Quick Start Guide for Using the OpenVPN Access Server Virtual Appliance for the Microsoft Hyper-V Virtualization Platform
Current appliance version is: 2.1.3
Last updated: August 24, 2016
OpenVPN Access Server is available as a Hyper-V virtual appliance for deployment on Microsoft Hyper-V compatible machines. This appliance is based off the Ubuntu Server distribution line, therefore all of the required Hyper-V modules have already been included. To use the virtual appliance, you must download the virtual machine and import it using the Hyper-V Manager.
Downloading and Running the Virtual Machine
Decompress the file into the folder where your virtual machines are kept and then create a new VM and attach the enclosed VHD file as the new hard drive. The machine should start normally. Do note that if you are using the Windows Server 2012 server of Hyper-V, Generation 1 VMs must be used since Generation 2 VMs do not support Linux machines at this time. It is normal to see a Degraded status on the network adapter due to the way the underlying operating system interacts with Hyper-V. This does not signify a defect and your appliance is working as expected.
Initial Setup of Access Server
The appliance downloaded from this website comes depersonalized and must be personalized before it can be used. Please follow the instructions below in order to customize your OpenVPN Access Server appliance. Upon the initial startup of the appliance, you will be asked to login to the console of the appliance. To do so, use the following credentials: Username: root Password: openvpnas
Running the OpenVPN Access Server Setup Wizard (required)
The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance. If you would like to run this wizard again in the future, issue the ovpn-init command in the terminal. Read through the EULA, and enter yes to indicate your agreement.
> Will this be the primary Access Server node?
Explanation: If this is your initial Access Server node, press Enter to accept the default setting. Otherwise, if you are setting up your failover node, change this to say no.
> Please specify the network interface and IP address to be used by the Admin Web UI:
Explanation: This will be the interface where OpenVPN Access Server will listen to Admin Web UI requests. Make sure you have access to the interface listed otherwise you will be unable to login to your server. If you are uncertain on what interface to use, select option 1 for all interfaces. Do note that if your network did not assign your appliance a DHCP lease or if you are planning to use a static IP for your server, you will need to specify all interfaces here and follow the instructions for assigning a Static IP in the later section of this article. This option may be changed any time after the completion of the wizard in the Web Admin UI.
> Please specify the port number for the Admin Web UI.
Explanation: This is the port you will use to access to the web based administration area. It is usually safe to leave this at the default port unless customization is desired.
> Please specify the TCP port number for the OpenVPN Daemon
Explanation: This is the port clients will use to connect to your VPN server. This port will have to be forwarded to the Internet if your server is behind a NAT based router. By default the web based administration area also runs on this port for your convenience, although this setting can be disabled in the Admin Web UI interface.
> Should client traffic be routed by default through the VPN?
Explanation: If you only have a small network you would like your remote users to connect over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option.
> Should client DNS traffic be routed by default through the VPN?
Explanation: If you would like your VPN clients to able to resolve local domain names using an on-site DNS server, select yesfor this option. Otherwise, select no. Do note that if you selected yes for the previous option, all traffic will be routed over the VPN regardless what you set for this setting here.
> Use local authentication via internal DB?
Explanation: If you would like OpenVPN Access Server to keep an internal authentication database for authenticating your users, select yes for this option. When this option is turned on, you will be able to define and/or change username and passwords within the Admin Web UI. If you select no for this option, Linux PAM authentication will be used and you will need to add/change/delete users within the Linux operating system itself. If you would like to use LDAP or RADIUS as your authentication method, you will need to change this after you login to the Web Admin UI.
> Should private subnets be accessible to clients by default?
Explanation: This option defines the default security setting of your OpenVPN Access Server. When Should client traffic be routed by default through the VPN? is set to no, it defines the list of subnets that your VPN clients is able to access. You are able to add more entries to this list once you login to the Admin Web UI area. This option will have no effect if Should client traffic be routed by default through the VPN? is set to yes.
> Do you wish to login to the Admin UI as "openvpn"?
Explanation: This defines the initial username in which you would use to login to the Access Server Admin UI area. This username will also serve as your "lock out" administrator username shall you ever lock yourself out of your own server. If you would like to specify your own username, select no. Otherwise, accept yes for the default.
> > Specify the username for an existing user or for the new user account:
Explanation: Enter the initial username you would like to use instead of the default 'openvpn'.
> Type the password for the 'user' account: > Confirm the password for the 'user' account:
Explanation: Specify the password you would like to use for the account.
> > Please specify your OpenVPN-AS license key (or leave blank to specify later):
Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here. Otherwise, leave it blank. OpenVPN Access Server includes two free licenses for testing purposes. After you complete the setup wizard, you can access the Admin Web UI area to configure other aspects of your VPN. The URL for the Admin Web UI area is displayed upon the completion of the setup wizard. As mentioned previously, you will be able to access the Admin Web UI on both the VPN port and the Admin port unless you disable this behavior in the Admin Web UI. Note: If you selected yes to the Do you wish to login to the Admin UI as "openvpn"?option in the setup wizard, you will need to define the password for this account by running: passwd openvpn and press Enter.
Changing the Root Password (recommended)
The root password is the equivalent of an administrator password in the Windows environment. Anyone who has this password would also have full control over the appliance. Becuase this is set to a default password of 'openvpnas', it should be changed to something secure, especially if you plan to use this appliance in production environments. To do so, execute the follow command (you will be asked for your new root password): passwd
Configure Static IP Addressing (optional)
The appliance by default automatically obtains networking information from DHCP. If your network has no DHCP server and/or you would like to manually assign an IP address to your Access Server appliance, please follow the steps below:
- Type the command: nano /etc/network/interfaces into the console and press Enter.
- Use the down arrow keys to scroll down to the iface eth0 inet dhcp line, and change dhcp to static.
- Add the following lines using the template below: address 'ipAddr' netmask 'subnet' gateway 'gw' dns-nameservers 'dns1' 'dns2'
For example, if you would like to configure your appliance to have an IP address of 192.168.0.100, and subnet mask of 255.255.255.0, a gateway of 192.168.0.1, and nameservers of 184.108.40.206 and 220.127.116.11, your configuration will look like this: # The primary network interface allow-hotplug eth0 iface eth0 inet static address 192.168.0.100 netmask 255.255.255.0 gateway 192.168.0.1 dns-nameservers 18.104.22.168 22.214.171.124 Once you are done, press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor. To activate the new configuration, run the following command: ifdown eth0 && ifup eth0.
Changing Default Timezone (optional)
The default timezone is set to US (Pacific - Los Angeles). If you reside at another timezone and you would like to change this setting, run the following command (you will be asked what timezone you would like to set): dpkg-reconfigure tzdataThe system will show the new local time after this setting is configured.
Disabling the Lock Out aka (bootstrap) account (optional)
In the setup wizard, you were prompted to create an initial username and password that allowed you to login to the Admin Web UI. This username and password combination will always be active disregarding its status in the "User Permissions"area. This might be undesirable if your server is facing the Internet since anyone who has this username and password combination will have full administrator rights to change any setting on your Access Server Admin Web UI. After you have created a secondary administrator account in the Admin Web UI, you may disable this lock out account by following the steps below:
- Enter the command: nano /usr/local/openvpn_as/etc/as.conf
- Press the Page Down key on your keyboard and scroll down with your Down arrow key until you see entries starting with boot_pam_users.
- Put a # sign before the entry correlating to the bootstrap username you have created previously. Usually this is the boot_pam_users.0= entry. DO NOT put a # sign before the boot_pam_service entry. Doing so will cause unexpected behaviors in your VPN server.
- Press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor.
- Restart the VPN server by entering the following command: /etc/init.d/openvpnas restart
You may choose to reenable this feature at any time by removing the #sign from the aformentioned file and restarting Access Server.
Updating Operating System Software (recommended)
From the time we have generated the appliance and the time you have downloaded and are using the appliance, many operating system updates might have became available. To make sure your appliance operating system is up to date, execute the following command: apt-get update && apt-get upgrade
Select Operating System Platform for Downloads
Using the OpenVPN Access Server Virtual Appliance
Release with Access Server v1.2.0
The OpenVPN Access Server is available as a VMware virtual appliance for deployment on Windows. To use the virtual appliance, you must download the virtual machine and run it with VMware software (such as VMware Workstation, VMware Server, VMware Player or VMware Fusion). Note that the free VMware Player application for Windows can be downloaded from:
Upgrading the Access Server Software on an AS v1.1.* Virtual Appliance
If you installed the Virtual Appliance Release with Access Server v1.1.1, v1.1.2 or v1.1.3, you can upgrade the Access Server software to the new v1.2.0 version by issuing these commands at the Virtual Appliance shell prompt:
dpkg -i openvpn-as-1.2.0-Ubuntu8.i386.deb
The package is updated while preserving the configuration (including license information and all keys/certificates) from the previous Access Server installation.
Downloading and Running the Virtual Machine
Once VMware Player (or another VMware software distribution) has been installed, download the OpenVPN Access Server virtual appliance. The virtual appliance is distributed as a .ZIP archive file and may be obtained from.
"Download Here" link at the top of this page (Login Required. Register and create a FREE account)
After downloading the virtual appliance ZIP file, expand the ZIP file into the desired directory. On Windows, you can expand the ZIP archive by right-clicking on the file and selecting "Extract All".
To load the extracted virtual machine into your VMware software, you can either
- Locate the "OpenVPN-AS-Appliance.vmx" file in the extracted folder and double-click on this file.
- Run your VMware software, select Open, and select the "OpenVPN-AS-Appliance.vmx" file in the extracted folder.
Start the virtual machine if it does not start automatically (as with VMware Player). Next, click inside the appliance window to select it for input. (When the appliance window is selected, the mouse pointer will vanish. Press Control-ALT to return to your computer.)
Initial Setup of Access Server
The first time the virtual appliance boots, you will be queried for some information. First, you must agree to the End User License Agreement (EULA). Next, you will be asked to enter some basic settings that the OpenVPN Access Server needs to initialize itself. These settings may be safely defaulted by pressing 'Enter'.
At the end of the boot sequence, the appliance window will turn to a blue background and show the URL of the appliance management interface. Enter this URL into a browser to continue the setup. You will likely receive a browser warning about the web server SSL certificate not being recognized. You can safely ignore these warnings.
On the appliance management interface, enter the username and password for the appliance. The initial credentials are:
See the Virtual Appliance section of the FAQ for information on how to change the root password.
Once logged in, you will be directed to the "System Information" page which gives you basic control over the virtual appliance. You can reboot, shut down, or change the network settings of the appliance.
The next step is to log into the OpenVPN Access Server Admin Web UI. On the "System Information" page, click on the "AS Admin Login" link located in the upper right corner of the page. You will receive another certificate-related browser warning at this point; that warning can also be ignored. At the Access Server Admin Web UI login page, enter the same username and password you entered previously for the appliance management interface.
Once logged in to the Access Server Admin Web UI, follow the instructions in the "Welcome to the Access Server Admin UI" information box to complete configuration of the Access Server.