In this guide we will set up a “Debian 9 (stretch)” virtual machine in our Microsoft Azure account and configure an OpenVPN server on it.
Let’s begin by navigating to our Azure home page.
Now we start with the settings under the ‘Basics’ tab.
Now we will move onto the Networking tab. We only need to change one setting on this page in order to create a security group. We will use the security group later to add rules and control access to our server.
Select Advanced as the ‘NIC network security group’.
Finally we navigate to the ‘Review + create’ tab and go over the settings to make sure everything is configured properly and click on the ‘Create’ button on the bottom to create the machine.
Once the instance has been deployed we need to set our security policies in order to allow traffic to it. Let’s move to the instance by clicking on the ‘Go to resource’ option.
We will move to the Networking option under Settings in the left menu. Now let’s start by clicking ‘Add inbound port rule’ to add a new inbound rule that allows SSH access to the machine from the public IPs we need.
We select ‘IP Address’ as the ‘Source’ and provide a comma-separated list of the public IPs that will have SSH access to the instance.
The Destination port is set as the default ssh port.
Make sure that the rule priority is set to a number lower than the last ‘DenyAllInbound’ rule so that it may take effect.
Now we can add a rule allowing access to the machine on the port that will be used to connect to the VPN.
The default OpenVPN port is 1194, but we will use a different port as an extra precaution.
Since the instance is used only as a VPN server, we can pick any port in the range 1024-65535, apart from the port used for SSH (22).
Keep the chosen port in mind, as we will need it while configuring the VPN.
With the Inbound rules configured we can move to the Outbound rules tab.
Here we will add a rule that allows all outbound traffic so the machine can reach the internet.
We set the priority of this rule to the highest possible custom rule number, i.e. the lowest precedence. Since this rule allows all traffic, keeping it at the bottom lets us add more specific rules above it later that override it.
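To make the three rules above reproducible, here is an added POSIX shell example (not from this guide) that checks the guide's constraints (SSH rule priority below the built-in DenyAllInbound rule, VPN port in 1024-65535 and not 22, outbound allow-all at the lowest custom precedence) and prints the equivalent az network nsg rule create commands for review instead of running them. The resource group and NSG names are placeholders, the priorities 100/110/4096 are this example's own choices, and 65500 (DenyAllInbound) and 4096 (maximum custom priority) are Azure's documented values.

```shell
#!/bin/sh
# Added example (not from the original guide): emit the Azure CLI commands for the
# three NSG rules described above, after checking the guide's constraints.
# RG and NSG are placeholders: your resource group and the NSG created under 'Networking'.
RG="${RG:-my-resource-group}"
NSG="${NSG:-my-vpn-nsg}"

# Azure's built-in DenyAllInbound rule has priority 65500; custom rules must use
# 100-4096, and a lower number is evaluated first.
DENY_ALL_INBOUND_PRIORITY=65500
MAX_CUSTOM_PRIORITY=4096

# A custom priority is usable if it is numeric and in 100-4096 (hence below 65500).
valid_priority() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 100 ] && [ "$1" -le "$MAX_CUSTOM_PRIORITY" ] && [ "$1" -lt "$DENY_ALL_INBOUND_PRIORITY" ]
}

# The guide's rule for the VPN port: 1024-65535 and never the SSH port.
valid_vpn_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# emit_nsg_rules "SSH_SOURCES" VPN_PORT
#   SSH_SOURCES: space-separated public IPs allowed to reach port 22
# Prints the az commands rather than executing them, so they can be reviewed first.
emit_nsg_rules() {
  ssh_sources="$1"; vpn_port="$2"
  valid_vpn_port "$vpn_port" || { echo "bad VPN port: $vpn_port" >&2; return 1; }
  [ -n "$ssh_sources" ] || { echo "no SSH source IPs given" >&2; return 1; }
  ssh_prio=100; vpn_prio=110; out_prio=$MAX_CUSTOM_PRIORITY
  valid_priority "$ssh_prio" && valid_priority "$vpn_prio" && valid_priority "$out_prio" || return 1
  common="az network nsg rule create --resource-group $RG --nsg-name $NSG --access Allow"
  # SSH only from the listed admin IPs, evaluated first
  echo "$common --direction Inbound --protocol Tcp --name AllowSSHFromAdmins --priority $ssh_prio --source-address-prefixes $ssh_sources --destination-port-ranges 22"
  # VPN port open to any source (clients roam), TCP as chosen in the installer
  echo "$common --direction Inbound --protocol Tcp --name AllowOpenVPN --priority $vpn_prio --source-address-prefixes '*' --destination-port-ranges $vpn_port"
  # Allow-all outbound at the lowest precedence so later rules can override it
  echo "$common --direction Outbound --protocol '*' --name AllowAllOutbound --priority $out_prio --destination-port-ranges '*'"
}
```

Run it as `emit_nsg_rules "203.0.113.10 203.0.113.11" 51194` (constructed addresses) and pipe the output to `sh` once it looks right; a bad port or an empty admin list makes it exit non-zero before printing anything.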
Having set up the machine and its security rules we can now start installing OpenVPN and configuring it. Start by connecting to the machine over ssh. Once connected:
sudo su
cd
wget https://git.io/vpn -O openvpn-configuration.sh
chmod +x openvpn-configuration.sh
./openvpn-configuration.sh
When run, the script first asks for the IP address of the machine. We select the number corresponding to the public IP address of the machine.
Next we choose to use TCP as the base connection type for our VPN.
Now we will set the port that we added an Inbound rule for so that the OpenVPN server can listen for incoming connections on that port.
The DNS option can be set as preferred.
Finally we give a name that will be used to create a certificate for the user who is allowed to connect. The script then creates the files that user needs in order to connect to the server.
Welcome to this OpenVPN road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [18.104.22.168]:

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol : 2

What port do you want OpenVPN listening to?
Port :

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 22.214.171.124
   3) Google
   4) OpenDNS
   5) Verisign
DNS :

Finally, tell me a name for the client certificate.
Client name [client]: 1234

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
With the server up and running, we can run the script again to create new client certificates or to revoke existing ones.
We rerun the script we downloaded to install OpenVPN. The script now asks us whether we want to add or remove a user.
Entering the number corresponding to “Add a new user” and then providing a name when prompted creates the certificate file that user needs to connect to the VPN server.
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 1

Tell me a name for the client certificate.
Client name: test2
Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Generating a RSA private key
.......................................................................+++++
...........+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/test2.key.DVI9'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test2'
Certificate is to be certified until Mar 21 16:49:44 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client test2 added, configuration is available at: /root/test2.ovpn
On the other hand, if we enter the number corresponding to “Revoke an existing user”, we are presented with a list of the existing clients. Entering the number corresponding to the user we intend to remove revokes the certificate generated for that user and updates the server's CRL, so that user can no longer connect to the VPN.
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 2

Select the existing client certificate you want to revoke:
   1) client
   2) test2
Select one client: 2

Do you really want to revoke access for client test2? [y/N]: y
Using configuration from ./safessl-easyrsa.cnf
Revoking Certificate 12B01D572096F0E4512D3DE9E0480C88.
Data Base Updated
Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Using configuration from ./safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem

Certificate for client test2 revoked!
Since SSH is the only access to the machine allowed besides the VPN itself, we use any SFTP client over that SSH connection to download the users' .ovpn files from the server.
Users can then connect to the VPN server using their .ovpn files.
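Before handing a downloaded profile to a user, it is worth checking that it points at the host, port and protocol the NSG rule actually permits; a mismatch (for instance a profile generated before the port was changed) simply times out against the firewall and is tedious to diagnose from the client side. The POSIX shell example below is added here and is not part of the guide or of the installer script: it writes a constructed sample profile in the shape the road-warrior script produces (placeholder address 203.0.113.5, port 51194, dummy certificate bodies) and checks a profile against the expected values, which you set through EXPECTED_HOST, EXPECTED_PORT and EXPECTED_PROTO.

```shell
#!/bin/sh
# Added example (not from the guide or the installer): sanity-check a client .ovpn
# against the host/port/protocol the Azure inbound rule allows, and confirm it
# carries the inline <ca>/<cert>/<key> blocks a user needs. Values are placeholders.
EXPECTED_HOST="${EXPECTED_HOST:-203.0.113.5}"
EXPECTED_PORT="${EXPECTED_PORT:-51194}"
EXPECTED_PROTO="${EXPECTED_PROTO:-tcp}"

# check_ovpn FILE -> exit 0 if the profile is consistent, 1 otherwise (reasons on stderr)
check_ovpn() {
  f="$1"; rc=0
  # 'remote <host> <port>' directive; only the first one is considered
  set -- $(grep -m1 '^remote ' "$f")
  [ "$2" = "$EXPECTED_HOST" ] || { echo "remote host '$2' != $EXPECTED_HOST" >&2; rc=1; }
  [ "$3" = "$EXPECTED_PORT" ] || { echo "remote port '$3' != $EXPECTED_PORT (check the NSG rule)" >&2; rc=1; }
  grep -q "^proto $EXPECTED_PROTO" "$f" || { echo "proto is not $EXPECTED_PROTO" >&2; rc=1; }
  for tag in ca cert key; do
    grep -q "^<$tag>" "$f" || { echo "missing inline <$tag> block" >&2; rc=1; }
  done
  return $rc
}

# write_sample_ovpn PORT PROTO -> prints the path of a constructed sample profile.
# The layout mirrors what the installer emits; certificate bodies are placeholders.
write_sample_ovpn() {
  port="$1"; proto="$2"; f=$(mktemp)
  cat > "$f" <<EOF
client
dev tun
proto $proto
remote 203.0.113.5 $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder-cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
placeholder-key
-----END PRIVATE KEY-----
</key>
EOF
  echo "$f"
}
```

Usage against a real download is `EXPECTED_HOST=<vm public ip> EXPECTED_PORT=<your port> check_ovpn /path/to/test2.ovpn`; the sample writer exists only so the check can be exercised without a server.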