DigitalOcean Frequently Asked Questions
When you launch a DigitalOcean Droplet, you select an authentication method. We recommend choosing an SSH key rather than a password, because SSH keys are more secure. You can then use a terminal or an SSH client to connect and authenticate with the key. For one way to connect from Windows, refer to Connect to Access Server via SSH using PuTTY. You can also refer to DigitalOcean’s tips on How to Connect to Droplets with SSH.
If you have Droplets on a private network, they can communicate with each other directly over that network. You can install Access Server on one of those Droplets to give VPN clients secure access to the private network. To set up access, you add routes for the VPN client subnet on each Droplet. There is, as far as we know, no default gateway that can be used as a means to set up a global static route, so each Droplet that wants to address a connected VPN client directly needs a manually added route:
- Sign in to the Admin Web UI.
- Click VPN Settings > Routing.
- Choose Yes, using Routing.
- Specify the private subnet that is in use on your DigitalOcean private network.
- On each Droplet that needs to address VPN clients directly, add a route that points the VPN client subnet to the private IP of the Access Server in your DigitalOcean private network.
You can assign VPN clients static IP addresses, so they have the same, predictable IP address each time they connect. You can do that on the User Permissions page.
We provide some recommendations for hardware and infrastructure here: OpenVPN Access Server system requirements.
For security, we recommend authenticating with an SSH key rather than a one-time password. DigitalOcean provides a tool to upload your SSH Key. You can find instructions within that same tool to create a key using Linux, macOS, or Windows. You can find this when you get to the “Create Key” step while creating your Droplet. You can also generate a key using PuTTY.
OpenVPN Access Server requires access for inbound traffic on TCP 22 for SSH, TCP 443 for OpenVPN TCP tunnel connectivity and HTTPS web interface, TCP 943 as a dedicated port for the web interface, TCP 945 for clustering functionality (if enabled), and UDP 1194 for OpenVPN UDP tunnel connectivity.
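One way to check a set of inbound firewall rules against the port list above, flagging required ports that are closed and open ports that Access Server does not need. This is an added example, not code from OpenVPN or DigitalOcean; the rule shape with `protocol` and `ports` keys and the sample rules are assumptions constructed for the illustration.

```python
"""Audit inbound firewall rules against the Access Server port list."""

# Inbound ports named on this page for OpenVPN Access Server.
REQUIRED = {
    ("tcp", 22): "SSH",
    ("tcp", 443): "OpenVPN TCP tunnel and HTTPS web interface",
    ("tcp", 943): "dedicated web interface port",
    ("udp", 1194): "OpenVPN UDP tunnel",
}
CLUSTERING = {("tcp", 945): "clustering"}  # only needed when clustering is enabled

# Constructed sample rules; the {"protocol", "ports"} shape is an assumption.
SAMPLE_RULES = [
    {"protocol": "tcp", "ports": "22"},
    {"protocol": "tcp", "ports": "443"},
    {"protocol": "tcp", "ports": "943-945"},
    {"protocol": "udp", "ports": "1194"},
    {"protocol": "tcp", "ports": "8080"},
]


def expand(rule):
    """Return the set of (protocol, port) pairs that one inbound rule opens."""
    proto = rule["protocol"].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto!r}")
    low, _, high = str(rule["ports"]).strip().partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {rule['ports']!r}")
    return {(proto, port) for port in range(low, high + 1)}


def audit(rules, clustering=False):
    """Return (missing, extra): required ports not opened, opened ports not required."""
    wanted = set(REQUIRED) | (set(CLUSTERING) if clustering else set())
    opened = set().union(*(expand(r) for r in rules))
    return sorted(wanted - opened), sorted(opened - wanted)


if __name__ == "__main__":
    missing, extra = audit(SAMPLE_RULES, clustering=False)
    for proto, port in missing:
        print(f"MISSING {proto}/{port}: {REQUIRED.get((proto, port), 'clustering')}")
    for proto, port in extra:
        print(f"EXTRA   {proto}/{port}: not in the Access Server port list")
```

With the sample rules, the `943-945` range opens TCP 944 and, when clustering is disabled, TCP 945 without need, which is the kind of over-broad rule the audit is meant to surface.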
You can assign a publicly accessible static IP address to a Droplet, then reassign it to another Droplet later, as needed, with a Reserved IP address. When you launch a Droplet, DigitalOcean assigns a random IPv4 address that stays with the Droplet until you terminate it. Every new launch means a unique IPv4 address. You can keep the same IPv4 address, regardless of terminating and creating new Droplets, using DigitalOcean's Reserved IP address functionality (previously called Floating IP). You can attach or detach this static IP address as needed, keeping the public IP of your server the same. Refer to DigitalOcean's documentation on Reserved IPs.
We recommend using a hostname instead of an IP address. Refer to Setting up your OpenVPN Access Server Hostname.
OpenVPN Access Server Configuration
OpenVPN Access Server supports a high-availability solution using clustering functionality. Multiple Access Server nodes share the same configuration, and a single DNS round-robin address connects each client with an available node. For complete details, refer to Understanding Clustering with OpenVPN Access Servers.
When a client connects to Access Server, Access Server assigns it an IP address. You can define a pool of addresses for that assignment or specify a static IP address for each VPN client.
- Assign the client-specific IP address on the User Permissions page in the Admin Web UI.
- Assign group-specific IP address pools on the Group Permissions page.
- Assign a dynamic IP address pool at the global level on the VPN Settings page.