VPN Server
The VPN Server section allows you to configure core network and security settings for your Access Server deployment. This includes how your VPN clients connect, how IP addresses are assigned, and how traffic is encrypted and handled.
You'll find several configuration tabs here that align with common deployment needs, including clustering, encryption policies, and advanced networking features.
π§ Network Settings
Configure how your server communicates with VPN clients and what interface and protocols it uses.
Server Address
This is the name or IP address that VPN clients use to access the VPN server. It must be a public IP address or a fully qualified domain name (FQDN). We strongly recommend using an FQDN for this setting.
Interface
This configures the interface where Access Server listens to VPN server requests. If clients can't access the interface listed, they can't connect to the server.
OpenVPN daemons
You can change the number of TCP or UDP daemons and their port numbers with these fields.
Protocols
You can choose TCP and UDP, TCP, or UDP as the protocol options.
Tip
The OpenVPN protocol functions best over the UDP protocol. By default, Access Server's downloaded connection profiles are pre-programmed to try UDP first and then TCP if that fails. However, you may need TCP or both for specific networks that block certain types of traffic.
For example, only traffic for protocols such as HTTP, HTTPS, FTP, SMTP, POP3, and IMAP is allowed on a public network. Most of those are TCP-only. Supporting TCP connections is helpful for connections through such a network. By default, we choose port TCP 443, the same port as HTTPS traffic, which is usually allowed even on restrictive networks.
We consider TCP less ideal due to the possibility of the TCP meltdown phenomenon, which occurs when one transmission protocol is stacked on top of another (such as TCP traffic transported within an OpenVPN TCP tunnel). The underlying layer may encounter a problem and attempt to correct or compensate for it, but the layer above overcompensates, resulting in delays and additional issues.
OpenVPN UDP Daemon
You can adjust the number of UDP daemons and their port numbers with these fields.
OpenVPN TCP Daemon
You can adjust the number of TCP daemons and their port numbers with these fields.
πΊοΈ Subnets
Manage the IP address ranges assigned to connected VPN clients and user groups.
Default VPN client address pool
Set the dynamic IP address range that clients receive when connecting. Access Server pulls IP addresses from this subnet unless predefined for specific users.
Static IP address pool
Set up a unique subnet that Access Server uses for static IP address assignment. This is an optional setting.
Default group address pool
When a group doesn't have a specific dynamic IP address pool, the group references this subnet list to allocate client IP addresses.
For NAT, use the default global group subnet.
For routing, assign unique node global group subnets.
Specify a list of node subnets, one per line.
Remove all values from this field to revert to the default global subnets.
π Clustering & Failover
Set up Access Server for high availability and scalability.
Create A New Cluster
Form a multi-node cluster for load balancing and shared configuration. Click New Cluster to begin the setup process for Access Server's high-availability deployment using a shared MySQL database and internal node communication.
Note
Joining a cluster triggers a restart of Access Server. After joining, all locally defined users on the node become invalid, as the cluster relies on a shared user database.
π₯οΈ Node Name
Specifies a unique identifier for the node within the cluster. This name is used to distinguish the node in the Admin Web UI and in logs.
ποΈ MySQL Settings
Defines the database connection parameters for the shared MySQL-compatible database used by all nodes in the cluster.
MySQL hostname or IP address: The address of the MySQL database server.
MySQL Port: The database server port (default is typically 3306).
MySQL Username and Password: Credentials for an account with appropriate permissions to manage Access Server data.
π Inter-Node Communication Settings
Configures the internal communication channel between nodes in the cluster. The Hostname or IP address is the internal address used by this node to communicate with other cluster nodes.
π Global Cluster Client Connection Endpoint
Specifies the client-facing connection endpoint used for VPN access in a clustered environment. This typically points to a round-robin DNS hostname that balances traffic across nodes and enables automatic failover.
Join A Cluster
Join an existing Access Server cluster setup. When you click Join Cluster, you can enter the cluster configuration settings.
