UPDATE 2018-03-02: The Streisand project now supports fully automatic creation of VPN server instances on Azure. Hurray!
I've run into some problems recently while trying to set up multiple instances of Streisand VPN. It seems that on Microsoft Azure there's no easy way to copy or export/import firewall (Network Security Group, NSG) configuration between different resource groups using the Azure Portal. Fortunately, Azure has a CLI (version 2.0 now) which can be used to set up network security groups in an automated fashion.
Choosing the subscription to use with the CLI
If you use Azure, chances are you have multiple subscriptions associated with your account. With the Azure CLI you have to choose upfront which subscription will be used for subsequent commands. To list the subscriptions available in your account, use:
$ az account list --output table
This will produce output like this:
$ az account list --output table
Name CloudName SubscriptionId State IsDefault
------------------------------------ ----------- ------------------------------------ ------- -----------
Visual Studio Professional with MSDN AzureCloud XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX Enabled True
Visual Studio Enterprise with MSDN AzureCloud XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX Enabled
To choose the default subscription, run:
$ az account set --subscription "Visual Studio Enterprise with MSDN"
This won't produce any output; rerun az account list --output table and look at the IsDefault column if you want to make sure the subscription context has been changed successfully.
Setting up Network Security Group rules
The following script sets up all the rules needed by the current (April 2017) version of Streisand VPN. Assign the VM's resource group name to RG_NAME and its network security group name to NSG_NAME.
#!/bin/sh
# Stop at the first failing command so a half-created rule set does not go unnoticed.
set -e

RG_NAME=phalanx-rg
NSG_NAME=phalanx-nsg

# Every rule below relies on the az CLI defaults for the options it leaves out:
# --direction Inbound, --access Allow and --source-address-prefix '*' (any source).
# That is what a public VPN endpoint needs, but it also means each rule opens
# its port to the whole Internet, so keep the list to what Streisand actually uses.

# HTTPS (Streisand Gateway)
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-https \
  --priority 1010 \
  --destination-port-range 443 \
  --protocol Tcp

# L2TP-IPSEC
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-l2tp-ipsec-1 \
  --priority 1021 \
  --destination-port-range 500 \
  --protocol Udp
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-l2tp-ipsec-2 \
  --priority 1022 \
  --destination-port-range 1701 \
  --protocol Udp
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-l2tp-ipsec-3 \
  --priority 1023 \
  --destination-port-range 4500 \
  --protocol Udp

# OpenVPN
# (not adding DNS rule)
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-openvpn-1 \
  --priority 1031 \
  --destination-port-range 636 \
  --protocol Tcp
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-openvpn-2 \
  --priority 1032 \
  --destination-port-range 8757 \
  --protocol Udp

# OpenConnect / Cisco AnyConnect (TCP and UDP on the same port, hence protocol '*')
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-openconnect \
  --priority 1040 \
  --destination-port-range 4443 \
  --protocol '*'

# Shadowsocks
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-shadowsocks \
  --priority 1050 \
  --destination-port-range 8530 \
  --protocol Tcp

# Stunnel
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-stunnel \
  --priority 1060 \
  --destination-port-range 993 \
  --protocol Tcp

# Tor
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-tor-1-bridge \
  --priority 1071 \
  --destination-port-range 8443 \
  --protocol Tcp
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-tor-2-obfs4 \
  --priority 1072 \
  --destination-port-range 9443 \
  --protocol Tcp

# WireGuard
# (not adding DNS rule)
az network nsg rule create --resource-group "$RG_NAME" --nsg-name "$NSG_NAME" \
  --name allow-wireguard \
  --priority 1080 \
  --destination-port-range 51820 \
  --protocol Udp
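The problem raised at the top of the post (no way to copy NSG rules between resource groups from the Portal) and the script above (a dozen ports opened to any source) both come down to the same two operations on the rule listing: audit it and reproduce it. The following is an added example, not code from the post or its Gist. It consumes the JSON that `az network nsg rule list -g RG --nsg-name NSG -o json` prints (a constructed sample is embedded, with field names as the CLI reports them), flags any inbound Allow rule on a port the Streisand script does not open, and renders every rule as an explicit `az network nsg rule create` call against a target NSG; the resource group and NSG names used are placeholders.

```python
import json

# Inbound (protocol, port) pairs opened by the Streisand NSG script above,
# spelled the way the az CLI reports them ("*" means any protocol).
STREISAND_RULES = {
    ("Tcp", "443"), ("Udp", "500"), ("Udp", "1701"), ("Udp", "4500"),
    ("Tcp", "636"), ("Udp", "8757"), ("*", "4443"), ("Tcp", "8530"),
    ("Tcp", "993"), ("Tcp", "8443"), ("Tcp", "9443"), ("Udp", "51820"),
}

# Constructed sample of `az network nsg rule list -g RG --nsg-name NSG -o json`,
# trimmed to the fields used here. The SSH rule is the kind of stray opening an
# audit should surface; the Deny rule shows that denies do not count as exposure.
SAMPLE_RULES_JSON = """[
 {"name": "allow-https", "priority": 1010, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
 {"name": "allow-wireguard", "priority": 1080, "direction": "Inbound", "access": "Allow",
  "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "51820"},
 {"name": "allow-ssh-anywhere", "priority": 1090, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "deny-smb", "priority": 4000, "direction": "Inbound", "access": "Deny",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "445"}
]"""


def load_rules(text):
    """Parse the JSON list the az CLI prints for `nsg rule list`."""
    return json.loads(text)


def unexpected_openings(rules, expected=STREISAND_RULES):
    """Names of inbound Allow rules whose (protocol, port) Streisand does not need."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and (r["protocol"], r["destinationPortRange"]) not in expected]


def clone_commands(rules, rg, nsg):
    """Render every rule as an `az network nsg rule create` call against another NSG,
    passing direction, access and source prefix explicitly instead of relying on defaults."""
    return [
        f"az network nsg rule create --resource-group {rg} --nsg-name {nsg} "
        f"--name {r['name']} --priority {r['priority']} --direction {r['direction']} "
        f"--access {r['access']} --protocol '{r['protocol']}' "
        f"--source-address-prefix '{r['sourceAddressPrefix']}' "
        f"--destination-port-range {r['destinationPortRange']}"
        for r in sorted(rules, key=lambda r: r["priority"])]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    print("unexpected openings:", unexpected_openings(rules))
    print("\n".join(clone_commands(rules, "other-rg", "other-nsg")))
```

To run it against a real NSG, replace SAMPLE_RULES_JSON with the output of the az command named above; rules using destinationPortRanges (a list) instead of destinationPortRange would need the comparison extended.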
You can find all the code from this post in this Gist. If you have any comments, the About page has some info on how to reach me.
If you like this post, send me a postcard!