
Tutorial: Initialize or Reset Access Server with ovpn-init

Abstract

Initialize or reset OpenVPN Access Server using ovpn-init. Learn how to run interactive and batch setups, configure cloud environments, and safely perform factory resets.

Overview

ovpn-init is an initialization-only command-line tool included with OpenVPN Access Server. It's used to perform the initial configuration of a new installation or to reset an existing installation to factory defaults.

Use ovpn-init when:

  • Setting up Access Server for the first time on a cloud provider instance.

  • Performing a deliberate factory reset of an existing installation.

Warning: Destructive command

Running ovpn-init wipes all Access Server configuration settings, certificates, and user/group properties. This action can't be undone. Always back up your configuration before use. Active fixed license keys aren't removed.

Prerequisites

  • A running instance of Access Server.

  • Console access with the ability to get root privileges.

  • A backup of your configuration (for resets).

  • For batch mode: Review and accept the EULA (ovpn-init --view-eula).

Tip

The ovpn-init --view-eula command is safe to run. It only displays the End User License Agreement (EULA) and doesn't perform any initialization, reset, or configuration changes.

  1. Connect to the console and get root privileges.

  2. Run the following command:

    ovpn-init --view-eula

  3. Review the End User License Agreement.

    Note

    Using --batch in any command indicates that you agree to the EULA.

  1. Connect to the console and get root privileges.

  2. Run the command appropriate for your environment:

    • Cloud provider initialization (interactive):

      AWS EC2:

      ovpn-init --ec2

      Google Cloud Platform:

      ovpn-init --gcp

      Microsoft Azure:

      ovpn-init --azure

      Oracle Cloud:

      ovpn-init --oracle

    • Factory reset (generic VM or non-cloud environment):

      ovpn-init --force

      Note

      Cloud-specific flags apply recommended defaults for each platform and launch the interactive setup wizard.

  1. After running ovpn-init, follow the prompts in the terminal.

  2. Provide required configuration values when prompted.

    Tip

    Unless you're setting up a failover server, accept the default settings and adjust them later in the Admin Web UI. When prompted for an activation key, you can press Enter to add it later.

  1. Connect to the console and get root privileges.

  2. Ensure you have reviewed the EULA:

    ovpn-init --view-eula

  3. Run the command appropriate for your environment:

    • Cloud provider initialization (batch):

      AWS EC2:

      ovpn-init --ec2 --batch --force

      Google Cloud Platform:

      ovpn-init --gcp --batch --force

      Microsoft Azure:

      ovpn-init --azure --batch --force

      Oracle Cloud:

      ovpn-init --oracle --batch --force

    • Factory reset (generic VM or non-cloud environment):

      ovpn-init --batch --force

      Warning

      Don't use --batch unless you've reviewed the EULA. Batch mode skips all prompts and runs non-interactively.
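
A pre-flight guard for the batch commands above, added here as an example and not part of Access Server or its documentation. The function name build_ovpn_init_cmd and the variables EULA_REVIEWED and BACKUP_FILE are hypothetical; the function only prints the command it would run, so an automation job can log or review it before executing.

```shell
# Added example: builds (never runs) an ovpn-init batch command after pre-flight checks.
# build_ovpn_init_cmd, EULA_REVIEWED and BACKUP_FILE are hypothetical names.
build_ovpn_init_cmd() {
    platform=$1       # ec2 | gcp | azure | oracle | generic
    key_alg=${2:-}    # optional value for --key_algorithm
    key_size=${3:-}   # optional value for --key_size (RSA only)
    # --batch signals EULA agreement, so demand an explicit acknowledgement.
    if [ "${EULA_REVIEWED:-no}" != "yes" ]; then
        echo "refusing: run 'ovpn-init --view-eula', then set EULA_REVIEWED=yes" >&2
        return 2
    fi
    # --force wipes all databases; insist on a non-empty backup file first.
    if [ -z "${BACKUP_FILE:-}" ] || [ ! -s "$BACKUP_FILE" ]; then
        echo "refusing: BACKUP_FILE is unset, missing or empty" >&2
        return 3
    fi
    case $platform in
        ec2|gcp|azure|oracle) cmd="ovpn-init --$platform --batch --force" ;;
        generic)              cmd="ovpn-init --batch --force" ;;
        *) echo "refusing: unknown platform '$platform'" >&2; return 4 ;;
    esac
    if [ -n "$key_alg" ]; then
        # Allow only plain algorithm/curve names so nothing else reaches the command line.
        case $key_alg in
            *[!a-z0-9]*) echo "refusing: bad key algorithm '$key_alg'" >&2; return 5 ;;
        esac
        cmd="$cmd --key_algorithm=$key_alg"
    fi
    if [ -n "$key_size" ]; then
        case $key_size in
            *[!0-9]*) echo "refusing: key size must be a number" >&2; return 6 ;;
        esac
        # Per the flag reference, --key_size is an RSA size and should be 2048 or larger.
        if [ -n "$key_alg" ] && [ "$key_alg" != "rsa" ]; then
            echo "refusing: --key_size only applies to rsa" >&2; return 6
        fi
        if [ "$key_size" -lt 2048 ]; then
            echo "refusing: RSA key size below 2048" >&2; return 6
        fi
        cmd="$cmd --key_size=$key_size"
    fi
    printf '%s\n' "$cmd"
}

# Constructed demo: a temporary file stands in for a real configuration backup.
demo_backup=$(mktemp)
echo "constructed placeholder" > "$demo_backup"
( EULA_REVIEWED=yes; BACKUP_FILE=$demo_backup; build_ovpn_init_cmd ec2 rsa 4096 )
rm -f "$demo_backup"
```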

  1. Run:

    ovpn-init --help

  2. Review available flags and usage details.

Reference: Available flags

Table 1. Available flags

Flag                            Description

Cloud provider
--ec2                           Configure using Amazon EC2 user-defined metadata.
--gcp                           Configure using Google Cloud user-defined metadata.
--azure                         Configure using Microsoft Azure user-defined metadata.
--oracle                        Configure using Oracle Cloud user-defined metadata.

Reset and initialization behavior
--force                         Re-initialize Access Server and wipe all databases. Required for factory resets.
--batch                         Run non-interactively; Access Server will not prompt for TTY input. Using this flag indicates agreement with the EULA. See --view-eula.
--view-eula                     Display the End User License Agreement before running.
--no_start                      Do not automatically start the Access Server daemon after the script completes.
--verbose                       Generate verbose output during initialization.

Server configuration
--host=HOST                     Set the fully qualified domain name (FQDN) of this server for internet access.
--secondary                     Configure this node as a secondary (backup or standby) node.
--local_auth                    Use local authentication via Access Server's internal database.
--license=LICENSE               Optionally specify an Access Server license key during initialization.

Routing defaults
--no_reroute_gw                 Client traffic will not be routed through the VPN by default.
--no_reroute_dns                Client DNS traffic will not be routed through the VPN by default.
--no_private                    Private subnets will not be accessible to VPN clients by default.

Cryptography
--key_algorithm=ALGORITHM       Key algorithm for OpenVPN profiles and certificates. Valid values: rsa, or an EC curve name such as ed25519 or secp256r1.
--web_key_algorithm=ALGORITHM   Key algorithm for self-signed web certificates. Uses the same valid values as --key_algorithm.
--key_size=SIZE                 RSA key size for OpenVPN profiles and certificates. Use 2048 or larger.
--web_key_size=SIZE             RSA key size for self-signed web certificates. Use 2048 or larger.