OpenVPN is among the best VPN solutions, especially when you need a cross-platform (Windows, Mac, Linux, Android, iOS) solution that just works. It is best suited for point-to-site (P2S) or "road warrior" setups, where users on the road access internal resources through a VPN client.
When setting up OpenVPN server in Azure you have several options at your disposal:
- Set up your own open source OpenVPN 2 server
- Set up Access Server, the commercial version of the OpenVPN server
- Deploy Azure VPN Gateway that supports OpenVPN
There are other options as well, but these are probably the main contenders, each with its own pros and cons.
If you're not afraid of getting your hands dirty, the cheapest option is #1, setting up your own OpenVPN server. The benefit is that you have full control over the configuration and can make it match your needs exactly. On the flip side, you need to build all the advanced features yourself: you have to manage your own CA (e.g. with easy-rsa), generate client configuration files (e.g. with easy-tls), and so on. In addition, if lots of traffic will pass through the VPN you may have to set up several servers to handle the load, because OpenVPN 2 is single-threaded and does not scale across multiple processor cores. The context switching between user space and kernel space in OpenVPN 2 also reduces throughput. Kernel modules that remove this bottleneck (ovpn-dco on Linux, ovpn-dco-win on Windows) were under heavy development but not production-ready as of November 2021.
If you're looking for the best out-of-the-box feature set and are not afraid of managing a VPN server yourself, then you should consider Access Server, the commercial version of OpenVPN. It comes with many advanced features out of the box, such as load balancing across multiple processor cores, clustering for high availability, and a self-service portal from which users download the client and their configuration file. Although Access Server greatly simplifies OpenVPN 2 server setup with its web-based GUI, you still need some knowledge of IP networking to make use of it. And if you know what you're doing, you can tweak Access Server quite a bit to fit your needs. The license cost includes support, so help is available if you need it.
If you want something "native" to Azure and don't wish to maintain a server yourself, then your only option is Azure VPN Gateway, which supports OpenVPN. While multiple authentication methods are supported, you will probably end up using certificate-based authentication alongside Azure AD authentication: certificate-based authentication works across all major desktop and mobile operating systems and OpenVPN clients, whereas Azure AD authentication only works with the official Azure VPN Client. Azure VPN Gateway does not support LDAP authentication, even though enabling LDAP in Azure AD itself is possible. Another thing to note is that the "Basic" SKU of Azure VPN Gateway does not support OpenVPN at all. The cheapest SKU that does ("VpnGw1") runs active-standby rather than active-active, which is probably fine for most environments. VPN Gateway has no self-service client and configuration download portal like Access Server, so managing client configurations adds some overhead for admins. As Azure VPN Gateway is a reimplementation of the OpenVPN protocol, there are a couple of annoying limitations you should account for:
- It does not support assigning static IPs to OpenVPN (P2S) clients. Depending on your use case this is either a major problem or no problem at all.
- The implementation lags behind the official OpenVPN 2.x/3.x implementations. As of writing this (August 2023), Azure VPN Gateway does not work with OpenVPN 2.6+ clients. Getting this fixed will probably take a long time, since the old, incompatible implementation is deployed on every existing gateway.
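The CA and client-profile work described for the self-hosted option above, and the root certificate that certificate-based authentication on Azure VPN Gateway requires, as one added example that is not part of the original article and not the tooling the article names: it uses plain openssl in place of easy-rsa, prints an inline client profile in place of easy-tls, and extracts the CA certificate in the form the gateway's root certificate field expects. The output directory OUTDIR, the certificate names (Example VPN CA, vpn-server, client1), the hostname vpn.example.com and the UDP port are assumptions; configuring the VPN server itself (or the gateway) is a separate step.

```shell
#!/bin/sh
# Added example (not the article's code): minimal OpenVPN PKI with plain
# openssl, an inline .ovpn generator, and the Azure root-certificate string.
# Assumed names: OUTDIR, the CA/server/client CNs, the VPN host and port.
set -eu

OUTDIR="${OUTDIR:-./ovpn-pki}"   # assumed output directory
DAYS_CA=3650                     # CA lifetime in days
DAYS_LEAF=365                    # server/client certificate lifetime in days

# One openssl config with an extension set per certificate role, so the
# result does not depend on whatever the system openssl.cnf contains.
write_config() {
  cat > "$OUTDIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue_cert NAME EXT_SECTION: EC P-256 key + CSR, signed by the CA with the
# extensions of EXT_SECTION (server_ext or client_ext). The EKUs are what
# "remote-cert-tls server" on the client checks against.
issue_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$OUTDIR/pki.cnf" -subj "/CN=$1" \
    -keyout "$OUTDIR/$1.key" -out "$OUTDIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$OUTDIR/$1.csr" -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" \
    -CAcreateserial -days "$DAYS_LEAF" -sha256 \
    -extfile "$OUTDIR/pki.cnf" -extensions "$2" -out "$OUTDIR/$1.crt" 2>/dev/null
  rm -f "$OUTDIR/$1.csr"
}

# Build the whole PKI: CA, server cert, one client cert and a tls-crypt key.
build_pki() {
  mkdir -p "$OUTDIR"
  write_config
  # Self-signed CA; ca.key must stay on the issuing machine, never on the VPN server.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$OUTDIR/pki.cnf" -extensions ca_ext -subj "/CN=Example VPN CA" \
    -days "$DAYS_CA" -keyout "$OUTDIR/ca.key" -out "$OUTDIR/ca.crt" 2>/dev/null
  issue_cert vpn-server server_ext
  issue_cert client1 client_ext
  # tls-crypt key in the "OpenVPN Static key V1" layout (2048 bits as 16 lines
  # of 32 hex chars), the same format `openvpn --genkey tls-crypt` writes.
  {
    printf '#\n# 2048 bit OpenVPN static key\n#\n'
    echo '-----BEGIN OpenVPN Static key V1-----'
    openssl rand -hex 256 | fold -w 32
    echo '-----END OpenVPN Static key V1-----'
  } > "$OUTDIR/ta.key"
}

# make_profile NAME HOST [PORT]: print a single-file client profile with the
# CA, client cert, key and tls-crypt key inlined (the part easy-tls automates).
make_profile() {
  cat <<EOF
client
dev tun
proto udp
remote $2 ${3:-1194}
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
$(cat "$OUTDIR/ca.crt")
</ca>
<cert>
$(cat "$OUTDIR/$1.crt")
</cert>
<key>
$(cat "$OUTDIR/$1.key")
</key>
<tls-crypt>
$(cat "$OUTDIR/ta.key")
</tls-crypt>
EOF
}

# Azure VPN Gateway's P2S root certificate field takes the CA certificate's
# base64 DER body on one line, i.e. the PEM without its BEGIN/END armor.
azure_root_cert_data() {
  sed '/-----/d' "$OUTDIR/ca.crt" | tr -d '\n'
}

case "${1:-}" in
  build)   build_pki ;;
  profile) make_profile "$2" "$3" "${4:-}" ;;
  azure)   azure_root_cert_data ;;
esac
```

Run `sh ovpn-pki.sh build` once to create the PKI, `sh ovpn-pki.sh profile client1 vpn.example.com > client1.ovpn` for every user you onboard, and `sh ovpn-pki.sh azure` to print the string that goes into the gateway's root certificate configuration (with the Azure CLI that is the `--public-cert-data` argument of `az network vnet-gateway root-cert create`). The VPN server only needs ca.crt, vpn-server.crt, vpn-server.key and ta.key; keep ca.key off it. Revocation (a CRL loaded with `crl-verify` on a self-hosted server, or the gateway's revoked-certificate list) is the other piece of CA management the article mentions and is not covered by this script.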
The fixed costs at the time of writing, in the North Europe Azure region, are as follows (hands-on work is not included):

| Option | Concurrent connections | Deployment | Cost / year |
|---|---|---|---|
| Access Server | 20 | 2xB2s + DB | 1973€ |
| Azure VPN Gateway | 128 | Active-standby | 1440€ |
| Azure VPN Gateway | 128 | Active-active | 2700€ |
| OpenVPN 2 | No limit | 1xB2s | 336€ |
Note that labor is not factored in, and with vanilla OpenVPN 2 you will spend a lot more time setting up the VPN. Once the concurrent connection count rises above 20, Access Server starts costing considerably more than VPN Gateway, even though its per-connection license price drops at higher tiers.
To pick between the three, consider which of the following statements describes you:
- I want flexibility and to be in full control: pick OpenVPN 2
- I want features and I'm not afraid to manage a VPN server myself: pick Access Server
- I don't want to manage a VPN server: pick Azure VPN Gateway
With the exception of Access Server, you will have the additional overhead of managing a certificate authority and client certificates, especially in a cross-platform client environment where Azure AD authentication can't be used for everyone.