{"id":136,"date":"2014-08-08T00:41:22","date_gmt":"2014-08-08T00:41:22","guid":{"rendered":"http:\/\/outworx.com\/blog\/?p=136"},"modified":"2017-01-19T10:13:27","modified_gmt":"2017-01-19T10:13:27","slug":"setting-up-point-to-site-openvpn-on-microsoft-azure","status":"publish","type":"post","link":"https:\/\/www.outworx.com\/blog\/setting-up-point-to-site-openvpn-on-microsoft-azure\/","title":{"rendered":"Setting up Point-to-Site OpenVPN on Microsoft Azure"},"content":{"rendered":"

Microsoft Azure has some nice paid services<\/a> for creating site-to-site VPN.\u00a0 Using these, you can create a hybrid cloud that connects your enterprise network to a Virtual Network on Azure.\u00a0 But if you just want connect to a single Azure VM, this may be overkill.<\/p>\n

This article discusses how to use OpenVPN to connect a Windows client on your local network to a Linux VM running in Azure.\u00a0\u00a0 We will be following the general outline found at the OpenVPN HOWTO<\/a>.\u00a0 Our Azure VM is running Ubuntu 14.04LTS.<\/p>\n

Add OpenVPN to the Network ACL<\/strong><\/h1>\n

Go the the Virtual Machines tab in the Azure portal.\u00a0 Select the VM you want, and click on its Endpoints tab.\u00a0 At the bottom of the screen, click on ‘+ ADD’ to add a new endpoint for OpenVPN.<\/p>\n

\"Endpoints\"<\/a>
Figure 1 – Click on the ‘+ ADD’ button to add a new endpoint.<\/figcaption><\/figure>\n

 <\/p>\n

A small Wizard will pop-up to add the endpoint.\u00a0 Take the default setting to ‘Add a stand-alone endpoint’, and click the check mark to go to the next screen.<\/p>\n

\"Add<\/a>
Figure 2 – Take the default setting on this screen.<\/figcaption><\/figure>\n

In the screen below, enter ‘OpenVPN’ in the pulldown.\u00a0 Set the protocol to UDP.\u00a0 OpenVPN’s official port number is 1194, so set both the public and the private ports to that.\u00a0 Click on the check mark to actually add the endpoint.<\/p>\n

\"The<\/a>
Figure 3 – Set the protocol to UDP and both ports to 1194<\/figcaption><\/figure>\n

The Azure portal will take you back to Figure 1 while it works on changing its firewall rules for this VM to grant access on the specified port.\u00a0 Note that Azure merely configures its own networking, and does not alter any internal firewall rules in the VM.\u00a0 Azure will not change iptables<\/em> for you.\u00a0 If you set-up a Linux firewall on your VM, you’ll need to change it yourself to let UDP port 1194 through.\u00a0 However, if you just booted a machine from the Microsoft Gallery, this should not be a problem.\u00a0 By default, iptables<\/em> are not turned on on Gallery VMs.<\/p>\n

Limiting Network Access<\/strong><\/h2>\n

Next, you will almost certainly want to limit network access to this VM.\u00a0 Make sure that the OpenVPN endpoint is highlighted.<\/p>\n

\"OpenVPN<\/a>
Figure 4 – Make sure the OpenVPN row is highlighted<\/figcaption><\/figure>\n

Now click on ‘Manage ACL’.\u00a0 Enter the external IP address that your company uses to access the Internet.\u00a0 Follow it with a ‘\/32’ as shown below to indicate that access is only granted to this single IP address, and not a larger subnet.<\/p>\n

If you have DSL and don’t know what that address is, go to someplace like whatismyipaddress.com<\/a>.\u00a0 Low end DSL will often change the IP address when the router is rebooted.\u00a0 If that happens, you can just update the ACL.<\/p>\n

\"Limiting<\/a>
Figure 5 – Limiting access to your network alone is important for security<\/figcaption><\/figure>\n

While you are there, limit access to ssh as well.\u00a0 Bots from China and other countries continually probe ssh and other ports trying to break in.<\/p>\n

Configuring the Linux VM Server<\/strong><\/h1>\n

The VM will be the OpenVPN server.\u00a0 To start the configuration process, we need to install some software on it.<\/p>\n

Install OpenVPN and Easy RSA<\/strong><\/h2>\n

Logon to your VM, and install OpenVPN and Easy RSA.\u00a0 Our VM is running Ubuntu 14.04LTS, so it can easily be installed with the simple command<\/p>\n

$sudo apt-get install openvpn easy-rsa<\/pre>\n
The simplest way to set-up OpenVPN is to use a Static Key.\u00a0 This will give you exactly one client and one server.\u00a0 If that is fine with you, you can follow these instruction<\/a>.\u00a0 We will set-up things with PKI certificates so that multiple clients can connect to the VM.<\/p>\n
Set Up Easy RSA<\/strong><\/h2>\n
Now set-up the Easy RSA environment under \/etc\/openvpn on the VM.\u00a0 Run the following commands:<\/p>\n
\u00a0$ cd \/etc\/openvpn\r\n $ sudo mkdir easy-rsa\r\n $ cd easy-rsa\r\n $ sudo make-cadir my_ca\r\n $ sudo bash\r\n # cd my_ca<\/pre>\n
Now we need to edit the vars file, and make sure that the following variables are set:<\/p>\n