OpenVPN for Azure VNet with AD Integration and Google Authenticator

Note: This post has contributions from our Cloud Support Engineer, Vinod

We recently helped a US-based enterprise move their infrastructure to Azure. They had a couple of colocated on-premises datacenters and a few servers on Rackspace. We set up separate VNets for Prod, Staging, Dev and Test. The setup was fairly elaborate: extending the on-premises AD to Azure, a management VNet for restricting traffic, site-to-site and VNet-to-VNet VPN connections, and so on. All of this was deployed in the new ARM mode. More about that setup in a future post.

This customer also has development teams in multiple locations in the US and India. How do we let these developers access the servers securely from all of those locations? That's right, point-to-site VPN. Azure offers a way to set up point-to-site access using a VPN Gateway, and Azure documents detailed steps to configure it. We briefly tried this approach and decided it was not the right solution for this customer.

Let's take a look at what it takes to get it working:

  • You must generate a root certificate and upload it to Azure; up to 20 root certificates are allowed
  • For each client that wants to connect, generate a client certificate signed by that root
  • Export the client certificate and install it on the user's machine
  • Configure the VPN client

Now think about 200 developers trying to connect. This solution simply won't scale: you will have a hard time issuing, distributing and revoking all of those certificates.

So we ditched Azure's solution and deployed an OpenVPN Access Server on the management VNet instead. OpenVPN is hugely popular and widely used, and Access Server offers the following benefits:

  • Active Directory integration via LDAP
  • Multi factor authentication using Google's Authenticator app

It costs money to run the VPN machine plus a per-user licence, but the ease of use and management (users on any platform can download and configure the client with a single click) and the central user management make it worth it. What follows is a step-by-step account of how we configured OpenVPN Access Server with AD integration and how MFA was enabled.

Create a VNet

I assume you have the latest Azure PowerShell (AzureRM) module installed.

Connect to your account

# To login to Azure Resource Manager
Login-AzureRmAccount

# To view all subscriptions for your account
Get-AzureRmSubscription

# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionName "your sub" | Select-AzureRmSubscription

Create a Resource Group

New-AzureRmResourceGroup -Name Aurora -Location centralus  

Create a VNet

New-AzureRmVirtualNetwork -ResourceGroupName Aurora -Name AuroraVNet -AddressPrefix 10.10.0.0/16 -Location centralus  

Your actual production VNet should be more elaborate with proper subnet design and network security groups to regulate traffic. For the sake of simplicity, I will just go ahead with a single management subnet for this article.

Create a subnet

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName Aurora -Name AuroraVNet
# Add-* only changes the local object; piping into Set-* writes the new subnet to Azure
Add-AzureRmVirtualNetworkSubnetConfig -Name ManagementSubnet `
    -VirtualNetwork $vnet -AddressPrefix 10.10.1.0/24 | Set-AzureRmVirtualNetwork

Create a VM for running OpenVPN

You can use portal.azure.com or PowerShell. The OpenVPN Access Server package installed below is an Ubuntu build, so create a Linux VM (the script uses Ubuntu 14.04 LTS), and make sure it gets a public IP address, since clients connect to it from the Internet.

$ResourceGroupName = "Aurora"
$Location = "centralus"

## Storage
$StorageName = "aurorastorage"
$StorageType = "Standard_GRS"

## Network
$InterfaceName = "aurorainterface01"
$Subnet1Name = "ManagementSubnet"
$VNetName = "AuroraVNet"

## Compute
$VMName = "OpenVPN"
$ComputerName = "OpenVPN"
$VMSize = "Standard_A2"
$OSDiskName = $VMName + "OSDisk"

# Storage
$StorageAccount = New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageName -Type $StorageType -Location $Location

# Network
# Static allocation: the server's public address is written into every client profile,
# and a Dynamic public IP changes whenever the VM is deallocated.
$PIp = New-AzureRmPublicIpAddress -Name $InterfaceName -ResourceGroupName $ResourceGroupName -Location $Location -AllocationMethod Static
# Look up the VNet and subnet created above (the Get-* cmdlets take no address prefixes)
$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
$SubnetConfig = Get-AzureRmVirtualNetworkSubnetConfig -Name $Subnet1Name -VirtualNetwork $VNet
$Interface = New-AzureRmNetworkInterface -Name $InterfaceName -ResourceGroupName $ResourceGroupName -Location $Location -SubnetId $SubnetConfig.Id -PublicIpAddressId $PIp.Id

# Compute

## Setup local VM object (Ubuntu 14.04 LTS, matching the install steps below)
$Credential = Get-Credential   # user name and password of the Linux admin account
$VirtualMachine = New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Set-AzureRmVMOperatingSystem -VM $VirtualMachine -Linux -ComputerName $ComputerName -Credential $Credential
# Prefer key-based SSH: add -DisablePasswordAuthentication above and then
#   Add-AzureRmVMSshPublicKey -VM $VirtualMachine -KeyData (Get-Content ~/.ssh/id_rsa.pub) -Path "/home/<admin>/.ssh/authorized_keys"
# List available SKUs with: Get-AzureRmVMImageSku -Location $Location -PublisherName Canonical -Offer UbuntuServer
$VirtualMachine = Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName Canonical -Offer UbuntuServer -Skus "14.04.5-LTS" -Version "latest"
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $Interface.Id
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName + ".vhd"
$VirtualMachine = Set-AzureRmVMOSDisk -VM $VirtualMachine -Name $OSDiskName -VhdUri $OSDiskUri -CreateOption FromImage

## Create the VM in Azure
New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $Location -VM $VirtualMachine

Edit the network security group attached to this instance and open the following inbound ports. Only 443 and 1194 need to be reachable from the whole Internet; restrict the rest to your admin addresses:

  • HTTPS: TCP 443 (client web UI, and the VPN daemon's TCP listener)
  • Admin UI: TCP 943, from admin addresses only
  • OpenVPN daemon: UDP 1194, Access Server's default (open TCP 1194 instead only if you move the daemon to TCP)
  • SSH: TCP 22, from admin addresses only
  • LDAP: port 389 is not an inbound port on this VM. It is outbound from the VPN server to your domain controllers, which sit in the VNet or behind the site-to-site VPN and are already covered by the NSG's default VNet rules. Prefer LDAPS on 636 so AD credentials do not cross the network in the clear.
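As an added example (not from the original post), here are those rules built with the Azure CLI so they can be reviewed and re-applied instead of being clicked through the portal. It assumes the resource group, NIC and location used in the post, assumes the az command is installed, and uses 203.0.113.0/24 as a placeholder for your admin address range; without az it only prints the commands it would run.

```bash
#!/bin/sh
# Added example, not the original post's code: NSG for the OpenVPN VM via the Azure CLI.
# Assumed names (from the post): resource group Aurora, NIC aurorainterface01, centralus.
RG=${RG:-Aurora}
NSG=${NSG:-OpenVPN-nsg}
NIC=${NIC:-aurorainterface01}
LOCATION=${LOCATION:-centralus}
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}   # placeholder documentation range; use your admin range
DRY_RUN=${DRY_RUN:-0}                      # 1 = print the az commands instead of running them

# Run a command, or print it verbatim in dry-run mode so the rule set can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nsg_rule NAME PRIORITY PROTOCOL SOURCE PORT...   (one inbound Allow rule)
nsg_rule() {
    name=$1; prio=$2; proto=$3; src=$4; shift 4
    run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$name" \
        --priority "$prio" --direction Inbound --access Allow --protocol "$proto" \
        --source-address-prefixes "$src" --destination-port-ranges "$@"
}

create_nsg() {
    run az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
    # Ports every VPN client needs: client web UI / TCP daemon on 443, UDP daemon on 1194
    nsg_rule allow-vpn-tcp 100 Tcp '*' 443
    nsg_rule allow-vpn-udp 110 Udp '*' 1194
    # Admin-only ports: SSH and the admin UI on 943 are never opened to the whole Internet
    nsg_rule allow-admin 200 Tcp "$ADMIN_CIDR" 22 943
    # Deliberately no inbound rule for 389/636: LDAP is outbound from this VM to the
    # domain controllers, and the NSG's default AllowVnetInBound/OutBound rules cover
    # traffic inside the VNet.
    run az network nic update -g "$RG" -n "$NIC" --network-security-group "$NSG"
}

# Only call the CLI when it is installed; otherwise show what would run.
if command -v az >/dev/null 2>&1; then
    create_nsg
else
    DRY_RUN=1
    create_nsg
fi
```

Run it once with DRY_RUN=1 to eyeball the rule set, then for real; the NSG's built-in DenyAllInBound rule (priority 65500) drops everything these rules do not allow.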

Install OpenVPN

Connect to the VM over SSH and install OpenVPN Access Server. I chose an Ubuntu 14.04 instance.

Download the package. This is the Ubuntu 13 build of Access Server 2.0; pick the build matching your release from the OpenVPN downloads page, and prefer fetching it over HTTPS where the server offers it, since nothing below verifies the package before it is installed as root.

wget -c http://swupdate.openvpn.org/as/openvpn-as-2.0-Ubuntu13.amd_64.deb

Install it. If dpkg stops on unmet dependencies, run sudo apt-get -f install to pull them in and finish the package configuration.

sudo dpkg -i openvpn-as-2.0-Ubuntu13.amd_64.deb

Set a password for the openvpn user. This is the bootstrap administrator: it authenticates against the local Linux account through PAM regardless of which authentication method you configure later, so the password set here is what protects the admin UI.

sudo passwd openvpn

You should now be able to reach the admin UI at https://[server public IP address]:943/admin. The username is openvpn and the password is the one you just set. The web certificate is self-signed at this point, so expect a browser warning; you can upload a proper certificate later on the admin UI's Web Server page.

Configure OpenVPN

Once you are in the admin console, go to Server Network Settings and set "Hostname or IP Address" to the public IP of the server (or a DNS name that resolves to it). This value is written into every client profile, so it must be stable; that is why the VM should have a static public IP.

For now, leave Authentication > General on the default Local mode; we switch it to LDAP once the basics work.

Add a user

Under User Management > User Permissions, add a test user and give it a local password.

You can now log in to the client web UI as that user and download a pre-configured OpenVPN client using this URL: https://[server public IP address]:943/

Enable MFA using Google Authenticator

Log in to the admin console as the administrator, go to Client Settings and enable Google Authenticator multi-factor authentication there.

The next time a user logs in to the client web UI, Access Server shows a QR code and secret to enrol in the Google Authenticator app, and every VPN login from then on asks for the six-digit code in addition to the password. Two things worth checking before rolling this out: the server clock must be accurate, because the codes are time-based, and a user who loses their phone needs an administrator to reset their secret so they can enrol again.

Enable LDAP/AD Authentication

Log in to the admin console as the administrator and go to Authentication > LDAP. The original post showed the settings in a screenshot; the fields to fill in are:

  • Primary Server (and optionally Secondary Server): a domain controller reachable from the management VNet
  • Use SSL: yes, so the bind and the users' passwords travel over LDAPS (636) instead of cleartext 389
  • Bind credentials: the DN and password of a read-only service account, not a domain admin
  • Base DN for User Entries: the OU that holds your users, e.g. OU=Users,DC=corp,DC=example,DC=com
  • Username Attribute: sAMAccountName, so people log in with their normal AD user name
  • Additional LDAP Requirement (optional but recommended): memberOf=<DN of a VPN users group>, so only members of that group can connect

Then switch Authentication > General from Local to LDAP. You should now be able to connect to the VPN server with AD credentials, with Google Authenticator providing the second factor. One caveat: the bootstrap "openvpn" admin account keeps authenticating against the local Linux password through PAM, so keep that password strong and keep the admin UI off the Internet.
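As an added example (not from the original post, and not the Admin UI steps themselves), here is the same configuration applied with sacli, the command-line tool that ships with Access Server, so the server address, LDAP and MFA settings can be scripted and reviewed in one place. It assumes Access Server in its default /usr/local/openvpn_as location, uses hostnames, DNs and group names that are placeholders for your own environment, and should run as root; where sacli is absent it only prints the calls it would make. It does not cover validating the domain controller's LDAPS certificate: inspect the auth.ldap.0 keys in sacli ConfigQuery output for your version and set those as well.

```bash
#!/bin/sh
# Added example, not the original post's code: OpenVPN Access Server configured with sacli.
# Assumed: default install path, placeholder host/DN values below, run as root.
SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}
DRY_RUN=${DRY_RUN:-0}                          # 1 = print sacli calls instead of executing them

VPN_HOST=${VPN_HOST:-vpn.example.com}          # public IP or DNS name written into client profiles
DC1=${DC1:-dc1.corp.example.com}               # domain controllers reachable over the VNet
DC2=${DC2:-dc2.corp.example.com}
BIND_DN=${BIND_DN:-'CN=svc-openvpn,OU=Service Accounts,DC=corp,DC=example,DC=com'}
BIND_PW=${BIND_PW:-change-me}                  # read-only service account, not a domain admin
USERS_BASE_DN=${USERS_BASE_DN:-'OU=Users,DC=corp,DC=example,DC=com'}
VPN_GROUP_DN=${VPN_GROUP_DN:-'CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com'}

# Wrapper around the real sacli binary; in dry-run mode it prints the call instead.
sacli() {
    if [ "$DRY_RUN" = "1" ]; then printf 'sacli %s\n' "$*"; else "$SACLI" "$@"; fi
}

# ConfigPut stores one key; nothing takes effect until "sacli start" reloads the services.
put() { sacli --key "$1" --value "$2" ConfigPut; }

configure_server() {
    # Server Network Settings > "Hostname or IP Address"
    put host.name "$VPN_HOST"
}

configure_ldap() {
    put auth.module.type ldap                  # Authentication > General: default method = LDAP
    put auth.ldap.0.name "Corp AD"
    put auth.ldap.0.server.0.host "$DC1"
    put auth.ldap.0.server.1.host "$DC2"       # secondary DC for failover
    put auth.ldap.0.use_ssl always             # LDAPS (636) rather than cleartext 389
    put auth.ldap.0.bind_dn "$BIND_DN"
    put auth.ldap.0.bind_pw "$BIND_PW"         # stored in the AS config DB; protect the host
    put auth.ldap.0.users_base_dn "$USERS_BASE_DN"
    put auth.ldap.0.uname_attr sAMAccountName  # AD login name ("uid" on most non-AD directories)
    # Only members of the VPN group may log in, instead of every account in the OU
    put auth.ldap.0.add_req "memberOf=$VPN_GROUP_DN"
}

configure_mfa() {
    # Client Settings > Google Authenticator. Users are asked to enrol on their next
    # login to the client web UI; the server clock must be accurate (codes are time-based).
    put vpn.server.google_auth.enable true
}

# Reset one user's Google Authenticator secret (lost phone); they re-enrol on next login.
reset_mfa() { sacli --user "$1" GoogleAuthRegen; }

apply_all() {
    configure_server
    configure_ldap
    configure_mfa
    sacli start        # reload services so the new configuration is live
}

if [ -x "$SACLI" ]; then
    apply_all
else
    DRY_RUN=1
    apply_all          # no Access Server on this host: show what would be written
fi
```

Test the LDAP settings with a normal AD account before switching the default method, and keep the bootstrap openvpn account's Linux password strong: it still authenticates through PAM after auth.module.type is set to ldap. To reset a user's second factor, call reset_mfa with their AD user name.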
