Deploying the Access Server appliance on VMWare ESXi
We deliver Access Server for VMware ESXi as an OVA archive file that can be deployed on ESXi.
- The Access Server ESXi appliance is based on Ubuntu 22.04 LTS.
- The appliance includes ESXi compatible guest support software.
- It is preconfigured for 2GB of RAM, 50GB disk, and 2 vCPUs.
- The appliance is delivered as an open virtual appliance (OVA).
- Requires ESXi 6.5 or newer (virtual hardware version 13).
This guide provides the steps to deploy the open virtual appliance (OVA) on an ESXi hypervisor server, and then get started with the Access Server web interface.
Note: Other virtualization solutions that support OVA may also work but we haven't tested them and can't guarantee they'll function properly.
Download the Access Server open virtual appliance (OVA)
Follow the steps below to download the Access Server ESXi OVA file that can be deployed on your ESXi server.
- Sign in to the Access Server portal on our website. If you don't have a free account, set one up.
- Click Get Access Server > VMware ESXi.
- Click the download button, Download OVA.
- Download the OVA file.
Note: The OVA already includes the open-source VM tools package to respond to shutdown/restart commands from the hypervisor.
Deployment using the VMWare ESXi web interface
Below is a series of screenshots of a typical deployment process on an ESXi server. These are based on ESXi 6.5. If you have a newer version the process may be slightly different.
Sign in to the VMWare ESXi web interface.
Right-click Host and select Create/Register VM.
Click Deploy a virtual machine from an OVF or OVA file and click Next.
Enter a friendly name for the VM then select the OVA file and click Next.
Select the datastore to deploy the appliance on and click Next.
Select the VM network to connect the appliance and click Next.
Confirm settings and click Finish to start deployment.
Wait for the deployment task to complete.
After finishing the task, look up the VM and open the virtual console.
Configure your Access Server
The next step is signing into the appliance console and configuring Access Server.
- You can access the console directly from ESXi web interface, or you can connect via SSH and use these credentials:
- Username: root
- Password: openvpnas
- Walk through the setup wizard until your Access Server's web interface addresses and login credentials display at the end.
- Set the correct timezone for your appliance deployment with this command:
- Refer to Finishing Configuration of Access Server to finalize configuration.
Note: We recommend setting a static IP address. Refer to Set a static IP address on an Ubuntu system.
Additional security improvement steps
We recommend the following steps to improve your security and detail each step below:
- Change the password for the root user (console and SSH access for the root user is enabled by default).
- Change the password for the Admin Web UI.
- Perform software updates periodically.
Change the root user password
Ensure you change the default root password to one of your choosing.
- Connect to the appliance and sign in as the root user.
- Enter this command to change the root user password:
Change the web interface account password
Change the initial password for the Admin Web UI:
- Sign in to the Admin Web UI.
- Click User Management > User Permissions.
- Click More Settings for the administrative user.
- Enter a new password in the Local Password field.
- Click Save Settings and Update Running Server.
Update the Access Server appliance
The Access Server VHD is delivered as a starting point that you should update to get the latest security patches and Access Server release.
- Sign in to the Access Server appliance console as a root user.
- Run these commands one at a time:
apt upgrade openvpn-as
- We recommend that you reboot the appliance after installing updates to ensure they apply correctly.
Check these subsections if you need help.
Problems after adding a second network interface
We have encountered problems with using VMXNET2/3 type network interfaces so the appliance comes configured with an E1000 interface. When adding a second network interface you should make this an E1000 interface as well, to avoid unexpected reordering of network interface names.
IndexError: list index out of range
If you receive the error message, "IndexError: list index out of range," your appliance is deployed on a network without a DHCP service to assign a valid IP address. To resolve this, set a static IP address. You can then sign into the appliance again and restart the wizard.
Why doesn't my virtual machine have internet access?
There can be a couple of reasons for this. First, ensure that the virtual network switch that the VM is attached to is correctly configured and gives access to the Internet.
If an IP is assigned to your ESXi hypervisor but not to the virtual machine you may have a firewall blocking DHCP requests, or you may be on a network that does not do DHCP. In that case, setting a static IP on the appliance may solve this problem.
In some networks, you may need to allow the ESXi hypervisor host to communicate with the network with the ability to spoof MAC addresses. That is because the virtual machines need their own MAC addresses to participate in the network, but both the ESXi hypervisor host network traffic and the virtual machine traffic may be going out through the same ESXi hypervisor host’s network card.