P2S Forced Tunnel no internet

Question

P2S Forced Tunnel no internet

Steve Downey 0

I have setup standard VPN Gateway, Firewall and P2S connection which is all working, although P2S client was showing the users' public IPs their end.

To fix this I had made is do Forced Tunnelling which sends P2S traffic though the gateway, but there is no internet egress through that.

Researching I've seen I need to send gateway traffic through the firewall, which I've done (0.0.0.0/0 routes to firewall private IP), but I still can't get internet client side of P2S.

Further research some are saying only a VWAN can allow internet egress from an Azure Firewall, showing it's public IP client side, but this seems very strange and wrong that I will have to tear down all the current VPN Gateway and connections (S2S/P2S/Routes) that i spend a week building just to rebuild it in VWAN to allow internet egress from the firewall.

Surely there must be a solution with my current setup?

I have already added firewall rules to allow http,https from P2S private IP range, and from firewal private IP, doesn't work.

Jeevan Shanigarapu 255 Reputation points Microsoft External Staff Moderator

2025-08-25T09:11:16.1+00:00

Hello @Steve Downey,
Good day.

Could you please review my comment and let me know if it was helpful? If you need any further assistance, please feel free to reach us

Regards
Jeevan S

2 answers

Your answer

Jeevan Shanigarapu 255 Reputation points Microsoft External Staff Moderator

2025-08-25T09:11:16.1+00:00

Hello @Steve Downey,
Good day.

Could you please review my comment and let me know if it was helpful? If you need any further assistance, please feel free to reach us

Regards
Jeevan S

Answer 1

Michele Ariis 4,505 MVP

Hi, this is a routing/DNS hairpin issue, not a hard “needs vWAN” limitation. With P2S force tunnel the path must be: Client - VPN Gateway - Azure Firewall (SNAT) - Internet → Azure Firewall - VPN Gateway - Client. Make it work with this checklist: 1) GatewaySubnet - UDR: attach a route table to GatewaySubnet with 0.0.0.0/0 → Next hop: Virtual appliance = <AzureFirewallPrivateIP>. 2) AzureFirewallSubnet - UDR back to P2S pool: attach a route table to AzureFirewallSubnet with (<your P2S address pool>, e.g. 172.16.250.0/24) → Next hop: Virtual network gateway. Without this return route the firewall can’t send replies to VPN clients. 3) Firewall egress: ensure Azure Firewall has at least one Public IP (Standard) so outbound traffic is SNATed, and create rules: Application rule allowing Source: <P2S pool>, Protocol: HTTP/HTTPS, Destinations: * (or your FQDNs); add Network rules for any non-web ports you need. 4) DNS (most common blocker): in the P2S configuration set DNS servers to resolvers reachable via the tunnel (e.g., your internal DNS or Firewall DNS Proxy if enabled) and on the firewall allow UDP/TCP 53 from the P2S pool to those resolvers; otherwise clients can’t resolve and “no internet” ensues. 5) Split tunnel OFF & fresh profile: set P2S Split tunneling = Disabled (RouteAll) and re-download/re-import the client profile so the default route is actually pushed. 6) NSG/Policies: don’t put NSGs on GatewaySubnet; on AzureFirewallSubnet allow from GatewaySubnet; make sure no policy denies Internet from that subnet. 7) Sanity checks: from a P2S client tracert 8.8.8.8 should go to the firewall, and nslookup microsoft.com should hit your intended DNS. If after this you still see the client’s local ISP IP or no egress, you’re missing (2) or DNS; you do not need to rebuild in vWAN unless you want the managed hub experience.

Steve Downey 0 Reputation points

2025-08-19T08:43:52.2466667+00:00

Thanks but this doesn't seem to work, "attach a route table to GatewaySubnet with 0.0.0.0/0" - I just get the error "Cannot associate the default route 0.0.0.0/0 to GatewaySubnet."

I already have 0.0.0.0/0 attached to the firewall subnet pointing to the private IP of the firewall, am I meant to delete this and add to GatewaySubnet instead?

I've tried the forced tunnel split ranges 0.0.0.0/1,128.0.0.0/1 instead but it still doesn't work and the rest have been checked. There must be something wrong with my routes/rules but I can't see it.
Many days now of frustration.
Michele Ariis 4,505 Reputation points MVP

2025-08-20T06:02:17.7733333+00:00

You’ve hit two hard platform limits: 1 with a standard VPN Gateway, P2S forced tunneling doesn’t provide Internet egress, the gateway drops Internet-bound traffic, and Azure Firewall won’t SNAT that P2S traffic; 2 you can’t associate 0.0.0.0/0 to GatewaySubnet, so the portal rightly blocks it. That’s why your current routing changes never take effect.

What does work: if you want users’ Internet to break out from Azure with the firewall’s public IP, the supported native path is Virtual WAN + Secured Virtual Hub (Firewall Manager). Put the P2S gateway in the hub, advertise 0.0.0.0/1 and 128.0.0.0/1 to clients, and allow/inspect egress on the hub firewall; then connect your existing VNets to the hub. You don’t need to tear everything down, stand up the hub, move P2S there, peer your VNets, and keep your existing S2S as is (migrate later if you want).

If you don’t want vWAN, your choices are: keep split-tunnel P2S (Internet stays local), or terminate P2S on a 3rd-party NVA that can SNAT to its own public IP (not the Azure VPN Gateway). NAT Gateway won’t help here, and you can’t attach it to GatewaySubnet anyway.
Jeevan Shanigarapu 255 Reputation points Microsoft External Staff Moderator

2025-08-21T09:23:09.91+00:00

Hello Steve Downey,
Good day.

Just checking in to see if you had a chance to see the previous response by @Michele Ariis/ Jeevan S. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer. And, if you have any further questions do let us know

Regards,
Jeevan S

Answer 2

Hello @Steve Downey,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand the effort you have put into setting up your current environment with standard VPN Gateway, Azure Firewall and Point to Site (P2S) connections. The issue you are experiencing is a known result of a platform limitation within Azure.

When using a standard VPN gateway, Azure Firewall does not apply SNAT to P2S VPN traffic. As you mentioned, even if you configured forced tunneling and set default routes through the firewall, P2S clients cannot use the firewall’s public IP for internet access.

You can configure forced tunneling on your Azure P2S VPN to direct all traffic to the VPN tunnel, but Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped. Hence, you need to secure Internet traffic using Azure Firewall Manager. If you secure Internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your P2S VPN clients send all Internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the Public IP of Azure Firewall for egress to Internet.

No need to remove your existing VPN Gateway setup, but if you require internet egress from the firewall with a static public IP, you will need to include VWAN.

Migration Path:

You don’t need to rebuild everything from the beginning. You can,

Create a Virtual WAN and a Secured Virtual Hub in addition to your existing configuration.
Please set up your P2S configuration again in VWAN.
Advertise the 0.0.0.0/1 and 128.0.0.0/1 routes to clients to allow for forced tunneling
Connect your current VNets to the VWAN hub using peering.

This keeps the majority of your work intact and prevents you from having to begin again.

Please note that to advertise 0.0.0.0/0 route to your VPN clients, you need to break them into two smaller subnets 0.0.0.0/1 and 128.0.0.0/1 as mentioned in the below document:

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

You have to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

You can refer the below doc which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN and take inputs on the configuration:

https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

P2S Forced Tunnel no internet

2 answers

Your answer