Create windows P2S VPN using powershell

  • Question

  • Hi ,

    I want to create a Windows VPN using PowerShell. I want to accomplish the following things.

    Create a single script which 

    1. automatically imports a client certificate which is stored in an Azure blob container

    2. creates a Windows VPN with the above imported client certificate as the authentication method.

    3. connects to the VPN (using rasdial with the client certificate)

    4. adds the DNS connection suffix, DNS server and specific routes to accomplish split tunneling.

    I have done some work in terms of points 2) and 4). Can someone please help me with points 1) and 3)?

    How can this be achieved?

    My script: 

     # EAP-TLS: authenticate with a user certificate and validate the gateway's server certificate
     $D = New-EapConfiguration -Tls -VerifyServerIdentity -UserCertificate
     # Machine-wide entry, EAP auth using the configuration above, split tunneling on, return the object
     Add-VpnConnection -Name "temp2" -ServerAddress "azuregateway-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.vpn.azure.com" -TunnelType Automatic -SplitTunneling -AllUserConnection -AuthenticationMethod Eap -EapConfigXmlStream $D.EapConfigXmlStream -PassThru

    Monday, September 16, 2019 3:48 PM
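    Points 1, 2 and 4 of the question as one script, added here as an example; it is not code from the original post. It uses the Az.Storage cmdlets, downloads a PFX rather than a .cer (the client side needs the private key to do EAP-TLS), imports it into Cert:\CurrentUser\My, and creates a per-user entry instead of an -AllUserConnection one so the entry and the certificate store belong to the same Windows user. The storage account, container, blob name, SAS token, DNS suffix and route prefixes are assumed placeholders; the gateway address is the one from the post. Connecting (point 3) is rasdial against the resulting entry and is not part of this script.

```powershell
#Requires -Modules Az.Storage, PKI, VpnClient
# Added example (not from the original post): provision an Azure P2S entry with
# EAP-TLS user-certificate authentication. Defaults marked "assumed" are placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$SasToken,              # read-only SAS scoped to the certificate blob
    [Parameter(Mandatory)][SecureString]$PfxPassword,     # password protecting the PFX private key
    [string]$StorageAccountName = 'examplestorage',       # assumed
    [string]$ContainerName      = 'certs',                # assumed
    [string]$BlobName           = 'client.pfx',           # assumed: PFX, because the private key is needed
    [string]$VpnName            = 'temp2',
    [string]$ServerAddress      = 'azuregateway-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.vpn.azure.com',
    [string]$DnsSuffix          = 'corp.example',         # assumed
    [string[]]$Routes           = @('10.0.0.0/16', '10.1.0.0/24')   # assumed split-tunnel prefixes
)
$ErrorActionPreference = 'Stop'

# Point 1: download the client certificate. A blob-scoped read-only SAS is used instead of the
# storage account key, so the script never holds a credential for the whole account.
$ctx     = New-AzStorageContext -StorageAccountName $StorageAccountName -SasToken $SasToken
$workDir = Join-Path $env:TEMP 'p2s-import'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$pfxPath = Join-Path $workDir $BlobName
Get-AzStorageBlobContent -Blob $BlobName -Container $ContainerName -Destination $pfxPath -Context $ctx -Force | Out-Null

# Import into the current user's personal store (the store EAP-TLS user-certificate auth
# searches), then delete the PFX so the private key is not left lying on disk.
try {
    $clientCert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPassword
} finally {
    Remove-Item -Path $pfxPath -Force -ErrorAction SilentlyContinue
}
if (-not $clientCert.HasPrivateKey) {
    throw "Certificate $($clientCert.Thumbprint) was imported without a private key"
}
Write-Verbose "Imported client certificate $($clientCert.Subject) ($($clientCert.Thumbprint))"

# Point 2: EAP-TLS with a user certificate, validating the gateway's server certificate.
$eap = New-EapConfiguration -Tls -VerifyServerIdentity -UserCertificate

# Recreate the entry so repeated runs converge on the same configuration.
if (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $VpnName -Force
}
Add-VpnConnection -Name $VpnName -ServerAddress $ServerAddress -TunnelType Automatic `
    -AuthenticationMethod Eap -EapConfigXmlStream $eap.EapConfigXmlStream `
    -SplitTunneling -DnsSuffix $DnsSuffix -RememberCredential

# Point 4: with -SplitTunneling no default route goes through the tunnel, so every prefix
# that must be reached over the VPN is added explicitly.
foreach ($prefix in $Routes) {
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $prefix
}

Get-VpnConnection -Name $VpnName |
    Format-List Name, ServerAddress, AuthenticationMethod, SplitTunneling, DnsSuffix
```

    Run it as the user who will dial the entry, and pass -SasToken and -PfxPassword on the command line (or from a secret store) rather than hard-coding them. The DNS server for the tunnel is set after the connection is up, on the VPN interface, so it is not part of this provisioning step.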

All replies

  • Hi, 

    For the first step, you need to download the cert locally to the workstation where you are running the script and then execute the below PS commands:

    # Registers the root certificate's public data with the virtual network gateway
    $P2SRootCertName = "P2SRootCert.cer"
    $filePathForCert = "C:\cert\P2SRootCert.cer"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
    # Public portion only (RawData), base64-encoded as the gateway expects
    $CertBase64 = [System.Convert]::ToBase64String($cert.RawData)
    # Local object; the Add-* call below is what actually adds the certificate to the gateway
    $p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname "VNet1GW" -ResourceGroupName "TestRG" -PublicCertData $CertBase64


    To download the cert from blob, you can download the file using below commands:

    # Azure.Storage-module cmdlets (Az equivalents: New-AzStorageContext / Get-AzStorageBlobContent);
    # $StorageAccountName, $StorageAccountKey and $ContainerName must be set beforehand
    $ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey
    $localTargetDirectory = "D:\cert\file"   # destination folder for the downloaded blob

    $BlobName = "client.cer"
    Get-AzureStorageBlobContent -Blob $BlobName -Container $ContainerName -Destination $localTargetDirectory -Context $ctx

    You can connect to P2S using RASdial:

    rasdial "Your VPN name" /phonebook:"%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Cm\Your-VPN\Your-VPN.pbk"

    Reference: https://stackoverflow.com/questions/17524710/azure-virtual-network-point-to-site-ex-azure-connect-autoconnect

    Let me know if you have any further questions. 

    Regards, 

    Msrini

    Tuesday, September 17, 2019 6:29 AM
    Moderator
  • after creating VPN , I didn't find any phonebook entry for it. 

    and I get below error when I tried initiating rasdial connection to it. 

    rasdial temp2 %userprofile%\AppData\Roaming\Microsoft\Network\Connections\pbk\_hiidenpbk\rasphone.pbk

    Remote Access error 703 - The connection needs information from you, but the application does not allow user interaction.

    For more help on this error:
            Type 'hh netcfg.chm'
            In help, click Troubleshooting, then Error Messages, then 703


    Tuesday, September 17, 2019 2:58 PM
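    Point 3 of the question (dialling with rasdial, no username or password, the user certificate doing the authentication) plus the DNS-server part of point 4, added here as an example; it is not code from the thread. It assumes an entry named temp2 created as in the question, and the DNS server address is a placeholder. Entries created with -AllUserConnection are written to the machine phonebook at %ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk; entries created without it go to the same relative path under %AppData%, so looking in the wrong one shows no entry at all. The script picks the phonebook that matches how the entry was created, confirms the entry exists, passes the file to rasdial explicitly, and checks rasdial's exit code.

```powershell
# Added example (not from the original thread): dial a certificate-authenticated P2S entry
# with rasdial, check the result, and set the DNS server on the VPN interface afterwards.
[CmdletBinding()]
param(
    [string]$VpnName   = 'temp2',
    [switch]$AllUser,                  # set if the entry was created with -AllUserConnection
    [string]$DnsServer = '10.0.0.4'    # assumed: resolver reachable through the tunnel
)
$ErrorActionPreference = 'Stop'

# -AllUserConnection writes to the machine phonebook under ProgramData; without it the
# entry is in the calling user's roaming AppData.
$pbkRoot = if ($AllUser) { $env:ProgramData } else { $env:APPDATA }
$pbk     = Join-Path $pbkRoot 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (-not (Test-Path -LiteralPath $pbk)) { throw "Phonebook not found: $pbk" }

# rasphone.pbk is INI-style, one [section] per entry; fail early if the entry is not there.
if (-not (Select-String -LiteralPath $pbk -SimpleMatch -Pattern "[$VpnName]" -Quiet)) {
    throw "No entry [$VpnName] in $pbk (was it created with a different -AllUserConnection setting?)"
}

# Dial. With EAP-TLS user-certificate auth nothing is passed as username or password; the
# certificate in Cert:\CurrentUser\My is used. rasdial exits 0 on success; otherwise its
# exit code is the RAS error number (e.g. 691 bad credentials, 703 needs interactive input).
& rasdial.exe $VpnName "/phonebook:$pbk"
$rc = $LASTEXITCODE
if ($rc -eq 703) {
    # The entry still needs something rasdial cannot prompt for, for example which
    # certificate to present. Dialling once interactively lets the user supply it:
    #   rasphone -f "<phonebook>" -d "<entry>"
    throw "rasdial returned 703 for $VpnName; dial once interactively: rasphone -f `"$pbk`" -d `"$VpnName`""
}
if ($rc -ne 0) { throw "rasdial failed for $VpnName with RAS error $rc" }

# The RAS adapter is named after the entry. Set the DNS server on that interface only, so the
# physical NIC's resolvers stay as they are and only the tunnel interface uses the VPN resolver.
$vpnIf = Get-NetIPInterface -InterfaceAlias $VpnName -AddressFamily IPv4
Set-DnsClientServerAddress -InterfaceIndex $vpnIf.ifIndex -ServerAddresses $DnsServer
Get-DnsClientServerAddress -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```

    Run it as the user whose store holds the client certificate; use -AllUser only if the entry was made with -AllUserConnection, otherwise the phonebook check fails before rasdial is ever called. The DNS suffix itself is already on the entry (Add-VpnConnection -DnsSuffix), so only the server address is set here.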
  • Can you try the solution as per the below blog ?

    https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/

    Disclaimer: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet

    Regards, 

    Msrini

    Tuesday, September 17, 2019 4:30 PM
    Moderator
  • This uses rasdial with a username and password.

    In my case, I wanted it to be automatically picked up by user certificate imported on the laptop. 

    Is there any way to achieve it?

    Wednesday, September 18, 2019 12:09 PM
  • I am not aware of other ways to achieve this ask. 

    You can use the rasdial as an alternative if that fits your requirement. 

    Regards, 

    Msrini

     
    Wednesday, September 18, 2019 12:35 PM
    Moderator