Like a proper VPN Connection, routes should be added as needed when the connection is established and they need to be removed when the connection is ended or disconnected.
It’s a one-time thing, it has to be registered somewhere right? But the second problem with this solution, and one that prevented me from trying to figure out how to get rid of the first one, is that you need to add routes to tell your machine where to route packets if they are meant to go to the Azure Virtual Network using the VPN Gateway.Ī normal user does not have enough rights to do this, and besides, I don’t want them to be static. I have two issues with this solution though.įirst one is a pesky (one-time) certificate warning.įor which a workaround could probably be found. Looking around my favorite wiki () to look for solutions other people have come up with, I found this excellent article which got me started.
So how to install the connection in the user context, or how to install the connection machine wide, and of course, I want it to be unattended. Spoiler-alert: even running it as System, using psexec, it will not install machine-wide. It shows up for the administrator I am logged on with, so it will also not show up for a normal user. So the installation of the VPN Client package is not a machine-wide installer, when using an administrative account. Now logging back in with the normal user, without administrative permissions: So no pesky SmartScreen popup for administrators.
Logging on with an administrator and running the same setup again: Let’s see if it installs machine-wide using an administrator account. Need elevated administrator access to install this. Ignoring that for now, click “More info” and click “Run anyway”. Unsigned, meaning crappy user experience. Installing the package in the user context: Let’s check the obvious choice, the 圆4 client package.
Examine the xml file, it will tell you all sort of configuration stuff for the VPN Client:įrom this we can get the actual VPN Gateway address, the type, which is SSTP, the routes that are needed, and the authentication method that is needed.Ĭreating a PKI, and getting the right certificates installed is out of scope of this post. The Generic client simply shows an xml file and the Gateway certificate.
The download is a zip file, which once extracted, shows 3 client options:Ī “Generic” “Client”, a 圆4 client package, and a x86 client package. That is why it takes a little while before your download starts. I specifically say “your” because this package is tailored for this VPN Gateway, and this VPN Gateway only. You can download your VPN client package in the Point-to-site configuration blade for your VPN Gateway.
So I started some research on how to effectively deploy and manage the VPN client (on Windows 10) when using the Azure VPN Gateway Basic Sku.įor reference, this is the setup for my VPN infrastructure, showing the managed Windows 10 client on which I want to deploy the P2S VPN connection:įirst, let’s have a look at why I don’t like the out of the box VPN client options. (Classic, but shows the basic implementation). You can find more info and instructions in some of my other posts: The out of the box solution and how to get there is not in scope of this post. The only thing I don’t like about the Basic Sku is the P2S Client options you get out of the box when you deploy the solution. In short, Basic Sku seems like the perfect solution for small businesses and especially for home Labs. Basic Sku is by far the cheapest solution. This table is taken from and it shows pricing in Euros for West Europe. Again, more than enough for small businesses. A maximum of 10 S2S tunnels, which means you can connect 10 sites to the Virtual Network holding the VPN Gateway deployment. BGP not supported, which means you need to take care of routing tables yourself. SSTP only, 128 (simultaneous) connections. The table goes on and on, but I just wanted to show the Basic Sku’s properties. This table is taken from and it shows the limitations of the Basic Sku.
If you check the notes on the Azure VPN Basic Sku P2S solution: