Oracle Quick Start Guide
Version 1.0, December 2019
1 : Considerations prior to Installation
Access Server is an Internet-facing application because incoming VPN connections will be originated on the internet. Therefore, it should be using a public subnet (see, https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/overview.htm#Public).
Two important considerations given that Access Server needs access to the Internet are:
1. Public IP address – We recommend the use of a Reserved Public IP address instead of an ephemeral one because the IP address or the hostname of the Access Server gets configured in the connection profiles needed by VPN clients to establish VPN to the Access Server. Having a reserved public IP address assigned means that the DNS entry for the hostname or the IP address of Access Server persists even if the specific instance is terminated and the IP address is associated with a new instance. See, https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingpublicIPs.htm
2. Firewalls – In OCI, Security List act as a firewall at the subnet-level whereas Network Security Groups act as a firewall for a specific instance. Whether you rely on one or both levels of access security. Additional security lists or network security groups need to be added to allow incoming access to the Access Server from the internet. See, Appendix A
2 : Post-install checks
AS hostname: The configured hostname or IP address is used to inform the VPN clients of the identity of the Access Server needs to set up a VPN with. By default, this is configured to the private IP address of the instance the Access Server is running on. This needs to be changed by logging into the Admin web portal. VPN clients will be unable to connect to the Access Server if this is not changed to the public IP address of the Access Server or a hostname that resolves to the public IP address of the Access Server.
DNS Servers for client use: The IP address of the DNS servers sent to VPN clients needs to be configured if the internet traffic from those clients need to be routed through the VPN.
Without these settings properly configured, the VPN will not function correctly.
3 : Configure Networking during Instance Creation
Enable ‘Assign a public IP address’ if you do not want to use a Reserved public IP address.
Select ‘Do not assign a public IP address’ if you want to use a Reserved public IP address. Also, select the Access Server-specific NSG if one has been created.
4 : After Instance is created
Note the ephemeral public IP address assigned (in this case, 220.127.116.11) or take the steps needed to assign the VNIC the reserved public IP address. See, appendix C.
Check that the NSG associated with the VNIC and Security List associated with the VCN subnet have all the needed ingress ports open. See Appendix A.
5 : SSH into Instance
Use openvpnas as the user account and ssh to the public IP address of the instance.
The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance. If you would like to run this wizard again in the future, issue the sudo ovpn-init command in the terminal.
Read through the EULA, and enter yes to indicate your agreement.
> Will this be the primary Access Server node?
Explanation: If this is your initial Access Server node, press Enter to accept the default setting. Otherwise, if you are setting up your failover node, change this to say no.
> Please specify the network interface and IP address to be used by the Admin Web UI:
Explanation: This will be the interface where OpenVPN Access Server will listen to Admin Web UI requests. Make sure you have access to the interface listed otherwise you will be unable to login to your server. If you are uncertain on what interface to use, select option 1 for all interfaces. Do note that if your network did not assign your appliance a DHCP lease or if you are planning to use a static IP for your server, you will need to specify all interfaces here and follow the instructions for assigning a Static IP in the later section of this article. This option may be changed any time after the completion of the wizard in the Web Admin UI.
> Please specify the port number for the Admin Web UI.
Explanation: This is the port you will use to access the web-based administration area. It is usually safe to leave this at the default port unless customization is desired.
> Please specify the TCP port number for the OpenVPN Daemon
Explanation: This is the port clients will use to connect to your VPN server. This port will have to be forwarded to the Internet if your server is behind a NAT-based router. By default, the web-based administration area also runs on this port for your convenience, although this setting can be disabled in the Admin Web UI interface.
> Should client traffic be routed by default through the VPN?
Explanation: If you only have a small network you would like your remote users to connect to over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option. Provide answers to the prompts.
> Should client DNS traffic be routed by default through the VPN?
Explanation: If you would like your VPN clients to be able to resolve local domain names using an on-site DNS server, select yes for this option. Otherwise, select no. Do note that if you selected yes for the previous option, all traffic will be routed over the VPN regardless of what you set for this option here.
> Use local authentication via internal DB?
Explanation: If you would like OpenVPN Access Server to keep an internal authentication database for authenticating your users, select yes for this option. When this option is turned on, you will be able to define and/or change username and passwords within the Admin Web UI. If you select no for this option, Linux PAM authentication will be used and you will need to add/change/delete users within the Linux operating system itself. If you would like to use LDAP or RADIUS as your authentication method, you will need to change this after you login to the Web Admin UI.
> Should private subnets be accessible to clients by default?
Explanation: This option defines the default security setting of your OpenVPN Access Server. When Should client traffic be routed by default through the VPN? is set to no, it defines the list of subnets that your VPN clients are able to access. You are able to add more entries to this list once you login to the Admin Web UI area. This option will have no effect if Should client traffic be routed by default through the VPN? is set to yes.
> Do you wish to log in to the Admin UI as “openvpn”?
Explanation: This defines the initial username in which you would use to login to the Access Server Admin UI area. This username will also serve as your “lockout” administrator username shall you ever lock yourself out of your own server. If you would like to specify your own username, select no. Otherwise, accept yes for the default.
> Specify the username for an existing user or for the new user account:
Explanation: Enter the initial username you would like to use instead of the default ‘openvpn‘.
> Type the password for the ‘user’ account:
> Confirm the password for the ‘user’ account:
Explanation: Specify the password you would like to use for the account.
