DIY: Build your own VPN with Microsoft Azure #OSS


Before we start, let's set a few expectations.

  1. We are not building a VPN service! If you plan to build a subscription service with a bunch of servers, please look elsewhere.
  2. Your traffic will exit from an Azure datacenter. If the website or app you are using blocks Microsoft Azure datacenter IP ranges, this will not work for you.

If you want to build your own VPN server for personal use, e.g. travelling, visiting a site that your country blocks, VPN on your mobile phone, caring about your data privacy, not trusting other VPN hosts/apps, or having too many Azure credits, this is the article for you. Bonus: you get a Windows 10 machine sitting in the cloud which you can connect to via mobile phones, cyber café desktops, your neighbour's laptop or anything with internet access and an RDP (Remote Desktop) client. Bear in mind that whatever you type on a machine you do not control, including this VM's password, can be captured there.


So let's start

Here are the things you must have.

  1. An Azure subscription (check out my other posts if you're a startup applying for BizSpark).
  2. Credits on that subscription to provision virtual machines.
  3. 30 minutes of your life (maybe longer depending on skillz)

You can get an Azure subscription through various programs, such as Azure Passes (normally from Microsoft events), an MSDN subscription, Visual Studio Dev Essentials (apply here), a BizSpark subscription, an Azure trial, or any other subscription that allows you to use compute services or virtual machines.


Overview of things

We are using SoftEther, a free, open-source, multi-protocol VPN server, to host the service (kudos to the University of Tsukuba, which develops it). It will run on an Azure virtual machine (Windows 10). You can connect to the VPN server from mobile phones (iPhone, Android, Windows) or desktops (Mac, Windows, Linux). This tutorial uses the OpenVPN client, which is the easiest option for both phones and desktops.


Let's really start

First we'll have to provision a virtual machine on Azure. To do this, go to portal.azure.com and hit the '+' on your left. Click 'Compute', then 'See all', and search for 'Windows 10 Enterprise N'. (Windows client images are only offered to eligible subscriptions such as MSDN/Visual Studio or BizSpark; see the comments below.)


Click the blue 'Create' button (you might need to scroll down to find it). You'll be presented with a few settings. Give your VM a name, a login username and a strong password (this account will be reachable over RDP from the internet until you tighten the network rules at the end), a resource group name (any name will do), and choose the location your VM is going to live in.


Next, choose a size. Pick one that suits you: a small instance will normally do if you don't have too many users. If you're sharing with friends and family, you might want a bigger one.

Next are the network and storage settings. I recommend managed disks for easier management, but a storage account works fine too (just choose managed disks if you are not sure what I am talking about). For the public IP address, I like a static one (easier to manage, because the address will not change). Leave the rest of the settings at their defaults; note that the network security group Azure creates here allows RDP (port 3389) from the whole internet, which we will revisit at the end.


Step 4 is a summary; check that all the info is valid. Continue with the deployment and wait for the machine to provision itself. It normally takes 5 to 10 minutes.


Installing VPN portion

After the machine is done provisioning, we will have to

  1. Log in to the machine (and clean up the features we do not need)
  2. Install the VPN server


As shown in the screenshot above, press the 'Connect' button. It will download an .rdp file. Just open it and key in your username and password to log in to your machine in the cloud. You will get a certificate warning, because the VM uses a self-signed RDP certificate; check that the name in the warning is your VM's public IP or DNS name, then accept it. Do not worry, you are not agreeing to sell your soul.

Once you are in the virtual machine, search for 'Programs and Features'. Once in, click 'Turn Windows features on or off' and:

  1. Check .NET Framework 3.5
  2. Uncheck Microsoft Print to PDF
  3. Uncheck Print and Document Services
  4. Uncheck XPS Services
  5. Uncheck XPS Viewer

Click OK and let Windows download the .NET Framework files from Windows Update. Once that's done, go ahead and restart the machine.

*This is to save resources in our VM. If your VM is a powerful one and you do not care about resources and cost, you can skip this step.
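The same clean-up can be scripted from an elevated PowerShell on the VM instead of clicking through the dialog. This is an added example, not part of the original post: the feature names are the Windows 10 optional-feature identifiers (confirm them on your build with Get-WindowsOptionalFeature -Online), and .NET 3.5 is fetched from Windows Update exactly as the dialog does.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the VM.
# Feature identifiers are the Windows 10 names for the items in the article's list;
# verify with:  Get-WindowsOptionalFeature -Online | Sort-Object FeatureName
$remove = @(
    'Printing-PrintToPDFServices-Features',   # Microsoft Print to PDF
    'Printing-Foundation-Features',           # Print and Document Services
    'Printing-XPSServices-Features',          # XPS Services (XPS Document Writer)
    'Xps-Foundation-Xps-Viewer'               # XPS Viewer
)

foreach ($f in $remove) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    if ($state -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
    }
}

# .NET Framework 3.5 (NetFx3) pulls its payload from Windows Update, like the dialog's prompt.
Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart | Out-Null

# Show the resulting state before rebooting, so a failed download is visible.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -in ($remove + 'NetFx3') } |
    Select-Object FeatureName, State

Restart-Computer
```

If NetFx3 still shows Disabled after this, the VM could not reach Windows Update; retry once the network is up rather than rebooting.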


Once restarted, go back into the machine. Fire up Internet Explorer (OK, I know; you can use Chrome or Edge too) and search for SoftEther VPN. Once you're on the official site (softether.org), go to the download page. You can choose the beta or the stable version; it does not really matter which one. Download 'SoftEther VPN Server' for Windows and run the installer; it installs both the VPN Server and the VPN Server Manager. Finish and launch the VPN Server Manager.



Configuring VPN portion

In the VPN Server Manager, click 'Connect'. The first time, it asks you to set the administrator password for the server (pick a strong one; anyone who has it controls the VPN). After that, check the options as shown in the screenshot below.


Give the VPN (virtual hub) a name or stick to the default. When asked for a dynamic DNS hostname, give it a name of your choice; it becomes <name>.softether.net and resolves to the VM's public IP. Since we gave the VM a static IP, you could also use the IP address directly.


Close that dialog and, in the next one that pops up, check the options as shown in the screenshot below.


Click 'Create User' and give it a username and password. This is the account that will connect to your VPN server. If you want to add friends or family, this is the place to do it: give each person their own account with a strong password, so you can revoke one without affecting the others.


Set the local bridge to the Microsoft Ethernet adapter as shown in the screenshot. On its own the bridge will not get clients online here, because Azure's virtual network only delivers frames for the VM's own MAC address; that is why we enable Virtual NAT and Virtual DHCP (SecureNAT) at the end.


Create a port (listener) for your clients/devices to connect to your VPN. I like to use a custom port: some organisations block the well-known VPN ports, and a custom one might just bypass that. In my example I use 9201, but you can use any other port. This is the TCP port SoftEther listens on, and the one we will open in Azure later.


Next go to the OpenVPN configuration page.


Remember to change the port to the one you configured earlier (this list is the UDP ports for OpenVPN; when the client uses TCP, it connects to the listener from the previous step instead). After that, generate an OpenVPN config file. This file holds the settings your clients/devices need to connect back here. Just click 'Generate', save the zip file somewhere, extract it, and open the 'remote access' .ovpn file (as shown in the screenshot) with Notepad.


Two things to change here.

  1. 'proto udp' to 'proto tcp'
  2. Make sure the port on the 'remote' line is the one you specified

Leave everything else at the defaults. Save this file and send it to your client/device; it holds the settings they need to connect to this server. Keep it off public shares: it names your server and embeds its certificate, although the user password is entered separately in the client.


The last thing to configure is NAT. Without it your clients may authenticate, but they will not get an IP address or a route to the internet, so nothing will work. Click 'Manage Virtual Hub', then 'Virtual NAT and Virtual DHCP Server (SecureNAT)', and enable it. SecureNAT hands out private addresses (192.168.30.0/24 by default) and NATs the clients' traffic out through the VM's own network stack.
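The whole server-side procedure above (hub, user, custom listener, OpenVPN, SecureNAT, config generation) and the two edits to the .ovpn file can be done in one go with vpncmd, the command-line tool that the SoftEther VPN Server installer places next to the server. This is an added example and not code from the original post or from the SoftEther project; every value marked "assumption" (hub name, user, passwords, DDNS name, paths) is a placeholder you replace, and it assumes you already set the administrator password in the 'Connect' step. It goes a little beyond the article by deleting the unused default listeners and regenerating the server certificate with the DDNS name before the client config is generated, so the certificate embedded in the .ovpn matches the hostname the client connects to.

```powershell
# Added example (not from the original post). Elevated PowerShell on the VM, after SoftEther is installed.
$vpncmd   = 'C:\Program Files\SoftEther VPN Server\vpncmd.exe'
$adminPw  = 'change-me-admin'   # assumption: the server administrator password you set in 'Connect'
$hub      = 'VPN'               # assumption: virtual hub name (the default hub works too)
$hubPw    = 'change-me-hub'     # assumption: hub administrator password
$vpnUser  = 'alice'             # assumption: first client account
$vpnPw    = 'change-me-user'    # assumption: strong and unique per person
$vpnPort  = 9201                # the custom TCP listener from the article
$ddnsName = 'myazurevpn'        # assumption: becomes myazurevpn.softether.net
$work     = 'C:\softether-setup'
$outZip   = "$work\openvpn_config.zip"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# One vpncmd command per line; /IN: feeds the batch to the server over one admin session.
# Listeners 992/1194/5555 are SoftEther defaults we do not need; 443 stays for local admin
# (it is never opened in the Azure NSG, so it is not reachable from the internet).
$batch = @"
DynamicDnsSetHostname $ddnsName
HubCreate $hub /PASSWORD:$hubPw
Hub $hub
UserCreate $vpnUser /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $vpnUser /PASSWORD:$vpnPw
SecureNatEnable
ListenerCreate $vpnPort
ListenerDelete 992
ListenerDelete 1194
ListenerDelete 5555
OpenVpnEnable yes /PORTS:$vpnPort
ServerCertRegenerate $ddnsName.softether.net
OpenVpnMakeConfig $outZip
"@
# Note: /PORTS: lists UDP ports; with 'proto tcp' the client uses the TCP listener created above.

$batchFile = "$work\setup.txt"
Set-Content -Path $batchFile -Value $batch -Encoding ASCII
& $vpncmd localhost /SERVER /PASSWORD:$adminPw /IN:$batchFile
if ($LASTEXITCODE -ne 0) { throw "vpncmd batch failed (exit code $LASTEXITCODE)" }
Remove-Item $batchFile   # it contains passwords; do not leave it on disk

# Windows Firewall on the VM must accept the port too (the Azure NSG is a separate layer).
New-NetFirewallRule -DisplayName "SoftEther VPN TCP $vpnPort" -Direction Inbound `
    -Protocol TCP -LocalPort $vpnPort -Action Allow | Out-Null

# Client file: unpack the zip and make the article's two edits (proto and remote port).
$dir = "$work\openvpn_config"
Expand-Archive -Path $outZip -DestinationPath $dir -Force
$ovpn = Get-ChildItem -Path $dir -Filter '*remote_access*.ovpn' | Select-Object -First 1
$cfg  = Get-Content -Path $ovpn.FullName -Raw
$cfg  = $cfg -replace '(?m)^proto\s+udp\s*$', 'proto tcp'
$cfg  = $cfg -replace '(?m)^(remote\s+\S+)\s+\d+\s*$', ('$1 ' + $vpnPort)
Set-Content -Path $ovpn.FullName -Value $cfg -Encoding ASCII

# Show the two lines that matter before handing the file to a client.
Select-String -Path $ovpn.FullName -Pattern '^(proto|remote) '
```

The printed 'proto tcp' and 'remote <host> 9201' lines are what you check against the NSG rule in the next section: the protocol and port there must match these exactly.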


Configuring the last step on Azure

To make the connection work, your machine in the cloud (this virtual machine) needs to accept connections on the port you specified. By default the network security group Azure attached to the VM only lets RDP in, so you need to add an inbound rule allowing the port. To do that, go back to the Azure Portal (you can do this outside the virtual machine).

Go to 'Network interfaces' and click into your network interface as shown in the screenshot below.


Go to 'Network security group' and click into your network security group as shown in the screenshot below.


Go to 'Inbound security rules' and click 'Add' as shown in the screenshot below.


Give the rule a name, choose the protocol (TCP if you set 'proto tcp' in the client file), and key in the port you specified. If you always connect from a known address, set the source to that address instead of 'Any'. Click OK to apply the rule. While you are here, edit the default RDP rule so it only allows your own IP address rather than the whole internet; leaving 3389 open to everyone invites password guessing.
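The same two rule changes from the Az PowerShell module, as an added example that is not part of the original post. Resource group and NSG names, the priority, and the source address are assumptions to replace with your own; the RDP rule is located by its destination port rather than by name, because the portal has named that default rule differently over time.

```powershell
# Added example (not from the original post). Requires the Az module: Install-Module Az; Connect-AzAccount
$rg       = 'myvpn-rg'           # assumption: the resource group you chose when creating the VM
$nsgName  = 'myvpn-vm-nsg'       # assumption: the NSG Azure created alongside the VM
$vpnPort  = 9201                 # the SoftEther listener from the article
$vpnProto = 'Tcp'                # 'Udp' instead if you left 'proto udp' in the .ovpn
$myIp     = '203.0.113.10/32'    # assumption: your own public IP; use '*' only if you must roam
$priority = 310                  # assumption: any value unused by the NSG's existing rules

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# 1. Allow the VPN port in. Source stays open ('*') because VPN clients roam; the
#    listener itself authenticates users. Tighten it if your clients have fixed IPs.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-softether-$vpnPort" `
    -Description 'SoftEther VPN listener (OpenVPN client)' `
    -Access Allow -Protocol $vpnProto -Direction Inbound -Priority $priority `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $vpnPort | Out-Null

# 2. Pin the default RDP rule(s) to your own address instead of the whole internet.
$rdpRules = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.DestinationPortRange -contains '3389'
}
foreach ($r in $rdpRules) {
    $nsg | Set-AzNetworkSecurityRuleConfig -Name $r.Name -Priority $r.Priority `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $myIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
}

# Nothing is applied until the NSG is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: exactly one inbound allow for 3389 with your IP, and one for the VPN port.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange, Access |
    Sort-Object Priority
```

If the VPN still does not connect after this, compare the protocol column with the 'proto' line in the .ovpn file: a TCP rule does nothing for a client configured for UDP, and vice versa.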



Making it work on phone

If you are still following, congratulations! We are all done with configuration. Now we just need to send the .ovpn file to our client/device and connect from there. I am showing an example on an iPhone; this works the same on Android or desktop as long as you have the OpenVPN app/client installed.

First, get the client. On the phone, just go to the App Store and download OpenVPN.


Next, get the .ovpn file onto the phone. You can be creative here: a cloud drive (OneDrive in my case), email, iTunes file transfer into the OpenVPN app, or any other way you can think of to get the file to the OpenVPN app.

I'm using the OneDrive app (really awesome, you should check it out too). Log in to OneDrive, go to the file, tap 'Open in another app' and choose OpenVPN.


Press the '+' button to save the configuration, enter the username and password you created on your VPN server, then press the slider to connect. If you did everything right, this is how it looks.


CONGRATULATIONS! You have created your very own VPN service!

To confirm, turn off the VPN and go to whatismyipaddress.com. It shows your current IP location; for me it is Malaysia. Now try again with the VPN on. It shows I am now in Redmond, Washington, USA.


To recap: we provisioned a virtual machine on Microsoft Azure, installed a VPN server, configured the VPN server and Azure to accept connections, and connected to our server via OpenVPN with the configuration file. Again, you've created a VPN service from scratch.

WITH GREAT POWER COMES GREAT RESPONSIBILITY

Now with your own VPN server, your connection is private from the network you are on: the coffee-shop Wi-Fi and your ISP only see an encrypted tunnel to your Azure VM. You can now access sites blocked by your country and bypass geo-restrictions set by some apps/websites (like watching Hulu outside the US, or Chinese TV shows outside China). You are also safer than the person sitting next to you on public Wi-Fi. Remember, though, that the tunnel ends at your VM; from there traffic leaves with the VM's address, so Azure and the sites you visit see that IP, and you are responsible for what goes through it. While you are enjoying these benefits, please do not break any laws, like downloading pirated content or surfing the dark web for services. Whatever we do online can be traced one way or another 🙂

Have fun and enjoy the freedom 😎

Peace~ V

Comments (10)

  1. Jorge15241 says:

    Great article! I have 4 people in my family, can all 4 of us use this VPN server at the same time? Thank you for the article and in advance for your reply.

    1. ChengBinTham says:

      Yes they can. You can give them a unique user & pass or they can use the same one. There is basically no limit to how many users.

  2. Bela Zsir says:

    Hi, excellent article! However I need some more advice.
    Can I connect using strictly IPv6 to this Azure VPN Server, and have beyond the VPN both IPv4 and IPv6 public addresses?
    The problem I would like to solve:
    My Internet provider moved me to a so-called DS-Lite (Dualstack-Lite) service. This means I have a permanent public IPv6 address but not an own public IPv4 address, when I visit IPv4 sites (most of the websites are still IPv4) all my traffic goes thru the provider’s NAT Server that apparently gets congested very often, so sometimes I get very poor IPv4 service (up to total packet losts). There is no problem with the IPv6 traffic at the same time.
    My plan is to connect to my VPN server via IPv6 (to avoid my provider’s NAT Server at all) and from there to have both IPv6 and IPv4 service.
    Is it doable with Azure, and could you give me some clues for the configuration?

    1. ChengBinTham says:

      I have seen ipv6 configuration on Softether but have not personally tried it out. You may want to play around. Your concept is correct 🙂

  3. Din says:

    Hi Cheng Bin Tham, it seems I could not deploy the vm and I’ve gotten a message error like this:

    {"error":{"code":"ImageNotFound","target":"imageReference","message":"The platform image 'MicrosoftVisualStudio:Windows:10-Enterprise:latest' is not available. Verify that all fields in the storage profile are correct."}}

    FYI, I'm using an MSDN subscriber acc via BizSpark, and it does have Windows 10 N Enterprise in my list.

    How can I troubleshoot this? Can't find an answer anywhere.

    Thanks in advance!

    1. ChengBinTham says:

      You will unfortunately need an MSDN, BizSpark or Visual Studio Developer Subscription moving forward. If you would like to test out a VM, register a 30-day trial account. It will allow you to create a VM.

  4. solobromo says:

    I'm stuck at the beginning with the blue button. It says "Looks like you need an MSDN subscription". I thought any of those subs you listed would do. What am I missing, and is any of this free?

    1. ChengBinTham says:

      Unfortunately you need an MSDN subscription, Visual Studio Developer Subscription or BizSpark subscription.

  5. Sergey Sagan says:

    I followed all of the steps, but in the end I get "OpenVPN Authentication failed" in the client (Android phone). On the server it shows that I had Num Logins of 0, but Last Login of just now... any clues?

    1. ChengBinTham says:

      You may want to check the port on your Azure VM. Whatever port on Softether you have defined must be opened on Azure end.
