VMware ESXI VPN Server Appliance Quick Start Guide
How to deploy an open virtual appliance (OVA) on an ESXi hypervisor server and then start using the Access Server VPN web interface.
We deliver Access Server for VMware ESXi as an OVA archive file that can be deployed on ESXi.
The Access Server ESXi appliance is based on Ubuntu 22.04 LTS.
The appliance includes ESXi-compatible guest support software.
It is preconfigured for 2GB of RAM, 50GB disk, and 2 vCPUs.
The appliance is delivered as an open virtual appliance (OVA).
Requires ESXi 6.5 or newer (virtual hardware version 13).
This guide provides the steps to deploy the open virtual appliance (OVA) on an ESXi hypervisor server and then start using the Access Server web interface.
Notice
Other virtualization solutions that support OVA may also work but we haven't tested them and can't guarantee they'll function properly.
Follow the steps below to download the Access Server ESXi OVA file that can be deployed on your ESXi server.
Sign in to the Access Server portal on our website. If you don't have a free account, create one.
Click Get Access Server > Virtual Appliance > VMWare ESXi.
Click the download button, Download OVA.
Download the OVA file.
Note
The OVA already includes the open-source VM tools package to respond to shutdown/restart commands from the hypervisor.
Below is a series of screenshots of a typical deployment process on an ESXi server. These are based on ESXi 6.5. If you have a newer version the process may be slightly different.
Sign in to the VMWare ESXi web interface:
Right-click Host and select Create/Register VM:
Click Deploy a virtual machine from an OVF or OVA file and click Next:
Enter a friendly name for the VM then select the OVA file and click Next:
Select the datastore to deploy the appliance on and click Next:
Select the VM network to connect the appliance and click Next:
Confirm settings and click Finish to start deployment:
Wait for the deployment task to complete:
After finishing the task, look up the VM and open the virtual console:
The next step is signing into the appliance console and configuring Access Server.
You can access the console directly from the ESXi web interface, or you can connect via SSH and use these credentials:
Username: root
Password: openvpnas
Walk through the setup wizard until your Access Server's web interface addresses and login credentials display at the end.
Set the correct time zone for your appliance deployment with this command:
dpkg-reconfigure tzdata
Expand the section below for configuration details.
Important
We recommend setting a static IP address. Refer to Set A Static IP Address On An Ubuntu System.
Now that you've installed Access Server, follow these next steps.
When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.
Admin UI | The Admin UI is the web-based GUI for managing your Access Server. We refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/. When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts. |
Client UI | The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example. TipThe web services run on port TCP 943, by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out. |
Administrative User
For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.
On Access Server versions older than 2.9, you must manually set the password for the openvpn user with this command:
passwd openvpn
You can now open a browser and enter your Admin Web UI address.
Invalid Certificate
Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.
By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.
The first time you sign into the Admin Web UI, Access Server displays the Activation page so you can easily get an activation key:
Click Get Activation Key.
This takes you to the Access Server portal.
Sign in with your openvpn.com account if needed.
Click Activation Keys.
Click Purchase A New Key.
Select the number of concurrent connections for your subscription.
For a free subscription with two connections, select the free option.
For five or more connections, select the standard option.
Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.
Return to your Admin Web UI.
Paste the subscription key in the text field.
Click Activate.
Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on the Access Server portal by clicking Access Server Information.
We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.
Refer to Hostname and follow the steps.
Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.
Access ServerAccess Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer to Authentication System for more information.
With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.
Option to connect | Procedure |
---|---|
Download a bundled VPN client to connect | A user follows these steps to download a pre-configured OpenVPN Connect app:
|
Download a connection profile | A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect:
|
Admin provides users with ways to connect | Alternatively, as an admin, you can use these ways to connect your users:
|
Tip
Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.
We recommend the following steps to improve your security and detail each step below:
Change the password for the root user (console and SSH access for the root user is enabled by default).
Change the password for the Admin Web UI.
Perform software updates periodically.
Ensure you change the default root password to one of your choosing.
Connect to the appliance and sign in as the root user.
Enter this command to change the root user password:
passwd
Change the initial password for the Admin Web UI:
Sign in to the Admin Web UI.
Click User Management > User Permissions.
Click More Settings for the administrative user.
Enter a new password in the Local Password field.
The virtual appliance is delivered as a starting point that you should update to get the latest security patches and Access Server release.
Sign in to the Access Server appliance console as a root user.
Run these commands one at a time:
apt update
apt upgrade
apt upgrade openvpn-as
We recommend that you reboot the appliance after installing updates to ensure they apply correctly.
Check these subsections if you need help.
We have encountered problems with using VMXNET2/3 type network interfaces so the appliance comes configured with an E1000 interface. When adding a second network interface you should make this an E1000 interface as well, to avoid unexpected reordering of network interface names.
If you receive the error message, "IndexError: list index out of range," your appliance is deployed on a network without a DHCP service to assign a valid IP address. To resolve this, set a static IP address. You can then sign into the appliance again and restart the wizard.
There can be a couple of reasons for this. First, ensure that the virtual network switch that the VM is attached to is correctly configured and gives access to the Internet.
If an IP is assigned to your ESXi hypervisor but not to the virtual machine you may have a firewall blocking DHCP requests, or you may be on a network that does not do DHCP. In that case, setting a static IP on the appliance may solve this problem.
In some networks, you may need to allow the ESXi hypervisor host to communicate with the network with the ability to spoof MAC addresses. That is because the virtual machines need their own MAC addresses to participate in the network, but both the ESXi hypervisor host network traffic and the virtual machine traffic may be going out through the same ESXi hypervisor host’s network card.