Note: This post has contributions from our Cloud Support Engineer, Vinod
We recently helped a US-based enterprise move their infrastructure to Azure. They had a couple of colocation on-prem datacenters and a few servers on Rackspace. We set up separate VNets for Prod, Staging, Dev and Test. The setup was fairly elaborate: extending the on-premise AD to Azure, setting up a management VNet for restricting traffic, configuring site-to-site and VNet-to-VNet VPN connections, etc. All of this deployment was in the new ARM mode. More about this setup in a future post.
This customer also has development teams in multiple locations in the US and India. How do we let these developers securely access the servers from multiple locations? That's right, Point-to-Site VPN. Azure offers a way to set up point-to-site using a VPN Gateway. Here are detailed steps to configure it. We briefly tried this approach and decided that it is not the right solution.
Let's take a look at what it takes to get it working:
- You must generate a root certificate. You can upload up to 20 root certificates
- For each client that wants to connect, generate a client certificate
- Export and install the certificate
- Configure your VPN client.
Now think about allowing 200 developers to connect. This solution simply won't scale: you will have a tough time maintaining and revoking all those certificates.
So we ditched Azure's solution and went ahead with deploying an OpenVPN server on the management VNet. OpenVPN is hugely popular and widely used, and it also offers the following benefits:
- Active Directory integration via LDAP
- Multi factor authentication using Google's Authenticator app
It costs money to run the VPN machine plus a license per user, but the ease of use and management, the built-in user management, and letting users on any platform download and configure the client with a single click make it worth it. What follows is a step-by-step account of how we configured OpenVPN with AD integration and how MFA was enabled.
Create a VNet
I assume that you have installed the latest Azure PowerShell.
Connect to your account
# To log in to Azure Resource Manager
Login-AzureRmAccount
# To view all subscriptions for your account
Get-AzureRmSubscription
# To select a default subscription for your current session
Get-AzureRmSubscription -SubscriptionName "your sub" | Select-AzureRmSubscription
Create a Resource Group
New-AzureRmResourceGroup -Name Aurora -Location centralus
Create a VNet
New-AzureRmVirtualNetwork -ResourceGroupName Aurora -Name AuroraVNet -AddressPrefix 10.10.0.0/16 -Location centralus
Your actual production VNet should be more elaborate with proper subnet design and network security groups to regulate traffic. For the sake of simplicity, I will just go ahead with a single management subnet for this article.
Create a subnet
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName Aurora -Name AuroraVNet
Add-AzureRmVirtualNetworkSubnetConfig -Name ManagementSubnet -VirtualNetwork $vnet -AddressPrefix 10.10.1.0/24
# Add-AzureRmVirtualNetworkSubnetConfig only changes the local object; write it back to Azure
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
Create a VM for running OpenVPN
You can use portal.azure.com or PowerShell. Make sure that the server has a public IP address.
$ResourceGroupName = "Aurora"
$Location = "centralus"

## Storage
$StorageName = "aurorastorage"
$StorageType = "Standard_GRS"

## Network
$InterfaceName = "aurorainterface01"
$Subnet1Name = "ManagementSubnet"
$VNetName = "AuroraVNet"

## Compute
$VMName = "OpenVPN"
$ComputerName = "OpenVPN"
$VMSize = "Standard_A2"
$OSDiskName = $VMName + "OSDisk"

# Storage
$StorageAccount = New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageName -Type $StorageType -Location $Location

# Network: a public IP so developers can reach the VPN server from outside the VNet.
# A Dynamic address changes whenever the VM is deallocated; use -AllocationMethod Static if clients need a stable endpoint.
$PIp = New-AzureRmPublicIpAddress -Name $InterfaceName -ResourceGroupName $ResourceGroupName -Location $Location -AllocationMethod Dynamic
# Look up the VNet and subnet created earlier rather than re-creating them
$VNet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
$SubnetConfig = Get-AzureRmVirtualNetworkSubnetConfig -Name $Subnet1Name -VirtualNetwork $VNet
$Interface = New-AzureRmNetworkInterface -Name $InterfaceName -ResourceGroupName $ResourceGroupName -Location $Location -SubnetId $SubnetConfig.Id -PublicIpAddressId $PIp.Id

# Compute
## Set up the local VM object. OpenVPN is installed on Ubuntu 14.04 below, so use the Canonical image.
$Credential = Get-Credential   # admin user name and password for the VM
$VirtualMachine = New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Set-AzureRmVMOperatingSystem -VM $VirtualMachine -Linux -ComputerName $ComputerName -Credential $Credential
$VirtualMachine = Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName Canonical -Offer UbuntuServer -Skus 14.04.5-LTS -Version "latest"
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $Interface.Id
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName + ".vhd"
$VirtualMachine = Set-AzureRmVMOSDisk -VM $VirtualMachine -Name $OSDiskName -VhdUri $OSDiskUri -CreateOption FromImage

## Create the VM in Azure
New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $Location -VM $VirtualMachine
Edit the network security group attached to this instance and open the following ports:
- HTTPS: TCP 443
- Port for the Admin UI: TCP 943 (restrict the source to your admin addresses rather than the whole Internet)
- Port for the OpenVPN server: TCP 1194 (OpenVPN Access Server also listens on UDP 1194 by default, so allow that too if you keep the default daemon settings)
- 22 for SSH, obviously :)
- port 389 for LDAP (this is traffic the VPN server initiates toward your domain controllers, so it is an outbound rule; plain LDAP sends the bind credentials unencrypted, so prefer LDAPS on 636 where your DCs support it)
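As an added example (not code from the original post), here is the same port list expressed as an NSG with the AzureRM cmdlets and attached to the NIC created by the VM script above. The NSG name, the admin source range and the domain-controller subnet are assumptions; substitute your own.

```powershell
# Added example: build and attach the NSG for the OpenVPN VM. Names and prefixes below are assumed.
$ResourceGroupName = "Aurora"
$Location          = "centralus"
$InterfaceName     = "aurorainterface01"   # NIC from the VM creation script above
$NsgName           = "OpenVPN-nsg"          # assumed name
$AdminSourcePrefix = "203.0.113.0/24"       # constructed: your office / jump-host range
$DcSubnetPrefix    = "10.10.2.0/24"         # constructed: subnet holding the domain controllers

# Lower priority number wins. Developer-facing ports are open to Internet; the admin UI
# and SSH are limited to the admin range. LDAP is a connection the VPN server opens
# toward the DCs, so it is modelled as an Outbound rule to the DC subnet only.
$rules = @(
  (New-AzureRmNetworkSecurityRuleConfig -Name "Allow-HTTPS-443" -Direction Inbound -Access Allow -Protocol Tcp `
     -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443 -Priority 100),
  (New-AzureRmNetworkSecurityRuleConfig -Name "Allow-OpenVPN-TCP-1194" -Direction Inbound -Access Allow -Protocol Tcp `
     -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 1194 -Priority 110),
  (New-AzureRmNetworkSecurityRuleConfig -Name "Allow-OpenVPN-UDP-1194" -Direction Inbound -Access Allow -Protocol Udp `
     -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 1194 -Priority 120),
  (New-AzureRmNetworkSecurityRuleConfig -Name "Allow-AdminUI-943" -Direction Inbound -Access Allow -Protocol Tcp `
     -SourceAddressPrefix $AdminSourcePrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 943 -Priority 130),
  (New-AzureRmNetworkSecurityRuleConfig -Name "Allow-SSH-22" -Direction Inbound -Access Allow -Protocol Tcp `
     -SourceAddressPrefix $AdminSourcePrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22 -Priority 140),
  (New-AzureRmNetworkSecurityRuleConfig -Name "Allow-LDAP-389-to-DC" -Direction Outbound -Access Allow -Protocol Tcp `
     -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix $DcSubnetPrefix -DestinationPortRange 389 -Priority 100)
)

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Location $Location -Name $NsgName -SecurityRules $rules

# Attach the NSG to the VM's NIC and push the change to Azure
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $InterfaceName
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic

# Read the rule set back from Azure to verify what is actually open
(Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName).SecurityRules |
  Select-Object Name, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange, Priority |
  Format-Table -AutoSize
```

The default NSG rules still deny all other inbound traffic from Internet, so anything not listed here stays closed.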
Connect to the VM you created above and install OpenVPN. I chose an Ubuntu 14.04 instance.
Install the package
wget -c http://swupdate.openvpn.org/as/openvpn-as-2.0-Ubuntu13.amd_64.deb
sudo dpkg -i openvpn-as-2.0-Ubuntu13.amd_64.deb
Change the password for the openvpn user
sudo passwd openvpn
You should now be able to connect to the console. You can access the admin UI at https://[serverpublicIP address]:943/admin. The username is openvpn and the password is the one you set in the previous step.
Once you connect to the console, change the server IP to the public IP of the server.
For now, use user authentication mode.
Add a user
You can now log in to the console as that user and download the OpenVPN client from this URL: https://[serverpublicIP address]:943/
Enable MFA using Google Authenticator
Connect to the console as administrator and navigate to
When a new user now connects to the VPN console, it will prompt for Google Authenticator setup.
Enable LDAP/AD Authentication
Connect to the OpenVPN console as the administrator user. Go to Authentication and click on LDAP. The screenshot below has the configuration details.
You should now be able to connect to the VPN server using AD credentials, with Google Authenticator for MFA.