Setting up OpenVPN on Azure

In this blog post, I describe how to set up an OpenVPN server on an Ubuntu 14.04 VM running on Azure. This blog post is an adaptation of "How To Set Up an OpenVPN Server on Ubuntu 14.04"[1] originally posted on the Digital Ocean blog.

By the end of this blog post, you'll have an OpenVPN server (available with two client configurations) that can be connected to securely.

We'll use Azure CLI 2.0[2] to set this up. If you haven't installed it yet, follow the install instructions on its project page.

Once installed, we can log in to our Azure subscription.

$ az login
To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code A11AAAAAA to authenticate.

Now, we create a resource group for our resources.
For this demo, we use southeastasia.
You can also opt to reuse a resource group you may already have if you wish.

$ az group create -n my-vpn-rg -l southeastasia
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-vpn-rg",
  "location": "southeastasia",
  "managedBy": null,
  "name": "my-vpn-rg",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null
}

Soon we'll create our VM but first, below is a cloud-init[3] script that we'll use to install OpenVPN on the VM and get things set up for us.

This script is a modification of another OpenVPN cloud-init script[4]. The modifications I made: allow the script to get the IP address of the VM; change the OpenVPN cipher from BF-CBC to AES-256-CBC[5]; and output two OpenVPN client configurations.

Now, we can create a VM in the region we desire and include the cloud-init script that will run when the VM gets created.

$ az vm create -g my-vpn-rg --image Canonical:UbuntuServer:14.04.4-LTS:latest -n openvpn1 --location southeastasia --size Basic_A0 --storage-sku Standard_LRS --custom-data ~/Dev/open-vpn-init.yml
{
  "fqdns": "",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-vpn-rg/providers/Microsoft.Compute/virtualMachines/openvpn1",
  "location": "southeastasia",
  "macAddress": "00-0D-3A-A0-09-EC",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "52.187.182.125",
  "resourceGroup": "my-vpn-rg"
}

Once the VM is created, the cloud-init script runs on it in the background. While this is happening, we should open the port required by OpenVPN.

$ az vm open-port --port 1194 -g my-vpn-rg -n openvpn1

Finally, we can download the client configurations.
It can take ~5 minutes for the files to be available as the cloud-init script may not yet be complete.

$ scp <IP_ADDRESS>:/home/openvpn/client1.ovpn ~/Downloads/southeastasia1.ovpn
$ scp <IP_ADDRESS>:/home/openvpn/client2.ovpn ~/Downloads/southeastasia2.ovpn
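
Since the point of the cipher change was to move off BF-CBC, it is worth confirming that the downloaded profiles really carry it. The check below is an added example, not part of the original post or of the cloud-init script; `check_ovpn_cipher` is a hypothetical helper name, and it assumes that a profile with no `cipher` line falls back to BF-CBC, the default in the OpenVPN releases of the Ubuntu 14.04 era.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client profile for its data-channel cipher.
# check_ovpn_cipher is a hypothetical helper, not an OpenVPN or Azure tool.

# 64-bit block ciphers exposed to SWEET32 (OpenSSL/OpenVPN cipher names).
WEAK_CIPHERS="BF-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC CAST5-CBC RC2-CBC IDEA-CBC"

# Prints "<verdict> <cipher>"; returns 0 (ok), 1 (weak or missing), 2 (unreadable).
check_ovpn_cipher() {
    [ -r "$1" ] || { echo "error unreadable"; return 2; }
    # Strip CRs so profiles saved with Windows line endings compare correctly.
    tr -d '\r' < "$1" | awk -v weak="$WEAK_CIPHERS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        /^[ \t]*[#;]/ { next }                 # skip commented-out directives
        $1 == "cipher" {
            seen = toupper($2)
            # Be conservative: any weak cipher directive fails the profile.
            if (seen in bad) { print "weak " seen; found = 1; exit 1 }
        }
        END {
            if (found) exit 1
            # Assumption: no directive means the old BF-CBC default applies.
            if (seen == "") { print "weak BF-CBC(default)"; exit 1 }
            print "ok " seen
        }'
}

# Audit every profile named on the command line,
# e.g. ~/Downloads/southeastasia1.ovpn ~/Downloads/southeastasia2.ovpn
for f in "$@"; do
    printf '%s: ' "$f"
    check_ovpn_cipher "$f" || true
done
```

A profile generated by the script described above should report `ok AES-256-CBC`; anything reported as `weak` should be fixed on the server and regenerated rather than edited on the client alone, since both ends must agree on the cipher.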

Now you can import your .ovpn file into the OpenVPN client of your choice.


  1. How To Set Up an OpenVPN Server on Ubuntu 14.04 - https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

  2. Azure CLI 2.0 - https://github.com/azure/azure-cli

  3. Cloud-init - http://cloudinit.readthedocs.io/en/latest/index.html

  4. Digital Ocean open-vpn.yml script - https://github.com/digitalocean/do_user_scripts/blob/master/Ubuntu-14.04/network/open-vpn.yml

  5. OpenVPN and SWEET32 - https://community.openvpn.net/openvpn/wiki/SWEET32