Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1097026%22%20slang%3D%22en-US%22%3EConfiguring%20Azure%20Linux%20VM%20to%20work%20with%20VPN%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1097026%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20we%20move%20towards%20a%20more%20secure%20world%20Virtual%20Private%20Networks%20(VPNs)%20has%20become%20more%20popular%20as%20people%20try%20to%20protect%20their%20data%20going%20over%20the%20internet.%20But%20installing%20a%20VPN%20client%20on%20the%20OS%20level%20of%20an%20Azure%20Linux%20Virtual%20Machine%20(VM)%20can%20be%20tricky%20and%20frustrating.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20covers%20a%20solution%20to%20a%20common%20scenario%20with%20Azure%20Linux%20VMs%20and%20VPN%20Clients.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22scenario%22%20id%3D%22toc-hId-1061442711%22%20id%3D%22toc-hId-1061442711%22%3EScenario%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20have%20a%20Linux%20VM%20on%20Azure%2C%20you%20install%20a%20VPN%20client%2C%20configure%20it%20and%20connect%20to%20VPN%20server%2C%20all%20of%20a%20sudden%20you%20can%20no%20longer%20SSH%20to%20VM%20or%20access%20service%20on%20the%20VM.%20This%20happens%20because%20the%20VPN%20tunnel%20is%20now%20the%20default%20route%2C%20as%20it%20with%20most%20VPN%20Client.%3C%2FP%3E%0A%3CP%3ESolution%20below%20will%20allow%20the%20VM%20to%20communicate%20as%20normal%20while%20VPN%20client%20is%20connected.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESteps%20below%20are%20done%20on%20an%20Ubuntu%2016.04%20LTS%20VM%20on%20Azure%20this%20might%20be%20different%20on%20other%20distribution%20or%20version%20but%20the%20principal%20are%20the%20same.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--746011752%22%20id%3D%22toc-hId--746011752%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22solution%22%20id%3D%22toc-hId-1741501081%22%20id%3D%22toc-hId-1741501081%22%3ESolution%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFirst%20step%20is%20to%20get%20network%20information%20from%20VM%20before%20the%20VPN%20Client%20connection.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CCODE%3Ecurl%20ipinfo.io%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Ehannel%40VPN-VM1%3A~%24%20curl%20ipinfo.io%0A%7B%0A%20%20%22ip%22%3A%20%2252.246.250.69%22%2C%0A%20%20%22city%22%3A%20%22Quincy%22%2C%0A%20%20%22region%22%3A%20%22Washington%22%2C%0A%20%20%22country%22%3A%20%22US%22%2C%0A%20%20%22loc%22%3A%20%2247.2343%2C-119.8525%22%2C%0A%20%20%22org%22%3A%20%22AS8075%20Microsoft%20Corporation%22%2C%0A%20%20%22postal%22%3A%20%2298848%22%2C%0A%20%20%22timezone%22%3A%20%22America%2FLos_Angeles%22%2C%0A%20%20%22readme%22%3A%20%22https%3A%2F%2Fipinfo.io%2Fmissingauth%22%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3E%3CCODE%3Eroute%20-n%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Ehannel%40VPN-VM1%3A~%24%20route%20-n%0AKernel%20IP%20routing%20table%0ADestination%20%20%20%20%20Gateway%20%20%20%20%20%20%20%20%20Genmask%20%20%20%20%20%20%20%20%20Flags%20Metric%20Ref%20%20%20%20Use%20Iface%0A0.0.0.0%20%20%20%20%20%20%20%20%2010.0.0.1%20%20%20%20%20%20%20%200.0.0.0%20%20%20%20%20%20%20%20%20UG%20%20%20%200%20%20%20%20%20%200%20%20%20%20%20%20%20%200%20eth0%0A10.0.0.0%20%20%20%20%20%20%20%200.0.0.0%20%20%20%20%20%20%20%20%20255.255.255.0%20%20%20U%20%20%20%20%200%20%20%20%20%20%200%20%20%20%20%20%20%20%200%20eth0%0A168.63.129.16%20%20%2010.0.0.1%20%20%20%20%20%20%20%20255.255.255.255%20UGH%20%20%200%20%20%20%20%20%200%20%20%20%20%20%20%20%200%20eth0%0A169.254.169.254%2010.0.0.1%20%20%20%20%20%20%20%20255.255.255.255%20UGH%20%20%200%20%20%20%20%20%200%20%20%20%20%20%20%20%200%20eth0%0Ahannel%40VPN-VM1%3A~%24%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%20the%20output%20take%20note%20of%20the%20interface%2C%20IP%20Addresses%2C%20Subnet%20and%20Gateway.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20class%3D%22figure%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fi.imgur.com%2F7YJcbnn.png%22%20border%3D%220%22%20alt%3D%22Routes%22%20%2F%3E%0A%3CP%20class%3D%22caption%22%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CP%3EBackup%20route%20table%20and%20add%20a%20VPNBypass%20to%20existing%20table.