VPN, ПРОКСИ, АНОНИМНОСТЬ

ProtonVPN — хорошо известный сервис, предоставляющий доступ к VPN, который служит для безопасного доступа к интернет-ресурсам.

Hotspot Shield — один из самых популярных VPN-сервисов в мире. В первую очередь известен своим бесплатным планом.

Windscribe — бесплатный VPN для компьютеров и мобильных устройств, предлагающий 12 Гб трафика в месяц абсолютно бесплатно.

NordVPN — известный VPN-сервис, обладающий мощнейшей инфраструктурой из тысяч серверов по всему миру.

Mullvad VPN — безопасный VPN-сервис. Уважаемый сервис с хорошей репутацией и ориентацией на конфиденциальность.

Turbo VPN — бесплатный VPN-сервис для Windows, Android и iOS с неограниченным трафиком. Известнейший VPN-сервис.

TunnelBear VPN — известный VPN-сервис. Нужен для обеспечения анонимности в сети и обхода блокировок.

Speedify — бесплатный VPN. Не требует регистрации и предоставляет бесплатные 10 Гб трафика в месяц.

CyberGhost VPN — популярный сервис для анонимной работы в интернете через защищённую VPN-сеть.

ZenMate VPN — это мощная сеть с широкой инфраструктурой из множества серверов, расположенных в 74-х странах мира.

OpenVPN — самое популярное решение для реализации VPN. Открытый, постоянно развивающийся проект.

Shadowsocks — это socks5-прокси, служащий для маскировки трафика и доступа к заблокированному у контенту.

SurfEasy — популярный VPN-сервис с бесплатным планом обслуживания. Бесплатно предлагает лишь 600 Мб трафика в месяц.

Mozilla VPN — VPN-сервис от Mozilla. Новый продукт, призванный обеспечить защиту приватность.

WireGuard — быстро развивающееся решение для создания собственного VPN-сервиса. Бесплатный и открытый проект.

OpenVPN Connect — универсальный клиент VPN от разработчиков OpenVPN (популярнейший и бесплатный софт для организации VPN).

hide.me VPN — популярный VPN-сервис с бесплатным планом обслуживания, который включает 10 Гб трафика в месяц.

Клиент бесплатного сервиса, представляющего собой DNS-службу и сервис шифрования трафика. Альтернатива VPN.

SoftEther — программное обеспечение для построения VPN. Полностью бесплатный, кроссплатформенный проект, являющийся альтернативой OpenVPN.

Betternet — бесплатный VPN-сервис для Windows и мобильных устройств. Служит для работы в интернете через защищенную виртуальную сеть.

Amnezia VPN — программа для развертывания собственного VPN-сервиса на VPS. Абсолютно простой инструмент.

Популярный VPN-сервис от известного разработчика KeepSolid. Имеет хорошую репутацию и положительные отзывы.

About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.

What protocol does P2S use?

Point-to-site VPN can use one of the following protocols:

OpenVPNВ® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).

Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model.

How are P2S VPN clients authenticated?

Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are two mechanisms that Azure offers to authenticate a connecting user.

Authenticate using native Azure certificate authentication

When using the native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. You can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.

The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.

Authenticate using native Azure Active Directory authentication

Azure AD authentication allows users to connect to Azure using their Azure Active Directory credentials. Native Azure AD authentication is only supported for OpenVPN protocol and Windows 10 and requires the use of the Azure VPN Client.

With native Azure AD authentication, you can leverage Azure AD’s conditional access as well as Multi-Factor Authentication (MFA) features for VPN.

At a high level, you need to perform the following steps to configure Azure AD authentication:

Authenticate using Active Directory (AD) Domain Server

AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also leverage their existing RADIUS deployment.

The RADIUS server could be deployed on-premises or in your Azure VNet. During authentication, the Azure VPN Gateway acts as a pass through and forwards authentication messages back and forth between the RADIUS server and the connecting device. So Gateway reachability to the RADIUS server is important. If the RADIUS server is present on-premises, then a VPN S2S connection from Azure to the on-premises site is required for reachability.

The RADIUS server can also integrate with AD certificate services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to the Azure certificate authentication. The advantage is that you don’t need to upload root certificates and revoked certificates to Azure.

A RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPN, including multi-factor options.

What are the client configuration requirements?

For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure.

Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains settings required by these native clients to connect to Azure.

• For Windows devices, the VPN client configuration consists of an installer package that users install on their devices.
• For Mac devices, it consists of the mobileconfig file that users install on their devices.

The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation.

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Which gateway SKUs support P2S VPN?

