Tags: azure, vpn, ppp, azure-vpn

How to set up an Azure VPN on the client side for internet access purposes (Google behind the GFW)?


I'm trying to set up a VPN for internet access purposes (I'm in China, behind the Great Firewall), but I'm not a networking expert.

Someone outside China who has an Azure subscription created a package that allows me to connect to that VPN with the related pfx certificate, and so far everything seems to be good: the connection can be established with a server located in Europe, the VPN server is 172.16.0.1 and the VPN client gets an address in the range 172.16.0.X.

About the package creation he followed: http://blogs.msdn.com/b/kaevans/archive/2015/06/05/configure-a-point-to-site-vpn-connection-to-an-azure-vnet.aspx

However, when I'm connected to the VPN I have no way to access Google, and I'm struggling to tell whether it is a configuration problem on my side or just the GFW that is messing things up. I'm unsure about my configuration because it seems that there is no real connection over that newly defined connection:

[screenshots of the VPN connection status omitted]

I can ping the related server when I'm connected to the VPN, but there is no way to get access to google.com; however, DNS name resolution seems to work at least.

When connected to the VPN, the lookup operation gives me an appropriate result:

[screenshots of the lookup while connected omitted]

and while I'm not connected to the almighty VPN:

[screenshots of the lookup while not connected omitted]

I can still ping the VPN server when connected and vice versa when I'm not, which is quite normal:

[screenshots of the ping results omitted]

Is there any way to check and confirm that the internet access is passing through the VPN? I'm also wondering whether this could result from a routing issue, but when checking `route print` I obtain the following list, and I don't really see anything wrong:

[screenshot of the `route print` output omitted]


Solution

  • First, feel free to try this solution for end users: Enable local Internet when connected to Azure VPN via VPN Client

    If the above solution doesn't work for you, I've tested a secondary solution, useful especially for organization infrastructures in Azure or hybrid setups.

    Alternative/corporate steps:

    1. Set the MS Edge DNS settings (mentioned in the previous solution) back to the DEFAULT and close/reopen the web browser.

    2. Log into your Azure Portal - portal.azure.com.

    3. Check whether you have any DNS forwarder server there (e.g. an Active Directory DC with DNS on a VM, Linux BIND DNS on a VM or some DNS in an Azure container) and collect its IP address (you may have more DNS servers, so 2-3 IP addresses should be enough). PS: Do not use Azure DNS, as it is not routable via VPN tunnels. If you do not have such a DNS server you have to create one (e.g. an Active Directory DC with DNS on a VM, Linux BIND DNS on a VM or some DNS in an Azure container). Note your DNS servers' IP address/addresses (1-3 max for now). Those DNS server(s) need to be able to resolve local addresses and have DNS forwarders for external addresses as well. NOTE: The DNS forwarder server cannot be in the same Azure subnet as the Azure VPN Gateway.

    4. When your DNS server is in place in one of the Azure VNets, go to "Virtual Networks" in the Azure Portal.

    5. For each Azure virtual network go into its "Settings/DNS Servers" and check/set the above IP addresses of the DNS forwarders there (1-3 max for now). Verify that all IP addresses are valid. Remove invalid ones.

    6. When all VNets in Azure have been configured with the correct DNS forwarder (DNS server) IP addresses, go into the Azure VPN Gateway and its P2S configuration.

    7. Download the Azure VPN Client configuration file (NOTE: it needs to be re-downloaded and updated on the client machines every time you make a change to the DNS servers on the VNets).

    8. Remove the old Azure VPN connection (if any) and import the new Azure VPN Client configuration file into the Azure VPN Client application on the client machines. (If the Azure VPN Client is not installed yet, install it.)

    9. When the new Azure VPN connection is imported, use it and connect to Azure via P2S VPN.

    10. The internet should work well now, and desktop applications like Outlook as well, while the Azure VPN P2S connection is active. You should also be able to connect to Azure resources such as VMs via RDP.

    Additionally, if you still face some issues, you may check the metrics and indexes of the network interfaces of the client machines with the "netsh interface ipv4 show interfaces" command from PowerShell.

    The network interface with the lowest metric/interface number has higher priority, so you may try to adjust that if necessary. But first try to set up your environment correctly, with the valid IPs of the DNS forwarders, before you start digging into the text and commands.

    Conclusion: The source of the problem with internet/desktop app connections while the Azure VPN Client is active is mostly the DNS configuration: valid and available DNS servers/DNS forwarders, updated DNS settings on all Azure VNets, and an updated, re-downloaded and re-imported Azure VPN P2S configuration file on the client machines.
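The following is an added example, not code from the question or the answer above. It scripts the answer's VNet DNS-forwarder and P2S profile steps with the Az PowerShell module and then runs the client-side checks the answer points to (interface metrics, resolution through the forwarder, and which interface actually carries the traffic) so that the question's "is the traffic passing through the VPN?" can be answered from the command line rather than from screenshots. Every name in it is a placeholder assumption: the resource group "rg-vpn", VNet "vnet-hub", gateway "vgw-hub", forwarder addresses 10.0.1.4/10.0.1.5 and the client interface alias "Azure VPN" do not come from the page.

```powershell
# Added example (not from the original question or answer). Placeholder names:
# rg-vpn, vnet-hub, vgw-hub, 10.0.1.4/10.0.1.5 and "Azure VPN" are assumptions.

# ---------- Azure side: run once on an admin workstation after Connect-AzAccount ----------

function Set-VNetDnsForwarders {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroup,
        [Parameter(Mandatory)] [string]   $VNetName,
        [Parameter(Mandatory)] [string[]] $DnsServers
    )
    # The answer limits this to 1-3 forwarders and warns that an invalid entry
    # breaks resolution for every P2S client, so validate before touching the VNet.
    $valid = @(foreach ($s in $DnsServers) {
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($s, [ref]$parsed) -and
            $parsed.AddressFamily -eq 'InterNetwork') { $s }
    })
    if ($valid.Count -lt 1 -or $valid.Count -gt 3) {
        throw "Need 1-3 valid IPv4 forwarder addresses, got: $($DnsServers -join ', ')"
    }
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
    if ($null -eq $vnet.DhcpOptions) {
        # Assumption: a VNet still on Azure-provided DNS has no DhcpOptions object yet.
        $vnet.DhcpOptions = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$valid
    $vnet | Set-AzVirtualNetwork | Out-Null
    return $valid
}

function Get-P2SClientProfileUrl {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $GatewayName
    )
    # The profile zip carries the VNet DNS settings, so it must be regenerated
    # (and re-imported on every client) after each DNS change, as the answer says.
    $profile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup `
                   -Name $GatewayName -AuthenticationMethod EapTls
    return $profile.VPNProfileSASUrl   # short-lived download link to the zip
}

# ---------- Client side: run on the Windows PC while the P2S tunnel is up ----------

function Test-P2SPath {
    param(
        [Parameter(Mandatory)] [string] $VpnInterfaceAlias,   # as shown in Network Connections
        [Parameter(Mandatory)] [string] $ForwarderIp,         # one of the VNet DNS servers
        [string] $TestHost = 'google.com'
    )
    # 1. Same data as `netsh interface ipv4 show interfaces`: among connected
    #    interfaces the lowest metric wins when both can reach a destination.
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        Sort-Object InterfaceMetric |
        Format-Table InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

    # 2. Does the VNet forwarder answer through the tunnel? A timeout here means
    #    the forwarder IP in the profile is wrong, unreachable, or in the gateway subnet.
    $a = Resolve-DnsName -Name $TestHost -Type A -Server $ForwarderIp -ErrorAction Stop |
         Where-Object Type -eq 'A' | Select-Object -First 1

    # 3. Which interface actually carries traffic to that address? Windows picks
    #    the longest-prefix route with the lowest RouteMetric + InterfaceMetric.
    $route = Find-NetRoute -RemoteIPAddress $a.IPAddress |
             Where-Object DestinationPrefix | Select-Object -First 1

    [pscustomobject]@{
        TestHost    = $TestHost
        ResolvedIp  = $a.IPAddress
        ResolvedVia = $ForwarderIp
        EgressIface = $route.InterfaceAlias
        ThroughVpn  = ($route.InterfaceAlias -eq $VpnInterfaceAlias)
    }
}

# Usage with the placeholder values:
# Set-VNetDnsForwarders -ResourceGroup 'rg-vpn' -VNetName 'vnet-hub' -DnsServers '10.0.1.4','10.0.1.5'
# Get-P2SClientProfileUrl -ResourceGroup 'rg-vpn' -GatewayName 'vgw-hub'
# Test-P2SPath -VpnInterfaceAlias 'Azure VPN' -ForwarderIp '10.0.1.4'
```

Read the result with the answer in mind: a Point-to-Site connection only routes the VNet prefixes through the tunnel by default, so for a public name like google.com `ThroughVpn` will normally be `$false` and the interface listed under `EgressIface` is the local one; that is the "local Internet" behaviour the answer's first option restores. The check that matters for the answer's DNS-centred fix is step 2: if `Resolve-DnsName` fails against the forwarder while the tunnel is up, the VNet DNS settings or the imported profile are stale, and the steps above (re-set the forwarders, regenerate and re-import the profile) are the remedy.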