[network-manager-sstp.wiki] Update Connect to Microsoft Azure VNetGateway



commit 38422447ffe679035a0dabc39d20e4efb6a776fc
Author: Eivind Næss <eivnaes yahoo com>
Date:   Mon Apr 11 04:26:31 2022 +0000

    Update Connect to Microsoft Azure VNetGateway

 Connect-to-Microsoft-Azure-VNetGateway.md | 48 +++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 12 deletions(-)
---
diff --git a/Connect-to-Microsoft-Azure-VNetGateway.md b/Connect-to-Microsoft-Azure-VNetGateway.md
index 3db6c5f..e12424c 100644
--- a/Connect-to-Microsoft-Azure-VNetGateway.md
+++ b/Connect-to-Microsoft-Azure-VNetGateway.md
@@ -2,7 +2,7 @@ You can connect to your Microsoft Azure VNET Gateway using network-manager-sstp
 
 ## Configure your Virtual Network Gateway
 
-Basically, you follow the documentation at Microsoft to configure your VNetGateway. 
+Basically, you follow the documentation at Microsoft to configure your VNetGateway.
 
 <https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal>
 
@@ -10,37 +10,61 @@ Setting up the certificates:
 
 <https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux>
 
-Export your CA certificate here:
-`openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo`
+Export your CA certificate here: `openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo`
 
 For the client certificates, skip the step in creating a PKCS12 envelope. The pppd doesn't currently support 
using PKCS12 certificates yet.
 
-You'll need to keep the .pem files for both user and key. 
+You'll need to keep the .pem files for both user and key.
 
 ## Configure your Linux Desktop
 
 ### Download the VPN Client
-On your Azure portal, view the details of your Virtual Network Gateway, then click "Point-to-Site 
Configuration". If this page is configured correctly, i.e. 
-- CA certificate, and 
+
+On your Azure portal, view the details of your Virtual Network Gateway, then click "Point-to-Site 
Configuration". If this page is configured correctly, i.e.
+
+- CA certificate, and
 - Address pool
 
 Then you should have a link at the top of this page that says "Download VPN Client". Click this link, and 
you'll download a VNetGway.zip.
 
 ### Extract Settings
-This file contains the details of your VPN connection. Unzip the archive into a folder on you computer. Open 
up the "Generic\VpnSettings.xml" file. 
+
+This file contains the details of your VPN connection. Unzip the archive into a folder on you computer. Open 
up the "Generic\\VpnSettings.xml" file.
 
 This XML contains these interesting details needed to configure your SSTP VPN on the GNOME desktop:
+
 - VpnServer: The fully qualified domain name of the Azure SSTP VPN server
 - Routes: needed for to reach your Azure resources
+- VpnClientAddressPool: The first address in this pool is your gateway
+
+### Configure your Connection
+
+Open up your Network Settings via the GNOME desktop. Under VPN, click the '+' icon. Select Secure Socket 
Tunneling Protocol (SSTP). This brings up the configuration page.
 
-### Configure your Network
-Open up your Network Settings via the GNOME desktop. Under VPN, click the '+' icon. Select Secure Socket 
Tunneling Protocol (SSTP). This brings up the configuration page. 
+![Screenshot_from_2022-04-10_20-56-29](uploads/0d1700fca24f8053cc9fe48cba2f8578/Screenshot_from_2022-04-10_20-56-29.png)
 
 Copy and paste the value from the VpnServer field in the XML document into the Gateway entry. Where it says 
Type: "Password", click and select "Certificate". This should change the layout of the dialog to let you 
enter the certificate details.
 
-For the "User certificate", select your .pem file previously generated for Certificate. For the "User 
private key", select the .pem file generated as the certificate key. If you didn't encrypt the private key, 
there is no need to supply a password for this. 
+For the "User certificate", select your .pem file previously generated for Certificate. For the "User 
private key", select the .pem file generated as the certificate key. If you didn't encrypt the private key, 
there is no need to supply a password for this.
+
+**Leave the CA certificate field blank!** The CA certificate you generated in order to sign the user 
certificate with is only need to validate the certificate the client presents to the server.
+
+Both the CA certificate for the EAP-TLS authentication session and the SSL connection to you Azure 
VNetGateway uses a certificate issued to Microsoft with DigiCert 
([www.digicert.com](http://www.digicert.com)) as the root CA. This certificate should be included in your 
list of root certificates in /etc/ssl/certs directory.
+
+### Configure your Virtual Network
+If you made it so far, congratulations. You are connected to your Azure VNET!
+
+#### IPv4 Settings
+You don't want to tunnel all your connections through your Azure VNET. However, you do want to edit the IPv4 
settings and add the routes to your remote network. The XML configuration file will specify the routes. For 
each of these elements on your VNET, you'll configure the a route. 
+
+For example, my configuration specified 10.10.0.0/16, and the VPN address pool was set to 172.20.0.0/16, the 
my route entry would use the first address in this VPN Address pool as gateway. This is specified as such:
+
+![Screenshot_from_2022-04-10_21-13-49](uploads/c0fc4e560eb437975382609c63159d74/Screenshot_from_2022-04-10_21-13-49.png)
 
-Leave the CA certificate field blank! The CA certificate you generated in order to sign the user certificate 
with is only need to validate the certificate the client presents to the server.
+Make sure the checkbox for "Use this connection for resources on its network" is checked.
 
-Both the CA certificate for the EAP-TLS authentication session and the SSL connection to you Azure 
VNetGateway uses a certificate issued to Microsoft with DigiCert (www.digicert.com) as the root CA. This 
certificate should be included in your list of root certificates in /etc/ssl/certs directory. 
+#### IPv6 Not Supported
+The IPv6 tab, you can change it to "Disabled", otherwise pppd will attempt to configure IPv6 networking and 
the Azure gateway will reply with a protocol-reject. It won't work.
 
+#### DNS not resolving
+The resolver will not send DNS replies to hosts outside it's VNET. You'll have to configure one of your VMs 
to act as a DNS server, or disable DNS resolution for this connection altogether. For quick access, you can 
add your frequently used VMs to your /etc/hosts file.
\ No newline at end of file
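Review bot: The new "**Leave the CA certificate field blank!**" paragraph should also tell the reader what that implies for server validation, otherwise it reads as "no CA, no check": with the field empty the server certificate for both the SSTP TLS session and the EAP-TLS exchange is validated against the system store, so the paragraph should add that the reader must not tick any option that ignores or skips server certificate verification, and should note that the user's self-signed CA is only uploaded to Azure (the base64 DER export above) so that Azure can validate the client certificate. The sentence "Both the CA certificate for the EAP-TLS authentication session and the SSL connection to you Azure VNetGateway uses a certificate issued to Microsoft with DigiCert ... as the root CA" has a mismatched subject and a typo; suggest: "Both the EAP-TLS authentication and the TLS connection to your Azure VNetGateway use a certificate issued to Microsoft that chains to a DigiCert root CA; that root should already be in your system's trust store under /etc/ssl/certs." Since the guide recommends an unencrypted private key .pem ("there is no need to supply a password"), it should also tell the reader to keep that file readable only by their user, as it is the only client credential. Further fixes in the added lines: "is only need to validate" -> "is only needed to validate"; "on you computer" -> "on your computer"; "needed for to reach" -> "needed to reach"; "you'll configure the a route" -> "you'll configure a route"; "the my route entry" -> "my route entry"; "The IPv6 tab, you can change it to "Disabled"" -> "On the IPv6 tab, set the method to "Disabled""; "send DNS replies to hosts outside it's VNET" -> "its VNET"; and the "Configure your Virtual Network" section opens with "You are connected to your Azure VNET!" before the routes that make the VNET reachable have been added, so move the congratulation to the end of that section or reword it to "the tunnel comes up".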