VMware ESXi VPN Server Appliance Quick Start Guide
How to deploy an open virtual appliance (OVA) on an ESXi hypervisor server and then start using the Access Server VPN web interface.
We deliver Access Server for VMware ESXi as an OVA archive file that can be deployed on ESXi.
The Access Server ESXi appliance is based on Ubuntu 24.04 LTS.
The appliance includes ESXi-compatible guest support software.
It is preconfigured for 2GB of RAM, 50GB disk, and 2 vCPUs.
The appliance is delivered as an open virtual appliance (OVA).
Requires ESXi 6.5 or newer (virtual hardware version 13).
Tip
Refer to our system requirements to ensure your system works with Access Server.
This guide provides the steps to deploy the open virtual appliance (OVA) on an ESXi hypervisor server and then start using the Access Server web interface.
Notice
Other virtualization solutions that support OVA may also work but we haven't tested them and can't guarantee they'll function properly.
Follow the steps below to download the Access Server ESXi OVA file that can be deployed on your ESXi server.
Sign in to the Access Server portal on our website. If you don't have a free account, create one.
Click Get Access Server and click VMWare ESXi under Containers and virtual machines.
Click the download button, Download OVA.
Download the OVA file.
Note
The OVA already includes the open-source VM tools package to respond to shutdown/restart commands from the hypervisor.
Below is a series of screenshots of a typical deployment process on an ESXi server. These are based on ESXi 6.5. If you have a newer version the process may be slightly different.
Sign in to the VMware ESXi web interface:

Right-click Host and select Create/Register VM:

Click Deploy a virtual machine from an OVF or OVA file and click Next:

Enter a friendly name for the VM then select the OVA file and click Next:

Select the datastore to deploy the appliance on and click Next:

Select the VM network to connect the appliance and click Next:

Confirm settings and click Finish to start deployment:

Wait for the deployment task to complete:

After finishing the task, look up the VM and open the virtual console:

Once you've created the virtual machine, sign in to the console. You can access the appliance console directly from the ESXi web interface using these credentials:
Username: root
Password: openvpnas
Tip
Alternatively, you can connect via SSH, but keep in mind that SSH access via credentials for the root user is disabled by default on the Access Server Hyper-V appliance based on Ubuntu 24.04 LTS. If you need SSH access, see step 4 below to create a new user with sudo rights.
After signing in, you'll immediately see the Access Server version details and the Admin Web UI URL. Wait a few seconds for the login credentials for the 'openvpn' user to appear.
Example screen output after signing in to the appliance console:
OpenVPN Access Server Appliance 2.14.3 openvpn2 tty1
Web UI: https://192.0.2.84:943/admin
To login please use the "openvpn" account with "U8zqy2CzYgAt" password.
openvpn2 login:
Tip
When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts.
Open a browser and enter the Admin Web UI URL to manage your Access Server configuration.
SSH Access: If you prefer SSH to connect, you'll need to create a new user since SSH via credentials for the root user is disabled by default. Follow these steps:
Optional: You can configure SSH access by adding an SSH key to the root account or modifying the sshd_config file. For these methods, please look for online documentation.
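If you do edit sshd_config or add a root key, it is worth confirming afterwards that root still cannot sign in over SSH with a password. The check below is an added example, not part of the original guide or of Access Server; it classifies the effective settings printed by `sshd -T`, and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): classify how root can reach the
# appliance over SSH, from the effective configuration printed by `sshd -T`.
# On the appliance, as root:  sshd -T | root_ssh_exposure
# (`sshd -T` resolves Include files and defaults into "keyword value" lines.)

# Prints one of:
#   password  root can sign in over SSH with a password
#   key-only  root can sign in, but not with a password
#   disabled  root cannot sign in over SSH
#   unknown   no permitrootlogin line in the input (for example, sshd -T failed)
root_ssh_exposure() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin"        { root = val }
        key == "passwordauthentication" { pw = val }
        # Older OpenSSH releases name this keyword challengeresponseauthentication.
        key == "kbdinteractiveauthentication" ||
        key == "challengeresponseauthentication" { kbd = val }
        END {
            # prohibit-password, without-password and forced-commands-only
            # all refuse password logins for root, so they fall through.
            verdict = "key-only"
            if (root == "") verdict = "unknown"
            else if (root == "no") verdict = "disabled"
            else if (root == "yes" && (pw == "yes" || kbd == "yes")) verdict = "password"
            print verdict
        }'
}

# Constructed samples of `sshd -T` output, trimmed to the relevant keywords.
sample_default() {      # root password login refused
    printf '%s\n' 'permitrootlogin without-password' \
                  'passwordauthentication yes' \
                  'kbdinteractiveauthentication no'
}
sample_loosened() {     # sshd_config edited to "PermitRootLogin yes"
    printf '%s\n' 'permitrootlogin yes' \
                  'passwordauthentication yes' \
                  'kbdinteractiveauthentication no'
}

echo "default-like: $(sample_default | root_ssh_exposure)"
echo "loosened:     $(sample_loosened | root_ssh_exposure)"
```

A `password` verdict means the root password is reachable over the network, so change it from the default before anything else, or set PermitRootLogin back to a key-only value.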
Important
We recommend setting a static IP address. Refer to Set A Static IP Address On An Ubuntu System.
Administrative User
For the first use of the Admin Web UI, sign in with the openvpn user created during setup. The user's password is randomly generated and displays in the output at the completion of setup.
On Access Server versions older than 2.9, you must manually set the password for the openvpn user with this command:
passwd openvpn
You can now open a browser and enter your Admin Web UI address.
Invalid Certificate
Access Server's web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it's self-signed, it triggers an expected warning. We recommend adding your own SSL certificate in the Admin Web UI to resolve this.
By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.
The first time you sign into the Admin Web UI, Access Server displays the Activation page so you can easily get an activation key:
Click Get Activation Key.
This takes you to the Access Server portal.
Sign in with your openvpn.com account if needed.
Click Activation Keys.
Click Purchase A New Key.
Select the number of concurrent connections for your subscription.
For a free subscription with two connections, select the free option.
For five or more connections, select the standard option.
Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.
Return to your Admin Web UI.
Paste the subscription key in the text field.
Click Activate.
Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on the Access Server portal by clicking Access Server Information.
We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It's easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.
Refer to Hostname and follow the steps.
Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.
Access Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer to Authentication System for more information.
With your VPN server configured, your users can get connected. Choose one of the options below to connect to the server.
Option to connect | Procedure |
---|---|
Download a bundled VPN client to connect | A user follows these steps to download a pre-configured OpenVPN Connect app: |
Download a connection profile | A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect: |
Admin provides users with ways to connect | Alternatively, as an admin, you can use these ways to connect your users: |
Tip
Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configure split-tunnel traffic, their IP address remains the same for internet traffic.
We recommend the following steps to improve your security; each step is detailed below:
Change the password for the root user.
Change the password for the Admin Web UI.
Perform software updates periodically.
Ensure you change the default root password to one of your choosing.
Connect to the appliance and sign in as the root user.
Enter this command to change the root user password:
passwd
Change the initial password for the Admin Web UI:
Sign in to the Admin Web UI.
Click User Management > User Permissions.
Click More Settings for the administrative user.
Enter a new password in the Local Password field.
The virtual appliance is delivered as a starting point that you should update to get the latest security patches and Access Server release.
Sign in to the Access Server appliance console as a root user.
Run these commands one at a time:
apt update
apt upgrade
apt upgrade openvpn-as
We recommend that you reboot the appliance after installing updates to ensure they apply correctly.
Check these subsections if you need help.
We have encountered problems with using VMXNET2/3 type network interfaces so the appliance comes configured with an E1000 interface. When adding a second network interface you should make this an E1000 interface as well, to avoid unexpected reordering of network interface names.
If you receive the error message, "IndexError: list index out of range," your appliance is deployed on a network without a DHCP service to assign a valid IP address. To resolve this, set a static IP address. You can then sign into the appliance again and restart the openvpnas service with this command:
service openvpnas restart
There can be a couple of reasons for this. First, ensure that the virtual network switch that the VM is attached to is correctly configured and gives access to the Internet.
If an IP is assigned to your ESXi hypervisor but not to the virtual machine you may have a firewall blocking DHCP requests, or you may be on a network that does not do DHCP. In that case, setting a static IP on the appliance may solve this problem.
In some networks, you may need to allow the ESXi hypervisor host to communicate with the network with the ability to spoof MAC addresses. That is because the virtual machines need their own MAC addresses to participate in the network, but both the ESXi hypervisor host network traffic and the virtual machine traffic may be going out through the same ESXi hypervisor host's network card.