Azure Point to Site VPN from Linux

Posted on September 21, 2019
Tags: azure, linux, cloud

Securing any infrastructure means, amongst other things, protecting machines from unnecessary exposure, and restricting remote administration access. While having an SSH port open to the world is sometimes a necessary evil, a preferable approach is to restrict access, via a firewall or security group, to a smaller, more controlled network.

If you always administer your systems from a single location - home, office, etc - it is practical to simply whitelist those IP addresses. However, if you are ever working remotely it’ll become necessary to either manually add your current IP address, or use a VPN.

The VPN solution on Azure is the topic of this post. But more specifically, how to make it accessible from a Linux system. There are plenty of how-tos around about how to setup a VPN on Azure, so this post will focus on the specifics of making it compatible with Linux.

## VPN Selection

The first thing to understand is the different SKU for the VPN product, and what they mean:

SKU S2S/VNet-to-VNet Tunnels P2S SSTP Connections P2S IKEv2/OpenVPN Connections Aggregate Throughput Benchmark BGP Zone-redundant
Basic Max. 10 Max. 128 Not Supported 100 Mbps Not Supported No
VpnGw1 Max. 30* Max. 128 Max. 250 650 Mbps Supported No
VpnGw2 Max. 30* Max. 128 Max. 500 1 Gbps Supported No
VpnGw3 Max. 30* Max. 128 Max. 1000 1.25 Gbps Supported No
VpnGw1AZ Max. 30* Max. 128 Max. 250 650 Mbps Supported Yes
VpnGw2AZ Max. 30* Max. 128 Max. 500 1 Gbps Supported Yes
VpnGw3AZ Max. 30* Max. 128 Max. 1000 1.25 Gbps Supported Yes

Table 1: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

There are to Point-to-site (P2S) options:

  • SSTP - Secure Socket Tunnelling Protocol
  • IKEv2/OpenVPN

SSTP is a PPP over HTTPS protocol that is used primarily by Azure. It has official clients for Windows and OSX. There is a project to provide a Linux client, but it isn’t an out-of-the-box solution.

OpenVPN however, is a more widely available VPN solution, with out-of-the-box support in Linux.

As you can see in Table 1 OpenVPN is not supported using the Basic SKU. Therefore, if you want the easy ride, use one of the others.

## Setup

To get started, install the Network Manager extensions for OpenVPN

apt install network-manager-openvpn-gnome network-manager-openvpn

Next, download the VPN Client Config from the Azure VPN Portal.

Now, extract the config zip file, and [import the config] (https://www.cyberciti.biz/faq/linux-import-openvpn-ovpn-file-with-networkmanager-commandline/)

sudo nmcli connection import type openvpn file OpenVPN/vpnconfig.ovpn

This will create the VPN configuration called vpnconfig in your Network Manager VPN screen.

Edit the connection, fixing up the name, and supplying your user certificates.

## Conclusion

If SSTP becomes available in the main Debian/Ubuntu repos then it would also be a good option, but in terms of return on time investment, OpenVPN is the best current option for Linux admins using Azure.