Skip to main content

Quick Start: Deploy Access Server with Access Server Link

Abstract

Learn how to use Access Server Link in OpenVPN Access Server 3.2.0 to automate DNS, SSL, and remote access with a secure hostname and centralized management.

Overview

Access Server Link is a feature introduced in Access Server 3.2.0 that simplifies the deployment and management of OpenVPN Access Server on AWS, Azure, and GCP. Instead of manually configuring DNS records and SSL certificates, Access Server Link automates these steps and provides a stable, trusted URL for accessing your Admin and Client Web UI from day one.

Access Server Link benefits:Β 

  • A free, secure hostname (example: yourcompany.openvpn.com) with an automated SSL certificate β€” no manual SSL certificate setup required afterward.

  • A central place in the Access Server Hub to manage subscriptions and deployments.

  • Automatic DNS record updates if your server's public IP address changes.

  • Automatic reporting and status monitoring of your Access Server.

Note

VPN traffic isn't proxied through Access Server Link. VPN connections go directly to your Access Server via a separate VPN DNS record (example: def456.access-server.cloud).

Prerequisites

  • Access Server 3.2.0 or newer.

  • An active OpenVPN account. Create one if you don't have one yet.

  • An active account in one of the supported cloud providers: AWS, Azure, or GCP.

πŸ”‘ Purchase a subscription

  1. Sign in to your OpenVPN account and navigate to the Access Server product.

  2. Select one of the following:

    • Start 14-Day Free Trial: Enter the number of VPN connections you want (default is 10), provide billing information, and complete the trial setup. Billing begins after the 14-day trial ends.

    • Try Free Version: A free subscription with two VPN connections is created automatically. No billing information is required.

    • Existing subscription: Click Activation Keys to purchase an additional subscription or use an existing one.

πŸ“œ Claim your hostname in the Access Server Hub

  1. In the Access Server Hub, click Installation in the left panel.

  2. Under Launch faster With Access Server Link, enter your desired hostname (yourcompany). This becomes your Access Server Link URL for the Admin and Client Web UI (example: yourcompany.openvpn.com).

  3. Click Create Hostname and Continue.

    Note

    Your hostname is reserved exclusively for your account once claimed. It can't be used by anyone else.

  4. Under Select A Cloud Service Provider, AWS, Azure, or GCP, then follow the steps for your provider below.

πŸš€ Deploy on your cloud provider

βš™οΈ If you select AWS

  1. Select the nearest AWS region from the drop-down.

  2. Under Set Your Credentials > Password, enter a password for the openvpn user. You'll use this to sign in to the Admin Web UI after deployment.

  3. Click Confirm and Deploy on AWS.

    • You are directed to AWS CloudFormation.

  4. Complete the Quick create stack:

    Field

    Description

    Stack name

    Name for your CloudFormation stack. Default: openvpn-accessserver.

    ActivationKey

    Pre-populated with the AWS PAYG license key.

    VpcId

    Select the VPC for your instance.

    SubnetId

    Select a public subnet.

    InstanceName

    Name for the instance. Default: OpenVPNAccessServer.

    InstanceType

    Select an instance type. Default: t3.small.

    KeyName

    Select an existing EC2 key pair for SSH access.

  5. Acknowledge that AWS CloudFormation will create IAM resources, then click Create stack.

πŸ–₯️ Gather Admin Web UI info from stack output

Important

The system requires up to five minutes for complete initialization. Once initialization is complete, you can sign in successfully.

Once the stack completes, you can find your connection details for the Admin Web UI in the stack output.

Here's how to access the Admin Web UI after the stack is complete:

  1. On the CloudFormation status page, click the Outputs tab. One output is displayed:

    • AdminPortal: The Access Server Link URL to access the Admin Web UI (Example: https://yourcompany.openvpn.com/admin).

  2. Open your web browser and navigate to the Admin Web UI using the AdminPortal URL.

  3. Enter the username (openvpn) and the password created in the previous steps.

βš™οΈ If you select Azure

  1. Under Set Your Credentials > Password, enter a password for the openvpn user. You'll use this to sign in to the Admin Web UI after deployment.

