How to Setup Windows Azure (Server 2012) as an SSTP and L2TP VPN Provider


———- windows.azure.com
1. Create new Windows Server VM using “Quick Create”
2. The DNS name, username and password will be used to connect to the VPN
3. A0 or A1 VM (starts at around $10/month, or free with an MSDN subscription; no charge for a stopped VM, billed by the minute)
4. Create TCP endpoint at port 443
5. Connect using Remote Desktop (RDP) through the Dashboard

———- Server Role
1. Click on Server Manager -> Manage -> “Add Roles and Features”
2. Add “Remote Access”, include VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> “Open the Getting Started Wizard”
4. Select “Deploy VPN only”

———- Server Certificate
1. Open an elevated CMD prompt
2. Use SelfSSL (from the IIS 6.0 Resource Kit; choose a custom install and select only this component) to generate an SSL certificate for SSTP:
selfssl.exe /N:cn=<…>.cloudapp.net /V:3650
(3650 is the validity in days, i.e. 10 years; “<…>.cloudapp.net” stands for the VM’s fully-qualified domain name, FQDN)
3. Confirm prompt with “y”, ignore metabase error (if it appears)
4. Run mmc.exe, add snap-in for Certificates -> Computer account
5. Click on Personal -> Certificates
6. Right-click on the <…>.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password
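The same certificate can be generated and exported from an elevated PowerShell prompt instead of SelfSSL and the MMC. This is an added example, not part of the original post; it assumes the placeholder FQDN and the output paths are replaced with your own, and note that New-SelfSignedCertificate on Server 2012 has no validity parameter, so the certificate is valid for the cmdlet’s default of one year rather than the 10 years given to SelfSSL above.

```powershell
# Added example (not from the original post): self-signed SSTP server
# certificate created and exported with PowerShell on Server 2012.
$fqdn    = "<...>.cloudapp.net"     # placeholder: the VM's DNS name
$pfxPath = "C:\sstp-server.pfx"     # assumed path: full backup incl. private key
$cerPath = "C:\sstp-server.cer"     # assumed path: public part only, for clients

# Create the certificate in the computer's Personal store. SSTP clients check
# that the name in the certificate matches the server name they dial.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My"

# Password-protected PFX with the private key (this is what step 6 exports).
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Public certificate only: this is all a client needs in its Trusted Root store,
# so the private key never has to leave the server.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Verify: exactly one certificate for the FQDN, and it has a private key.
$found = @(Get-ChildItem "Cert:\LocalMachine\My" | Where-Object { $_.Subject -eq "CN=$fqdn" })
if ($found.Count -ne 1 -or -not $found[0].HasPrivateKey) {
    throw "Certificate for $fqdn not found with a private key in LocalMachine\My"
}
"Thumbprint: $($found[0].Thumbprint)  (select this certificate on the RRAS Security tab)"
```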

———- Server RRAS
1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on “Configure and Enable RRAS”
3. Choose “Custom configuration”, select “VPN access” and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the <…>.cloudapp.net certificate
6. Click on the IPv4 tab
7. Enter a “Static address pool” sized for the number of clients, e.g. 192.168.1.1 – 192.168.1.20 (otherwise the connection fails with error 720), then close the dialog
8. Don’t make the range too small. The OS keeps a used address reserved for a while, so frequent reconnects or connections from multiple devices can exhaust the pool, and the connection then fails with error 0x8007274C
9. Expand the IPv4 node, then right-click on NAT, then on “New Interface”, select the external interface (e.g. “Ethernet 2”)
10. Click on “Public interface connected to the Internet” and check “Enable NAT on this interface”
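Steps 9 and 10 can also be done from an elevated PowerShell prompt, which is handy because the external adapter is not always called “Ethernet 2” (see the comments below). This is an added example, not part of the original post; it assumes RRAS has already been enabled with NAT in step 3 (that is what installs the NAT routing protocol) and picks the external interface as the one carrying the default route.

```powershell
# Added example (not from the original post): enable NAT on the external
# interface, identified as the adapter that holds the IPv4 default route.
$defaultRoute = Get-NetRoute -DestinationPrefix "0.0.0.0/0" |
    Sort-Object RouteMetric | Select-Object -First 1
if (-not $defaultRoute) { throw "No IPv4 default route found; cannot pick the external interface" }
$external = (Get-NetAdapter -InterfaceIndex $defaultRoute.InterfaceIndex).Name   # e.g. "Ethernet 2"
"External interface: $external"

# Register the interface with the RRAS NAT component in "full" mode, which is
# the same as ticking "Public interface connected to the Internet" plus
# "Enable NAT on this interface" in the New Interface dialog.
netsh routing ip nat add interface "$external" full

# Verify that NAT now lists the interface. Without this, clients connect but
# have no internet access through the VPN.
netsh routing ip nat show interface
```

If Azure presents the adapter under a new name after a reboot, re-run the block (or disable and reconfigure RRAS as the author suggests in the comments) so that NAT is bound to the current external interface.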

———- Server User
1. Open “Computer Management” console
2. Click on “Local Users and Groups”, then on Users, double click on your account
3. Click on Dial-in and change “Network Access Permission” to “Allow access”

———- Client Certificate
1. Double-click on the exported .pfx server certificate file and install it to the client’s “Local Machine” store. If you put the certificate in the Personal store instead, the connection will fail with error 0x800B0109
2. Click on “Place all certificates in the following store”, then on Browse
3. Select “Trusted Root Certificate Authorities”

———- Client Connection
1. Go to Network and Sharing Center, click on “Setup a new connection or network”
2. Select “Connect to a workplace”, then VPN
3. Enter <…>.cloudapp.net, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP; it should be an address from the Azure datacenter
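The client-side steps under “Client Certificate” and “Client Connection” can be scripted on Windows 8 and later. This is an added example, not part of the original post; it assumes the server’s certificate was exported as a public-only .cer file (an alternative to the .pfx used above, and sufficient because a client only needs to trust the certificate, not hold its private key), and the FQDN, file path and credentials are placeholders.

```powershell
# Added example (not from the original post): trust the server certificate and
# create the SSTP connection on a Windows client. Run as administrator.
$fqdn     = "<...>.cloudapp.net"     # placeholder: the VM's DNS name
$cerPath  = "C:\sstp-server.cer"     # assumed path: public server certificate
$connName = "Azure SSTP"

# Import into the *computer* Trusted Root store. The user's store, or the
# Personal store, does not satisfy the SSTP chain check (error 0x800B0109).
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# Confirm the trust anchor the SSTP handshake will look for is actually there.
$root = Get-ChildItem "Cert:\LocalMachine\Root" | Where-Object { $_.Subject -eq "CN=$fqdn" }
if (-not $root) { throw "Server certificate for $fqdn is not in LocalMachine\Root" }

# Steps 1-6 of "Client Connection": SSTP only, MS-CHAP v2 only, encryption required.
Add-VpnConnection -Name $connName -ServerAddress $fqdn -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -Force

# Step 7: connect with the VM's credentials (placeholders), then step 9: the
# public address seen by the internet should now belong to the Azure datacenter.
$user = "<vm username>"; $pass = "<vm password>"
rasdial $connName $user $pass
(Invoke-WebRequest -UseBasicParsing "https://api.ipify.org").Content   # any "what is my IP" site works
```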

———- SSL Certificate
To avoid installing a self-signed certificate into the trusted store (or for devices whose trusted store is locked), do the following:
1. Open the IIS Manager on the server
2. Click on the server, then on “Server Certificates”
3. Click on “Create Certificate Request” (Certificate Signing Request, CSR)
4. Enter <…>.cloudapp.net as the “Common name”, fill the rest and export as text file
5. Buy an SSL certificate using the CSR (cheap SSL certificates start at around $5/year)
6. Once the SSL authority issues the certificate:
a) Install to the server’s and client’s “Local Machine” personal store as described above, skipping the step to copy/move it to the trusted store
b) Select the same certificate in the RRAS tool, on the Security tab

———- L2TP over IPsec
1. On the Azure Portal, add the following endpoints:
a) L2TP UDP: 1701
b) IPsec UDP: 500
c) IKEv2 UDP: 4500
2. On the Server, open the “Windows Firewall with Advanced Security”, create a rule called IKEv2 and allow inbound traffic to UDP port 4500 (otherwise the connection will fail with error 809)
3. Using the RRAS tool, right-click on the server and then on Properties -> Security
4. Check “Allow custom IPsec policy for L2TP/IKEv2 connection” and enter a preshared key
5. On the client, right-click on new VPN connection, then show properties
6. Click on Security, then on “Advanced settings”, and enter the same preshared key
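Steps 2, 5 and 6 of this section can be scripted as well. This is an added example, not part of the original post; the server part creates the inbound UDP rules for the three endpoints added in step 1 (the page only requires 4500, the other two are added for the case where the firewall is not already permitting them), the preshared key is still set on the RRAS Security tab as in step 4, and the FQDN is a placeholder.

```powershell
# Added example (not from the original post). Server side: inbound UDP rules
# for L2TP/IPsec. Client side: L2TP connection using the same preshared key.

# --- Server (elevated) ---
$rules = @{ "L2TP" = 1701; "IPsec IKE" = 500; "IKEv2" = 4500 }
foreach ($name in $rules.Keys) {
    # Idempotent: only create a rule that is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
            -LocalPort $rules[$name] -Action Allow | Out-Null
    }
}
# Confirm UDP 4500 is open; without it the client fails with error 809.
Get-NetFirewallRule -DisplayName "IKEv2" | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# --- Client (elevated) ---
$fqdn = "<...>.cloudapp.net"          # placeholder: the VM's DNS name
$psk  = Read-Host -Prompt "Preshared key (same as on the RRAS Security tab)"
Add-VpnConnection -Name "Azure L2TP" -ServerAddress $fqdn -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -Force
```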

For help, see Troubleshooting common VPN related errors.

DISCLAIMER: This solution is provided “AS IS,” without any warranty or representation of any kind. Please note that, as of June 2014, this solution is not yet officially supported by Microsoft.

Comments (37)

  1. Connect private network to public network with NAT; it works fine now, thanks.

  2. Great thanks!

    Is it possible to get L2TP or PPTP working as well?

    I need to connect with OS X which does not support SSTP.

  3. Luis Cantero says:

    For PPTP, endpoints for TCP 1723 and protocol 47 GRE are required; only TCP and UDP endpoints are currently supported. I have updated the article with information on how to add L2TP over IPsec support.

  4. Luis Cantero says:

    @JohannesRu: After closing the Security properties dialog, under the server node, there is a node called IPv4. Expand it and then right-click on NAT and follow the rest of the instructions.

    The public interface is called "Ethernet 2", but it might also be called "Ethernet 3", depending on some circumstances (the other interface is called Internal, but we need the external one).

    Yes, this is the reason why you cannot access the internet, you need to enable Network Address Translation.

  5. Sorry, made a stupid mistake in the beginning. Got it to work now. Thanks a lot 🙂

  6. Luis Cantero says:

    @Shoukat: One thing to try is to connect from other machines on other networks. Some routers block certain protocols and/or ports and may result in the error that you are getting. So maybe your configuration is already correct and your router is blocking you.

    @Petriaev: What error are you getting? Please also try other machines on other networks.

  7. I figured it out, I missed the Routing role when I configured roles following another article.

    Thanks for your share. I can use VPN to access Internet now.

  8. Anonymous says:

    After many days, I finally figured it out.

    The problem was that you also have to open port 443 for TCP.

    Anyway, now my VPN is connecting but I can't access the internet through the VPN.

    Can you tell me what I am doing wrong?

  9. One more question,

    I added port 1701, 500 and 4500 in Azure portal and I have shut down firewall of VM. Why my iPad mini can access VPN through L2TP, but my laptop (Windows 8.1 Preview) can not? Always get error 809.

    Could you please help me?

  10. Luis Cantero says:

    @ShoukaT: Please check that you enabled NAT as explained under "Server RRAS".

    @K.F.Storm: Are both devices on the same network? I can connect using a Surface RT with Win 8.1 just fine, so it should work. Check that no routers or other hardware are blocking the needed ports and protocols.

  11. Anonymous says:

    I can successfully connect using SSTP on Windows 8.1 Preview but cannot on either iPhone or Windows 8.1 Preview using L2TP. I got 809 on Windows 8.1 Preview. I did open the three ports and add the firewall rule. What am I missing? Or maybe the way I did the above is wrong?

  12. Anonymous says:

    Hi, Luis. First of all, thanks for the awesome tutorial.

    I need to create a VPN server which allows multiple users to log in at the same time. Is Windows Azure VPN a suitable approach?

    Can I create different login accounts for all the VPN users in Windows Azure?

    Thank you for the information.

  13. Luis Cantero says:

    Hi Ck, I'm glad you like it 🙂

    First of all, with Azure you can do anything. The only question is, how much do you have to do manually and for what things can you use existing MS or 3rd Party products/features.

    In this setup, the logins are managed by Windows, so you could manually create user accounts as you would normally do and give them remote access rights (see step regarding Network Access Permission). This would be feasible if you only have a bunch of users.

    If you want to create a commercial VPN provider, you would need a frontend from which users can create accounts and select a VPN server machine, the application should also be able to create or shutdown VMs depending on the demand to keep your costs to a minimum. There are some commercial products that do that, but you would need to do a little research to see if there is an existing product specifically for Azure. If you don’t find one, you may have to have it created. Azure can be fully controlled through PowerShell commands, so it is something that can definitely be done.

  14. Anonymous says:

    Fantastic tutorial. Easy to read, implement, and it works on all PCs.

    Can't get it working on iPhone just yet, but will keep trying.

    Thanks!

  15. Anonymous says:

    I have configured RRAS with the same configuration but without NAT because I don't want to use internet from Azure's network. I have my DC on Azure cloud. With these configurations I am unable to get my DNS queries resolved. I have manually added a route to my route tables. I can get ping from Azure infra servers but DNS queries are still an issue. Any clue?

  16. Anonymous says:

    Add the IP and hostname in the local hosts file.

  17. Anonymous says:

    I've got up to the part where you login to the VPN on the VM (3rd last step) – as soon as I did this I lost connection to the Remote Desktop and can't reconnect now.

    What have I done wrong?

  18. Anonymous says:

    Didn't notice that was for client connection, oops. 🙂

  19. Anonymous says:

    I only have a Mac, iPad and iPhone so I haven't tested SSTP but I can't connect via L2TP IPSec, any ideas?

  20. Anonymous says:

    OK, I have a problem. I did everything as the guide said, but I just can't connect; if I try with the socket it says it times out, if I try with L2 I get error 789. Can anyone help me?

  21. Petriaev Viacheslav says:

    When the VM restarts, the VPN stops working.

    9. Expand the IPv4 node, then right-click on NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2")

    I can't see the interface after restart.

    One problem – Azure restarts the VM during maintenance work.

  22. Luis Cantero says:

    @Petriaev:

    – In the RRAS console, right-click on your server, then on "Disable RRAS".

    – Repeat the steps under "Server RRAS".

  23. Anonymous says:

    Hi.

    It is now possible to get multiple NICs on Azure. Would that enhance performance in your test scenario?

    azure.microsoft.com/…/multiple-vm-nics-and-network-virtual-appliances-in-azure

    Br, Martin.

  24. Anonymous says:

    Hi Luis,

    After I followed your tutorial here, I got the error 0x80072746 on the client when trying to connect to the VPN server. I tried to google it but found no helpful solution.

    Do you have any idea what I can do to solve this error ?

    Thanks.

  25. Anonymous says:

    Hi Luis,

    I'm stuck on this part (when configuring RRAS on the server):

    3. Choose "Custom configuration", select "VPN access" and NAT

    The VM needed a second NIC. But my Azure machine has only one NIC… How can I solve this?

    Thanks

  26. Anonymous says:

    This step-by-step is from 2013. At that point, an Azure VM had just 1 NIC (the multi-NIC feature is from 2014 and is intended for virtual appliances).

    How do you select the second NIC as the External NIC ?

  27. Anonymous says:

    Hi, thanks for sharing! I ran through the steps to set up the SSTP VPN, but when I connect to the VPN I get an error: Error 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. I checked the MMC Console, under Certificates > Trusted Root Certificate Authorities, that my certificate is installed and visible in that list. So that seems to work when installing the Client Certificate while in remote desktop. Am I supposed to install this certificate on all computers that will use this VPN? One difference I noticed when following the step to add "New Interface": I only see one option, "Ethernet", but it doesn't say "Ethernet 2". Any other tips to fix this problem? Thanks.

  28. Anonymous says:

    For SSTP, you need to install the certificate on the computer account, not on the user account.

  29. Anonymous says:

    On Azure Virtual Machine, L2TP does not work. Could you please tell me how to fix it?

    Thank you!

  30. Luis Cantero says:

    @Ck: According to the page "Troubleshooting common VPN related errors" that I linked above, it could be that the "certificate is not installed on the VPN server".

    @Lisa: If you want to use the free, self-certificate, then yes, you need to install it on every client. Otherwise you can use a paid certificate, see my notes under "SSL Certificate" above. It could be "Ethernet", "Ethernet 2", 3, 4 and so on. The number will increase if for some reason the VPN stops working and you disable and re-enable RRAS to fix it (see steps under "Server RRAS").

  31. Robert says:

    The NIC changing the MAC address and name after each reboot makes Azure not suitable for a production RRAS setup. Is it possible to automatically update the RRAS configuration via a script each time the NIC changes?

  32. Leo says:

    Great post, thank you

  33. Dave says:

    As Robert mentioned, the interface changes after a reboot and therefore so do the NAT settings. This means RRAS needs to be reconfigured every time – is there a workaround for this?

  34. Shane says:

    Hi, my certificate is installed on the client machine but I still receive 0x800B0109. Any ideas?

  35. James says:

    Hi there –

    Nice tutorial!

    I'm trying to set up RRAS on a Windows Server 2012 R2 server in Azure to support inbound VPN connections from internet machines using SSTP.

    I've setup the RRAS service, and am able to successfully VPN into the host from a guest machine, and can establish connectivity to the RRAS server using ICMP etc. However, I cannot connect to any other VMs in the same subnet as the RRAS server… no matter what I do. My connection is just limited to the RRAS machine.

    My environment is as follows

       RRAS server – single interface.

       IP address of 10.50.0.12

       Configured as a VPN service (SSTP with public wildcard certificate)

       RRAS configured with a static address pool of 172.16.10.10 – 172.16.10.254

    I have configured a static route on another server in tenant (10.50.0.11) that points all traffic to the static address pool via the RRAS server (route add 172.16.10.0 mask 255.255.255.0 10.50.0.12 -p)

    I can successfully connect from my client machine, establish the connection and ping the RRAS server on 10.50.0.12.

    However, I cannot ping anything else, including the secondary VM that I put the static route on (10.50.0.11). I've tried disabling the Windows firewall on all machines… no difference.

    I don't have NAT configured as I don't want my client PCs to use the Azure VPN connection as their default internet route.

    Can you point me in the right direction as to what might be wrong?

    Regards, James.

  36. Qiang says:

    @Luis, I configured RRAS on Azure following the steps. I succeeded with the SSTP connection, however L2TP doesn't work on the same Windows 10 client. UDP ports 500, 4500 and 1701 are opened both on the VM endpoint and the host firewall. What's the possible reason and how do I diagnose it?

  37. Kai Yang says:

    Hi everybody,

    I’ve created some scripts to deploy a VM (with NSG rules) and/or configure the VPN for you, so you don’t need to go through these steps manually, which we often make mistakes on. Optionally, I created scripts to install an SSH server too. Enjoy!

    https://github.com/kfstorm/AzureVpnSshScripts