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Esudo%20su%0Acp%20%2Fetc%2Fiproute2%2Frt_tables%20%2Fetc%2Fiproute2%2Frt_tables_orig%0Aecho%20%22250%20%20%20vpnbypass%22%20%26gt%3B%26gt%3B%20%2Fetc%2Fiproute2%2Frt_tables%0Aexit%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUse%20%3CCODE%3Ecat%20%2Fetc%2Fiproute2%2Frt_tables%3C%2FCODE%3E%20to%20confirm%20bypass%20entry%20in%20%3CCODE%3Ert_table%3C%2FCODE%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20sure%20the%20entry%20is%20%3CCODE%3Ert_table%3C%2FCODE%3E%20before%20you%20proceed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUpdate%20the%20%3CSTRONG%3Evpnbypass%3C%2FSTRONG%3E%20table%20to%20bypass%20VPN%20for%20subnet%20communication%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%20that%20i%20am%20using%20the%20subnet%20and%20Ethernet%20name%20to%20add%20the%20rule%20to%20the%20vpnbypass%20table%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Esudo%20ip%20rule%20add%20from%2010.0.0.0%2F24%20table%20vpnbypass%20%23Allow%20communication%20from%20Subnet%0Asudo%20ip%20rule%20add%20to%2010.0.0.0%2F24%20table%20vpnbypass%20%20%23Allow%20communication%20to%20Subnet%0Asudo%20ip%20rule%20add%20to%20169.254.169.254%20table%20vpnbypass%20%20%23Allow%20communication%20to%20Metadata%20Service%0Asudo%20ip%20rule%20add%20to%20169.63.129.16%20table%20vpnbypass%20%20%23Allow%20communication%20to%20Azure%20Fabric%0Asudo%20ip%20route%20add%20table%20vpnbypass%20to%2010.0.0.0%2F24%20dev%20eth0%20%23Selecting%20route%20for%20vpnbypass%20table%0Asudo%20ip%20route%20add%20table%20vpnbypass%20default%20via%2010.0.0.1%20dev%20eth0%20%23selecting%20gateway%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20now%20connect%20to%20VPN%20Client%20and%20it%20should%20not%20interrupted%20your%20current%20connectivity%20but%20any%20communication%20doing%20outside%20of%20VM%20(outside%20of%20subnet)%20will%20use%20the%20VPN%20connection%2C%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3Bto%20confirm%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CCODE%3Ecurl%20ipinfo.io%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Ehannel%40VPN-VM1%3A~%24%20curl%20ipinfo.io%0A%7B%0A%20%20%22ip%22%3A%20%22141.101.166.130%22%2C%0A%20%20%22city%22%3A%20%22San%20Francisco%22%2C%0A%20%20%22region%22%3A%20%22California%22%2C%0A%20%20%22country%22%3A%20%22US%22%2C%0A%20%20%22loc%22%3A%20%2237.7749%2C-122.4194%22%2C%0A%20%20%22org%22%3A%20%22AS46562%20Total%20Server%20Solutions%20L.L.C.%22%2C%0A%20%20%22postal%22%3A%20%2294103%22%2C%0A%20%20%22timezone%22%3A%20%22America%2FLos_Angeles%22%2C%0A%20%20%22readme%22%3A%20%22https%3A%2F%2Fipinfo.io%2Fmissingauth%22%0A%7D%3C%2FCODE%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3EConfirm%20Azure%20Metadata%20is%20also%20working%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CCODE%3Ecurl%20-H%20Metadata%3Atrue%20%22%3CA%20href%3D%22http%3A%2F%2F169.254.169.254%2Fmetadata%2Finstance%2Fnetwork%2Finterface%2F0%2Fipv4%2FipAddress%2F0%2FpublicIpAddress%3Fapi-version%3D2017-08-01%26amp%3Bformat%3Dtext%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2F169.254.169.254%2Fmetadata%2Finstance%2Fnetwork%2Finterface%2F0%2Fipv4%2FipAddress%2F0%2FpublicIpAddress%3Fapi-version%3D2017-08-01%26amp%3Bformat%3Dtext%3C%2FA%3E%22%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Ehannel%40VPN-VM1%3A~%24%20curl%20-H%20Metadata%3Atrue%20%22http%3A%2F%2F169.254.169.254%2Fmetadata%2Finstance%2Fnetwork%2Finterface%2F0%2Fipv4%2FipAddress%2F0%2FpublicIpAddress%3Fapi-version%3D2017-08-01%26amp%3Bformat%3Dtext%22%0A40.65.109.128%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOPTIONALLY%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20have%20VPN%20Client%20connection%20at%20startup%2C%20you%20can%20edit%20the%20%3CCODE%3Erc.local%3C%2FCODE%3E%20file%20to%20make%20sure%20rules%20are%20applied%20on%20reboot.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CCODE%3Esudo%20vi%20%2Fetc%2Frc.local%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3E%3CCODE%3E%3C%2FCODE%3E%3C%2FP%3E%0A%3CP%3EAdd%20the%20following%20lines%20to%20the%20file%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CCODE%3Esudo%20ip%20rule%20add%20from%2010.0.0.0%2F24%20table%20vpnbypass%20%23Allow%20communication%20from%20Subnet%0Asudo%20ip%20rule%20add%20to%2010.0.0.0%2F24%20table%20vpnbypass%20%20%23Allow%20communication%20to%20Subnet%0Asudo%20ip%20rule%20add%20to%20169.254.169.254%20table%20vpnbypass%20%20%23Allow%20communication%20to%20Metadata%20Service%0Asudo%20ip%20rule%20add%20to%20169.63.129.16%20table%20vpnbypass%20%20%23Allow%20communication%20to%20Azure%20Fabric%0Asudo%20ip%20route%20add%20table%20vpnbypass%20to%2010.0.0.0%2F24%20dev%20eth0%20%23Selecting%20route%20for%20vpnbypass%20table%0Asudo%20ip%20route%20add%20table%20vpnbypass%20default%20via%2010.0.0.1%20dev%20eth0%20%23selecting%20gateway%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1097026%22%20slang%3D%22en-US%22%3E%3CP%3EFrustrated%20with%20configuring%20VPN%20Client%20on%20an%20Azure%20Linux%20VM%3F%3F%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1097026%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHannel%20Hazeley%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

