Current appliance version is: 2.1.3
Last updated: September 16, 2016
OpenVPN Access Server is available as a VMware ESXi virtual appliance for deployment on VMware ESXi 4.0 or greater. To use the virtual appliance, you must download the virtual machine and import it using the VMware vSphere Client.
The virtual appliance is distributed as a .OVA file that can be imported into your current virtual machine repository. To import the appliance, launch the VMware vSphere Client and log in to your VMware Infrastructure server with your credentials.
After logging in to your server with an account that has the permission to create/import a new virtual machine, click the File menu, and then select Deploy OVF Template....
Please note that your VM must be 64-bit capable:
Follow the Deploy OVF Template wizard to complete the import of your new appliance.
The appliance downloaded from this website comes depersonalized and must be personalized before it can be used. Please follow the instructions below in order to customize your OpenVPN Access Server appliance.
Upon the initial startup of the appliance, you will be asked to log in to the console of the appliance.
To do so, use the following credentials:
The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance. If you would like to run this wizard again in the future, issue the ovpn-init command in the terminal.
Read through the EULA, and enter yes to indicate your agreement.
> Will this be the primary Access Server node?
Explanation: If this is your initial Access Server node, press Enter to accept the default setting. Otherwise, if you are setting up your failover node, change this to say no.
> Please specify the network interface and IP address to be used by the Admin Web UI:
Explanation: This is the interface on which OpenVPN Access Server listens for Admin Web UI requests. Make sure you have access to the interface listed; otherwise you will be unable to log in to your server. If you are unsure which interface to use, select option 1 for all interfaces. Note that if your network did not assign your appliance a DHCP lease, or if you plan to use a static IP for your server, you will need to specify all interfaces here and follow the instructions for assigning a static IP in the later section of this article. This option may be changed at any time after the wizard completes, in the Admin Web UI.
> Please specify the port number for the Admin Web UI.
Explanation: This is the port you will use to access the web-based administration area. It is usually safe to leave this at the default port unless customization is desired.
> Please specify the TCP port number for the OpenVPN Daemon
Explanation: This is the port clients will use to connect to your VPN server. This port will have to be forwarded to the Internet if your server is behind a NAT-based router. By default, the web-based administration area also runs on this port for your convenience, although this behavior can be disabled in the Admin Web UI.
> Should client traffic be routed by default through the VPN?
Explanation: If you only have a small network that you would like your remote users to reach over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option.
> Should client DNS traffic be routed by default through the VPN?
Explanation: If you would like your VPN clients to be able to resolve local domain names using an on-site DNS server, select yes for this option. Otherwise, select no. Note that if you selected yes for the previous option, all traffic will be routed over the VPN regardless of what you set here.
> Use local authentication via internal DB?
Explanation: If you would like OpenVPN Access Server to keep an internal authentication database for authenticating your users, select yes for this option. When this option is turned on, you will be able to define and/or change usernames and passwords within the Admin Web UI. If you select no for this option, Linux PAM authentication will be used and you will need to add/change/delete users within the Linux operating system itself. If you would like to use LDAP or RADIUS as your authentication method, you will need to change this after you log in to the Admin Web UI.
> Should private subnets be accessible to clients by default?
Explanation: This option defines the default security setting of your OpenVPN Access Server. When "Should client traffic be routed by default through the VPN?" is set to no, it defines the list of subnets that your VPN clients are able to access. You are able to add more entries to this list once you log in to the Admin Web UI area. This option has no effect if "Should client traffic be routed by default through the VPN?" is set to yes.
> Do you wish to login to the Admin UI as "openvpn"?
Explanation: This defines the initial username you will use to log in to the Access Server Admin UI area. This username will also serve as your "lock out" administrator username should you ever lock yourself out of your own server. If you would like to specify your own username, select no. Otherwise, accept yes for the default.
> Specify the username for an existing user or for the new user account:
Explanation: Enter the initial username you would like to use instead of the default 'openvpn'.
> Type the password for the 'user' account:
> Confirm the password for the 'user' account:
Explanation: Specify the password you would like to use for the account.
> Please specify your OpenVPN-AS license key (or leave blank to specify later):
Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here. Otherwise, leave it blank. OpenVPN Access Server includes two free licenses for testing purposes.
After you complete the setup wizard, you can access the Admin Web UI area to configure other aspects of your VPN. The URL for the Admin Web UI area is displayed upon the completion of the setup wizard. As mentioned previously, you will be able to access the Admin Web UI on both the VPN port and the Admin port unless you disable this behavior in the Admin Web UI.
Note: If you selected yes to the Do you wish to login to the Admin UI as "openvpn"? option in the setup wizard, you will need to define the password for this account by running:
and press Enter.
The root password is the equivalent of an administrator password in the Windows environment. Anyone who has this password also has full control over the appliance. Because this is set to a default password of 'openvpnas', it should be changed to something secure, especially if you plan to use this appliance in production environments.
To do so, execute the following command (you will be asked for your new root password):
The appliance by default automatically obtains networking information from DHCP. If your network has no DHCP server and/or you would like to manually assign an IP address to your Access Server appliance, please follow the steps below:
For example, if you would like to configure your appliance to have an IP address of 192.168.0.100, a subnet mask of 255.255.255.0, a gateway of 192.168.0.1, and nameservers of 126.96.36.199 and 188.8.131.52, your configuration will look like this:
# The primary network interface
iface eth0 inet static
    address 192.168.0.100
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 126.96.36.199 188.8.131.52
Once you are done, press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor.
To activate the new configuration, run the following command: ifdown eth0 && ifup eth0.
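A wrong gateway or netmask takes effect as soon as the interface is cycled, which can leave a remote appliance unreachable. The script below is an added example, not part of the original guide: it parses an ifupdown-style static stanza and confirms that the gateway lies in the address's subnet. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a static stanza before `ifdown eth0 && ifup eth0`.

# Dotted-quad IPv4 -> integer; non-zero exit on malformed input.
ip_to_int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac        # reject ambiguous leading zeros
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$(( $n * 256 + $o ))
    done
    echo "$n"
}

# Print option $3 from the "iface $2 inet static" stanza in file $1.
stanza_value() {
    awk -v ifc="$2" -v key="$3" '
        $1 == "iface" { in_st = ($2 == ifc && $4 == "static"); next }
        $1 ~ /^(auto|allow-|mapping|source)/ { in_st = 0 }
        in_st && $1 == key { print $2; exit }' "$1"
}

# Exit 0 and print "ok" only if address, netmask and gateway are consistent.
check_static() {
    addr=$(stanza_value "$1" "$2" address)
    mask=$(stanza_value "$1" "$2" netmask)
    gw=$(stanza_value "$1" "$2" gateway)
    a=$(ip_to_int "$addr") || { echo "bad or missing address"; return 1; }
    m=$(ip_to_int "$mask") || { echo "bad or missing netmask"; return 1; }
    g=$(ip_to_int "$gw") || { echo "bad or missing gateway"; return 1; }
    inv=$(( ~$m & 0xFFFFFFFF ))
    [ $(( $inv & ($inv + 1) )) -eq 0 ] || { echo "netmask is not contiguous"; return 1; }
    [ $(( $a & $m )) -eq $(( $g & $m )) ] || { echo "gateway $gw not in subnet of $addr"; return 1; }
    [ "$a" -ne "$g" ] || { echo "gateway equals address"; return 1; }
    echo ok
}

# Constructed sample stanza using the guide's address and netmask; gateway is $2.
write_sample() {
    printf '%s\n' 'iface eth0 inet static' '    address 192.168.0.100' \
        '    netmask 255.255.255.0' "    gateway $2" > "$1"
}
tmp=$(mktemp)
write_sample "$tmp" 192.168.0.1; echo "guide values:     $(check_static "$tmp" eth0)"
write_sample "$tmp" 192.168.1.1; echo "mistyped gateway: $(check_static "$tmp" eth0)"
rm -f "$tmp"
```

On the appliance, call check_static with the path of the interfaces file you edited and eth0 as arguments, and cycle the interface only if it prints ok.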
The default time zone is set to US (Pacific - Los Angeles). If you reside in another time zone and would like to change this setting, run the following command (you will be asked which time zone you would like to set):
The system will show the new local time after this setting is configured.
In the setup wizard, you were prompted to create an initial username and password that allowed you to log in to the Admin Web UI. This username and password combination will always be active regardless of its status in the "User Permissions" area. This might be undesirable if your server is facing the Internet, since anyone who has this username and password combination will have full administrator rights to change any setting in your Access Server Admin Web UI. After you have created a secondary administrator account in the Admin Web UI, you may disable this lock out account by following the steps below:
You may choose to re-enable this feature at any time by removing the # sign from the aforementioned file and restarting Access Server.
Between the time we generated the appliance and the time you downloaded and started using it, many operating system updates might have become available. To make sure your appliance operating system is up to date, execute the following command:
apt-get update && apt-get upgrade