Before we start, lets set a few expectations first.
- We are not building a VPN service! If you plan to build a subscription service with a bunch of servers, please look else where.
- The traffic will go out from Azure Datacenter. If the website/app you are browsing/using blacklist Microsoft's Azure datacenter IP addresses, this will not work for you.
If you want to build your own VPN server for personal use, i.e. travelling, visiting a site that your country blocks, VPN on your mobile phone, care about your data privacy, don't trust other VPN host/app, too much Azure credits, this is the article that will interest you. Bonus: you get a Windows 10 machine that sits in the cloud which you can connect via mobile phones, cyber café desktops, your neighbour's laptop or anything that has internet access with RDP(remote desktop) capability.
So lets start
Here are a couple of things that you must have.
- Azure subscription (check out my other posts if you're a startup applying for BizSpark).
- Azure subscription that have credits to provision virtual machines.
- 30 minutes of your life (maybe longer depending on skillz)
You can get an Azure subscription with various programs. Like Azure passes(normally from Microsoft events), MSDN Subscription, Visual Studio Dev Essentials(apply here), BizSpark subscription, Azure trial, or other subscriptions that allows you to use compute services or virtual machines.
Overview of things
We are using Softether an open-source multi-protocol free VPN server software to host the service(Kudos to the university that develops it). It will be on Azure cloud sitting in a virtual machine(Windows 10). You can connect to the VPN server via mobile phones(iPhones, Android, Windows) or desktops(Mac, Windows, Linux). This tutorial is using OpenVPN client (easier for both phones and desktops).
Let's really start
First we'll have to provision a virtual machine on Azure. To do this, go to portal.azure.com and hit the '+' on your left. Click on compute. Click 'see all'. Search for 'Windows 10 Enterprise N'.
Click the blue create button (you might need to scroll down to find it). You'll be presented with a few settings. Give your VM a name, give a user login name and password, give a resource group name(any name will do), choose a location your VM is gonna be at.
Next, choose a size. You can choose one that suits you. Normally a small instance will do if you don't have to much users. If you're sharing with friends and family, you might want to choose a bigger one.
Next would be configuring the network stuff. I would recommend going for manage disk for easier management, but storage account works fine(just choose managed disk if you are not sure what am I talking about). For public ip addresses, I like to use a static one(easy to manage because the IP address will not change). Rest of settings just leave it.
Step 4 is checking all info is valid. Continue with deployment and wait for the machine to provision itself. It will normally take 5-10mins.
Installing VPN portion
After the machine is done provisioning, we will have to
- Login to the machine (clean up the services we do not need)
- Install the VPN server
As shown in screenshot above, press the connect button. It will download an rdp file. Just open it, key in your username and password to login to your machine in the cloud. You can say 'yes' to all the certificate prompt. Do not worry, you are not agreeing to sell your soul.
Once you are in the virtual machine, search for 'program and features'. Once in, click 'turn on and off windows features'
- Check .NET Framework 3.5
- Uncheck Microsoft Print to PDF
- Uncheck Print document and services
- Uncheck XPS services
- Uncheck XP viewer
Click OK and download the framework from Windows Update. Once that's done, you can go ahead and restart the machine.
*This is to save resources in our VM. If your VM is a powerful one and you do not care about resources and cost, you can skip this step.
Once restarted, go back into the machine. Fire up 'Internet Explorer' (Ok, I know. You can use Chrome or Edge too), search for softether VPN. Once you're in the site, go to the download page. You can choose to download the beta or stable version. It does not really matter which one you choose. Download 'Softether VPN Server Manager for Windows' and install it. Install Softether VPN server. Finish and launch the VPN Server Manager.
Configuring VPN portion
At VPN Server Manager, click 'Connect' and give a password. After that, check the options as shown in screenshot below.
Give a VPN name or stick to default. When ask for dynamic hostname, give it a name of your choice.
Exit the config and check the next config that pops up as shown in screenshot below.
Click 'Create User' and give it a username and password. This is your user that is going to connect to your VPN server. If you want to add more friends or family to your VPN server, this is the place to do it.
Set local bridge to Microsoft Ethernet adapter as shown in screenshot.
Create a port for your clients/devices to connect to your VPN. I like to use a custom port. Some organizations block VPN ports, using a custom one might just bypass that. In my example I use 9201. You can use other ports other than 9201.
Next go to the OpenVPN configuration page.
Remember to change the port to the one you configured earlier. After that generate a openvpn config file. This file is the settings you need to give to your client/devices for it to connect back here. Just click generate, save the zip file somewhere, extract the zip file, open the 'remote access.opvn' file (as shown as screenshot) with notepad.
Two things to change here.
- Proto tcp
- Make sure the port is the one you specify
Leave everything else on default. Save this and send this file to your client/device. This will be the setting they need to connect to this server.
Last thing to configure is NAT. Without this, your client will not be able to authenticate and connect back to this server. To do this. Click 'Manage Virtual Hub', 'Virtual NAT and Virtual DHCP' then enable it.
Configuring the last step on Azure
To make the connection work, your machine in the cloud(this virtual machine) will need to accept connection via the port you specify. By default Azure doesn't allow random ports to connect. You will need to whitelist the port(allow the port to accept connection). To do that, go back to Azure Portal (you can do it outside the virtual machine).
Go to network interfaces, click into your network interface as shown in screenshot below.
Go to network security group, click in your network security group as shown in screenshot below.
Go to inbound security rule, click add as shown in the screenshot below.
Give the rule a name and key in the port you specify. Click ok to apply the rule.
Making it work on phone
If you are still following, congratulations! We are all done with configuration. Now we just need to send the .ovpn file to our client/device and connect from there. I am showing an example on the iPhone. This will work with Android or desktop as long as you have OpenVPN app/client installed.
First is to get the client. On the phone, just go to the App Store to download OpenVPN.
Next is to get the .opvn file to the phone. This, you can be creative on how to do it. You can use a cloud drive(in my case OneDrive), email, iTunes transfer to OpenVPN app or any other way you can think of to send the file to OpenVPN app.
I'm using OneDrive app(really awesome, you should check it out too). Login to your OneDrive, go to the file, click on 'open in another app', choose OpenVPN.
Press the '+' button to save the configuration file, input in your username and password you have created on your VPN server. After that, press the slider button to connect. If you do everything right, this is how it looks like.
CONGRATULATIONS! You have created your very own VPN service!
To confirm, turn off the VPN. Go to whatismyipaddress.com. It will show your current IP location. For mine it is in Malaysia. Now try again with the VPN on. It shows me I am now in Redmond, Washington, USA.
To recap what we have done, we had provisioned a virtual machine on Microsoft Azure, installed a VPN server, configured the VPN server and Azure to accept connection, connect via OpenVPN to our server with the configuration file. Again, you've created a VPN service from scratch.
WITH GREAT POWER COMES GREAT RESPONSIBILITY
Now with your own VPN server, your connection will be private. You can now access sites blocked by your country. You can bypass geo-restrictions set by some apps/websites(like watching Hulu out of US, watching Chinese TV shows out of China). You are also now more secured compared to the person sitting next to you on public Wi-Fi at the coffee shop. While you are enjoying all this benefits, please do not break any laws like downloading pirate content or surf the dark web for services. Whatever we do online can be traced one way or another 🙂
Have fun and enjoy the freedom 😎