Configure a point-to-site VPN on Linux for Azure Files

Here’s a concise, GitBook-optimized summary of the article, preserving structure and links.

This guide explains how to configure a Point-to-Site (P2S) VPN on Linux so you can mount Azure file shares from outside Azure without sending data over the public internet. It uses IPsec with strongSwan on Linux and requires a private endpoint for the storage account.

Overview / When to use P2S

P2S is a VPN between Azure and an individual client. Use it to mount Azure file shares from an on-premises machine.
If many on-premises clients need access, consider a Site-to-Site (S2S) VPN instead: https://docs.azure.cn/en-us/storage/files/storage-files-configure-s2s-vpn.
Recommended reading before starting: Azure Files networking overview: https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview

Applies to (summary)

Azure Files via SMB is supported across typical storage account/redudancy combos shown in the article (see the original table for details).
NFS supported only for certain premium scenarios (see original table).

Prerequisites

Latest Azure CLI (or Azure PowerShell if preferred). Install instructions: https://learn.microsoft.com/cli/azure/install-azure-cli
An Azure file share and storage account. Create: https://docs.azure.cn/en-us/storage/files/storage-how-to-create-file-share
A private endpoint for the storage account: https://docs.azure.cn/en-us/storage/files/storage-files-networking-endpoints?tabs=azure-cli

Install required software on Linux

strongSwan (IPsec) is used in the example. Example commands (Ubuntu verified):
- sudo apt update
- sudo apt install strongswan strongswan-pki libstrongswan-extra-plugins curl libxml2-utils cifs-utils unzip
If you see EAP_IDENTITY errors, install extra plugins:
- sudo apt install -y libcharon-extra-plugins

Deploy an Azure virtual network (VNet)

Create a VNet with three subnets:
- ServiceEndpointSubnet (for storage service endpoint)
- PrivateEndpointSubnet (for storage private endpoint)
- GatewaySubnet (for the VPN gateway)
The article supplies an az CLI script; replace , , .

Create certificates for VPN authentication

Create a root certificate (uploaded to the virtual network gateway) and a client certificate signed by that root.
The article includes an ipsec/openssl script that produces:
- rootCert.pem (converted to base64 for gateway)
- client.p12 (client certificate bundle)
Example variables shown: ROOT_CERT_NAME, USERNAME, PASSWORD.

Deploy the virtual network gateway

Gateway requires:
- A public IP to identify the gateway.
- The root certificate public data uploaded to the gateway.
Note: deployment can take up to ~45 minutes.
P2S IKEv2/OpenVPN requires a non-Basic SKU (example uses VpnGw1).
The article includes az CLI commands to create the public IP, gateway, and upload the root cert.

Configure the VPN client on Linux

Download the gateway's VPN client package (the gateway provides a download link).
Place the generated certificates in the correct strongSwan directories and update ipsec.conf and ipsec.secrets with values from the downloaded config.
Restart strongSwan and bring up the connection (the article provides the exact commands and xml parsing steps).

Once connected via P2S VPN, mount the Azure file share as you would normally:
- SMB on Linux: https://docs.azure.cn/en-us/storage/files/storage-how-to-use-files-linux
- NFS on Linux: https://docs.azure.cn/en-us/storage/files/storage-files-how-to-mount-nfs-shares