Azure VPN Client - configure optional DNS and routing settings
This article helps you configure optional settings for the Azure VPN Client for VPN Gateway point-to-site (P2S) connections. You can configure DNS suffixes, custom DNS servers, custom routes, and VPN client-side forced tunneling.
Note
The Azure VPN Client is only supported for OpenVPN® protocol connections.
Prerequisites
The steps in this article assume that you have configured your P2S gateway and have downloaded the Azure VPN Client to connecting client computers. For steps, see the following articles:
Working with VPN client profile configuration files
The steps in this article require you to modify and import the Azure VPN Client profile configuration file. The following profile configuration files are generated, depending on the authentication types configured for your P2S VPN gateway.
- azurevpnconfig.xml: This file is generated when only one authentication type is selected.
- azurevpnconfig_aad.xml: This file is generated for Microsoft Entra ID authentication when there are multiple authentication types selected.
- azurevpnconfig_cert.xml: This file is generated for Certificate authentication when there are multiple authentication types selected.
To work with VPN client profile configuration files (xml files), use the following steps:
Locate the profile configuration file and open it using the editor of your choice.
Using the examples in the following sections, modify the file as necessary, then save your changes.
Import the file to configure the Azure VPN client. You can import the file for the Azure VPN Client using these methods:
Azure VPN Client interface: Open the Azure VPN Client and click + and then Import. Locate the modified .xml file, configure any additional settings in the Azure VPN Client interface (if necessary), then click Save.
Command-line prompt: Place the appropriate downloaded configuration XML file in the %userprofile%\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState folder, then run the command that corresponds to the configuration file name. For example, azurevpn -i azurevpnconfig_aad.xml. To force the import, use the -f switch.
DNS
Add DNS suffixes
To add DNS suffixes, modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix></dnssuffix></dnssuffixes> tags.
<azvpnprofile>
<clientconfig>
<dnssuffixes>
<dnssuffix>.mycorp.com</dnssuffix>
<dnssuffix>.xyz.com</dnssuffix>
<dnssuffix>.etc.net</dnssuffix>
</dnssuffixes>
</clientconfig>
</azvpnprofile>
Add custom DNS servers
To add custom DNS servers, modify the downloaded profile XML file and add the <dnsservers><dnsserver></dnsserver></dnsservers> tags.
<azvpnprofile>
<clientconfig>
<dnsservers>
<dnsserver>x.x.x.x</dnsserver>
<dnsserver>y.y.y.y</dnsserver>
</dnsservers>
</clientconfig>
</azvpnprofile>
Note
When using Microsoft Entra ID authentication, the Azure VPN Client uses DNS Name Resolution Policy Table (NRPT) entries, which means the DNS servers will not be listed in the output of ipconfig /all. To confirm your in-use DNS settings, consult Get-DnsClientNrptPolicy in PowerShell.
Routing
Split tunneling
Split tunneling is configured by default for the VPN client.
Forced tunneling
You can configure forced tunneling in order to direct all traffic to the VPN tunnel. Forced tunneling can be configured using two different methods; either by advertising custom routes, or by modifying the profile XML file. You can include 0/0 if you're using the Azure VPN Client version 2.1900:39.0 or higher.
Note
Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.
- Advertise custom routes: You can advertise the custom routes 0.0.0.0/1 and 128.0.0.0/1. For more information, see Advertise custom routes for P2S VPN clients.
- Profile XML: You can modify the downloaded profile XML file and add the <includeroutes><route><destination></destination><mask></mask></route></includeroutes> tags.
<azvpnprofile>
<clientconfig>
<includeroutes>
<route>
<destination>0.0.0.0</destination><mask>1</mask>
</route>
<route>
<destination>128.0.0.0</destination><mask>1</mask>
</route>
</includeroutes>
</clientconfig>
</azvpnprofile>
Note
- The default status for the clientconfig tag is <clientconfig i:nil="true" />, which can be modified based on the requirement.
Add custom routes
You can add custom routes. Modify the downloaded profile XML file and add the <includeroutes><route><destination></destination><mask></mask></route></includeroutes> tags.
<azvpnprofile>
<clientconfig>
<includeroutes>
<route>
<destination>x.x.x.x</destination><mask>24</mask>
</route>
<route>
<destination>y.y.y.y</destination><mask>24</mask>
</route>
</includeroutes>
</clientconfig>
</azvpnprofile>
Block (exclude) routes
The ability to completely block routes isn't supported by the Azure VPN Client, because the client doesn't support dropping routes from the local routing table. Instead, you can exclude routes from the VPN interface. Modify the downloaded profile XML file and add the <excluderoutes><route><destination></destination><mask></mask></route></excluderoutes> tags.
<azvpnprofile>
<clientconfig>
<excluderoutes>
<route>
<destination>x.x.x.x</destination><mask>24</mask>
</route>
<route>
<destination>y.y.y.y</destination><mask>24</mask>
</route>
</excluderoutes>
</clientconfig>
</azvpnprofile>
Note
- To include/exclude multiple destination routes, put each destination address under a separate route tag (as shown in the above examples), because multiple destination addresses in a single route tag won't work.
- If you encounter the error "Destination cannot be empty or have more than one entry inside route tag", check the profile XML file and ensure that the includeroutes/excluderoutes section has only one destination address inside a route tag.
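As an added example (not code from the Azure documentation or from the Azure VPN Client itself), the following Python builds the <clientconfig> section described in the DNS and routing sections above from a constructed minimal profile, replaces the <clientconfig i:nil="true" /> placeholder, and checks the one-destination-per-route rule behind the error message above. The element names, the forced-tunneling /1 routes and the sample suffix come from this page; SAMPLE_PROFILE, BAD_ROUTES and the addresses used in the test are constructed inputs.

```python
import xml.etree.ElementTree as ET

# Constructed minimal profile: a real azurevpnconfig.xml carries many more elements.
SAMPLE_PROFILE = """<azvpnprofile xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <clientconfig i:nil="true" />
</azvpnprofile>"""

# Constructed invalid profile: two destinations inside one <route> tag.
BAD_ROUTES = """<azvpnprofile><clientconfig><includeroutes><route>
<destination>10.1.0.0</destination><destination>10.2.0.0</destination><mask>16</mask>
</route></includeroutes></clientconfig></azvpnprofile>"""


def forced_tunnel_routes():
    """The two /1 halves the article uses to send all IPv4 traffic into the tunnel."""
    return [("0.0.0.0", 1), ("128.0.0.0", 1)]


def set_client_config(xml_text, include_routes=(), exclude_routes=(),
                      dns_servers=(), dns_suffixes=()):
    """Return the profile with a populated <clientconfig>; routes are (destination, mask)."""
    root = ET.fromstring(xml_text)
    old = root.find("clientconfig")
    if old is not None:            # drop the <clientconfig i:nil="true" /> placeholder
        root.remove(old)
    cfg = ET.SubElement(root, "clientconfig")
    for parent, child, values in (("dnssuffixes", "dnssuffix", dns_suffixes),
                                  ("dnsservers", "dnsserver", dns_servers)):
        if values:
            node = ET.SubElement(cfg, parent)
            for v in values:
                ET.SubElement(node, child).text = v
    for tag, routes in (("includeroutes", include_routes), ("excluderoutes", exclude_routes)):
        if routes:
            node = ET.SubElement(cfg, tag)
            for dest, mask in routes:   # one <route> per destination, as the client requires
                r = ET.SubElement(node, "route")
                ET.SubElement(r, "destination").text = dest
                ET.SubElement(r, "mask").text = str(mask)
    return ET.tostring(root, encoding="unicode")


def route_errors(xml_text):
    """Report every <route> that does not hold exactly one non-empty <destination>."""
    root = ET.fromstring(xml_text)
    errors = []
    for section in ("includeroutes", "excluderoutes"):
        for idx, route in enumerate(root.findall(f"clientconfig/{section}/route")):
            dests = [d.text for d in route.findall("destination") if d.text and d.text.strip()]
            if len(dests) != 1:
                errors.append(f"{section} route #{idx}: expected 1 destination, found {len(dests)}")
    return errors
```

Run route_errors on a profile before importing it with azurevpn -i to catch the malformed-route case locally instead of at import time.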
Azure VPN Client version information
For Azure VPN Client version information, see Azure VPN Client versions.
Next steps
For more information about P2S VPN, see the following articles: