Setup a VPN Connection into an ARO Cluster with OpenVPN
Authors:
Kevin Collins,
Ricardo Martins
Last Editor:
Dustin Scott
Published Date:
29 March 2023
Modified Date: 25 May 2023
When you configure an Azure Red Hat OpenShift (ARO) cluster with a private only configuration, you will need connectivity to this private network in order to access your cluster. This guide will show you how to configute a point-to-site VPN connection so you won’t need to setup and configure Jump Boxes.
Prerequisites
- a private ARO Cluster
- git
- openssl
Create certificates to use for your VPN Connection
There are many ways and methods to create certificates for VPN, the guide below is one of the ways that works well. Note, that whatever method you use, make sure it supports “X509v3 Extended Key Usage”.
Clone OpenVPN/easy-rsa
git clone https://github.com/OpenVPN/easy-rsa.gitChange to the easyrsa directory
cd easy-rsa/easyrsa3Initialize the PKI
./easyrsa init-pkiEdit certificate parameters
Uncomment and edit the copied template with your values
vim pki/varsset_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL "me@example.net" set_var EASYRSA_REQ_OU "My Organizational Unit"Uncomment (remove the #) the folowing field
#set_var EASYRSA_KEY_SIZE 2048Create the CA:
./easyrsa build-ca nopassGenerate the Server Certificate and Key
./easyrsa build-server-full server nopassGenerate Diffie-Hellman (DH) parameters
./easyrsa gen-dhGenerate client credentials
./easyrsa build-client-full azure nopassSet environment variables for the CA certificate you just created.
CACERT=$(openssl x509 -in pki/ca.crt -outform der | base64)
Set Envrionment Variables
AROCLUSTER=<cluster name>
ARORG=<resource group the cluster is in>
UNIQUEID=$RANDOM
LOCATION=$(az aro show --name $AROCLUSTER --resource-group $ARORG --query location -o tsv)
VNET_NAME=$(az network vnet list -g $ARORG --query '[0].name' -o tsv)
GW_NAME=${USER}_${VNET_NAME}
GW_SUBNET_PREFIX=e.g. 10.0.7.0/24 choose a new available subnet in the VNET your cluster is in.
VPN_PREFIX=172.18.0.0/24
Create an Azure Virtual Network Gateway
Request a public IP Address
az network public-ip create \ -n $USER-pip-$UNIQUEID \ -g $ARORG \ --allocation-method Static \ --sku Standard \ --zone 1 2 3 pip=$(az network public-ip show -g $ARORG --name $USER-pip-$UNIQUEID --query "ipAddress" -o tsv)Create a Gateway Subnet
az network vnet subnet create \ --vnet-name $VNET_NAME \ -n GatewaySubnet \ -g $ARORG \ --address-prefix $GW_SUBNET_PREFIXCreate a virtual network gateway
az network vnet-gateway create \ --name $GW_NAME \ --location $LOCATION \ --public-ip-address $USER-pip-$UNIQUEID \ --resource-group $ARORG \ --vnet $VNET_NAME \ --gateway-type Vpn \ --sku VpnGw3AZ \ --address-prefixes $VPN_PREFIX \ --root-cert-data pki/ca.crt \ --root-cert-name $USER-p2s \ --vpn-type RouteBased \ --vpn-gateway-generation Generation2 \ --client-protocol IkeV2 OpenVPN
go grab a coffee, this takes about 15 - 20 minutes
Configure your OpenVPN Client
Retrieve the VPN Settings
From the Azure Portal - navigate to your Virtual Network Gateway, point to site configuration, and then click Download VPN Client.
This will download a zip file containing the VPN ClientCreate a VPN Client Configuration
Uncompress the file you downloaded in the previous step and edit the OpenVPN\vpnconfig.ovpn file.
Note: The next two commands assume you are still in the easyrsa3 directory.
In the vpnconfig.ovpn replace the $CLIENTCERTIFICATE line with the entire contents of:
openssl x509 -in pki/issued/azure.crtMake sure to copy the —–BEGIN CERTIFICATE—– and the —–END CERTIFICATE—– lines.
also replace $PRIVATEKEY line with the output of:
cat pki/private/azure.keyMake sure to copy the —–BEGIN PRIVATE KEY—– and the —–END PRIVATE KEY—– lines.
add the new OpenVPN configuration file to your OpenVPN client.
mac users - just double click on the vpnserver.ovpn file and it will be automatically imported.
Connect your VPN.
