Download Azure VPN Client for macOS 10.15 or later and enjoy it on your Mac. The Azure VPN Client lets you connect to Azure securely from anywhere in the world. It supports Azure Active Directory, certificate-based and RADIUS authentication.
When you connect to an Azure VNet using Point-to-Site and certificate authentication, you use the VPN client that is natively installed on the operating system from which you are connecting. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients for Windows, Mac IKEv2 VPN, or Linux.
The VPN client configuration files that you generate are specific to the P2S VPN gateway configuration for the virtual network. If there are any changes to the Point-to-Site VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect.
- For more information about Point-to-Site connections, see About Point-to-Site VPN.
- For OpenVPN instructions, see Configure OpenVPN for P2S and Configure OpenVPN clients.
Important
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
Generate VPN client configuration files
You can generate client configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file. Unzip the file to view the following folders:
- WindowsAmd64 and WindowsX86, which contain the Windows 64-bit and 32-bit installer packages, respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just AMD.
- Generic, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder is not present.
Generate files using the Azure portal
In the Azure portal, navigate to the virtual network gateway for the virtual network that you want to connect to.
On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.
At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software; it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you may not see any indications until the package has been generated.
Once the configuration package has been generated, your browser indicates that a client configuration zip file is available. It has the same name as your gateway. Unzip the file to view the folders.
Generate files using PowerShell
When generating VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:
Copy the URL to your browser to download the zip file, then unzip the file to view the folders.
Windows
You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the Point-to-Site section of the VPN Gateway FAQ.
Note
You must have Administrator rights on the Windows client computer from which you want to connect.
Install the configuration files
- Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
- Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.
Verify and connect
- Verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. To view the client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.
- To connect, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to.
Mac (macOS)
In order to connect to Azure, you must manually configure the native IKEv2 VPN client. Azure does not provide a mobileconfig file. You can find all of the information that you need for configuration in the Generic folder.
If you don't see the Generic folder in your download, it's likely that IKEv2 was not selected as a tunnel type. Note that the VPN gateway Basic SKU does not support IKEv2. On the VPN gateway, verify that the SKU is not Basic. Then, select IKEv2 and generate the zip file again to retrieve the Generic folder.
The Generic folder contains the following files:
- VpnSettings.xml, which contains important settings like server address and tunnel type.
- VpnServerRoot.cer, which contains the root certificate required to validate the Azure VPN Gateway during P2S connection setup.
Use the following steps to configure the native VPN client on Mac for certificate authentication. These steps must be completed on every Mac that you want to connect to Azure.
Import root certificate file
Copy the root certificate file to your Mac. Double-click the certificate. The certificate will either automatically install, or you will see the Add Certificates page.
On the Add Certificates page, select login from the dropdown.
Click Add to import the file.
Verify certificate install
Verify that both the client and the root certificate are installed. The client certificate is used for authentication and is required. For information about how to install a client certificate, see Install a client certificate.
Open the Keychain Access application.
Navigate to the Certificates tab.
Verify that both the client and the root certificate are installed.
Create VPN client profile
Navigate to System Preferences -> Network. On the Network page, select '+' to create a new VPN client connection profile for a P2S connection to the Azure virtual network.
For Interface, from the dropdown, select VPN.
For VPN Type, from the dropdown, select IKEv2. In the Service Name field, specify a friendly name for the profile.
Select Create to create the VPN client connection profile.
In the Generic folder, open the VpnSettings.xml file using a text editor, and copy the VpnServer tag value.
Paste the VpnServer tag value in both the Server Address and Remote ID fields of the profile.
Configure authentication settings. There are two sets of instructions. Choose the instructions that correspond to your OS version.
Catalina:
For Authentication Settings select None.
Select Certificate, click Select and select the correct client certificate that you installed earlier. Then, click OK.
Big Sur:
Click Authentication Settings, then select Certificate.
Click Select to open the Choose An Identity page. The Choose An Identity page displays a list of certificates for you to choose from. If you are unsure which certificate to use, you can click Show Certificate to see more information about each certificate.
Select the proper certificate, then select Continue.
On the Authentication Settings page, verify that the correct certificate is shown, then click OK.
For both Catalina and Big Sur, in the Local ID field, specify the name of the certificate. In this example, it is P2SChildCert.
Select Apply to save all changes.
Select Connect to start the P2S connection to the Azure virtual network.
Once the connection has been established, the status shows as Connected and you can view the IP address that was pulled from the VPN client address pool.
Linux (strongSwan GUI)
Install strongSwan
The following configuration was used for the steps below:
- Computer: Ubuntu Server 18.04
- Dependencies: strongSwan
Use the following commands to install the required strongSwan configuration:
Use the following command to install the Azure command-line interface:
Generate certificates
If you have not already generated certificates, use the following steps:
Generate the CA certificate.
Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.
Generate the user certificate.
Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.
Install and configure
The following instructions were created on Ubuntu 18.0.4. Ubuntu 16.0.10 does not support strongSwan GUI. If you want to use Ubuntu 16.0.10, you will have to use the command line. The examples below may not match screens that you see, depending on your version of Linux and strongSwan.
Open the Terminal to install strongSwan and its Network Manager by running the command in the example.
Select Settings, then select Network. Select the + button to create a new connection.
Select IPsec/IKEv2 (strongSwan) from the menu, and double-click.
On the Add VPN page, add a name for your VPN connection.
Open the VpnSettings.xml file from the Generic folder contained in the downloaded client configuration files. Find the tag called VpnServer and copy the name, beginning with 'azuregateway' and ending with '.cloudapp.net'.
Paste the name in the Address field of your new VPN connection in the Gateway section. Next, select the folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.
In the Client section of the connection, for Authentication, select Certificate/private key. For Certificate and Private key, choose the certificate and the private key that were created earlier. In Options, select Request an inner IP address. Then, select Add.
Turn the connection On.
Linux (strongSwan CLI)
Install strongSwan
The following configuration was used for the steps below:
- Computer: Ubuntu Server 18.04
- Dependencies: strongSwan
Use the following commands to install the required strongSwan configuration:
Use the following command to install the Azure command-line interface:
Generate certificates
If you have not already generated certificates, use the following steps:
Generate the CA certificate.
Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.
Generate the user certificate.
Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.
Install and configure
Download the VPNClient package from Azure portal.
Extract the file.
From the Generic folder, copy or move the VpnServerRoot.cer to /etc/ipsec.d/cacerts.
Copy or move client.p12 to /etc/ipsec.d/private/. This file is the client certificate for the VPN gateway.
Open the VpnSettings.xml file and copy the <VpnServer> value. You will use this value in the next step.
Adjust the values in the example below, then add the example to the /etc/ipsec.conf configuration.
Add the following values to /etc/ipsec.secrets.
Run the following commands:
Next steps
Return to the original article that you were working from, then complete your P2S configuration.
- PowerShell configuration steps.
- Azure portal configuration steps.
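The VpnServer value from VpnSettings.xml is copied by hand into the macOS Server Address and Remote ID fields, the strongSwan Address field, and /etc/ipsec.conf. As an added example (not part of the original article or of Microsoft's tooling), the following Python code reads that value and rejects anything that is not a single hostname of the shape described above. The sample XML, its root element name, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the root element name and the hostname are assumptions,
# not taken from a real gateway.
SAMPLE_VPNSETTINGS = """<?xml version="1.0"?>
<VpnProfile>
  <VpnServer>azuregateway-00000000-0000-0000-0000-000000000000-000000000000.cloudapp.net</VpnServer>
</VpnProfile>"""

# Shape the article describes: begins with 'azuregateway', ends with '.cloudapp.net'.
HOST_RE = re.compile(r"azuregateway[a-z0-9-]*(\.[a-z0-9-]+)*\.cloudapp\.net", re.I)


def read_vpn_server(xml_text):
    """Return the text of the single <VpnServer> element, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    values = [el.text or "" for el in root.iter()
              if el.tag.rsplit("}", 1)[-1] == "VpnServer"]
    if len(values) != 1:
        raise ValueError(f"expected one <VpnServer> element, found {len(values)}")
    return values[0]


def validated_server(value):
    """Return the lower-cased hostname, or raise if it is anything else."""
    # fullmatch on the raw value: embedded whitespace or a newline would otherwise
    # be carried into the profile field or become an extra line in ipsec.conf.
    if not HOST_RE.fullmatch(value):
        raise ValueError(f"unexpected VpnServer value: {value!r}")
    return value.lower()


def profile_fields(xml_text):
    """Values for the client profile; the same name is used for address and remote ID."""
    host = validated_server(read_vpn_server(xml_text))
    return {"server_address": host, "remote_id": host}


if __name__ == "__main__":
    for field, value in profile_fields(SAMPLE_VPNSETTINGS).items():
        print(f"{field}: {value}")
```

Using the same validated name for the server address and the remote ID keeps the identity the client expects from the gateway tied to the host it actually dials.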