What is OpenVPN Access Server (OpenVPN-AS)?
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configuration options supported are a carefully selected subset of the much larger set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.
What is a typical deployment of an Access Server?
An OpenVPN Access Server deployment always consists of one VPN server, many VPN clients and many users in a star network topology. Each client machine in this topology gains access to the Access Server and the private IP network(s) connected to it (if present) through the VPN. The Client Web Server and Admin Web UI are other important components of the remote access solution, and these services run on the Access Server host.
What is a client configuration file?
A client configuration file contains all of the necessary information required for the client to make a secure connection to the Access Server. User credentials are not included in the client configuration.
The Access Server includes a Windows Client installer which contains an embedded client configuration file that is pre-configured for the user that downloaded it from the Client Web Server. Once the installer is run on the user’s Windows machine, there is no further configuration needed for the installed VPN Client to connect to the VPN Server component of the Access Server.
Which operating systems can be used to host the Access Server software?
Currently, the Access Server software must be run on a Linux host. The software is released in the form of binary package files for particular Linux distributions. At this time, RPM packages are released for hosts running 32-bit and 64-bit installations of CentOS 4, 5 or Fedora 8, 9, 10, and Debian packages are released for hosts running 32-bit and 64-bit installations of Ubuntu 8, 9.
Support for RedHat Enterprise Linux is coming soon. Additional Unix platforms may be supported in the future.
How is user authentication and management supported?
OpenVPN Access Server does not create or manage its own user credential database. Instead, it integrates with one of a number of user authentication systems. The currently supported authentication systems are:
- PAM: the local user database on the Access Server Unix host
- LDAP, including Active Directory
- RADIUS
The user authentication system may reside on the same server as the Access Server (as is always the case when PAM is chosen). Alternatively, it can reside on a separate server, as long as it is reachable by the Access Server via either the private or public network.
How are VPN clients deployed and configured?
A user’s VPN client configuration is automatically created when the user logs in to the Client Web Server. This process takes place without any need for interaction from the administrator. Once the user has successfully authenticated at the Client Web Server login page, the user can download a customized VPN client configuration file or a pre-configured Windows GUI installer.
If a user is blocked (by the Access Server administrator) or deleted from the user authentication database, the user’s VPN client also becomes disabled due to the fact that each client configuration is user-locked; i.e., it only allows that particular user to connect to the VPN.
How to replace the Access Server private key and certificate?
What are the Known Issues For OpenVPN-AS?
SELinux incompatibility Information:
If you have SELinux running on your machine and try to install OpenVPN Access Server you will receive this message:
WARNING: It appears you have SELinux enabled currently.
SELinux must be disabled for proper operation of OpenVPN Access Server. Before continuing with the Access Server, disable SELinux by changing the SELINUX line in /etc/selinux/config to read:
SELINUX=disabled
Compatibility with SELinux is on our to-do list and will be implemented at one point in the future.
Mutated Vowel support incomplete:
Our support right now for non-ASCII username/password character sets (mutated vowels) is not as complete as it should be. We are still in the process of implementing this in OpenVPN Access Server.
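The SELinux known issue above comes down to one line in /etc/selinux/config. The following preflight check is an added example (not code from the OpenVPN installer) that reads that file the way a deployment script would before attempting the install: it tolerates comments, ignores the unrelated SELINUXTYPE= line, and distinguishes "SELinux not installed" from "file present but setting missing". The default config path is the one quoted in the warning; everything else is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from OpenVPN's installer: a preflight check that reads the
# SELINUX= setting from an /etc/selinux/config-style file, which is the setting the
# installer warning quoted in the FAQ tells you to change. Prints one of:
#   absent   - no config file, i.e. SELinux is not installed on this host
#   unknown  - file exists but has no uncommented SELINUX= line
#   <mode>   - the configured value (enforcing, permissive or disabled), lower-cased
selinux_mode_from_config() {
    cfg="${1:-/etc/selinux/config}"
    [ -f "$cfg" ] || { echo "absent"; return 0; }
    # Match only an uncommented line that starts with SELINUX= (so SELINUXTYPE= and
    # "# SELINUX=..." comments are skipped) and keep the first such line.
    mode=$(sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$mode" ] || { echo "unknown"; return 0; }
    printf '%s\n' "$mode" | tr '[:upper:]' '[:lower:]'
}

# Exit status 0 when the configured setting is what the Access Server installer
# accepts (SELINUX=disabled, or SELinux not installed at all), 1 otherwise.
selinux_config_ok_for_as() {
    case "$(selinux_mode_from_config "$1")" in
        disabled|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the host before installing (no argument reads /etc/selinux/config):
# selinux_config_ok_for_as || echo "SELinux is still configured on; see the FAQ note above"
```

Note that this reads only the boot-time setting in the file; the live state of a running kernel is reported by the getenforce command, and the two differ until the host is rebooted after the file is edited.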
How do I configure Access Server to authenticate using Active Directory?
Can I run Access Server on a VPS container?
How do I prevent Access Server from modifying iptables rules on my Linux host?
How do I setup OpenVPN Access Server to use site-to-site?
If you want two Access Servers connected to each other site-to-site, you will need gateway functionality enabled somewhere on the network of one of your Access Servers. The two Access Servers to be connected are referred to below as AS1 (Access Server 1) and AS2 (Access Server 2).
- To establish a tunnel between AS1 and AS2, set up a gateway client on one of the LANs, i.e. on the LAN of either AS1 or AS2.
- The gateway client connects to the remote Access Server (AS1), pushes the routes from that Access Server (AS1) to its LAN (AS2), and pushes its LAN's (AS2) routes to the remote Access Server (AS1).
- If you want an Access Server on the gateway client's LAN (AS2) to connect to the remote Access Server (AS1), you must explicitly state, in the User Permissions area for the user account with which the gateway client connects to the Access Server (AS1), that the route for the private subnet of the Access Server (AS2) is to be pushed.
- It is much easier if you run the gateway client on the same machine as the Access Server (AS2).
*There are future plans to have site-to-site available in the Admin UI.
How much do license keys cost?
You can purchase license keys for $5 (five US dollars) per concurrent user, with a minimum allocation of 10 concurrent users (for a cost of $50 US). For questions regarding license pricing, contact sales@openvpn.net.
What support is included when one purchases a license key?
Included with the license purchase is access to the OpenVPN support center.
How do I purchase license keys?
License keys can be purchased on-line with a Credit Card or Paypal. For large orders contact sales@openvpn.net.
To purchase a license key:
- You must first log in. (Register for a free account to get a login.)
- Then navigate to the license key page and click on "Purchase License Key".
- Select the number of concurrent users you need and then click on "add to cart".
- Select payment by Credit Card or Paypal.
- Enter your payment information. For credit cards, enter the account information. For Paypal, you will be redirected to pay on the Paypal site, with confirmation back on our site.
- Now confirm your order amount and click on "confirm order".
- Once our servers receive confirmation of payment, we will issue a new key and e-mail it to you. You can also find the order status and new key on the license key page.
Depending on how you pay for your order, confirmation usually takes less than a minute.
Default Password for VMware and VHD Appliance
The default username and password for the VMware and Windows VHD virtual appliances are:
Default Username: root
Default Password: openvpnas
*Note: The credentials are case sensitive!
How do I make the virtual appliance accessible by clients on the Internet?
Initially, the virtual appliance uses DHCP to dynamically obtain an IP address during appliance startup. For clients on the Internet to connect to your Access Server virtual appliance, you will probably need to use a static IP address. See the information on the "How to change the IP address and other network settings of the Access Server appliance?" question of the FAQ.
You also need the appliance's IP address to be reachable by clients on the Internet. Typically this involves either using a public IP address (e.g., an address provided by an Internet Service Provider), or configuring your Internet gateway/router to perform port forwarding. For the latter option, consult the instructions from your ISP or gateway/router on how to configure port forwarding.
What are the URLs of the Web interfaces?
Appliance Management Interface: https://vmware_appliance_ip_address:5480
Use the Appliance Management Interface to reboot, shut down or change the network settings of the appliance.
Access Server Admin Web UI: https://vmware_appliance_ip_address:943/admin
Use the Admin Web UI to configure the OpenVPN Access Server settings.
Client Web Server: https://vmware_appliance_ip_address:5480
Users (typically non-administrative users) log in to the Client Web Server to download a pre-configured Windows Client GUI installer and/or an OpenVPN client configuration file.
Note: The vmware_appliance_ip_address is shown on the initial Welcome screen (with blue background) once the virtual appliance boots up.
How to change the appliance root password?
At the bottom of the appliance Welcome screen (with blue background), there is a menu item with the choices "Login", "Configure Network", and "Set Timezone". Log in to the virtual appliance root shell by selecting "Login", then log in with the username "root" and the current root password. At the shell prompt ("#"), type:
passwd
You will then be prompted to enter a password and confirmation.
Enter new UNIX password: Retype new UNIX password:
After you return to the "#" prompt, you can type "exit" to log out (and return to the Welcome screen).
How to add authorized users to the VPN?
Initially, the Access Server virtual appliance uses PAM (Pluggable Authentication Modules) to authenticate VPN client users. This means that a VPN user must have a valid account (username and password) on the virtual Linux appliance. To add a user account to the appliance, use the Linux shell:
- At the appliance Welcome screen (with blue background), select the "Login" option from the menu at the bottom of the screen.
- Log in to the Linux shell with the username "root" and the current root password.
- Use the "useradd" command to create the new account. E.g., for a new username of "thelonious", enter the following command at the shell prompt ("#"):
useradd thelonious
- Set the password for the new user account using the "passwd" shell command:
passwd thelonious
- You are then prompted to enter a password twice (for confirmation):
Enter new UNIX password: Retype new UNIX password:
- Enter "exit" to leave the Linux shell and return to the Welcome screen.
Alternatively, if your virtual appliance is running on a Windows host (e.g., using VMware Player) and your Windows system uses Active Directory, you can configure the Access Server to authenticate users via LDAP against Active Directory. See the "Help" page in the "LDAP" page of the Access Server Admin Web UI for more information.
How to shutdown or reboot the virtual appliance?
Using the Appliance Management web interface:
Log in to the Appliance Management web interface using the URL:
https://vmware_appliance_ip_address:5480
Then click on the "Reboot" or "Shutdown" buttons.
Using the shell from the appliance Welcome screen:
At the Welcome screen (with blue background), select "Login". Enter the username "root" and the root password. Then at the shell prompt ("#"), enter one of the following commands:
shutdown -h 0 (shutdown the appliance)
shutdown -r 0 (reboot the appliance)
How to change the IP address and other network settings of the Access Server appliance?
Using the Appliance Management web interface:
Log in to the Appliance Management web interface using the URL:
https://vmware_appliance_ip_address:5480
Then click on the "Network Tab" and then on "Address". Enter the new network properties.
Using the appliance Welcome screen:
At the Welcome screen (with blue background), select "Config Network". Enter the new network properties.
Advanced users may also edit the VMware appliance configuration directly (consult the VMware documentation for how to do so). It is stored in the OpenVPN-AS-Appliance.vmx file that you selected to start the virtual appliance.
Note: In order for network settings changes to take effect, the virtual appliance must be rebooted (see the FAQ section concerning shutdown/reboot). Also, to ensure that Access Server clients can find the Access Server, log in to the Access Server Admin Web UI, go to the "Server Network Settings" page, and edit the "Hostname or IP Address" field to refer to the new appliance IP address.
How to upgrade the virtual appliance to a new version of the Access Server?
You can upgrade the OpenVPN Access Server software running on the Virtual Appliance by downloading the new Access Server package onto the appliance. At the Welcome screen (with blue background), select "Login". Enter the username "root" and the root password. Then at the shell prompt ("#"), enter the following commands (assuming the new Access Server version is "1.3.1"):
wget URL_of_new_package
dpkg -i openvpn-as-version-Ubuntu8.i386.deb
Where the URL_of_new_package is obtained using the Access Server Downloads page and choosing the package for the Ubuntu8 32-bit platform (requires logging in to the website using your registered account). Use the full URL path including http:// in the wget command. Replace version with the new Access Server version number, such as 1.3.1. The package is updated while preserving the configuration (including license information and all keys/certificates) from the previous Access Server installation.
How to back up the Access Server virtual appliance?
All of the state and settings of the Access Server are stored in the directory you expanded when you originally unzipped the virtual appliance .ZIP file. This directory can be backed up by shutting down the virtual appliance and making a copy of the directory. This directory is relatively large, since it contains the entire virtual appliance distribution.
It is also possible to back up only the Access Server database files themselves, though doing so requires some knowledge of Linux: log in to the virtual appliance root shell, and back up the /usr/local/openvpn_as/etc directory.
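A practitioner backing up /usr/local/openvpn_as/etc from the root shell will want more than a bare cp: that directory holds the CA, the server key and certificate and the license data, so the copy must stay root-only, and a backup that cannot be read back is worthless. The script below is an added example, not part of the Access Server distribution; the source path is the one named above, while the destination directory and the archive naming are assumptions. It is also the natural thing to run before the package upgrade described in the previous answer.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN Access Server distribution: archive the
# Access Server configuration directory named in the FAQ into a timestamped tarball
# that only root can read. The default destination directory is an assumption.
backup_as_config() {
    src="${1:-/usr/local/openvpn_as/etc}"
    dest="${2:-/var/backups/openvpn_as}"
    [ -d "$src" ] || { echo "backup_as_config: $src is not a directory" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest/openvpn_as-etc-$stamp.tar.gz"
    # umask 077: the archive holds the CA, server key/certificate and license data,
    # so it must never be created group- or world-readable.
    ( umask 077 && tar -C "$(dirname "$src")" -czf "$out" "$(basename "$src")" ) || return 1
    # Confirm the archive can be listed before reporting it as a good backup;
    # a partial or corrupt archive is removed rather than left to be trusted later.
    tar -tzf "$out" >/dev/null 2>&1 || { rm -f "$out"; return 1; }
    echo "$out"
}

# On the appliance, run as root with no arguments (uses the FAQ's path and the
# assumed destination above); the path of the new archive is printed:
# backup_as_config
```

Because the archive is as sensitive as the server's private key, move it off the appliance over an encrypted channel and keep the same root-only permissions at the destination.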