---------- windows.azure.com1. Create new Windows Server VM using "Quick Create"2. The DNS name, username and password will be used to connect to the VPN3. Extra-small or small VM (starts at around $10/month or free with an MSDN subscription, no charge for stopped VM, billed by the minute)4. Create TCP endpoint at port 4435. Connect using Remote Desktop (RDP) through the Dashboard---------- Server Role1. Click on Server Manager -> Manage -> "Add Roles and Features"2. Add "Remote Access", include VPN and Routing (needed for NAT) role services and restart3. Click on Server Manager -> Notifications -> "Open the Getting Started Wizard"4. Select "Deploy VPN only"---------- Server Certificate1. Open an elevated CMD prompt2. Use SelfSSL (IIS6 Resource Kit, custom install only this component) to generate an SSL certificate for the SSTP:selfssl.exe /N:cn=<...>.cloudapp.net /V:3650(3650 == 10 years, "<...>.cloudapp.net" represents the fully-qualified domain name, FQDN)3. Confirm prompt with "y", ignore metabase error (if it appears)4. Run mmc.exe, add snap-in for Certificates -> Computer account5. Click on Personal -> Certificates6. Right-click on the <...>.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password---------- Server RRAS1. Run Routing and Remote Access (RRAS) tool2. Right-click on the server and then on "Configure and Enable RRAS"3. Choose "Custom configuration", select "VPN access" and NAT4. Right-click on the server and then on Properties -> Security5. Select the <...>.cloudapp.net certificate6. Click on the IPv4 tab7. Enter a "Static address pool" for the number of clients, e.g.: 192.168.1.1 - 192.168.1.20 (otherwise the connection will fail with error 720), then close the dialog8. Don't enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C9. Expand the IPv4 node, then right-click on NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2")10. Click on "Public interface connected to the Internet" and check "Enable NAT on this interface"---------- Server User1. Open "Computer Management" console2. Click on "Local Users and Groups", then on Users, double click on your account3. Click on Dial-in and change "Network Access Permission" to "Allow access"---------- Client Certificate1. Install exported server certificate to client's "Local Machine" store2. Click on "Place all certificates in the following store", then on Browse3. Select "Trusted Root Certificate Authorities", if you store the certificate in the personal store, the connection will fail with error 0x800B0109---------- Client Connection1. Go to Network and Sharing Center, click on "Setup a new connection or network"2. Select "Connect to a workplace", then VPN3. Enter <...>.cloudapp.net, name and create4. Click on Network tray icon5. Right-click on new VPN connection, then show properties6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v27. Connect using same credentials used to create the VM and for RDP8. Test your internet connectivity9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter---------- SSL CertificateTo avoid installing a self-certificate to the trusted store (or for devices with a locked trusted store), do the following:1. Open the IIS Manager on the server2. Click on the server, then on "Server Certificates"3. Click on "Create Certificate Request" (Certificate Signing Request, CSR)4. Enter <...>.cloudapp.net as the "Common name", fill the rest and export as text file5. Buy an SSL certificate using the CSR (cheap SSL certificates start at around $5/year)6. Once the SSL authority issues the certificate:a) Install to the server's and client's "Local Machine" personal store as described above, skipping the step to copy/move it to the trusted storeb) Select the same certificate in the RRAS tool, on the Security tab---------- L2TP over IPsec1. On the Azure Portal, add the following endpoints:a) L2TP UDP: 1701b) IPsec UDP: 500c) IKEv2 UDP: 45002. On the Server, open the "Windows Firewall with Advanced Security", create a rule called IKEv2 and allow inbound traffic to UDP port 4500 (otherwise the connection will fail with error 809)3. Using the RRAS tool, right-click on the server and then on Properties -> Security4. Check "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter a preshared key5. On the client, right-click on new VPN connection, then show properties6. Click on Security, then on click on "Advanced settings" and enter the same preshared keyFor help, see Troubleshooting common VPN related errors.
DISCLAIMER: This solution is provided "AS IS," without any warranty or representation of any kind. Please note that, as of June 2014, this solution is not yet officially supported by Microsoft.