1. Use the script from http://www.cron.dk/easy-certificate-generation-for-openvpn/ to create the CA, server certificate/key, DH parameters and client certificates (attached in case the link is no longer valid):

I think I had to chmod +x to make the file executable, and possibly sudo -i to elevate permissions (and of course replace all of the placeholders with my desired values).

2. Enter configuration mode and add the following entries (or do the same through the UI):

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.100.10.0/24
set interfaces openvpn vtun0 server push-route 10.10.10.10/24
set interfaces openvpn vtun0 server name-server 10.10.10.10
set interfaces openvpn vtun0 tls ca-cert-file /config/openvpn/ca.pem
set interfaces openvpn vtun0 tls cert-file /config/openvpn/tickett.net.crt
set interfaces openvpn vtun0 tls key-file /config/openvpn/tickett.net.key
set interfaces openvpn vtun0 tls dh-file /config/openvpn/dh.pem

set service dns forwarding listen-on vtun0
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description openvpn
set firewall name WAN_LOCAL rule 60 destination port 1194
set firewall name WAN_LOCAL rule 60 protocol udp

You will need to change:

  • the server subnet you want the VPN clients to be given addresses from
  • the push-route (the IP ranges, written as network prefixes such as 10.10.10.0/24) you want the VPN clients to have access to
  • the name-server (most likely the IP of the router itself); make sure it is within one of the IP ranges you set above, or clients will not be able to reach it
  • the rule id (60) if that WAN_LOCAL rule number is already in use
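As an added example (not part of the original post, and not an EdgeOS tool), the Python 3 script below parses the set lines above and checks exactly the points in that list before you commit: it flags a push-route written with host bits set, as in 10.10.10.10/24, confirms the name-server sits inside the VPN subnet or a pushed range, reports a firewall rule number that is already taken (the list of existing rule ids is a hypothetical input you would collect from the running config), and confirms that an accept rule for the OpenVPN UDP port exists. The sample configuration embedded in it is the one from this post.

```python
#!/usr/bin/env python3
"""Sanity-check EdgeOS OpenVPN 'set' lines before committing them.

Added example, not part of the original post or of EdgeOS itself: it parses
the 'set' commands shown above and checks the constraints the text spells
out (push-route is a network prefix, name-server lies in a reachable range,
the firewall rule number is not already taken, the OpenVPN port is opened).
"""
import ipaddress

# Constructed sample: the 'set' lines from this post.
SAMPLE_CONFIG = """
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.100.10.0/24
set interfaces openvpn vtun0 server push-route 10.10.10.10/24
set interfaces openvpn vtun0 server name-server 10.10.10.10
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description openvpn
set firewall name WAN_LOCAL rule 60 destination port 1194
set firewall name WAN_LOCAL rule 60 protocol udp
"""


def parse_set_lines(text):
    """Pull the OpenVPN server values and firewall rules out of 'set' commands."""
    cfg = {"subnet": None, "push_routes": [], "name_servers": [], "rules": {}}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] != "set":
            continue
        if words[1:3] == ["interfaces", "openvpn"] and len(words) > 6 and words[4] == "server":
            key, value = words[5], words[6]
            if key == "subnet":
                cfg["subnet"] = value
            elif key == "push-route":
                cfg["push_routes"].append(value)
            elif key == "name-server":
                cfg["name_servers"].append(value)
        elif words[1:3] == ["firewall", "name"] and len(words) > 7 and words[4] == "rule":
            rule = cfg["rules"].setdefault((words[3], int(words[5])), {})
            rule[words[6]] = " ".join(words[7:])  # e.g. 'destination' -> 'port 1194'
    return cfg


def _prefix(value, what, findings):
    """Parse a CIDR prefix. EdgeOS pushes the network, so a host address with a
    mask (10.10.10.10/24) is almost always a typo: accept it but flag it."""
    try:
        return ipaddress.ip_network(value)  # strict: rejects host bits
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        findings.append(f"ERROR: {what} {value!r} is not a valid prefix")
        return None
    findings.append(f"WARN: {what} {value} has host bits set; write it as {net}")
    return net


def check_config(text, existing_rules=(), openvpn_port=1194):
    """Return 'ERROR:'/'WARN:' findings for the config; an empty list means clean.

    existing_rules: (ruleset, rule_id) pairs already present on the router
    (hypothetical input; in practice taken from the running configuration).
    """
    cfg = parse_set_lines(text)
    findings = []
    reachable = []  # prefixes a connected client will have a route to

    vpn_net = None
    if cfg["subnet"] is None:
        findings.append("ERROR: no 'server subnet' configured")
    else:
        vpn_net = _prefix(cfg["subnet"], "server subnet", findings)
        if vpn_net is not None:
            reachable.append(vpn_net)

    for route in cfg["push_routes"]:
        net = _prefix(route, "push-route", findings)
        if net is None:
            continue
        if vpn_net is not None and net.overlaps(vpn_net):
            findings.append(f"WARN: push-route {route} overlaps the VPN subnet {vpn_net}")
        reachable.append(net)

    for ns in cfg["name_servers"]:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"ERROR: name-server {ns!r} is not a valid address")
            continue
        if not any(addr in net for net in reachable):
            findings.append(f"ERROR: name-server {ns} is not inside the VPN subnet "
                            "or any push-route, so clients cannot reach it")

    port_opened = False
    for (ruleset, rule_id), attrs in cfg["rules"].items():
        if (ruleset, rule_id) in existing_rules:
            findings.append(f"ERROR: {ruleset} rule {rule_id} is already in use; pick a free id")
        if (attrs.get("action") == "accept" and attrs.get("protocol") == "udp"
                and attrs.get("destination") == f"port {openvpn_port}"):
            port_opened = True
    if not port_opened:
        findings.append(f"WARN: no accept rule for udp/{openvpn_port}; remote clients will be blocked")

    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["OK: no findings"]:
        print(finding)
```

Run against the post's own lines it reports a single warning for the push-route, because 10.10.10.10/24 names a host rather than the 10.10.10.0/24 network; change the prefix and it comes back clean. Pass the rule ids already present on your router as existing_rules to catch a collision on rule 60 before commit refuses it.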

At this point you should be able to download the .ovpn file to a client and connect (using solely the certificate for authentication).

That’s the easy bit, now let’s tackle the tricky bit!

3. Log in to https://portal.azure.com/ and select Azure Active Directory, then App Registrations, then New Registration.

From the Authentication tab enable the “Treat application as a public client” option.

From the API Permissions tab click Add a permission and select Azure Active Directory Graph from the bottom (Supported legacy APIs) section, then Directory.Read.All. Note that Azure AD Graph is a legacy API that Microsoft has been retiring in favour of Microsoft Graph; the script below needs this permission, so check that it is still offered in your tenant.

4. Download my modified version of openvpn-azure-ad-auth.py from https://github.com/ltickett/openvpn-azure-ad-auth/blob/master/openvpn-azure-ad-auth.py to /config/openvpn

5. Create /config/openvpn/openvpn-azure-ad-auth.yaml following the instructions in the README.md. I strongly recommend NOT enabling token_cache as it allowed me to connect to the VPN without a password in certain scenarios.

6. Add the Debian repositories to the package manager (stretch is right for the EdgeOS 2.x firmware, which is based on Debian 9; the older 1.x firmware is based on wheezy, so use the matching distribution there):

set system package repository stretch components 'main contrib non-free'
set system package repository stretch distribution stretch
set system package repository stretch url http://http.us.debian.org/debian

Then install the prerequisites (the Python 2 versions of the modules the script imports) by running:

sudo apt-get update
sudo apt-get install python-pyparsing python-six python-appdirs python-yaml python-requests python-adal python-pbkdf2

Grant the app consent and check the script runs by executing it from /config/openvpn (the file must be executable, so chmod +x it first if it is not; OpenVPN will need that bit too):

./openvpn-azure-ad-auth.py --consent

And follow the on-screen instructions.

7. Finally tweak the EdgeRouter config to use the Python script. script-security 3 is required because via-env hands the password to the script through environment variables, and duplicate-cn lets several clients connect with the same certificate CN, so the Azure AD login rather than the certificate becomes the per-user identity:

set interfaces openvpn vtun0 openvpn-option "--duplicate-cn"
set interfaces openvpn vtun0 openvpn-option "--auth-user-pass-verify /config/openvpn/openvpn-azure-ad-auth.py via-env"
set interfaces openvpn vtun0 openvpn-option "--script-security 3"
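As an added example (not the post's script and not the openvpn-azure-ad-auth code, and written for Python 3 rather than the Python 2 the real script runs under), the handler below shows the contract the three options above set up: with `--auth-user-pass-verify <script> via-env` OpenVPN exports the client's `username` and `password` (plus `common_name` from the certificate) as environment variables and treats exit status 0 as accept and anything else as reject. The Azure AD check is replaced by a pluggable callable; the in-memory user table is a constructed stand-in so the example runs offline. It also shows the two behaviours worth insisting on in any such script: empty credentials are refused outright (the failure mode behind the token_cache warning above), and a backend error fails closed.

```python
#!/usr/bin/env python3
"""Minimal auth-user-pass-verify handler showing the OpenVPN 'via-env' contract.

Added example, not the post's script and not the openvpn-azure-ad-auth code.
OpenVPN runs this with 'username', 'password' and 'common_name' in the
environment and accepts the client only if the process exits with status 0.
"""
import hashlib
import hmac
import logging
import os
import sys

log = logging.getLogger("openvpn-auth")

# Constructed stand-in for the directory lookup: username -> sha256(password).
# Hypothetical data, present only so the example runs offline.
_STUB_USERS = {
    "alice@example.com": hashlib.sha256(b"correct horse").hexdigest(),
}


def stub_authenticate(username, password):
    """Stand-in for the Azure AD password check (not the real script's logic).

    Uses a constant-time compare so the stub itself does not leak which half
    of the credential pair was wrong."""
    expected = _STUB_USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_from_env(environ, authenticate):
    """Return the exit status OpenVPN expects: 0 to accept, 1 to reject.

    environ: the OpenVPN-provided environment (os.environ in production).
    authenticate: callable(username, password) -> bool, the directory check.
    """
    username = environ.get("username", "")
    password = environ.get("password", "")
    # With --duplicate-cn every client may share this CN, so it is context
    # for the log line, not the identity being authenticated.
    common_name = environ.get("common_name", "")

    # Refuse empty credentials before touching any backend or cache: a cached
    # token must never turn into a password-less login.
    if not username or not password:
        log.warning("reject cn=%s user=%r: empty username or password", common_name, username)
        return 1
    try:
        ok = authenticate(username, password)
    except Exception:  # a backend outage must fail closed, not open
        log.exception("reject cn=%s user=%s: authentication backend error", common_name, username)
        return 1
    # The password is deliberately never logged, at any log level.
    log.info("%s cn=%s user=%s", "accept" if ok else "reject", common_name, username)
    return 0 if ok else 1


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    sys.exit(verify_from_env(os.environ, stub_authenticate))
```

To exercise it the way OpenVPN would, run it with the variables set by hand (for example `username=alice@example.com password='correct horse' common_name=client ./verify.py; echo $?`) and confirm the exit status flips to 1 when the password is removed or wrong.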

Add auth-user-pass to the client .ovpn so the client prompts for the Azure AD credentials, and you should be good to go!

If you experience any issues later, set log_level to debug in openvpn-azure-ad-auth.yaml and check /config/openvpn/openvpn-azure-ad-auth.log (you can also try show log | grep openvpn from the EdgeOS CLI).