VPN to Azure on PI

From coolscript.org
Jump to navigation Jump to search



This is howto setup an OpenVPN between your Home-LAN and Azure in less than 15 Minutes!!!



Introduction

This Tutorial is about to create a VPN running OpenVPN between your Home-LAN (On-premises) and Azure.

The Setup allows you to route any traffic from your Home-LAN into Azure and vice versa.

The setup is using SNAT on both VPN Server which is the quickest way to solve routing and security issues (eg NSG) and is therefore less secure and has a lower performance because of NAT, but depending on the proposed solution it is possible to skip the SNAT / Netfilter setup.

Optional it is possible to use the Home-OpenVPN Server as default gateway for Home-Clients, this way the home client is adapting the Azure Public IP Address. This is very useful if a public IP address is needed within another country. Note that this configuration requires SNAT for sure. Also note that this can result in a high traffic usage for which you get charged extra by Azure.

The setup is using Port 443 to communicate between the VPN Server because this port is almost alwyas open on WLans but any other port can be chosen too.




Requirements

  • Your Home LAN with internet
  • Raspberry-PI or alternative another Linux Server
  • Azure Subscription
  • Azure CLI Tools installed somewhere
  • Logged on terminal into AZ





Quick installations steps

  • The following steps are needed to setup the VPN:
    • Create an Azure Network using the Azure CLI
    • Create Routing between the networks using the Azure CLI
    • Create VM using the Azure CLI
    • Install OpenVPN on a VM within Azure
    • Setup both OpenVPN Server
    • Setup Home LAN
    • Setup the Home LAN routing





Overview




Openvpn2azure.png





Azure

Create a custom Resurce-ID

Create the Resource-ID VPN-Test. This Resource-ID is used through all command samples below.

az group create --name VPN-Test --location eastus
[email protected]:~# az group create --name VPN-Test --location eastus
{
  "id": "/subscriptions/727d7068-94e3-494a-965a-xxxxx/resourceGroups/VPN-Test",
  "location": "eastus",
  "managedBy": null,
  "name": "VPN-Test",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}

Setup Vnet

Create a Custom Virtual Net

Create the Virtual-Net VNet01. This Name is used through all command samples below.

az network vnet create --name VNet01 \
--resource-group VPN-Test \
--location eastus \
--address-prefix 10.0.0.0/16
[email protected]:~# az network vnet create --name VNet01 --resource-group VPN-Test --location eastus --address-prefix 10.0.0.0/16
{
"newVNet": {
  "addressSpace": {
    "addressPrefixes": [
      "10.0.0.0/16"
    ]
  },
  "bgpCommunities": null,
  "ddosProtectionPlan": null,
  "dhcpOptions": {
    "dnsServers": []
  },
  "enableDdosProtection": false,
  "enableVmProtection": false,
  "etag": "W/\"38ff6021-dede-4633-a431-de744603f625\"",
  "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/virtualNetworks/VNet01",
  "ipAllocations": null,
  "location": "eastus",
  "name": "VNet01",
  "provisioningState": "Succeeded",
  "resourceGroup": "VPN-Test",
  "resourceGuid": "ab5d3b7d-4c7e-4243-aba5-a30a72017666",
  "subnets": [],
  "tags": {},
  "type": "Microsoft.Network/virtualNetworks",
  "virtualNetworkPeerings": []
 }
}






Vnet01.png


Create a Subnet SN01

az network vnet subnet create \  
--address-prefix 10.0.1.0/24 \
--name SN01 \
--resource-group VPN-Test \
--vnet-name VNet01 
[email protected]:~# az network vnet create --name VNet01 --resource-group VPN-Test --location eastus --address-prefix 10.0.0.0/16
{
 "newVNet": {
   "addressSpace": {
     "addressPrefixes": [
       "10.0.0.0/16"
     ]
   },
   "bgpCommunities": null,
   "ddosProtectionPlan": null,
   "dhcpOptions": {
     "dnsServers": []
   },
   "enableDdosProtection": false,
   "enableVmProtection": false,
   "etag": "W/\"38ff6021-dede-4633-a431-de744603f625\"",
   "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/virtualNetworks/VNet01",
   "ipAllocations": null,
   "location": "eastus",
   "name": "VNet01",
   "provisioningState": "Succeeded",
   "resourceGroup": "VPN-Test",
   "resourceGuid": "ab5d3b7d-4c7e-4243-aba5-a30a72017666",
   "subnets": [],
   "tags": {},
   "type": "Microsoft.Network/virtualNetworks",
   "virtualNetworkPeerings": []
 }
}