As we move towards a more secure world Virtual Private Networks (VPNs) has become more popular as people try to protect their data going over the internet. But installing a VPN client on the OS level of an Azure Linux Virtual Machine (VM) can be tricky and frustrating.

 

This article covers a solution to a common scenario with Azure Linux VMs and VPN Clients.

 

Scenario

 

You have a Linux VM on Azure, you install a VPN client, configure it and connect to VPN server, all of a sudden you can no longer SSH to VM or access service on the VM. This happens because the VPN tunnel is now the default route, as it with most VPN Client.

Solution below will allow the VM to communicate as normal while VPN client is connected.

 

Steps below are done on an Ubuntu 16.04 LTS VM on Azure this might be different on other distribution or version but the principal are the same.

 

Solution

 

First step is to get network information from VM before the VPN Client connection.

 

curl ipinfo.io

hannel@VPN-VM1:~$ curl ipinfo.io
{
  "ip": "52.246.250.69",
  "city": "Quincy",
  "region": "Washington",
  "country": "US",
  "loc": "47.2343,-119.8525",
  "org": "AS8075 Microsoft Corporation",
  "postal": "98848",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

route -n

hannel@VPN-VM1:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
168.63.129.16   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
169.254.169.254 10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
hannel@VPN-VM1:~$

 

From the output take note of the interface, IP Addresses, Subnet and Gateway.

 

Routes

 

Backup route table and add a VPNBypass to existing table.

 

sudo su
cp /etc/iproute2/rt_tables /etc/iproute2/rt_tables_orig
echo "250   vpnbypass" >> /etc/iproute2/rt_tables
exit

 

Use cat /etc/iproute2/rt_tables to confirm bypass entry in rt_table.

 

Make sure the entry is rt_table before you proceed.

 

Update the vpnbypass table to bypass VPN for subnet communication

 

Note that i am using the subnet and Ethernet name to add the rule to the vpnbypass table

 

sudo ip rule add from 10.0.0.0/24 table vpnbypass #Allow communication from Subnet
sudo ip rule add to 10.0.0.0/24 table vpnbypass  #Allow communication to Subnet
sudo ip rule add to 169.254.169.254 table vpnbypass  #Allow communication to Metadata Service
sudo ip rule add to 169.63.129.16 table vpnbypass  #Allow communication to Azure Fabric
sudo ip route add table vpnbypass to 10.0.0.0/24 dev eth0 #Selecting route for vpnbypass table
sudo ip route add table vpnbypass default via 10.0.0.1 dev eth0 #selecting gateway

 

You can now connect to VPN Client and it should not interrupted your current connectivity but any communication doing outside of VM (outside of subnet) will use the VPN connection, to confirm;

 

curl ipinfo.io

hannel@VPN-VM1:~$ curl ipinfo.io
{
  "ip": "141.101.166.130",
  "city": "San Francisco",
  "region": "California",
  "country": "US",
  "loc": "37.7749,-122.4194",
  "org": "AS46562 Total Server Solutions L.L.C.",
  "postal": "94103",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

Confirm Azure Metadata is also working

 

curl -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-ve..."

hannel@VPN-VM1:~$ curl -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-08-01&format=text"
40.65.109.128



OPTIONALLY

 

If you have VPN Client connection at startup, you can edit the rc.local file to make sure rules are applied on reboot.

 

sudo vi /etc/rc.local

Add the following lines to the file

 

sudo ip rule add from 10.0.0.0/24 table vpnbypass #Allow communication from Subnet
sudo ip rule add to 10.0.0.0/24 table vpnbypass  #Allow communication to Subnet
sudo ip rule add to 169.254.169.254 table vpnbypass  #Allow communication to Metadata Service
sudo ip rule add to 169.63.129.16 table vpnbypass  #Allow communication to Azure Fabric
sudo ip route add table vpnbypass to 10.0.0.0/24 dev eth0 #Selecting route for vpnbypass table
sudo ip route add table vpnbypass default via 10.0.0.1 dev eth0 #selecting gateway