Using the Client Web UI
This section explains how to use the Client Web UI.
During Access Server installation, the administrator receives an output in the command-line interface that displays information about the Admin and Client Web UIs. This first output typically displays the IP address where the administrator can sign in and start configuring Access Server for their network.
Important
Some servers, such as AWS, Azure, Hyper-V, and VMware, may not display a public IP address in the console output.
You can find the Admin and Client Web UIs available at addresses formatted with the public IP address of the server in this way:
Admin Web UI: https://198.51.100.130/admin/
Client Web UI: https://198.51.100.130/
The IP address is the public-facing IP address of the server. 198.51.100.130 is our example IP address.
We recommend that the administrator set up a hostname to access the UIs. It's easier for users to sign in with a domain such as vpn.example.com than to use an IP address. Refer to our tutorial, Setting up your Access Server Hostname, and follow the steps.
Note
In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Ensure you replace them with valid IPv4 addresses and subnets for your network(s).
Access Server hosts the UIs with a self-signed certificate. This allows the administrator to sign in immediately after launching and use the Admin Web UI to configure their server.
However, the self-signed certificate causes web browsers to display security warnings. You can click through these warnings to access both the Admin and Client Web UIs, and we recommend that the administrator install valid SSL certificates using the Access Server Admin Web UI.
To sign in to the Client Web UI, follow these steps:
Open a browser window.
Enter the hostname or IP address for the Client Web UI.
Enter the appropriate username.
Enter the password.
Click Sign In.
What if you don't know your username?
If you don't know your username, you can contact your administrator. The username may depend on the authentication method used:
For local users, the administrator creates the users and manages them in the Admin Web UI. They provide users with their credentials.
For LDAP users, the administrator configures Access Server to authenticate against an LDAP server. You use the same credentials as you use for your LDAP identity provider.
For RADIUS users, the administrator configures Access Server to authenticate using a RADIUS server. You use the same credentials as the RADIUS identity provider.
For SAML users, refer to the next section.
What if you don't know your password?
If you don't know your password, you can contact your administrator for help.
When an administrator configures Access Server with SAML as an authentication method, the Client Web UI includes a button: Sign In via SAML.
Open a browser window.
Enter the hostname or IP address for the Client Web UI.
Click Sign In via SAML, and the browser redirects to the identity provider.
Sign in with the identity provider credentials.
After signing in, the user is connected to the Client Web UI.
When an administrator configures Access Server with the additional step using TOTP MFA, the Client Web UI displays the additional authentication steps.
TOTP MFA enrollment
The first time you sign in, follow these steps to enroll with a TOTP device or app:
Open a browser window.
Enter the hostname or IP address for the Client Web UI.
Enter the username.
Enter the password.
Click Sign in, and the TOTP enrollment window displays.
Scan the QR code or enter the enrollment code into a device or app compatible with TOTP MFA.
Once enrolled with the device or app, enter the 6-digit code the device or app provides.
Click Confirm Code.
You're signed in.
TOTP MFA authentication
After you've set up your TOTP device or app, you follow these steps to sign in:
Open a browser window.
Enter the hostname or IP address for the Client Web UI.
Enter the username.
Enter the password.
Click Sign in.
Enter your 6-digit code from your TOTP device or app.
Click Confirm Code.
You're signed in.
After the user signs in to the Client Web UI, they can download bundled OpenVPN Connect apps.
A bundled OpenVPN Connect app includes the OpenVPN Connect software and a connection profile specific to that user's permissions for their Access Server.
To download OpenVPN Connect apps:
After signing in, links display for OpenVPN Connect apps.
Click on the first icon to download OpenVPN Connect for the platform of the user's device.
Click the Windows icon to download OpenVPN Connect for Windows.
Click the mac icon to download OpenVPN Connect for macOS.
Click the Linux icon to open a web page with instructions on connecting to Access Server with the openvpn3 Linux client.
Click the Android icon to open a web page with instructions on connecting to Access Server with the Android app (available in the Google Play store).
Click the iOS icon to open a web page with instructions on connecting to Access Server with the iOS app (available in the Apple App store).
You can reset your password in the Client Web UI:
After signing in, scroll down to find the Change Password button.
Click the button.
Enter your current password.
Enter your new password.
Enter it again to confirm your new password.
Click Continue.
You've changed your password.
Tip
The administrator can enable password strength checking. If that's enabled, then your new password must meet the following requirements: it must be at least eight characters and must contain a digit, an uppercase letter, and a symbol from !@#$%^&'()+,-/[\]_{|}~<>.
If you don't see Change Password in the Client Web UI, the administrator has disabled the user's ability to change their password, or the user authenticates with LDAP, RADIUS, SAML, or PAM.
Change Password only displays for local authentication users.
On the Client Web UI, you can also download a connection profile. Then, you can import that profile into your VPN client, whether it's OpenVPN Connect or another compatible app.
The following connection profile types may be available:
User-locked: can only be used with credentials for that specific user.
Auto-login: does not require credentials to establish the VPN tunnel.
Server-locked: requires credentials for any valid user on the server.
Note
Refer to Connection Profiles for more information.
A connection profile may include TLS Crypt v2, which secures the control channel by using a unique key per connection profile to sign and verify packets.
Connection profiles contain unique private keys and client certificates. The latest versions of Access Server support multiple connection profiles for users.
An administrator can manage these user profiles from the Admin Web UI.
In the Client Web UI, users can manage their specific user profiles.
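Because a downloaded connection profile carries a private key, and an auto-login profile needs nothing else to connect, it helps to check what a profile file holds before storing or sharing it. The following is an added example, not code from Access Server: it relies only on standard OpenVPN profile syntax (inline <key>, <cert>, <tls-crypt-v2> blocks and the auth-user-pass directive), the sample profiles are constructed placeholders, and the "file_is_sole_factor" result is a heuristic rather than Access Server's own profile classification.

```python
import re

CONTROL_CHANNEL_TAGS = ("tls-crypt-v2", "tls-crypt", "tls-auth")
OPEN_TAG = re.compile(r"^<([a-z0-9-]+)>$")

def parse_profile(text):
    """Return (directives, inline_blocks) found in OpenVPN profile text."""
    directives, blocks, current = set(), set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:          # inside <tag>...</tag>: skip the body
            if line == f"</{current}>":
                current = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = OPEN_TAG.match(line)
        if m:
            current = m.group(1)
            blocks.add(current)
        else:
            directives.add(line.split()[0])
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks

def audit_profile(text):
    """Summarise the secret material and credential prompt in a profile."""
    directives, blocks = parse_profile(text)
    has_key = "key" in blocks
    asks_creds = "auth-user-pass" in directives
    return {
        "embedded_private_key": has_key,
        "embedded_client_cert": "cert" in blocks,
        "control_channel_key": next((t for t in CONTROL_CHANNEL_TAGS if t in blocks), None),
        "prompts_for_credentials": asks_creds,
        # Heuristic (assumption): a key with no credential prompt means that
        # possession of the file alone is enough to bring up the tunnel.
        "file_is_sole_factor": has_key and not asks_creds,
    }

def make_sample(extra_line):
    # Constructed sample profile; block bodies are placeholders, not real keys.
    tags = ("ca", "cert", "key", "tls-crypt-v2")
    body = "\n".join(f"<{t}>\n(placeholder)\n</{t}>" for t in tags)
    return f"client\nremote vpn.example.com 1194 udp\n{extra_line}\n{body}\n"

USER_LOCKED_SAMPLE = make_sample("auth-user-pass")
AUTOLOGIN_SAMPLE = make_sample("# no credential prompt in this profile")
```

A profile reported with "file_is_sole_factor" set should be stored like any other private key: readable only by its owner and kept out of e-mail, chat, and shared folders.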