Exploring Microsoft Tunnel (Part 1)

Microsoft Tunnel is a VPN solution from Microsoft that gives mobile devices connectivity back to the datacenter or on-premises network. The whole feature is deployed and configured through Microsoft Intune (MDM).

VPN support itself has always existed in Intune: VPN profiles can be configured in Intune to enable Always-On or per-app VPN connectivity with your firewall of choice. Microsoft Tunnel, however, makes a VPN solution easier to configure and deploy because it does not depend on major changes to a company's networking, firewall or VPN appliances. Customers moving away from MobileIron and AirWatch have asked for this type of solution, where they can open a mobile app and establish connectivity back home, but it has always been a challenge to get that working with enterprise network appliances.

The Microsoft solution runs on a Linux machine using container technology. Looking under the covers, Microsoft is leveraging OpenVPN for the implementation. The positioning is a bit confusing, since Microsoft also offers Always On VPN on Windows Server, which it touts as the modern way to do VPN and which works with conditional access policies.

In this blog post, I'll explore the installation, configuration and troubleshooting steps. The problem I'm trying to solve is to have my phone connect to the VPN automatically when I open my video camera application, so that I don't have to connect manually to reach my cameras when I'm outside my home network.

To get started, run the install using the Microsoft-provided script. The only prerequisite that I had to install was Docker CE.

Since I didn’t want to pay for any certificates, I decided to use my internal Windows Certificate Authority.

On the Intune side, you will have to create a server, a site and a server configuration. This will be covered in part two of the post.

Create the CSR on the Server

```bash
# Generate a 2048-bit private key and a CSR. The openssl config is passed inline
# through bash process substitution, so run this in bash. (-days is ignored for a
# CSR; the validity period is set by the issuing CA.)
openssl req -new -sha256 -nodes -days 1095 -out site.csr -newkey rsa:2048 -keyout site.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
L=Texas
CN = mstunnel.jenujose.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# Clients validate against the SAN rather than the CN, so list the DNS name as well as the public IP
DNS.1 = mstunnel.jenujose.com
IP.1 = 99.76.16.241
EOF
)
```

Generate a Certificate from the issuing CA

This was a tricky one; I had to do a bit of googling to remember the commands to issue a certificate via certutil.

```
certutil -submit -attrib "CertificateTemplate:SSLWebServer" site.csr site.cer
```

Note that the name of the certificate template needs to be typed without any spaces. The Client Authentication key usage is what you will need on the template for this to work.

Import the Cert into the Linux box alongside the CA certificate bundle

Since I have a two tier certificate authority, I had to bundle up the certificates into a CER file first.

```bash
# Concatenate the root and intermediate CA certificates (PEM format) into one chain file
cat rootcab.cer intermediatecab.cer > bundle1.cer

# Package the private key, the issued certificate and the CA chain into a PKCS#12 (PFX) file;
# openssl prompts for an export password
sudo openssl pkcs12 -export -out site.pfx -inkey site.key -in site.cer -certfile bundle1.cer
```

-out: the PKCS#12 (PFX) bundle, which is the certificate format MSTunnel expects
-inkey: the private key that was generated alongside the CSR
-in site.cer: the certificate issued by the CA
-certfile: the root and intermediate CA certificates
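Before the PFX goes into place, it is worth checking that it actually contains what the steps above were meant to produce. The script below is an added example, not code from the post or from Microsoft: check_pfx unpacks a PFX and confirms that the key matches the certificate, that the expected SAN entries are present and that the leaf verifies against the root + intermediate bundle; make_test_bundle builds a constructed two-tier chain (the CA names, mstunnel.example.test, 203.0.113.10 and the password are made-up test values) so the check can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not from the post): validate site.pfx before it goes into
# /etc/mstunnel/private. Needs openssl 1.1.1 or newer.
set -u

# check_pfx PFX PASSWORD CA_BUNDLE SAN_ENTRY...
# SAN entries are given as openssl prints them ("DNS:host" or "IP Address:1.2.3.4").
# Returns 0 only when the key matches the cert, every SAN entry is present and
# the leaf verifies against the root + intermediate bundle.
check_pfx() {
  local pfx="$1" pw="$2" bundle="$3"; shift 3
  local tmp rc=1 k c san want ok=1
  tmp=$(mktemp -d) || return 1
  if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys -out "$tmp/leaf.pem" >/dev/null 2>&1 &&
     openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes -out "$tmp/key.pem" >/dev/null 2>&1; then
    k=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)         # public key derived from the private key
    c=$(openssl x509 -in "$tmp/leaf.pem" -pubkey -noout 2>/dev/null)  # public key embedded in the certificate
    san=$(openssl x509 -in "$tmp/leaf.pem" -noout -ext subjectAltName 2>/dev/null)
    for want in "$@"; do case "$san" in *"$want"*) ;; *) ok=0 ;; esac; done
    if [ -n "$k" ] && [ "$k" = "$c" ] && [ "$ok" = 1 ] &&
       openssl verify -CAfile "$bundle" "$tmp/leaf.pem" >/dev/null 2>&1; then
      rc=0
    fi
  fi
  rm -rf "$tmp"
  return "$rc"
}

# make_test_bundle DIR PASSWORD: constructed test data only. Builds root -> issuing CA -> leaf
# and exports DIR/site.pfx and DIR/bundle1.cer using the post's file names.
make_test_bundle() {
  local d="$1" pw="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/rootcab.cer" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/rootcab.cer" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/int.ext" -out "$d/intermediatecab.cer" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mstunnel.example.test" \
    -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1 || return 1
  # As in the post's CSR config, the SAN carries the name/IP that clients will connect to
  printf 'subjectAltName=DNS:mstunnel.example.test,IP:203.0.113.10\nextendedKeyUsage=serverAuth,clientAuth\n' > "$d/site.ext"
  openssl x509 -req -days 2 -in "$d/site.csr" -CA "$d/intermediatecab.cer" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/site.ext" -out "$d/site.cer" >/dev/null 2>&1 || return 1
  cat "$d/rootcab.cer" "$d/intermediatecab.cer" > "$d/bundle1.cer"
  openssl pkcs12 -export -out "$d/site.pfx" -inkey "$d/site.key" -in "$d/site.cer" \
    -certfile "$d/bundle1.cer" -passout "pass:$pw" >/dev/null 2>&1
}
```

For a real site.pfx, call check_pfx with the export password you chose, bundle1.cer and the entries from your CSR config, e.g. "DNS:mstunnel.jenujose.com" and "IP Address:99.76.16.241".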

Copy cert to MStunnel directory

Before the setup can be run, the PFX file needs to be copied into the MSTunnel directory.

```bash
sudo cp site.pfx /etc/mstunnel/private/site.pfx
```

In the next part of the blog post, I will go over the setup on the Intune side to be able to deploy the solution to mobile devices.