You rock !!! awesome video and great explanation
Thanks for the feedback!
Great video! your channel is on my favorites list!
Thanks, please share the channel with others, goal to reach 100K subscribers this year!
Absolutely on the Virtual WAN topic - would love a video on that. Maybe include some thoughts on ExpressRoute Global Reach as well? Thanks! Your videos are excellent!
Thanks for the feedback!
I will start working on Virtual WAN.
Great idea on Global Reach...I need to figure out how to do this without an ExpressRoute in my environment...
:-)
great insider info on Azure! thank you Dean! great video also btw. as always!
Thanks for the feedback!
In 2022, Still You're awesome.
Thanks 👍👍
Super explanation
Thanks! Let me know what other videos I can make for you ☺️
Hi Dean, for Azure OpenVPN does the client need to be domain joined? When you took RDP to the DC I believe it was because the client was already domain joined
Domain joining is not required for the open vpn client solution to work. My home computer is not Domain Joined at all
Thanks for the video. I know how to add my online DNS server in the Azure VPN config file. Is it the same entry in the OpenVPN config file or different?
Technically it’s different. The Azure DNS entries will come down to the VPN client when you connect, additional DNS entries can be manually added in your OpenVPN config…but technically not needed
I saw that you also did not get a Gateway IP assigned. How can you configure the P2S VPN to route all internet network traffic through the VPN as there is no way to modify the server conf?
First of all, this was an update video...I already had a VPN gateway - ruclips.net/video/OTAjPrfKS5U/видео.html
At 3:27 in the video you can see my gateway resources, and the one called AA-vnet-GW-PIP is my public IP for the gateway. So you do need a public IP for your gateway...if you didn't get one, then create one and associate it to the gateway.
The gateway won't do routing for you...for that you need a router. In Azure we route traffic with the User Defined Route (UDR); on prem you should have physical or software routers.
Hi Dean, I currently need a VPN solution for WAH agents to log in from their personal computers to VPN and be able to access our ON PREM network and be able to RDP to the desktops on site. Would this be the solution? Thank you beforehand.
YES openVPN can help you do all that. ☺️
Hey Dean, could it be possible to set this OpenVPN for device-based tunnels?
You mean for site to site VPN…sure, but you need OpenVPN Server on the on prem side or the VPN appliance you have needs to support it
Which transport protocol does OpenVPN use in this type of configuration? Is it UDP or TCP?
TCP
Very nice video Dean!! As always love the way you deliver the content and in very simple language. Would love to see guidance around Virtual WAN and if you could record a video around authenticating via AD while connecting to P2S instead of certs
Thank You
~Ganesh
Thanks Ganesh!
Interesting idea on the P2S with AD Auth.
Is there a reason you prefer that over certificate auth? I originally chose it because it is a seamless user experience.
I will start working on Virtual WAN...stay tuned
Azure Academy I feel AD authentication would be much more secure as it will have to be authenticated via some DC in your infrastructure. The flaw I see in certificates is if someone tries to grab my cert, which is not protected with a private key, and installs it on his machine, he can get access to my network, subject to him having my VPN package
@@jadhav44 Also interested in that, as the native Azure AD support in Azure VPN GW requires the Azure VPN App for Win 10, which unfortunately excludes non-Windows OSes from connecting to the network
I would not say more secure...but differently secure. AD and the method I showed BOTH use certificates...just differently
correct...you need a Windows client to use the AD VPN right now
I have an AD running in Azure and I need to integrate Azure AD with OpenVPN, which is running in OCI. I am getting an SSL error while verifying the authorization checks from the OpenVPN server to Azure AD.
where did you get the cert?
@@AzureAcademy I have created from my local PC and uploaded on azure ad to enable secure ldap
@@nimesis124 it may not be the right type of certificate. Not sure what Azure AD secure ldap requires
@@AzureAcademy Yup, I also don't know, but I followed the OpenVPN official documented procedure to create the cert and uploaded it with secure LDAP in Azure.
Hm…not sure about that one…I haven’t read that doc in a while, and secure ldap wasn’t there as far as I know when I did read it.
My suggestion is to create a cert exactly like I did in the video…if that works then we KNOW something is not right in your ldap cert
So I have my vnet and my v-gw created under the same resource group. Why is it that I can't ping any VMs tied into my vnet? VPN shows connected
Depends on how you are trying to ping.
Ping isn’t a protocol that Azure generally controls. The VMs may have the Windows firewall blocking ping.
Good Explanation!
Thanks Voval!
Hi,
Great video. One question:
The native Azure VPN client needs local admin privileges to connect to the VPN; this will not be possible in an enterprise domain environment. So can we use this OpenVPN as an alternative to it?
I run it on my local computer and my account is a standard user...so from my experience, YES
@@AzureAcademy ok, thanks for your reply. So we can create an OpenVPN profile and share it with n number of domain users, am I right?
If you build it like I did...as cert based...YES, if you use Password auth...then that is specific to each user.
this is cool
👍 Thanks 👍
Thank you very much for the video!! Very illustrative.
I do have a question: I'm trying to skip the charges of the VpnGws that are currently bleeding out my budget, is it possible to have OpenVPN server in a VM that acts as a gateway between the vnet and the vpn clients?
Yes, there is an OpenVPN server in the Azure Market place you can deploy.
Additionally you can create your own VM and install Open VPN server on it
@@AzureAcademy splendid!! Cheers mate!
@@AzureAcademy that sounds like a great idea, do you mind elaborating more on that?
I can...but can you tell me on what exactly I should elaborate?
Hello, it's an awesome video, but can I use the OpenVPN file on Android or iOS?
Great question, I know openVPN works on mobile devices, but I never tried using my windows config file on my phone. I don’t think it works, but give it a try and let me know! 🤔
Hi Dean, great tutorial! Once the vpnconfig.ovpn file has been edited and saved. Can I share it amongst all the users that need to connect, or do we need to run the script on a per user basis? Regards Brendan.
Yes, you need the certs and the .ovpn config file on the client devices before you can connect
@@AzureAcademy Hi Dean, so I only run the script on one PC, then just distribute the files in the VPN folder to all the other endusers?
yes, you create the OpenVPN Config on one system then you can copy the cert and config files to the other clients
docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients
I am currently trying to set up a P2S VPN in a virtual HUB using OpenVPN with RADIUS authentication. So far, I am failing miserably. A video to do this would help a lot.
I will see what I can do…why do you want to use Radius?
@@AzureAcademy It is the only way to use the P2S for mobile devices. I am a fan of the Azure VPN Client App. It's on Mac OS and Windows. I have yet to see it on iOS. I am not an Android user at the moment so I don't know if it's available for them.
Got it…I haven’t set up my VPN for mobile yet…so good to know
When I run this script I don't get this file called profileinfo.txt?
...hmm, what does happen?
I am interested in knowing more about Virtual WAN in the hub and spoke model please.. and this video is very good and explanatory, thanks.
I am working on a virtual WAN video. Is there anything specific you are looking for?
You also mention hub and spoke, can you provide more details on that?
@@AzureAcademy E.g. by enabling S2S VPN, on-prem traffic goes to Azure Virtual WAN (hub), from Virtual WAN to the production VNet (spoke A), from the production VNet to the Development VNet (spoke B). Here how do we define routes for the VNets (spokes)? In this case Virtual WAN shouldn't peer directly to spokes A & B
Perfect...I will get to work on that...stay tuned
Hi, does site-to-site VPN exist in OpenVPN??
Not that I know of, but maybe if you deploy the OpenVPN from the Azure marketplace...it is a full open VPN Server. It might have a site to site in there
YES on VWAN Virtual WAN
Working on Virtual WAN...stay tuned!
Great Tutorial! But is there a way to make the assigned IP static?
Hey Da Great AND powerful Ryan! Great question. Not that I know of...what would the purpose be? What problem are you trying to solve with a Point to Site VPN where a device should always have the same IP?
Generally in the cloud we don't get concerned with the specific names of devices or IP addresses because we treat them as disposable...if we don't need them, delete them.
Rather than pets, where we care about them, maintain them, give them names etc.
So I am interested in WHY you want this...if it is a great reason I can talk to the Product group about adding the feature!
Thanks!
@@AzureAcademy I'm trying to install a Directory Server for my company where it requires a Network Interface Controller (NIC) that locks on to a single IP. Since I'm trying to install it on the VPN, there might be issues since the IPs issued are dynamic. I DM'd you on Facebook; if we could talk more that would really be super. Thanks for the quick reply!
by directory server I assume you mean an Active Directory Domain Controller.
This is NOT something you would want to setup on a Point to Site or client based VPN.
They do not have the bandwidth that is generally needed to have multiple servers and clients talking to it at once. You WOULD want to use a Site to Site VPN for this, or host the DC in Azure. Here is my video on Site to Site VPNs...and you can do it with your DC - ruclips.net/video/9CCZ6I3DRqM/видео.html
It did not change my public IP address as other VPNs do.
Is it possible?
If this is at your home, your client computer has a local IP address, and your router will also have a public IP address. Then when you use the VPN client you will get a new IP address that will connect you to Azure. Does that help?
@@AzureAcademy I want that when i connect with "Azure VPN client" on my local machine, it should change my public IP address as well. Is it possible?
No it won’t change your public IP, but it will open a VPN tunnel which will give you a new IP on the VPN network
Can you do a video where we can create a function to start the server when its in use and automatically shut down when not in use?
Is this even possible?
for Open VPN server running in Azure, you can use the Dev Test Labs function to stop the VM automatically.
It powers down the VM at the same time every day.
no functions needed.
Great!!
Thanks for the feedback!
Access Internet through Azure Point to site VPN?
Do you mean CAN you get to the internet through a VPN...yes, kinda...but generally NO, because you need internet access to get to your VPN, but what you can do is force DNS settings over VPN
to control what they can get to on the internet...does that make sense?
@@AzureAcademy I need the user who is on HomeOffice to connect to Azure and use an Azure internet, for example, to access a web page released by public IP, because users have dynamic IP in their homes.
@@MACHADOPPO In order for them to get to Azure, they need internet access...VPN doesn't work without internet.
If you need them to get to a public web page but you ONLY allow access from specific IP Addresses, then I would change the Allowed addresses to include your entire VPN subnet...for example 172.18.0.0/21
So ANYONE who is on the VPN can get to the web page, but no one else...then you don't need to know the specific IP of each person.
@@AzureAcademy Yes, I know that to access the VPN he needs internet .... What I want him to do when he is connected to the P2S VPN is to use the Public IP to access a WEB page with routing through the Virtual Network gateway, so all HomeOffice users have a single Azure Public IP to reach the Web page released by the Azure public IP. Sorry if my English is not very explanatory, I am Brazilian and I have little fluency in the language. Thank you very much :)
no worries @@MACHADOPPO You are better than I am...I only speak English. 😉
The web page already has a public ip address...and customers all over the internet who go to your page would be routed to that IP address because of global DNS.
This has nothing to do with a P2S VPN
The P2S VPN purpose is to get the external user onto your internal network.
but when they browse the internet they would still use their own Gateway.
What you MIGHT be able to do is use a proxy.
if you included a proxy pac in your P2S VPN then while they are connected to the VPN the internet traffic would go through the proxy
but look into that and see if a proxy is right for you.
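The proxy PAC idea above, worked through as an added example (not code from the video or from the thread's participants): a PAC script that steers internet traffic through a proxy only while the client holds an address from the P2S pool, so the same file is harmless when the tunnel is down. Assumptions are constructed: the P2S client pool 172.18.0.0/21 is the range quoted earlier in the thread, while the proxy address 10.0.1.4:3128 and the VNet range 10.0.0.0/16 are hypothetical.

```javascript
// Added example: PAC script for clients on an Azure P2S VPN.
// Constructed assumptions: P2S client pool 172.18.0.0/21 (quoted in the thread),
// proxy at 10.0.1.4:3128 and VNet 10.0.0.0/16 (both hypothetical).
// Browsers expose myIpAddress() to PAC scripts; it does not exist in Node, so
// FindProxyForURL accepts an optional third argument for offline testing.

var VPN_POOL = { net: "172.18.0.0", prefix: 21 };
var VNET     = { net: "10.0.0.0",   prefix: 16 };
var PROXY    = "PROXY 10.0.1.4:3128";
var DIRECT   = "DIRECT";

// Dotted-quad IPv4 text to an unsigned 32-bit number; -1 when not an IPv4 literal.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var octet = Number(parts[i]);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside net/prefix (a self-contained isInNet equivalent,
// so the script does not depend on the PAC engine's helper).
function inCidr(ip, net, prefix) {
  var a = ipToInt(ip), b = ipToInt(net);
  if (a < 0 || b < 0) return false;
  var mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Address the client currently holds: the PAC engine's myIpAddress() in a
// browser, or an explicit override when run outside one.
function clientAddress(override) {
  if (override) return override;
  if (typeof myIpAddress === "function") return myIpAddress();
  return "0.0.0.0";
}

function FindProxyForURL(url, host, clientIpOverride) {
  var me = clientAddress(clientIpOverride);

  // Literal VNet destinations go straight down the tunnel, never via the proxy.
  if (inCidr(host, VNET.net, VNET.prefix)) return DIRECT;

  // Only a client holding a P2S pool address (i.e. connected) is steered
  // through the proxy; everyone else keeps their own gateway.
  if (inCidr(me, VPN_POOL.net, VPN_POOL.prefix)) return PROXY;

  return DIRECT;
}
```

One caveat to check on the target client before relying on this: myIpAddress() returns whichever address the OS treats as primary, which on some platforms is the LAN adapter rather than the tunnel adapter, in which case the pool check never matches.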
I got an error message while I am connecting with the VPN saying the request has been cancelled by the end user. Why?
no idea...what is the exact error message?
@@AzureAcademy "Dialing VPN Connection xxxxxx. Status = The operation was canceled by the user."
@@Riya-nz4xq have you validated your certificate?
@@AzureAcademy yes
The only time I have seen that is when the client wasn’t configured with the cert and it didn’t know where to connect to.
Did you configure the OpenVPN client with each step as I showed in the video?
You have made this very complicated. Where did the profileinfo.txt suddenly come from? You mention Chocolatey and you said it's an installer, but I didn't see it install anything or its relationship to OpenVPN, if that's what it installed. It's not clear why you created a temp root. I thought all you need to do is create a rootcert.cer for Azure (that's straightforward) and clientcert.pfx like you do for the Azure SSTP (SSL) VPN client, or .cer if you want to extract and put it into the .ovpn. What is the openssl.cnf needed for?
It was used to edit the open VPN files so they can be configured correctly.
The profileinfo.txt file is part of the OpenVPN package.
can you install directly to my router ....
On some...yes but it depends on your router
😊
This is awesome. Please create a Virtual WAN video: Azure native and also how it can integrate with third party solutions like SD-WAN (Citrix or VeloCloud)
Thanks for the feedback!
I am working on Virtual WAN, but not sure how many or if I will be able to cover 3rd party solutions.
You normally need those solutions, and I just have an Azure subscription...so we will see