Digital Ocean Quick Start Guide

Getting started with DigitalOcean and OpenVPN Access Server

DigitalOcean is a cloud infrastructure provider with worldwide data centers. Their services are easy to deploy and scale. OpenVPN Access Server is available as a DigitalOcean Marketplace image, so you can have a VPN up and running within minutes.

Working with DigitalOcean, you’ll use their Droplets, which are Linux-based virtual machines running on virtualized hardware. When you create a Droplet, you have a new server for your use. By using the OpenVPN Access Server Droplet from their Marketplace, you’ll be up and running with a VPN hosted in the cloud, with the following benefits:

  • Quickly extend your DigitalOcean private networking to remote users and other sites
  • Create hub-and-spoke network topology, site-to-site, user-to-cloud, and various other secure VPN connections
  • Provide secure, remote access to applications deployed on Droplets

Read on for your guide to get started with your VPN server on the web.

Creating a Droplet

To get started, visit the DigitalOcean Marketplace to find the OpenVPN Access Server VPN.

Click on Create OpenVPN Access Server Droplet to begin the set up with DigitalOcean.

Choose your preferred DigitalOcean plan and settings for your Droplet. We recommend that you choose SSH keys under Authentication. It is more secure than a one-time password. This guide assumes you’ll use an SSH key. Here’s a little bit of information about the specific choices with DigitalOcean. More details can be found on their site.

Plan

There are three options to choose from, with different price models within each:

1. Standard – provides the most flexibility and is great for website hosting, staging environments, and low-intensity compute requirements
2. General Purpose Performance Droplets – best for mainstream production workloads that have predictable compute needs with a higher ratio of memory to CPU
3. CPU Optimized Performance Droplets – these support CPU-intensive tasks and projects that need more RAM or I/O, such as batch processing large data sets or video encoding

If you’re starting out with Access Server, you may want to consider choosing Standard. Then, if you notice that the performance of data travelling through the VPN tunnel is too slow, consider choosing a CPU-optimized Droplet. Decrypting and encrypting data is very CPU intensive.

Block Storage

With this, you can include additional storage for your Droplet. Think of it as locally attached storage drives: you can partition, format, and manage volumes using familiar tools. It gives you added storage space when you don’t need the higher processing power or extra memory of a larger Droplet.

Access Server itself needs very little storage, mainly for logs. Even 25 GB is more than enough.

Datacenter Region

DigitalOcean will grey out any regions that are not available to your chosen Droplet plan. Some are disabled due to limited capacity if you don’t already have resources in that region. DigitalOcean attempts to select the best option for you, but you can select a specific one.

Additional Options

Private networking: Adds another network interface for Droplets that is unreachable from the internet, keeping traffic between Droplets internalized within the datacenter.

IPv6: The most recent IP protocol version is not compatible with OpenVPN Access Server. Reference: Limited IPv6 support built into the Access Server

User data: Use Cloud-init to configure your Droplet. Not necessary for your Access Server Droplet.

Monitoring: Provides graphs and alert policies for metrics and usage through an agent created by DigitalOcean.

Authentication (IMPORTANT STEP)

SSH keys: We recommend you choose this more secure authentication method. If you need help generating an SSH key, you can find tips on DigitalOcean’s site when you click on New SSH key.

After completing your choices, click on Create Droplet.

As DigitalOcean creates your Droplet, it displays the status.

Connecting to your new Droplet with PuTTY SSH Client

You’ll now set up Access Server on your new Droplet by logging in over SSH. In this section we cover the most common case, Windows users, using the PuTTY SSH client. DigitalOcean also provides steps you can reference: How to Connect to Droplets with SSH.

  1. Download the PuTTY and PuTTYgen tools from the page linked.
  2. Launch the PuTTYgen tool.
  3. Click on Conversions > Import key.
  4. Select the key file you used for your Droplet and click Open.
  5. After PuTTYgen has successfully loaded your key file, click Save private key.
  6. Close the PuTTYgen tool.
  7. Open the PuTTY client.
  8. In the Host Name (or IP address) field, enter the IP address of your Droplet. This can be found on your DigitalOcean Droplet’s landing page in the ipv4 field. You do not need to change the default port, 22.
  9. On the left navigation panel, navigate to Connection > SSH > Auth.
  10. Under the field Private key file for authentication:, click Browse… and select the private key file generated with PuTTYgen previously.
  11. Click Open and you will connect to your Droplet or server. NOTE: To simplify this process in the future, you may want to save these settings as a profile. From the Session category, select or enter a name under the Saved Sessions box and click Save. You will then be able to easily reload your settings by double-clicking that profile or selecting it and clicking Load.
  12. You will receive a warning that PuTTY has not seen this server before (its host key is not yet cached). Simply click Yes.
  13. When prompted to log in, do so as the root user.
  14. If the private key you specified was correct, you should now be logged in and the OpenVPN Access Server Setup Wizard should start. You can now begin configuring your server. If your SSH key has a passphrase, you will be prompted to enter it before the wizard starts.

Running the OpenVPN Access Server Setup Wizard

The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance.

The following information pertains to the setup choices you will make after reading through the End User License Agreement.

Will this be the primary Access Server node?

Hit Enter to accept the default setting. Any Access Server on DigitalOcean needs to be set up as a primary node; the UCARP/VRRP failover model does not work there. Cluster nodes can be set up and added, but they must first be set up as primary nodes and later configured in the Admin UI to join a cluster.

Please specify the network interface and IP address to be used by the Admin Web UI

This is the interface on which OpenVPN Access Server will listen for Admin Web UI requests. For all DigitalOcean setups, you must select option 1 here.

Please specify the port number for the Admin Web UI

This is the port you will use to access the web-based administration area. It typically works well to leave this at the default port unless you need customization.

Please specify the TCP port number for the OpenVPN Daemon

This is the port the Access Server will listen on for incoming OpenVPN client TCP connections. The web interface also listens on this port. We recommend leaving this at the default, TCP 443, the standard HTTPS port.

Access Server also has a UDP port for incoming connections. For technical reasons related to the TCP Meltdown phenomenon, the OpenVPN client prefers the UDP port. The TCP port is used as a fallback in case UDP connectivity fails.

Should client traffic be routed by default through the VPN?

If you use the OpenVPN Access Server only to access resources on a private DigitalOcean network, set this to no. If you wish to redirect the VPN client’s Internet-related traffic through your VPN server, set it to yes.

Should client DNS traffic be routed by default through the VPN?

If you would like your VPN clients to resolve local domain names through the DNS server used by your Droplet, select yes for this option. Also select yes if you will use a custom DNS server.

Use local authentication via internal DB?

Select yes to use local authentication. It is the simplest and best option, as well as the default. With it, you will use the Admin Web UI to manage your user accounts for Access Server.

In this same Admin Web UI, you can change the authentication method to PAM, LDAP, or RADIUS at any time.

If you select no, Linux PAM authentication is used and you will need to add, change, and delete users within the Linux operating system itself.

If you plan on using LDAP or RADIUS, choose yes and configure these settings after you log in to the Admin Web UI.

Should private subnets be accessible to clients by default?

The Access Server can try to detect which private network it is connected to and make it available to VPN clients by default. In the Admin Web UI, you can change this and add or remove private network subnets from the VPN Settings page. The option there is called “Should VPN clients have access to private subnets?” and you can specify any subnets that all VPN clients should be able to access.

Do you wish to login to the Admin UI as “openvpn”?

This defines the initial username for the admin account used to log in to the Access Server Admin Web UI. It will also serve as your lockout administrator username should you ever lock yourself out of your own server. If you’d like to specify your own username, select no. Otherwise, accept yes as the default.

If you choose no, you will be prompted to enter a new username as well as type and confirm the password.

Please specify your OpenVPN-AS license key (or leave blank to specify later)

If you are testing out the product, we recommend you leave this blank. The Access Server allows two connections for free by default. A fixed license key can be activated at any time.

If you are an experienced user of Access Server, you can activate your fixed license key immediately on this Access Server without running any prior tests. Enter the activation key here.

After completing your configuration selections, your final step before going to the Admin Web UI is to define the password for your “openvpn” user. Please note that if you specified a custom Admin UI username instead of the default ‘openvpn’ user account, use that username instead.

Enter sudo passwd openvpn and press Enter, then set and confirm the password.

Login to Admin Web UI

You can access your Admin Web UI from a web browser. The URL depends on your Droplet’s IP address or defined hostname (example: https://123.45.67.89:943/admin/).

  1. Upon first login, you will see an SSL certificate warning because the server uses a self-signed certificate. This is normal; proceed past it. If you’d like, here are more details about SSL certificates.
  2. Log in with the username ‘openvpn’, or the username specified during initial setup if you took that step.
  3. You can now start using your OpenVPN Access Server by adding users in the User Permissions table and configuring other settings.

Setting up a Hostname

We strongly recommend using a hostname rather than an IP address if possible, since your clients depend on this setting to know how to connect. Updating a DNS record is easier than reinstalling all clients to update the IP address if it changes for any reason.

Here are some helpful tips for setting this up. If you would like additional help, send us a support ticket and we’ll lend a hand.

  1. Register a domain name with a registrar.
  2. Add a DNS A record for your domain whose value is the public IP address of your Access Server. For example: vpn.example.com points to 123.45.67.89.
  3. Within the Access Server Admin Web UI, navigate to Configuration > Network Settings.
  4. Enter the new hostname (vpn.example.com) in the Hostname or IP Address field.
  5. Click Save Settings and Update Running Server.
  6. When you type https://vpn.example.com/ into your web browser, you will reach your Access Server.
  7. If the public IP address of your Access Server ever changes, change the DNS A record in your registrar’s DNS management to point to the new public IP address.
  8. Clients will automatically connect to the updated IP address.
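Two of the steps above can be verified from a workstation rather than taken on faith: that the certificate behind the warning on first login to the Admin Web UI is really the one your Droplet serves, and that the new A record resolves to the Droplet's public IP. The script below is an added example, not part of this guide or of Access Server; it assumes the default Admin Web UI port 943 and that you record the certificate's SHA-256 fingerprint over your existing SSH session with the openssl command shown in its docstring.

```python
"""Check the Admin Web UI certificate pin and the hostname's A record.

Assumed workflow (not from the guide): over the SSH session from the PuTTY
steps, record the SHA-256 fingerprint of the certificate Access Server serves:
  openssl s_client -connect localhost:943 </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256
Then compare it to what is seen from outside instead of just overriding
the browser's certificate warning.
"""
import hashlib
import socket
import ssl

ADMIN_UI_PORT = 943  # default Admin Web UI port chosen in the setup wizard

def admin_ui_url(host, port=ADMIN_UI_PORT):
    """Admin Web UI URL as in the guide, e.g. https://123.45.67.89:943/admin/."""
    return f"https://{host}:{port}/admin/"

def normalize_fingerprint(fp):
    """Make 'AB:CD:..' (openssl form) and 'abcd..' comparable."""
    return fp.replace(":", "").replace(" ", "").lower()

def der_sha256_fingerprint(der):
    """SHA-256 fingerprint of a DER certificate in openssl's AA:BB:.. form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_server_cert_der(host, port=ADMIN_UI_PORT):
    """Fetch the certificate presented at host:port WITHOUT chain validation:
    it is self-signed, so the pin recorded over SSH is the trust anchor."""
    pem = ssl.get_server_certificate((host, port))  # no validation by design
    return ssl.PEM_cert_to_DER_cert(pem)

def cert_matches_pin(host, pinned_fp, port=ADMIN_UI_PORT, fetch=fetch_server_cert_der):
    """True only if the live certificate's fingerprint equals the recorded pin."""
    actual = der_sha256_fingerprint(fetch(host, port))
    return normalize_fingerprint(actual) == normalize_fingerprint(pinned_fp)

def hostname_points_to(hostname, expected_ip, resolve=socket.gethostbyname_ex):
    """True if every A record for hostname is the Droplet's public IP (step 2 above)."""
    _name, _aliases, addrs = resolve(hostname)
    return bool(addrs) and all(addr == expected_ip for addr in addrs)

if __name__ == "__main__":
    import sys
    host, ip, pin = sys.argv[1:4]  # e.g. vpn.example.com 123.45.67.89 AB:CD:...
    print("A record ok:", hostname_points_to(host, ip))
    print("cert pin ok:", cert_matches_pin(host, pin), "at", admin_ui_url(host))
```

If the pin check fails after the Droplet was rebuilt or the certificate was replaced in the Admin Web UI, re-record the fingerprint over SSH before trusting the new certificate.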

Changing Default Timezone

The default timezone is set to US (Pacific – Los Angeles). If you are in a different time zone, you can change this setting by running this command, then choose your appropriate time zone:

sudo dpkg-reconfigure tzdata

Updating Operating System Software

We also recommend updating your Linux OS. Between the time we generated the appliance image and the time you deploy it, a number of updates have likely been released. To make sure your appliance OS is up to date, execute the following commands:

sudo apt-get update

sudo apt-get upgrade

Further security recommendations

We have additional security recommendations that we suggest you implement for all OpenVPN Access Server installations.
