How to configure the OpenVPN Access Server

Introduction

We are assuming that you are now the proud owner of a working installation of OpenVPN Access Server! You are now looking to configure specific settings, install a valid SSL certificate to get rid of the security warning on the web service, add user accounts, set up access control, and so on. We have prepared a number of pages on this site that explain how to perform the most common tasks, with configuration examples.

If you have only just launched your Access Server we suggest you check the security recommendations page to learn how to tighten down security on some aspects of the OpenVPN Access Server after initial installation. If you've already done so please read on.

The Client UI

This section of the OpenVPN Access Server's web server is available at the standard URL of the Access Server (https://yourserveraddress/) and provides an interface for your users to log in and retrieve a personalized copy of the OpenVPN Connect Client. The user logs in at this interface, installs the OpenVPN Connect Client with the bundled personalized user profile configuration, and can then connect to the VPN server using the system tray icon of the installed client program.

The Admin UI

This section of the OpenVPN Access Server's web server is available at the directory /admin on the Access Server (https://yourserveraddress/admin/) and provides a technical interface for the administrator of the OpenVPN Access Server to configure access rights and routing rules, to create and edit users, and to switch on functions like LDAP/RADIUS authentication. For the OpenVPN administrator, this is the place where you will be configuring most of the settings of the OpenVPN Access Server.

The Admin UI is protected by a user name/password combination. By default the Access Server sets up a user by the name of "openvpn". Right after installing the OpenVPN Access Server for the first time, you are required to set a password for the "openvpn" user at the command line interface with the command passwd openvpn, and then use that password to log in to the Admin UI. If you have forgotten the password for this user on your OpenVPN Access Server, you can reset the password for the "openvpn" user on the command line with passwd openvpn. Please note that you cannot and should not use the "root" user credentials to log in to the Admin UI.

The CLI - Command Line Interface

When we say command line interface we mean of course the console of the server, or an SSH session to the server. In general you probably will not need to use the CLI on your OpenVPN Access Server much. However, the CLI does offer access to advanced functions that are not available through the Client UI and the Admin UI. It also gives you the possibility of creating your own shell scripts to automate certain tasks, like creating new users with custom settings or implementing custom authentication options.

Server Status

This section shows you whether the VPN Server is currently ON or OFF. Based on the current status, you can either Start the Server or Stop the Server with the button you see there. Note that this will stop/start the OpenVPN daemons, but the Admin Web Server (AWS) will remain online at the address and port it is configured to listen at. TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https://yourserverhostnamehere:943/, or by approaching it through the standard https:// port TCP 443 (https://yourserverhostnamehere/), since the OpenVPN daemon will by default automatically route browser traffic internally to TCP 943. However, by pressing the "Stop the Server" button you are stopping the OpenVPN daemon and the internal routing will cease to function, so you ought to use port TCP 943 instead.

Active Configuration

The Active Configuration section displays a few basic important configuration settings of your OpenVPN Access Server.

Current VPN Users

A complete list of all currently connected users is presented here. "Common Name" is the user's login name and "Real Address" shows the IP where they are connecting from. "VPN Address" shows the internal address they were assigned by the OpenVPN Access Server. "Bytes Received" and "Bytes Sent" refer to the amount of data (in bytes) received from and sent to the connected user through the OpenVPN tunnel. "Connected Since" indicates when the currently active connection was last (re)connected. The [X] button allows an administrator to block that particular user, denying him/her access. You can also set this from the "User Permissions" panel. You must use the "User Permissions" panel to remove the block (deny access checkbox).

Search by Name or IP Address

If your Access Server has many users connected, it may be useful to use this search box to filter only on parts of a username or a specific username. Reset shows all users again.

Querying the log database

The Log Reports section allows you to either view the log in your browser or download it as a comma separated values (CSV) file which you could then import into log analyzing programs or into Excel to visualize what goes on. When you view it in the browser you also see the complicated forms you see in the screenshot above. These forms allow you to create a custom query, to customize the report you're seeing. You could for example choose to only see information on a user called "johan" for the last 10 hours. The options available ought to be quite clear so experiment with them and see what results you get.

Please note that there is a CLI interface for the log database as well, a script called logdba. With it you can also extract information from the log database, export it, and then do with it as you please. Filtering the results with queries such as the ones you can run in the Admin Web Server (AWS) is also possible in the CLI.

Log query results

These are the results of the query you have performed on the log reports system. The following is an explanation of the columns shown in the screenshot above.

  • Node - this is the name of the OpenVPN Access Server itself. In the case of a multi-server setup, the node name could be different for each server/node.
  • Username - this is the username of the OpenVPN client as authenticated by the OpenVPN Access Server.
  • Start Time - the moment a specific connection (attempt) was made.
  • Duration - the time elapsed before the connection (attempt) ended. Please note that when a user's connection is interrupted momentarily and reestablishes, it becomes a new session and is logged separately.
  • Service - can be one of three items: VPN, WEB_CLIENT or WEB_ADMIN.
    • VPN - clients connecting via the OpenVPN daemon, so via an OpenVPN client.
    • WEB_CLIENT - clients connecting to the CWS (Client Web Server interface) using a browser.
    • WEB_ADMIN - clients connecting to the AWS (Admin Web Server interface) using a browser.
  • Real IP - this shows the real IP address of the client connected to the OpenVPN Access Server.
  • VPN IP - this shows the IP address assigned to the OpenVPN client by your OpenVPN Access Server.
  • Proto - this shows the protocol used for the OpenVPN tunnel itself. In general UDP is the better choice here.
  • Port - this shows what port the client connected on. The default ports are TCP 443 and UDP 1194.
  • Bytes In - the number of bytes that were sent from the client to the OpenVPN Access Server.
  • Bytes Out - the number of bytes that were sent from the OpenVPN Access Server to the client.
  • Error - Any error messages are shown here, usually in very short and technical phrases. Search the FAQ for more information on these errors.
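The following is an added example (not code from the page or from OpenVPN) of working with a CSV export of the log report outside the browser, for the kind of queries described above: one user's sessions over the last N hours, VPN attempts that ended in an error, and WEB_ADMIN logins from addresses you do not expect. The sample rows are constructed, and the exact header that logdba writes, the time format, and Duration being in seconds are assumptions; adjust parse_export to match your own export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the Log Reports columns
# described above; the real logdba header and time format are assumptions.
SAMPLE_CSV = """Node,Username,Start Time,Duration,Service,Real IP,VPN IP,Proto,Port,Bytes In,Bytes Out,Error
as1,johan,2023-05-01 08:00:00,3600,VPN,203.0.113.10,172.27.224.2,udp,1194,120000,540000,
as1,johan,2023-05-01 09:05:00,20,VPN,203.0.113.10,172.27.224.2,udp,1194,800,600,
as1,maria,2023-05-01 09:30:00,0,VPN,198.51.100.7,,tcp,443,0,0,AUTH_FAILED
as1,openvpn,2023-05-01 10:00:00,600,WEB_ADMIN,192.0.2.5,,tcp,943,4000,90000,
as1,openvpn,2023-05-01 11:00:00,600,WEB_ADMIN,198.51.100.9,,tcp,943,4000,90000,
"""

# Constructed "current time" so the last-N-hours query is reproducible.
NOW = datetime(2023, 5, 1, 12, 0, 0)


def parse_export(text):
    """Read the CSV export and add typed fields (Duration assumed to be seconds)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.strptime(r["Start Time"], "%Y-%m-%d %H:%M:%S")
        r["duration"] = int(r["Duration"])
        r["bytes_in"] = int(r["Bytes In"])
        r["bytes_out"] = int(r["Bytes Out"])
    return rows


def sessions_for_user(rows, username, hours, now=NOW):
    """Same query as the web form: one user, last N hours. Reconnects are separate rows."""
    since = now - timedelta(hours=hours)
    return [r for r in rows if r["Username"] == username and r["start"] >= since]


def failed_attempts(rows, service="VPN"):
    """Rows of the given Service that carry a value in the Error column."""
    return [r for r in rows if r["Service"] == service and r["Error"]]


def admin_logins_outside(rows, allowed_ips):
    """WEB_ADMIN sessions whose Real IP is not one of the expected admin sources."""
    return [r for r in rows if r["Service"] == "WEB_ADMIN" and r["Real IP"] not in allowed_ips]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for r in sessions_for_user(rows, "johan", 10):
        print("johan", r["Start Time"], r["duration"], r["bytes_in"], r["bytes_out"])
    for r in failed_attempts(rows):
        print("failed VPN attempt", r["Username"], r["Real IP"], r["Error"])
    for r in admin_logins_outside(rows, {"192.0.2.5"}):
        print("Admin UI login from unexpected address", r["Real IP"], r["Start Time"])
```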

Overview