Vnet01-SN01.png

Create a Subnet SN02

az network vnet subnet create \  
--address-prefix 10.0.2.0/24 \
--name SN02 \
--resource-group VPN-Test \
--vnet-name VNet01 
[email protected]:~# az network vnet subnet create --address-prefix 10.0.2.0/24 --name SN02 --resource-group VPN-Test --vnet-name VNet01
{
 "addressPrefix": "10.0.2.0/24",
 "addressPrefixes": null,
 "delegations": [],
 "etag": "W/\"1930d1f7-7d54-4642-bc87-c73173238b76\"",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/virtualNetworks/VNet01/subnets/SN02",
 "ipAllocations": null,
 "ipConfigurationProfiles": null,
 "ipConfigurations": null,
 "name": "SN02",
 "natGateway": null,
 "networkSecurityGroup": null,
 "privateEndpointNetworkPolicies": "Enabled",
 "privateEndpoints": null,
 "privateLinkServiceNetworkPolicies": "Enabled",
 "provisioningState": "Succeeded",
 "purpose": null,
 "resourceGroup": "VPN-Test",
 "resourceNavigationLinks": null,
 "routeTable": null,
 "serviceAssociationLinks": null,
 "serviceEndpointPolicies": null,
 "serviceEndpoints": null,
 "type": "Microsoft.Network/virtualNetworks/subnets"
}






Vnet01-SN02.png

Create a Route Table

az network route-table create \
 --name MyRouteTable \
--resource-group VPN-Test
[email protected]:~# az network route-table create \
>  --name MyRouteTable \
>  --resource-group VPN-Test
{- Finished ..
 "disableBgpRoutePropagation": false,
 "etag": "W/\"3fca8554-5b01-4201-9ed2-1c55dc55244d\"",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/routeTables/MyRouteTable",
 "location": "eastus",
 "name": "MyRouteTable",
 "provisioningState": "Succeeded",
 "resourceGroup": "VPN-Test",
 "routes": [],
 "subnets": null,
 "tags": null,
 "type": "Microsoft.Network/routeTables"
}






Vnet01-RouteTable.png



Create VPN Route


az network route-table route create \ 
 --name ToVPNTun \ 
 --resource-group VPN-Test \ 
 --route-table-name myRouteTable \  
 --address-prefix 10.9.0.0/24 \ 
 --next-hop-type VirtualAppliance \ 
 --next-hop-ip-address 10.0.1.4 
[email protected]:~# az network route-table route create \
>   --name ToVPNTun \
>   --resource-group VPN-Test \
>   --route-table-name myRouteTable \
>   --address-prefix 10.9.0.0/24 \
>   --next-hop-type VirtualAppliance \
>   --next-hop-ip-address 10.0.1.4

{- Finished ..
 "addressPrefix": "10.9.0.0/24",
 "etag": "W/\"00429bd4-3e32-440d-8163-c543d9781c56\"",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/routeTables/myRouteTable/routes/ToVPNTun",
 "name": "ToVPNTun",
 "nextHopIpAddress": "10.0.1.4",
 "nextHopType": "VirtualAppliance",
 "provisioningState": "Succeeded",
 "resourceGroup": "VPN-Test",
 "type": "Microsoft.Network/routeTables/routes"
}






Vnet01-RouteVPN.png

Create Home Route

az network route-table route create \
 --name ToPrivateSubnet \
 --resource-group VPN-Test \
 --route-table-name myRouteTable \
 --address-prefix 192.168.178.0/24 \
 --next-hop-type VirtualAppliance \
 --next-hop-ip-address 10.0.1.4
[email protected]:~# az network route-table route create \
>   --name ToPrivateSubnet \
>   --resource-group VPN-Test \
>   --route-table-name myRouteTable \
>   --address-prefix 192.168.178.0/24 \
>   --next-hop-type VirtualAppliance \
>   --next-hop-ip-address 10.0.1.4

