VMWare ESXi Virtual Appliance Quick Start Guide

We deliver Access Server for VMware ESXi as an OVA archive file that can be deployed on ESXi.

The Access Server ESXi appliance is based on Ubuntu 22.04 LTS.
The appliance includes ESXi-compatible guest support software.
It is preconfigured for 2GB of RAM, 50GB disk, and 2 vCPUs.
The appliance is delivered as an open virtual appliance (OVA).
Requires ESXi 6.5 or newer (virtual hardware version 13).

This guide provides the steps to deploy the open virtual appliance (OVA) on an ESXi hypervisor server and then start using the Access Server web interface.

Notice

Other virtualization solutions that support OVA may also work but we haven't tested them and can't guarantee they'll function properly.

Download the Access Server open virtual appliance (OVA)

Follow the steps below to download the Access Server ESXi OVA file that can be deployed on your ESXi server.

Sign in to the Access Server portal on our website. If you don't have a free account, create one.
Click Get Access Server > Virtual Appliance > VMWare ESXi.
Click the download button, Download OVA.
Download the OVA file.

Note

The OVA already includes the open-source VM tools package to respond to shutdown/restart commands from the hypervisor.

Deployment using the VMWare ESXi web interface

Below is a series of screenshots of a typical deployment process on an ESXi server. These are based on ESXi 6.5. If you have a newer version the process may be slightly different.

Right-click Host and select Create/Register VM:

Click Deploy a virtual machine from an OVF or OVA file and click Next:

Enter a friendly name for the VM then select the OVA file and click Next:

Select the datastore to deploy the appliance on and click Next:

Select the VM network to connect the appliance and click Next:

Confirm settings and click Finish to start deployment:

Wait for the deployment task to complete:

After finishing the task, look up the VM and open the virtual console:

Configure your Access Server

The next step is signing into the appliance console and configuring Access Server.

You can access the console directly from Hyper-V Manager, or you can connect via SSH and use these credentials:
- Username: root
- Password: openvpnas
Walk through the setup wizard until your Access Server's web interface addresses and login credentials display at the end.
Set the correct time zone for your appliance deployment with this command:
- dpkg-reconfigure tzdata
Expand the section below for configuration details.

Important

We recommend setting a static IP address. Refer to Set A Static IP Address On An Ubuntu 18 Or Newer System.

Finish Access Server configuration

Now that you've installed Access Server, follow these next steps.

Find the URLs for your web server

When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.

+++++++++++++++++++++++++++++++++++++++++++++++ 
Access Server 2.14.0 has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log

Access Server Web UIs are available here:
Admin UI: https://198.51.100.130:943/admin
Client UI: https://198.51.100.130:943 
Login as "openvpn" with "RR4ImyhwbFFq" to continue
(password can be changed on Admin UI)
+++++++++++++++++++++++++++++++++++++++++++++++

Admin UI

The Admin UI is the web-based GUI for managing your Access Server. We refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/.

When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts.

Client UI

The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example.

Tip

The web services run on port TCP 943, by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out.

First time signing into the Admin Web UI

Administrative User

For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.

On Access Server versions older than 2.9, you must manually set the password for the openvpn user with this command:

passwd openvpn

You can now open a browser and enter your Admin Web UI address.

Invalid Certificate

Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.

By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.

Activating a subscription

The first time you sign into the Admin Web UI, Access Server displays the Activation page so you can easily get an activation key:

Click Get Activation Key.
- This takes you to the Access Server portal.
Sign in with your openvpn.com account if needed.
Click Activation Keys.
Click Purchase A New Key.
Select the number of concurrent connections for your subscription.
- For a free subscription with two connections, select the free option.
- For five or more connections, select the standard option.
Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.
Return to your Admin Web UI.
Paste the subscription key in the text field.
Click Activate.

Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on the Access Server portal by clicking Access Server Information.

Setting up a hostname

We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.

Refer to Setting up your Access Server Hostname and follow the steps.

Setting up authentication

Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.

Access ServerAccess Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer to Access Server’s User Authentication System for more information.

First time connecting to the VPN server

With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.

Option to connect	Procedure
Download a bundled VPN client to connect	A user follows these steps to download a pre-configured OpenVPN Connect app: Navigate to the Client Web UI in a browser. Sign in with user credentials. Choose the OpenVPN Connect app for their operating system. After it downloads, install the software. Open the app and click on the connection profile. The user connects to Access Server.
Download a connection profile	A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect: Navigate to the Client Web UI in a browser. Sign in with their user credentials. Click on the link under Available Connection Profiles. After the connection profile downloads, upload the file to a VPN client.
Admin provides users with ways to connect	Alternatively, as an admin, you can use these ways to connect your users: Have your users install OpenVPN Connect from our website, then download a connection profile from the Admin Web UI and distribute it to users. Create an OpenVPN Connect installer from the Access Server command-line interface and distribute it to users.

Tip

Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.

Additional security improvement steps

We recommend the following steps to improve your security and detail each step below:

Change the password for the root user (console and SSH access for the root user is enabled by default).
Change the password for the Admin Web UI.
Perform software updates periodically.

Change the root user password

Ensure you change the default root password to one of your choosing.

Connect to the appliance and sign in as the root user.
Enter this command to change the root user password:
- passwd

Change the web interface account password

Change the initial password for the Admin Web UI:

Sign in to the Admin Web UI.
Click User Management > User Permissions.
Click More Settings for the administrative user.
Enter a new password in the Local Password field.
Click Save Settings and Update Running Server.

Update the Access Server appliance

The virtual appliance is delivered as a starting point that you should update to get the latest security patches and Access Server release.

Sign in to the Access Server appliance console as a root user.
Run these commands one at a time:
- apt update
- apt upgrade
- apt upgrade openvpn-as
We recommend that you reboot the appliance after installing updates to ensure they apply correctly.

Troubleshooting

Check these subsections if you need help.

Problems after adding a second network interface

We have encountered problems with using VMXNET2/3 type network interfaces so the appliance comes configured with an E1000 interface. When adding a second network interface you should make this an E1000 interface as well, to avoid unexpected reordering of network interface names.

IndexError: list index out of range

If you receive the error message, "IndexError: list index out of range," your appliance is deployed on a network without a DHCP service to assign a valid IP address. To resolve this, set a static IP address. You can then sign into the appliance again and restart the wizard.

Why doesn't my virtual machine have internet access?

There can be a couple of reasons for this. First, ensure that the virtual network switch that the VM is attached to is correctly configured and gives access to the Internet.

If an IP is assigned to your ESXi hypervisor but not to the virtual machine you may have a firewall blocking DHCP requests, or you may be on a network that does not do DHCP. In that case, setting a static IP on the appliance may solve this problem.

In some networks, you may need to allow the ESXi hypervisor host to communicate with the network with the ability to spoof MAC addresses. That is because the virtual machines need their own MAC addresses to participate in the network, but both the ESXi hypervisor host network traffic and the virtual machine traffic may be going out through the same ESXi hypervisor host’s network card.

In this section: