Configure an internal LAN & OpenVPN on Azure

If you want to build a company-like infrastructure on Azure, you will probably want a VPN for secured access to it and an internal LAN to protect your servers from external access. Basically the platform provides all that you need but, as usual in the closed world of Microsoft, the VPN server, based on the SSTP protocol, looks hard to use with Mac OS X or Linux and is not documented for them.

I’ll describe in this post how I worked around this issue by using an OpenVPN gateway server.

Create your private LAN

You can create a private LAN by adding a new NETWORK. In the various screens used to configure it, leave the DNS server empty (this means Azure will manage name resolution), configure no VPN and select an address space of your choice. Select the region fitting your needs; this is important because all the VMs will then be created in the same region as the network.

As an example, you can use 192.168.0.0/24 with a sub-net named “inetwork” on 168.168.0.0/24.

Create a new VM on that LAN

Only a new VM can be attached to this private LAN; it seems you can’t change the configuration later. I chose an Ubuntu image. To create a VM in this LAN, during the creation process, when you select a zone to deploy the VM into, you will see your network name appearing at the top of the zone list. Select this zone.

The VM will be created with 2 IP addresses: one on the private LAN, one on the Internet. You can get the IP addresses in the machine dashboard.

Deploy Open-VPN on the machine

To install OpenVPN Access Server (from here):

# sudo apt-get install openvpn
# wget http://swupdate.openvpn.org/as/openvpn-as-2.0.12-Ubuntu14.amd_64.deb
# sudo dpkg -i openvpn-as-2.0.12-Ubuntu14.amd_64.deb

Once done, you will find in the console the URL to reach the server. This URL uses the VM’s private IP address.

Next you have to change the openvpn password:

# sudo passwd openvpn

Configure a new endpoint and access the administration

On Azure, you must create a new endpoint (go to the VM panel, endpoints tab) named openVpn with the TCP protocol; public and private port 943.

Then you can access the service using the public Internet address of your VM, like:

https://my-gateway-vm.cloudapp.net:943/admin

You can access the VPN admin using the openvpn account whose password you set previously.

Now you have to create two other endpoints to handle the VPN connectivity:

  • port TCP/443
  • port UDP/1194

Add a VPN user

You need to create a Unix user able to use the VPN. Type on the command line:

# sudo useradd foo

Then you can add this user in the OpenVPN web admin interface (menu User Management / User Permissions). Set the user as auto-login: he will have to give the password to get the configuration file, then he will be able to log in without a password.

Once done, you can connect with this user.

Configure Server

Some customizations are required:

  • In Configuration / Server Network Settings, change the hostname to the public name given by Azure (xxxx.cloudapp.net).
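As an added check, not part of this post or of OpenVPN Access Server: a small Python script that parses an exported client .ovpn profile and reports remote entries that still point at the private LAN address instead of the public name, or at a port that has no matching Azure endpoint. The profile text, the public name and the expected port list are constructed for the example.

```python
import ipaddress

# Constructed sample profile, shaped like an Access Server export made before
# the hostname was changed: the remotes still carry the VM's private LAN address.
SAMPLE_PROFILE = """\
client
dev tun
remote 192.168.0.4 443 tcp
remote 192.168.0.4 1194 udp
"""

# (proto, port) pairs that have an Azure endpoint in this setup (from the post).
EXPECTED_PORTS = {("tcp", 443), ("udp", 1194)}


def parse_remotes(profile_text):
    """Return (host, port, proto) tuples from the profile's 'remote' lines.

    OpenVPN syntax is 'remote host [port] [proto]'; defaults assumed here
    are port 1194 and udp when the fields are absent.
    """
    remotes = []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = int(parts[2]) if len(parts) > 2 else 1194
            proto = parts[3].lower() if len(parts) > 3 else "udp"
            remotes.append((parts[1], port, proto))
    return remotes


def is_private_host(host):
    """True for an RFC 1918 / loopback / link-local IP literal; False for DNS names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def check_profile(profile_text, public_name):
    """Return a list of problems; an empty list means the profile is usable off-LAN."""
    problems = []
    remotes = parse_remotes(profile_text)
    if not remotes:
        problems.append("no remote directive found")
    for host, port, proto in remotes:
        if is_private_host(host):
            problems.append(f"remote {host} is a private address, unreachable from outside the LAN")
        elif host != public_name:
            problems.append(f"remote {host} does not match the public name {public_name}")
        if (proto, port) not in EXPECTED_PORTS:
            problems.append(f"remote uses {proto}/{port}, which has no matching Azure endpoint")
    return problems
```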


Connect to the VPN from iOS

To connect from iOS, you need to install the OpenVPN application (from the App Store); it is free.

In the application you can import the parameters from the OpenVPN Access Server URL by entering the URL of the server in the field with the OpenVPN Access Server icon. Log in, then click on “Connect profiles can be downloaded for Yourself (autologin profile)”.

The .ovpn file will be displayed. Click on “Open in OpenVPN app”, then click on the green “+” to add the profile.

Now you can connect to the VPN.

Connect to the VPN from Windows / Mac OS X

Open your browser at https://xxxx.cloudapp.net/, then log in and follow the procedure.
