Easy and Free 2FA enabled Secure VPN solution in Azure
Long have I looked for a secure and easy to setup alternative for a "Jumpbox" or bastion server solution in Azure. Secure access always seems to add a lot of management overhead and cost to a project. Either you have to create a separate RDS server and pay for the licenses or you have to use the Client VPN solution in Azure that is limited.
Luckily, Pritunl has a great opensource VPN product which you can use to limit your exposure to the outside world. Under the hood Pritunl is built on the OpenVPN protocol which we all know and love, and you can easily enable 2FA with minimal setup.
To setup Pritunl, simply create a new Ubuntu VM image from the Azure marketplace. I used the latest 18.04-LTS image, but all other flavors of Linux will work as shown in the Installation documentation.
There really isn't much to the setup, I simply ran the "Ubuntu Bionic" commands listed on their documentation:
sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list << EOF
deb https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt bionic main
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt-get --assume-yes install pritunl mongodb-server
sudo systemctl start pritunl mongodb
sudo systemctl enable pritunl mongodb
Once that was completed, I simply opened the SSH, HTTP / HTTPs and VPN ports required, limiting them to only my IP range: Please note that your VPN port may change when setting up the server.
When browsing to the web console, you're asked to provide a key for MongoDB - you can use the "sudo pritunl setup-key" command to retrieve this.
After this - you're prompted to login - the command "sudo pritunl default-password" will provide the default username and password for accessing the web console, you will be prompted to change it.
Once you're in - you will need to setup an organization, users, and a server.
As an example, I will setup an organization named "Bastion"
Next, add myself as a user- note the warning regarding the PIN number that is required.
You will need to then attach the server to the organization and start the server from the console.
Finally, you can add & attach a route for the subnet that your Azure resources are on as shown below. Note you will have to stop and start the VPN for this to take place.
Easy! Now you will need to configure things from the client side.
To do so, I would recommend the option to create temporary profile links - as I have outlined below. These links can be shared and will allow users to download the VPN client, the VPN profile, change their PIN and setup two factor authentication.
After downloading the client opening the profile you'll be securely connected via VPN with unbridled access to the routes you specified. It's fast, easy and secure.
No need to spend a bunch of money on products like Duo or Pulse Secure - instead i'd recommend checking out their other paid offerings as they are reasonably priced :)