  2. Click Confirm and Deploy on Azure.

    • You're directed to the Azure Custom deployment page.

  3. Complete the Custom deployment form:

    Field

    Description

    Subscription

    Select the Azure subscription where you'll be billed.

    Resource group

    Select an existing resource group where your instance, security groups, virtual networks, etc., will be deployed, or create a new one.

    Region

    Select the nearest Azure region.

    Virtual machine name

    Name for the instance. Default: OpenVPNAccessServer.

    Virtual machine size

    Select a VM size.

    Admin Username

    SSH username. Default: azureuser.

    SSH public key source

    Select an existing key pair, or create one.

    Virtual network

    Select your virtual network.

    Subnet

    Select your subnet.

  4. Click Review + create.

  5. Click Create.

πŸ–₯️ Gather Admin Web UI info from deployment output

Important

The system requires up to five minutes for complete initialization. Once initialization is complete, you can sign in successfully.

Once the deployment completes, you can find your connection details for the Admin Web UI in the Outputs tab.

Here's how to access the Admin Web UI after the deployment is complete:

  1. After the deployment is complete, click the Outputs tab. One output is displayed:

    • adminPortal: The Access Server Link URL to access the Admin Web UI (Example: https://yourcompany.openvpn.com/admin).

  2. Open your web browser and navigate to the Admin Web UI using the adminPortal URL.

  3. Enter the username (openvpn) and the password created in the previous steps.

βš™οΈ If you select GCP

  1. Select the nearest GCP region from the drop-down.

  2. Select your Google Project ID. Hover over the tooltip for help finding it.

  3. Under Set Your Credentials > Password, enter a password for the openvpn user. You'll use this to sign in to the Admin Web UI after deployment.

  4. Click Generate Deployment URL, and the Deployment URL will be generated.

  5. Copy the Deployment URL to your clipboard, and then click Confirm and Deploy.

    Important

    Before proceeding, copy and save your Deployment URL, Username, and Password from the confirmation prompt.

  6. Click Continue to GCP.

    • You're directed to Google Cloud Infrastructure Manager.

  7. Complete the deployment form:

    Field

    Description

    Deployment ID

    A unique name for this deployment within your project.

    Region

    Select the nearest GCP region.

    Service account

    Select your service account.

    Source of Terraform configuration

    Select GCS.

    Source *

    Paste the Deployment URL generated previously.

  8. Click Continue.

  9. Click Create deployment.

πŸ–₯️ Gather Admin Web UI info from deployment output

Important

The system requires up to five minutes for complete initialization. Once initialization is complete, you can sign in successfully.

Once the deployment completes, you can find your connection details for the Admin Web UI in the Outputs tab.

Here's how to access the Admin Web UI after the deployment is complete:

  1. After the deployment is completed, click the Outputs tab. The following values are displayed:

    • admin_url: The Access Server Link URL to access the Admin Web UI (Example: https://yourcompany.openvpn.com/admin).

    • admin_user: Username (openvpn) to access the Admin Web UI.

    • site_url: The Access Server Link URL to access the Client Web UI (Example: https://yourcompany.openvpn.com/).

  2. Open your web browser and navigate to the Admin Web UI using the admin_url URL.

  3. Enter the username (openvpn) and the password created in the previous steps.

βš™οΈ How Access Server Link works

When Access Server Link is enabled, your Access Server sends the following information to the Access Server Link backend in its status report:

  • Certificate Fingerprint

  • Node URL

  • Public IP address

  • Linux hostname

  • Admin Web UI Port

DNS records are kept up to date automatically. If your server's public IP address changes, the DNS record is updated within approximately 15-20 minutes.

The Admin and Client Web UI are reachable securely via your Access Server Link URL (yourcompany.openvpn.com), with identity verified by certificate fingerprint. VPN connections go directly to your Access Server via a separate VPN DNS record (example: def456.access-server.cloud). VPN traffic isn't proxied.

Note

The Node URL and VPN DNS Record follow this pattern: [32 random characters].access-server.cloud.

πŸ–±οΈ Verify Access Server Link

After deployment, confirm that Access Server Link is active and reporting correctly.

