
Microsoft Hyper-V Virtual Appliance Quick Start Guide

We deliver Access Server for Microsoft Hyper-V as a downloadable disk image that can be deployed on Hyper-V.

  1. The Access Server Hyper-V appliance is based on Ubuntu 22.04 LTS.

  2. The appliance includes Hyper-V guest support software.

  3. We advise setting a minimum of 1GB of RAM for the virtual machine.

  4. The appliance is delivered as a disk image to be attached to a new VM.

  5. You must use a Generation 2 type VM with secure boot disabled.

This guide provides the steps to download the virtual hard disk (VHD) file, create a new virtual machine with the Hyper-V Manager, attach the VHD, and then get started with the Access Server web interface.

Follow the steps below to download the Access Server Hyper-V .zip file, and unpack the .vhdx file inside to a suitable location for storing virtual machine hard disk images.

  1. Sign in to the Access Server portal. If you don't have a free account, create one.

  2. Click Get Access Server > Virtual Appliance > Microsoft Hyper-V.

  3. Click the download button.

  4. Extract the zip file.

    Tip

    We recommend extracting it to a file location where you keep your VHD images.

Important

The VHD already includes the open-source VM tools package to respond to shutdown/restart commands from the hypervisor.

Once you've downloaded the VHD, you can create a generation 2 type virtual machine (VM).

  1. Launch Hyper-V Manager.

  2. Ensure that Hyper-V has an external virtual network switch.

  3. Select to create a Generation 2 type virtual machine.

  4. Give this new VM at least 1GB of RAM.

  5. For the network interface select the external virtual network switch.

  6. For the virtual hard disk, choose Use an existing hard disk.

  7. Select the .vhdx file extracted earlier.

  8. Then complete the wizard.

  9. Edit the settings of the new VM and uncheck Enable secure boot.

  10. You can now start the VM and connect to the console.

Tip

The Enable secure boot option can be turned off under the Security section or the Firmware section, depending on your Hyper-V version. Refer to Microsoft's documentation for Hyper-V virtual machines if needed.

The next step is signing into the appliance console and configuring Access Server.

  1. You can access the console directly from the ESXi web interface, or you can connect via SSH and use these credentials:

    • Username: root

    • Password: openvpnas

  2. Walk through the setup wizard until your Access Server's web interface addresses and login credentials display at the end.

  3. Set the correct time zone for your appliance deployment with this command:

    • dpkg-reconfigure tzdata

  4. Expand the section below for configuration details.

Important

We recommend setting a static IP address. Refer to Set a static IP address on an Ubuntu system.

Now that you've installed Access Server, follow these next steps.

When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.

Admin UI

The Admin UI is the web-based GUI for managing your Access Server. We refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/.

When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts.

Client UI

The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example.

Tip

The web services run on port TCP 943, by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out.

Administrative User

For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.

On Access Server versions older than 2.9, you must manually set the password for the openvpn user with this command:

passwd openvpn

You can now open a browser and enter your Admin Web UI address.

Invalid Certificate

Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.

By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.
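After you replace the certificate, you can confirm that the web interface no longer serves a self-signed one. The script below is an added example, not part of the original guide or of Access Server; it assumes the openssl command-line tool is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tell whether a PEM certificate is self-signed.

# Save the certificate served at host:port to a file (needs network access).
fetch_cert() {  # usage: fetch_cert <host> <port> <out.pem>
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$3"
}

# Return 0 if the certificate is self-signed: issuer name equals subject name
# AND the signature verifies against the certificate's own public key.
# Return 1 if it was issued by someone else, 2 if the file cannot be parsed.
cert_is_self_signed() {  # usage: cert_is_self_signed <cert.pem>
    subject="$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)" || return 2
    issuer="$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)" || return 2
    [ "$subject" = "$issuer" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# One-line summary for an audit report.
describe_cert() {  # usage: describe_cert <cert.pem>
    if cert_is_self_signed "$1"; then
        echo "self-signed"
    else
        echo "issued by: $(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')"
    fi
}

# Example against the default web service port from this guide:
#   fetch_cert 192.168.70.222 943 /tmp/as.pem && describe_cert /tmp/as.pem
```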

The first time you sign into the Admin Web UI, Access Server displays the Activation page so you can easily get an activation key:

  1. Click Get Activation Key.

    • This takes you to the Access Server portal.

  2. Sign in with your openvpn.com account if needed.

  3. Click Activation Keys.

  4. Click Purchase A New Key.

  5. Select the number of concurrent connections for your subscription.

    • For a free subscription with two connections, select the free option.

    • For five or more connections, select the standard option.

  6. Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.

  7. Return to your Admin Web UI.

  8. Paste the subscription key in the text field.

  9. Click Activate.

Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on the Access Server portal by clicking Access Server Information.

We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.

Refer to Setting up your Access Server Hostname and follow the steps.

Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.

Access Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer to Access Server’s User Authentication System for more information.

With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.

Option to connect

Procedure

Download a bundled VPN client to connect

A user follows these steps to download a pre-configured OpenVPN Connect app:

  1. Navigate to the Client Web UI in a browser.

  2. Sign in with user credentials.

  3. Choose the OpenVPN Connect app for their operating system.

  4. After it downloads, install the software.

  5. Open the app and click on the connection profile.

    • The user connects to Access Server.

Download a connection profile

A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect:

  1. Navigate to the Client Web UI in a browser.

  2. Sign in with their user credentials.

  3. Click on the link under Available Connection Profiles.

  4. After the connection profile downloads, upload the file to a VPN client.

Admin provides users with ways to connect

Alternatively, as an admin, you can use these ways to connect your users:

  1. Have your users install OpenVPN Connect from our website, then download a connection profile from the Admin Web UI and distribute it to users.

  2. Create an OpenVPN Connect installer from the Access Server command-line interface and distribute it to users.

Tip

Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.

We recommend the following steps to improve your security. Each step is detailed below:

  • Change the password for the root user (console and SSH access for the root user is enabled by default).

  • Change the password for the Admin Web UI.

  • Perform software updates periodically.

Ensure you change the default root password to one of your choosing.

  1. Connect to the appliance and sign in as the root user.

  2. Enter this command to change the root user password:

    • passwd

Change the initial password for the Admin Web UI:

  1. Sign in to the Admin Web UI.

  2. Click User Management > User Permissions.

  3. Click More Settings for the administrative user.

  4. Enter a new password in the Local Password field.

The virtual appliance is delivered as a starting point that you should update to get the latest security patches and Access Server release.

  1. Sign in to the Access Server appliance console as a root user.

  2. Run these commands one at a time:

    • apt update

    • apt upgrade

    • apt upgrade openvpn-as

  3. We recommend that you reboot the appliance after installing updates to ensure they apply correctly.

Check these subsections if you need help.

If you receive the error message, "IndexError: list index out of range," your appliance is deployed on a network without a DHCP service to assign a valid IP address. To resolve this, set a static IP address. You can then sign into the appliance again and restart the wizard.

This is normal behavior due to how the underlying operating system interacts with Hyper-V; this doesn't signify a defect. Your appliance works as expected.

There can be a couple of reasons for this. First, ensure you create an external virtual switch and that the VM is attached to this. You can do this from Hyper-V Manager.

If an IP is assigned to your Hyper-V host system but not to the virtual machine you may have a firewall blocking DHCP requests, or you may be on a network that does not do DHCP. In that case, setting a static IP on the appliance may solve this problem.

In some networks, you may need to allow the Hyper-V host to communicate with the network with the ability to spoof MAC addresses. That is because the virtual machines need their own MAC addresses to participate in the network, but both the Hyper-V host network traffic and the virtual machine traffic go out through the same Hyper-V host’s network card.

You may have left secure boot on by default. It must be disabled for the Access Server appliance. Depending on your Hyper-V version, you can find this in the VM settings under the Firmware or Security section. You can uncheck Enable secure boot there.

Another possibility is that you are using a generation 1 virtual machine. This is not supported. In this case, create a new virtual machine of generation 2 type, as you can't change the type after creation.

If you see read failure kernel messages complaining about an inability to read data from /dev/sr0, resolve this by either removing any virtual CD/DVD drive from the VM, or attaching an ISO image to that drive. If the error message is about a device other than /dev/sr0, please contact us for advice.

This is a one-time error message during initial startup just before the SSH host keys are automatically generated. Afterward, the SSH service functions normally.