Deploying the Access Server appliance on Microsoft Hyper-V

Introduction

We deliver Access Server for Microsoft Hyper-V as a downloadable disk image that can be deployed on Hyper-V.

  • The Access Server Hyper-V appliance is based on Ubuntu 22.04 LTS.
  • The appliance includes Hyper-V guest support software.
  • We advise setting a minimum of 1GB of RAM for the virtual machine.
  • The appliance is delivered as a disk image to be attached to a new VM.
  • You must use a Generation 2 type VM with secure boot disabled.

This guide provides the steps to download the virtual hard disk (VHD) file, create a new virtual machine with the Hyper-V Manager, attach the VHD, and then get started with the Access Server web interface.

Download the Access Server virtual hard disk (VHD) image

Follow the steps below to download the Access Server Hyper-V .zip file, and unpack the .vhdx file inside to a suitable location for storing virtual machine hard disk images.

  1. Sign in to the Access Server portal on our website. If you don't have a free account, set one up.
  2. Click Get Access Server > Microsoft Hyper-V.
  3. Click the download button, Access Server Appliance.
  4. Extract the zip file. We recommend extracting it to a file location where you keep your VHD images.

Note: The VHD already includes the open-source VM tools package to respond to shutdown/restart commands from the hypervisor.

Create a new Generation 2 type virtual machine

Once you've downloaded the VHD, you can create a generation 2 type virtual machine (VM).

  1. Launch Hyper-V Manager.
  2. Ensure that Hyper-V has an external virtual network switch.
  3. Select to create a Generation 2 type virtual machine.
  4. Give this new VM at least 1GB of RAM.
  5. For the network interface select the external virtual network switch.
  6. For the virtual hard disk, choose Use an existing hard disk.
  7. Select the .vhdx file extracted earlier.
  8. Then complete the wizard.
  9. Edit the settings of the new VM and uncheck Enable secure boot.
  10. You can now start the VM and connect to the console.

Note: The Enable secure boot option can be turned off under the Security section or the Firmware section, depending on your Hyper-V version. Refer to Microsoft's documentation for Hyper-V virtual machines if needed.

Configure your Access Server

The next step is signing into the appliance console and configuring Access Server.

  1. You can access the console directly from Hyper-V Manager, or you can connect via SSH and use these credentials:
    • Username: root
    • Password: openvpnas
  2. Walk through the setup wizard until your Access Server's web interface addresses and login credentials display at the end.
  3. Set the correct timezone for your appliance deployment with this command:
    dpkg-reconfigure tzdata
  4. Refer to Finishing Configuration of Access Server to finalize configuration.

Note: We recommend setting a static IP address. Refer to Set A Static IP Address On An Ubuntu 18 Or Newer System.

Additional security improvement steps

We recommend the following steps to improve your security and detail each step below:

  • Change the password for the root user (console and SSH access for the root user is enabled by default).
  • Change the password for the Admin Web UI.
  • Perform software updates periodically.

Change the root user password

Ensure you change the default root password to one of your choosing.

  1. Connect to the appliance and sign in as the root user.
  2. Enter this command to change the root user password:
    passwd

Change the web interface account password

Change the initial password for the Admin Web UI:

  1. Sign in to the Admin Web UI.
  2. Click User Management > User Permissions.
  3. Click More Settings for the administrative user.
  4. Enter a new password in the Local Password field.
  5. Click Save Settings and Update Running Server.

Update the Access Server appliance

The Access Server VHD is delivered as a starting point that you should update to get the latest security patches and Access Server release.

  1. Sign in to the Access Server appliance console as a root user.
  2. Run these commands one at a time:
    apt update
    apt upgrade
    apt upgrade openvpn-as
  3. We recommend that you reboot the appliance after installing updates to ensure they apply correctly.

Troubleshooting

Check these subsections if you need help.

IndexError: list index out of range

If you receive the error message, "IndexError: list index out of range," your appliance is deployed on a network without a DHCP service to assign a valid IP address. To resolve this, set a static IP address. You can then sign into the appliance again and restart the wizard.

Why is there a degraded status on the network adapter?

This is normal behavior due to how the underlying operating system interacts with Hyper-V; this doesn't signify a defect. Your appliance works as expected.

Why doesn't my virtual machine have internet access?

There can be a couple of reasons for this. First, ensure you create an external virtual switch and that the VM is attached to this. You can do this from Hyper-V Manager.

If an IP is assigned to your Hyper-V host system but not to the virtual machine you may have a firewall blocking DHCP requests, or you may be on a network that does not do DHCP. In that case, setting a static IP on the appliance may solve this problem. 

In some networks, you may need to allow the Hyper-V host to communicate with the network with the ability to spoof MAC addresses. That is because the virtual machines need their own MAC addresses to participate in the network, but both the Hyper-V host network traffic and the virtual machine traffic go out through the same Hyper-V host’s network card.

Why doesn't my VM boot?

You may have left Secure boot on by default. It must be disabled for the Access Server appliance. Depending on your Hyper-V version, you can find this in the VM settings under the Firmware or Security section depending on your Hyper-V version. You can uncheck Enable secure boot there.

Another possibility is that you are using a generation 1 virtual machine. This is not supported. In this case, create a new virtual machine of generation 2 type, as you can't change the type after creation.

Why am I seeing /dev/sr0 read failure messages?

If you see read failure kernel messages complaining about an inability to read data from /dev/sr0, resolve this by either removing any virtual CD/DVD drive from the VM, or attaching an ISO image to that drive. If the error message is about a device other than /dev/sr0, please contact us for advice.

Why do I see failed to start OpenBSD Secure Shell server?

This is a one-time error message during initial startup just before the SSH host keys are automatically generated. Afterward, the SSH service functions normally.