Status indicators

Status

Meaning

🟒 Operating normally

Everything is working correctly.

πŸ”΄ Errors found

Access Server Link is enabled, but a required configuration value (node identifier or subscription) is missing. The server cannot report its status.

🟑 Warnings found

Admin Web UI port and Client Web UI port are set to different values. The server is still reporting, but the proxy may only be able to reach the Admin Web UI.

From the Access Server Hub

  1. Go to the Access Server Hub and refresh the page to update the Access Server Link Status.

  2. Click My Access Servers in the left panel.

  3. Confirm that Server status shows 🟒 Online.

  4. Optionally, click Open Admin Web UI or Open Client Web UI to verify both are reachable.

From this page, you can see the following information:

Under Subscription Details:

  1. You can click Upgrade Subscription if you want to scale up your Subscription.

  2. Subscription Name: The name of your Subscription.

  3. Subscription ID: Subscription identifier.

  4. Connections in use: Number of VPN users connected to the Access Server.

Under Overview:

  1. Access Server URL: This is the Access Server Link URL.

  2. Mode: If you’re using Standalone or Cluster.

  3. Access Server version: Current version of your Access Server.

  4. Operating system: Access Server Linux operating system

Also, if you click View Server Details, you can see the following info:

  1. Node name: Instance hostname.

  2. Status: Access Server Link status.

  3. IP Address: Public IP of your instance.

  4. Node URL: Internal identifier used for API communication.

  5. Server ID: Unique identifier for this deployment.

  6. Connections: Number of VPN users connected to the Access Server.

  7. Last Seen: The last time that the Access Server Link backend checks the Access Server node.

From the Access Server Admin Web UI

  1. Sign in to the Access Server Admin Web UI using the Access Server Link URL.

  2. Go to Web Services β†’ Access Server Link.

  3. Confirm that Access Server Link is toggled On.

  4. Check that the Status shows 🟒 Operating normally.

From there, you can also check under Details:

  1. Admin Web UI URL: This is the Access Server Link URL used to log in to the Admin Web UI. Example: https://yourcompany.openvpn.com/admin

  2. Client Web UI URL: This is the Access Server Link URL used to log in to the Client Web UI. Example: https://yourcompany.openvpn.com

  3. Server ID: Unique identifier for this deployment to differentiate the Access Server from others using the same Subscription.

  4. Node URL: Internal identifier used for API communication. Example: abc123.access-server.cloud

  5. VPN DNS Record: Hostname used to connect to the VPN tunnel. Example: def456.access-server.cloud

πŸ–₯️ Connect to your new Access Server instance via SSH

Important

SSH isn't required for normal operation, as you have a fully functional Access Server using Access Server Link. SSH is useful for troubleshooting and for tasks that require console access.

  1. Open a terminal or SSH client.

  2. Connect using the appropriate SSH username for your cloud provider:

    Cloud provider

    Default SSH username

    AWS

    ubuntu

    Azure

    azureuser (or the username you configured during deployment)

    GCP

    Configured when adding SSH keys after VM creation. See Google Cloud Documentation.

  3. Run the following command:

    ssh -i /path/key-pair-name.pem ssh-username@instance-public-ipv4-address

    Replace /path/key-pair-name.pem with your private key, <ssh-username> with your SSH username, and <instance-public-ipv4-address> with your instance's public IP.

    Tip

    See Β Connect to Access Server via SSH using PuTTYΒ for steps to connect with the PuTTY SSH client from a Windows computer.

πŸ› οΈ Disabling and re-enabling Access Server Link

To turn off Access Server Link from the Admin Web UI:

  1. Sign in to the Admin Web UI.

  2. Go to Web Services β†’ Access Server Link.

  3. Toggle Access Server Link to Off.

  4. Click Save & Restart.

  5. Click Turn Off Access Server Link.

Once disabled, your Access Server Link URL and VPN DNS record will no longer route to your server. Your Admin and Client Web UI and VPN will be reachable via your instance's public IP instead.