Note
Joining a cluster triggers a restart of Access Server. After joining, all locally defined users on the node become invalid, as the cluster relies on a shared user database.
π₯οΈ Node Name
Specifies a unique identifier for the node within the cluster. This name is used to distinguish the node in the Admin Web UI and in logs.
ποΈ MySQL Settings
Defines the database connection parameters for the shared MySQL-compatible database used by all nodes in the cluster.
MySQL hostname or IP address: The address of the MySQL database server.
MySQL Port: The database server port (default is typically 3306).
MySQL Username and Password: Credentials for an account with appropriate permissions to manage Access Server data.
π Inter-Node Communication Settings
Configures the internal communication channel between nodes in the cluster. The Hostname or IP address is the internal address used by this node to communicate with other cluster nodes.
Set Up Failover
Failover allows Access Server to maintain VPN availability by designating a secondary node to take over if the primary node becomes unreachable. This setup requires a shared virtual IP and direct communication between the two failover nodes, which must be on the same local network.
Important
Failover requires both nodes to be on the same subnet and have uninterrupted network access to the shared virtual IP.
π’ Primary Node
Specifies the IP address of the primary node in the failover pairβthe node that normally handles VPN traffic.
Advanced Settings
SSH Username: Username for SSH access used to coordinate failover.
SSH Password: Corresponding password for authentication.
SSH Port: The port used for SSH access (default is 22 unless customized).
π΅ Secondary Node
Specifies the IP address of the secondary node, which takes over if the primary becomes unavailable.
Advanced Settings
SSH Username: Username for SSH access used to coordinate failover.
SSH Password: Corresponding password for authentication.
SSH Port: The port used for SSH access (default is 22 unless customized).
π Security / Encryption
Customize how traffic is encrypted and enhance the security of your VPN environment.
TLS
Select the TLS version securing the control channel.
Minimum TLS level required | Set the minimum TLS protocol to use. The default is TLS 1.2. Not all OpenVPN clients support the minimum TLS protocol setting, which may prevent some clients from connecting to the server. When possible, we recommend updating older clients to use improved security protocols. |
TLS control channel security | OpenVPN protocol uses two communication channels during the VPN session. One is the control channel, where key negotiation, authentication, and configuration occur. The other is the data channel where the encryption packets are. The control channel can be secured further by signing and verifying the packets with a shared key. This is called TLS Auth. With TLS Crypt for OpenVPN, we add another layer of encryption to the control channel on top of signing and verifying with a shared key as TLS Auth does. This extra layer of encryption applies even to the key exchange before the TLS session starts. |
Data-channel ciphers
The data-channel encryption cipher determines how the data packets transmitted through the OpenVPN tunnel are encrypted and decrypted. On the server, ciphers can be specified in order of priority. The first cipher that the client also supports will be used for the VPN session. This allows for backward compatibility so that newer clients capable of better encryption ciphers will prefer to use those, while older clients can still connect using older cipher methods.
Connection security refresh
This setting determines the amount of time in minutes Access Server renegotiates each TLS session.
OpenVPN client certificate requirements
Allow server-locked connection profiles by turning this option on.
β‘ Data Channel Offload (DCO)
OpenVPN data channel offloading (DCO) improves performance when enabled on the VPN server and clients. DCO offloads the data channel encryption and decryption to the kernel space. Handling encryption in the kernel space rather than the user space improves performance.
Use DCO if possible | Turn on DCO. This requires the DCO kernel installed on the server. |
DCO status | Displays the status of DCO on your server. |
DCO module | Displays the version of the DCO module on your server. |
OpenVPN daemon | Displays the OpenVPN binary. |
βοΈ Advanced
Adjust low-level and optional features for specialized network setups.
Multiple sessions per user
Allow users to connect to the VPN server from multiple devices simultaneously.
MTU (Maximum Transmission Unit)
Set the maximum transmission unit (MTU) size for VPN traffic.
Legacy client support options
Enable compatibility for clients that do not announce their supported ciphers.
Legacy Windows networking
Control options related to Windows networking, such as NetBIOS over TCP/IP.