{- Finished ..
 "addressPrefix": "192.168.178.0/24",
 "etag": "W/\"6f85a76c-1969-4f9e-9190-ba419c7f4436\"",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/routeTables/myRouteTable/routes/ToPrivateSubnet",
 "name": "ToPrivateSubnet",
 "nextHopIpAddress": "10.0.1.44",
 "nextHopType": "VirtualAppliance",
 "provisioningState": "Succeeded",
 "resourceGroup": "VPN-Test",
 "type": "Microsoft.Network/routeTables/routes"
}






Vnet01-RouteHome.png

Associate Subnet SN01

az network vnet subnet update \ 
 --name SN01 \ 
 --vnet-name Vnet01 \ 
 --resource-group VPN-Test \ 
 --route-table MyRouteTable 
[email protected]:~# az network vnet subnet update \
>   --name SN01 \
>   --vnet-name Vnet01 \
>   --resource-group VPN-Test \
>   --route-table MyRouteTable
{
 "addressPrefix": "10.0.1.0/24",
 "addressPrefixes": null,
 "delegations": [],
 "etag": "W/\"437692a4-54c5-4cb9-b9c5-8216f36ed6da\"",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/virtualNetworks/Vnet01/subnets/SN01",
 "ipAllocations": null,
 "ipConfigurationProfiles": null,
 "ipConfigurations": [
   {
     "etag": null,
     "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/networkInterfaces/vm-az-vpngw01VMNic/ipConfigurations/ipconfigvm-az-vpngw01",
     "name": null,
     "privateIpAddress": null,
     "privateIpAllocationMethod": null,
     "provisioningState": null,
     "publicIpAddress": null,
     "resourceGroup": "VPN-Test",
     "subnet": null
   }
 ],
 "name": "SN01",
 "natGateway": null,
 "networkSecurityGroup": null,
 "privateEndpointNetworkPolicies": "Enabled",
 "privateEndpoints": null,
 "privateLinkServiceNetworkPolicies": "Enabled",
 "provisioningState": "Succeeded",
 "purpose": null,
 "resourceGroup": "VPN-Test",
 "resourceNavigationLinks": null,
 "routeTable": {
   "disableBgpRoutePropagation": null,
   "etag": null,
   "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/routeTables/MyRouteTable",
   "location": null,
   "name": null,
   "provisioningState": null,
   "resourceGroup": "VPN-Test",
   "routes": null,
   "subnets": null,
   "tags": null,
   "type": null
 },
 "serviceAssociationLinks": null,
 "serviceEndpointPolicies": null,
 "serviceEndpoints": null,
 "type": "Microsoft.Network/virtualNetworks/subnets"
}






Vnet01-SubnetAssociateSN01.png

Associate Subnet SN02

az network vnet subnet update \
 --name SN02 \
 --vnet-name Vnet01 \
 --resource-group VPN-Test \
 --route-table MyRouteTable
[email protected]:~# az network vnet subnet update \
>   --name SN02 \
>   --vnet-name Vnet01 \
>   --resource-group VPN-Test \
>   --route-table MyRouteTable

{
 "addressPrefix": "10.0.2.0/24",
 "addressPrefixes": null,
 "delegations": [],
 "etag": "W/\"1fa47832-5492-4c2b-b7e4-ea0a7a4e2e7e\"",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/virtualNetworks/Vnet01/subnets/SN02",
 "ipAllocations": null,
 "ipConfigurationProfiles": null,
 "ipConfigurations": [
   {
     "etag": null,
     "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/networkInterfaces/vm-sn02-client01VMNic/ipConfigurations/ipconfigvm-sn02-client01",
     "name": null,
     "privateIpAddress": null,
     "privateIpAllocationMethod": null,
     "provisioningState": null,
     "publicIpAddress": null,
     "resourceGroup": "VPN-Test",
     "subnet": null
   }
 ],
 "name": "SN02",
 "natGateway": null,
 "networkSecurityGroup": null,
 "privateEndpointNetworkPolicies": "Enabled",
 "privateEndpoints": null,
 "privateLinkServiceNetworkPolicies": "Enabled",
 "provisioningState": "Succeeded",
 "purpose": null,
 "resourceGroup": "VPN-Test",
 "resourceNavigationLinks": null,
 "routeTable": {
   "disableBgpRoutePropagation": null,
   "etag": null,
   "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/routeTables/MyRouteTable",
   "location": null,
   "name": null,
   "provisioningState": null,
   "resourceGroup": "VPN-Test",
   "routes": null,
   "subnets": null,
   "tags": null,
   "type": null
 },
 "serviceAssociationLinks": null,
 "serviceEndpointPolicies": null,
 "serviceEndpoints": null,
 "type": "Microsoft.Network/virtualNetworks/subnets"
}







