
Deploying the Access Server appliance on Microsoft Hyper-V


Compatibility and other notes

OpenVPN Access Server is available as a Hyper-V virtual appliance for deployment on Microsoft Hyper-V compatible machines. The appliance is based on the Ubuntu Server distribution line, so all of the required Hyper-V modules are already included. To use the virtual appliance, download the virtual machine and import it using Hyper-V Manager. We provide only the .VHD virtual hard disk image: you create a new, empty generation 1 virtual machine in Hyper-V, and at the point where you would create a virtual hard disk, you instead attach the .VHD file. You may have to update the permissions on the .VHD file we provide so that Hyper-V can read it.

Further details on our appliance:

  • Our appliance for Microsoft Hyper-V is released as a VHD virtual hard disk image that needs to be attached to a generation 1 type VM.
  • It is built on the Linux Ubuntu 18.04 LTS x64 operating system and has no GUI.
  • It has no default settings for CPU or memory, as the creation of the virtual machine is up to you. We advise 1GB of RAM.
  • When increasing the CPU count after the initial launch, remember to increase the number of TCP/UDP daemons as well: 1 TCP plus 1 UDP daemon for each vCPU. This is set on the Network Settings page in the admin UI.
  • The open source VM tools package is installed, so the appliance responds to shutdown/restart commands from the hypervisor.
  • Root login is enabled by default both over SSH and on the console. You should definitely change the root password.
  • The default root user password is openvpnas. Instructions on how to secure this are further on in this document.

If you try to run this as a generation 2 VM, it will not succeed. You must use a generation 1 VM.

Our appliance is currently based on the Ubuntu 18.04 LTS x64 Linux operating system. As newer versions of Ubuntu LTS (Long Term Support) are released, we will eventually upgrade the appliance to them.

The current version of the Access Server appliance can be downloaded from the link below; please download the file and keep it somewhere accessible:

https://openvpn.net/downloads/openvpn-as-latest-hyperv.zip

This is a standard .zip file that needs to be unpacked, preferably into the folder where your virtual machines' hard disk images are kept. You can then create a new VM and attach the enclosed VHD file as its virtual hard drive. The machine should then start normally. Do note that if you are using the Windows Server 2012 version of Hyper-V, Generation 1 VMs must be used, since its Generation 2 VMs do not support Linux machines at this time. It is normal to see a degraded status on the network adapter due to the way the underlying operating system interacts with Hyper-V. This does not signify a defect; your appliance is working as expected.

Login to the Access Server appliance console

In rare cases the OpenVPN Access Server appliance is deployed on a network where there is no DHCP server to automatically assign an IP address to the Access Server. This can be resolved by setting a static IP address manually, a step we describe a little further down on this page; please continue following the steps.

By default the appliance accepts SSH logins on the root account. To begin configuration, open the console of the virtual machine or connect through an SSH session, and log in with the following credentials.

  • User name: root
  • Password: openvpnas

Immediately upon logging in, the installation wizard of OpenVPN Access Server will start asking you questions. We recommend you use the default settings and just press enter to accept them. You can adjust them at any point later on via the web interface. When you are asked for a license key, you can simply press enter to continue the installation if you do not have a license key and just want to test the product.

If your appliance is deployed in a network where no DHCP service is running, your system will not have a valid IP address assigned. In that case the installation wizard fails with the error "IndexError: list index out of range". To resolve this, set a static IP address on your appliance's network interface as described in the section below, and then simply log on to the appliance again to restart the wizard. We recommend that you set a static IP address anyway, as this prevents surprises if the IP address changes at some point in the future because DHCP assigns addresses dynamically.

Setting a static IP address on the appliance

Since Ubuntu 18, netplan is the standard program for setting the network IP address. In the past this was done with ifupdown, which used a configuration file called /etc/network/interfaces; that still applies to Ubuntu 16 and older platforms, but as mentioned, the current appliance uses netplan.
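The page does not show the netplan file itself, so here is an added helper (not from the OpenVPN documentation) that renders a static-IP netplan configuration for the appliance. The interface name eth0, the gateway 192.168.70.1 and the DNS servers are assumptions; 192.168.70.222 is the example address used elsewhere on this page.

```shell
#!/bin/sh
# Added example: render a netplan v2 static-IP configuration for one interface.
# Usage: render_netplan IFACE ADDR/PREFIX GATEWAY DNS1[,DNS2]
# Interface name, gateway and DNS values are assumptions, not appliance defaults.

render_netplan() {
    iface=$1; addr=$2; gw=$3; dns=$4
    case "$addr" in
        */*) ;;   # address must carry a prefix length, e.g. 192.168.70.222/24
        *) echo "address needs a /prefix length: $addr" >&2; return 1 ;;
    esac
    # gateway4 is the form understood by the netplan shipped with Ubuntu 18.04
    cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    $iface:
      dhcp4: no
      addresses: [$addr]
      gateway4: $gw
      nameservers:
        addresses: [$dns]
EOF
}

# On the appliance, as root (values are assumptions; adjust to your network):
#   render_netplan eth0 192.168.70.222/24 192.168.70.1 1.1.1.1,9.9.9.9 \
#       > /etc/netplan/99-static.yaml
#   netplan apply
# The 99- prefix makes this file sort after any DHCP configuration already in
# /etc/netplan, so its dhcp4: no setting wins for that interface.
```

After `netplan apply`, log on again so the installation wizard restarts with the new address.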

Set a new password for the root account

As mentioned earlier, the default root password is openvpnas. That is not very secure and must be changed. To do so, simply type the command below once you are logged in, and you can then provide a new password. Please take care to remember this new password, as it may be somewhat difficult to reset if you lose it.

Change root user password:

passwd

Set a password for the OpenVPN administrative user

The installation process will tell you where to find the client web service, which is the web based GUI that users log on to in order to connect to the Access Server, and where to find the admin web service, which is where you log on as an administrative user and manage the configuration, certificates, users, etcetera, in the web based GUI. Usually the client UI is at the address of your server, for example https://192.168.70.222/. The admin UI is usually at the /admin/ address, for example https://192.168.70.222/admin/. Please note that the web services by default actually run on TCP port 943, so you can also visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that users do not need to specify :943 in the URL, which makes the web interface slightly easier to open.

Initially a single administrative user, openvpn, is added to the system. It has no password set and therefore cannot be used yet. To use it, a password must be set first:

passwd openvpn

You can now point your web browser at the admin UI web interface. Because the Access Server initially comes with a self-signed SSL certificate, you will receive a warning in the browser such as "Invalid certificate" or "Cannot verify identity of the server". You will have to confirm that you wish to continue to the web interface. You will then see the login screen, where you can enter the username openvpn and the password you have just set with the "passwd openvpn" command.

Further documentation is available elsewhere on our website to configure specific functions and configuration options for the OpenVPN Access Server.

Update the OpenVPN Access Server to the latest version

We do not do a complete rebuild of our appliance image whenever a release of OpenVPN Access Server is made. This means that when you deploy the appliance, it may contain a slightly older version than what is currently available. We therefore recommend that, after deploying the appliance, you perform an in-place upgrade to bring it up to the latest released version of Access Server, if the version available on our website is newer than the one the appliance shows you. To do so, open the Access Server installation package files for Ubuntu page, right-click the download link for the Ubuntu 18 x64 OS and select "Copy Link Address" or "Copy target" or similar; the exact wording depends on the browser used. The goal is to have the link to the installation package in your copy/paste buffer. Next, go to the command line of the appliance whose OpenVPN Access Server program you want to upgrade and use wget to download the installation package file directly to the server. These steps assume you are logged on to the OpenVPN Access Server command line through an SSH session and have root access.

Type wget followed by the pasted URL:

wget <paste copied url>

For example for Ubuntu 18 x64 installation package, latest version:

wget https://openvpn.net/downloads/openvpn-as-latest-ubuntu18.amd_64.deb

Optional step for advanced users: in some cases the certificates on your system may be outdated and the SSL certificate check fails. You can either update/install your certificate store bundle, or you can override the check by adding --no-check-certificate after the wget command. You can afterwards still validate the file with a sha256sum checksum and compare it with the Access Server installation package sha256sum hash table on our website. Use the command "sha256sum filenamehere.deb" to generate the hash, and compare it to what is listed on the site. If they match, you can be certain that you have the right file and that it downloaded correctly.

Now that the installation package file is downloaded to your system you can install it with the following command:

Install downloaded package on Debian/Ubuntu system:

dpkg -i openvpn-as-latest-ubuntu18.amd_64.deb

The upgrade process usually takes only a few seconds to complete. Your system is then up to date.
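The download, checksum and install steps above, combined into one script. This is an added example, not a script from the OpenVPN documentation; the expected SHA-256 is a placeholder to be replaced with the value from the hash table on the OpenVPN website, and the script refuses to install when the hash does not match.

```shell
#!/bin/sh
# Added example: fetch the Access Server package, verify its SHA-256 against the
# value published on the OpenVPN downloads page, and install only on a match.
# The package URL is the one given on this page; EXPECTED_SHA256 is a placeholder.

PKG_URL=https://openvpn.net/downloads/openvpn-as-latest-ubuntu18.amd_64.deb
EXPECTED_SHA256="<paste the sha256 from the OpenVPN hash table here>"

# verify_sha256 FILE EXPECTED -> exit status 0 on match, 1 otherwise.
# The expected hash is lower-cased so a copy from the website in either case works.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_verify_install URL EXPECTED: download with wget, check the hash, then
# dpkg -i (requires root). TLS verification stays on; if you ever have to add
# --no-check-certificate, this hash check is what still tells you the file is genuine.
fetch_verify_install() {
    url=$1; expected=$2
    file=${url##*/}                      # local file name, e.g. openvpn-as-latest-ubuntu18.amd_64.deb
    wget -O "$file" "$url" || return 1
    if verify_sha256 "$file" "$expected"; then
        dpkg -i "$file"
    else
        echo "sha256 mismatch for $file, refusing to install" >&2
        rm -f "$file"
        return 1
    fi
}

# Run on the appliance as root once EXPECTED_SHA256 has been filled in:
#   fetch_verify_install "$PKG_URL" "$EXPECTED_SHA256"
```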

Update the appliance operating system

Between the time we generated the appliance and the time you downloaded and deployed it, a number of updates for the appliance's operating system may have been released. To ensure that your operating system is up to date, the built-in package manager can be used to retrieve and install the updates. On the Ubuntu operating system we use in our appliances, run the following commands while logged on to the Access Server as the root user:

apt-get update
apt-get upgrade

Change the timezone configuration and install NTP

The appliance is by default set to the US (Pacific – Los Angeles) timezone. Since it is likely that you are not in this timezone, you should update the timezone setting to the correct one. This is especially vital when you plan on using the Google Authenticator multi-factor authentication system, which relies on time-based one time passwords, so the correct time on the server is essential. Additionally, we recommend you install the NTP (Network Time Protocol) client program so that the appliance automatically retrieves the correct time and date from the Internet and keeps its clock in sync. The commands below, run as the root user, will do this.

To set the timezone:

dpkg-reconfigure tzdata

To install the NTP client:

apt-get install ntp
