Windows 10 – Azure OpenVPN

(19 Jan 2019)

In this test a VPN connection was established from a Windows 10 laptop to Azure virtual network via OpenVPN client and server. The server was running in Ubuntu Linux virtual machine in Azure cloud. Both sides were authenticated with certificates which were created in the Ubuntu server.

The following client and server environments were in use:

Windows 10 laptop:

  • Windows 10 version 1709, OS Build: 16299.309
  • OpenVPN Windows client v2.4.5

OpenVPN server:

  • Resource Manager mode
  • OpenVPN server v2.3.10 in Azure Ubuntu Linux 16.04 virtual machine
  • Virtual network: 10.1.0.0/24 (default subnet), 10.1.1.0/24, 10.1.2.0/24 (ip address pool for OpenVPN clients)
  • OpenVPN Public ip address: yyy.yyy.yyy.yyy (created when setting up the virtual machine)
  • OpenVPN server internal ip address: 10.1.0.4
  • In addition,  a Windows 2016 VM server was located in the virtual network for testing the connectivity (10.1.0.6)

win10_azure_openvpn

OpenVPN server setup steps:

  1. In Azure portal,create Ubuntu 16.04 Linux virtual machine.
  2. Select the virtual network and assign a public ip address for the virtual machine.
  3. In the Networking menu, select Inbound Security Rules and add a rule to allow the OpenVPN data traffic on port 1194 :
    Port 1194, Protocol Any, Source Any, Destination Any
  4. In the Virtual Machine Overview menu check the Public Virtual IP Address assigned to the Virtual Machine. Use this address as the server address in the client configuration.
  5. Connect to the Ubuntu server e.g. with Putty app.
  6. Install OpenVPN server with command: sudo apt-get install openvpn
  7. Edit the server settings in the configuration file: /etc/openvpn/server.conf
  8. If no certificates are yet available, create the CA certificate (Certificate Authority), OpenVPN server certificate and the OpenVPN client certificates. Keep the corresponding key files in a safe place.
  9. Copy the CA certificate and OpenVPN server certificate to the same folder with the server configuration file (/etc/openvpn) and copy the server’s private key file to a safe folder (e.g. /home/myfolder…/keys/).
  10. Start the OpenVPN service: sudo service openvpn start

In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway (ResourceManager mode). The settings need to be modified if accessing other servers in the virtual network than the one where the OpenVPN server is running.

NOTES:

If creating the certificates in the Ubuntu server, you can use e.g. the sample scripts of the easy-rsa package. Install the package with command sudo apt-get install easy-rsa or check for a version at GitHub (e.g. https://github.com/OpenVPN/easy-rsa-old).

SAMPLE OPENVPN SERVER CONFIGURATION:
server 10.1.2.0 255.255.255.0
dev tun
push “route 10.1.0.0 255.255.255.0”
ca ca.crt
cert server.crt
key /home/myfolder/easy-rsa-old-master/easy-rsa/2.0/keys/server.key
dh dh2048.pem

 

NOTES:
  • In the above configuration, the VPN clients get their internal address from the pool 10.1.2.0/24
  • Connections to the internal network 10.1.0.0/24 will be routed to the VPN tunnel, other connections will bypass the tunnel
  • The OpenVPN server is reading the certificates from the files ca.crt, server.crt and the server key from the file server.key.

OpenVPN Client setup steps

  1. Install the OpenVPN client package in Windows 10 (from OpenVPN download page https://openvpn.net/index.php/open-source/downloads.html)
  2. Create a client configuration file with extension .ovpn (e.g. client1.ovpn)
  3. Copy the CA certificate, VPN Client certificate and the VPN Client key file to the config subdirectory in the OpenVPN install directory
  4. Add the references to the certificate files in the client configuration file
  5. Connect to OpenVPN server by opening the OpenVPN GUI icon in the hidden icons in the lower right corner of the screen. Right-click the icon, select the client configuration file and select “Connect”.
SAMPLE OPENVPN CLIENT CONFIGURATION:
client
remote yyy.yyy.yyy.yyy
dev tun
ca ca.crt
cert client1.crt
key client1.key
NOTES:
  • In the above configuration both sides will during the authentication check that the remote side certificate is signed by the given CA. The assumption is that the CA is private and trusted. If using a public CA, you may wish to add further authentication checks.
  • Instead of referring to the certificate files, you can also copy and paste the contents to the configuration file. Paste the text between the BEGIN and END lines as shown below:
<ca>
—–BEGIN CERTIFICATE—–
—–END CERTIFICATE—–
</ca>
<cert>
—–BEGIN CERTIFICATE—–
—–END CERTIFICATE—–
</cert>
<key>
—–BEGIN PRIVATE KEY—–
—–END PRIVATE KEY—–
</key>