonymous
    January 18, 2015
    Hi, thanks for sharing! I ran through the steps to setup the SSTP VPN, but when I connect to the VPN,I get an error: Error 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.  I checked the MMC Console, under Certificates > Trusted Root Certificate Authorities, that my certificate is installed & visible in that list. So that seems to work when installing the Client Certificate while in remote desktop. Am I suppose to install this certificate on all computers that will use this VPN? One difference I noticed when following the step to add "New Interface", I only see one option "Ethernet", but it doesn't say "Ethernet 2". Any other tips to fix this problem? Thanks.

  • Anonymous
    February 16, 2015
    For SSTP, your need to install certificate on computer account, not on user account.

  • Anonymous
    June 10, 2015
    On Azure Virtual Machine, L2TP does not work. Could you please tell me how to fix it? Thank you!

  • Anonymous
    August 01, 2015
    @Ck: According to the page "Troubleshooting common VPN related errors" that I linked above, it could be that the "certificate is not installed on the VPN server". @Lisa: If you want to use the free, self-certificate, then yes, you need to install it on every client. Otherwise you can use a paid certificate, see my notes under "SSL Certificate" above. It could be "Ethernet", "Ethernet 2", 3, 4 and so on. The number will increase if for some reason the VPN stops working and you disable and re-enable RRAS to fix it (see steps under "Server RRAS").

  • Anonymous
    September 08, 2015
    The NIC changing the MAC address and name after each reboot makes Azure not suitable for a production RRAS setup. Is it possible to automatically update the RRAS configuration via a script each time the NIC changes?

  • Anonymous
    October 27, 2015
    Great post, thank you

  • Anonymous
    November 04, 2015
    as Robert mentioned, the interface changes after a reboot and therefore the NAT settings. This means RRAS needs to be reconfigured every time - is there a workaround for this?

  • Anonymous
    November 12, 2015
    Hi, my certificate is installed on the client machine but i still receive 0x800B0109. Any ideas?

  • Anonymous
    February 12, 2016
    Hi there - Nice tutorial! I'm trying to setup RRAS on Windows Server 2012 R2 server in Azure to support inbound VPN connections from internet machines using SSTP. I've setup the RRAS service, and am able to successfully VPN into the host from a guest machine, and can establish connectivity to the RRAS server using ICMP etc. However, I cannot connect to any other VMs in the same subnet as the RRAS server... no matter what I do. My connection is just limited to the RRAS machine. My environment is as follows    RRAS server - single interface.    IP address of 10.50.0.12    Configured as a VPN service (SSTP with public wildcard certificate)    RRAS configured with a static address pool of 172.16.10.10 - 172.16.10.254 I have configured a static route on another server in tenant (10.50.0.11) that points all traffic to the static address pool via the RRAS server (route add 172.16.10.0 mask 255.255.255.0 10.50.0.12 -p) I can successfully connect from my client machine, and establish connecting and ping the RRAS server on 10.50.0.12. However, I cannot ping anything else, including the secondary VM that I put the static route on (10.50.0.11). I've tried disabling the Windows firewall on all machines... no difference. I don't have NAT configured as don't want my client PCs to use the Azure VPN connection as their default internet route. Can you point me in the right direction as to what might be wrong? Regards, James.

  • Anonymous
    February 16, 2016
    @Luis, I confiigured RRAS on Azure following the steps. And I succeeded with SSTP connection, however L2TP doesn't work on same Windows 10 client. UDP ports 500, 4500 and 1701 are opened both on VM endpoint and host firewall. What's the possible reason and how to diagnose it?

  • Anonymous
    May 08, 2016
    Hi everybody,I've created some scripts to deploy VM (with NSG rules) and/or configure VPN for you. So you don't need to go through these steps manually, which we often make mistakes on them. Optionally, I created scripts to install SSH server too. Enjoy!https://github.com/kfstorm/AzureVpnSshScripts