Azure Stack VPN for MAC OS X

Microsoft release the latest version of their Azure Stack during the Ignite 2016 conference in Atlanta. The new version has a lot of great features. One thing that I was not able to find is how to establish a VPN Session from your MAC OS X to Azure Stack.

You will ask why do we need it? Well one of the groups that will benefit the most from Azure Stack are the developers. As azure brings a lot of the services available from the Azure Cloud to the Enterprise On-Premise environment. Now the developers with Windows or MAC OS X environments can start testing in the latest TP2 version connecting directly and using their tools.

There is a very good PowerShell module that will do all the steps on Windows but it does not work in MAC OS X so here are all the steps to gather the details

Ebook Version (Click the book to get the PDF version)



Download Scripts to collect required information

Login to your Azure Stack Hyper-V host with your administrator account. ex: azurestack\administrator

Download the scripts. Ex: Invoke-WebRequest -Uri -OutFile


Expand the downloaded file. Expand-Archive



Gathering Certificates for Azure Stack

Azure Stack has its own internal certificate authority. All services and websites use SSL certificates and you need to download the Root CA certificate to your MAC in order to access all the resources.

Execute the Get-AzureStackRootCACert.ps1 script to get the certificate



Gather external IP from the MAS-BGPNAT VM

In order to establish a connection to your Azure Stack you need the external IP address of the MAS-BGBNAT VM hosted in your Hyper-V host.




Transfer certificate and VPN IP output out

The certificate and VPN IP address are saved in the %userprofile%\downloads folder.


You need to copy it out. I will use my On-Premise File Sync And Share HCP Anywhere for this function.


Install Azure Stack Root CA certificate in your MAC OS X

Now we need to install the Azure Stack Root CA certificate in the MAC OS X.  My files are automatically synchronized to my MAC OS X with the HCP Anywhere client. You see two files: CA.cer is the root certificate, the natip.txt is the file with the IP address for the VPN server.

Double click the CA.Cer file


Open your Keychain  and you will see a new certificate with a red x. Double click the certificate with the name AzureStackCertificationAuthority.


Because all the services use SSL certificates our MAC OS X need to trust the Azure Stack Certificate Authority. Click the first option and switch to Always Trust. And then click the close button (red dot).



Type your password


Now will the Azure Stack Certification Authority is trusted.


Configure Static Routes for Azure Stack in MAC OS X

In order to access all the services in the Internal Azure Stack you need to add two static routes that will be executed when you connect with the VPN profile

Create a new script in /etc/ppp/ip-up. Ex: sudo vi /etc/ppp/ip-up

Configure VPN Connection in your MAC OS X

Now we need to configure our new VPN connection to the Azure Stack MAS-BGPNAT01 VM.

Click your System Preferences


Click Network


Click the plus sign (+) in the lower left corner of the network screen


Select VPN in the Interface drop down, LT2P over IPSec for VPN Type and a name for your VPN connection.


Type the External IP for BGPNAT VM in the server Address. (This is located in the natip.txt file you copied before). Account Name is administrator and click Authentication Settings.


Then type the Azure Stack administrator password in the Password field and Shared Secret and click OK.


Click the Advanced button for your VPN connection.


Click the DNS tab and add azurestack.local as a search domain for your VPN connection and click OK.


Click connect


Type your Azure Stack administrator password


Open your browser and type: https://portal.azurestack.local and login to with an account that has access to Azure Stack.


You are now connected to your Azure Stack environment.



Subscribe For Latest Updates

Sign up for best of digital marketing, livestream and technology opinions on what matters to you.

Invalid email address
We promise not to spam you. You can unsubscribe at any time.

8 thoughts on “Azure Stack VPN for MAC OS X”

  1. Thanks for this – provided the last couple of clues I needed to get VPN connectivity from OSX working for my Azure Stack TP2 environment. One quick correction (for me anyway) – the name of the script to add the required routes needs to be ‘/etc/ppp/ip-up’ and not ‘/etc/pp/if-up’ as in your document. Also, if you create a parallel ‘/etc/ppp/ip-down’ script you can automatically remove the routes when the VPN connection ends which keeps things a bit tidier.

  2. Hi,

    I work for a nonprofit and contemplating migrating our on-prem file server to Azure. Our managed IT services consultant suggested a vm of Server 2016 that we can then vpn into from any Win 10 computer to access production files. The same consultant believes Mac Users will have to use some sort of really expensive VPN client because Windows doesn’t have anything for Mac.

    I just wanted to make sure that your guide applies to an Azure file server vm as well as to an Azure developer stack. To me it seems to either be the same setup or very slight differences in config for my use case.

    • This is local access only. Have you ever consider to Use Office 365? You can get OneDrive and share files and keep it in the Azure Cloud and there is a client that works with Windows and MacOSX

      • We are currently using Office 365 including OneDrive for Business and Sharepoint online. I find the stability of the sync client very lacking. We run Server 2012 r2 with ext backups to local drives. The thinking, last month, was to get rid of on-prem and mimic it virtually in Azure.

        A month later, we’re sticking with Sharepoint, dropping OneDrive, and looking at backup services like StorageCraft while still keeping our local external drive backups which I rotate off-site.

        However, I think I would like to still try a vm of Server 2016 in Azure to replace my on-prem Server 2012.

        In your response, what client were you referring to other than using a web browser to access O365?


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: