Deploying the Access Server appliance on VMWare ESXi
Compatibility and other notes
Our appliance for VMWare ESXi is meant for ESXi 5.0 or newer. VMWare Workstation, Fusion and even Player may also be compatible with the OVA file. We have heard reports of users doing this, but we do not test for this ourselves. The image we create and offer on our website is meant for the VMWare ESXi product and that is what we test it on. It may be compatible with other products and virtualization solutions, but that is not what we have intended or tested it for. The VMWare Converter tool may also be able to help in converting the appliance from one system to another if you wish to use one of VMWare's other virtualization platforms. However, we cannot provide support on this. We only support VMWare ESXi 5.0 and higher with our OVA appliance file.
Download the latest version of the Access Server appliance from the Access Server portal:
- After signing in, click Get Access Server.
- Click VMWare ESXi under As a Virtual Appliance.
Further details on our appliance:
- Our appliance for VMWare ESXi is released as an OVA file with virtual hardware revision 8 (vmx-08).
- It is built on the Linux Ubuntu 18.04 LTS x64 operating system and has no GUI.
- By default it is assigned 1 vCPU and 1GB of memory and has a swapfile of 512MB. Adjust as needed.
- When increasing the CPU count, remember to increase the number of TCP/UDP daemons as well: 1 TCP plus 1 UDP daemon for each vCPU. This is set on the Network Settings page in the admin UI.
- The open source VM tools package is installed so it will respond to shutdown/restart commands from the hypervisor.
- SSH login as root user is enabled by default, as well as on the console. You should definitely change this password.
- Default root user password is openvpnas. Instructions on how to secure this are further on in this document.
If you have an ESXi version older than version 5.0, then this appliance is not suitable for your ESXi system. In such a case you are not able to use our appliance. You do have the option of upgrading your ESXi installation to make it compatible or you can choose to instead set up a new virtual machine yourself, and install a compatible Linux OS in it, and then follow the steps to do an installation of Access Server on Linux OS to get your Access Server setup and working on your older ESXi server.
If you decide to build your own instance and install OpenVPN Access Server on a Linux OS that you have installed yourself then you may also want to install the VMWare Tools or the open source equivalent so that shut down and restart commands can be issued to the virtual machine through the hypervisor properly. Our appliance already comes with the tools installed that are compatible with ESXi and will listen to ESXi's shut down and restart commands.
Our appliance is currently based on Ubuntu 18.04 LTS x64 Linux operating system. As time progresses and newer versions of Ubuntu LTS (Long Term Support) are released we will upgrade eventually.
Deployment using the VMWare ESXi web interface
As preparation for deployment you should download the OVA file from our website and save it to your computer. Download the latest appliance in the Access Server portal.
Whereas the vSphere Client can deploy straight from a website URL, the ESXi web interface appears not to have that functionality, so you need to have the OVA file saved to your hard drive before deploying it through ESXi's web interface.
Note: if in the import process on ESXi 6.7 you get an error like "unhandled exception" and with error text "TypeError: Cannot read property 'keyValue' of undefined", then you have run into a bug in the VMWare ESXi 6.7 interface. We suggest you check VMWare forums and documentation to try to find a solution, or to use another tool to import our image, like ovftool.
Log on to the VMWare ESXi web interface.
Right click on Host and select Create/Register VM.
Select the Deploy a virtual machine from an OVF or OVA file option and click Next.
Enter a friendly name for the VM and select the AS2.ova file and click Next.
Select the datastore to deploy the appliance on, and click Next.
Select the VM network to connect the appliance to, and select thin or thick provisioning, and click Next.
Confirm settings and click Finish to start deployment.
Wait for deployment task to finish.
After finishing the task, look up the VM and open the virtual console.
Deployment using the VMWare vSphere Client
Log on to your ESXi server with VMWare vSphere client
In the File menu select Deploy OVF Template...
Enter the URL: https://openvpn.net/downloads/openvpn-as-latest-vmware.ova and click next.
An overview of the chosen appliance is shown. Click next.
Choose a friendly name for the appliance and click next.
Choose the resource pool, if any, and click next.
Choose the datastore to deploy on and click next.
Choose thick or thin provisioning method and click next.
Choose VM network to attach the appliance's network interface to and click next.
Check the Power on after deployment checkbox and click finish.
Now wait for deployment window to finish and close it when it's done.
Look up the virtual machine in the inventory and open the virtual console.
Login to the Access Server appliance console
In rare cases the OpenVPN Access Server appliance is deployed on a network where there is no DHCP server to automatically assign the Access Server an IP address. This is a problem that can be resolved by setting a static IP address manually. This is a step we describe a little further down on this page - please continue following the steps.
By default the appliance accepts SSH logins on the root account. To begin configuration you need to open the console of the virtual machine or log in through an SSH session, and log in with the following credentials.