VPN Gateway Generation	SKU	S2S/VNet-to-VNet Tunnels	P2S SSTP Connections	P2S IKEv2/OpenVPN Connections	Aggregate Throughput Benchmark	BGP	Zone-redundant
Generation1	Basic	Max. 10	Max. 128	Not Supported	100 Mbps	Not Supported	No
Generation1	VpnGw1	Max. 30*	Max. 128	Max. 250	650 Mbps	Supported	No
Generation1	VpnGw2	Max. 30*	Max. 128	Max. 500	1 Gbps	Supported	No
Generation1	VpnGw3	Max. 30*	Max. 128	Max. 1000	1.25 Gbps	Supported	No
Generation1	VpnGw1AZ	Max. 30*	Max. 128	Max. 250	650 Mbps	Supported	Yes
Generation1	VpnGw2AZ	Max. 30*	Max. 128	Max. 500	1 Gbps	Supported	Yes
Generation1	VpnGw3AZ	Max. 30*	Max. 128	Max. 1000	1.25 Gbps	Supported	Yes
Generation2	VpnGw2	Max. 30*	Max. 128	Max. 500	1.25 Gbps	Supported	No
Generation2	VpnGw3	Max. 30*	Max. 128	Max. 1000	2.5 Gbps	Supported	No
Generation2	VpnGw4	Max. 30*	Max. 128	Max. 5000	5 Gbps	Supported	No
Generation2	VpnGw5	Max. 30*	Max. 128	Max. 10000	10 Gbps	Supported	No
Generation2	VpnGw2AZ	Max. 30*	Max. 128	Max. 500	1.25 Gbps	Supported	Yes
Generation2	VpnGw3AZ	Max. 30*	Max. 128	Max. 1000	2.5 Gbps	Supported	Yes
Generation2	VpnGw4AZ	Max. 30*	Max. 128	Max. 5000	5 Gbps	Supported	Yes
Generation2	VpnGw5AZ	Max. 30*	Max. 128	Max. 10000	10 Gbps	Supported	Yes

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

Pricing information can be found on the Pricing page.

SLA (Service Level Agreement) information can be found on the SLA page.

On a single tunnel a maximum of 1 Gbps throughput can be achieved. Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact a S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

To help our customers understand the relative performance of SKUs using different algorithms, we used publicly available iPerf and CTSTraffic tools to measure performances. The table below lists the results of performance tests for Generation 1, VpnGw SKUs. As you can see, the best performance is obtained when we used GCMAES256 algorithm for both IPsec Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity we got lowest performance.

Generation	SKU	Algorithms used	Throughput observed	Packets per second observed
Generation1	VpnGw1	GCMAES256 AES256 & SHA256 DES3 & SHA256	650 Mbps 500 Mbps 120 Mbps	58,000 50,000 50,000
Generation1	VpnGw2	GCMAES256 AES256 & SHA256 DES3 & SHA256	1 Gbps 500 Mbps 120 Mbps	90,000 80,000 55,000
Generation1	VpnGw3	GCMAES256 AES256 & SHA256 DES3 & SHA256	1.25 Gbps 550 Mbps 120 Mbps	105,000 90,000 60,000
Generation1	VpnGw1AZ	GCMAES256 AES256 & SHA256 DES3 & SHA256	650 Mbps 500 Mbps 120 Mbps	58,000 50,000 50,000
Generation1	VpnGw2AZ	GCMAES256 AES256 & SHA256 DES3 & SHA256	1 Gbps 500 Mbps 120 Mbps	90,000 80,000 55,000
Generation1	VpnGw3AZ	GCMAES256 AES256 & SHA256 DES3 & SHA256	1.25 Gbps 550 Mbps 120 Mbps	105,000 90,000 60,000

• For Gateway SKU recommendations, see About VPN Gateway settings.

The Basic SKU does not support IKEv2 or RADIUS authentication.

What IKE/IPsec policies are configured on VPN gateways for P2S?

IKEv2

Cipher	Integrity	PRF	DH Group
GCM_AES256	GCM_AES256	SHA384	GROUP_24
GCM_AES256	GCM_AES256	SHA384	GROUP_14
GCM_AES256	GCM_AES256	SHA384	GROUP_ECP384
GCM_AES256	GCM_AES256	SHA384	GROUP_ECP256
GCM_AES256	GCM_AES256	SHA256	GROUP_24
GCM_AES256	GCM_AES256	SHA256	GROUP_14
GCM_AES256	GCM_AES256	SHA256	GROUP_ECP384
GCM_AES256	GCM_AES256	SHA256	GROUP_ECP256
AES256	SHA384	SHA384	GROUP_24
AES256	SHA384	SHA384	GROUP_14
AES256	SHA384	SHA384	GROUP_ECP384
AES256	SHA384	SHA384	GROUP_ECP256
AES256	SHA256	SHA256	GROUP_24
AES256	SHA256	SHA256	GROUP_14
AES256	SHA256	SHA256	GROUP_ECP384
AES256	SHA256	SHA256	GROUP_ECP256
AES256	SHA256	SHA256	GROUP_2

IPsec

Cipher	Integrity	PFS Group
GCM_AES256	GCM_AES256	GROUP_NONE
GCM_AES256	GCM_AES256	GROUP_24
GCM_AES256	GCM_AES256	GROUP_14
GCM_AES256	GCM_AES256	GROUP_ECP384
GCM_AES256	GCM_AES256	GROUP_ECP256
AES256	SHA256	GROUP_NONE
AES256	SHA256	GROUP_24
AES256	SHA256	GROUP_14
AES256	SHA256	GROUP_ECP384
AES256	SHA256	GROUP_ECP256
AES256	SHA1	GROUP_NONE

What TLS policies are configured on VPN gateways for P2S?

TLS

Policies
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices: