Enable Azure Active Directory SSO for OpenVPN Cloud

This is the third post in the OpenVPN Cloud series aimed at lab use. In the previous post we created user accounts in the portal but in this step we are going to enable SSO with Azure so we don’t have to create users manually in the OVPN portal.

1) Log onto the OpenVPN Cloud by browsing to your portal URL. This is set to “YourOpenVPNID.openvpn.com”. Log in with the account you signed up with (owner account).

2) Go to Settings section and click on the User Authentication tab and click Edit on the top right corner.

Click on the Configure button under the SAML option

This will open a new window with the SAML configuration details. Keep this window open as you’ll need these details to setup SSO in Azure. 

Now to create an enterprise application in Azure.

3) Log onto Azure Active Directory and create a Group with members who you want to have access to OpenVPN Cloud.

4) Back on Azure AD click on the “Enterprise applications” blade on the left

Click on New Application

And then click on Create your own application.

5) Give you app a name and choose the option “Integrate any other application you don’t find in the gallery (Non-gallery)”

Click Create

6) Under Getting Started click on “Assign users and groups” and go ahead and add the group of users you created earlier

7) Click on “Set up single sign on” on the left and then click on SAML.

8) Click on Edit next to Basic SAML Configuration

9) Refer back to the SAML details provided in the window opened in the OpenVPN Cloud portal and enter the following details.

For Identifier enter the Issuer name.

For Reply URL enter the SSO URL provided.

10) Scroll down to SAML Signing Certificate and copy the App Federation Metadata URL. You’ll need this in a bit.

11) Now back on the OpenVPN Cloud page with the SAML details, click on Next

12) Enter a name for the identity provider and paste in the App Federation Metadata URL from the SAML Signing Certificate section of the enterprise app in Azure.

Click Next and Finish.

13) Head back into Settings and then click on User Authentication and click on Edit on the top right

Select SAML and click on the Update button and the Confirm.

That’s it. The next time you browse to your OpenVPN Cloud portal url you will see a Sign in button which will redirect you to the Azure sign in screen.

OpenVPN Cloud Endpoint Testing

So in the last post we stopped at the point of creating additional users who you want to give VPN access to. I also explained that the connection from the RRAS server to the OpenVPN Cloud counts as 1 out of 3 connections so you are left with two connections for your endpoints/users.

Now let’s get the connector installed on our endpoint device and our users connected.

Just a quick reminder that the portal address is “youropenvpncloudId.openvpn.com”

1) Log into your OpenVPN web portal and add your end users. Note that the email address here must be valid for this to work. Since this is intended for lab use just enter your own for testing.

2) Build a VM with Windows 10 installed. The virtual network adapter must be connected to the Internal switch to join the domain and verify you can ping the domain and maybe access a file share or something.

3) Now change the virtual network adapter so it’s bound to the External switch instead to simulate offsite access. Verify that you cannot ping the domain.

4) On this VM log into the email address you provided for the user which has instructions on how to install the connector app. It’s just a standard MSI so go ahead and install it.

5) Open the connector app and enter your OpenVPN Cloud portal URL.

Sign in with the user account ID you created earlier.

Choose your Region and click Connect. It should only take a few seconds to establish the VPN connection.

Verify that you can ping your domain and access file shares.

You can, of course, install the endpoint connector on a physical domain-joined laptop and connect to your Wi-Fi (assuming your lab is on a Internal/Private network) to test this.

In the next post I will go through instructions on how to enable Azure SSO so you don’t have to manually create the user accounts in the portal and better simulate a production environment.

Split Tunnel VPN with OpenVPN Cloud

I wanted to set up VPN split tunnelling for my home lab to simulate my workplace (which uses a commercial VPN solution ) to build a proof of concept of Windows AutoPilot with on-premise domain access from Azure AD joined devices.

I came across OpenVPN Cloud which provides you with 3 connections for free/personal use.

A couple of notes on my setup:

My host server has one Internal switch and one External switch. I installed RRAS on a Windows server VM in my lab running Windows Server 2016 with two virtual network adapters, one connected to the Internal switch and the other on the External switch. Both have DHCP enabled. Now for the instructions:

1) Install RRAS on a Windows server box (mine is on Windows Server 2016) with two virtual network adapters as mentioned above.

2) Enable routing on the server and follow the rest of these instructions on this RRAS server

3) Sign up for a free personal account and create your OpenVPN ID.

3) Once logged in, click on Networks on the left and and select “Remote Access” and follow the rest of the wizard.

Give your network a name.

Give the connector a name and select your region. This is the RRAS server on which you will have a OpenVPN connector (agent) running.

Add your lab subnet under Private Subnets.

4) Next select where to deploy the connector. I chose Windows, downloaded the connector and installed it on my RRAS server mentioned above.

5) Open the OpenVPN Connector on the RRAS server, sign in with the user account/email address you signed up with and you should see a connection established.

Back on the OpenVPN web portal click Next and wait for the connection to be shown as established on that end too.

6) Next add your internal DNS to the web portal.

7) Click on Users and add a second user. This is the user who will be signing into VPN from an endpoint device over WAN/off-site. You can, of course, create more users here if you wish.

This completes the setup of the OpenVPN Cloud on the server side. I will soon write a follow up post on how to get endpoint devices connected via VPN.

Note that the connector which you installed on the RRAS server and the connection that it established with OpenVPN Cloud is counted as 1 of the 3 free connections you get with the free account. So you actually have only two connections for your endpoint devices. However, for quick POCs and lab use this is more than enough.