Notice

If you try to access the Admin Web UI from the Access Server Link URL when it's disabled, the following message displays:

Status: Offline

Important

Disabling Access Server Link will affect existing VPN clients. Connection profiles (.ovpn files) that reference the VPN DNS record will stop working. Users will need to download new client profiles to reconnect.

Additionally, if you use SAML authentication configured, update your IdP configuration with the new public IP or domain after disabling Access Server Link, and update the SAML settings in Access Server.

To re-enable Access Server Link:

  1. Sign in to the Admin Web UI.

  2. Go to Web Services β†’ Access Server Link.

  3. Toggle Access Server Link to On.

  4. Click Save & Restart.

  5. Click Turn On Access Server Link.

    • Changes may take a few minutes to take effect.

🌍 Using a custom domain and SSL certificate with Access Server Link

You can configure a custom domain name and SSL certificate for your web services alongside Access Server Link. Access Server Link uses a separate SNI-based certificate for API communication and can coexist with custom certificates.

  • Configure a custom domain: VPN Server β†’ Network Settings β†’ Server Address.

  • Configure a custom certificate: Certificate Management β†’ Web Server Certificate.

You can also use the built-in ACME client to install certificates. Custom certificates and Access Server Link are fully compatible.

βš™οΈ Troubleshooting

IP address changes

If your Access Server's public IP changes (for example, after a restart on an ephemeral IP), Access Server Link detects the change and updates DNS records automatically. The maximum expected downtime during an IP change is approximately 15-20 minutes.

Admin or Client Web UI unreachable

If the Admin Web UI is reachable via its public IP, but not responding via Access Server Link URL:

  • The system marks the server as unreachable after 10 minutes of failed connection attempts.

  • Check that your Access Server is running and that your cloud provider's security group or firewall allows inbound traffic on TCP port 943 (or your configured Admin Web UI Port).

  • Ensure the Admin and Client Web UI ports are set to the same value. A warning appears in the Admin Web UI if they differ.

"Untrusted Node Detected" error in Access Server Hub

This warning appears when the proxy detects a certificate fingerprint that doesn't match the one registered for your deployment. Common causes:

  • The deployment script was run a second time, generating a new key pair.

  • The server was reinitialized (for example, using ovpn-init).

  • The certificate was manually replaced.

When this error occurs, the Access Server Link URL won't route to your server, and the following message is displayed: Status: Offline.

To resolve:

  1. Sign in to the Access Server Hub.

  2. Click My Access Servers in the left panel.

  3. Select your deployment and click Manage.

  4. Click View Server Details.

  5. Click the three-dot menu, then click Verify and Make Active Node.

  6. Click Send Verification Code.

    • A 6-digit code is sent to your email address.

  7. Enter the code in the prompt, then click Verify.

    • If successful, your Access Server will return to Active and Online status in the hub.

Important

This is only available if the certificate's common name matches your registered node identifier. You need to perform this action manually. An unexpected certificate will never be auto-trusted for security reasons.

For security, verify that the certificate fingerprint (base64) shown in step 5 matches the certificate fingerprint (base64) from your Access Server.

To verify this, you can follow the following steps in your Access Server:

  1. Connect to the console and get root privileges.

  2. Run the following command:

    sacli SubscriptionStatus | grep "'certfp'" | awk -F"'" '{print $6}'

    • Example output:

      yWc5w42MV6PrlY72oSpjIqfSjCZlEZrrrbGuihss3jA=

Verify that the output of this command matches the value under SHA-256 Fingerprint (base64) in the prompt shown in step 5.

Admin UI port change

If you change the Admin Web UI port in your Access Server settings, the Admin Web UI will be temporarily unreachable via the Access Server Link URL for approximately 3-4 minutes while the change propagates. Access is restored automatically after this period.

Tip

When changing the Admin Web UI port, ensure your cloud provider's security group or firewall allows inbound HTTPS traffic on the newly configured port.

OpenVPN Connect v2 compatibility

Access Server Link uses the REST API only β€” XML-RPC isn't supported. As a result, OpenVPN Connect v2 import from server and server-locked v1 profiles aren't compatible with Access Server Link. Use OpenVPN Connect v3 for all new deployments.

In this section:

Access Server's web server used by the administrator to configure the VPN server.