Microsoft Azure BYOL appliance quick start guide


OpenVPN Access Server provides a Microsoft Azure Marketplace VPN that you can get up and running within minutes.

By using the OpenVPN Access Server virtual machine (VM) from the Azure Marketplace, you can launch a VPN hosted in the cloud, with the following benefits:

  • Quickly extend your Azure private networking to remote users and other sites.
  • Create hub-and-spoke network topology, site-to-site, user-to-cloud, and various other secure VPN connections.
  • Provide secure, remote access to applications deployed on Azure.

Read on for your guide to get started with your VPN server on the web.

Launch the VM

To launch a new VM with OpenVPN Access Server software:

  1. Select the OpenVPN Access Server VM from the Azure Marketplace and click Create.
  2. Enter a name and select the basic configuration options. We recommend using SSH for authentication.
  3. When you get to the Networking tab, you'll see that we've preconfigured the security groups for you.
  4. Review the configuration and click Create.
  5. Once the deployment completes, go to your resource and copy the public IP address.

Note: We used the default options for the quick start guide, which are already optimal. Feel free to configure settings as you see fit.

Connect to your VM

When your deployment is complete, you can click on Go to resource to open your virtual machine dashboard. You’ll find your IP address for your VPN server under Public IP address.

The OpenVPN Access Server appliance is a Linux-based appliance managed via an SSH connection. You can connect to the instance by using an SSH client and the credentials you previously used to initiate the instance. For more information on how to connect to your instance using SSH, refer to Microsoft Azure documentation.

We provide instructions on how to connect to a common use case for Windows OS users with the PuTTY SSH Client: Connect to Access Server via SSH using PuTTY.

Finish Access Server Installation

Note: You will need to complete this setup wizard before your VPN server will be operational.

The OpenVPN Access Server Configuration Tool runs automatically the first time you sign into the VM.

For this guide, we assume you choose the default values by pressing ENTER for each choice.

In the last step of the installation process, a randomly generated password for the ‘openvpn’ administrative accounts displays on the console (if you didn’t enter a password during the initial setup).

You can now connect to the Admin Web UI with that username and password. The URL will be along the pattern of https://[youripaddress]/admin/.

Replace "[youripaddress]" with the static IP address of your server.

Note: Ensure you use the public IP address of your server. The output from the configuration tool displays an internal IP address. This is because the Azure metadata doesn't provide the public IP address for the initial configuration to display so you see a private IP in the output.

Video Tutorial

Finish Configuration of Access Server

To complete configuration, refer to Finishing Configuration Of Access Server.

Once you've done that, we recommend a few additional steps, below.

Purchase and activate a subscription

You can start right away with two simultaneous connections to your VPN server. To add more connections, purchase a subscription from our site and activate it using the Admin Web UI: Purchasing And Activating A Subscription

Change default time zone

If you need to change the time zone of the instance, run this command:

sudo dpkg-reconfigure tzdata

The system shows the new local time after you configure this setting.

Install NTP client for automatic time synchronization

We recommend everyone set this up, but especially those using multi-factor authentication.

sudo apt-get install ntp

Enable IP forwarding (required for use with routing)

In order for your instance to function properly if you use “Routing” as your mode of operation inside Access Server instead of NAT, ensure you turn on IP forwarding:

  1. From the Azure portal, enter network interfaces in the search box at the top.
  2. Select Network interfaces from the search results.
  3. Select the network interface of your Access Server virtual machine.
  4. Click IP configurations.
  5. Click on the toggle to Enable IP forwarding.
  6. Click Save.
  7. The network interface change saves.

Take note of your Private IP address noted here as you will need it for creating and assigning a routing table, explained below.

Create and assign a routing table (required for use with routing)

When you use “Routing” for your Access Server instead of NAT, ensure you create a routing table on Azure so that traffic to your VPN subnet is directed back to your VPN instance.

Create a route table

  1. Click on Create a resource from your Azure portal.
  2. Search for "route table".
  3. Select the Route table from Microsoft when prompted and click Create.
  4. Select the Resource group with your VPN server.
  5. Enter a name for the routing table (choose any you would like).
  6. Click Review + Create then Create.

Attach route table to your VM

  1. Navigate to your Access Server virtual machine's dashboard.
  2. Under Networking and Virtual network/subnet click on the Vnet for your VM.
  3. Under Settings, click on Subnets.
  4. Click on the subnet used by your computing resources (may be called default).
  5. Click on the Route table drop-down and select your newly created routing table from the list.
  6. Click Save.
  7. Repeat this step for any additional subnets you may have under the same Vnet that the VPN server needs to communicate with.

Add routes

Now that the routing table is assigned, you need to add routes:

  1. Navigate to your new routing table.
  2. Under Settings of your route table, click Routes.
  3. Click Add.
  4. On the Add route page, enter a name, then the following:
    Address Prefix:
    Next hop type: Virtual appliance
    Next hop address: <enter the Private IP address you have noted from the previous step>
  5. Click OK when done.
  6. Click Add again to add a second record:
    Address Prefix:
    Next hop type: Virtual appliance
    Next hop address: <enter the Private IP address you have noted from the previous step>
  7. Click OK when done.

You've completed the routing table configuration.

Note: The 172 IP addresses above are private IP addresses used by Access Server as the internal DHCP system.

If you change your VPN subnets using the Admin Web UI, ensure you edit your routing table configuration as well.

From the time we've generated the appliance and the time you've downloaded and are using it, operating system updates might have become available. Ensure your appliance OS is up to date by running the following commands:

sudo apt-get update
sudo apt-get upgrade

Further security recommendations

We have additional security recommendations we suggest you implement, for all OpenVPN Access Server installations.