Configure an OpenVPN client for Azure Virtual WAN

This article helps you configure OpenVPN ® Protocol clients. You can also use the Azure VPN Client to connect via OpenVPN protocol. For more information, see Configure a VPN client for P2S OpenVPN connections.

Before you begin

Create a User VPN (point-to-site) configuration. Make sure that you select "OpenVPN" for tunnel type. For steps, see Create a P2S configuration for Azure Virtual WAN.

Windows clients

  1. Download and install the OpenVPN client (version 2.4 or higher) from the official OpenVPN website.

  2. Locate the VPN client profile configuration package that you generated and downloaded to your computer. Extract the package. Go to the OpenVPN folder and open the vpnconfig.ovpn configuration file using Notepad.

  3. Next, locate the child certificate you created. If you don't have the certificate, use one of the following links for steps to export the certificate. You'll use the certificate information in the next step.

  4. From the child certificate, extract the private key and the base64 thumbprint from the .pfx. There are multiple ways to do this. Using OpenSSL on your computer is one way. The profileinfo.txt file contains the private key and the thumbprint for the CA and the Client certificate. Be sure to use the thumbprint of the client certificate.

    openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"
    
  5. Switch to the vpnconfig.ovpn file you opened in Notepad. Fill in the section between <cert> and </cert>, getting the values for $CLIENT_CERTIFICATE, $INTERMEDIATE_CERTIFICATE, and $ROOT_CERTIFICATE as shown in the following example.

       # P2S client certificate
       # please fill this field with a PEM formatted cert
       <cert>
       $CLIENT_CERTIFICATE
       $INTERMEDIATE_CERTIFICATE (optional)
       $ROOT_CERTIFICATE
       </cert>
    
    • Open profileinfo.txt from the previous step in Notepad. You can identify each certificate by looking at the subject= line. For example, if your child certificate is called P2SChildCert, your client certificate will be after the subject=CN = P2SChildCert attribute.
    • For each certificate in the chain, copy the text (including and between) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    • Only include an $INTERMEDIATE_CERTIFICATE value if you have an intermediate certificate in your profileinfo.txt file.
  6. Open the profileinfo.txt in Notepad. To get the private key, select the text (including and between) "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and copy it.

  7. Go back to the vpnconfig.ovpn file in Notepad and find this section. Paste the private key replacing everything between and <key> and </key>.

    # P2S client root certificate private key
    # please fill this field with a PEM formatted key
    <key>
    $PRIVATEKEY
    </key>
    
  8. If you're using the 2.6 version of the OpenVPN client, add the "disable-dco" option to the profile. This option doesn't seem to be backward compatible with previous versions, so it should only be added to OpenVPN client version 2.6.

  9. Don't change any other fields. Use the filled in configuration in client input to connect to the VPN.

  10. Copy the vpnconfig.ovpn file to C:\Program Files\OpenVPN\config folder.

  11. Right-click the OpenVPN icon in the system tray and click Connect.

macOS clients

Important

Only MacOS 10.13 and above is supported with OpenVPN protocol.

Note

OpenVPN Client version 2.6 is not yet supported.

  1. Download and install an OpenVPN client, such as TunnelBlick.

  2. If you haven't already done so, download the VPN client profile package from the Azure portal.

  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in a text editor.

  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can open the .cer file and copy over the base64 key between the certificate headers.

  5. Fill in the private key section with the P2S client certificate private key in base64. See Export your private key on the OpenVPN site for information about how to extract a private key.

  6. Don't change any other fields. Use the filled in configuration in client input to connect to the VPN.

  7. Double-click the profile file to create the profile in Tunnelblick.

  8. Launch Tunnelblick from the applications folder.

  9. Click on the Tunnelblick icon in the system tray and pick connect.

Linux clients

Note

OpenVPN Client version 2.6 is not yet supported.

  1. Open a new Terminal session. You can open a new session by pressing 'Ctrl + Alt + t' at the same time.

  2. Enter the following command to install needed components:

    sudo apt-get install openvpn
    sudo apt-get -y install network-manager-openvpn
    sudo service network-manager restart
    
  3. Download the VPN profile for the gateway. This can be done from the Point-to-site configuration tab in the Azure portal.

  4. Export the P2S client certificate you created and uploaded to your P2S configuration on the gateway. See Virtual WAN point-to-site for instructions.

  5. Extract the private key and the base64 thumbprint from the .pfx. There are multiple ways to do this. Using OpenSSL on your computer is one way.

    openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"
    

    The profileinfo.txt file will contain the private key and the thumbprint for the CA, and the Client certificate. Be sure to use the thumbprint of the client certificate.

  6. Open profileinfo.txt in a text editor. To get the thumbprint of the client (child) certificate, select the text including and between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for the child certificate and copy it. You can identify the child certificate by looking at the subject=/ line.

  7. Open the vpnconfig.ovpn file and find the section shown below. Replace everything between "cert" and "/cert".

    # P2S client certificate
    # please fill this field with a PEM formatted cert
    <cert>
    $CLIENTCERTIFICATE
    </cert>
    
  8. Open the profileinfo.txt in a text editor. To get the private key, select the text including and between "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and copy it.

  9. Open the vpnconfig.ovpn file in a text editor and find this section. Paste the private key replacing everything between "key" and "/key".

    # P2S client root certificate private key
    # please fill this field with a PEM formatted key
    <key>
    $PRIVATEKEY
    </key>
    
  10. Don't change any other fields. Use the filled in configuration in client input to connect to the VPN.

  11. To connect using the command line, type the following command:

    sudo openvpn --config <name and path of your VPN profile file>&
    
  12. To connect using the GUI, go to system settings.

  13. Click + to add a new VPN connection.

  14. Under Add VPN, pick Import from file….

  15. Browse to the profile file and double-click or pick Open.

  16. Click Add on the Add VPN window.

    Screenshot shows Import from file on the Add VPN page.

  17. You can connect by turning the VPN ON on the Network Settings page, or under the network icon in the system tray.

Next steps

For more information about User VPN (point-to-site), see Create User VPN connections.

"OpenVPN" is a trademark of OpenVPN Inc.