Skip to main content

Subscribe to Access Server on Microsoft Azure — Pay As You Go

Abstract

Create an Access Server VPN server with Microsoft Azure, where you pay as you go. This quick start guide helps you launch the PAYG offering.

Access Server provides an Azure VPN that you can get up and running within minutes.

From the Azure Marketplace, you can launch Access Server. This VPN, hosted in the cloud, has the following benefits.

📄 Deploy Access Server on Microsoft Azure

  1. Sign in or create an OpenVPN account.

  2. Click to install Access Server and select Microsoft Azure.

  3. Under Option 1, click the Azure SaaS subscription link.

  4. Sign in with your Microsoft account.

  5. Select your Plan from the drop-down based on desired connections.

  6. Click Subscribe.

  7. Enter your Project details:

    Subscription

    This autopopulates.

    Resource group

    Select your group from the drop-down to assign this new image.

    Name

    Enter a name for your image.

    Contract duration

    Select between monthly and yearly.

    Aut-renew

    Select whether to set your plan to auto-renew.

  8. Click Review + subscribe.

  9. Review the product and plan details, then click Subscribe.

    • The SaaS subscription is in progress and will display a successful subscribed message when complete.

🔑 Configure your Azure account

  1. Click Configure your account.

    • The login displays to Link Your Azure Account to OpenVPN.

  2. Enter your OpenVPN account email and password.

  3. Click Sign In.

  4. Enter your account details and click Confirm.

    • The page Deploy on Azure marketplace using our Azure Launcher displays.

  5. Click Azure SaaS Subscriptions in the side navigation.

    • Your Azure SaaS subscription details display.

🖥️ Gather Admin Web UI info from virtual machine output

  1. From the Azure deployment, click Outputs.

    • The URL for the Admin Web UI is displayed in the adminPortal field, along with the temporary password.

  2. Open your web browser and navigate to the Admin Web UI using the provided IP address, such as:

    • https://<public_ip_of_instance>/admin

    Note

    Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.

  3. Enter the admin username, openvpn, and your temporary password displayed in the output.

  4. Once signed in, we recommend changing the password for the openvpn user account in the Admin Web UI.

🛠️ Finish Access Server configuration

We suggest some of these next steps for finishing setup:

Setting up a hostname

We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.

Refer to Hostname and follow the steps.

Setting up authentication

Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication, where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.

Access Server supports using multiple authentication systems simultaneously. Refer to Authentication System for more information.

First time connecting to the VPN server

With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.

Option to connect

Procedure

Download a bundled VPN client to connect

A user follows these steps to download a pre-configured OpenVPN Connect app:

  1. Navigate to the Client Web UI in a browser.

  2. Sign in with user credentials.

  3. The OpenVPN Connect app is displayed for download for their operating system.

  4. After it downloads, install the software.

  5. Open the app and click on the connection profile.

    • The user connects to Access Server.

Download a connection profile

A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect:

  1. Navigate to the Client Web UI in a browser.

  2. Sign in with their user credentials.

  3. Click on the link under Available Connection Profiles.

  4. After the connection profile downloads, upload the file to a VPN client.

Admin provides users with ways to connect

Alternatively, as an admin, you can use these ways to connect your users:

  1. Have your users install OpenVPN Connect from our website, then download a connection profile from the Admin Web UI and distribute it to users.

  2. Create an OpenVPN Connect installer from the Access Server command-line interface and distribute it to users.

Tip

Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.

Enable IP forwarding (required for use with routing)

In order for your instance to function properly if you use “Routing” as your mode of operation inside Access Server instead of NAT, ensure you turn on IP forwarding:

  1. From the Azure portal, enter network interfaces in the search box at the top.

  2. Select Network interfaces from the search results.

  3. Select the network interface of your Access Server virtual machine.

  4. Click IP configurations.

  5. Click on the toggle to Enable IP forwarding.

  6. Click Save.

  7. The network interface change saves.

Take note of your private IP address noted here as you will need it for creating and assigning a routing table, explained below.

Create and assign a routing table (required for use with routing)

When you use “Routing” for your Access Server instead of NAT, ensure you create a routing table on Azure so that traffic to your VPN subnet is directed back to your VPN instance.

Create a route table

  1. Click on Create a resource from your Azure portal.

  2. Search for "route table".

  3. Select the Route table from Microsoft when prompted and click Create.

  4. Select the Resource group with your VPN server.

  5. Enter a name for the routing table (choose any you would like).

  6. Click Review + Create then Create.

Attach route table to your VM

  1. Navigate to your Access Server virtual machine's dashboard.

  2. Under Networking and Virtual network/subnet click on the Vnet for your VM.

  3. Under Settings, click on Subnets.

  4. Click on the subnet used by your computing resources (may be called default).

  5. Click on the Route table drop-down and select your newly created routing table from the list.

  6. Click Save.

  7. Repeat this step for any additional subnets you may have under the same Vnet that the VPN server needs to communicate with.

Add routes

Now that the routing table is assigned, you need to add routes:

  1. Navigate to your new routing table.

  2. Under Settings of your route table, click Routes.

  3. Click Add.

  4. On the Add route page, enter a name, then the following:

    Address Prefix: 172.27.224.0/20

    Next hop type: Virtual appliance

    Next hop address: <enter the Private IP address you have noted from the previous step>

  5. Click OK when done.

  6. Click Add again to add a second record:

    Address Prefix: 172.27.240.0/20

    Next hop type: Virtual appliance

    Next hop address: <enter the Private IP address you have noted from the previous step>

  7. Click OK when done.

You've completed the routing table configuration.

Note

The 172.x.x.x IP addresses above are private IP addresses used by Access Server as the internal DHCP system.

Important

If you change your VPN subnets using the Admin Web UI, ensure you edit your routing table configuration as well.

🔒 Further Security Recommendations

Additional Security Steps You Can Take After Installation

In this section:

Access Server's web server used by the administrator to configure the VPN server.