Vnet01-SubnetAssociateSN02.png

Setup the OpenVPN Port (443) to our Azure Gateway

az vm open-port --resource-group VPN-Test \
 --name  vm-az-vpngw01 \
 --port 443 \
 --priority 910
[email protected]:~# az vm open-port --resource-group VPN-Test --name  vm-az-vpngw01 --port 443 --priority 910
{- Finished ..
 "defaultSecurityRules": [
   ....
   ....

   {
     "access": "Allow",
     "description": null,
     "destinationAddressPrefix": "*",
     "destinationAddressPrefixes": [],
     "destinationApplicationSecurityGroups": null,
     "destinationPortRange": "443",
     "destinationPortRanges": [],
     "direction": "Inbound",
     "etag": "W/\"5373a937-ddaf-4392-b364-5a720fdf3723\"",
     "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Network/networkSecurityGroups/vm-az-vpngw01NSG/securityRules/open-port-443",
     "name": "open-port-443",
     "priority": 910,
     "protocol": "*",
     "provisioningState": "Succeeded",
     "resourceGroup": "VPN-Test",
     "sourceAddressPrefix": "*",
     "sourceAddressPrefixes": [],
     "sourceApplicationSecurityGroups": null,
     "sourcePortRange": "*",
     "sourcePortRanges": [],
     "type": "Microsoft.Network/networkSecurityGroups/securityRules"
   }
 ],
 "subnets": null,
 "tags": {},
 "type": "Microsoft.Network/networkSecurityGroups"
}






Vnet01-Allow443.vsdx.png

Create Virtual Machines

Create vm-az-vpngw01 with Static Public IP

Note that this sample includes a static public IP address


az vm create --resource-group VPN-Test \ 
 --name vm-az-vpngw01 --location eastus \ 
 --image "Debian:debian-10:10:latest" \ 
 --vnet-name VNet01 \ 
 --subnet SN01 \ 
 --admin-username azadmin --admin-password xxxxxxxxx \ 
 --size Standard_B2s \ 
 --public-ip-address myPublicIpAddress \ 
 --public-ip-address-allocation static 


[email protected]:~# az vm create --resource-group VPN-Test \
>  --name vm-az-vpngw01 --location eastus \
>  --image "Debian:debian-10:10:latest" \
>  --vnet-name VNet01 \
>  --subnet SN01 \
>  --admin-username azadmin --admin-password xxxxxxxxxx \
>  --size Standard_B2s \
>  --public-ip-address myPublicIpAddress \
>  --public-ip-address-allocation static
{- Finished ..
 "fqdns": "",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Compute/virtualMachines/vm-az-vpngw01",
 "location": "eastus",
 "macAddress": "00-0D-3A-8C-CC-FB",
 "powerState": "VM running",
 "privateIpAddress": "10.0.1.4",
 "publicIpAddress": "52.188.151.230",
 "resourceGroup": "VPN-Test",
 "zones": ""
}






Vnet01-vm-az-vpngw01.png

Create a Client within SN02. No Static Public IP

Note that this sample does not includes a public IP address


 az vm create --resource-group VPN-Test \ 
 --name vm-sn02-client01 --location eastus \ 
 --image "Debian:debian-10:10:latest" \ 
 --vnet-name VNet01 \ 
 --subnet SN02 \ 
 --admin-username azadmin --admin-password xxxxxxxx \ 
 --size Standard_B2s \ 
 --public-ip-address  ""
[email protected]:~# az vm create --resource-group VPN-Test \
>  --name vm-sn02-client01 --location eastus \
>  --image "Debian:debian-10:10:latest" \
>  --vnet-name VNet01 \
>  --subnet SN02 \
>  --admin-username azadmin --admin-password xxxxxxxxxxx \
>  --size Standard_B2s \
>  --public-ip-address 
{- Finished ..
 "fqdns": "",
 "id": "/subscriptions/727d7068-94e3-494a-965a-XXXXX/resourceGroups/VPN-Test/providers/Microsoft.Compute/virtualMachines/vm-sn02-client01",
 "location": "eastus",
 "macAddress": "00-0D-3A-8B-C7-33",
 "powerState": "VM running",
 "privateIpAddress": "10.0.2.4",
 "publicIpAddress": "",
 "resourceGroup": "VPN-Test",
 "zones": ""
}