- User name: root
- Password: openvpnas
Immediately upon logging in, the installation wizard of OpenVPN Access Server will start asking you questions. We recommend you use the default settings and just press enter to accept them. You can adjust them at any point later on via the web interface. When you are asked for a license key you can simply press enter to continue installation if you do not have a license key and just want to test the product.
If your appliance is deployed in a network where there is no DHCP service running, your system will not have a valid IP address assigned. In such a case the installation wizard will fail with error IndexError: list index out of range. To resolve this you should set a static IP address on your appliance's network interface as described in the section below, and then simply log on to the appliance again to restart the wizard. We recommend that you set a static IP address anyway, as this will prevent any surprises if at some point in the future the IP address changes because of the nature of DHCP, where addresses are assigned dynamically.
Setting a static IP address on the appliance
Since Ubuntu 18 the program netplan is now the commonly used program to set the network IP address. In the past this was set with ifupdown which used a configuration file called /etc/network/interfaces, which still applies to Ubuntu 16 and older platforms, but as mentioned, we now use netplan.
- Instructions on how to set a static IP address on Ubuntu 16 or older
- Instructions on how to set a static IP address on Ubuntu 18 or newer
Adding a secondary network interface
On our VMWare ESXi appliance we have encountered problems with the paravirtual network driver for the VMXNET2 and VMXNET3 type network adapters. We therefore use the E1000 adapter type which works well. When you add a secondary network interface, to for example connect a (new) private network, then you should also make this of the E1000 adapter type. If you use the VMXNET2/3 type adapter, then the network interfaces will be reordered, causing configuration that previously applied to your primary adapter to apply to your secondary adapter, which could be confusing and also cause some problems with connectivity. So the recommendation is that when you use our VMWare ESXi appliance, and you want to add a secondary network adapter, then the E1000 adapter is the best type to add to avoid issues.
Set a new password for the root account
As mentioned earlier, the default root password is openvpnas. That is not very secure and must be changed. To do so, simply type this command once you are logged in, and you can then provide a new password. Please take care to remember this new password as it may be somewhat difficult to reset it if you lose it.
Change root user password:
Set a password for the OpenVPN administrative user
The installation process will tell you where to find the client web service, which is the web based GUI that you can use to log on and connect to the Access Server, and where to find the admin web service, which is where you can log on as an administrative user and manage the configuration, certificates, users, etcetera, in the web based GUI. Usually the client UI is at the address of your server, for example https://192.168.70.222/. The admin UI is usually at the /admin/ address, for example https://192.168.70.222/admin/. Please note that the web services by default actually run on port TCP 943, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests to the web services, so users don't need to specify :943 in the URL to open the web interface.
Initially a single administrative user is added to the system. But it has no password set and therefore cannot be used yet. To use it a password must be set first:
passwd openvpn
You can now point your web browser at the admin UI web interface. Because the Access Server comes with a self-signed SSL certificate to begin with, you will receive a warning in the browser like "Invalid certificate" or "Cannot verify identity of the server". You will have to confirm that you wish to continue to the web interface. You will then see the login screen, where you can enter the username openvpn and the password you have just set with the "passwd openvpn" command.
Further documentation is available elsewhere on our website to configure specific functions and configuration options for the OpenVPN Access Server.
Update the OpenVPN Access Server to the latest version
We do not do a complete rebuild of our appliance image whenever a release of OpenVPN Access Server is made. This means that when you deploy the appliance it may have a slightly older version than what is available. We therefore recommend that after deploying the appliance you additionally perform an in-place upgrade to bring it up to date with the latest released version of Access Server, if the version available on our website is newer than the version the appliance reports. To do this, run these commands:
Mark the package openvpn-as for update:
apt-mark unhold openvpn-as
Then run the update process:
apt update
apt upgrade
And if you like you can lock the package so it stays on this version now:
apt-mark hold openvpn-as
The upgrade process usually takes only a minute or so to complete. Your system is then up-to-date and has the latest Access Server version.
Update the appliance operating system
Between the time we generated the appliance and the time you downloaded and deployed the OVA appliance file, a number of updates for the appliance's operating system may have been released. To ensure that your operating system is up to date, the built-in package manager program can be used to retrieve the updates and install them. To do so on the Ubuntu operating system we use in our appliances, run these commands when logged on to the Access Server as the root user:
apt update
apt upgrade
Change the timezone configuration and install NTP
The appliance is by default set to US (Pacific – Los Angeles). Since it's likely that you are not in this timezone, you should update the timezone setting to the correct timezone. This is especially vital when you plan on using the Google Authenticator multi-factor authentication system, which relies on a time-based one-time password system. The correct time on the server is therefore vital. By default our appliance already has a time synchronization program installed that keeps the time up to date automatically. But it does help to know the correct timezone.
To set the timezone: