Reset the Default openvpn Account Admin Access

The administrative account, which is by default called openvpn, may be either a bootstrap account in the operating system or an administrative account within Access Server's internal local authentication system. We recommend a local account, which has been the default since Access Server 2.10.

Important

If you are not currently using the latest version of Access Server, we recommend reading the notes on older versions in the section below.

Common openvpn account problems

These are common administrative user login problems:

  • Lost username or password.

  • The account is tied to a defunct external authentication system.

  • The account has the deny login flag set.

  • There is an MFA requirement, and the secret key is lost.

  • The account is (temporarily) locked after multiple failed logins.

Commands to reset the openvpn account

You can execute the following commands as the root user from the command-line interface (CLI) to create or reset the local administrator account using the username openvpn. They account for all of the above cases and should provide you with a local openvpn administrative account that you can use to sign in to the Admin Web UI.

//Create or reset the openvpn administrative local account with specified password

cd /usr/local/openvpn_as/scripts
./sacli --user "openvpn" --key "prop_superuser" --value "true" UserPropPut
./sacli --user "openvpn" --key "user_auth_type" --value "local" UserPropPut
./sacli --user "openvpn" --new_pass="<PASSWORD>" SetLocalPassword
./sacli start

//Disable the deny login flag and reset MFA if required for the account

./sacli --user "openvpn" --key "prop_deny" --value "false" UserPropPut
./sacli --user "openvpn" --key "prop_google_auth" UserPropDel
./sacli --user "openvpn" --lock 0 GoogleAuthRegen
./sacli start

//Reset the password lockout policy just in case it was triggered

./sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
./sacli start
sleep 2
./sacli --key "vpn.server.lockout_policy.reset_time" ConfigDel
./sacli start

Try signing in to the Admin Web UI again with openvpn and the specified password. If you still cannot sign in, read the details in the next section. For further assistance, you can contact us on our support ticket system.

Notes on older Access Server versions

The behavior of the openvpn admin account has changed from that of older versions. We recommend running the latest Access Server version. If you have an older version, refer to the notes here for help.

Also, some behavior changes can occur when upgrading, as covered here.

Access Server 2.9 and older

On Access Server 2.9 and older, the default openvpn administrative account is of the bootstrap account type specified in the as.conf file and exists in the operating system as a PAM authenticated user. This unique account type is automatically granted administrative login rights in Access Server, bypasses the post_auth script, bypasses MFA requirements, bypasses the password lockout policy, and always authenticates via PAM to the operating system.

We recommend that you upgrade your Access Server and move away from this type of bootstrap account. However, if you don't want to upgrade, you can edit the as.conf file to specify a bootstrap user and set the password in the operating system. You can then sign in to the Admin Web UI using that account.

To use the bootstrap account, the as.conf file must contain a line like this:

boot_pam_users.0=openvpn

//Reset the password on that account

passwd openvpn

//Restart the Access Server service for the changes to take effect

service openvpnas restart

For installations upgraded from Access Server 2.9 and older

The old bootstrap account converts to a regular admin account after upgrading an older Access Server to version 2.10 or newer. Bootstrap accounts defined in the as.conf file will be reset to authenticate via PAM using the user_auth_type user property each time Access Server starts up, so these accounts continue to sign in via PAM.

If you've upgraded from an older version to Access Server 2.10 or newer and still have a bootstrap user account, we recommend removing it and then using the commands above to reset the openvpn account as a local administrative account. To remove the bootstrap account, you can follow the steps below.

//Comment out the bootstrap openvpn account from the as.conf file

# boot_pam_users.0=openvpn

//Remove the bootstrap account from your operating system

deluser openvpn

//Restart the Access Server service for the changes to take effect

service openvpnas restart

If you're using other bootstrap accounts, you can handle them the same way.
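
To confirm that no bootstrap entries remain active after these steps, the following added example (not part of the original page and not OpenVPN's own tooling) lists every uncommented boot_pam_users.N line in an as.conf file. The function names and the sample content are hypothetical; pass the path to your own as.conf as the first argument.

```shell
#!/bin/sh
# Added example (not OpenVPN tooling): audit as.conf for active bootstrap accounts.
# Usage: sh audit_bootstrap.sh /path/to/as.conf   (no argument: uses a constructed sample)

# Print the user of every uncommented "boot_pam_users.N=<user>" line, one per line.
active_bootstrap_users() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out entry: inactive
        /^[ \t]*boot_pam_users\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")             # strip key and "="
            sub(/[ \t\r]+$/, "")                 # strip trailing whitespace or CR
            if ($0 != "") print
        }
    ' "$1"
}

# Report each active bootstrap user; return 1 if any remain, 0 if none, 2 on read error.
audit_bootstrap() {
    users=$(active_bootstrap_users "$1") || return 2
    if [ -z "$users" ]; then
        echo "OK: no active bootstrap accounts in $1"
        return 0
    fi
    for u in $users; do
        if id "$u" >/dev/null 2>&1; then os="OS account exists"
        else os="no OS account"; fi
        echo "ACTIVE: $u is reset to PAM authentication at each start ($os)"
    done
    return 1
}

# Constructed sample content; the padded line only exercises the parser's tolerance.
sample_conf() {
    printf '%s\n' \
        '# boot_pam_users.0=openvpn' \
        'boot_pam_users.1=legacyadmin' \
        '  boot_pam_users.2 = opsadmin  ' \
        'some.other.key=value'
}

if [ "$#" -gt 0 ]; then
    audit_bootstrap "$1"
else
    tmp=$(mktemp) && sample_conf > "$tmp"
    audit_bootstrap "$tmp" || true
    rm -f "$tmp"
fi
```

When given a path, the script exits non-zero while any bootstrap entry is still active, so it can be used as a check after the restart.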

Finally, go to the section at the top to ensure you have a local administrative openvpn account to sign in to the Admin Web UI.