Vnet01-vm-sn02-client.png

Setup the Azure OpenVPN Gateway

Install

Vm-az-vpngw01.png

Install and setup

Install openvpn, nftables and other required tools

# apt-get install openvpn nftables mc dnsutils net-tools dnsutils curl lynx

Setup IP Forward

  • Allow IP Forward next to other features. Edit /etc/sysctl.conf
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.ip_forward=1
  • Run sysctl to apply the above changes
sysctl -p

Setup Nftables

#!/usr/sbin/nft -f

flush ruleset

table ip filter_v4 {
      chain INPUT {
              type filter hook input priority 0; policy accept;
      }

      chain OUTPUT {
              type filter hook output priority 0; policy accept;
      }

      chain FORWARD {
              type filter hook output priority 0; policy accept;
      }
}

table ip nat {
 
      chain PREROUTING {
              type nat hook prerouting priority -100; policy accept;
      }

      chain POSTROUTING {
              type nat hook postrouting priority 100; policy accept;
              ip saddr 10.9.0.0/24 oifname "eth0" counter snat to 10.0.1.4  comment "SNAT for TUN"
              ip saddr 192.168.178.0/24 oifname "eth0" counter snat to 10.0.1.4  comment "SNAT for HOME"
      }
}
  • Alternative you could set masquerade which is easier to configurate but has a less performance than snat
              ip saddr 10.9.0.0/24 oif "eth0" counter masquerade comment "VPN Masq Rule"
              ip saddr 192.168.178.0/24 oif "eth0" counter masquerade comment "Home Masq Rule"

Start/Stop/Enable Nftables

  • Run to manual start (apply) the script:
nft -f /etc/nftables.conf
  • Run to manual stop nft:
nft flush ruleset
  • To enable at system start run:
systemctl enable nftables

Setup OpenVPN

Server Key

Get the existing static key file or create a new one using:

openvpn --genkey --secret /etc/openvpn/static.key

Configuration

  • Setup the configuration in /etc/openvpn/server.conf
dev tun
proto tcp-server
port 443
ifconfig 10.9.0.1 10.9.0.2
route 192.168.178.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
keepalive 10 60
persist-key
persist-tun
secret /etc/openvpn/static.key
log /var/log/openvpn.log
verb 6

Apply the new configuration to systemctl

systemctl daemon-reload 

Restart OpenVPN

systemctl restart openvpn
  • Key permissions must be 600 depending on the running user which is root in our case
[email protected]:/etc/openvpn# ls static.key -all
-rw------- 1 root root 636 Nov 14 19:37 static.key
  • Ifconfig after openvpn has been started, see tun0
[email protected]:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 10.0.1.4  netmask 255.255.255.0  broadcast 10.0.1.255
       inet6 fe80::20d:3aff:fe8c:ccfb  prefixlen 64  scopeid 0x20<link>
       ether 00:0d:3a:8c:cc:fb  txqueuelen 1000  (Ethernet)
       RX packets 3997  bytes 1924662 (1.8 MiB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 4123  bytes 835293 (815.7 KiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
       inet 127.0.0.1  netmask 255.0.0.0
       inet6 ::1  prefixlen 128  scopeid 0x10<host>
       loop  txqueuelen 1000  (Local Loopback)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 0  bytes 0 (0.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.9.0.1  netmask 255.255.255.255  destination 10.9.0.2
       inet6 fe80::6243:a0d0:cf55:78f7  prefixlen 64  scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 0  bytes 0 (0.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Setup the Raspery-PI OpenVPN Gateway

Install

Rb01.png

Install and setup

Install openvpn, nftables and other required tools

sudo apt-get install openvpn nftables mc dnsutils net-tools dnsutils curl lynx

Setup IP Forward

  • Allow IP Forward next to other features. Edit /etc/sysctl.conf
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.ip_forward=1
  • Run sysctl to apply the above changes
sysctl -p

