OpenVPN Point to Site with Azure ARM VM
I put this together before Point to Site was supported in ARM. It gives you an option if you just need Point to Site for a small number of people.
Required:
A complete OpenVPN install on the server, including the RSA (easy-rsa) scripts, so that we can build our own certs for the tunnel connection.
Routing and Remote Access. This is required for the LAN routing configuration and allows traffic from OpenVPN to reach the VNet.
An Azure VM of any size with at least 1 network adapter.
To begin, we'll need to provision our VM. I'm including the script. I use PowerShell ISE. Update it as needed for your environment.
#Update the values below inside the single quotes to set their value for your subscription and VM.
#This script does not create a storage or resource group. It assumes you have one created. If you would
$location='AzureDCLocation'
$RG='ResourceGroupName'
$NetworkName='VirtualNetworkName'
$SubnetName='SubnetNameForVM'
#This value is optional. To use it, uncomment the $NewAVSetName line and the New-AzureRmAvailabilitySet line, and add -AvailabilitySetId $AvailabilitySet.Id to the New-AzureRmVMConfig line.
#$NewAVSetName='AvailabilitySet(optional)'
$StorageName='StorageAccountName'
$PIPName='PublicIPName'
$Nic1Name='NetworkCard1Name'
#Network Card 2 is optional. See requirements for 2+ NIC machines here https://azure.microsoft.com/en-us/blog/multiple-vm-nics-and-network-virtual-appliances-in-azure/
#To enable multiple NICs, the $Nic2Name line below, the $nic2=New-AzureRmNetworkInterface line and the Add-AzureRmVMNetworkInterface line for $nic2 must all be uncommented.
#$Nic2Name='NetworkCard2Name'
$VMName='VM Name For Portal'
$VMComputerName='VM ComputerName'
$VHDName='Name for VHD'
$PIPDNSName='Public IP DNS Name'
#Update the VM size to whatever VM you would like. I use Standard_D1, but you can use anything.
$VMSize='Standard_D1'
$PrivateIP='InternalIP Address'
$network=Get-AzureRmVirtualNetwork -Name $NetworkName -ResourceGroupName $RG
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $network
#$AvailabilitySet=New-AzureRmAvailabilitySet -ResourceGroupName $RG -Name $NewAVSetName -Location $location
$Cred=Get-Credential
$Stor=Get-AzureRmStorageAccount -ResourceGroupName $RG -Name $StorageName
$pip=New-AzureRmPublicIpAddress -Name $PIPName -ResourceGroupName $RG -Location $location -DomainNameLabel $PIPDNSName -AllocationMethod Dynamic
$nic1=New-AzureRmNetworkInterface -Name $Nic1Name -ResourceGroupName $RG -Location $location -SubnetId $subnet.Id -EnableIPForwarding -PublicIpAddressId $pip.Id -PrivateIpAddress $PrivateIP
#Optional second NIC. Leave commented out unless $Nic2Name above is set.
#$nic2=New-AzureRmNetworkInterface -Name $Nic2Name -ResourceGroupName $RG -Location $location -SubnetId $subnet.Id -EnableIPForwarding
$VM=New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
$VM=Set-AzureRmVMOperatingSystem -Windows -ComputerName $VMComputerName -Credential $Cred -EnableAutoUpdate -ProvisionVMAgent -VM $VM
$VM=Set-AzureRmVMSourceImage -VM $VM -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$VM=Add-AzureRmVMNetworkInterface -Id $nic1.id -VM $VM -Primary
#$VM=Add-AzureRmVMNetworkInterface -Id $nic2.Id -VM $VM
$OSDiskUri=$Stor.PrimaryEndpoints.Blob.ToString() + 'vhds/' +$VHDName +'.vhd'
$VM=Set-AzureRmVMOSDisk -Name $VHDName -VhdUri $OSDiskUri -Caching ReadWrite -CreateOption fromImage -VM $VM
New-AzureRmVM -ResourceGroupName $RG -Location $location -VM $VM
$P2SVPNAddressSpace='Point to Site address space example 10.0.0.0/23'
$InternalNICIP='Internal NIC IP'
$RouteTableName='Name of the Route Table'
$RouteConfigName='Name of this Route Configuration'
$VNetSubnetPrefix=$subnet.AddressPrefix
$RouteConfig=New-AzureRmRouteConfig -Name $RouteConfigName -AddressPrefix $P2SVPNAddressSpace -NextHopType VirtualAppliance -NextHopIpAddress $InternalNICIP
New-AzureRmRouteTable -Name $RouteTableName -ResourceGroupName $RG -Location $location -Route $RouteConfig
$RT=Get-AzureRmRouteTable -ResourceGroupName $RG -Name $RouteTableName
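#Set-AzureRmVirtualNetworkSubnetConfig only changes the local $network object; piping to Set-AzureRmVirtualNetwork saves the route table association to Azure.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $network -Name $subnet.Name -RouteTableId $RT.Id -AddressPrefix $VNetSubnetPrefix | Set-AzureRmVirtualNetwork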
Now that we have our VM and route created/defined, we can move on to installing OpenVPN and RRAS.
Download OpenVPN from https://openvpn.net/index.php/open-source/downloads.html.
Install, selecting all options.
Once the install is completed, we walk through the documentation to create our server and client certs as well as the CA for the connections.
Here are the instructions: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide.
Once we have created all the files needed, we have to update our config file with the address space we are going to use for the Point to Site.
If defaults were used, this can be found in C:\Program Files\OpenVPN\config\server.ovpn
In there, find the line server 10.8.0.0 255.255.255.0 and replace the 10.8.0.0 255.255.255.0 with the address space we want assigned out to clients.
Then we need to find the following lines:
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
We will remove the ; and update the address to the VNet's address space in Azure. If we only have 1 address space or want to limit traffic, we can add/remove a line or leave it commented out with the ;.
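The Azure route in the script takes the Point to Site space in CIDR form, while server.ovpn wants a network plus a dotted netmask. As an added example (not part of the original post), this PowerShell snippet derives the server and push "route" lines from CIDR values and stops if the client pool overlaps the VNet, an added sanity check; the function names and address values are constructed for illustration.

```powershell
# Added example, not from the original post. Function names and addresses are constructed.
function ConvertTo-DottedMask {
    param([ValidateRange(0,32)][int]$PrefixLength)
    # Work out each octet from the number of mask bits that fall inside it.
    $octets = foreach ($i in 0..3) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        [int](256 - [Math]::Pow(2, 8 - $bits))
    }
    $octets -join '.'
}

function ConvertTo-AddressNumber {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-CidrRange {
    param([string]$Cidr)
    $addr, $len = $Cidr -split '/'
    $size  = [long][Math]::Pow(2, 32 - [int]$len)
    $start = ConvertTo-AddressNumber $addr
    # OpenVPN and Azure both expect the network address, not a host inside it.
    if ($start % $size -ne 0) { throw "$Cidr is not a network address" }
    [pscustomobject]@{
        Network = $addr
        Mask    = (ConvertTo-DottedMask $len)
        Start   = $start
        End     = $start + $size - 1
    }
}

$P2SVPNAddressSpace = '10.8.0.0/23'       # constructed sample; use the same value as the Azure route
$VNetAddressSpaces  = @('10.1.0.0/16')    # constructed sample; the space clients should reach

$vpn   = Get-CidrRange $P2SVPNAddressSpace
$lines = @("server $($vpn.Network) $($vpn.Mask)")
foreach ($cidr in $VNetAddressSpaces) {
    $vnet = Get-CidrRange $cidr
    # Overlapping ranges would make the Azure route and the pushed route ambiguous.
    if ($vpn.Start -le $vnet.End -and $vnet.Start -le $vpn.End) {
        throw "VPN pool $P2SVPNAddressSpace overlaps VNet space $cidr"
    }
    $lines += "push `"route $($vnet.Network) $($vnet.Mask)`""
}
$lines    # paste these lines into server.ovpn
```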
Now that we have our server configuration file, we can try to start the server by right-clicking the file and choosing "Start OpenVPN on this config file". This should launch a command window and either show any errors in our configuration or bring the tunnel up. If the tunnel is working, we can start the service, which will use this config, or we can continue with the command window for our test. The client files will have to be copied to the client test machine.
Next we need to get Routing and Remote Access enabled on our server so that we can do LAN routing.
In Server Manager, choose Add Roles and Features.
Then step through until Roles and select Remote Access.
Continue through, accepting any pop-ups. Once on Role Services, select Routing and accept the prompt. Then click Next until you see Install, and click Install.
Once this is complete, you can launch the wizard and tell it to configure routing, or launch Routing and Remote Access from mmc or from the Start menu.
Once in Routing and Remote Access, right-click the server and choose "Configure and Enable Routing and Remote Access". Select Custom for the type and then just check the box "LAN Routing".
Click Next and Finish. It will ask whether you want to start the service; tell it yes.
You are done with the server and will now just need to build out client configuration files to deploy.
Have fun!