Commonly Asked Technical Questions

Abstract

Here are the commonly asked technical questions we receive regarding the deployment of Access Server. Please review this before contacting support.

1. What is DNS?

DNS (Domain Name System) resolves domain names like openvpn.net to IP addresses like 192.0.2.0, facilitating human-friendly web navigation.

2. How do I set HTTP Strict Transport Security?

Refer to our tutorial: How to Set Up HTTP Strict Transport Security (HSTS) on Access Server.

3. What is the lockout policy on Access Server?

The lockout policy slows brute-force attacks by blocking user accounts after multiple failed login attempts. Versions 2.10 and newer lock out an account after five failed attempts for 15 minutes. This can be adjusted with the command line tools. The admin account on versions older than 2.10 is exempt from this policy. For more details, refer to our lockout policy documentation.

4. How do I unlock users that are locked out now?

Access Server has no per-user unlock. To reset lockouts, briefly change the lockout release timeout and then revert the setting, using either the Admin Web UI or the CLI as described below.

Tip

You can't unlock a single, specific user. The steps below allow you to set the automatic lockout reset period to one second and then revert it back to the default value.

Manually unlock a user from the Admin Web UI

Access Server 2.10.2 and newer configures the lockout policy in the Admin Web UI. To manually unlock users, follow these steps:

  1. Sign in to the Admin Web UI.

  2. Click Authentication > Settings.

  3. Under Password Lockout Policy, take note of your current value for the Lockout release timeout in seconds.

  4. Set the value to 1.

  5. Wait two seconds.

  6. Set the value back to your initial value.

    Tip

    Access Server's default lockout release timeout is 900 seconds, or 15 minutes.

  7. The locked-out user can sign in again.

Manually unlock a user from the CLI

  1. Connect to your Access Server console and get root privileges.

  2. Change to the directory that contains the sacli tool:

    cd /usr/local/openvpn_as/scripts/

  3. Run these commands to set the lockout release timeout to one second, wait two seconds, and then set it back to the default value of 15 minutes. (If desired, modify the last ConfigPut command for your preferred lockout time.)

    ./sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
    ./sacli start
    sleep 2
    ./sacli --key "vpn.server.lockout_policy.reset_time" --value "900" ConfigPut
    ./sacli start
    service openvpnas restart

  4. The locked-out user can sign in again.
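The reason the one-second trick works is that the release timeout applies to every locked account at once: any lock older than the timeout is released, so lowering the timeout to one second and waiting two seconds clears all of them, and raising it back to 900 seconds does not re-lock anyone. The following simplified model, added here as an illustration and not Access Server's own code, shows that behaviour. It assumes a lock begins at the fifth consecutive failure, is released once reset_time seconds have elapsed since it began, and that a successful sign-in clears the failure counter; the exact internal bookkeeping of Access Server is not documented on this page.

```python
"""Simplified model of a failed-login lockout policy (added example, not
OpenVPN's code). Assumptions: the lock starts at the max_attempts-th
consecutive failure, expires reset_time seconds later, and a successful
sign-in clears the failure count."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_attempts: int = 5          # failures before the account is locked
    reset_time: float = 900.0      # seconds until automatic release (15 minutes)
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_since: dict = field(default_factory=dict)  # user -> time the lock began

    def is_locked(self, user: str, now: float) -> bool:
        started = self.locked_since.get(user)
        if started is None:
            return False
        if now - started >= self.reset_time:
            # Automatic release: forget both the lock and the failure count.
            del self.locked_since[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> bool:
        """Return True if the sign-in is accepted."""
        if self.is_locked(user, now):
            return False              # rejected even with the right password
        if password_ok:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_since[user] = now
        return False

    def locked_users(self, now: float) -> list:
        return sorted(u for u in list(self.locked_since) if self.is_locked(u, now))


def demo_reset_trick() -> dict:
    """Walk through the unlock procedure: five failures lock 'alice',
    reset_time=1 plus a two-second wait releases her, reset_time=900 restored."""
    policy = LockoutPolicy()
    t = 1000.0
    for i in range(5):                      # constructed: five bad passwords
        policy.attempt("alice", False, t + i)
    locked_before = policy.is_locked("alice", t + 5)
    policy.reset_time = 1.0                 # sacli ... reset_time --value "1"
    released = not policy.is_locked("alice", t + 6)   # two seconds after the lock began
    policy.reset_time = 900.0               # sacli ... reset_time --value "900"
    return {
        "locked_before": locked_before,
        "released_after_wait": released,
        "locked_after_restore": policy.is_locked("alice", t + 6),
        "can_sign_in": policy.attempt("alice", True, t + 7),
    }


if __name__ == "__main__":
    print(demo_reset_trick())
```

Because the release applies to every locked account, the procedure is safe to run during an active brute-force attempt only in the sense that the attacker's target re-locks after another five failures; treat repeated lockouts of the same account as a signal worth investigating rather than something to keep clearing.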

5. How can I set a static IP address on my Linux server?

Refer to this tutorial: Set a Static IP Address on an Ubuntu System.

6. What is IP forwarding, and how do I enable it on Linux?

IP forwarding allows a system to route traffic between networks. An example use is a system sitting between two different networks that needs to pass traffic between them.

Important

Access Server always ensures IP forwarding is enabled by default, so it is unnecessary to implement this on the Access Server installation itself.

On most Linux systems, you can turn on IP forwarding by editing the /etc/sysctl.conf file. For example, follow these steps on Ubuntu/Debian:

  1. Connect to the console and get root privileges.

  2. Open the sysctl.conf file in the nano text editor:

    nano /etc/sysctl.conf

  3. Uncomment or add this line:

    net.ipv4.ip_forward=1

  4. Press CTRL+X, then Y, then ENTER to save and exit the file.

  5. Apply the setting without rebooting:

    sysctl -p

    • You've turned on IP forwarding.
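Editing sysctl.conf by hand is fine for one server, but a script that does it should handle the three states the file can be in: the key commented out, the key present with another value, and the key absent. The following Python function is an added example, not part of Access Server or its documentation; it assumes the standard sysctl.conf syntax (key=value, "#" comments, later entries override earlier ones) and constructs its own sample file content.

```python
"""Set net.ipv4.ip_forward=1 in sysctl.conf content (added example, not
OpenVPN's code). Handles a commented-out key, a key set to another value,
duplicate entries, and a missing key."""
import re
from pathlib import Path

KEY = "net.ipv4.ip_forward"
# Matches the key with an optional leading '#' and spaces around '='.
LINE_RE = re.compile(r"^\s*#?\s*" + re.escape(KEY) + r"\s*=\s*(\S+)\s*$")

# Constructed sample of a sysctl.conf with the key commented out.
SAMPLE_CONF = """# /etc/sysctl.conf - constructed sample
net.ipv4.conf.all.rp_filter=1
#net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=0
"""


def enable_ip_forward(text: str) -> str:
    """Return the file content with exactly one active 'net.ipv4.ip_forward=1'."""
    out = []
    done = False
    for line in text.splitlines():
        if LINE_RE.match(line) is None:
            out.append(line)
            continue
        is_comment = line.lstrip().startswith("#")
        if not done:
            out.append(f"{KEY}=1")    # first occurrence becomes the active setting
            done = True
        elif is_comment:
            out.append(line)          # keep documentation comments as they are
        # A later active duplicate would override our value: drop it.
    if not done:
        out.append(f"{KEY}=1")        # key absent: append it
    return "\n".join(out) + "\n"


def enable_ip_forward_file(path: str = "/etc/sysctl.conf") -> bool:
    """Rewrite the file in place; return True if it changed. Run 'sysctl -p'
    afterwards to apply the setting to the running kernel."""
    p = Path(path)
    original = p.read_text() if p.exists() else ""
    updated = enable_ip_forward(original)
    if updated == original:
        return False
    p.write_text(updated)
    return True


if __name__ == "__main__":
    print(enable_ip_forward(SAMPLE_CONF))
```

Once forwarding is on, the host routes packets between its interfaces for anyone who can reach it, so pair the change with firewall rules that permit only the traffic you intend to forward.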

7. How do I route to an additional, separate gateway and subnet?

Add a route in your server's routing table for traffic to go through the additional gateway. Configure client access permissions and use NAT or routing as needed. In complex setups with additional gateways and subnets, these steps ensure connectivity:

  1. Add a route: If Access Server can ping the gateway but not the subnet behind it, add a route in the server's OS routing table. This route should direct traffic for the target subnet through the additional gateway.

  2. VPN client access:

    1. Using NAT: If routing works from the server to the target subnet, NAT can be used to grant VPN clients access. Ensure the correct permissions are set for users and groups.

    2. Using routing: If using routing, ensure the target subnet knows how to route traffic back to the VPN client subnet. Add a route back to the VPN client subnet in the target network's routing table, using the Access Server’s IP as the gateway.

  3. User permissions: Specify additional subnets in the user and group permissions on the Access Server to grant access to these subnets.

  4. Symmetrical routing: Ensure routing is symmetrical; it must work both ways to allow proper communication.

By following these steps, traffic should flow correctly from VPN clients to the target subnet and back.
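A quick way to see why step 4 matters is to run a longest-prefix lookup against both routing tables: the Access Server's table for a host in the target subnet, and the target network's table for a VPN client address. If either lookup lands on a default route instead of the expected next hop, replies will take a different path and the connection fails. The example below is added here and is not Access Server code; it constructs sample routing tables (Access Server at 10.0.0.5, additional gateway at 10.0.0.254, target subnet 192.168.50.0/24, VPN client subnet 172.27.224.0/20) and shows the check failing before the two routes are added and passing afterwards.

```python
"""Check that routing between VPN clients and a target subnet is symmetrical
(added example, not OpenVPN's code). A routing table is a list of
(destination prefix, next hop); a next hop of None means directly connected."""
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not from the documentation page).
AS_IP = "10.0.0.5"            # Access Server's LAN address
EXTRA_GATEWAY = "10.0.0.254"  # additional gateway in front of the target subnet
VPN_CLIENT = "172.27.232.7"   # a client inside the VPN client subnet 172.27.224.0/20
TARGET_HOST = "192.168.50.10" # a host inside the target subnet 192.168.50.0/24

SERVER_TABLE = [("0.0.0.0/0", "10.0.0.1"), ("10.0.0.0/24", None), ("172.27.224.0/20", None)]
GATEWAY_TABLE = [("0.0.0.0/0", "10.0.0.1"), ("10.0.0.0/24", None), ("192.168.50.0/24", None)]


def lookup(table, dst):
    """Longest-prefix match; returns (matched network, next hop) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, via in table:
        net = ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def check_symmetric(server_table, target_table, vpn_client, target_host, gateway, as_ip):
    """Forward path must leave the server via the extra gateway; the reverse
    path must leave the target network via the Access Server's address."""
    fwd = lookup(server_table, target_host)
    rev = lookup(target_table, vpn_client)
    result = {
        "server_to_target": fwd is not None and fwd[1] == gateway,
        "target_to_vpn_client": rev is not None and rev[1] == as_ip,
    }
    result["symmetric"] = result["server_to_target"] and result["target_to_vpn_client"]
    return result


def demo():
    """Before: both sides fall through to their default route. After: the
    step-1 route on the server and the step-2 route on the gateway are added."""
    before = check_symmetric(SERVER_TABLE, GATEWAY_TABLE, VPN_CLIENT, TARGET_HOST,
                             EXTRA_GATEWAY, AS_IP)
    after = check_symmetric(SERVER_TABLE + [("192.168.50.0/24", EXTRA_GATEWAY)],
                            GATEWAY_TABLE + [("172.27.224.0/20", AS_IP)],
                            VPN_CLIENT, TARGET_HOST, EXTRA_GATEWAY, AS_IP)
    return before, after


if __name__ == "__main__":
    for label, r in zip(("before", "after"), demo()):
        print(label, r)
```

If you use NAT instead of routing (step 2, option 1), only the forward check applies, because replies are addressed to the Access Server's own IP and the target network needs no knowledge of the VPN client subnet.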

8. Why does OpenVPN use UDP and TCP?

OpenVPN uses UDP for optimal performance but supports TCP for compatibility with restrictive networks. TCP 443 is used to mimic HTTPS traffic, often allowed through firewalls.

9. What is TCP Meltdown?

TCP Meltdown occurs when TCP traffic is tunneled over TCP, causing performance issues due to overcompensating retransmissions. Use UDP for the tunnel to avoid this issue.

10. What is the OSI Layer model?

The OSI model describes network functions across seven layers. Access Server operates on Layer 3 (Network) by default, allowing routed traffic control. It can also operate in Layer 2 (Data Link) bridging mode if needed.

11. Why does Access Server have multiple network interfaces?

Multiple interfaces (e.g., as0t0, as0t1) are created to allow multiple OpenVPN daemons to run concurrently, improving performance on multi-core systems.

The OpenVPN 2 codebase operates on a single-thread, using one CPU core. To address this performance limitation on multi-core servers, Access Server spawns multiple daemons—one TCP and one UDP daemon per CPU core by default. A simple load-balancing system using iptables directs incoming VPN connections to the least loaded daemon.

Each daemon uses its own network interface, named as0t0, as0t1, etc., and receives a portion of the subnet defined in the Access Server settings. The system ensures seamless communication between clients connected to different daemons by routing traffic through the operating system’s routing table.

12. Why is the subnet smaller than I specified?

Each OpenVPN daemon requires its own subnet, so the total subnet is divided among the daemons.
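The effect on capacity is easiest to see with numbers. The example below, added here and not taken from Access Server's code, divides a configured VPN subnet into one equal, power-of-two aligned piece per daemon (an assumption about the split; the page only says each daemon receives a portion) and also works the calculation backwards to size a subnet for a given client count. The interface names as0t0, as0t1, ... follow the naming described above; the reserve of three addresses per piece (network, broadcast and the daemon's own tunnel address) is an assumption for the sizing estimate.

```python
"""Divide a VPN subnet among OpenVPN daemons and size a subnet for a client
count (added example, not OpenVPN's code). Assumes equal, power-of-two
aligned pieces and three reserved addresses per piece."""
import math
from ipaddress import ip_network

RESERVED_PER_PIECE = 3   # assumption: network, broadcast, daemon's own address


def split_for_daemons(subnet: str, daemons: int):
    """Return [(interface name, per-daemon subnet), ...] for the first
    `daemons` pieces of `subnet`."""
    net = ip_network(subnet)
    extra_bits = math.ceil(math.log2(daemons)) if daemons > 1 else 0
    pieces = net.subnets(prefixlen_diff=extra_bits)   # generator of equal pieces
    return [(f"as0t{i}", piece) for i, piece in zip(range(daemons), pieces)]


def clients_per_daemon(subnet: str, daemons: int) -> int:
    """Estimated concurrent clients each daemon can address."""
    piece = split_for_daemons(subnet, daemons)[0][1]
    return max(piece.num_addresses - RESERVED_PER_PIECE, 0)


def prefix_for_clients(clients: int, daemons: int) -> int:
    """Smallest IPv4 prefix length whose per-daemon pieces each hold
    ceil(clients / daemons) clients plus the reserved addresses."""
    per_daemon = math.ceil(clients / daemons) + RESERVED_PER_PIECE
    host_bits = math.ceil(math.log2(per_daemon))
    piece_prefix = 32 - host_bits
    extra_bits = math.ceil(math.log2(daemons)) if daemons > 1 else 0
    return piece_prefix - extra_bits


if __name__ == "__main__":
    # Constructed example: a /20 shared by two cores (one TCP + one UDP daemon each).
    for name, piece in split_for_daemons("172.27.224.0/20", 4):
        print(name, piece, piece.num_addresses, "addresses")
    print("clients per daemon:", clients_per_daemon("172.27.224.0/20", 4))
    print("prefix for 1000 clients on 4 daemons: /%d" % prefix_for_clients(1000, 4))
```

Note that a daemon count that is not a power of two (for example six daemons on three cores) leaves some pieces of the split unused, which is another reason the usable address count is lower than the subnet size suggests.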

13. Can I run Access Server on a Raspberry Pi?

Yes, refer to the Raspberry Pi installation topic.

14. How can I reach VPN clients from my network?

For direct access, disable NAT and use routing, ensuring the private network knows the VPN client subnet's gateway address. More details are available in this tutorial: Reach OpenVPN Clients Directly from a Private Network.

15. What are SSL web certificates, and how do they work?

SSL certificates secure web traffic and verify server identity. They use a public-private key pair and are issued by trusted certificate authorities. For more details, see our SSL certificate topic.