
Access Server Deployment

Compatible Linux Operating Systems

Access Server can be installed on any supported Linux operating system. Deployment options include, but are not limited to:

  • Local Linux Servers
  • Amazon Web Services AS AMI
  • Microsoft Azure VM
  • Google Cloud Platform
  • Digital Ocean Droplet

Virtual appliances are also supported:

  • Microsoft Hyper-V
  • VMWare ESXi

Access Server Deployment Terms

The terms listed below are commonly used when referring to topics related to Access Server:

Terminology

OpenVPN Access Server: The OpenVPN server daemon along with the Access Server’s configuration and maintenance software running on a server computer.

User: An individual attempting remote access to private network resources via the public Internet.

Client: A computer (operated by a user) running OpenVPN client software in order to gain access to private network services via the OpenVPN Access Server.

User Credentials: A username and password used to authenticate a user.

Client Configuration File: A file which contains the required information for an OpenVPN client to securely connect to the OpenVPN server. User credentials are not included in the client configuration.

Connect Client: A client running on the Access Server which delivers client configuration files and/or pre-configured Windows client installer files to authenticated users. The Connect Client also allows a user to log in and connect through the browser.

Admin Web UI: A Web server running on the Access Server which is used by the administrator to configure the settings of the Access Server.

Default Ports 

The ports listed below are default and can be altered via the Admin Web UI.

Default Services and Ports

Service          Protocol         Default Ports
Access Server    TCP and/or UDP   TCP/443, UDP/1194
Connect Client   TCP              943
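
A post-install check of the listening sockets against the defaults in the table above, as an added example (not part of the original page and not OpenVPN's own tooling). It parses the output of `ss -H -tuln`; the sample output is constructed, and EXPECTED must be edited if the ports were changed in the Admin Web UI.

```python
import ipaddress

# Defaults from the table above. "TCP and/or UDP" means one of the two
# Access Server entries may be absent by design; remove it here if so.
EXPECTED = {
    ("tcp", 443): "Access Server (TCP)",
    ("udp", 1194): "Access Server (UDP)",
    ("tcp", 943): "Connect Client",
}

# Constructed sample of `ss -H -tuln` output, not captured from a real server.
SAMPLE_SS = """\
udp   UNCONN 0 0        0.0.0.0:1194   0.0.0.0:*
tcp   LISTEN 0 128      0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128         [::]:443       [::]:*
tcp   LISTEN 0 128      0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128    127.0.0.1:5432   0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return {(proto, local_addr, port)} parsed from `ss -H -tuln` lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")  # last colon, so [::]:443 works
        if port.isdigit():
            listeners.add((fields[0], addr.strip("[]").split("%")[0], int(port)))
    return listeners

def is_loopback(addr):
    """True only for loopback binds; wildcard forms such as '*' count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(ss_output):
    """Return (missing expected services, unexpected non-loopback listeners)."""
    listeners = parse_listeners(ss_output)
    seen = {(proto, port) for proto, _, port in listeners}
    missing = sorted(name for key, name in EXPECTED.items() if key not in seen)
    unexpected = sorted(l for l in listeners
                        if (l[0], l[2]) not in EXPECTED and not is_loopback(l[1]))
    return missing, unexpected

if __name__ == "__main__":
    print(audit(SAMPLE_SS))
```

On a real server, pass the text of `ss -H -tuln` to `audit()` in place of the sample; anything in the second list is reachable from the network and is not one of the documented Access Server ports.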

Sample Topologies 

Access Server within a Private Network with Client Routing 

A limitation of NAT routing is that it is unidirectional. In order to have communication from the private network to the VPN, client routing must be used. With this method, packets are not altered in any way. To view how to configure these settings, please click here.

Routed Site-to-Site Setup 

A site-to-site setup is where two (or more) different networks are connected together using one OpenVPN tunnel. In this connection model, devices in one network can reach devices in the other network and vice versa. For this configuration, one site will contain the OpenVPN Access Server and the other site will have an OpenVPN Gateway Client configured. With this setup, you are not limited to a single site. Access Server can be connected to multiple sites through VPN tunnels. For more information regarding Site-to-Site routing, please read Site-to-Site VPN Routing Explained in Detail.

Direct connection to Access Server within a Private Network

With minimal configuration to the Access Server, users can connect to a private network and access resources within the network. This is ideal for users away from the office who may need access to a shared NAS, network, databases, web servers, etc. Access Server accomplishes the routing by carrying out Source Network Address Translation (SNAT) on incoming packets from the VPN tunnel. They are routed appropriately throughout the private network. To the network, traffic appears local and is sent to the proper destination. Since it is all local traffic, the target machine can respond without additional static routes being set up. This is the default action of Access Server when installed.
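
The reply path behind the NAT and client-routing topologies described above, modelled as an added example (not part of the original page). All addresses are constructed, and the static route is placed on the LAN host for simplicity; placing it on the LAN's default gateway has the same effect.

```python
import ipaddress

# Every address below is constructed for illustration.
LAN = ipaddress.ip_network("192.168.70.0/24")       # private network
VPN = ipaddress.ip_network("172.27.224.0/20")       # VPN client subnet
AS_LAN_IP = ipaddress.ip_address("192.168.70.10")   # Access Server, LAN side
GATEWAY = ipaddress.ip_address("192.168.70.1")      # LAN default gateway
CLIENT = ipaddress.ip_address("172.27.224.5")       # one VPN client

# Routing table of an ordinary LAN host: (network, next hop); None = on-link.
BASE_ROUTES = [(LAN, None), (ipaddress.ip_network("0.0.0.0/0"), GATEWAY)]
# The same table after adding a static route for the VPN subnet.
WITH_STATIC = BASE_ROUTES + [(VPN, AS_LAN_IP)]

def source_seen_by_lan(mode):
    """NAT rewrites the source to the server's LAN address; routing keeps it."""
    return AS_LAN_IP if mode == "nat" else CLIENT

def next_hop(dst, routes):
    """Longest-prefix match; returns where the host hands the packet."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return dst if hop is None else hop

def reply_reaches_access_server(mode, routes):
    """Does the LAN host's reply get back to the Access Server?"""
    return next_hop(source_seen_by_lan(mode), routes) == AS_LAN_IP

def lan_can_initiate(mode, routes):
    """Can a LAN host open a new connection to the VPN client?"""
    # It needs an address that belongs to the client and a route toward it.
    client_is_addressable = source_seen_by_lan(mode) == CLIENT
    return client_is_addressable and next_hop(CLIENT, routes) == AS_LAN_IP

if __name__ == "__main__":
    for mode in ("nat", "routed"):
        for name, routes in (("default routes", BASE_ROUTES),
                             ("static route", WITH_STATIC)):
            print(mode, name, reply_reaches_access_server(mode, routes),
                  lan_can_initiate(mode, routes))
```

With NAT the reply returns on default routes but the LAN can never initiate; with client routing both directions work only once the VPN subnet is routed to the Access Server.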

Deployment Overview 

1. Determine the network configuration and IP address for the server 

You need to ensure that clients on the Internet can connect to the Access Server (either via a public IP address on the Access Server or via forwarding from a border firewall) and that the Access Server is connected to the private network if one is to be used. See the Typical Network Configurations page for descriptions of typical network configurations.

2. Obtain a license key

Register and sign into www.openvpn.net to obtain an Access Server license key. If you are evaluating this product, we have already allocated a two-user test key to the Access Server. 

3. Download and install the OpenVPN Access Server package file  

From our software packages download page, choose the Linux operating system name and version number for your server. From the instructions in the modal window that pops up, copy and paste the commands to your server’s command line. This will set up the software repository for you. It will also download and install the latest Access Server version.

4. Run ovpn-init to set initial configuration settings

For any version after 1.5.6, the ovpn-init tool runs by default after the package installation. If you still need to run it again (to configure more advanced settings), you can do so. NOTE: Do not run the ovpn-init script on an Access Server that is already installed and in use.

Run ovpn-init using the bash shell. The --force argument is included because the tool has already run once as part of the package installation:

/usr/local/openvpn_as/bin/ovpn-init --force

The ovpn-init utility asks a few questions regarding what IP address and port should be used for the Access Server Admin Web UI, what user credentials should be used to log on to the Admin Web UI to administer the Access Server, information about licensing, and whether you are setting this up as a primary or secondary node (you will usually select primary unless using a failover or cluster setup).

5. Administrator uses Admin Web UI to complete configuration

The administrator uses a Web browser to open the URL of the OpenVPN Access Server. The administrator logs in with the root username and password of the machine, and adjusts settings on the pages of the Admin Web UI. At a minimum, the administrator enters the license key on the License page and then starts the VPN Server.

6. User authenticates to the Connect Client 

The user uses a Web browser to open a URL specified by Access Server that asks for the user’s credentials. Once the user is authenticated, the Client UI provides installation options for Linux, Windows, macOS, Android, and iOS client installations. A user may also download a configuration file directly to their computer with the link provided. When the user installs their client using these installations, they are pre-configured with the necessary connection details. The user can simply install the client and connect without any further configuration.
 

7. User connects to VPN 

After the user has authenticated against the VPN Server, the client software will initiate a connection. Depending on the Connect Client software used, the user may see the connection status in their browser. After the connection has been established, the browser window will show the connection status and list the address of the server the user is connected to, along with the amount of data that has been transferred between the user's client and the VPN server. The systray icon may also show the connection status and will display a status message informing the user they are connected after the connection has been established.