
VPN Gateway Route Fix - INSTRUCTIONS

โš ๏ธ DEPRECATED (2025-10-24): VPN Gateway has been replaced by Azure Bastion (ADR-050). This troubleshooting guide is for historical reference only.

→ See Bastion Dev Access for current approach.

โš ๏ธ Root Cause Identified (Historical)

Azure Limitation: VPN Gateway with OpenVPN + Azure AD authentication does NOT automatically include routes in the VPN client configuration. This is a known Microsoft limitation.

Your VPN config shows:

<includeroutes i:nil="true" />
<excluderoutes i:nil="true" />

This means the VPN client doesn't know to route VNet traffic (10.0.0.0/16) through the tunnel, so that traffic never enters it, which shows up as slow or dropping connections.

✅ Solution: Manual Route Configuration

You need to manually add routes after connecting to VPN. This is required for OpenVPN + Azure AD setups.

📥 Step 1: Connect to VPN

Use your existing Azure VPN Client configuration:
  • Open Azure VPN Client
  • Connect to "ldfdev-vnet"
  • Authenticate with Azure AD

(Your existing config is fine - the issue is missing routes, not the config itself)

🔧 Step 2: Add Routes (REQUIRED - Choose Your Platform)

After connecting, you MUST manually add routes. Pick your operating system:

Windows (Run PowerShell as Administrator)

cd infrastructure\scripts
.\Add-AzureVPNRoutes.ps1

Or manually:

route add 10.0.0.0 mask 255.255.0.0 172.16.0.1 metric 1

macOS/Linux (Run with sudo)

cd infrastructure/scripts
sudo ./add-azure-vpn-routes.sh

Or manually:

# macOS
sudo route add -net 10.0.0.0/16 172.16.0.1

# Linux
sudo ip route add 10.0.0.0/16 via 172.16.0.1

๐Ÿ“ Note: You need to run this after each VPN connection (routes are temporary)

✅ Step 3: Verify Routes

Check that routes were added:

Windows:

route print | findstr "10.0.0.0"

macOS:

netstat -rn | grep 10.0.0.0

Linux:

ip route show | grep 10.0.0.0

You should see: 10.0.0.0 ... 172.16.0.1

🧪 Step 4: Test Connectivity

After connecting:

1. Test VPN tunnel is working

ping 10.0.0.1
# Should work if gateway is in VNet

2. Test internet is NOT through VPN

curl ifconfig.me
# Should show your regular public IP, not VPN gateway IP

3. Test Azure DNS

nslookup ldfdev-vnet
# Should resolve using Azure DNS 168.63.129.16

4. Access AI Foundry

  • Open https://ai.azure.com in browser
  • Should work normally

🔄 Making Routes Persistent (Optional)

Windows - Make permanent:

route add 10.0.0.0 mask 255.255.0.0 172.16.0.1 metric 1 -p

macOS/Linux - See detailed instructions: vpn-manual-route-fix.md

🚀 Alternative: Azure VPN Client Custom Script (Windows Only)

Azure VPN Client supports post-connection scripts:

  1. Open Azure VPN Client
  2. Click profile → Settings (gear icon)
  3. Add Post-Connect Script:
    route add 10.0.0.0 mask 255.255.0.0 172.16.0.1 metric 1
    
  4. Save

Now routes will be added automatically after each connection!

โš ๏ธ Why This Happens

Azure Limitation: When using:
  • Protocol: OpenVPN
  • Authentication: Azure AD

→ Routes are NOT automatically included in VPN profiles

This is different from:
  • IKEv2 with certificate auth (includes routes automatically)
  • Azure Virtual WAN (includes routes automatically)

Microsoft Docs: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client

💡 Quick Reference

Route Details:
  • VNet CIDR: 10.0.0.0/16
  • VPN Gateway: 172.16.0.1
  • VPN Client Pool: 172.16.0.0/24

After each VPN connection:
  1. Connect to VPN
  2. Run route script (or add route manually)
  3. Verify with ping/curl
  4. Access Azure resources

📚 Documentation

Full troubleshooting guide: vpn-slow-connection.md

๐Ÿ› Need Help?

Check deployment logs in Azure Portal or run:

az deployment group show -g ldfdev-rg -n vpn-perf-fix-TIMESTAMP


What was fixed:
  1. Missing routes: VPN client config now includes VNet routes (10.0.0.0/16)
  2. NSG rules: Added internet and DNS access for VPN clients
  3. Gateway SKU: Upgraded to VpnGw2 for better throughput
  4. Network config: Updated for optimal VPN routing

Your slow connection was caused by missing route advertisement - the VPN client didn't know which traffic should go through the tunnel!