Azure – Simplest solution for OS X Point-to-Site VPN access to an Azure VNet

azuremac-osxvpn

We've been using Azure's built-in VNet/VPN solution, with a combination of both point-to-site and site-to-site connections, and so far it's worked reasonably well. But our company is very – very – distributed, and we need to grant some remote OS X clients access to resources inside our Azure VNet. And of course, despite it being one of the top requests on UserVoice, MS doesn't support any non-Windows client in their Point-to-Site VPN configuration.

So I'm left looking for other options. One possibility, of course, would be to configure each of the remote home offices with, say, a Dell Sonicwall, and configure that Sonicwall with a Site-to-Site VPN connection. But that gets expensive and complicated, and still doesn't allow them to, say, connect to the VPN if they're on the road or at a coffee shop.

So I've been looking into some of the VPN solutions that show up on the Azure marketplace – for instance, VNS3 from Cohesive, or SohaCloud, or pfSense, or whatever. The problem is that these all seem to be focused on the (much more complex) Site-to-Site configuration style – at least, that's what all their documentation seems to be pointing to (for instance, https://cohesive.net/dnld/Cohesive-Networks_VNS3-3.5-Azure.pdf). And all I want is a really simple Point-to-Site configuration.

What's my best (meaning simplest) option here? I'm no network guy, and I start feeling out of my depth (and like I'm headed down a rathole) whenever I start trying to translate the documentation into my particular scenario.

I certainly can't be the only person who's had to figure out how to let OS X clients into an Azure VNet – what's the recommended approach here?

Best Answer

They now support the mac natively using IKEv2: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert#installmac

Download Azure Management Certificate

Get-AzurePublishSettingsFile

Import Azure Management Certificate

Import-AzurePublishSettingsFile "${env:USERPROFILE}\Documents\Azure.publishsettings"

Select Azure Subscription

$subscriptionName = (Get-AzureSubscription).SubscriptionName | Out-GridView -Title "Select Azure Subscription" -PassThru

Select-AzureSubscription -SubscriptionName $subscriptionName

Get Azure subscription information

$subscription = Get-AzureSubscription $subscriptionName -ExtendedDetails

$certificate = $subscription.Certificate

$subscriptionId = $subscription.SubscriptionId

Select Azure VNet for which to manage VPN certificates

$azureVNet = (Get-AzureVNetSite).Name | Out-GridView -Title "Select Azure VNet" -PassThru

Import saved copy of user's VPN client certificate

$certPassword = Read-Host "Enter VPN client certificate password" -AsSecureString

Import-PfxCertificate -FilePath "${env:USERPROFILE}\Documents\Azure\P2S VPN\VPN01Client.pfx" -CertStoreLocation Cert:CurrentUser\My -Exportable -Password $certPassword

Select VPN client certificate to Revoke

$vpnCertThumbprint = (Get-ChildItem Cert:\CurrentUser\My | Out-GridView -Title "Select VPN certificate to revoke" -PassThru).Thumbprint

Build web request header

$requestHeader = @{"x-ms-version" = "2012-03-01"}

Revoke a VPN Client Certificate

$revokeVPNCertUri = "https://management.core.windows.net/$subscriptionId/services/networking/$azureVNet/gateway/clientcertificates/$vpnCertThumbprint"

$response = Invoke-RestMethod -Uri $revokeVPNCertUri -Certificate $certificate -Method Post -Headers $requestHeader

Confirm Revoked VPN Client Certificates

$listRevokedVPNCertUri = "https://management.core.windows.net/$subscriptionId/services/networking/$azureVNet/gateway/clientcertificates"

$response = Invoke-RestMethod -Uri $listRevokedVPNCertUri -Certificate $certificate -Method Get -Headers $requestHeader

$response.ClientCertificates.Thumbprint