> Please specify your OpenVPN-AS license key (or leave blank to specify later):
Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here. Otherwise, leave it blank. OpenVPN Access Server includes two free licenses for testing purposes.
After you complete the setup wizard, you can access the Admin Web UI area to configure other aspects of your VPN. Please note that as Amazon does not reveal the elastic/external IP inside the machine, the links displayed within the setup wizard will not work in accessing the web interfaces. For this reason, you will need to replace the internal IP address with the external IP that Amazon has given you. As mentioned previously, you will be able to access the Admin Web UI on both the VPN port and the Admin port unless you disable this behavior in the Admin Web UI.
Note: If you selected yes to the Do you wish to log in to the Admin UI as “openvpn”? option in the setup wizard, you will need to define the password for this account by running:
sudo passwd openvpn
and press Enter.
5.1 : Wait for the initial configuration to complete
5.2 : Set password for OpenVPN Access Server Administrator
Set the password for the Access Server administrator’s account that has default username of openvpn using sudo passwd openvpn
5.3 : Changing default timezone
The default timezone is set to US (Pacific – Los Angeles). If you reside at another timezone and you would like to change this setting, run the following command (you will be asked what timezone you would like to set):
sudo dpkg-reconfigure tzdata
The system will show the new local time after this setting is configured.
5.3.1 : Install NTP client for automatic time synchronization
6 : Connect to the Access Server Admin portal
Enter https://publicipaddress/admin. Where publicipaddress is the public IP address assigned to the Instance created earlier (in this case, 18.104.22.168). Access Server portal uses a self-signed certificate which will cause the browser to show a security warning. Accept the risk and continue.
6.1 : Login to the Administration Portal
Use the password set by you previously.
6.2 : See the Status on login
The internal IP address is being used as Server name. This needs to be changed using Network Settings under Configuration.
6.3 : Change server name
Change server name to the public IP address of the Instance. You may either use an IP address or a hostname here, although it is strongly recommended that you use a hostname since your clients will depend on this setting to be able to know where to connect to, and updating a DNS record is much easier than reinstalling all clients to update the IP address they need to connect to. Also, SSL certificates require a proper FQDN hostname in order to function properly.
Note: If you leave this setting as the default, NONE of your clients will be able to connect to your VPN server since by default it is set to a non-routable (private) IP address!
6.4 : Check VPN Settings & Configure DNS Servers
The setting to have clients use specific DNS servers needs to be turned ON. You can then configure primary and secondary DNS server IP addresses of your choice.
7 : Additional Security Recommendations
8 : Appendix A: Ingress Application Traffic and Firewall Configuration
8.1 : Adding Rules to Security List of VCN
8.1.1 : Once in the VCN section, click on the ‘Security Lists’ in the sidebar
8.1.2 : Select the Security List
Here modification to the default Security List is shown. But, a new security list can be added.
8.1.3 : Add Ingress Rules
8.1.4 : Add TCP Ingress Rules
Port 943 is used to access to the Access Server Admin and Client portals. Port 443 is used for OpenVPN VPN tunnel.
8.1.5 : Add UDP Ingress Rules
Port 1194 is used for OpenVPN VPN tunnel.
8.1.6 : Completed Ingress Rules
8.2 : Adding Rules to Network Security Group
This section shows the minimum ingress rules needed. If needed, add ICMP.
8.2.1 : Select NSG section of the VCN
8.2.2 : Create a new NSG
8.2.3 : Provide NSG Name and Compartment
8.2.4 : Create ingress rule for needed TCP ports
8.2.5 : Add another rule for UDP port
8.2.6 : Select NSG while creating instance
9 : Appendix B: Considerations for Site-to-Site Networking
9.1 : Disable source/dest checking
If your VPN setup consists of a site-to-site setup between your cloud instances and your machines on-premises, you will need to disable source destination check protection on OCI, otherwise routing will not function properly. This setting must also be used if for example you want traffic from your VCN to go directly to the VPN IP addresses of your VPN clients in the VPN client subnet or this security feature will block the traffic.
9.1.1 : Select Attached VNICs from Resources shown when viewing Instance Details
9.1.2 : Expand the options to find Edit VNIC
9.1.3 : Check the ‘Skip Source/Destination Check’
9.2 : Setup static routes
By default, the OpenVPN Access Server gives VPN clients access to your VNC by using the NAT method (Network Address Translation). Using this method, traffic originating from the VPN clients will appear to be coming from the local IP address of the Access Server. For that reason, routing is not necessary and is much easier to implement. However, one drawback of using such a method is that traffic from the VNC itself cannot directly access a VPN client as the NAT engine prevents such direct contact. In order to allow a VPN client to be directly addressable via the VNC, you will need to configure the Access Server to use the routing method instead of NAT. Once that is done, the source IP address of packets coming from the VPN clients is kept intact, and direct access from the VNC network to the VPN client subnet is then possible. However, because the VNC does not automatically recognize the VPN subnet within the VPN instance, it does not know how to send the return traffic back to the instance. To correct this problem, you will need to add a static route in the routing table for your VNC so that the return traffic flows properly. To learn how to do this see this document on OCI routing: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingroutetables.htm
10 : Appendix C: Use of Reserved Public IP address
10.1 : Add Reserved IP address in the compartment
10.2 : Create a reserved public IP
10.3 : Select VNIC of the instance
10.4 : Go to VNIC details
10.5 : Select IP Address Resource
10.6 : Edit IP address resource
10.7 : Assign reserved public IP address