Setting up a Windows VPN Server on Azure

June 8, 2014

I recently decided that I wanted to secure all of my network traffic using a VPN. Just search for Edward Snowden and you will come up with a few reasons why a VPN connection is a good idea these days. I am going to set mine up in Azure – just because. If you want to get a VPN connection, I would recommend buying a monthly service instead because it will be cheaper and probably offers more features as well. In fact, there was a slickdeals deal just a couple of days ago for ~$5/month. The VPN server I will be setting up in Azure will run you about ~$67/month, so it's really a no-brainer. This also gave me an opportunity to learn more about Azure features. So, here goes.

Setting Up A Virtual Network

The VPN server you will create later in the tutorial will be placed inside this network and the network will act as the private address space for VPN clients.

    1. Login to Azure and click on the Networks tab in the menu.
    2. Click New->Network Services->Virtual Network->Quick Create
    3. Enter the settings that you would like for the network. Here’s a look at mine.

[screenshot: virtual network settings]

Launch a Windows Server

Now we'll set up the Windows machine that will act as the VPN server.

  1. Start by going to the Virtual Machines tab and click on New->Compute->Virtual Machine->From Gallery.
  2. Select Windows Server 2012 R2 Datacenter for the image
  3. In the first VM configuration page, give the server a name and set a username and password to remote desktop to the server. I am going to set up my server as an A1 size image. You can choose a bigger size if needed.
    [screenshot: VM configuration, page 1]
  4. In the second VM configuration page, there are a few settings that you need to change.
  5. For Region/Affinity Group/Virtual Network, choose the virtual network that we created earlier. I will choose the testVpnNetwork that I created.
  6. Add a new endpoint to the server. Name it SSTP and allow TCP port 443. This is required because we will be using the SSTP protocol for the VPN connection.
  7. Your page should look something like this.
    [screenshot: VM configuration, page 2]
  8. Click the check box to create the server.
  9. Wait until the server is up and running and then click on connect and open the rdp file to remote desktop to the server.

Setting Up Remote Access on Windows Server

Set up Remote Access just like you would on any other Windows server. It is well documented and this blog was helpful when I was setting this up. I'll go through the important steps here.

  1. Add the Remote Access role to the server. On the Server Manager dashboard, select Add Roles and Features.
  2. Click Next until you hit the Server Roles page. Check Remote Access and click Next.
  3. In the Roles Services page, click Direct Access and VPN(RAS). Click Add Features on the popup window. Also check Routing.
  4. Then continue clicking Next and finally Install.

While you are waiting for that to finish, you need to set up the SSL certificate that will be used to secure the VPN connection. Azure automatically provisions a certificate on each VM and installs it in the Personal certificate store of the Local Machine. It is a self-signed certificate, but it is good enough for our purposes. Since it is self-signed, it won't be trusted by your Windows client PC, so you will need to copy the certificate and install it on your Windows PC as a trusted certificate. Note that the .cer export in the steps below contains only the public certificate; the private key stays on the server, and because you are installing the certificate as a trusted root, your PC will trust anything signed with that key, so keep the key there. We'll do that now.

  1. Open MMC by clicking start and typing mmc.exe.
  2. Add the certificates snap in. File->Add/Remove Snap in and choose certificates and Computer Account.
  3. If you look in the Personal certificates store, there should be a single certificate there and it will have the same name that you gave your cloud service in Azure when you were setting up the server. My certificate is named testWinVpnServer.cloudapp.net.
  4. Right click on the certificate and choose All Tasks->Export. Export as a .cer and save the file. You need to transfer it to your local Windows PC by emailing it to yourself or by transferring the file through remote desktop itself.
  5. Once the file is on your local machine, double click on it and click on Install certificate. Install it into the Local Machine and select Place all certificates in the following store and choose Trusted Root Certification Authorities. Click Next and Finish.

Go back to the Remote Access installation wizard and hopefully it is now complete. Click on the Open Getting Started Wizard to configure Remote Access.

Configuring Remote Access

  1. Choose Deploy VPN only. DirectAccess is built for split tunneling: your corporate website request goes through the VPN network while your Netflix stream goes through your local internet. We want everything to go through the VPN network, so we will deploy only VPN.
  2. In the Routing and Remote Access windows that opened, right click on the server and select Configure and Enable Routing and Remote Access.
  3. Choose custom configuration and check VPN access and NAT. Then Finish.
  4. Hit Start Service to start the service.
  5. Once it's running, right click on the server name again and choose Properties. Then under the Security tab, under SSL certificate binding, choose the certificate ending in cloudapp.net.
  6. Click on the IPv4 tab. Here you will set up the VPN server to assign IP addresses to clients from a static pool, since there is no DHCP server available.
  7. Under IPv4 address assignment, choose Static address pool and click on Add.
  8. Enter an IP address range that is within the subnet you configured in Azure. I’ll choose 10.0.0.100 to 10.0.0.200.
  9. Hit OK and you may need to restart the service.
  10. Now right click on the NAT option under the Server Name and select New Interface.
  11. Select Ethernet2. Then choose Public Interface connected to the Internet and check Enable NAT on this interface. I chose Ethernet2 here since that is the interface that is connected to the internet on my server. On your server it might be named something else, but probably not.
  12. Hit OK.
  13. You need to give the Administrator user permission to connect using VPN. You can do that in MMC. Open it by searching for mmc.exe.
  14. Click Add/Remove Snap-in and select Local Users and Groups.
  15. Select the users tab and then right click on your user and select properties.
  16. Select the Dial-in tab and under Network Access Permission, select Allow Access.
  17. You now have the server set up. Let's get the client set up as well.

Setting Up Windows 8.1 Client for VPN

  1. Open the Network and Sharing center. Just open start and search for it.
  2. Click Set up a new connection or network.
  3. Choose Connect to a workplace.
  4. Click Use my internet connection.
  5. Enter the cloud app service url. For me it is, testWinVpnServer.cloudapp.net. Go to Azure->Cloud services to find out the url.
  6. Give the connection a name and click Create.
  7. Click on change adapter settings from the Network and Sharing Center.
  8. Find the VPN adapter you just created.
  9. Click on the Security tab.
  10. Select Secure Socket Tunneling Protocol (SSTP) for Type of VPN.
  11. Select Require Encryption for Data Encryption.
  12. Hit OK.
  13. You can right click on the adapter and choose Connect to connect to the server. You will need to enter the same credentials you used to login to the server.
  14. Here's a look at my settings.

[screenshot: VPN client connection settings]
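The certificate export, trusted-root import and SSTP client setup from the steps above, as an added PowerShell example that is not from the original post. It uses the post's cloud service name testWinVpnServer.cloudapp.net; the thumbprint comparison is an extra check, and the expected thumbprint is a placeholder you fill in from the server's output.

```powershell
# Added example (not from the original post): the GUI steps above done in PowerShell.
# Assumes the cloud service name from the post; adjust names and paths for your deployment.

# --- On the VPN server (elevated PowerShell over the RDP session) ---
$serverName = 'testWinVpnServer.cloudapp.net'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$serverName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $serverName found in LocalMachine\My" }

# Export only the public certificate (.cer). The private key never leaves the server;
# the client does not need it, so do not export a .pfx for this step.
$cerOnServer = "$env:USERPROFILE\Desktop\$serverName.cer"
Export-Certificate -Cert $cert -FilePath $cerOnServer -Type CERT | Out-Null
Write-Host "Server certificate thumbprint: $($cert.Thumbprint)"   # copy this value down

# --- On the Windows 8.1 client (elevated PowerShell) ---
$cerPath = "$env:USERPROFILE\Downloads\testWinVpnServer.cloudapp.net.cer"
$expectedThumbprint = '<THUMBPRINT PRINTED ON THE SERVER>'   # placeholder, not a real value

# Compare the thumbprint before trusting the file: the certificate becomes a root CA
# on this PC, so a file swapped in transit (email, RDP clipboard) would be trusted
# for every site, not just the VPN server.
$incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($incoming.Thumbprint -ne $expectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($incoming.Thumbprint); refusing to install"
}
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Same settings the post sets in the adapter's Security tab: SSTP and Require Encryption.
Add-VpnConnection -Name 'AzureVpn' -ServerAddress 'testWinVpnServer.cloudapp.net' `
    -TunnelType Sstp -EncryptionLevel Required -AuthenticationMethod MSChapv2 `
    -RememberCredential:$false -Force

# Connect with the server's local account (rasdial prompts for the credentials):
#   rasdial 'AzureVpn'
```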

And there you have it. You are now connected to your very own VPN service. You can test it by searching whatismyip on bing and verify that the IP address matches the Virtual IP of the VPN server. Note that using a VPN server can drastically impact your network speeds. Here’s a comparison on my home network.

[screenshots: speed test without VPN vs. speed test over the VPN]

That's right! A whopping >50% slower. Maybe I won't have it connected all the time…hmm.

An Ode to Portland

February 18, 2014

As I get ready to say goodbye to Portland, I wanted to recollect the things that I love about this city where I’ve lived for the past 3 years. To begin with, I can’t say that I ever actually liked Portland. Even before I moved here, I felt like it was only going to be temporary and that feeling never changed in all the time here. What has changed is that I’ve come to know Portland as a very quirky, fun and naturally stunning city instead of the hippy town that I was led to believe.

Just this week, I saw an article that rated Portland as the #1 best place to live. I'm not sure that I agree with a #1 rating, but they do bring up a lot of good things about Portland, especially the food. The food here is absolutely amazing. I've tried more ethnic foods in 3 years in Portland than in all my time in Texas. Part of the reason might be that I'm no longer a broke college student, but Portland offers so many more options in terms of cuisine. When I was in Texas, the options were more or less BBQ and Tex-Mex, although that's changing for the better. And there's a lack of chain restaurants in Portland, which is a really good thing. Almost all the places are local mom n pop shops and the food tastes so absolutely authentic that you really believe this must be what they make at home. They don't try to cater the food to the audience's palate, which was a refreshing change coming from Texas. Gyro House and Salt n Straw are two places that I'll definitely miss about Portland :( but here's a quite incomplete list of some more places you should definitely go if you ever find yourself in Portland: bete lukas, screen door, mother's, tasty n sons, nicholas, pine state biscuits.

When I was first driving through Oregon, I got a bit frustrated that the drivers were going so slow. Virtually no one was speeding, and even then at most 5 miles over. I've since had this conversation with many people in Oregon and they all agree that Oregonians just generally drive slow. 5 under seems to be the general speed, whereas in most other places traffic is going at 5 over the speed limit. It's not that they are trying to be extra cautious or anything because of the rain or because the roads are wet. I think it's because they ain't got anywhere they need to be by speeding. They are just driving slow and taking in the sights. If ever there were a people that stopped and smelled the roses, then these are it. The laid back attitude was a bit unnerving at first, but you'll start to enjoy it too. There is an openness of mind and acceptance of every idiosyncrasy that's quite refreshing.

The other thing I noticed is that most everyone is in pretty good shape physically and the urge to be physically active is contagious. You move here and in a few months you'll be starting some regular physical activity, guaranteed. After moving here, I started hiking, rode a bike to work a couple of times, climbed an actual mountain, went fishing, freshwater rafting, snowshoeing, snowboarding, skydiving… it's truly amazing the things I've gotten the chance to do since moving here. I would've never imagined doing half of these things in my lifetime. I went skydiving within two months of moving here. I think the natural beauty of Oregon just invites you to be outdoors and just do something, even if it's simply to go for a run.

There are two things that I will absolutely miss about Portland: chicken gyros from Gyro House and the friends that I made here. There is no better. In the end though, I never quite felt at home in Portland. There was something missing. Part of the reason might be that I didn't have any family here. Maybe I couldn't get used to the weather when I've lived all my life in fairly warm climates. Or maybe it's just fate, because even though there are so many individual pieces that I like about Portland, I never liked the whole when you put it all together, and I'm not quite sure why. There was some feng shui missing. But I do know that Portland certainly deserves to be on that best places to live list.


Using the AWS flow framework in a Maven project

September 18, 2013

Recently, I’ve had to use the SWF flow framework for Java for an existing project using Maven. The developer guide and online examples only talk about using Eclipse and Ant and so I had to do some googling to find out how.

I wasted a lot of time looking into Aspect Oriented Programming (AOP) and finding out that Netbeans doesn’t support it and then trying to use the maven-processor-plugin. But in the end it turned out pretty simple and easy. The solution was more or less given in this stack overflow answer. But that goes into more background detail than necessary. I just wanted to get the basic steps to get going and I’ve copied it here.

        1. Install the AWS JAVA SDK – download from http://aws.amazon.com/sdkforjava/
        2. Install the flow framework jar with Maven using the following command. You must run this command from the lib folder of the AWS SDK installation folder, which contains the aws-java-sdk-flow-build-tools jar file.
          mvn install:install-file -Dfile=aws-java-sdk-flow-build-tools-<version>.jar -DgroupId=com.amazonaws -DartifactId=aws-java-sdk-flow-build-tools -Dversion=<version> -Dpackaging=jar 
        3. Add the following dependencies to your project pom. Note that I’ve put the versions that I’m currently using. If you’ve moved to a newer version, then use that version number. The versions here have been tested as working.
          <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.11</version>
            <scope>test</scope>
          </dependency>
          <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>aws-java-sdk</artifactId>
            <version>1.5.5</version>
          </dependency>
          <dependency>
            <groupId>org.aspectj</groupId>
            <artifactId>aspectjrt</artifactId>
            <version>1.7.3</version>
          </dependency>
          <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>aws-java-sdk-flow-build-tools</artifactId>
            <version>1.5.5</version>
          </dependency>
          <dependency>
            <groupId>org.freemarker</groupId>
            <artifactId>freemarker</artifactId>
            <version>2.3.18</version>
          </dependency>
          <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
          </dependency>

        4. The last piece of the puzzle is to put together the build so that the aspectj weaving takes place at the right build step. Configure your pom build section like so:
              <build>
                  <plugins>
                      <plugin>
                          <groupId>org.codehaus.mojo</groupId>
                          <artifactId>apt-maven-plugin</artifactId>
                          <version>1.0-alpha-5</version>
                          <executions>
                              <execution>
                                  <goals>
                                      <goal>process</goal>
                                  </goals>
                              </execution>
                          </executions>
                      </plugin>
                      <plugin>
                          <groupId>org.codehaus.mojo</groupId>
                          <artifactId>aspectj-maven-plugin</artifactId>
                          <version>1.5</version>
                          <configuration>
                              <aspectLibraries>
                                  <aspectLibrary>
                                      <groupId>com.amazonaws</groupId>
                                      <artifactId>aws-java-sdk</artifactId>
                                  </aspectLibrary>
                              </aspectLibraries>
                              <complianceLevel>1.6</complianceLevel>
                              <showWeaveInfo>true</showWeaveInfo>
                              <verbose>true</verbose>
                              <sources>
                                  <source>
                                      <basedir>${basedir}/target/generated-sources/annotations</basedir>
                                  </source>
                                  <source>
                                      <basedir>src/main/java</basedir>
                                      <includes>
                                          <include>**/*WorkflowImpl.java</include>
                                          <include>**/*ActivitiesImpl.java</include>
                                      </includes>
                                  </source>
                              </sources>
                          </configuration>
                          <executions>
                              <execution>
                                  <goals>
                                      <goal>compile</goal>
                                      <goal>test-compile</goal>
                                  </goals>
                              </execution>
                          </executions>
                      </plugin>
                  </plugins>
              </build>

        5. And that’s it. You are done!

I use NetBeans, and NetBeans automatically takes care of showing the generated source files as part of the IDE and adding them to the build path.

A little back story

I followed through pretty much the instructions on the stack overflow answer and that was enough to get me started. Then I added an activity and tried to use the ExponentialRetry annotation and things started failing. I also noticed that asynchronous methods in my test weren't exactly being called asynchronously. I searched through the aws forums and stumbled upon this gem that led me to the current build configuration that I have now. Basically what it means is that the auto generated classes need to be generated first, before the aspectj weaving takes place, and you have to make sure to include the autogenerated sources as part of your aspectj weave, as you can see by looking at the sources for the aspectj plugin. Also, I'm selecting my activities and workflow classes using the wildcard * selector based on my filename naming convention. You may need to change it to fit your project.

Now when you compile your project, you should see an additional step [aspectj:compile] and it will tell you which files were found to have the annotations and which annotations were processed.

GoodBye Google Reader

March 13, 2013

Update: Switched to Feedly instead. It automatically syncs all of your google reader subscriptions. Easiest transition ever.

Google Reader has been one of those apps that I used several times every day. You’ll be missed. Looking for alternatives but Pulse looks very interesting and has a chrome plugin.

My stats from 5 years. Suddenly realized I read a lot of news!

[image: Google Reader statistics]


How a good day turns bad

July 18, 2011

I'm in Seattle for a 4-day training course on AWS at Amazon and the weather here is a sunny 75 degrees. Today was the first day of training; I learned a lot of good information, had a good lunch and walked back to the hotel. For dinner, coworkers and I decided to walk to the nearest Thai restaurant. Everything was going great. I ordered a Tum Kha soup. After eating the worst Thai food I've ever had, we walked back to the hotel while foolishly looking at South Lake Union and not at the path ahead.

I entered the hotel elevator and another guy in the elevator walks away from me to the back wall of the elevator. Then I look down at the floor and notice something there. I lift my shoe up and aaah, there is what can only be human feces all over it. It couldn’t be dog shit cause there was just too much of it. I limped over to my room and spent the next half hour cleaning up the shoe.

Now I sit here washing down this day with some good lemon tea and musing about the piece of shit that’s still lying on the floor of the hotel elevator. I should really call the front desk and tell them about it. I now also regret not paying tip yesterday at the dirty Indian restaurant where I ate dinner; at least their food tasted okay.

Here’s hoping the rest of the trip will be more uneventful – Manchester United vs. Sounders!!


WikiPublisher plugin for jenkins

March 27, 2011

Sometimes, folks other than the developers are interested in finding out about the different builds and the components (upstream projects) that are in a build. These other folks might be managers or non-programming types that don't have access to Jenkins or are not interested in looking up things on Jenkins. They prefer to just see a website with all builds listed. This plugin attempts to satisfy that need.

We have an internal wiki site for sharing useful information and that seems as good a place as any to share information about current builds of projects. So, I’ve written the wiki publisher plugin that publishes your build name along with the names of all of its upstream builds to a wiki page you’ve configured. The names are also linked back to their corresponding build on Jenkins so that you can go from wiki to Jenkins to download artifacts or lookup changes.

This plugin is modeled after the Confluence Publisher plugin that is available for Jenkins. There are two separate configuration pages. In the global configuration page, you need to set up your list of wiki sites that you would like to publish to. I expect most will only have one site set up here, but it's nice to know you can add more. If your wiki site uses authentication, then you need to set up the username, password and domain for the user that Jenkins will use to publish to the wiki site. Make sure that this user has edit permission on the wiki pages. Also, I've only tested it against a wiki that authenticates against an LDAP server, so there's the possibility that it won't work on other setups. One additional note of caution: your wiki site may be using https but only with a self-signed certificate. If that's the case, then do not check the "use https" option or it won't work.

Now that you have your wiki site set up, it's time to configure your project to publish to the wiki site. Open up your project configuration page and you will see a new section to publish build results to a wiki. Here, select the wiki site you set up previously and enter the name of the page where the results are to be published. The plugin won't create the page itself, so you must go to your wiki and set up an empty page before running any builds.

This plugin uses the jwbf library for publishing to the wiki and that library has a dependency on log4j 1.2.14 or above. Unfortunately, Jenkins uses an older version and so on your Jenkins machine, you must setup the “java.endorsed.dirs” environment variable to point to a directory that contains log4j 1.2.14 or above.

Let me know if this plugin has been useful to you and thanks to the excellent Jenkins build tool.


major.minor plugin for Jenkins

March 27, 2011

Recently, I’ve been tasked with setting up a build environment at work and we decided to go with Hudson and now Jenkins. I think the best part of Jenkins is its extensibility in the form of writing plugins to make it do exactly what you want. So my first plugin was to change the build numbers that Jenkins uses like #1, #2 etc. to something more meaningful for our scenario and so was born the major.minor plugin.

The premise of the plugin is quite simple. In our projects, we would like to see build names of the form major.minor.revision. We use subversion for source code management and so the revision number here refers to the svn revision number. The major and the minor numbers are configured when the build is initially setup and are initialized to 1 and 00 respectively. So, the first build name might be something like 1.00.23 if the svn revision at that point happened to be 23.

At some point down the line in the project cycle, we might like to increment the minor or major number, and this can be done manually after a build by using the existing Jenkins feature to edit the build name. Since the plugin picks up the major and minor part of the build name from the previous build of the project, subsequent builds will then have the correct major and minor sections.

Now that the build name has been changed, when you browse through the builds directory for your project it will be hard for you to figure out which build is which, because Jenkins only creates directories using the build number like #2, #3 etc. and the date/time when the build was executed. To make it easier, the plugin also creates a new symbolic link with the build name in the builds directory. Now the Jenkins UI and the builds directory match, and it's easier for you to get to the right build.

When you enable this plugin, you get a new configuration section for your project. In this section, you will configure a regex to match build names against. I've made it a regex so that it is a little bit more flexible and can still be used even if your organization does not use a major.minor.revision format for naming builds. The important thing is that you add a capturing group in your build name regex, which is used to insert the new revision number into the build name. Note that if you don't use svn for scm, the plugin still works and inserts the build number in place of the revision number. The other configuration is for setting the initial build name for your project, like 1.00.00.

The plugin also makes available a BUILD_NAME environment variable for any scripts that might need it.

Hope this plugin helps anyone looking for nicer build names and thanks to the Jenkins project for a great build tool.

The plugin source is available on Github and you are free to fork and tinker with it to suit your needs.
