KB: Route Based Site-to-Site VPN with OpenWRT/LEDE and Ubuntu VM in Azure

Azure VM Configuration

  • OS: Ubuntu Server 17, etc
  • Virtual Network/Subnet: 10.0.0.0/24
  • Private IP: 10.0.0.4
  • Public IP: 51.x.x.x
  • Inbound security rules
    • Allow UDP 500
    • Allow UDP 4500

Enable IP forwarding

  • Edit /etc/sysctl.conf and enable the following
    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    
  • Apply settings
    sudo sysctl -p
    

Install StrongSwan

# Install strongSwan from the Ubuntu repositories; this provides the charon daemon and
# the `ipsec` command used in the remaining steps.
sudo apt-get install strongswan

Config IPSec – /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no

# Defaults inherited by every conn below: IKEv2 with pre-shared-key authentication,
# 60 min IKE SA lifetime, 20 min CHILD SA lifetime, one keying attempt per setup.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2

# Azure VM side of the tunnel to the OpenWRT router (59.x.x.x).
conn 41D
        # auto=add only loads the conn; the router (auto=start) is expected to initiate.
        auto=add
        type=tunnel
        # Aggressive mode is an IKEv1 concept; it has no effect with keyexchange=ikev2.
        aggressive=no
        # NOTE(review): 3DES, SHA-1 and MODP-1024 (DH group 2) are weak by current standards.
        # Change both ends together, e.g. to aes256-sha256-modp2048, if the router can be updated.
        ike=aes256-sha1-modp1024,3des-sha1-modp1024
        esp=aes256-sha1,3des-sha1
        # XFRM mark; must equal the `key 42` given to `ip tunnel add ... mode vti` in Config VTI.
        mark_in=42
        mark_out=42

        # left = this VM. Its NIC only carries the private address while Azure NATs the public
        # one, so the local address is 10.0.0.4 and the IKE identity is the public IP.
        left=10.0.0.4
        # 0.0.0.0/0: the VM offers itself as default gateway for the remote LAN
        # (see "Config Routing 2" in the router section).
        leftsubnet=0.0.0.0/0
        leftid=51.x.x.x
        leftauth=psk
        leftfirewall=yes

        # right = the OpenWRT router and the LAN behind it.
        # NOTE(review): the router ipsec.conf later on this page announces leftsubnet=192.168.3.0/24,
        # not 192.168.5.0/24; both ends must agree or CHILD SA negotiation fails on traffic selectors.
        right=59.x.x.x
        rightsubnet=192.168.5.0/24
        rightauth=psk
        rightfirewall=yes

Config IPSec – /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
# Format: <local ID> <peer ID> : PSK "<secret>". "secret" is a placeholder: use a long random
# value (e.g. `openssl rand -base64 32`), keep this file root-owned with mode 0600, and use a
# distinct PSK per peer.
59.x.x.x 51.x.x.x : PSK "secret"

Config IPSec – /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        # Do not let charon install routes or assign virtual IPs: routing for this setup is
        # done by hand over vti0 (see Config VTI / Config Routing below).
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Config IPSec – Reconnect

# Restart charon so the edited ipsec.conf / ipsec.secrets / strongswan.conf are picked up
# (this tears down any existing SAs), then print IKE/CHILD SA state to confirm the tunnel.
ipsec restart
ipsec statusall

Config VTI

# Create the VTI that carries the tunnel's plaintext traffic. `key 42` must equal
# mark_in/mark_out in ipsec.conf; `local` is the VM's private IP (Azure NATs the public one).
# NOTE(review): the Azure-gateway KB further down this page also sets
# net.ipv4.conf.vti0.disable_policy=1 before bringing vti0 up; consider the same here if
# forwarded packets are dropped by XFRM policy checks.
# Not persistent across reboots and not idempotent: a second `ip tunnel add vti0` fails.
ip tunnel add vti0 local 10.0.0.4 remote 59.x.x.x mode vti key 42
ip link set vti0 up

Config Routing

# Static route to the on-premises LAN via the VTI; charon does not install routes
# because strongswan.conf sets install_routes=no.
ip route add 192.168.5.0/24 dev vti0

Config SNAT and DNS Forwarding

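# Forward DNS from the tunnel to a public resolver and source-NAT LAN traffic leaving eth0.
# The DNAT rules match only packets from the on-premises LAN (rightsubnet in ipsec.conf), so
# unrelated inbound traffic reaching the VM cannot trigger the redirect; the original rules
# matched every inbound packet to port 53 regardless of source.
# `-A` appends: re-running this block adds duplicate rules (guard with
# `iptables -t nat -C ... || iptables -t nat -A ...` for idempotence). Not persistent across reboots.
iptables -t nat -A PREROUTING -s 192.168.5.0/24 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -s 192.168.5.0/24 -p tcp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j SNAT --to-source 10.0.0.4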

OpenWRT/LEDE Configuration

Install StrongSwan and VTI packages

strongswan-minimal
ip-full
kmod-ip-vti
vtiv4

Config IPSec – /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Defaults inherited by every conn below: IKEv2 with pre-shared-key authentication,
# 60 min IKE SA lifetime, 20 min CHILD SA lifetime, one keying attempt per setup.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2

# Router side of the tunnel to the Azure VM (51.x.x.x).
conn UKGW
        # The router initiates at startup and re-initiates if the peer closes the SA.
        auto=start
        closeaction=restart
        type=tunnel
        # Aggressive mode is an IKEv1 concept; it has no effect with keyexchange=ikev2.
        aggressive=no
        # NOTE(review): 3DES, SHA-1 and MODP-1024 (DH group 2) are weak by current standards.
        # Change both ends together, e.g. to aes256-sha256-modp2048.
        ike=aes256-sha1-modp1024,3des-sha1-modp1024
        esp=aes256-sha1,3des-sha1
        # XFRM mark; must equal the `key 42` of the vti0 tunnel created in Config VTI.
        mark_in=42
        mark_out=42
        # left = this router (WAN address) and the LAN behind it.
        # NOTE(review): the Azure-side ipsec.conf earlier on this page expects rightsubnet=192.168.5.0/24;
        # the traffic selectors must match on both ends or the CHILD SA will not come up.
        left=59.x.x.x
        leftsubnet=192.168.3.0/24
        leftid=59.x.x.x
        leftauth=psk
        leftfirewall=yes

        # right = the Azure VM via its public IP. 0.0.0.0/0 lets the VM act as default route
        # for LAN traffic sent through the tunnel (see Config Routing 2).
        right=51.x.x.x
        rightsubnet=0.0.0.0/0
        rightid=51.x.x.x
        rightauth=psk
        rightfirewall=yes

Config IPSec – /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
# Format: <local ID> <peer ID> : PSK "<secret>". "secret" is a placeholder and must be the same
# value configured on the Azure VM; use a long random value (e.g. `openssl rand -base64 32`)
# and keep this file root-owned with mode 0600.
59.x.x.x 51.x.x.x : PSK "secret"

Config IPSec – /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        # Do not let charon install routes or assign virtual IPs: routing for this setup is
        # done by hand over vti0 (see Config VTI / Config Routing 1 and 2 below).
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Config IPSec – Reconnect

# Restart charon so the edited configuration is picked up (this tears down existing SAs),
# then print IKE/CHILD SA state to confirm the tunnel to the Azure VM is up.
ipsec restart
ipsec statusall

Config VTI

# Create the VTI for the tunnel to the Azure VM. `key 42` must equal mark_in/mark_out in
# ipsec.conf; `local` is the router's WAN address, `remote` the VM's public IP.
# NOTE(review): the Azure-gateway KB further down this page also sets
# net.ipv4.conf.vti0.disable_policy=1 before bringing vti0 up; consider the same here if
# forwarded packets are dropped by XFRM policy checks.
# Not persistent across reboots and not idempotent: a second `ip tunnel add vti0` fails.
ip tunnel add vti0 local 59.x.x.x remote 51.x.x.x mode vti key 42
ip link set vti0 up

Config Routing 1

# Static route to the Azure VNet via the VTI; charon does not install routes
# because strongswan.conf sets install_routes=no.
ip route add 10.0.0.0/24 dev vti0

Config Routing 2 – set subnet default route to Azure VM

# Policy routing: packets sourced from the LAN are looked up in table 1000, whose only route
# is a default via vti0, so all of the LAN's internet-bound traffic goes through the tunnel
# to the Azure VM (which SNATs it; see the Azure section). The router's own traffic is unaffected.
# `ip rule add` is not idempotent (re-running adds a duplicate rule) and nothing here
# persists across reboots.
ip rule add from 192.168.3.0/24 table 1000
ip route add 0.0.0.0/0 dev vti0 table 1000
ip route show table 1000

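# Redirect LAN DNS queries to the Azure VM, which forwards them on (see the Azure section).
# Fixes versus the original: the DNAT target lives in the nat table, so `-t nat` is required
# (without it iptables looks for PREROUTING in the filter table and fails), and the source
# match needs a prefix length — a bare `192.168.3.0` matches only that single host.
iptables -t nat -A PREROUTING -p udp -s 192.168.3.0/24 --dport 53 -j DNAT --to 10.0.0.4
iptables -t nat -A PREROUTING -p tcp -s 192.168.3.0/24 --dport 53 -j DNAT --to 10.0.0.4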

Others

  • Add an interface and a firewall zone for vti0. Allow traffic to and from the LAN.
  • Enable MSS Clamping for VTI interface.

KB: Connecting OpenWRT/LEDE router to Azure Virtual Network Gateway (IKEv2)

 

Step1: Install StrongSwan and other packages

  • strongswan-minimal
  • ip-full
  • kmod-ip-vti
  • vtiv4

Step 2: Config IPSec

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

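config setup
# strictcrlpolicy=yes
# uniqueids = no

# Add connections here.

# Parameter lines are indented so they belong to their section, as ipsec.conf(5) requires;
# the unindented listing this replaces would not be parsed as intended.
# Defaults for every conn: IKEv2 with pre-shared-key authentication, 60 min IKE SA and
# 20 min CHILD SA lifetimes, one keying attempt per setup, MOBIKE disabled.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

# Router side of the tunnel to the Azure Virtual Network Gateway.
conn LONDON
        auto=start
        type=tunnel
        # Aggressive mode is an IKEv1 concept; it has no effect with keyexchange=ikev2.
        aggressive=no
        # NOTE(review): 3DES, SHA-1 and MODP-1024 (DH group 2) are weak by current standards.
        # Check which stronger suites the gateway's IKE policy accepts (e.g. aes256-sha256-modp2048)
        # and prefer those.
        ike=3des-sha1-modp1024
        esp=3des-sha1
        # `mark` already sets both the inbound and outbound XFRM mark; mark_in/mark_out
        # restate the same value. All must equal the `key 42` of the vti0 tunnel in Step 3.
        mark=42
        mark_in=42
        mark_out=42
        # left = this router (WAN address) and the LAN behind it.
        left={router WAN IP}
        leftsubnet=192.168.1.0/24
        leftid={router WAN IP}
        leftauth=psk
        leftfirewall=yes

        # right = the Azure gateway and the VNet address space it fronts.
        right={Azure Virtual Network Gateway public IP}
        rightsubnet={Azure Virtual Network, e.g. 10.1.0.0/24}
        rightid={Azure Virtual Network Gateway public IP}
        rightauth=psk
        rightfirewall=yes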

/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
# Format: <local ID> <peer ID> : PSK "<secret>". "your_secret" is a placeholder and must match
# the shared key configured on the Azure gateway connection; use a long random value
# (e.g. `openssl rand -base64 32`) and keep this file root-owned with mode 0600.
{router WAN IP} {Azure Virtual Network Gateway public IP} : PSK "your_secret"

/etc/strongswan.conf

charon {
        # Do not let charon install routes or assign virtual IPs: routing is done by hand
        # over vti0 in Step 3.
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf

 

Step 3: Config VTI interface for routing

# VTI for the tunnel to the Azure gateway; `key 42` must equal mark/mark_in/mark_out in ipsec.conf.
ip tunnel add vti0 local {router IP} remote {Azure gateway public IP} mode vti key 42
# Disable XFRM policy (SPD) checks on vti0 so packets routed into the interface are not
# dropped for failing to match an IPsec policy. Not persistent: put it in sysctl.conf as well.
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
# Static route to the VNet (charon installs none: install_routes=no). The prefix must match
# rightsubnet in ipsec.conf.
ip route add 10.1.0.0/24 dev vti0

 

Other useful commands:

ipsec restart            # reload configuration (tears down and re-establishes all SAs)
ipsec statusall          # IKE/CHILD SA state and negotiated traffic selectors
ip -s xfrm state         # kernel SAs with packet/byte counters: shows whether traffic is actually being encrypted
ip route list table 220  # routing table charon would normally populate; expected empty here with install_routes=no


Uncomment the following in /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply changes
# Reload /etc/sysctl.conf so ip_forward and the redirect settings take effect without a reboot.
sysctl -p

KB: Copy Blob between Azure Storage Accounts

Step 1: Set source storage context

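# Storage context for the SOURCE account (the closing quote on the key was missing).
# The account key is a credential: it ends up in the PowerShell history when typed here,
# so prefer reading it into a variable from a protected file or prompt.
$src = New-AzureStorageContext -StorageAccountName "storage account name" -StorageAccountKey "storage account key"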

Step 2: Set destination storage context

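# Storage context for the DESTINATION account (the closing quote on the key was missing).
# Same caveat as for $src: keep the account key out of the command line and history.
$dest = New-AzureStorageContext -StorageAccountName "storage account name" -StorageAccountKey "storage account key"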

Step 3: Start async copy

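# Start the server-side asynchronous copy. Fixes: -DestContext must be the $dest context
# created in Step 2 (the original referenced an undefined $destContext), and the closing
# quote on -DestBlob was missing.
Start-AzureStorageBlobCopy -SrcUri "source blob URI" -SrcContext $src -DestContainer "destination container name" -DestContext $dest -DestBlob "destination blob name"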

Step 4: Check completion status

# The copy runs asynchronously in Azure; repeat this until the reported copy status is no longer pending.
Get-AzureStorageBlobCopyState -Blob “destination blob name” -Container “destination container name” -Context $dest

KB: Create Azure VM with Powershell

# Single-pipeline VM creation with the classic Azure cmdlets.
# The admin password is passed on the command line and therefore lands in the shell history;
# supply it from a secure prompt or variable instead. Note that automatic updates are disabled
# and no WinRM endpoint is created (-DisableAutomaticUpdates, -NoWinRMEndpoint).
New-AzureVMConfig -Name {VM_name} -InstanceSize Small -ImageName “image_name” | Add-AzureProvisioningConfig -Windows -AdminUsername {admin_username} -Password {admin_password} -DisableAutomaticUpdates -NoWinRMEndpoint | Set-AzureSubnet {subnet_name} | New-AzureVM -ServiceName {VM_Name} -AffinityGroup {affinityGroup_name} -VNetName {virtual_net_name}

KB: How to create a Windows 7/Windows 8 Azure VM

Step 1: Prepare the Windows 7/Windows 8 .vhd image

  1. Install Windows 7 on a Hyper-V virtual machine
    1. [IMPORTANT] Create a .vhd virtual hard disk instead of .vhdx. Azure VM doesn’t support .vhdx.
    2. [IMPORTANT] Install Enterprise edition so the image can be activated when provisioned in Azure.
    3. [IMPORTANT] Enable Remote Desktop (Updated 2013/10/3: It will be enabled by default when provisioning.)
    4. [IMPORTANT] Create an admin account with a password. Otherwise you cannot log in through Remote Desktop.
  2. SYSPREP the Windows 7/Windows 8 VM
    1. Run C:\WINDOWS\system32\sysprep\sysprep.exe
    2. Select the following options:

    3. Press OK and wait until the VM shutdown.

Step 2: Create the Azure Storage Account (if not exist)

Step 3: Prepare the client machine for uploading the .vhd (if necessary)

  1. Download and install Windows Azure Powershell – http://go.microsoft.com/?linkid=9811175&clcid=0x409
  2. Install the Azure management certificate and private key to User Personal cert store.
  3. Get the Azure subscription ID from the “My Bill” page of the Azure Portal.
  4. Start Windows Azure Powershell
  5. Run Set-AzureSubscription -SubscriptionName YourSubscriptionName -Certificate "file path of the management certificate .cer file" -SubscriptionId YourSubscriptionID

Step 4: Upload the .vhd to Azure Storage

  1. Run Select-AzureSubscription -SubscriptionName YourSubscriptionName
  2. Run Add-AzureVhd -Destination http://{YourAzureStore}.blob.core.windows.net/{YourContainer}/{YourVhd}.vhd -LocalFilePath "file path of the .vhd"

Step 5: Create Virtual Machine Image

Step 6: Create Virtual Machine from My Image Gallery