
So I have 2 vnets that are peered. One contains my VPN gateway and the other one contains my ILB ASE. I connect to the VPN gateway via a GitHub Actions worker successfully but can't deploy code into the web app.

For the deployment I've used the following curl command so I could use the private IP of the ILB ASE:

- name: Connect to VPN
  run: |
    sudo openvpn --config vpnconfig.ovpn &
    sleep 30
- name: Verify VPN connection
  run: |
    until ip a show tun0 up; do sleep 5; done
- name: Wait for VPN connection stabilization
  run: sleep 30
- name: Get VPN interface name
  run: |
    INTERFACE_NAME=$(ip addr show | grep -E "tun[0-9]+" -o | head -n 1)
    echo "INTERFACE_NAME=$INTERFACE_NAME" >> $GITHUB_ENV
- name: Deploy to ASE
  run: |
    curl --interface "${{ env.INTERFACE_NAME }}" -X POST 'https://10.1.1.4/api/deploy' \
      -H 'Authorization: Bearer ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}' \
      -H 'Host: "my-web-app-name"' -H 'Content-Type: application/zip' \
      --data-binary '@/home/runner/work/"my-repo-name"/"my-repo-name"/"my-app-name"/bin/Release/net6.0/"my-app-name".zip'

But as you guessed, it doesn't reach the ILB ASE. So I've simplified the situation and connected to the vnet holding the VPN gateway from my own PC via OpenVPN GUI, and I've added a test ILB ASE in that network as well. And as you've probably guessed, I can't reach it (via cmd ping to the ILB ASE IP). Not sure if the ILB ASE can't be pinged or what's really wrong.

I have configured my .ovpn as they say in the Azure docs for a P2S VPN connection ( https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-linux#cli ).

For my actual use case (2 vnets peered, one for the VPN gateway, one holding the ILB ASE) I've also configured:

Route tables: VPN vnet -> from 10.3.0.0/24 (VPN address pool) to virtual network without a next hop IP address, assigned to the gateway subnet (10.2.0.0/24). ASE vnet -> from 10.3.0.0/24 to virtual network, assigned to the ASE subnet.

Vnet peering: on both sides allowing all traffic in both directions and using "this virtual network's gateway or route server" for the vnet gateway or route server option.

I've tried both locally and in the worker and it doesn't work.

dperic00
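An added diagnostic script (example code, not part of the question or the answer) for the point where the workflow above backgrounds OpenVPN and then deploys over the tun interface: it checks that a tun device exists, that it holds an address from the 10.3.0.0/24 pool, that the kernel routes 10.1.1.4 through it, and that TCP 443 answers, rather than relying on ping. The function names and the sample command outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Checks a GitHub
# Actions runner can run after `openvpn --config vpnconfig.ovpn &` and before
# the curl deploy, so a failed deploy points at the right layer. Assumed from
# the question: ILB ASE IP 10.1.1.4, P2S pool 10.3.0.0/24. Names are ours.

# First tun device in `ip -o link show` output (text is passed in so the
# parsing can be exercised without a live VPN).
find_tun_iface() {
  printf '%s\n' "$1" | grep -oE 'tun[0-9]+' | head -n 1
}

# Device the kernel chose, parsed from `ip route get <ip>` output.
route_dev() {
  printf '%s\n' "$1" | sed -nE 's/.* dev ([^ ]+).*/\1/p' | head -n 1
}

# True when `ip -4 addr show <iface>` output has an address under prefix $2 ("10.3.0.").
addr_in_pool() {
  printf '%s\n' "$1" | grep -qF "inet $2"
}

# Live check for the runner: tun up, pool address, route via tun, TCP reachable.
check_path_to_ase() {
  target="${1:-10.1.1.4}"
  iface=$(find_tun_iface "$(ip -o link show 2>/dev/null)")
  [ -n "$iface" ] || { echo "no tun interface: OpenVPN did not come up"; return 1; }
  addr_in_pool "$(ip -4 addr show "$iface")" "10.3.0." \
    || { echo "$iface has no address from the P2S pool"; return 2; }
  dev=$(route_dev "$(ip route get "$target" 2>/dev/null)")
  [ "$dev" = "$iface" ] || { echo "route to $target uses '${dev:-none}', not $iface:" \
    "check pushed routes and peering gateway transit"; return 3; }
  # ICMP to an internal load balancer frontend is not a dependable test; probe the
  # port the deploy uses. curl exit 7/28 = no TCP path, 45 = interface bind failed;
  # any other code (even a TLS/certificate error) means a host answered on 443.
  rc=0; curl --interface "$iface" --connect-timeout 10 -s -o /dev/null "https://$target/" || rc=$?
  case $rc in
    7|28|45) echo "TCP 443 to $target unreachable via $iface: check route tables and NSGs"; return 4 ;;
  esac
  echo "path to $target via $iface OK"
}

# Constructed sample command outputs (not captured from a real runner).
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN'
SAMPLE_ROUTE_OK='10.1.1.4 via 10.3.0.1 dev tun0 src 10.3.0.2 uid 1001'
SAMPLE_ROUTE_BAD='10.1.1.4 via 10.0.0.1 dev eth0 src 10.0.0.5 uid 1001'
SAMPLE_ADDR='3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.3.0.2/24 scope global tun0'
# Workflow step: . ./check_vpn_path.sh && check_path_to_ase 10.1.1.4
```

A non-zero return tells you which layer failed (no tunnel, no lease, wrong route, or no TCP path), which is exactly the split between "OpenVPN problem" and "route table / peering / NSG problem" the question is trying to make.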

1 Answer


I have created an Azure App Service Environment and peered it with a virtual network like below:

[screenshot]

In the virtual network gateway, create the self-signed root certificate like below:

[screenshot]

Then in Linux, the OpenVPN commands are executed successfully like below:

sudo apt-get install openvpn
openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"

[screenshot]

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libpkcs11-helper1
Suggested packages:
  resolvconf openvpn-systemd-resolved easy-rsa
The following NEW packages will be installed:
  libpkcs11-helper1 openvpn
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 521 kB of archives.
After this operation, 1345 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://azure.archive.ubuntu.com/ubuntu focal/main amd64 libpkcs11-helper1 amd64 1.26-1 [44.3 kB]
Get:2 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 openvpn amd64 2.4.7-1ubuntu2.20.04.4 [476 kB]
Fetched 521 kB in 1s (803 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libpkcs11-helper1:amd64.
(Reading database ... 58768 files and directories currently installed.)
Preparing to unpack .../libpkcs11-helper1_1.26-1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.26-1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.4.7-1ubuntu2.20.04.4_amd64.deb ...
Unpacking openvpn (2.4.7-1ubuntu2.20.04.4) ...
Setting up libpkcs11-helper1:amd64 (1.26-1) ...
Setting up openvpn (2.4.7-1ubuntu2.20.04.4) ...
 * Restarting virtual private network daemon.                                                                    [ OK ]
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Processing triggers for systemd (245.4-4ubuntu3.20) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.9) ...

Then try to export the client certificate as a private key:

[screenshots]

Install the exported certificate and open your vpnconfig.ovpn file and profileinfo.txt.

In the vpnconfig.ovpn file you can see the root cert along with the pre-shared key; they are generated in the profileinfo file. Copy the private key file and paste it into the vpnconfig file like below:

# P2S client certificate
# please fill this field with a PEM formatted cert
<cert>
$CLIENTCERTIFICATE
</cert>

[screenshot]

Then in the profileinfo file, scroll down and you can see the client cert certificate; copy it and paste it over the client cert like below:

# P2S client root certificate private key
# please fill this field with a PEM formatted key
<key>
$PRIVATEKEY
</key>

[screenshot]

And save. Now the OpenVPN file is configured, and the OpenVPN GUI will be installed when installing the OpenVPN client.

When I try to connect with the OpenVPN file, it connects successfully like below:

[screenshots]

I am able to ping the IP address of the internal load balancer:

[screenshot]

If the issue still persists, check that the ILB ASE is in a running state with the appropriate endpoint and backend pools, and try to ping the private IP address of the ILB ASE. Check that the VPN and ILB ASE route tables are set up correctly to allow traffic and that NSG rules allow traffic between the two subnets.

You can use different VPN clients to connect to the VPN gateway using OpenVPN GUI, such as the built-in VPN client in Windows.

References:

Generate and export certificates for P2S: PowerShell - Azure VPN Gateway | Microsoft Learn

Configure a Point-to-Site VPN connection via OpenVPN on Azure - mecdata.it

Imran
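The cert and key pasting the answer describes can be scripted. As an added example (not the answer's commands or Microsoft's own script), the following fills the <cert> and <key> placeholders of vpnconfig.ovpn from the profileinfo.txt bundle and writes the result with owner-only permissions, since the profile embeds the private key. Function names and the PEM text are constructed.

```shell
#!/bin/sh
# Added example, not the answer's own commands or Microsoft's script. Fills the
# <cert>/<key> placeholders in the Azure P2S vpnconfig.ovpn from the PEM bundle
# that `openssl pkcs12 -in filename.pfx -nodes -out profileinfo.txt` writes.

# First block of the given type in a PEM bundle (".*" also accepts "RSA PRIVATE
# KEY" from older OpenSSL). Assumes the first CERTIFICATE is the client cert.
pem_block() {  # $1 = bundle text, $2 = "CERTIFICATE" or "PRIVATE KEY"
  printf '%s\n' "$1" | awk -v t="$2" '
    !found && $0 ~ ("-----BEGIN .*" t "-----") { on = 1 }
    on { print }
    on && $0 ~ ("-----END .*" t "-----") { on = 0; found = 1 }'
}

# Replace the placeholder lines of the template with the PEM blocks.
render_ovpn() {  # $1 = template text, $2 = cert PEM, $3 = key PEM
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      '$CLIENTCERTIFICATE') printf '%s\n' "$2" ;;
      '$PRIVATEKEY')        printf '%s\n' "$3" ;;
      *)                    printf '%s\n' "$line" ;;
    esac
  done
}

# File front-end: fill_ovpn vpnconfig.ovpn profileinfo.txt client.ovpn
fill_ovpn() {
  bundle=$(cat "$2")
  cert=$(pem_block "$bundle" CERTIFICATE); key=$(pem_block "$bundle" "PRIVATE KEY")
  [ -n "$cert" ] && [ -n "$key" ] || { echo "client cert or key missing in $2" >&2; return 1; }
  # The rendered profile embeds the private key: create it owner-readable only.
  ( umask 077 && render_ovpn "$(cat "$1")" "$cert" "$key" > "$3" )
}
# Constructed stand-ins for profileinfo.txt and vpnconfig.ovpn (not real keys).
SAMPLE_BUNDLE='Bag Attributes
    localKeyID: 01 02 03
-----BEGIN CERTIFICATE-----
MIIBconstructedCertBodyNotARealCertificate==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEconstructedKeyBodyNotARealKey==
-----END PRIVATE KEY-----'
SAMPLE_TEMPLATE='client
<cert>
$CLIENTCERTIFICATE
</cert>
<key>
$PRIVATEKEY
</key>'
```

Keep the rendered profile out of the repository; on a CI runner, source it from a secret at job start and delete it when the job ends.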
My ILB ASE is up and running but I still can't ping it once connected. Here's a screenshot of my ipconfig (https://prnt.sc/LbxSMJCszENn). And what do you mean by "appropriate endpoint with backend pools"? – dperic00 Apr 18 '23 at 14:56