
VPN Server

The VPN Server section allows you to configure core network and security settings for your Access Server deployment. This includes how your VPN clients connect, how IP addresses are assigned, and how traffic is encrypted and handled.

You'll find several configuration tabs here that align with common deployment needs, including clustering, encryption policies, and advanced networking features.

Network Settings

Configure how your server communicates with VPN clients and what interface and protocols it uses.

Server Address

This is the name or IP address that VPN clients use to access the VPN server. It must be a public IP address or a fully qualified domain name (FQDN). We strongly recommend using an FQDN for this setting.

Interface

This sets the network interface on which Access Server listens for incoming VPN connections. If clients can't reach the address of the listed interface, they can't connect to the server.

OpenVPN daemons

You can change the number of TCP or UDP daemons and their port numbers with these fields.

Protocols

You can choose TCP and UDP, TCP only, or UDP only as the protocol option.

Tip

The OpenVPN protocol functions best over UDP. By default, Access Server's downloaded connection profiles are pre-programmed to try UDP first and then fall back to TCP if that fails. However, you may need TCP or both for specific networks that block certain types of traffic.

For example, some public networks allow only traffic for protocols such as HTTP, HTTPS, FTP, SMTP, POP3, and IMAP, most of which are TCP-only. Supporting TCP connections lets clients connect through such a network. By default, we use TCP port 443, the same port as HTTPS traffic, which is usually allowed even on restrictive networks.

We consider TCP less ideal because of the TCP meltdown phenomenon, which occurs when one reliable transport protocol is stacked on top of another (such as TCP traffic transported within an OpenVPN TCP tunnel). The underlying layer may encounter a problem, such as packet loss, and attempt to correct or compensate for it, while the layer above does the same and overcompensates, resulting in delays and additional issues.

OpenVPN UDP Daemon

You can adjust the number of UDP daemons and their port numbers with these fields.

OpenVPN TCP Daemon

You can adjust the number of TCP daemons and their port numbers with these fields.
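As an added example (not Access Server's own code), the following models what the Network Settings above imply for a downloaded profile: the Server Address is checked against the "public IP or FQDN" requirement, and the ordered `remote` lines are derived from the protocol choice and daemon ports, UDP first and then TCP. The profile layout and the `build_remote_lines`/`classify_server_address` names are assumptions; real profiles contain further directives that are omitted here.

```python
import ipaddress

# Constructed assumption: a downloaded profile lists one "remote" line per
# daemon, UDP daemons first, then TCP daemons, so the client tries UDP and
# falls back to TCP (port 443 by default). Other profile directives are omitted.


def build_remote_lines(server_address, protocols, udp_ports=(1194,), tcp_ports=(443,)):
    """Return the ordered 'remote' lines for a profile.

    protocols is "both", "udp" or "tcp", mirroring the three Protocols
    choices. udp_ports/tcp_ports are the daemon ports from the daemon fields.
    """
    if protocols not in ("both", "udp", "tcp"):
        raise ValueError(f"unknown protocol choice: {protocols!r}")
    lines = []
    if protocols in ("both", "udp"):
        lines += [f"remote {server_address} {port} udp" for port in udp_ports]
    if protocols in ("both", "tcp"):
        lines += [f"remote {server_address} {port} tcp" for port in tcp_ports]
    return lines


def classify_server_address(server_address):
    """Classify the Server Address field as 'fqdn', 'public-ip' or 'non-public-ip'.

    The page requires a public IP or an FQDN. Private, loopback, link-local and
    reserved ranges are reported so the mistake is caught before clients fail
    to connect. Any value that is not an IP literal is treated as a host name.
    """
    try:
        ip = ipaddress.ip_address(server_address)
    except ValueError:
        return "fqdn"
    return "public-ip" if ip.is_global else "non-public-ip"


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    address = "vpn.example.com"
    print(classify_server_address(address))
    for line in build_remote_lines(address, "both", udp_ports=(1194,), tcp_ports=(443,)):
        print(line)
```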

πŸ—ΊοΈ Subnets

Manage the IP address ranges assigned to connected VPN clients and user groups.

Default VPN client address pool

Set the dynamic IP address range that clients receive when connecting. Access Server pulls IP addresses from this subnet unless a static address is predefined for specific users.

Static IP address pool

Set up a unique subnet that Access Server uses for static IP address assignment. This is an optional setting.

Default group address pool

When a group doesn't have a specific dynamic IP address pool, the group references this subnet list to allocate client IP addresses.

  • For NAT, use the default global group subnet.

  • For routing, assign unique node global group subnets.

  • Specify a list of node subnets, one per line.

  • Remove all values from this field to revert to the default global subnets.

πŸ” Clustering & Failover

Set up Access Server for high availability and scalability.

Create A New Cluster

Form a multi-node cluster for load balancing and shared configuration. Click New Cluster to begin the setup process for Access Server's high-availability deployment using a shared MySQL database and internal node communication.

Note

Joining a cluster triggers a restart of Access Server. After joining, all locally defined users on the node become invalid, as the cluster relies on a shared user database.

Node Name

Specifies a unique identifier for the node within the cluster. This name is used to distinguish the node in the Admin Web UI and in logs.

πŸ—„οΈ MySQL Settings

Defines the database connection parameters for the shared MySQL-compatible database used by all nodes in the cluster.

  • MySQL hostname or IP address: The address of the MySQL database server.

  • MySQL Port: The database server port (default is typically 3306).

  • MySQL Username and Password: Credentials for an account with appropriate permissions to manage Access Server data.

πŸ” Inter-Node Communication Settings

Configures the internal communication channel between nodes in the cluster. The Hostname or IP address is the internal address used by this node to communicate with other cluster nodes.

Global Cluster Client Connection Endpoint

Specifies the client-facing connection endpoint used for VPN access in a clustered environment. This typically points to a round-robin DNS hostname that balances traffic across nodes and enables automatic failover.

Join A Cluster

Join an existing Access Server cluster setup. When you click Join Cluster, you can enter the cluster configuration settings.

Note

Joining a cluster triggers a restart of Access Server. After joining, all locally defined users on the node become invalid, as the cluster relies on a shared user database.

Node Name

Specifies a unique identifier for the node within the cluster. This name is used to distinguish the node in the Admin Web UI and in logs.

πŸ—„οΈ MySQL Settings

Defines the database connection parameters for the shared MySQL-compatible database used by all nodes in the cluster.

  • MySQL hostname or IP address: The address of the MySQL database server.

  • MySQL Port: The database server port (default is typically 3306).

  • MySQL Username and Password: Credentials for an account with appropriate permissions to manage Access Server data.

πŸ” Inter-Node Communication Settings

Configures the internal communication channel between nodes in the cluster. The Hostname or IP address is the internal address used by this node to communicate with other cluster nodes.

Set Up Failover

Failover allows Access Server to maintain VPN availability by designating a secondary node to take over if the primary node becomes unreachable. This setup requires a shared virtual IP and direct communication between the two failover nodes, which must be on the same local network.

Important

Failover requires both nodes to be on the same subnet and have uninterrupted network access to the shared virtual IP.

Shared failover IP for VPN services

Defines the shared virtual IP address used by both the primary and secondary nodes for VPN client connections. This IP must be reachable on the local LAN and will move between nodes during failover events.

Primary Node

Specifies the IP address of the primary node in the failover pair, the node that normally handles VPN traffic.

Advanced Settings

  • SSH Username: Username for SSH access used to coordinate failover.

  • SSH Password: Corresponding password for authentication.

  • SSH Port: The port used for SSH access (default is 22 unless customized).

Secondary Node

Specifies the IP address of the secondary node, which takes over if the primary becomes unavailable.

Advanced Settings

  • SSH Username: Username for SSH access used to coordinate failover.

  • SSH Password: Corresponding password for authentication.

  • SSH Port: The port used for SSH access (default is 22 unless customized).

πŸ” Security / Encryption

Customize how traffic is encrypted and enhance the security of your VPN environment.

TLS

Select the TLS version securing the control channel.

Minimum TLS level required

Set the minimum TLS protocol to use. The default is TLS 1.2.

Not all OpenVPN clients support the minimum TLS protocol setting, which may prevent some clients from connecting to the server. When possible, we recommend updating older clients to use improved security protocols.

TLS control channel security

The OpenVPN protocol uses two communication channels during a VPN session. One is the control channel, where key negotiation, authentication, and configuration exchange occur. The other is the data channel, which carries the encrypted tunnel packets. The control channel can be secured further by signing and verifying its packets with a pre-shared key; this is called TLS Auth. TLS Crypt adds another layer of encryption to the control channel on top of the signing and verification that TLS Auth provides. This extra encryption covers even the key exchange that takes place before the TLS session is established.

Data-channel ciphers

The data-channel encryption cipher determines how the data packets transmitted through the OpenVPN tunnel are encrypted and decrypted. On the server, ciphers can be specified in order of priority. The first cipher that the client also supports will be used for the VPN session. This allows for backward compatibility so that newer clients capable of better encryption ciphers will prefer to use those, while older clients can still connect using older cipher methods.

Connection security refresh

This setting determines the interval, in minutes, after which Access Server renegotiates each TLS session.

OpenVPN client certificate requirements

Turn this option on to allow server-locked connection profiles.

⚑ Data Channel Offload (DCO)

OpenVPN data channel offload (DCO) improves performance when enabled on both the VPN server and the clients. DCO moves data channel encryption and decryption into the kernel. Handling encryption in kernel space rather than user space improves performance.

Use DCO if possible

Turn on DCO. This requires the DCO kernel module to be installed on the server.

DCO status

Displays the status of DCO on your server.

DCO module

Displays the version of the DCO module on your server.

OpenVPN daemon

Displays the OpenVPN binary in use.

βš™οΈ Advanced

Adjust low-level and optional features for specialized network setups.

Multiple sessions per user

Allow users to connect to the VPN server from multiple devices simultaneously.

MTU (Maximum Transmission Unit)

Set the maximum transmission unit (MTU) size for VPN traffic.

Legacy client support options

Enable compatibility for clients that do not announce their supported ciphers.
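The following is an added example (not Access Server's own code) that models the data-channel cipher selection described under Data-channel ciphers together with this legacy-client option: the server's priority order decides, the first cipher the client also announces wins, and a client that announces nothing is accepted only when legacy support is on. The cipher list, the fallback cipher and the `select_data_cipher` name are constructed assumptions, and the fallback behaviour is a simplified model of the compatibility setting.

```python
# Constructed server priority list, not a recommendation; the real list is
# whatever the admin enters in the Data-channel ciphers field.
SERVER_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"]

# Constructed assumption: the cipher handed to clients that announce nothing
# when "Legacy client support" is enabled.
LEGACY_FALLBACK_CIPHER = "AES-256-CBC"


def select_data_cipher(server_ciphers, client_ciphers, legacy_support=False,
                       fallback=LEGACY_FALLBACK_CIPHER):
    """Return the negotiated data-channel cipher, or None if the client is rejected.

    client_ciphers is the list the client announced, or None when the client
    announced nothing (an older client that predates cipher negotiation).
    """
    if client_ciphers is None:
        # No announcement: only the legacy compatibility setting admits this client.
        return fallback if legacy_support else None
    announced = {c.upper() for c in client_ciphers}
    for cipher in server_ciphers:          # server order wins, not client order
        if cipher.upper() in announced:
            return cipher
    return None                            # no overlap: the session is refused


def explain(server_ciphers, client_ciphers, legacy_support=False):
    """Human-readable outcome for a log line or an admin check."""
    chosen = select_data_cipher(server_ciphers, client_ciphers, legacy_support)
    return chosen or "rejected: no common data-channel cipher"


if __name__ == "__main__":
    modern = ["CHACHA20-POLY1305", "AES-256-GCM"]       # constructed announcement
    print(explain(SERVER_DATA_CIPHERS, modern))         # server priority picks AES-256-GCM
    print(explain(SERVER_DATA_CIPHERS, ["BF-CBC"]))      # nothing in common
    print(explain(SERVER_DATA_CIPHERS, None))            # legacy client, support off
    print(explain(SERVER_DATA_CIPHERS, None, legacy_support=True))
```

Note that the client's own preference order is ignored: a client that lists CHACHA20-POLY1305 first still gets AES-256-GCM because the server list ranks it higher.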

Legacy Windows networking

Control options related to Windows networking, such as NetBIOS over TCP/IP.