Microsoft Azure BYOL Appliance Quick Start

Introduction

The Microsoft Azure BYOL instance is a 64-bit based VM that is based on Ubuntu LTS (Long Term Support) you can quickly launch on your Microsoft Azure account in order to get your VPN server up and running. To make it more convenient for you to deploy your server in the region closest to you, we currently offer the instance in all of Azure's publicly available regions.

Important notes about the BYOL licensing model

The BYOL (Bring Your Own License) licensing model is one that relies on your purchasing a software license key separately from our openvpn.net website and activating it on your Access Server installations. This locks the key to the current hardware/software configuration on the instance in question. Making changes to the instance like imaging and relaunching it, or changing the instance type, or enabling autoscaling, will result in the license key becoming invalid, requiring you to contact us for support on this. See our troubleshooting page regarding BYOL type license keys for more information.

It's also important to note here that when you launch the BYOL type instance with the instructions given below, then you do not actually need to provide a license key. If you do not provide a license key, the Access Server goes into a type of demonstration mode where all functions are available without time limit, but only 2 simultaneous VPN connections can be made at a time. To unlock more connections, you need to purchase and activate a license key on your Access Server installation.

Launching the VM

To get started, logon to the Microsoft Azure portal by going to https://portal.azure.com. After you are logged on, click the plus sign (+) on the left navbar, and type "OpenVPN Access Server" in the search box as indicated below:

Select the OpenVPN Access Server listing that appears, and click the Create button to start the instance creation process.

The following dialog should appear:

Name: Enter the name of your VPN server for identification purposes (this is only used on the Azure portal only).

VM disk type: For recommended instance types, you will need to select HDD as type as the recommended instance sizes are incompatible with the SSD (Premium) disks.

User name: Enter the username you would like to use to connect to your VM. This username would be used for SSH access to your VM only and would be separate from your VPN server admin credentials.

SSH public key / Password: We recommend that you use SSH public key authentication if you already have a public key generated from a tool like ssh-keygen or PuTTYgen. If you do not have this information already generated, select Password to use a secure password to connect to your instance using SSH. Similar to the User name field, this information only applies to SSH connectivity to the instance and will not have an impact on the VPN server itself.

Note: You will want to make sure you note the credentials you define here since you will need to use this information to connect to the instance at a later step.

Subscription: Select a subscription you would like to use for your VPN server. For assistance on Microsoft Azure subscriptions, please contact Microsoft directly for help.

Resource Group: Use the Create new option if you are starting a VPN network from scratch. If you already have a local network on Azure you would like to interface with, use the Use existing option in order to position the VPN server accordingly on the network.

Location: Select the appropriate location for your VPN server, if applicable.

After all of the requested information is filled out, click OK to continue with the resource manager wizard. The recommended sizes would then be displayed. Select one of the recommended sizes based on your needs, and then click Select on the bottom of the screen. If you have special needs for the VPN server, you can also click the View all link to view all the possible instance sizes for this VM. It is not necessary to make this change unless you have special needs on the server or otherwise directed by support.

After selecting the virtual machine size, click the Select button below to continue with your selection. The optional features page should appear. Most of the default options set are already optimal, although attention should be paid to the following attributes:

Virtual network: This should be pointed to a virtual network (Vnet) containing the computing resources you would like your VPN clients to have access to.

Subnet: This should be pointed to a subnet within the previously selected Vnet. Please note that while you are free to assign a different subnet to the VPN server, the VPN clients will not be able to assume addresses within this subnet due to Layer 3 routing. For this reason, it is recommended that you use the same subnet as the rest of the computing resources you intend to connect to with your VPN server.

Public IP address:  It's recommended that you use a Static IP allocation rather than a dynamic IP allocation, especially if you are planning to get a commercial SSL certificate that would be valid for your VPN administration portal. Selecting a static IP allocation also makes it easier for you to point your DNS records to the correct IP address if you are going to be using a custom domain name or FQDN for your VPN server.

Network security group (firewall): The rules have already been preconfigured for you so there is no need to create any additional rules in this section. You are welcome to make any adjustments here if necessary.

