Typical Network Configurations

About the page

There are many different network configurations supported by the flexibility of Access Server. Below you’ll find the three most commonly supported network configurations used with OpenVPN Access Server deployments. Depending on your requirements, these configurations are good starting points for how you configure your VPN. After deployment, Access Server will create a VPN IP subnet for ease of routing and grants a further layer of protection when access to private networks is enabled. The following sections describe the three most common network configurations and the automatic VPN IP subnet configuration.

Basic Setup: One Network Interface on a Private Network Behind the Firewall

Use Access Server to set up secure access to a private network behind a firewall. With this configuration Access Server resides in an internal corporate network. Users outside the network gain access using the VPN. In this configuration the Access Server has one network interface to the private network. NOTE: other interfaces may be present on the system that are not utilized by the Access Server.

For this configuration, the Internet Gateway forwards TCP/UDP port traffic from the public-facing IP address to the Access Server’s private IP address. At a minimum, one TCP port (typically port 443) is forwarded. That TCP port can carry both the VPN tunnel traffic and the Web Client Server/Connect Client traffic. Optionally, the VPN tunneling can be separated from the Web Client Server traffic, in which case an additional TCP or UDP port (e.g., UDP port 1193) is forwarded for the VPN tunnel.

A variation on this network configuration has the Access Server with one interface attached to a DMZ network provided by the firewall. As mentioned above, the same forwarding of client traffic is required. Additionally, you may need to configure the firewall to allow traffic between the Access Server and the private network behind the firewall.

Two Network Interfaces: One Public and One Private

This configuration is most commonly seen when the Access Server resides in an internal corporate network but it also has its own public IP address. The Access Server communicates with clients outside the corporate network via its public IP interface. It uses another network interface to communicate with hosts on the private IP network and to propagate packets between VPN tunnels and the private network.

One Network Interface on a Public Network

This configuration is most commonly seen when the Access Server is located in the data center and its purpose is to create a virtual IP network to which all VPN clients can connect in order to communicate with services deployed on the server itself.

After Deployment: Virtual VPN Subnet Configuration

When deployed, the Access Server creates an independent, virtual VPN IP subnet on which each of the connected VPN clients is assigned an IP address. If access to private networks is enabled by the administrator, the Access Server will also set up a NAT or internal routing system to allow VPN clients from the VPN subnet to reach the private network via the server’s private IP address. Access Server may configure two virtual networks: one for “static” VPN IP addresses (i.e. the admin assigns specific VPN IP address to particular users) and on for “dynamic” VPN IP addresses.