Android – Azure OpenVPN

(19 Jan 2019)

In this test the VPN connection was established from an Android phone to Azure with the OpenVPN client and OpenVPN server. The Android phone was running the OpenVPN for Android client. The OpenVPN server was running on an Ubuntu Linux virtual machine in the Azure cloud. OpenVPN was configured to route all of the client's traffic through the server. Both sides were authenticated with certificates, which were created on the Ubuntu server.

The following client and server environments were in use:

Android phone:

  • Android v.6.0.1
  • OpenVPN for Android client v.0.7.5

OpenVPN server:

  • Resource Manager mode
  • OpenVPN server v2.3.10 on an Azure Ubuntu Linux 16.04 virtual machine
  • Virtual network: 10.1.0.0/24 (default subnet), 10.1.1.0/24, 10.1.2.0/24 (ip address pool for OpenVPN clients)
  • OpenVPN Public ip address: yyy.yyy.yyy.yyy (created when setting up the virtual machine)
  • OpenVPN server internal ip address: 10.1.0.4

[Figure: Android_Azure_OpenVPN]

OpenVPN server setup steps:

  1. In the Azure portal, create an Ubuntu 16.04 Linux virtual machine.
  2. Select the virtual network and assign a public ip address to the virtual machine.
  3. In the Networking menu, select Inbound Security Rules and add a rule to allow the OpenVPN data traffic on port 1194:
    Port 1194, Protocol Any, Source Any, Destination Any
    (UDP alone is enough: the sample server configuration sets no proto directive, so OpenVPN uses its UDP default. Restricting the rule to UDP 1194 keeps TCP 1194 closed.)
  4. In the Virtual Machine Overview menu check the Public Virtual IP Address assigned to the virtual machine. Use this address as the server address in the client configuration.
  5. Connect to the Ubuntu server, e.g. with PuTTY.
  6. Install OpenVPN server with command: sudo apt-get install openvpn
  7. Edit the server settings in the configuration file: /etc/openvpn/server.conf
  8. If no certificates are yet created, create the CA certificate (Certificate Authority), OpenVPN server certificate and the OpenVPN client certificates. Keep the corresponding key files in a safe place.
  9. Copy the CA certificate and OpenVPN server certificate to the same folder as the server configuration file (/etc/openvpn) and copy the server's private key file to a safe folder (e.g. /home/myfolder…/keys/), readable by root only (chmod 600). The CA's private key is not needed on the VPN server at all; keep it offline, since whoever holds it can issue certificates that the VPN accepts.
  10. Modify the routing settings in the Azure Virtual Network as discussed in the test case Routing with Ubuntu Linux VPN Gateway (ResourceManager mode). The settings need to be modified only if the VPN clients must reach other servers in the virtual network than the one the OpenVPN server is running on (the OpenVPN VM's network interface then also needs IP forwarding enabled in Azure, otherwise Azure drops packets whose source address is not the VM's own).
  11. Start the OpenVPN service: sudo service openvpn start

If creating the certificates on the Ubuntu server, you can use e.g. the sample scripts of the easy-rsa package. Install the package with the command sudo apt-get install easy-rsa or check for a version in GitHub (e.g. https://github.com/OpenVPN/easy-rsa-old). Create the server certificate with build-key-server rather than build-key: that script sets the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) which the client can later verify.

SAMPLE OPENVPN SERVER CONFIGURATION:
# Tunnel subnet; clients get their addresses from this pool
server 10.1.2.0 255.255.255.0
dev tun
# Clients send all their traffic through the tunnel
push "redirect-gateway def1 bypass-dhcp"
# Relative file names are resolved in /etc/openvpn
ca ca.crt
cert server.crt
# Private key outside /etc/openvpn, readable by root only
key /home/myfolder/easy-rsa-old-master/easy-rsa/2.0/keys/server.key
# Diffie-Hellman parameters, generated with: openssl dhparam -out dh2048.pem 2048
dh dh2048.pem


NOTES:
  • In the above configuration, the VPN clients get their internal address from the pool 10.1.2.0/24
  • All client traffic is routed through the VPN tunnel while the VPN is active
  • The OpenVPN server reads the CA certificate and the server certificate from the files ca.crt and server.crt (relative names are resolved in /etc/openvpn, the directory the service starts in) and the server key from the absolute path given in the key directive.

Ubuntu UFW firewall configuration

In addition, to give the VPN clients access to the public internet, the UFW (Uncomplicated Firewall) settings on the Ubuntu server need to be modified as follows:

  1. Edit the configuration file /etc/ufw/before.rules and add the lines below near the top of the file, after the header comments and before the *filter section (as the source subnet give the internal client address pool 10.1.2.0/24, from which the OpenVPN server assigns the internal addresses to the VPN clients; eth0 is the VM's interface towards the internet):
    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
    COMMIT
  2. Edit the configuration file /etc/default/ufw and allow forwarding by changing the forward policy to: DEFAULT_FORWARD_POLICY="ACCEPT"
    This only tells UFW to accept forwarded packets; the kernel must also forward them. Check with sysctl net.ipv4.ip_forward, and if it prints 0, uncomment the line net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf (UFW applies that file when it is enabled).
  3. Go back to the command line and allow the OpenVPN port 1194 and the OpenSSH port 22 with the commands:
    sudo ufw allow 1194
    sudo ufw allow OpenSSH
    (sudo ufw allow 1194 opens both TCP and UDP; sudo ufw allow 1194/udp is enough for the default UDP transport.)
  4. Restart the UFW firewall with the commands:
    sudo ufw disable
    sudo ufw enable
SAMPLE /etc/ufw/before.rules:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
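The script below is an added example, not code from the original page or from the ufw project. It renders the NAT block the page adds to /etc/ufw/before.rules and runs a preflight check of the three things the page relies on for internet access through the tunnel: the MASQUERADE rule sitting inside a *nat section, DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, and kernel IPv4 forwarding. File paths are parameters so the checks can be run against copies; the client pool 10.1.2.0/24 and the interface eth0 are taken from the page, and the sample files written at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): render the before.rules NAT block
# and check the UFW gateway settings the page describes.
set -eu

# Print the nat table block for client pool $1 leaving via interface $2.
render_nat_block() {
  printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n' "$1" "$2"
}

# Succeed if before.rules file $1 has a MASQUERADE rule for pool $2 on interface $3
# inside a *nat ... COMMIT section. The same line under *filter would make
# "ufw enable" fail, so the section is tracked, not just the line.
has_masquerade_rule() {
  awk -v pool="$2" -v dev="$3" '
    /^\*/     { table = substr($0, 2) }
    /^COMMIT/ { table = "" }
    table == "nat" && /-j MASQUERADE/ && index($0, "-s " pool) && index($0, "-o " dev) { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Succeed if the /etc/default/ufw copy $1 sets DEFAULT_FORWARD_POLICY to ACCEPT.
forward_policy_accepts() {
  grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?$' "$1"
}

# Succeed if the kernel forwards IPv4. $1 is the sysctl file to read; it defaults
# to /proc/sys/net/ipv4/ip_forward. DEFAULT_FORWARD_POLICY alone does not enable
# this; UFW sets it from /etc/ufw/sysctl.conf (net/ipv4/ip_forward=1).
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# gateway_preflight BEFORE_RULES DEFAULT_UFW POOL IFACE [IP_FORWARD_FILE]
# Prints each missing item; returns 1 if anything is missing, 0 otherwise.
gateway_preflight() {
  rc=0
  has_masquerade_rule "$1" "$3" "$4" || { echo "missing: MASQUERADE for $3 via $4 in the *nat section of $1"; rc=1; }
  forward_policy_accepts "$2" || { echo "missing: DEFAULT_FORWARD_POLICY=\"ACCEPT\" in $2"; rc=1; }
  ip_forward_enabled "${5:-}" || { echo "missing: net.ipv4.ip_forward=1 (see /etc/ufw/sysctl.conf)"; rc=1; }
  return $rc
}

# --- constructed sample files for the demo (an assumed layout, not the live system) ---
D=$(mktemp -d)
{
  printf '#\n# rules.before\n#\n'
  render_nat_block 10.1.2.0/24 eth0
  printf '\n*filter\n:ufw-before-input - [0:0]\n:ufw-before-output - [0:0]\n:ufw-before-forward - [0:0]\n:ufw-not-local - [0:0]\nCOMMIT\n'
} > "$D/before.rules"
printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$D/ufw"
printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="DROP"\n' > "$D/ufw-unmodified"
printf '1\n' > "$D/ip_forward"

gateway_preflight "$D/before.rules" "$D/ufw" 10.1.2.0/24 eth0 "$D/ip_forward" && echo "gateway preflight: OK"
```

On the real server run it as gateway_preflight /etc/ufw/before.rules /etc/default/ufw 10.1.2.0/24 eth0 (the last argument omitted so the live /proc value is read) after the steps above and again after sudo ufw enable; a check that passes on disk but fails in /proc points at the forwarding sysctl, which UFW only applies when it starts.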


OpenVPN Client setup steps

  1. Install the OpenVPN client on the Android phone. In this test the app OpenVPN for Android was installed from the Google Play Store.
  2. Create a client configuration file with the extension .ovpn (e.g. client1.ovpn)
  3. Paste the CA certificate, the VPN client certificate and the VPN client private key in their places between the lines <ca></ca>, <cert></cert> and <key></key>. The file now contains a private key: transfer it to the phone over a trusted channel and delete the intermediate copies afterwards.
  4. In OpenVPN client select Profiles and Add (+)
  5. Select Import and import the *.ovpn configuration file
  6. Tap the imported profile to start the VPN connection
SAMPLE OPENVPN CLIENT CONFIGURATION FILE:
client
remote yyy.yyy.yyy.yyy
dev tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
NOTES:
  • In the above configuration both sides check during the authentication only that the remote side's certificate is signed by the given CA. The assumption is that the CA is private and trusted, i.e. it has issued certificates only to this VPN's server and clients. Because the check is the same in both directions, any certificate the CA has issued, including another client's, would also be accepted as the server's; adding the line remote-cert-tls server to the client configuration restricts this to certificates issued with the server extensions (easy-rsa's build-key-server sets them). If using a public CA, that check and a verify-x509-name check on the server's certificate name become necessary rather than optional.
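The script below is an added example, not code from the original page or from the OpenVPN project. It does with plain openssl what step 8 of the server setup and the easy-rsa note describe (a private CA, a server certificate with the server extension, and a client certificate), checks the result the way the client will rely on it, and then assembles the inline client1.ovpn of step 3 of the client setup. The temporary working directory (mktemp -d), the certificate names, the ten-year validity and the added remote-cert-tls server line are assumptions for the demo; yyy.yyy.yyy.yyy stands for the server's public IP as on the page.

```shell
#!/bin/sh
# Added example (not from the original page): private CA, server and client
# certificates with openssl instead of easy-rsa, plus assembly of client1.ovpn.
set -eu

# Create a private CA plus one server and one client certificate in directory $1.
# The server certificate gets extendedKeyUsage=serverAuth (what easy-rsa's
# build-key-server also does), so a client can enforce "remote-cert-tls server"
# and a leaked client certificate cannot be used to impersonate the server.
build_pki() {
  d=$1; mkdir -p "$d"
  # CA: request, then self-sign with CA:TRUE and certificate-signing key usage
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example OpenVPN CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$d/ca.csr" -signkey "$d/ca.key" \
    -extfile "$d/ca.ext" -out "$d/ca.crt"
  # Leaf certificates: the server gets serverAuth, the client clientAuth
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/server.ext"
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$d/client.ext"
  for name in server client1; do
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr"
    case $name in server) ext=server.ext ;; *) ext=client.ext ;; esac
    openssl x509 -req -sha256 -days 3650 -in "$d/$name.csr" -CA "$d/ca.crt" \
      -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/$ext" -out "$d/$name.crt"
  done
  chmod 600 "$d"/*.key
}

# Verify what the client will rely on: both leaf certificates chain to the CA,
# the server certificate carries serverAuth, and the client key matches the
# client certificate (a mismatch only shows up as a TLS failure on the phone).
check_pki() {
  d=$1
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client1.crt" >/dev/null &&
  openssl x509 -in "$d/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' &&
  [ "$(openssl x509 -in "$d/client1.crt" -noout -modulus)" = "$(openssl rsa -in "$d/client1.key" -noout -modulus)" ]
}

# Assemble the inline client config: make_ovpn <server-ip> <pki-dir> <client-name>
make_ovpn() {
  printf 'client\nremote %s 1194 udp\ndev tun\nremote-cert-tls server\n' "$1"
  printf '<ca>\n';   cat "$2/ca.crt";  printf '</ca>\n'
  printf '<cert>\n'; cat "$2/$3.crt";  printf '</cert>\n'
  printf '<key>\n';  cat "$2/$3.key";  printf '</key>\n'
}

PKI=${PKI:-$(mktemp -d)}   # assumed working directory for the demo
build_pki "$PKI"
check_pki "$PKI"
make_ovpn yyy.yyy.yyy.yyy "$PKI" client1 > "$PKI/client1.ovpn"
chmod 600 "$PKI/client1.ovpn"   # the .ovpn embeds the client's private key
echo "wrote $PKI/client1.ovpn"
```

ca.crt and server.crt then go to /etc/openvpn and server.key to the path named in the key directive of the server configuration; dh2048.pem is still generated separately with openssl dhparam -out dh2048.pem 2048. ca.key stays off the VPN server.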