After the desired settings are configured, click OK to continue with the wizard. Review the summary screen for your instance info, then click Purchase to initiate the instance on your Azure cloud. Please note that you will not be charged by Azure for the use of the VPN software. If you require a software license for your VPN server, please visit www.openvpn.net for pricing and additional information. If you do not provide a license key for your VPN server, your VPN server will run in a limited 2 user concurrency mode.

Connecting to your instance

The OpenVPN Access Server appliance is a Linux based appliance that is managed via an SSH connection. You can connect to the instance by using an SSH client using the credentials you have used previously to initiate the instance. For more information on how to connect to your instance using SSH, please review the Microsoft Azure documentation available here.

Tip: The IP address of your VPN server can be found under the virtual machine dashboard under the section: Public IP address.

Running the OpenVPN Access Server Setup Wizard

Note: You will need to complete this setup wizard before your VPN server will become operational.

The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance. If you would like to run this wizard again in the future, issue the sudo ovpn-init command in the terminal.

Read through the EULA, and enter yes to indicate your agreement.

> Will this be the primary Access Server node?
Explanation: If this is your initial Access Server node, press Enter to accept the default setting. Otherwise, if you are setting up your failover node, change this to say no.

> Please specify the network interface and IP address to be used by the Admin Web UI:
Explanation: This will be the interface where OpenVPN Access Server will listen to Admin Web UI requests. Make sure you have access to the interface listed otherwise you will be unable to login to your server. If you are uncertain on what interface to use, select option 1 for all interfaces. Do note that if your network did not assign your appliance a DHCP lease or if you are planning to use a static IP for your server, you will need to specify all interfaces here and follow the instructions for assigning a Static IP in the later section of this article. This option may be changed any time after the completion of the wizard in the Web Admin UI.

> Please specify the port number for the Admin Web UI.
Explanation: This is the port you will use to access the web-based administration area. It is usually safe to leave this at the default port unless customization is desired.

> Please specify the TCP port number for the OpenVPN Daemon
Explanation: This is the port clients will use to connect to your VPN server. This port will have to be forwarded to the Internet if your server is behind a NAT-based router. By default, the web-based administration area also runs on this port for your convenience, although this setting can be disabled in the Admin Web UI interface.

> Should client traffic be routed by default through the VPN?
Explanation: If you only have a small network you would like your remote users to connect to over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option.

> Should client DNS traffic be routed by default through the VPN?
Explanation: If you would like your VPN clients to able to resolve local domain names using an on-site DNS server, select yes for this option. Otherwise, select no. Do note that if you selected yes for the previous option, all traffic will be routed over the VPN regardless what you set for this option here.

> Use local authentication via internal DB?
Explanation: If you would like OpenVPN Access Server to keep an internal authentication database for authenticating your users, select yes for this option. When this option is turned on, you will be able to define and/or change username and passwords within the Admin Web UI. If you select no for this option, Linux PAM authentication will be used and you will need to add/change/delete users within the Linux operating system itself. If you would like to use LDAP or RADIUS as your authentication method, you will need to change this after you login to the Web Admin UI.

> Should private subnets be accessible to clients by default?
Explanation: This option defines the default security setting of your OpenVPN Access Server. When Should client traffic be routed by default through the VPN? is set to no, it defines the list of subnets that your VPN clients are able to access. You are able to add more entries to this list once you login to the Admin Web UI area. This option will have no effect if Should client traffic be routed by default through the VPN? is set to yes.

> Do you wish to login to the Admin UI as "openvpn"?
Explanation: This defines the initial username in which you would use to login to the Access Server Admin UI area. This username will also serve as your "lockout" administrator username shall you ever lock yourself out of your own server. If you would like to specify your own username, select no. Otherwise, accept yes for the default.
> > Specify the username for an existing user or for the new user account:
Explanation: Enter the initial username you would like to use instead of the default 'openvpn'.
> Type the password for the 'user' account:
> Confirm the password for the 'user' account:
Explanation: Specify the password you would like to use for the account.

> > Please specify your OpenVPN-AS license key (or leave blank to specify later):
Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here. Otherwise, leave it blank. OpenVPN Access Server includes two free licenses for testing purposes.

Note: If you selected yes to the Do you wish to login to the Admin UI as "openvpn"? option in the setup wizard, you will need to define the password for this account by running:
sudo passwd openvpn
and press Enter.

Note: You will be given a URL containing your internal Vnet IP address. This will not work unless you are accessing this URL from another instance inside the same Vnet. To access the administration UI from the Internet, replace the internal IP address with the public IP address of your instance.

Changing Default Hostname

Since Microsoft Azure automatically uses an internal IP address for your instance, you will need to login to the Web Admin UI and configure the Hostname parameter manually (inside the Server Settings section). You may either use an IP address or a hostname here, although it is strongly recommended that you use a hostname since your clients will depend on this setting to be able to know where to connect to, and updating a DNS record is much easier than reinstalling all clients to update the IP address they need to connect to. Also, SSL certificates require a proper FQDN hostname in order to function properly.

Note: If you leave this setting as the default, NONE of your clients will be able to connect to your VPN server since by default it is set to a non-routable (private) IP address!

Tip: You may choose to configure an Azure supplied DNS hostname if you do not have a custom domain or FQDN. To do this, click the Configure link under the virtual machine instance properties below the DNS name heading.

Changing Default Timezone

The default timezone is set to UTC. If you reside at another timezone and you would like to set the timezone to reflect local time, run the following command (you will be asked what timezone you would like to set):

sudo dpkg-reconfigure tzdata

The system will show the new local time after this setting is configured.

Install NTP client for automatic time synchronization

This is recommended for all situations but especially for people that want to use Google Authenticator.

apt-get install ntp

Enabling IP Forwarding (required)

In order for your instance to function properly, IP forwarding will need to be turned on for your instance. You can do this by clicking on the instance on the Azure dashboard, then select Networking on the navigation bar.

Note: You will want to note the Private IP address that is displayed here for the next configuration step of this guide.

Afterward, click on the blue link right next to the text Network Interface. Select IP configurations from the newly created navigation bar, and click Enabled under IP forwarding to enable this option. Click Save to finalize the configuration.

Creating and assigning routing table (required)

It is necessary to create a routing table on Azure so that traffic to your VPN subnet is directed back to your VPN instance. To do this, click the add button on the left-hand navigation bar and enter route table as the desired item. Select the Route table from Microsoft when prompted.

When prompted, enter a name for the routing table to be used (you can choose any name you would like here), and then click on the Use existing radio box under the Resource group selection. Afterward, select the same resource group you have used previously to launch the VPN server (see below):

Click Create when done. Next, go back to your virtual machine dashboard, and then click on the blue link under the Virtual network/subnet heading, select Subnets from the navigation bar, and click on the subnet that is currently used by your computing resources. Click on the Route table option in the subnet properties, and select the newly created routing table from the list:

Click Save when finished. Repeat this step for any additional subnets you may have under the same Vnet that the VPN server needs to communicate with.

After the routing table is set, find the newly created routing table under the All resources button in the navigation bar, then select Routes in the new navigation bar that opens. Click Add to add a new route.

In the dialog that opens, enter the following information:

Address Prefix: 172.27.224.0/20
Next hop type: Virtual appliance
Next hop address: <enter the Private IP address you have noted from the previous step>

Click Save when done. Click Add again to add another record:

Address Prefix: 172.27.240.0/20
Next hop type: Virtual appliance
Next hop address: <enter the Private IP address you have noted from the previous step>

Click Save to complete the routing table configuration.

Warning: You will need to edit your routing table configuration if you decide to change your VPN subnets in the future in the administration UI of the VPN server.

Updating Operating System Software (recommended)

From the time we have generated the appliance and the time you have downloaded and are using the appliance, many operating system updates might have become available. To make sure your appliance operating system is up to date, execute the following commands:

sudo apt-get update
sudo apt-get upgrade

Further security recommendations

We also have some security recommendations that you should implement as well, which apply to all OpenVPN Access Server installations.