Tutorial: How to Replace the Legacy openvpn Administrative Account

Abstract

Replace the legacy openvpn admin account from your updated Access Server to improve security. This tutorial steps you through.

Overview

Access Server 2.10 and older use a default, openvpn administrative account that exists in the operating system as a PAM authenticated user. This unique account type is automatically granted administrative login rights in Access Server, bypasses any post-auth scripts, bypasses MFA requirements, bypasses the password lockout policy, and always authenticates via PAM to the operating system. We recommend you upgrade to the latest Access Server version, remove this bootstrap openvpn account, and create a local administrative account. This results in a more secure administrative account that isn't in the operating system and adheres to MFA and lockout policies.

Tip

Even when you update an older Access Server to version 2.10 or newer, the bootstrap openvpn administrative account is retained. You must follow this tutorial to replace it with a local administrative account.

Prerequisites

An Access Server installation that started with a version older than 2.10.

Important

If you started with Access Server 2.10 and newer, the openvpn administrative account created is a locally authenticated administrative account, which is more secure than the bootstrap account. Thus, this tutorial doesn't apply to your Access Server installation.

Step 1: Update your Access Server version

Start by upgrading your Access Server to the latest version: Tutorial: Update Your Access Server Version.

Tip

Signing in to the Admin Web UI is an easy way to check your Access Server version. The version is displayed in the side navigation and on the status overview page.

Step 2: Delete the bootstrap account

The next step is to delete the bootstrap openvpn account. This account is also a bootstrap account specified in the as.conf file, in addition to being a user on the Linux operating system.

Sign on to your console or connect via SSH.
Edit the as.conf file:
```
nano /usr/local/openvpn_as/etc/as.conf
```
Comment out the bootstrap openvpn account. The line will look like this:
```
# boot_pam_users.0=openvpn
```
Save and exit.
Remove the bootstrap account from your operating system:
```
deluser openvpn
```
Restart the Access Server service for the changes to take effect:
```
service openvpnas restart
```

Tip

You may want to test this by attempting to sign in to your Admin Web UI with this account. You should no longer be able to authenticate.

Step 3: Create a local administrative account

Create a new local administrative account:

Run these commands to create a new openvpn local administrative account with a specified password:

cd /usr/local/openvpn_as/scripts
./sacli --user "openvpn"1 --key "prop_superuser" --value "true" UserPropPut
./sacli --user "openvpn" --key "user_auth_type" --value "local" UserPropPut
./sacli --user "openvpn" --new_pass=<PASSWORD>2 SetLocalPassword
./sacli start

1	This sets the username, openvpn. You can set a different name if you prefer.
2	This sets the password.

Step 4: Sign in to the Admin Web UI with the new account

You should now be able to sign in to the Admin Web UI with the new local administrative account and the specified password.

Open a web browser and navigate to the Admin Web UI.
Enter your new admin user's credentials.
- You should successfully sign in.

Tip

You can contact support for further assistance if you can't sign in.

In this section: