How to setup an OpenVPN server on Azure?

In this guide we will setup a “Debian 9(stretch)” virtual machine on our Microsoft Azure account and configure a OpenVPN server.

Creating a Debian 9 Instance

Let’s begin by navigating to our Azure home page.

  • From the menu in the top left; select the “Create a Resource” option to navigate to the Azure Marketplace.
  • Search for “Debian 9” in the search bar and select the “Debian Linux” option from the search results.
  • Select the ‘Debian 9 “Stretch” with backports kernel’ option and click create.

Basic Settings

Now we start with the settings under the ‘Basics’ tab.

  • Select an appropriate Subscription plan from the first drop down.
  • Choose the Resource group to group the new instance with or create a new one.
  • Selecting a Region that is in close proximity is the optimal choice.
  • Click on the ‘change size’ option under “Size” option.
    • OpenVPN needs at least 1 GiB of RAM to operate.
  • Choose between the ‘B1ms’ or the ‘B1s’ option as a start.
    • Machines can be scaled up after creation if need be.
  • We recommend using SSH as the authentication option for it’s Security benefits. (# add a link to a page explaining ssh key creation on platforms)
  • Select None for ‘Public inbound ports’.

Network Settings

Now we will move onto the Networking tab. We only need to change one setting on this page in order to create a security group. We will use the security group later to add rules and control access to our server.

Select Advanced as the ‘NIC network security group’.

Finally we navigate to the ‘Review + create’ tab and go over the settings to make sure everything is configured properly and click on the ‘Create’ button on the bottom to create the machine.

Security Policies

Once the instance has been deployed we need to set our security policies in order to allow traffic to it. Let’s move to the instance by clicking on the ‘Go to resource’ option.

We will move to the Networking option under the Settings in the left menu. Now let’s start by clicking the ‘Add inbound port rule’ to add a new inbound rule to allow ssh access to the machine from Public IP’s that we need.

We select ‘IP Address’ as the ‘Source’ and provide a comma separated list od Public IP’s that will have access to the instance over ssh.

The Destination port is set as the default ssh port.

Make sure that the rule priority is set to a number lower than the last ‘DenyAllInbound’ rule so that it may take effect.

Now we can add a rule allowing access to the machine on a port that will be used to connect to the VPN.

The default OpenVPN port is 1194 but we will use a different port as an extra precaution.

Since the instance will only be used as a VPN server we can select any port between 1024-65535; except for the port for ssh(22).

Keep the port used in mind as we will need it while configuring the VPN.

With the Inbound rules configured we can move to the Outbound rules tab.

Here we will add a rule to allow all outbound traffic from to allow the machine access.

We set the priority for the rule as the highest possible custom rule priority. As this is a rule that allows all traffic we want to be able to add rules above it later to have them override this rule.

Configuring OpenVPN

Having set up the machine and its security rules we can now start installing OpenVPN and configuring it. Start by connecting to the machine over ssh. Once connected:

  • Change to the root user and moving to the default root directory.
sudo su
  • Now we can download a script to help us install and configure the OpenVPN server. Download the script and make it executable.
wget -O
chmod +x
  • We can run the script and start configuring the vpn server.

Upon running the script asks us about the ip address of the machine. We select the number corresponding to the Public IP address of the machine.

Next we choose to use TCP as the base connection type for our VPN.

Now we will set the port that we added an Inbound rule for so that the OpenVPN server can listen for incoming connections on that port.

The DNS option can be set as preferred.

Finally we give a name that will be used to create a certificate for a user to be allowed to connect. The script will create the required files that a user will need to be able to connect to the server.

Welcome to this OpenVPN road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname []:

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 2

What port do you want OpenVPN listening to?
Port [1194]:

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1]:

Finally, tell me a name for the client certificate.
Client name [client]: 1234

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...

Adding/Removing VPN Clients

With the server up and running we can run the script again in order to create new client certificates or to revoke existing certificates.

We can rerun the script we downloaded to install OpenVPN. The script will now as us if we want to add or remove a user.

Entering the number corresponding to “Add a new user” and then providing a name for the user when prompted for shall create the certificate file required for the user to connect to the VPN server.

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 1

Tell me a name for the client certificate.
Client name: test2

Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Generating a RSA private key
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/test2.key.DVI9'
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test2'
Certificate is to be certified until Mar 21 16:49:44 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client test2 added, configuration is available at: /root/test2.ovpn

On the other hand if we enter the number corresponding to “Revoke an existing user”; we will be presented with a list of the available clients. Entering the number corresponding to the user that we intend to remove shall destroy the certificate generated for that user; resulting in them not being able to connect to the VPN.

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 2

Select the existing client certificate you want to revoke:
     1) client
     2) test2
Select one client: 2

Do you really want to revoke access for client test2? [y/N]: y
Using configuration from ./safessl-easyrsa.cnf
Revoking Certificate 12B01D572096F0E4512D3DE9E0480C88.
Data Base Updated

Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Using configuration from ./safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem

Certificate for client test2 revoked!

Since we only allow SSH connection to the machine other than the VPN; we can use any SFTP client to connect to the server and download the user certificate files.

Users can then connect to the VPN server using their ovpn certificate files.