Setup Nftables

#!/usr/sbin/nft -f

flush ruleset

table ip filter_v4 {
      chain INPUT {
              type filter hook input priority 0; policy accept;
      }

      chain OUTPUT {
              type filter hook output priority 0; policy accept;
      }

      chain FORWARD {
              type filter hook output priority 0; policy accept;
      }
}

table ip nat {
 
      chain PREROUTING {
              type nat hook prerouting priority -100; policy accept;
      }

      chain POSTROUTING {
              type nat hook postrouting priority 100; policy accept;
              ip saddr 10.0.0.0/16 oifname "eth0" counter snat to 10.0.1.4  comment "SNAT for Azure VNet01"
      }
}


  • Alternative you could set masquerade which is easier to configurate but has a less performance than snat
ip saddr 10.0.1.0/24 oif "eth0" counter masquerade comment "SN01 Masq Rule"
ip saddr 10.0.2.0/24 oif "eth0" counter masquerade comment "SN02 Masq Rule"

Start/Stop/Enable Nftables

  • Run to manual start (apply) the script:
nft -f /etc/nftables.conf
  • Run to manual stop nft:
nft flush ruleset
  • To enable at system start run:
systemctl enable nftables

Setup OpenVPN

Server Key

Get the existing static key file or create a new one using:

openvpn --genkey --secret /etc/openvpn/static.key

Configuration

Setup the configuration in /etc/openvpn/server.conf


remote 52.188.151.230
proto tcp-client
port 443
dev tun
ifconfig 10.9.0.2 10.9.0.1
cipher AES-256-CBC
comp-lzo
keepalive 10 60
persist-key
persist-tun
secret /etc/openvpn/static.key
log /var/log/openvpn.log
verb 6
#Default Routing
route 10.0.1.0 255.255.255.0
route 10.0.2.0 255.255.255.0

Apply the new configuration to systemctl

systemctl daemon-reload 

Restart OpenVPN

systemctl restart openvpn

Setup Routing

The quickest way to setup routing within the Home-LAN is to do this on your ISP Router, the following is showing the static route table on a Fritz Box
Fritz-gwconf.png

Standard Route

Home-LAN RB01

The standard route allows the HOME-LAN clients to access the Azure Subnet01 and Subnet01 via RB01, all other packages will pass the default gateway of 192.168.179.1.
This setup will work without SNAT in most cases.
Within the OpenVPN configuration it is needed to define the routing like this:

[email protected] ~ # cat /etc/openvpn/server.conf  | grep route
route 10.0.1.0 255.255.255.0
route 10.0.2.0 255.255.255.0
[email protected] ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG    0      0        0 eth0
10.0.1.0        10.9.0.1        255.255.255.0   UG    0      0        0 tun0
10.0.2.0        10.9.0.1        255.255.255.0   UG    0      0        0 tun0
10.9.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
Home-LAN VM-WIN01
  • Within the standard setup the windows home-client keeps his default gateway
C:\Windows\system32>route print
 
===========================================================================
Persistent Routes:
 Network Address          Netmask  Gateway Address  Metric
         0.0.0.0          0.0.0.0  192.168.178.1         1
===========================================================================
  • The standard setup alows the Windows Home-Client to reach machines within AZ SN1
C:\Windows\system32>tracert 10.0.2.4

Tracing route to 10.0.2.4 over a maximum of 30 hops

 1    <1 ms    <1 ms    <1 ms  FRITZ-NAS [192.168.178.1]
 2     1 ms   219 ms   118 ms  10.9.0.1
 3   111 ms   108 ms   107 ms  10.0.2.4

Trace complete.


Obtain your public IP Address, it should be the one from your ISP Router

C:\Windows\system32>curl ipconfig.io
37.x.y.z

Route through Azure

Home-LAN RB01

This setup allows the Home-LAN VPN Server to become a default gateway for clients,
to do this setup the redirect-gateway autolocal option and remove the static route options

[email protected] ~ # cat /etc/openvpn/server.conf  | grep gateway
#route 10.0.1.0 255.255.255.0
#route 10.0.2.0 255.255.255.0
redirect-gateway autolocal

Then restart openvpn (# systemctl restart openvpn) and see the kernel route:

[email protected] ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.9.0.1        0.0.0.0         UG    0      0        0 tun0
10.9.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

Changing the default route on the Home-LAN Windows client:

C:\Windows\system32> route -p change 0.0.0.0 mask 0.0.0.0 192.168.178.201

Obtain again your public IP Address, it should now be the one from Azure

C:\Windows\system32>curl ipconfig.io
52.188.151.230