Skip to main content

Official Raspberry Pi VPN Server with Access Server

Abstract

How to install Access Server on a Raspberry Pi single-board computer. Launch a VPN server with an easy, web-based management GUI.

You can install Access Server on a Raspberry Pi single-board computer. This quick start guide takes you through the steps to launch it. You can also use these steps as a reference for installing Access Server on other single-board computers on the ARM64 platform, such as Orange Pi or Rock Pi.

Tip

Access Server performance highly depends on your platform's CPU and network capabilities.

What's covered

  • How to create a bootable microSD card with Ubuntu Server 22.04.

  • How to install and launch Access Server.

  • How to sign in to the Admin Web UI.

  • How to connect VPN clients.

Before you begin

Access Server is available for Ubuntu 20.04 LTS ARM64, Ubuntu 22.04 LTS ARM64, and Ubuntu 24.04 LTS ARM64. Note that the Raspbian OS is not supported.

You'll need:

  1. A microSD card (8 GB or more recommended — 4 GB is possible).

  2. A computer with a microSD or an SD card drive and a microSD card adapter.

  3. A Raspberry Pi 5, Raspberry Pi 4, 400, or CM4 (A Raspberry Pi 3 will be fairly slow, and Raspberry Pi 2 and older can’t run 64-bit software and aren't compatible).

  4. Internet access.

  5. A monitor with an HDMI input (optional).

  6. A microHDMI-HDMI cable (optional).

  7. A USB keyboard (optional).

Step 1: Install the Ubuntu image on the SD card

Start by installing an Ubuntu image:

Warning

The steps given in the tutorial will erase all existing content on your microSD card. You can skip the tutorial if you already have Ubuntu 22.04 LTS ARM64 running on your Raspberry Pi board.

Step 2: Boot the Ubuntu server on the Raspberry Pi

Next, you'll boot the Ubuntu server. (Step 4 in the Ubuntu installation tutorial instructs you to “Boot Ubuntu Server.” This step 2 repeats some of that information.)

Refer to the appropriate section for your setup. You can choose between connecting directly with a keyboard and monitor or connecting to a headless server.

Option 1: Connect directly with a keyboard and monitor

  1. Before turning on your Raspberry Pi, ensure the keyboard is plugged in, and the monitor is connected using the mini-HDMI port.

  2. Insert the SD card into your Raspberry Pi and switch it on.

    • Watch the boot process on screen. Before signing in, you must wait for the cloud-init tool to complete its configuration during the first boot.

  3. Once cloud-init finishes, sign in using “ubuntu” as both the login ID and the password.

  4. At the prompt, change the password to something more secure.

Option 2: Connect remotely (headless)

  1. Insert the SD card into your Raspberry Pi and switch it on. To connect, you’ll need:

    1. The IP address of the Raspberry Pi on your local network.

    2. An SSH client.

  2. To determine the Raspberry Pi's IP address, look at your router’s DHCP client list to identify the device, or run the arp command to locate the device using its network interface MAC address.

    • On Ubuntu and macOS:

      arp -na | grep -i "[beginning of MAC address]"

    • On Windows:

      arp -a | findstr [beginning of MAC address]

  3. For the MAC address, depending on the Raspberry Pi version, you can try to use one of the following:

    • "b8"

    • "dc"

    • "e4"

  4. The output should return the IP address of your Raspberry Pi.

  5. Connect to your Raspberry Pi with an SSH session:

    • On Ubuntu and macOS, use the installed SSH client. Open a terminal and run the following command:

      ssh ubuntu@[Raspberry Pi IP address]

    • On Windows 10, if you don’t already have an SSH client, you can use PuTTY or OpenSSH. (The steps for PuTTY or bash are below.)

  6. Once connected, enter "ubuntu" for the login ID and the password.

  7. At the prompt, set a new password and then reconnect with the SSH command and the new password.

To connect with PuTTY:

  1. Open the PuTTY app.

  2. Enter the IP address of the Raspberry Pi in Host Name (or IP address).

  3. (Optional) Enter a name for the connection in Saved Sessions and click Save.

  4. Click Open.

  5. Read through the security prompt and click Yes to add the server host key to the registry cache.

To connect with bash (Ubuntu) on Windows:

  1. Open the bash app.

  2. Run the SSH command:

    ssh ubuntu@[Raspberry Pi IP address]

Step 3: Install Access Server

Set a time zone

First, you must set the time zone on your Raspberry Pi. The time and date on your server must be accurate for any certificate generation and verification and the time-based functionality of Google multi-factor authentication (MFA).

To set the date and time, run these commands with root privileges:

apt update
apt -y install tzdata
dpkg-reconfigure tzdata

Provide internet access

Access Server can function entirely within an environment without internet access. However, VPN clients cannot connect over the internet without such access. This document assumes you connect the Raspberry Pi to a private network with internet access through a router.

We recommend using a firewall with your network setup. Access Server requires ports TCP 443, TCP 943, TCP 945, and UDP 1194 to be forwarded from the public internet to the private IP address of the Access Server on your Raspberry Pi behind the firewall.

Install your Access Server package using the OpenVPN repository

Sign in to the Access Server portal on our site or create a new account to add the Access Server repository to your Raspberry Pi:

  1. Click Get Access Server.

  2. Click Linux Software Package.

  3. Click the Ubuntu icon.

  4. Choose Ubuntu 22, ARM64 from the drop-down.

  5. Install via repository with the commands provided.

After installing the openvpn-as package, the initial configuration runs. When it completes, take note of the Admin UI and Client UI addresses and the randomly generated password for your admin user, openvpn.

For more details, see Finish Access Server configuration.

Step 4: Sign in to the Admin Web UI

Use your Admin UI address to connect to the Admin Web UI. Typically, the Admin Web UI is located at the address of your Raspberry Pi with /admin/ appended, for example, https://192.0.2.222/admin/.

Enter the URL in a web browser and click through the security message. The security message appears because Access Server uses a self-signed certificate. Later, you can load your own valid certificate in the web interface.

Sign in with the openvpn user and password. After reading and accepting the EULA, the first screen is Activation, where you can paste your subscription key.

You can use up to two concurrent connections to test every Access Server feature for free.  Grab a free activation key from our website. Then, paste the key and click Activate. When you’re ready for more connections, increasing your connections on our site is easy, and the change reflects automatically on your Access Server.

The next step is to set up a fully qualified domain name (FQDN), such as vpn.example.com, which resolves to the public internet IP address of your Access Server. See Hostname.

Step 5: Connecting VPN clients

The final step is to connect VPN clients to your Raspberry Pi running Access Server. Download the pre-configured clients directly from the Access Server’s Client Web UI:

  1. Enter your server's IP address or FQDN into a web browser.

  2. Sign in as a user.

  3. Download and install the OpenVPN Connect app for your OS.

OpenVPN Connect is our free VPN client. Your Client Web UI provides pre-configured OpenVPN Connect apps to download. You can also download only a connection profile and import it into a VPN client such as OpenVPN Connect or any other compatible OpenVPN client program.

Once you download and install the app, open it and click the user profile to connect.

In this section: