Deploying the Access Server appliance on VMWare ESXi

Compatibility and other notes

Our appliance for VMWare ESXi is released as an OVA file with virtual hardware revision 8 (vmx-08). This means that it is compatible with ESXi 5.0 and higher. If you have an older ESXi version then this appliance is not suitable for your ESXi system. You can either upgrade your ESXi installation to make it compatible, or install a compatible Linux OS on a new or existing virtual machine on your ESXi server and then install Access Server on that Linux OS to get it set up and working on your older ESXi installation.

If you install OpenVPN Access Server on a Linux OS that you have installed you should also install the VMWare Tools or the open source equivalent so that shut down and restart commands can be issued through ESXi properly. Our appliance already comes with the tools installed that are compatible with ESXi and will listen to ESXi's shut down and restart commands.

VMWare Workstation and Fusion and even Player may also be compatible with the OVA file. We have heard reports of users doing this but we do not test for this ourselves. The image we create and offer on our website is meant for the VMWare ESXi product and that is what we test it on. It may be compatible with other products and virtualization solutions but that's not what we have intended or tested it for. The VMWare Converter tool may also be able to help in converting the appliance from one system to another if you wish to use one of VMWare's other virtualization platforms. However we cannot provide support on this. We only support VMWare ESXi 5.0 and higher with our OVA appliance file.

Our appliance is currently based on Ubuntu 16.04 LTS x64 Linux operating system. As time progresses and newer versions of Ubuntu LTS (Long Term Support) are released we will upgrade accordingly.

Deployment using the VMWare vSphere Client

A series of screenshots has been prepared to guide you through the process. You can either just follow the text below, or click the line to reveal a screenshot.

Log on to your ESXi server with VMWare vSphere client

In the File menu select Deploy OVF Template...

Enter the URL: https://swupdate.openvpn.org/appliances/AS2.ova and click next.

An overview of the chosen appliance is shown. Click next.

Choose a friendly name for the appliance and click next.

Choose the resource pool, if any, and click next.

Choose the datastore to deploy on and click next.

Choose thick or thin provisioning method and click next.

Choose VM network to attach the appliance's network interface to and click next.

Check the Power on after deployment checkbox and click finish.

Now wait for deployment window to finish and close it when it's done.

Look up the virtual machine in the inventory and open the virtual console.

Deployment using the VMWare ESXi web interface

A series of screenshots has been prepared to guide you through the process. You can either just follow the text below, or click the line to reveal a screenshot. As preparation for deployment you should download the OVA file from our website and save it to your computer. The latest OVA can be downloaded here:
https://swupdate.openvpn.org/appliances/AS2.ova

Whereas the vSphere Client can deploy straight from a website URL, the ESXi web interface appears not to have that functionality, so you need to have the OVA file saved to your hard drive before deploying it through ESXi's web interface.

Log on to the VMWare ESXi web interface.

Right click on Host and select Create/Register VM.

Select the Deploy a virtual machine from an OVF or OVA file option and click Next.

Enter a friendly name for the VM and select the AS2.ova file and click Next.

Select the datastore to deploy the appliance on, and click Next.

Select the VM network to connect the appliance to, and select thin or thick provisioning, and click Next.

Confirm settings and click Finish to start deployment.

Wait for deployment task to finish.

After finishing the task, look up the VM and open the virtual console.

Login to the Access Server appliance console

In rare cases the OpenVPN Access Server appliance is deployed on a network where there is no DHCP server to automatically assign the Access Server an IP address. This is a problem that can be resolved by setting a static IP address manually. This is a step we describe a little further down on this page - please continue following the steps.

By default the appliance is not set up to allow SSH connections. To be more accurate, the SSH service for remotely accessing the appliance over the network is running but the root user account cannot be used to log on by default and there are no other users configured that you can use to log in through SSH. To begin configuration you need to open the console of the virtual machine and log in with the following credentials. SSH access can be set up later.

  • User name: root
  • Password: openvpnas

Immediately upon logging in the installation wizard of OpenVPN Access Server will start asking you questions. We recommend you use the default settings and just press enter to accept them. You can adjust them at any point later on via the web interface. When you are asked for a license key you can simply press enter to continue installation if you do not have a license key and just want to test the product. If your appliance is deployed in a network where there is no DHCP service running your system will not have a valid IP address assigned. In such a case the installation wizard will fail with the error "IndexError: list index out of range". To resolve this you should set a static IP address on your appliance's network interface as described in the section below, and then simply log on to the appliance again to restart the wizard. We recommend that you set a static IP address anyway, as this will prevent any surprises if at some point in the future the IP address changes, which can happen with DHCP because addresses are assigned dynamically.

Setting a static IP address on the appliance

Now that you are logged on as root user on the console you can use the following steps to set a static IP address on the appliance. This is required if your appliance is deployed on a network where addresses are not dynamically assigned, and is recommended on a network where addresses are dynamically assigned, to ensure that the address has no chance of changing in the future and possibly breaking things. Configuration of the network interface on Ubuntu 16.04 is done with a text file, /etc/network/interfaces, that contains the necessary information. To open this configuration file in a text editor run the command below.

Open /etc/network/interfaces in nano text editor:

nano /etc/network/interfaces

Locate this line:

iface eth0 inet dhcp

And change that line to:

iface eth0 inet static

Now add these lines directly underneath it and adjust the values to your network:

   address 192.168.47.222
   netmask 255.255.255.0
   network 192.168.47.0
   broadcast 192.168.47.255
   gateway 192.168.47.254
   # dns-* options are implemented by the resolvconf package, if installed
   dns-nameservers 192.168.47.254
   dns-search NETWERK

Press ctrl+x, then y, and then enter, to save and exit the file. Restart the appliance to let the new network settings take effect.
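The same change made non-interactively, as an added example that is not part of the appliance or of this guide: a small POSIX shell script that converts the dhcp stanza of an interface in an ifupdown interfaces file into a static one and then reads back which method the interface uses. The file path is a parameter so you can exercise it on a copy of /etc/network/interfaces before touching the real file; the sample file, interface name and addresses in it are constructed for the demo. Only address, netmask, gateway and dns-nameservers are written (the network and broadcast lines shown above are optional for ifupdown and are omitted here).

```shell
#!/bin/sh
# Added example, not code from the OpenVPN appliance or its documentation:
# rewrite an ifupdown "interfaces" file from DHCP to a static address
# non-interactively and check the result.
set -eu

# set_static_iface FILE IFACE ADDRESS NETMASK GATEWAY DNS
# Replaces "iface IFACE inet dhcp" with a static stanza, editing FILE in place.
set_static_iface() {
    file=$1; ifname=$2; addr=$3; mask=$4; gw=$5; dns=$6
    # Refuse to proceed if there is no dhcp stanza for this interface to convert.
    grep -q "^iface $ifname inet dhcp\$" "$file" || {
        echo "no dhcp stanza for $ifname in $file" >&2
        return 1
    }
    tmp=$(mktemp)
    awk -v ifn="$ifname" -v a="$addr" -v m="$mask" -v g="$gw" -v d="$dns" '
        $0 == ("iface " ifn " inet dhcp") {
            print "iface " ifn " inet static"
            print "    address " a
            print "    netmask " m
            print "    gateway " g
            print "    # dns-* options are implemented by the resolvconf package, if installed"
            print "    dns-nameservers " d
            next
        }
        { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write back through the original file, keeping its permissions
    rm -f "$tmp"
}

# iface_mode FILE IFACE -> prints the inet method of the interface
# ("dhcp", "static", "loopback", ...) or "unknown" when it is not configured.
iface_mode() {
    awk -v ifn="$2" '
        $1 == "iface" && $2 == ifn && $3 == "inet" { print $4; found = 1; exit }
        END { if (!found) print "unknown" }' "$1"
}

# Demo on a constructed file that resembles the appliance's default one.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
    echo "before: eth0 is $(iface_mode "$f" eth0)"
    set_static_iface "$f" eth0 192.168.47.222 255.255.255.0 192.168.47.254 192.168.47.254
    echo "after:  eth0 is $(iface_mode "$f" eth0)"
    cat "$f"
    rm -f "$f"
}
demo
```

Run it as root against the real file with set_static_iface /etc/network/interfaces eth0 ADDRESS NETMASK GATEWAY DNS and restart the appliance afterwards, exactly as with the manual edit; the script deliberately fails instead of appending a second stanza when the interface is already static.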

Next we recommend that you set up a password for the openvpn administrative user, and create an account for yourself to login with through SSH to manage the server via the network instead of having to use the virtual machine's console.

Set a password for the OpenVPN administrative user

The installation process will tell you where to find the client web service, which is the web based GUI that you can use to log on and connect to the Access Server, and where to find the admin web service, which is where you can log on as an administrative user and manage the configuration, certificates, users, etc. in the web based GUI. Usually the client UI is at the address of your server, for example https://192.168.70.222/. The admin UI is usually at the /admin/ address, for example https://192.168.70.222/admin/. Please note that the web services by default actually run on port TCP 943, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface.

Initially a single administrative user is added to the system. But it has no password set and therefore cannot be used yet. To use it a password must be set first:

passwd openvpn

You can now point your web browser at the admin UI web interface. Because the Access Server comes with a self-signed SSL certificate to begin with, you will receive a warning in the browser like "Invalid certificate" or "Cannot verify identity of the server". You will have to confirm that you wish to continue to the web interface. You will then see the login screen and you can then enter the username openvpn and the password you have just set with the "passwd openvpn" command.

Further documentation is available elsewhere on our website to configure specific functions and configuration options for the OpenVPN Access Server.

Setting up SSH access: add a sudoer user

A standard user account will be able to log on to the operating system over the network via SSH, or locally on the virtual machine's console, and with sudo privileges it will be able to gain root privileges, which gives full access to the operating system to perform any task on it. To create such a user and assign it sudo privileges, log on to the console as root user and run these two commands:

adduser superman
usermod -aG sudo superman

You can now access the operating system directly over the network via SSH using an SSH client like for example PuTTY on Windows using the user account superman in the example above, and gain root privileges by typing the command sudo su. You can then manage every aspect of the operating system through the command line. More importantly, this also allows you to use all of the command line tools available on OpenVPN Access Server.

Allow root user direct login through SSH (not recommended)

It is also possible to allow the root user to log in directly via SSH but this is generally frowned upon for security reasons. Whereas a user account with sudo privileges that you have created has a reasonably unique user name, the user name root is the same on just about every Linux operating system. Since access to the system is possible with user name and password, that means that if you allow access through SSH for the root user directly, hackers already have 50% of what they need to log on (user name and password): the user name. For that reason mainly it is recommended to leave the SSH service configured to not allow the root user to log in directly, but instead to go through a standard user account with sudo privileges. But if you want to, you can reconfigure the SSH service to allow the root user to log on directly. To do that edit the SSH daemon configuration file with nano and change one line:

Open SSH daemon configuration file

nano /etc/ssh/sshd_config

Find this line:

#PermitRootLogin prohibit-password

And change it to:

PermitRootLogin yes

Press ctrl+x, then y, and then enter, to save and exit the file. Restart the SSH service:

service ssh restart

Now you can use the root user account to log on to the operating system of the appliance directly. It would of course be very much recommended to change the default unsafe password openvpnas to something a lot more secure if you choose to do this. And of course we recommend that you do not do this, but instead use the sudoer user option described in the previous section.
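A way to check what state the SSH daemon is actually in after such edits, as an added example that is not part of the appliance or of this guide: a POSIX shell script that reads an sshd_config and reports the effective PermitRootLogin value, so an audit can tell the stock state (the directive commented out, so sshd's built-in default prohibit-password applies) from the "PermitRootLogin yes" change described above. It follows sshd's rule that the first uncommented occurrence of a keyword wins and that keywords are case-insensitive; it assumes the file has no Match blocks before the directive (anything after a Match line is ignored, since directives there are conditional). The sample configuration files are constructed.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN appliance or its documentation:
# report the effective PermitRootLogin setting of an sshd_config file.
set -eu

# effective_permit_root_login FILE
# Prints the value sshd would use: the first uncommented PermitRootLogin
# directive in the global section (sshd keeps the first match; keywords are
# case-insensitive), or the built-in default "prohibit-password" when none is
# set. Assumption: Match blocks are not evaluated, only skipped.
effective_permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# root_ssh_login_allowed FILE -> exit status 0 when root may log in with a password
root_ssh_login_allowed() {
    v=$(effective_permit_root_login "$1")
    [ "$v" = "yes" ]
}

# Demo on two constructed files: the stock state and the modified one.
demo() {
    stock=$(mktemp); changed=$(mktemp)
    printf '# stock appliance file (constructed)\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$stock"
    printf '# after the edit described above (constructed)\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$changed"
    for f in "$stock" "$changed"; do
        if root_ssh_login_allowed "$f"; then
            echo "$f: PermitRootLogin $(effective_permit_root_login "$f") -> root password login ALLOWED"
        else
            echo "$f: PermitRootLogin $(effective_permit_root_login "$f") -> root password login not allowed"
        fi
    done
    rm -f "$stock" "$changed"
}
demo
```

On the appliance itself run root_ssh_login_allowed /etc/ssh/sshd_config after any change to the file; note that the check reads the file, so it reflects the running daemon only after the service ssh restart step above.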

Update the OpenVPN Access Server to the latest version

We do not do a complete rebuild of our appliance image whenever a release of OpenVPN Access Server is made. This means that when you deploy the appliance it may have a slightly older version than what is available. We therefore recommend that after deploying the appliance you additionally perform an in-place upgrade to bring it up to date with the latest released version of Access Server. To do so check the Access Server installation package files for Ubuntu page and right-click the download link for the Ubuntu 16 x64 OS and select "Copy Link Address" or "Copy target" or similar. The exact wording depends on the browser used. The goal is to have the link to the installation package in your copy/paste buffer. Next go to the command line of the appliance whose OpenVPN Access Server program you want to upgrade and use wget to download the installation package file directly to the server. These steps assume you are logged on to the OpenVPN Access Server command line through an SSH session and have root access.

Please note that we don't update this documentation page every time we make a new release. So the example below mentions version 2.1.12 but the latest version may have a higher number than that. Please use common sense and update the numbers accordingly and don't just blindly copy and paste the commands below.

Type wget followed by the pasted URL:

wget <paste copied url>

For example for Ubuntu 16 x64 installation package, Access Server 2.1.12:

wget http://swupdate.openvpn.org/as/openvpn-as-2.1.12-Ubuntu16.amd_64.deb

Optional step for advanced users: it is possible to use https:// for the connection instead if you prefer a secure connection, and you can verify that the package file you have downloaded has been downloaded correctly, and that it is in fact the package file that we are distributing and not somehow a tainted copy. This is all very unlikely but still you can check with the tool sha256sum, which creates a hash of the downloaded file. You can then compare it with the Access Server installation package sha256sum hash table on our website. Run "sha256sum openvpn-as-2.1.12-Ubuntu16.amd_64.deb" to generate the hash, and compare it to what is listed on the site. If they match you can be certain that you have the right file and it has downloaded correctly.

Now that the installation package file is downloaded to your system you can install it with the following command:

Install downloaded package on Debian/Ubuntu system:

dpkg -i openvpn-as-2.1.12-Ubuntu16.amd_64.deb

The upgrade process usually takes only a few seconds to complete. Your system is then up-to-date.
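The download, hash check and install steps above combined into one script, as an added example that is not part of the appliance or of this guide: it fetches the package over https, compares its SHA-256 with the value you copied from the hash table page, and only then runs dpkg -i; on a mismatch the file is deleted so a later manual dpkg -i cannot pick up the bad copy by accident. The expected hash argument is a placeholder you must take from the hash table page; the self-check at the end uses a constructed file whose SHA-256 is the published FIPS 180-2 test vector for the string "abc", so it runs without network access.

```shell
#!/bin/sh
# Added example, not code from OpenVPN: verify a downloaded package against the
# SHA-256 published on the vendor's hash table before letting dpkg touch it.
set -eu

# sha256_of FILE -> prints the lowercase hex digest
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # fallback, e.g. on macOS
    fi
}

# verify_sha256 FILE EXPECTED -> exit status 0 only when the digest matches
# (EXPECTED may be pasted in upper or lower case).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# install_verified URL EXPECTED_SHA256
# Downloads over https, verifies, and only then installs. Usage on the appliance:
#   install_verified https://swupdate.openvpn.org/as/openvpn-as-2.1.12-Ubuntu16.amd_64.deb <HASH FROM THE TABLE PAGE>
install_verified() {
    url=$1; expected=$2
    pkg=${url##*/}                     # keep the package's own file name
    wget -q "$url" -O "$pkg"
    if verify_sha256 "$pkg" "$expected"; then
        dpkg -i "$pkg"
    else
        echo "SHA-256 mismatch for $pkg; refusing to install" >&2
        rm -f "$pkg"
        return 1
    fi
}

# Offline self-check on a constructed file: SHA-256("abc") is a well-known
# test vector, so this exercises the comparison without downloading anything.
selfcheck=$(mktemp)
printf 'abc' > "$selfcheck"
if verify_sha256 "$selfcheck" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "self-check ok: hash comparison works"
else
    echo "self-check FAILED" >&2
fi
rm -f "$selfcheck"
```

The comparison is done with a plain string equality rather than by eye, which is the point: a transposed character in a 64-digit hash is easy to miss when comparing visually.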

Update the appliance operating system

Between the time we generated the appliance and the time you downloaded and deployed the OVA appliance file, a number of updates for the appliance's operating system may have been released. To ensure that your operating system is up to date the built-in package manager program can be used to retrieve the updates and install them. To do so on the Ubuntu operating system we use in our appliances, run the following commands while logged on to the Access Server as the root user:

apt-get update
apt-get upgrade

Change the timezone configuration and install NTP

The appliance is by default set to US (Pacific - Los Angeles). Since it's likely that you are not in this timezone you should update the timezone setting to the correct timezone. This is especially vital when you plan on using the Google Authenticator multi-factor authentication system, which relies on a time-based one-time password (TOTP) scheme; the correct time on the server is therefore vital. Additionally we recommend you install the NTP (Network Time Protocol) client program so that the appliance can automatically retrieve the correct time and date from the Internet and keep its clock accurate. The commands below, run as the root user, will do this.

To set the timezone:

dpkg-reconfigure tzdata

To install the NTP client:

apt-get install ntp