Access Server Deployment

Compatible Linux Operating Systems

Access Server can be installed on any supported Linux operating system. These operating systems include but are not limited to:

  • Local Linux Servers
  • Amazon Web Services AS AMI
  • Microsoft Azure VM
  • Google Cloud Platform
  • Digital Ocean Droplet
  • Oracle Cloud Platform

Virtual appliances are also supported:

  • Microsoft Hyper-V
  • VMWare ESXi

Access Server Deployment Terms

These terms listed below are commonly used when referring to topics related to Access Server:


OpenVPN Access ServerThe OpenVPN server daemon along with the Access Server's configuration and maintenance software running on a server computer.

An individual attempting remote access to private network resources via the public Internet.

A computer (operated by a user) running OpenVPN client software in order to gain access to private network services via the OpenVPN Access Server.

User Credentials

A username and password used to authenticate a user.

Client Configuration File

A file which contains the required information for an OpenVPN client to securely connect to the OpenVPN server. User credentials are not included in the client configuration.

Connect Client

A client running on the Access Server which delivers client configuration files and/or pre-configured Windows client installer files to authenticated users. The Connect Client also allows for a user to login and connect through the browser.

Admin Web UIA Web server running on the Access Server which is used by the administrator to configure the settings of the Access Server.

Default Ports

The ports listed below are default and can be altered via the Admin Web UI.

Default Services and Ports

ServiceProtocolDefault Ports
Access ServerTCP and/or UDPTCP/443 UDP/1194
Connect ClientTCP943

Sample Topologies

Access Server within a Private Network with Client Routing

A limitation of NAT routing is that it is unidirectional. In order to have communication from the private network to the VPN, client routing must be used. With this method, packets are not altered in any way. To view how to configure these settings, please click here.

Routed Site-to-Site Setup

A site-to-site setup is where two (or more) different networks are connected together using one OpenVPN tunnel. In this connection model, devices in one network can reach devices in the other network and vice versa. For this configuration, one site will contain the OpenVPN Access Server and the other site will have an OpenVPN Gateway Client configured. With this setup, you are not limited to a single site. Access Server can be connected to multiple sites through VPN tunnels. For more information regarding Site-to-Site routing, please read Site-to-Site VPN Routing Explained in Detail

Direct connection to Access Server within a Private Network

With minimal configuration to the Access Server, users can connect to a private network and access resources within the network. This is ideal for users away from the office who may need access to a shared NAS, network, databases, web servers, etc. Access Server accomplishes the routing by carrying out Source Network Address Translation (SNAT) on incoming packets from the VPN tunnel. They are routed appropriately throughout the private network. To the network, traffic appears local and is sent to the proper destination. Since it is all local traffic, the target machine can respond without additional static routes being set up. This is the default action of Access Server when installed.

Deployment Overview

1. Determine the network configuration and IP address for the server

You need to ensure that clients on the Internet can connect to the Access Server (either via public IP address on the Access Server or via forwarding from a border firewall) and that the Access Sever is connected to the private network if one is to be used. See the Typical Network Configurations page for descriptions of typical network configurations.

2. Obtain a activation key

Register and sign into to obtain an activation key. If you are evaluating this product, we have already allocated two free connections to test the Access Server.

3. Download and install the OpenVPN Access Server package file

From our download page, choose the option that suits your needs, from Linux operating systems to cloud deployments or virtual machines. For a Linux OS, copy and past the commands from the modal window into your server’s command line. This will set up the software repository for you. It will also download and install the latest Access Server version. For the cloud deployments and virtual machines, we have quick start guides available.

4. Run the initial configuration

After package installation, the default ovpn-init tool runs, which steps you through the configuration of your Access Server and allows you to accept the default options if you’d like. If for some reason you need to run the tool again (to reconfigure settings), you can do so, but please note: do not run the ovpn-init script on an Access Server that is already in use. It will reset your configurations.

Run ovpn-init (without command-line arguments) using the bash shell:

/usr/local/openvpn_as/bin/ovpn-init --force

The ovpn-init utility asks a few questions regarding what IP address and port should be used for the Access Server Admin Web UI, what user credentials should be used to log on to the Admin Web UI to administer the Access Server, information about an activation key, and whether you are setting this up as a primary or secondary node (you will usually select primary unless using a failover or cluster setup).

5.Set a password for the openvpn admin account

After completing the configuration with the ovpn-init tool, you need to set a password for the default admin user, openvpn. You will use this to login to the Admin Web UI for the first time. To do so, run the following command:

passwd openvpn

6. Complete configuration in Admin Web UI

Launch a web browser to open the URL of the OpenVPN Access Server and login with the openvpn user and the password you defined. You’ll be prompted with the End User License Agreement. After reading and accepting that, you can manage your settings within the Admin Web UI.

7. User authenticates to the Connect Client

The user uses a Web browser to open a URL specified by Access Server that asks for the user's credentials. Once the user is authenticated, the Client UI provides installation options for Linux, Windows, macOS, Android, and iOS client installations. A user may also download a configuration file directly to their computer with the link provided. When the user installs their client using these installations, they are pre-configured with the necessary connection details. The user can simply install the client and connect without any further configuration.

8. User connects to VPN

After the user has authenticated against the VPN Server, the client software will initiate a connection. Depending on the Connect Client software used, the user may see the connection status in their browser. After the connection has been established, the browser window will show the connection status and list the address of the server the user is connected to along with the amount of data that has been transferred between the user's client and the VPN server. The systray icon may also show the connection status and will display a status message informing the user they are connected after the connection has been established.