Site-to-Site Azure VPN with a Windows RRAS Server

Captions
In this video I demonstrate how to set up a VPN tunnel between a Routing and Remote Access server and Azure. Hello everyone, my name is Travis and this is Ciraltos. I set up a VPN connection between a VNet gateway in Azure and a Routing and Remote Access, or RRAS, server last year to connect my home lab with my network. At the time my home lab was just a VMware Workstation running a couple VMs on a desktop. My lab has grown and most of my VMs are now running on a Hyper-V server, with the exception of that Routing and Remote Access server. In this video I go over deploying a new RRAS server and connecting it to an Azure gateway. The process is not limited to home labs; it could be used for a small office or an environment where a site-to-site VPN to Azure is required. Also, if you plan to take an Azure certification such as the AZ-103, walking through this example with me will give you some good hands-on experience without having to purchase a VPN appliance. Before I get started, please take a second to subscribe and click the bell icon to get alerts on new content. Also click the like button; that helps support this channel. Let's get started.

There are a lot of different configurations that this will work with. For example, I currently have a single subnet on my home network. The RRAS server sits behind a cable modem and VPN traffic is forwarded to that RRAS server. In this configuration I have to set a static gateway to the internal RRAS server for any servers that need to connect to Azure. But I have a couple teenagers in the house, and with all their devices and smart TVs and home automation my subnet is getting stretched; there's not many IPs left for servers. My new configuration will look something like this: the plan is to have one subnet on the Hyper-V server for my home lab. The RRAS server will act as a gateway for that subnet. This will free up IPs on my home network and isolate my lab traffic on its own subnet. I put this project and this video off for a while because I wasn't sure how to address the local networking aspect. There are so many different configuration options I couldn't possibly address all of them in this video, so I'm just going to say that any device that needs to connect to Azure over the VPN will need the RRAS server set as its default gateway. I suspect most people watching this video will know how to set DHCP or a static IP entry and make that happen, but for this video I'm going to focus more on creating that VPN tunnel between the two endpoints and not so much on the actual networking behind it.

There are a couple things needed to get this set up. First, a Windows server to host the Routing and Remote Access role. I'm using Server 2019 in this example, but 2016 would work also. The server will have ports open to the Internet, so it will not be domain joined. My current setup is running Server Core, but I had some issues with configuration settings, so I'm using the full desktop in this example. The server has an internal and an external NIC attached, connected to the internal and external subnet. I also have an Azure subscription and a VNet set up in that subscription. I have admin rights to the firewall, with the option of port forwarding on that firewall. You do not need a static public IP, but one that's relatively consistent will help a lot; I'll dive into that later. The last item is cost. Using a Basic gateway, this setup cost me about $25 per month. Your cost will vary depending on traffic and the size of the gateway selected. It's not possible to deallocate gateways like you can with a VM, so as long as it's on your subscription you're getting charged for it. That's a good reason to set up budgets and cost alerts on your subscription; I have just the video for that, I'll share it above.

Here's an overview of how this will look once finished. If I had an enterprise firewall I could just handle the VPN termination there, but I don't, so instead I'm forwarding the IPsec ports UDP 500 and UDP 4500 to the RRAS server. As stated, this setup requires that you forward inbound traffic. You'll need to verify that your modem, ISP or any other device is not blocking that inbound traffic. It's possible that some of you may have a modem that's also a firewall; you'll have to figure out how to forward ports in that situation. As I said before, there are a lot of options and I can't cover everything. To get this to work in whatever setup, those two ports will need to be forwarded to the Routing and Remote Access server.

Here are the steps we're going to go over in the demo: we're going to add the Routing and Remote Access role to the server, we're going to create an Azure network gateway, we're going to create a local network gateway in Azure, we're going to configure Routing and Remote Access for the VPN, and we're going to create the connection and then test. Let's get started.

Here I am logged into the Routing and Remote Access server. I'm going to go to Manage, Add Roles and Features. I'll click Next to step through the wizard, selecting the local server. Under Server Roles select Remote Access and click Next. Click Next at Features. This will take you to Remote Access. Under Role Services select DirectAccess and VPN; at the screen that opens select Add Features. Next select Routing under Role Services and click Next. Continue by clicking Next on the confirmation pages and then Install. It'll take a few minutes to finish. Once done, open Routing and Remote Access to verify it installed. The service will show stopped; we'll come back and finish configuration shortly.

OK, to get started, the first thing I'm going to do is create a gateway subnet. This is a subnet in the VNet with the name GatewaySubnet; it has to have that GatewaySubnet name. You do have the option to set this up when you deploy the gateway, but I didn't want to set it up in advance so we can see the whole process. So the first thing I'm going to do is go into my VNet and go to Subnets, and I'm going to create a gateway subnet. I'm going to change this to 10.0.200.0, and really you can use any subnet you want for this; I'm just picking 200 kind of at random. And I'm going to put a /27. The minimum is a /28, but I'll just add /27 so there's a couple extra IP addresses in there. The rest can be left as is. I'll click OK and now it's creating that subnet. So we can go in and see that gateway subnet; it has the IP addresses of 10.0.200.0 to .31, and the rest can be left as it is. Now I'm going to go back to my network resource group.

Next I'm going to create the virtual network gateway. I do that by creating a resource, and I'll search for Virtual Network Gateway. And here it is; I'll select Virtual Network Gateway and Create. I'll leave the subscription as pay-as-you-go. I need a name for this and I'll call it LabGW1, for gateway one. You may notice that the resource group will be the resource group of the virtual network that you select later on. So I'm going to select the same location as my virtual network. The gateway type is VPN and the VPN type is route-based. Route-based gateways direct traffic based on the routing information in the routing table and forward packets to the proper tunnel interface; the packets are encrypted and decrypted in and out of that tunnel. Policy-based, on the other hand, encrypts and directs packets based on the IPsec policy configuration with a combination of address prefixes between your on-premises network and the Azure VNet. This is available only for Basic gateways and is limited to one tunnel. So I'm just going to leave this as route-based. The SKU is going to be Basic, and the only option is Generation 1. The Basic SKU is considered a legacy SKU and has some feature limitations, but it is the cheapest and it works well for a lab. I'm just going to select my virtual network, and you can see next it's going to pull that gateway subnet address that we already configured. I'm going to create a new public IP address, and I'm going to give this the public IP name of, let's see here, LabGW_PIP. And I'll leave Enable active-active mode and Configure BGP as disabled. Next is the tags; I'm just going to give this, let's see here, Department, and I'll give it IT. Review and Create. The validation passed, so I'm going to hit Create. Next I'll wait for it to finish. This will sometimes take up to 45 minutes to finish, so I'm just going to let it go. I'll pause here and I'll be back once it's finished.

I'm back, and the virtual network gateway has finished. It did take quite some time, but let's move on. So the next thing I'm going to do is create a local gateway. So what this is, is it's a representation of your VPN endpoint in Azure. This is where it gets some of its configuration information and how it knows what to connect to. So let's create a resource and search for local gateway, or local network gateway. There it is, and I'll hit Create. So I'll give it a name; I'll just call it homelab. Now the IP address is the IP address of the endpoint, so this would be my local, and again local refers to local to me, not to Azure, so it's my home network external IP address. And I like to use a tool called IP Chicken to find this. You can use any tool you want to, but IPChicken.com will give you your public IP address. So I'll come back, copy that and paste it in. OK, so next is address space. So what it's asking for is, what are the address spaces or the subnets on that remote network? And in my case I'm only going to have one, but you could have multiple. OK, so my remote network is going to be 192.168.200.0. Resource group: I like to put all my networking objects, at least for a specific region, in one resource group; they're easier to find that way. I'll leave the location at Central US, and next I'm going to click Create.

The next thing I'm going to do is hop back to my local Routing and Remote Access server and finish the configuration on that. So here you can see I have two network cards. I've got an internal that's connected to an internal Hyper-V switch, so I can route traffic from anything within that Hyper-V host, and the host itself, over that interface. And that doesn't need to be a static IP address because that's the gateway for anything on that 200 network. So external, in this case, is just external to the internal network, I guess. So that's going to be connected to the 192.168.254 network; again, that's just the same network as all of my household appliances are on, and then that's going to proxy the connection out over the internet connection. But anyway, in this little environment external is just external to that internal network, and that's what's going to connect to the internet.

So now I'm going to go into Routing and Remote Access and I'm going to right-click and Configure and Enable Routing and Remote Access. So I'll click Next at the wizard. For the configuration I'm going to use Secure connection between two private networks. I'll click Next, and I'll leave demand-dial as Yes, and my clients are going to get an IP address automatically, so I'll leave that as Yes. I can leave that as is and just click Finish, and we'll let it get the services started. And it's going to prompt me for another wizard here in a second. OK, here is the Demand-Dial Interface Wizard. So I'm going to click Next and I'll give this interface a name. This is the interface that's going to actually connect to the VPN endpoint in Azure, so I'm going to call it AzureGW, and I'll click Next. And I'm going to connect using a VPN, and for the VPN type I will select IKEv2. Now it's asking me for the remote IP address of the host. I'll find that located in the public IP information on that gateway. Let's hop back to the Azure portal and we'll get that information. We'll go to Resource Groups; everything is in my Network RG resource group, and LabGW1 PIP for the public IP. I'm just going to copy that; that is the IP address it's going to connect to. I'm going to leave this as Route IP packets. Here it wants me to configure a static route. So what this does is it tells the Routing and Remote Access server, any time it gets an IP packet bound for a specific IP address, to send it out the VPN interface. So in order to do this I have to add a destination network.

And what I'm going to do, let's just hop back to Azure, because we really didn't talk about this. If I go to Network RG, I'm going to go into my virtual network; under Address Spaces there's the address space that that VNet will host. In this case it's 10.0.0.0/16, so anything within that address space could exist in this VNet, and that's further cut down into subnets. So that's what we actually assign NICs to, but here it's saying that anything in the 10.0.0.0/16 could exist on this VNet. So I'm going to go back and add 10.0.0.0/16; that is 255.255.0.0, and for the metric I will just put 10. So there it is, and then I'll click Next. And for this dialog, credentials, I can leave that blank for now, and Finish. OK, let's review that to make sure it's set up. OK, there it goes. So Network Interfaces: here's the AzureGW demand-dial, and it's enabled but it's disconnected, which is what I would expect. And let's go into IPv4, General, demand-dial: there's nothing showing there. Static Routes: now I actually had a problem with this, and I thought I was going maybe a little bit nuts, but under Static Routes here for IPv4 and IPv6 there's nothing, and the problem is we just set that up but it's not here. So I'm not sure if that was for something different or what's going on, but you do have to add a new static route. This is a repeat of what we did before, but all I'm doing is having that same destination, and the metric, I'll change that back to 10. So although I thought I set this up when I deployed the network interface, it didn't take. So this, you can see here, it's going to use this route to initiate the demand-dial connection, and I'll click OK. There, now our static route is in there. That is important; this won't work without having the static route in, and again that IP address is the address space on the VNet in Azure.

OK, so that's set up, but we still have to go back to Azure. Here we go. I'm going to go back into my network resource group, I'm going to go into the homelab local network gateway, and under Connections I'm going to add a connection. So a connection is the representation of the actual VPN tunnel; this is where it's going to get some VPN information and the shared key. So I'm going to call this LabConnection. I'm going to select LabGW1 for the virtual network gateway, so that's the gateway in Azure. homelab is already selected for the local network gateway; so again, that's the endpoint, the VPN endpoint on my local network. And then a pre-shared key: I'm going to call this newkey123, and of course that will be changed by the time you see this. I'll leave it IKEv2 and the rest is the same. I'm going to click OK. I'll give it a second to create it. There it is; it's updating. If we come back in a couple minutes it'll say it's trying to connect.

I'm going to hop back to the server and see what's going on there. Let's see, Network Interfaces: it's disconnected. Now there's one more thing I need to do before this will connect. I'm going to go back to my web browser, and I'm not sure how much I'll actually show you of this, but this is a dated firewall that I use on my network. But what I want to show is that under Virtual Servers in port forwarding I have two ports forwarded; they're UDP 500 and UDP 4500, and right now they're going to 192.168.254.200. That's my old server that I had set up. Let's go back to my server; I'm just going to run a command here. Here, the external interface which is going to connect to that subnet is .201, so I need to go back and I need to update this. So I'm going to change it from 200 to 201. OK, that's saved, but this router will not take that configuration until it's rebooted, so I'm going to reboot it real quick and then come back and finish up. While we're waiting for that to reboot: each router is going to have a different configuration. As I said before, maybe you have a cable modem or DSL modem and firewall combined; I happen to have them on two separate devices. So there could be a lot of options in how to configure port forwarding. If you're having problems, I'd suggest standing up an IIS or Apache server on that network and hosting a simple website on port 80, and configuring the router to route external traffic to that. Once you're able to forward traffic to a web server, you should be able to use that same configuration as guidance to forward traffic to the 4500 and 500 UDP ports. It's just a little bit easier to troubleshoot if you can see that ports are actually being forwarded correctly.

OK, so that's done. I'm going to go back to the server, and I have one more thing to do. I'm going to go into this gateway, I'm going to go into Properties, Security, and I have to add that passphrase. So there it is, and I'll click OK. Now let's go back to the portal. That is saying updating; let me just refresh it. OK, so that's set to connecting, but it's not connected yet, and the AzureGW interface still shows disconnected. This is a demand-dial interface, meaning it actually has to get some traffic before it'll connect. So let me just ping something on the Azure subnet and see if I can get that connection established. OK, that failed, but let me go back and do a refresh. There, it says it's connected. I'm going to refresh this; it still says connecting. OK, there we go, now it's connected. And just to let you know, I did have to restart my router a second time; not quite sure why that is, but that was an issue on my end, not with the RRAS server or with Azure. Let's come back, and we can see we've got some traffic getting past. Let me try pinging again. Creating a ping from this computer initiated a demand-dial session and connected. The problem is, the traffic is still coming from a 192.168.254 IP address, not the 200, which was defined in the local gateway. So what I did is I just added a server here; so this is the IP address of 192.168.220 here, you can see, and what I'm going to do is simply try to ping that server in Azure. There we go, now we're getting a reply back. And I can show that: here we go to homelab and we go into, let's see here, Configuration. You can see I have an address space of 192.168.200.0, so that's telling the gateway and the VPN connection that that subnet exists on the other side of that VPN connection. But what I don't have in here is 192.168.254, which is the IP address of that Routing and Remote Access server, so it's not going to return traffic to there. But it will return traffic where it matters, and that's anything on that internal .200 subnet. Now if I minimize this and come back to the Routing and Remote Access server, we can see that the demand-dial is passing traffic in both directions.

OK, so we can connect to a server that is located in the Azure subnet, but one problem we have is I can't really connect to anything else. So for example if I try to simply ping a DNS server, it won't work, and that's because we haven't configured the Routing and Remote Access server to act like a proxy server. So let's go back here, and we're going to go into NAT. So this is going to configure the network address translation, so everything in that internal subnet is going to be masked, or NATed, behind the external interface. So we do that by adding a new interface. I'm going to pick Internal; I notice I have two of them here, could be because of some of my testing, or maybe you'll have two as well. I'm just going to pick the first one and see if that works, and that's going to be the private interface. So Internal is the private; it's the only option here anyway. And then I'll click OK. And next I'm going to add another new interface; this time it's External. I'll click OK, and I'm going to change this to Public interface connected to the Internet, and I'm going to enable network address translation on this interface. So I'll click Apply and OK. And now let's go back and see if I can ping that server. Yep, that works. Let's just see, let's see what IP Chicken says. There it is. So that is now working; these servers can get to the internet and they can also get to the subnet in Azure.

OK, one more thing before we go: what happens when your ISP changes your public IP address? So you would notice that this would break; this wouldn't work. So what would you do? You would go back into Azure, you would find what your new external IP address is using IP Chicken or something like that, and then come in and find your homelab configuration and update the IP address in Configuration to the new IP address, and that should take care of it. That is a downside to having a home lab behind a dynamically assigned public IP address, but to be honest, I've done this and I don't think I've had to change it once, just because my internet connection is always on, and even if it restarts it normally gets the same IP address back. But I'm sure all ISPs are different; some people may be changing that more frequently. OK, so I think that covers it for the demo. We added the Routing and Remote Access Service role, we got our public IP address for the local network, we created a gateway in Azure and the gateway subnet, we created a local network gateway, and then we created a connection. We finished configuring the Routing and Remote Access server; that included changing the port forwarding on my firewall. We created a connection and then we finished it all up. Then we tested it by running a ping command from a server on that internal network. That's it for the demo. That does it for this video. If you found it helpful, please subscribe and click the bell icon. Thanks for watching!
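The same procedure as a script, added here as an example and not the video author's own commands: the first half uses the Az PowerShell module to build the GatewaySubnet, virtual network gateway, local network gateway and connection, and the second half uses the RemoteAccess module and netsh on the Windows server to create the IKEv2 demand-dial interface, its static route, the IPsec proposal and NAT. Names that follow the video are LabGW1, homelab, AzureGW, LabConnection, 10.0.200.0/27, 10.0.0.0/16 and 192.168.200.0/24; the resource group Network-RG, the VNet name LabVNet, the placeholder public IP 203.0.113.10, the NIC names Internal and External, and the 10.0.1.4 test target are assumptions. The pre-shared key is generated from a CSPRNG instead of a memorable string, and the cipher suite is pinned to AES-256/SHA-256 so RRAS does not offer MD5, SHA-1 or 3DES on the wire.

```powershell
# ===== Part 1: Azure side. Run from a workstation after Connect-AzAccount. =====
$rg        = 'Network-RG'          # assumption: resource group that holds the VNet
$location  = 'centralus'
$vnetName  = 'LabVNet'             # assumption: VNet whose address space is 10.0.0.0/16
$onPremIp  = '203.0.113.10'        # assumption: your current public IP (TEST-NET-3 placeholder)
$onPremLan = '192.168.200.0/24'    # the RRAS server's internal subnet; 192.168.254.x is NOT listed,
                                   # so Azure will not route replies to the RRAS external address

# 256-bit random PSK as 64 hex characters; Azure allows 1-128 printable ASCII characters.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = [byte[]]::new(32)
$rng.GetBytes($bytes)
$psk   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# GatewaySubnet: the name is mandatory; /27 leaves headroom over the /28 minimum.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.200.0/27' -VirtualNetwork $vnet |
    Set-AzVirtualNetwork | Out-Null
$vnet     = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Virtual network gateway: VPN, route-based, Basic SKU (needs a Basic, dynamic public IP), BGP off.
$pip = New-AzPublicIpAddress -Name 'LabGW1-PIP' -ResourceGroupName $rg -Location $location `
           -Sku Basic -AllocationMethod Dynamic
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name 'LabGW1' -ResourceGroupName $rg -Location $location `
           -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic   # 30-45 min

# Local network gateway: the on-prem endpoint and the prefixes that live behind it.
$lng = New-AzLocalNetworkGateway -Name 'homelab' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress $onPremIp -AddressPrefix $onPremLan

# Connection: the tunnel itself, IKEv2 with the generated PSK.
New-AzVirtualNetworkGatewayConnection -Name 'LabConnection' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 -SharedKey $psk | Out-Null

# Carry these two values to the RRAS server (the PSK over a channel you trust, not chat).
$azurePip = (Get-AzPublicIpAddress -Name 'LabGW1-PIP' -ResourceGroupName $rg).IpAddress
"Azure gateway IP: $azurePip"
"PSK: $psk"
# When the ISP hands out a new public IP, only the local network gateway needs updating:
#   Set-AzLocalNetworkGateway -LocalNetworkGateway $lng -GatewayIpAddress '<new public IP>'

# ===== Part 2: RRAS side. Run in an elevated PowerShell on the non-domain-joined server. =====
$azurePip = Read-Host 'Azure gateway public IP'
$psk      = Read-Host 'Pre-shared key'

Install-WindowsFeature RemoteAccess, Routing, RSAT-RemoteAccess-PowerShell -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType VpnS2S

# Demand-dial interface to Azure. -IPv4Subnet is the static route (prefix:metric) that triggers
# the dial; without it nothing ever brings the tunnel up. Add -Persistent for an always-on tunnel.
Add-VpnS2SInterface -Name 'AzureGW' -Protocol IKEv2 -Destination $azurePip `
    -AuthenticationMethod PSKOnly -SharedSecret $psk -IPv4Subnet @('10.0.0.0/16:10') | Out-Null

# Pin the IKE/IPsec proposal to a suite Azure's default responder accepts. Group2 is the
# fallback if Group14 is rejected; PfsGroup None matches Microsoft's published RRAS-to-Azure
# settings (a Basic SKU gateway cannot carry a custom IPsec policy on the Azure side).
Set-VpnS2SInterface -Name 'AzureGW' -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -SALifeTimeSeconds 3600 -SADataSizeForRenegotiationKilobytes 102400000

# NAT: 'Internal' is the private side, 'External' the public side (assumption: NIC names match).
netsh routing ip nat install | Out-Null
netsh routing ip nat add interface name="Internal" mode=private
netsh routing ip nat add interface name="External" mode=full

# Host firewall: only IKE and NAT-T inbound, which is also all the edge router should forward.
New-NetFirewallRule -DisplayName 'IKEv2 S2S (UDP 500/4500)' -Direction Inbound -Protocol UDP `
    -LocalPort 500,4500 -Action Allow | Out-Null

# Bring the tunnel up and verify; ConnectionState should read Connected within a few seconds.
Connect-VpnS2SInterface -Name 'AzureGW'
Get-VpnS2SInterface -Name 'AzureGW' | Select-Object Name, ConnectionState, Destination
Get-VpnS2SInterfaceStatistics -Name 'AzureGW'
# From a lab VM on 192.168.200.0/24 with RRAS as its default gateway (assumed target):
#   Test-NetConnection 10.0.1.4 -TraceRoute
```

Two points worth checking after the script runs. First, Azure only answers traffic whose source falls inside the local network gateway's address prefixes, which is why a ping from the RRAS server's own 192.168.254.x address gets no reply while a lab VM on 192.168.200.0/24 does; add the extra prefix to the local network gateway if the server itself must reach the VNet. Second, the tunnel's security rests entirely on the PSK and the negotiated suite, so keep the key out of scripts committed anywhere and confirm with `Get-VpnS2SInterface` (the `EncryptionMethod`, `IntegrityCheckMethod` and `DHGroup` fields) that the pinned policy, not a weaker default, is what came up.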
Info
Channel: Travis Roberts
Views: 10,537
Rating: 4.9652176 out of 5
Keywords: Home lab, home, lab, VPN, IKE, IKEv2, IPSec, Port, port forwarding, Azure, Azure VPN, RRAS, Routing and Remote Access, Server2019, Server 2016, Microsoft, Windows, Network Gateway, Local Gateway, External IP, AZ-103, Azure Certification, certification, S2S, Site to Site, site-to-site
Id: QQ40gxxxT8Y
Length: 25min 14sec (1514 seconds)
Published: Fri Jan 03 2020