Introduction
Thank you for choosing Access Server.
This manual provides information for the commercial Access Server's Admin Web UI, a web-based administration portal for configuring your VPN server, with or without Linux knowledge. You can download and install Access Server for free with a maximum of two simultaneous VPN connections.
Refer to our website for additional product information.
You can install Access Server on any supported Linux operating system. Refer to system requirements for the compatible operating systems.
Glossary of terms
We commonly use these terms listed below when referring to topics related to OpenVPN Access Server:
- Access Server
The software solution for your self-hosted OpenVPN server with integrated certificate management, internal and external authentication systems, and bundled client software.
The VPN server allows access to your network resources via an encrypted VPN tunnel using the OpenVPN tunnel.
- Admin Web UI
A web service running on Access Server which is used by the administrator to configure settings and manage user access.
- Client Web UI (CWS)
A web service running on Access Server which a user can access to obtain connection profiles and pre-configure OpenVPN Connect apps.
- Connection Profile
A file containing the required information for a VPN client to security connect to the OpenVPN server. It doesn't include user credentials.
- Multi-Factor Authentication (MFA)
Usually, a time-based one-time password (TOTP) generated on a separate user device that regularly changes.
A code required for authentication in addition to account name and password.
- OpenVPN Connect
A VPN client program available for Windows, macOS, Android, and iOS, that establishes the OpenVPN connection.
For Linux and other operating systems, there are open-source programs available.
- User
An account name in Access Server for authentication and access control.
The person using the solution to get access to resources.
- User Credentials
A set of account name and password for authenticating a user. This can optionally include MFA codes.
The ports below are default; you can change them from the Admin Web UI.
Service | Protocol | Default Port |
|---|---|---|
OpenVPN daemons | UDP | 1194 |
OpenVPN daemons | TCP | 443 (shared) |
Web services | TCP | 443 (shared) |
Web services | TCP | 943 |
Clustering API | TCP | 945 |
Below, we provide three commonly supported network configurations. Depending on your needs, these configurations may be good starting points. After deploying your VPN server, Access Server creates a VPN IP subnet for easy routing and grants further protection when you enable access to private networks.
Use your Access Server to set up secure access to your private network behind a firewall. With this configuration, you deploy the Access Server on your internal corporate network. Users outside the network gain access using the VPN. In this configuration, Access Server has one network interface to the private network.
Note
Other interfaces may be present on the system that aren't utilized by Access Server.
For this configuration, the internet gateway forwards TCP/UDP port traffic from the public-facing IP address to Access Server's private IP address. At least one TCP port (typically port 443) is forwarded. That port can carry both the VPN tunnel traffic and the web client server/Connect client traffic.
Use your Access Server on your internal corporate network with its own public IP address. Access Server communicates with clients outside the corporate network via its public IP interface. It uses another network interface to communicate with hosts on the private IP network and to propagate packets between VPN tunnels and the private network.
Use Access Server in a data center to create a virtual IP network to which all VPN clients can connect to communicate with services deployed on the server itself.
Accessing resources on a private network via Access Server
You can provide your users access to resources in your private network by establishing an OpenVPN tunnel from the user’s device to an Access Server installed on your private network. This is ideal for users away from the office who may need access to a shared NAS, network, databases, web servers, and more. Access Server, by default, integrates easily into your network by carrying out Source Network Address Translation (SNAT) on incoming packets.
Access Server within a private network with routing
Access Server provides access to connected VPN clients using NAT by default. This allows for easy integration into an existing private network. A limitation of NAT is that it is unidirectional. Communications initiated by the VPN clients to resources on your private network will be unimpeded, but to initiate communication directly from the private network to the VPN clients, you need to use routing. Refer to routing for an overview of configuring these settings.
Routed site-to-site-setup
You can connect two (or more) different networks together using a site-to-site setup with OpenVPN Access Server.
More use cases
We provide additional information about the following use cases: secure IoT communication, secure remote access, protecting access to SaaS, and enforcing zero trust access.
Refer to our getting started topic when you're ready.