IBM VPN Server Setup & Quick Start Guide

Abstract

The IBM Cloud VPN lets you quickly launch Access Server to get your VPN server up and running. Here's how.

Access Server provides an IBM Cloud VPN that you can get up and running within minutes.

Working with IBM Cloud, you choose from one of their services to run on virtualized hardware. By using the Access Server offering in their marketplace, you can launch a VPN hosted in the cloud with the following benefits:

Read on for your guide to getting started with your VPN server on the web.

Before you start

You need an SSH key to launch the VPC. You'll use this key to connect to the VPC's virtual console to complete Access Server's installation. To create the key:

Sign in to IBM Cloud.
Expand the navigation menu and click Infrastructure > Compute > SSH keys.
Click Create.
Fill out your details for the key and click Create.

Launch the VPC

To get started:

Find the Access Server option in the IBM Cloud catalog.
Sign in to the IBM Cloud account.
On the product details page, select the Product version.
Set up the Name, Location, Resource group, and Tags.

Define the required values:

Parameter	Description	Value
instance_profile	VM size and family profile (e.g., cx2-2x4).	Refer to IBM documentation for instance profiles information. Default: `cx2-2x4`.
region	IBM Cloud region name.	Select your region from the drop-down menu.
region_zone	Availability zone name within the specified region.	The availability zone within the region you selected.
ssh_public_key	Pre-created SSH public key name for instance access.	Enter your SSH public key's name created at the start.
prefix	Prefix added to the name of all resources that will be created.	Use a unique prefix for each new resource (like VPC, subnet, security group, gateway, floating, IP, etc.). Default: `openvpn-as`. Tip If you want to create one or more Access Server in the same region and zone with existing VPCs, use a unique `prefix` to avoid creating resources with the same names.

Define any optional variables you want:

Parameter	Description	Value
dns_domain_name	DNS domain name (e.g., example.com).	Define this if you will manage DNS on IBM.
dns_entry_name	DNS entry name (e.g., www).	Define this if you will manage DNS on IBM.
dns_responsible_person	Email address of the responsible person for the DNS entry	Define this if you will manage DNS on IBM.
vpc_existing_name	The name of the existing VPC to use.	Define this to launch an image on an existing VPC.

Check the license agreement and click Install.
After the cart is created successfully and the terraform commands run, you can push Generate plan to estimate costs.
Run Apply plan to create all needed resources.

Sign in to the Admin Web UI for the first time

Once the new image is launched, you can view all the needed info about it:

Expand the navigation menu.
Click Infrastructure > Compute > Virtual server instances.
The new instance details are displayed, such as name, status, and IP address.
Check the other created resources in these locations under Network:
- VPC
- Subnet
- Security groups
- Public Gateway
- Floating IP
Use the floating IP address to connect via terminal:
```
ssh -i /path/to/your/key.pem root@<floating_ip>
```

Find the temporary password you'll need to sign in to the Admin Web UI:

cat /usr/local/openvpn_as/init.log | grep -i '"openvpn" account with .* password'

Change host.name to be public facing so you can access it for signing in:

sacli ip  #check the public IP of the server
sacli -k "host.name" -v "PUBLIC_IP" configput
sacli start

Access The Admin Web UI via these URLs:
- Admin Web UI: https://PUBLIC_IP:943/admin
- Client Web UI: https://PUBLIC_IP:943/
You can now follow additional steps here: First-time setup.

Purchase and activate a subscription

You can start right away with two simultaneous connections to your VPN server. To add more connections, purchase a subscription from our site and activate it using the Admin Web UI: Subscription Activation.

Change default time zone

The default time zone may not be the time zone that you're in. If you are in a different time zone, you can change this setting by running this command, then choose your appropriate time zone:

sudo dpkg-reconfigure tzdata

Install NTP client for automatic time synchronization

We recommend installing the NTP client to keep the time synchronized, but it's especially important for those that plan on using multi-factor authentication with TOTP. Run this command:

apt-get install ntp

Update operating system software

We recommend updating your Linux OS. From the time we've generated the appliance and you've downloaded and are using it, there are likely a number of updates. To make sure your appliance OS is up to date, execute the following commands:

sudo apt-get update
sudo apt-get upgrade

Further Security Recommendations

Additional Security Steps You Can Take After Installation

We recommend you follow the tutorials below to improve your Access Server security after installation.

Note

Not every tutorial will apply to your installation. Follow the ones that do.

Increase security with these tutorials:

Tutorial: How to Secure the Root User Account on a Virtual Appliance — This tutorial applies to ESXi or Hyper-V appliances.
Tutorial: Keep Access Server Updated — We recommend everyone runs the latest Access Server version.
Tutorial: How to Replace the Legacy openvpn Administrative Account — This tutorial is for sysadmins upgrading from an older Access Server version.
Tutorial: How to Change the Password for Your New Administrative Account — This tutorial is for new installations with a temporary password.
Tutorial: How to Install a Valid Web SSL Certificate in Access Server — We recommend that everyone add a valid SSL certificate from a trusted CA.
Tutorial: Harden the Web Server Cipher Suite String — This is a security step where you can update the cipher suite string if you want.
Tutorial: How to Isolate Access Server's Web Services — This tutorial covers a narrow use case where you don't want the web UIs accessible online.

In this section: