Microsoft Azure VPN Quick Start Guide for Access Server
The Microsoft Azure BYOL (bring your own license) instance lets you quickly launch Access Server on your Microsoft Azure account and get your VPN server up and running. Here's how.
Access Server provides a Microsoft Azure Marketplace VPN that you can get up and running within minutes.
By using the Access Server virtual machine (VM) from the Azure Marketplace, you can launch a VPN hosted in the cloud, with the following benefits:
Read on for your guide to get started with your VPN server on the web.
To launch a new VM with Access Server software:
Select the Access Server VM from the Azure Marketplace and click Create.
Enter a name and select the basic configuration options. We recommend using SSH for authentication.
When you get to the Networking tab, you'll see that we've preconfigured the security groups for you.
Review the configuration and click Create.
Once the deployment completes, go to your resource and copy the public IP address.
Note
We used the default options for the quick start guide, which are already optimal. Feel free to configure settings as you see fit.
When your deployment is complete, you can click on Go to resource to open your virtual machine dashboard. You’ll find your IP address for your VPN server under Public IP address.
The Access Server appliance is a Linux-based appliance managed via an SSH connection. You can connect to the instance by using an SSH client and the credentials you previously used to initiate the instance. For more information on how to connect to your instance using SSH, refer to Microsoft Azure documentation.
We provide instructions on how to connect to a common use case for Windows OS users with the PuTTY SSH Client: Connect to Access Server via SSH using PuTTY.
The initial Access Server configuration tool runs automatically the first time you sign into the instance.
For this guide, we assume you choose the default values by pressing ENTER for each choice.
You can now sign in to the Admin Web UI at https://[youripaddress]/admin with the username ‘openvpn’ and the generated password.
Tip
Replace "[youripaddress]" with the static IP address of your server.
Now that you've installed Access Server, follow these next steps.
When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.
Interface | Description |
---|---|
Admin UI | The Admin UI is the web-based GUI for managing your Access Server. We refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/. When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts. |
Client UI | The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example. Tip: The web services run on port TCP 943 by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out. |
Administrative User
For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.
On Access Server versions older than 2.9, you must manually set the password for the openvpn user with this command:
passwd openvpn
You can now open a browser and enter your Admin Web UI address.
Invalid Certificate
Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.
By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.
The first time you sign into the Admin Web UI, Access Server displays the Activation page so you can easily get an activation key:
Click Get Activation Key.
This takes you to the Access Server portal.
Sign in with your openvpn.com account if needed.
Click Activation Keys.
Click Purchase A New Key.
Select the number of concurrent connections for your subscription.
For a free subscription with two connections, select the free option.
For five or more connections, select the standard option.
Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.
Return to your Admin Web UI.
Paste the subscription key in the text field.
Click Activate.
Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on the Access Server portal by clicking Access Server Information.
We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.
Refer to Hostname and follow the steps.
Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.
Access Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer to Authentication System for more information.
With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.
Option to connect | Procedure |
---|---|
Download a bundled VPN client to connect | A user follows these steps to download a pre-configured OpenVPN Connect app: |
Download a connection profile | A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect: |
Admin provides users with ways to connect | Alternatively, as an admin, you can use these ways to connect your users: |
Tip
Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.
You can start right away with two simultaneous connections to your VPN server. To add more connections, purchase a subscription from our site and activate it using the Admin Web UI: Purchasing And Activating A Subscription.
The default time zone may not be the time zone that you're in. If you are in a different time zone, you can change this setting by running this command, then choose your appropriate time zone:
sudo dpkg-reconfigure tzdata
We recommend installing an NTP client to keep the clock synchronized. This is especially important if you plan to use multi-factor authentication with TOTP, because TOTP codes depend on accurate time. Run this command:
apt-get install ntp
If you use “Routing” rather than NAT as the mode of operation inside Access Server, your instance functions properly only when IP forwarding is enabled on its network interface:
From the Azure portal, enter network interfaces in the search box at the top.
Select Network interfaces from the search results.
Select the network interface of your Access Server virtual machine.
Click IP configurations.
Click on the toggle to Enable IP forwarding.
Click Save.
The network interface change saves.
Take note of the private IP address shown here; you need it when you create the routing table and add routes, as explained below.
When you use “Routing” for your Access Server instead of NAT, ensure you create a routing table on Azure so that traffic to your VPN subnet is directed back to your VPN instance.
Create a route table
Click on Create a resource from your Azure portal.
Search for "route table".
Select the Route table from Microsoft when prompted and click Create.
Select the Resource group with your VPN server.
Enter a name for the routing table (choose any you would like).
Click Review + Create then Create.
Attach route table to your VM
Navigate to your Access Server virtual machine's dashboard.
Under Networking and Virtual network/subnet click on the Vnet for your VM.
Under Settings, click on Subnets.
Click on the subnet used by your computing resources (may be called default).
Click on the Route table drop-down and select your newly created routing table from the list.
Click Save.
Repeat this step for any additional subnets you may have under the same Vnet that the VPN server needs to communicate with.
Add routes
Now that the routing table is assigned, you need to add routes:
Navigate to your new routing table.
Under Settings of your route table, click Routes.
Click Add.
On the Add route page, enter a name, then the following:
Address Prefix: 172.27.224.0/20
Next hop type: Virtual appliance
Next hop address: <enter the Private IP address you have noted from the previous step>
Click OK when done.
Click Add again to add a second record:
Address Prefix: 172.27.240.0/20
Next hop type: Virtual appliance
Next hop address: <enter the Private IP address you have noted from the previous step>
Click OK when done.
You've completed the routing table configuration.
Note
The 172.x.x.x IP addresses above are private IP addresses used by Access Server as the internal DHCP system.
Important
If you change your VPN subnets using the Admin Web UI, ensure you edit your routing table configuration as well.
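Because a route table that no longer matches the VPN subnets silently breaks return traffic, it is worth checking the two together. The following script is an added example, not part of this guide or of Access Server itself. It takes the VPN subnets Access Server is configured with (the two defaults from the routes above) and a route list in the shape produced by `az network route-table route list -o json` (the field names addressPrefix, nextHopType and nextHopIpAddress are assumed from the Azure CLI output; the sample routes and the private IP 10.0.0.4 are constructed for this example) and reports every VPN subnet that is not sent back to the Access Server VM as a virtual appliance. It also applies Azure's longest-prefix-match rule, so a broader route to another next hop does not hide a more specific correct one.

```python
import ipaddress
import json

# The two VPN subnets from the routing steps in this guide.
DEFAULT_VPN_SUBNETS = ["172.27.224.0/20", "172.27.240.0/20"]

# Constructed sample in the shape of `az network route-table route list -o json`.
# Field names are assumed from the Azure CLI output; values are made up.
# The second route deliberately points at the wrong private IP.
SAMPLE_ROUTES_JSON = """[
  {"name": "vpn-clients", "addressPrefix": "172.27.224.0/20",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"},
  {"name": "vpn-groups", "addressPrefix": "172.27.240.0/20",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.9"}
]"""


def load_routes(routes_json):
    """Parse the JSON route list into dicts with a parsed network prefix."""
    routes = []
    for r in json.loads(routes_json):
        routes.append({
            "name": r["name"],
            "prefix": ipaddress.ip_network(r["addressPrefix"], strict=False),
            "next_hop_type": r.get("nextHopType"),
            "next_hop_ip": r.get("nextHopIpAddress"),
        })
    return routes


def effective_route(routes, subnet):
    """Azure selects the longest matching prefix, so return the most specific
    route that covers the whole VPN subnet, or None if nothing covers it."""
    covering = [r for r in routes
                if r["prefix"].version == subnet.version
                and subnet.subnet_of(r["prefix"])]
    if not covering:
        return None
    return max(covering, key=lambda r: r["prefix"].prefixlen)


def check_routes(routes, vpn_subnets, vpn_private_ip):
    """Return a list of problems; an empty list means every VPN subnet is
    routed to the Access Server VM (next hop VirtualAppliance + private IP)."""
    problems = []
    for s in vpn_subnets:
        subnet = ipaddress.ip_network(s, strict=False)
        route = effective_route(routes, subnet)
        if route is None:
            problems.append(f"{subnet}: no route covers this subnet")
            continue
        if route["next_hop_type"] != "VirtualAppliance":
            problems.append(f"{subnet}: route {route['name']} has next hop type "
                            f"{route['next_hop_type']}, expected VirtualAppliance")
            continue
        if route["next_hop_ip"] != vpn_private_ip:
            problems.append(f"{subnet}: route {route['name']} points at "
                            f"{route['next_hop_ip']}, expected {vpn_private_ip}")
    return problems


if __name__ == "__main__":
    routes = load_routes(SAMPLE_ROUTES_JSON)
    report = check_routes(routes, DEFAULT_VPN_SUBNETS, "10.0.0.4")
    for line in report or ["all VPN subnets are routed back to the VPN server"]:
        print(line)
```

To use it against a real deployment, replace SAMPLE_ROUTES_JSON with the output of the az command above, DEFAULT_VPN_SUBNETS with the subnets shown in the Admin Web UI, and the private IP with the one noted when enabling IP forwarding; re-run it whenever you change the VPN subnets, as the Important note above requires.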
We recommend updating your Linux OS. Between the time we generated the appliance image and the time you deploy it, a number of updates have likely been released. To make sure your appliance OS is up to date, execute the following commands:
sudo apt-get update
sudo apt-get upgrade