OpenVPN based Site-to-Site VPN between Azure and pfSense

In Azure terminology, a Site-to-Site (S2S) VPN is a VPN connection between two gateway devices. It allows communication between subnets on-prem and in an Azure virtual network. Gateway devices on-prem are usually firewalls, like pfSense in this post. In Azure, we can use Azure VPN gateway or we can set up our own virtual appliance for this purpose. A virtual appliance is nothing but a VM that can provide such security and filtering services.

OpenVPN Use Case

Azure VPN Gateway uses IKE/IPsec. It requires a static public IP on the on-prem device. Officially, it does not support an on-prem device behind NAT, but it works if you forward UDP ports 500 and 4500 (NAT-T) to the device. With a PolicyBased VPN it supports only one S2S tunnel/site, and most open source firewalls only support PolicyBased VPNs.

OpenVPN, on the other hand, is an SSL VPN and needs no port forwarding on-prem. The on-prem public IP can be dynamic, and it works even if the device is behind NAT or double NAT, which is common with cable ISPs. The OpenVPN client endpoint can also be configured on a Windows server if your firewall does not support it natively.

In short, OpenVPN is the more broadly compatible option, which is very helpful when setting up hybrid labs.

Setup

Site 1:

pfSense firewall behind NAT.
Subnets: 172.20.2.0/24 (LAN) and 172.20.3.0/24 (DMZ)

Site 2:

pfSense firewall behind NAT.
Subnets: 172.22.2.0/24 (LAN) and 172.22.3.0/24 (DMZ)

Azure:

Virtual Network Address Space: 10.0.0.0/16
Subnets: 10.0.0.0/24 (LAN), 10.0.255.224/27 (OpenVPN)

Solution

[Diagram: OpenVPN-Azure]

In OpenVPN terminology, we are setting up two peer-to-peer connections. A peer-to-peer connection is between exactly one client and one server. Since we have two sites, we will spin up two OpenVPN server endpoints, on ports 1194 and 1195, on our Windows Server. The OpenVPN client endpoint at each site connects to its own server endpoint.

Just as a pair of routers uses a subnet between them, the OpenVPN endpoints here use the tunnel subnets 10.99.91.0/24 for site 1 and 10.99.92.0/24 for site 2.

It is also possible to set up one central multi-site OpenVPN server endpoint with multiple client endpoints connecting to it, but that requires a PKI; it cannot be done with static keys. I may cover that in a separate post.

Server Setup in Azure

Create Subnet for OpenVPN VM

Virtual appliances in Azure should always be on a separate subnet. The recommendation is to create a /27 subnet at the end of the address space; we are using 10.0.255.224/27.

Setup New Windows Server 2012 R2 VM

Assign a public IP to this VM. This is the IP the OpenVPN client endpoints will connect to. Make it static so that it does not change; alternatively, a dynamic IP with a dynamic DNS service also works.

Power on the VM and set the assigned private IP to static under Network Interfaces > IP Configuration. This is the IP that will act as the next hop for VMs in Azure to reach the on-prem networks.

[Image: azure-static-private-ip]

Enable IP forwarding

IP forwarding is required so that the VM can receive packets that are not addressed to itself. This is an Azure setting on the network interface, not a guest OS setting.

[Image: azure-ip-forwarding]

Open TCP Ports 1194 and 1195 in the Network Security Group (NSG)

If you created an NSG or associated an existing NSG while creating the VM, open TCP ports 1194 and 1195 for the OpenVPN server endpoints as shown below. Additionally, create a rule for TCP port 3389 for remote desktop access.

[Images: azure-nsg-add, azure-nsg-rule-add, azure-nsg-associate]

Open TCP 1194 and 1195 in Windows Firewall

Go to Windows Firewall -> Advanced Settings -> Inbound Rules and create a port rule allowing inbound TCP 1194 and 1195.

[Image: firewall-openvpn-ports]

Install OpenVPN Community on Server

Download and install the OpenVPN Community Edition Windows installer (.exe).

Add Additional TAP adapters

TAP adapters are virtual NICs that OpenVPN endpoints use to hold their tunnel IPs. The installer adds one TAP adapter, but since we are setting up two OpenVPN server endpoints we need one more. Run "C:\Program Files\TAP-Windows\bin\addtap.bat" to add it. You should now see two adapters under Network Connections.

[Image: openvpn-tap-add]

Generate Static Keys

"c:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret site1.key
"c:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret site2.key

Enable IP Routing on Server

This is necessary so that packets arriving on the server's private IP interface can be forwarded to the OpenVPN interfaces. Set this registry value to 1 and reboot the server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRoute

OpenVPN Server Config for Site 1

Create the file azure-server-site1.ovpn in the OpenVPN config directory (Program Files\OpenVPN\config) with the following contents. Copy site1.key from the bin directory to the config directory. Replace the address on the local line (line 3, shown here as 10.0.255.228) with the private IP of your server.

# Site 1 P2P Server Config

local 10.0.255.228
port 1194
proto tcp-server
dev tun

ifconfig 10.99.91.1 10.99.91.2

route 172.20.0.0 255.255.0.0

secret site1.key
cipher AES-128-CBC
auth SHA1

comp-lzo

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

verb 1

OpenVPN Server Config for Site 2

Create the file azure-server-site2.ovpn in the OpenVPN config directory with the following contents. Copy site2.key from the bin directory to the config directory. Replace the address on the local line (line 3, shown here as 10.0.255.228) with the private IP of your server.

# Site2 P2P Server Config

local 10.0.255.228
port 1195
proto tcp-server
dev tun

ifconfig 10.99.92.1 10.99.92.2

route 172.22.0.0 255.255.0.0

secret site2.key
cipher AES-128-CBC
auth SHA1

comp-lzo

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

verb 1

Enable OpenVPN Windows Service

Set the startup type of the "OpenVpnService" service to Automatic and start it. This spins up both OpenVPN server endpoints and creates two log files in the log directory (Program Files\OpenVPN\log), named after the config files.

Check Logs to Verify Setup

Check both log files to make sure there are no errors and that each endpoint is listening for incoming TCP connections.

Add User Defined Routes (UDRs) in Azure

A UDR is a route like one you would normally add to the routing table of a router or server. In Azure, however, UDRs are added to a route table resource, which is then associated with one or more subnets. Any traffic leaving such a subnet is routed according to that route table, while the VMs in the subnet continue to send traffic to their default gateway in the Azure fabric.

For our requirement, we will create a route table, add routes for our on-prem networks with the OpenVPN VM's private IP as the next hop, and associate the table with our LAN subnet in Azure.

Create a Routing Table

[Image: azure-routingtable-add]

Add UDRs

[Image: azure-route-add-site1]

Associate with LAN Subnet

[Image: azure-routingtable-associate]

On-Prem Client Setup on pfSense

Add an OpenVPN client endpoint under VPN -> OpenVPN -> Clients as shown below.

[Images: pfsense-openvpn-client-setting1, pfsense-openvpn-client-setting2, pfsense-openvpn-client-setting3]

Once added, check the status under Status -> OpenVPN.

In the same way, add a client for site 2. Remember to change the server port, static key and tunnel network for site 2.
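The two server configs above and the matching pfSense client settings are mirror images of each other, and the "remember to change the port, key and tunnel network" step is where a second site usually goes wrong. The following script is an added example for this post, not the post's own code: it generates both ends of each site's static-key peer-to-peer config from one site definition, derives the UDR entries the Azure LAN subnet needs, and checks that the two sites do not reuse a port or key or overlap in address space. The addresses are the post's; AZURE_PUBLIC_IP is a placeholder for your VM's public IP, and the pfSense side is written as the equivalent OpenVPN options rather than the GUI fields pfSense renders them from. The Site class and the function names are this example's own.

```python
"""Generate matching OpenVPN static-key peer-to-peer configs for both ends of
each site tunnel and check that the sites do not collide.

Added example, not the post's own code. Addresses come from the post;
AZURE_PUBLIC_IP is a placeholder you replace with the VM's public IP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

AZURE_SERVER_PRIVATE_IP = "10.0.255.228"  # from the post
AZURE_VNET = "10.0.0.0/16"                # from the post
AZURE_PUBLIC_IP = "203.0.113.10"          # placeholder (TEST-NET-3): use your VM's public IP


@dataclass(frozen=True)
class Site:
    name: str       # label used in the config comment
    port: int       # TCP port the Azure endpoint for this site listens on
    tunnel: str     # tunnel network shared by the two endpoints of this site
    onprem: str     # on-prem supernet that Azure routes to this site
    key_file: str   # static key generated with: openvpn --genkey --secret <file>


# Both sites exactly as the post defines them.
SITES = [
    Site("Site 1", 1194, "10.99.91.0/24", "172.20.0.0/16", "site1.key"),
    Site("Site 2", 1195, "10.99.92.0/24", "172.22.0.0/16", "site2.key"),
]

# Options common to both ends and both sites, copied from the post's config.
COMMON = ["dev tun", "cipher AES-128-CBC", "auth SHA1", "comp-lzo",
          "keepalive 10 60", "ping-timer-rem", "persist-tun", "persist-key", "verb 1"]


def tunnel_endpoints(tunnel: str) -> Tuple[str, str]:
    """First two usable addresses of the tunnel network: (server, client)."""
    hosts = list(ipaddress.ip_network(tunnel).hosts())
    return str(hosts[0]), str(hosts[1])


def route_line(cidr: str) -> str:
    """OpenVPN 'route' takes network and netmask, not CIDR notation."""
    net = ipaddress.ip_network(cidr)
    return f"route {net.network_address} {net.netmask}"


def server_config(site: Site) -> str:
    """Azure (Windows) side: listen on the private IP, route the site's LANs into the tunnel."""
    server_ip, client_ip = tunnel_endpoints(site.tunnel)
    lines = [f"# {site.name} P2P Server Config",
             f"local {AZURE_SERVER_PRIVATE_IP}", f"port {site.port}", "proto tcp-server",
             f"ifconfig {server_ip} {client_ip}", route_line(site.onprem),
             f"secret {site.key_file}"] + COMMON
    return "\n".join(lines) + "\n"


def client_config(site: Site) -> str:
    """pfSense side: ifconfig mirrored, connect to the public IP, route the VNet into the tunnel."""
    server_ip, client_ip = tunnel_endpoints(site.tunnel)
    lines = [f"# {site.name} P2P Client Config",
             f"remote {AZURE_PUBLIC_IP} {site.port}", "proto tcp-client",
             f"ifconfig {client_ip} {server_ip}", route_line(AZURE_VNET),
             f"secret {site.key_file}"] + COMMON
    return "\n".join(lines) + "\n"


def udr_entries(sites: List[Site]) -> List[Tuple[str, str, str]]:
    """Routes for the Azure LAN subnet's route table: (prefix, next hop type, next hop)."""
    return [(s.onprem, "VirtualAppliance", AZURE_SERVER_PRIVATE_IP) for s in sites]


def validate(sites: List[Site]) -> List[str]:
    """Catch the copy-paste mistakes that break a second site: a reused port or key,
    overlapping tunnel / on-prem / VNet ranges, or a tunnel too small for two endpoints."""
    problems: List[str] = []
    ports = {}
    nets = [("Azure VNet", ipaddress.ip_network(AZURE_VNET))]
    for s in sites:
        if s.port in ports:
            problems.append(f"{s.name}: port {s.port} already used by {ports[s.port]}")
        ports[s.port] = s.name
        tun = ipaddress.ip_network(s.tunnel)
        if tun.prefixlen > 30:
            problems.append(f"{s.name}: tunnel {s.tunnel} has no room for two endpoints")
        nets += [(f"{s.name} tunnel", tun), (f"{s.name} on-prem", ipaddress.ip_network(s.onprem))]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    keys = [s.key_file for s in sites]
    if len(set(keys)) != len(keys):
        problems.append("the same static key file is used for more than one site")
    return problems


if __name__ == "__main__":
    for p in validate(SITES):
        print("PROBLEM:", p)
    for site in SITES:
        print(server_config(site))
        print(client_config(site))
    print(udr_entries(SITES))
```

COMMON reproduces the post's cipher, auth and compression lines so the generated files match what the pfSense client expects; on OpenVPN 2.4 or newer `comp-lzo` is deprecated and compression over the tunnel is better left off at both ends, which here means dropping that entry.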

Finally

Windows Firewall

Add a rule on every machine to allow traffic between the networks. Use Group Policy for domain-joined machines.

[Image: firewall-corporate-subnets]

Testing

Now we should be able to ping VMs in either network from the other.

Troubleshooting

  • Check logs on server and pfSense
  • Ping OpenVPN tunnel IPs
  • Ping other VMs
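The "Check Logs" step and the troubleshooting list above both come down to reading the two server log files for the same few OpenVPN messages. The script below is an added example, not from the post: it scans a log for the listening line, the peer connection, the "Initialization Sequence Completed" line, restarts and errors, and turns that into one status word per endpoint. The three sample logs are constructed for this example; the message texts are OpenVPN's standard ones, but the timestamps and the 198.51.100.x peer addresses are placeholders. In this peer-to-peer tcp-server mode the completion line is only logged once the pfSense client has connected, so a log that shows only the listening line is a healthy endpoint still waiting for its client, not a failure.

```python
"""Read an OpenVPN endpoint log the way the post's 'Check Logs' and
'Troubleshooting' steps describe: listening on the expected address and port,
peer connected, errors, and flapping (keepalive restarts).

Added example, not the post's own code. The sample logs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LISTEN_RE = re.compile(r"Listening for incoming TCP connection on \[AF_INET\]([\d.]+):(\d+)")
PEER_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\]([\d.]+):(\d+)")
INIT_DONE = "Initialization Sequence Completed"
RESTART_RE = re.compile(r"process restarting")          # logged once per SIGUSR1 restart
ERROR_RE = re.compile(r"\b(error|fatal|failed|cannot)\b", re.IGNORECASE)

# Constructed sample logs (placeholder timestamps and TEST-NET peer addresses).
SITE1_LOG = """\
Tue Mar 06 09:12:01 2018 Listening for incoming TCP connection on [AF_INET]10.0.255.228:1194
Tue Mar 06 09:12:40 2018 TCP connection established with [AF_INET]198.51.100.7:51124
Tue Mar 06 09:12:40 2018 Peer Connection Initiated with [AF_INET]198.51.100.7:51124
Tue Mar 06 09:12:41 2018 Initialization Sequence Completed
"""

SITE2_LOG = """\
Tue Mar 06 09:12:01 2018 TCP/UDP: Socket bind failed on local address [AF_INET]10.0.255.228:1195: Address already in use (WSAEADDRINUSE)
Tue Mar 06 09:12:01 2018 Exiting due to fatal error
"""

FLAPPING_LOG = """\
Tue Mar 06 09:12:01 2018 Listening for incoming TCP connection on [AF_INET]10.0.255.228:1195
Tue Mar 06 09:12:30 2018 Peer Connection Initiated with [AF_INET]198.51.100.9:40112
Tue Mar 06 09:12:31 2018 Initialization Sequence Completed
Tue Mar 06 09:13:31 2018 Inactivity timeout (--ping-restart), restarting
Tue Mar 06 09:13:31 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 06 09:13:33 2018 Listening for incoming TCP connection on [AF_INET]10.0.255.228:1195
"""


@dataclass
class EndpointStatus:
    listening_on: Optional[Tuple[str, int]] = None   # last address:port the endpoint bound to
    peer: Optional[Tuple[str, int]] = None           # last client that completed a handshake
    initialized: bool = False                        # tunnel up at the end of the log
    restarts: int = 0                                # keepalive-driven restarts seen
    errors: List[str] = field(default_factory=list)  # lines that look like failures


def analyze(log_text: str) -> EndpointStatus:
    """Walk the log in order so the status reflects its most recent state."""
    st = EndpointStatus()
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            st.listening_on = (m.group(1), int(m.group(2)))
            continue
        m = PEER_RE.search(line)
        if m:
            st.peer = (m.group(1), int(m.group(2)))
            continue
        if INIT_DONE in line:
            st.initialized = True
        elif RESTART_RE.search(line):
            st.restarts += 1
            st.initialized = False   # a restart tears the tunnel down until init completes again
        elif ERROR_RE.search(line):
            st.errors.append(line.strip())
    return st


def summarize(st: EndpointStatus, expected_ip: str, expected_port: int) -> str:
    """One word per endpoint, in the order a troubleshooter would check things."""
    if st.errors:
        return "error"
    if st.listening_on != (expected_ip, expected_port):
        return "not listening on expected address"
    if not st.initialized:
        return "flapping" if st.restarts else "waiting for client"
    return "connected"


if __name__ == "__main__":
    for name, log, port in (("site1", SITE1_LOG, 1194), ("site2", SITE2_LOG, 1195),
                            ("site2-flapping", FLAPPING_LOG, 1195)):
        st = analyze(log)
        print(name, summarize(st, "10.0.255.228", port), st.peer, st.errors)
```

To use it against the real files, read Program Files\OpenVPN\log\azure-server-site1.log and azure-server-site2.log and pass each to analyze() with the port from the matching config; an endpoint reported as "flapping" points at the keepalive 10 60 settings and the path between the two endpoints rather than at the config itself.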

About Dinesh Sharma

Experienced system architect, programmer, and trainer. This blog is a way of giving back and helping the community. So feel free to ask a question or to leave a comment.