Skip to main content

Vultr VPN Server Setup & Quick Start Guide

Abstract

Deploy OpenVPN's Access Server software on Vultr's AI-first cloud with the Vultr Marketplace listing. Here's how.

Access Server provides a Vultr Marketplace App that you can get up and running within minutes.

Working with Vultr, you use their appliances, which are Linux-based virtual machines running on virtualized hardware. By using the Access Server offering in the Vultr Marketplace, you can launch a VPN hosted in the cloud with the following benefits:

Follow this quick start guide to launch your VPN server in the cloud.

🚀 Launch the server

To launch a new VM with Access Server software:

  1. Sign in to the Access Server portal on our site or create a new account.

  2. Click Deploy Access Server and click the Vultr option.

  3. Click Launch from Vultr Marketplace and sign in to your Vultr account if necessary.

  4. On the Vultr marketplace listing page, click Deploy.

  5. Configure step 1 for Location & Plan:

    Parameter

    Description

    Choose Type

    Select the server type that best fits your expected performance needs from Dedicated CPU, Cloud GPU, Shared CPU, or Bare Metal.

    Location

    Select the location closest to you.

    Plan

    Select a plan that fits your expected performance needs based on vCPU, memory, storage, and price per hr options. Ensure the plan uses Local NVMe storage (not Block Storage), as this is required for Access Server to be available in the Vultr Marketplace.

  6. Click to configure step 2 for Configure Software & Deploy Instance:

    Parameter

    Marketplace Apps

    Switch to the Marketplace Apps tab, search for, and select the OpenVPN Access Server (BYOL) app.

    Server Settings

    • SSH Key: Select an SSH key for SSH access to the instance.

      Tip

      If you don't have a key configured, click the drop-down near your name at the top, click SSH keys → Add SSH Key and add your public SSH key to your instance.

    • Startup Script: Leave blank.

    • Firewall Group: Leave blank.

    Server Hostname and Label

    • Server 1 Hostname: (Optional) Configure the hostname of your instance, such as openvpnas.

    • Server 1 Label: Leave blank.

    Instance Connectivity

    Select Instance(s) with Public IP. Then, select or add a VPC Network.

  7. Click Deploy.

    Note

    We used the default options for the quick start guide, which are already optimal. Feel free to configure settings as you see fit.

đź’» Connect to your VM

When your deployment is complete, the Instance Status will show as Running.

  1. Click on your instance in the Vultr dashboard.

  2. Under Overview, note the following for Location:

    • IP address

    • Username

    • Password

By default, Vultr instances are created with SSH access using a username and password. You can connect with your server immediately using those credentials.

If you enabled SSH Keys during deployment, you have two ways to connect:

  • SSH with password (default)

  • SSH with SSH keys (optional, more secure)

Recommendation:

While password authentication is available by default on Vultr, we strongly recommend using SSH keys for improved security.

The Access Server appliance is a Linux-based appliance managed via SSH. You can connect using any SSH client:

  • Use the username and password shown in the Overview tab, or

  • Use your SSH key if you configured it during deployment.

For detailed instructions, refer to:

We provide instructions on how to connect to a common use case for Windows OS users with the PuTTY SSH Client: Connect to Access Server via SSH using PuTTY.

Important

Vultr is unique in that it enables SSH password authentication by default, while also allowing SSH keys as an additional option. Other cloud providers typically require choosing one method or the other. Using SSH keys helps protect your server from unauthorized access and is considered best practice.

⚙️ Finish Access Server installation

The initial Access Server configuration tool runs automatically the first time you sign into the instance.

  1. Click on your instance in the Vultr dashboard.

  2. Under the Overview tab, scroll down to App Instructions.

  3. Locate the Admin UI URL, openvpn username, and generated password.

  4. Open the Admin Web UI in your browser (https://[youripaddress]/admin) and sign in with the credentials.

    Tip

    Replace "[youripaddress]" with the static IP address of your server.

🛠️ Finish Access Server configuration

Now that you've installed Access Server, follow these next steps.

Find the URLs for your web server

When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.

Admin UI

The Admin UI is the web-based GUI for managing your Access Server. We refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/.

When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts.

Client UI

The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example.

Tip

The web services run on port TCP 943, by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out.

First time signing into the Admin Web UI

Administrative User

For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.

You can now open a browser and enter your Admin Web UI address.

Invalid Certificate

Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.

By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.

Activating a subscription

Setting up a hostname

We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.

Refer to Hostname and follow the steps.

Setting up authentication

Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication, where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.

Access Server supports using multiple authentication systems simultaneously. Refer to Authentication System for more information.

First time connecting to the VPN server

With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.

Option to connect

Procedure

Download a bundled VPN client to connect

A user follows these steps to download a pre-configured OpenVPN Connect app:

  1. Navigate to the Client Web UI in a browser.

  2. Sign in with user credentials.

  3. The OpenVPN Connect app is displayed for download for their operating system.

  4. After it downloads, install the software.

  5. Open the app and click on the connection profile.

    • The user connects to Access Server.

Download a connection profile

A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect:

  1. Navigate to the Client Web UI in a browser.

  2. Sign in with their user credentials.

  3. Click on the link under Available Connection Profiles.

  4. After the connection profile downloads, upload the file to a VPN client.

Admin provides users with ways to connect

Alternatively, as an admin, you can use these ways to connect your users:

  1. Have your users install OpenVPN Connect from our website, then download a connection profile from the Admin Web UI and distribute it to users.

  2. Create an OpenVPN Connect installer from the Access Server command-line interface and distribute it to users.

Tip

Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.

đź•’ Change default time zone

The default time zone may not be the time zone that you're in. If you are in a different time zone, you can change this setting by running this command, then choose your appropriate time zone:

sudo dpkg-reconfigure tzdata

⏰ Install NTP client for automatic time synchronization

We recommend installing the NTP client to keep the time synchronized, but it's especially important for those that plan on using multi-factor authentication with TOTP. Run this command:

apt-get install ntp

🔄 Update operating system software

We recommend updating your Linux OS. From the time we've generated the appliance and you've downloaded and are using it, there are likely a number of updates. To make sure your appliance OS is up to date, execute the following commands:

sudo apt-get update
sudo apt-get upgrade

🛡️ Further Security Recommendations

Additional Security Steps You Can Take After Installation

In this section:

Access Server's web server used by the administrator to configure the VPN server.