Managing OpenVPN-based Azure VPN Gateway certificates with easyrsa3

November 19, 2021 

The Azure VPN Gateway supports the OpenVPN protocol (except the "Basic SKU"). Unlike, for example, the commercial Access Server, the VPN Gateway does not have a built-in certificate authority (CA) tool for managing client certificates. And client certificates are essentially a requirement if you need to support clients other than Windows and Mac, such as Linux, iOS or Android. The use of easy-rsa-old as a CA for Azure VPN Gateway is documented quite well in this blog post, but this post is about using the newer easyrsa3 instead. Basic familiarity with easyrsa3 is assumed, so we just go through the steps you'd normally take.

First clone easyrsa3:

git clone https://github.com/OpenVPN/easy-rsa

Then go initialize the PKI:

cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca

We recommend giving the CA key a strong password. The next step is to create a client certificate for everyone who needs one. Here we do not protect the client's private key with a password, but feel free to do otherwise:

./easyrsa build-client-full john.doe nopass 

Once you have all the client certificates and keys available you need to add the CA certificate to Azure VPN Gateway. Navigate to Azure Portal -> Virtual Network Gateways -> <name of your gateway> -> Point-to-site configuration, then add a new Root certificate:

  • Name can be anything (no spaces though)
  • Public certificate data is the long string between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in easy-rsa/easyrsa3/pki/ca.crt.

Once the public certificate has been uploaded to the VPN Gateway, download the client configuration ZIP file. This can be done from the VPN Gateway's Point-to-site configuration in Azure Portal by clicking on Download VPN client.

Once you have the ZIP file, extract it. Under the OpenVPN directory you will find a file called vpnconfig.ovpn. That is an OpenVPN configuration file, but not a fully functional one, because the client certificate and private key are missing. Open the file, go to the <cert></cert> and <key></key> sections, remove the placeholder variables and insert the certificate (e.g. easy-rsa/easyrsa3/pki/issued/john.doe.crt) and key (e.g. easy-rsa/easyrsa3/pki/private/john.doe.key) there. Make sure you do not replace the certificate in the <ca></ca> section with ca.crt from easyrsa3: Azure expects the original CA certificate to be retained, and connections will fail if you remove it.
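As an added example (not from the original post or the easy-rsa project), the shell script below automates the two manual steps above: it extracts the "Public certificate data" string from ca.crt for the portal, and it splices a client's certificate and key into a copy of vpnconfig.ovpn while passing the <ca> section through untouched. It assumes the easyrsa3 file layout used in this post and assumes that Azure marks the two empty slots with the lines $CLIENTCERTIFICATE and $PRIVATEKEY (those placeholder names are an assumption; the post only says "placeholder variables"). The sample files it creates are constructed, with fake PEM bodies, so it runs without a real PKI.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa.
# Assumptions: easyrsa3 layout (pki/ca.crt, pki/issued/NAME.crt,
# pki/private/NAME.key) and that Azure's vpnconfig.ovpn marks the empty
# slots with the lines "$CLIENTCERTIFICATE" and "$PRIVATEKEY" (assumed names).
set -eu

# "Public certificate data" for the portal: the base64 between the BEGIN and
# END lines of ca.crt, joined into a single line.
portal_cert_data() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1; next }
       /^-----END CERTIFICATE-----$/   { inside = 0 }
       inside' "$1" | tr -d '\n'
}

# Splice a client certificate and key into a copy of vpnconfig.ovpn.
# Only the two placeholder lines are replaced; everything else, including the
# <ca> section Azure expects to stay as-is, is copied through. easyrsa3 prepends
# a human-readable dump to issued certificates, so only the PEM block
# (BEGIN line through END line) of each file is inserted.
build_client_ovpn() {
  awk -v certfile="$2" -v keyfile="$3" '
    function emit_pem(file,   line, inside) {
      while ((getline line < file) > 0) {
        if (line ~ /^-----BEGIN /) inside = 1
        if (inside) print line
        if (line ~ /^-----END /) inside = 0
      }
      close(file)
    }
    $1 == "$CLIENTCERTIFICATE" { emit_pem(certfile); next }
    $1 == "$PRIVATEKEY"        { emit_pem(keyfile);  next }
    { print }
  ' "$1"
}

# Print the <ca>...</ca> section of an .ovpn file, so the generated profile can
# be checked against the template before handing it out.
ca_section() {
  awk '/^<ca>$/ { inside = 1 } inside { print } /^<\/ca>$/ { inside = 0 }' "$1"
}

# Constructed sample files with fake PEM bodies (not real keys or certificates).
make_samples() {
  dir="$1"
  mkdir -p "$dir/pki/issued" "$dir/pki/private"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'FAKECAPART1' 'FAKECAPART2' \
    '-----END CERTIFICATE-----' > "$dir/pki/ca.crt"
  printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
    'FAKECLIENTCERT' '-----END CERTIFICATE-----' > "$dir/pki/issued/john.doe.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'FAKECLIENTKEY' \
    '-----END PRIVATE KEY-----' > "$dir/pki/private/john.doe.key"
  printf '%s\n' 'client' 'remote example.invalid 443' \
    '<ca>' '-----BEGIN CERTIFICATE-----' 'AZUREGATEWAYCA' '-----END CERTIFICATE-----' '</ca>' \
    '<cert>' '$CLIENTCERTIFICATE' '</cert>' \
    '<key>' '$PRIVATEKEY' '</key>' > "$dir/vpnconfig.ovpn"
}

# Usage on the constructed samples.
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
portal_cert_data "$SAMPLES/pki/ca.crt"; echo
build_client_ovpn "$SAMPLES/vpnconfig.ovpn" \
  "$SAMPLES/pki/issued/john.doe.crt" \
  "$SAMPLES/pki/private/john.doe.key" > "$SAMPLES/john.doe.ovpn"
cat "$SAMPLES/john.doe.ovpn"
```

With a real PKI the call is `build_client_ovpn OpenVPN/vpnconfig.ovpn pki/issued/john.doe.crt pki/private/john.doe.key > john.doe.ovpn`, followed by comparing `ca_section` of the template and the result to confirm the Azure CA block is unchanged. The generated profile embeds the client's private key, so it should be stored and distributed with the same care as the key file itself.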

You may want to consider disabling the "log" parameter if you are debugging or starting the connection with systemctl (on Linux). If you don't, OpenVPN's output goes to the logfile only, and you will have to look there to figure out what is happening.

Samuli Seppänen