Securing any infrastructure means, amongst other things, protecting machines from unnecessary exposure, and restricting remote administration access. While having an SSH port open to the world is sometimes a necessary evil, a preferable approach is to restrict access, via a firewall or security group, to a smaller, more controlled network.
If you always administer your systems from a single location - home, office, etc - it is practical to simply whitelist those IP addresses. However, if you are ever working remotely it’ll become necessary to either manually add your current IP address, or use a VPN.
The VPN solution on Azure is the topic of this post, and more specifically how to make it usable from a Linux system. There are plenty of how-tos around about how to set up a VPN gateway on Azure, so this post focuses on the specifics of making it work with Linux.
## VPN Selection
The first thing to understand is the different SKUs of the VPN gateway product, and what they mean:
| SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|
| Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
Table 1: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
There are two Point-to-site (P2S) options relevant here:
- SSTP (Secure Socket Tunnelling Protocol): a Microsoft protocol that carries PPP over HTTPS, so it rides TLS on TCP 443 and passes most outbound firewalls. Azure's P2S SSTP is only supported by the Windows client. There is a third-party project that provides a Linux client, but it isn't an out-of-the-box solution.
- OpenVPN: a far more widely available VPN solution, with out-of-the-box support in mainstream Linux distributions, including a NetworkManager plugin.
As you can see in Table 1, OpenVPN is not supported on the Basic SKU. So if you want the easy ride, use one of the others.
To get started, install the NetworkManager OpenVPN plugin and its GNOME front end:
```
sudo apt install network-manager-openvpn network-manager-openvpn-gnome
```
Next, download the VPN client configuration package from your gateway's Point-to-site configuration blade in the Azure portal.
Now extract the zip file and [import the OpenVPN profile into NetworkManager](https://www.cyberciti.biz/faq/linux-import-openvpn-ovpn-file-with-networkmanager-commandline/):
```
sudo nmcli connection import type openvpn file OpenVPN/vpnconfig.ovpn
```
This creates a VPN connection called vpnconfig (nmcli names it after the file) in your NetworkManager VPN list.
Edit the connection: give it a sensible name and supply your client certificate and private key. The downloaded vpnconfig.ovpn only carries $CLIENTCERTIFICATE and $PRIVATEKEY placeholders inside its <cert> and <key> blocks, so until those are filled in (either in the file before import, or in the connection afterwards) the gateway will reject the connection. Once the profile embeds the private key it is as sensitive as the key itself, so keep it readable only by you.
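The download-fill-import procedure above, as an added example that is not part of the original post: a POSIX shell script that fills the $CLIENTCERTIFICATE and $PRIVATEKEY placeholders in vpnconfig.ovpn from PEM files, rejects a profile that lacks them, tolerates CRLF line endings (the zip is generated on the Azure side and may carry them), creates the filled profile mode 0600 because it now embeds a private key, and then imports it with nmcli and renames the connection. The function names, the dummy PEM bodies and the sample profile built inline (same <cert>/<key> placeholder layout as the Azure download, with a constructed remote) are my own; the rename relies on nmcli connection modify ... connection.id.

```shell
#!/bin/sh
# Added example (not from the post): fill the $CLIENTCERTIFICATE / $PRIVATEKEY
# placeholders Azure leaves in vpnconfig.ovpn, check nothing is left unfilled,
# and import the result into NetworkManager. POSIX sh; needs awk, grep, mktemp.
set -eu

# fill_azure_ovpn PROFILE CERT_PEM KEY_PEM OUT
# Replaces each placeholder line with the contents of the matching PEM file.
# awk (rather than sed) so the multi-line PEM blocks are inserted verbatim.
# Assumes the placeholders sit on their own line, as in the Azure download.
fill_azure_ovpn() {
  profile="$1"; cert="$2"; key="$3"; out="$4"
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert is not a PEM certificate" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$key"        || { echo "$key is not a PEM private key" >&2; return 1; }
  # Subshell so the umask only applies here: the output embeds a private key.
  ( umask 077
    awk -v certfile="$cert" -v keyfile="$key" '
      function slurp(f,  line, s) { s = ""; while ((getline line < f) > 0) s = s line "\n"; close(f); return s }
      BEGIN { c = slurp(certfile); k = slurp(keyfile) }
      { sub(/\r$/, "") }                       # tolerate CRLF from a Windows-generated zip
      $0 == "$CLIENTCERTIFICATE" { printf "%s", c; seen_c = 1; next }
      $0 == "$PRIVATEKEY"        { printf "%s", k; seen_k = 1; next }
      { print }
      END { if (!seen_c || !seen_k) exit 1 }   # refuse a profile without both placeholders
    ' "$profile" > "$out"
  ) || { echo "$profile lacks the \$CLIENTCERTIFICATE / \$PRIVATEKEY lines" >&2; rm -f "$out"; return 1; }
}

# profile_is_filled OVPN -> success only if no $PLACEHOLDER line remains
profile_is_filled() {
  ! grep -q '^\$[A-Z][A-Z]*$' "$1"
}

# import_to_networkmanager OVPN NAME
# nmcli names the connection after the file (vpnconfig); rename it afterwards.
import_to_networkmanager() {
  sudo nmcli connection import type openvpn file "$1"
  sudo nmcli connection modify "$(basename "$1" .ovpn)" connection.id "$2"
}

# demo_fill: constructed sample profile (Azure's placeholder layout, fake
# remote) with dummy PEM bodies; fills it and prints the output path.
demo_fill() {
  d=$(mktemp -d)
  cat > "$d/vpnconfig.ovpn" <<'EOF'
client
remote vpngateway.example.invalid 443
proto tcp
dev tun
<cert>
$CLIENTCERTIFICATE
</cert>
<key>
$PRIVATEKEY
</key>
EOF
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummyCERT' '-----END CERTIFICATE-----' > "$d/client.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBdummyKEY' '-----END PRIVATE KEY-----' > "$d/client.key"
  fill_azure_ovpn "$d/vpnconfig.ovpn" "$d/client.crt" "$d/client.key" "$d/filled.ovpn"
  echo "$d/filled.ovpn"
}

filled=$(demo_fill)
profile_is_filled "$filled" && echo "ready to import: $filled"
# For a real gateway: fill_azure_ovpn OpenVPN/vpnconfig.ovpn client.crt client.key azure.ovpn
#                     import_to_networkmanager azure.ovpn azure-p2s
```

Run as-is it only exercises the placeholder filling on the constructed sample. For a real gateway, point fill_azure_ovpn at the extracted OpenVPN/vpnconfig.ovpn and your client certificate and key, confirm profile_is_filled succeeds, then call import_to_networkmanager; delete the filled profile afterwards if you don't want a second copy of the private key lying around, since NetworkManager stores its own.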
If SSTP becomes available in the main Debian/Ubuntu repos then it would also be a good option, but in terms of return on time investment, OpenVPN is the best current option for Linux admins using Azure.