Tutorial: Change the Web Service Forwarding Settings
Access Server uses service forwarding to redirect web browser requests. This tutorial shows how to change this setting.
Overview
The OpenVPN TCP daemon and the web services are connected. This is done with service forwarding which internally redirects web browser requests made to the OpenVPN TCP daemon, running on the default HTTPS port TCP 443, to where the web services are actually running.
You have the option to disable service forwarding by following this tutorial.
Prerequisites:
An installed Access Server.
Console access and the ability to get root access.
A new Access Server installation includes the following default configurations:
The OpenVPN TCP daemon on port TCP 443.
The web services on port TCP 943.
The Client and Admin Web UIs available on the same port (with /admin for the Admin Web UI).
An internal, automatic redirection for web browser requests on TCP 443 to point to where the web services run.
Tip
This means you can find the web service at an example address like https://vpn.yourserver.com/ without specifying the port such as https://vpn.yourserver.com:943/.
Important
If you change the interface or port settings where the web services listen but leave service forwarding enabled, you can continue to access the web services on the interface and port where the OpenVPN TCP daemon is listening.
However, if you change settings related to where the OpenVPN TCP daemon is listening, you may lose connection to the web services, depending on your configuration, unless you include the interface and port in the URL.
Connect to the console and get root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Run your desired command based on the service forwarding you want to change:
Disable service forwarding for the Admin Web UI, but leave it enabled for the Client Web UI:
./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut
./sacli --key "vpn.server.port_share.service" --value "client" ConfigPut
./sacli start
Disable service forwarding for the Client Web UI, but leave it enabled for the Admin Web UI:
./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut
./sacli --key "vpn.server.port_share.service" --value "admin" ConfigPut
./sacli start
Tip
When you leave forwarding on for the Admin Web UI but disable it for the Client Web UI, you no longer need to append /admin to the URL, because the two UIs no longer share the same forwarded endpoint.
Disable service forwarding for both the Admin and Client Web UIs:
./sacli --key "vpn.server.port_share.enable" --value "false" ConfigPut
./sacli --key "vpn.server.port_share.service" --value "custom" ConfigPut
./sacli start
Enable service forwarding for both the Admin and Client Web UIs (default):
./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut
./sacli --key "vpn.server.port_share.service" --value "admin+client" ConfigPut
./sacli start
Configure a custom redirection — only works with IP addresses on the server itself, nothing external:
./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut
./sacli --key "vpn.server.port_share.service" --value "custom" ConfigPut
./sacli --key "vpn.server.port_share.ip_address" --value <LOCAL_IP> ConfigPut
./sacli --key "vpn.server.port_share.port" --value <PORT> ConfigPut
./sacli start
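The commands above differ only in the two (or four) keys they set, so it is easy to mistype a mode or point a custom redirection at an address that is not on the server. The following helper is an added example, not part of this tutorial or of Access Server itself: it maps a mode name to the key/value pairs shown above, refuses a custom target that is not a local address or a valid port, and prints the sacli commands as a dry run (set APPLY=1 to execute them from the scripts directory). It also covers the example use case of forwarding TCP 443 to a local web server by selecting the custom mode. The function names, the APPLY variable and the curl-based check at the end are this example's own; the keys, values and script path are the tutorial's.

```shell
#!/bin/sh
# Added example helper for the service forwarding keys shown in the tutorial.
# Not part of OpenVPN Access Server; function names and APPLY are assumptions.

SACLI_DIR=/usr/local/openvpn_as/scripts   # scripts directory from the tutorial

# Map a mode name to "<port_share.enable> <port_share.service>".
# Modes: admin+client (default), client, admin, off, custom.
port_share_values() {
    case "$1" in
        admin+client) echo "true admin+client" ;;
        client)       echo "true client" ;;
        admin)        echo "true admin" ;;
        off)          echo "false custom" ;;
        custom)       echo "true custom" ;;
        *)            return 1 ;;
    esac
}

# Custom redirection only works for addresses on this server. Loopback is
# always accepted; any other address must be present on a local interface
# (checked with `ip -o -4 addr show`; if `ip` is missing, only loopback passes).
is_local_ip() {
    case "$1" in
        127.*) return 0 ;;
    esac
    if command -v ip >/dev/null 2>&1; then
        if ip -o -4 addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | grep -qx "$1"; then
            return 0
        fi
    fi
    return 1
}

# Basic TCP port sanity check: digits only, 1-65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the sacli command lines for a mode, one per line.
# For custom, $2 is the local IP and $3 the port. Non-zero on bad input.
port_share_commands() {
    mode=$1; ip=$2; port=$3
    vals=$(port_share_values "$mode") || { echo "unknown mode: $mode" >&2; return 1; }
    set -- $vals   # $1 = enable value, $2 = service value
    printf '%s\n' "./sacli --key \"vpn.server.port_share.enable\" --value \"$1\" ConfigPut"
    printf '%s\n' "./sacli --key \"vpn.server.port_share.service\" --value \"$2\" ConfigPut"
    if [ "$mode" = custom ]; then
        is_local_ip "$ip" || { echo "refusing non-local target: $ip" >&2; return 1; }
        is_valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
        printf '%s\n' "./sacli --key \"vpn.server.port_share.ip_address\" --value \"$ip\" ConfigPut"
        printf '%s\n' "./sacli --key \"vpn.server.port_share.port\" --value \"$port\" ConfigPut"
    fi
    printf '%s\n' "./sacli start"
}

# Dry run by default; with APPLY=1 run the commands from the scripts directory.
apply_port_share() {
    cmds=$(port_share_commands "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        cd "$SACLI_DIR" || return 1
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

# After a change, report what answers on the forwarded port (443) and on the
# web services port (943). -k because the default certificate is self-signed.
check_web_ui() {
    for p in 443 943; do
        code=$(curl -sk -o /dev/null -w '%{http_code}' "https://127.0.0.1:$p/" || echo 000)
        echo "port $p -> HTTP $code"
    done
}

# Usage (dry run):
#   apply_port_share admin+client
#   apply_port_share custom 127.0.0.1 8443   # e.g. a local Nginx on 8443
```

Run it as a dry run first and compare the printed lines with the commands in this tutorial; only then set APPLY=1. An HTTP 000 from check_web_ui on port 443 after disabling forwarding is expected, since the OpenVPN TCP daemon no longer answers web requests there.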
Affecting server-locked profiles
If you make the Client Web UI completely unreachable for your users (such as by disabling service forwarding and blocking access to the port where the web services run, TCP 943), server-locked profiles will no longer work.
Users will receive a message about the XML-RPC interface being unreachable, and they can't authenticate and connect.
Ensure you keep the Client Web UI reachable for your users to use server-locked profiles.
Example use case
Using this tutorial, you might run the OpenVPN TCP daemon on port TCP 443, keep the Access Server web services on their standard port TCP 943, and at the same time serve pages from an Apache2 or Nginx web server (or another SSL-capable web server) through port TCP 443 via service forwarding. Technically, if you really wanted to, you could even make service forwarding reach an external address by using iptables to redirect a port on a local interface to an external system.