How to configure OpenVPN Access Server

Introduction

This document provides an overview of the OpenVPN Access Server Client UI, Admin Web UI, and command line interface (CLI). Once you are familiar with these, these links provide more information on configuring your server:

If you’re having trouble accessing the web interface, refer to: Troubleshooting access to the web interface.

The Client UI

OpenVPN Access Server provides web services to run both the Admin Web UI and the Client UI. The Client UI provides your users with pre-configured VPN clients, which simplifies the process of connecting to your VPN server.

To access the Client UI, use either the IP address or hostname of your Access Server. For example:

  • https://123.456.78.90/
  • https://vpn.businessname.com/

The IP address is the external IP address of your server. A custom hostname can be set up using the Admin Web UI and a DNS ‘A’ record. You can follow the steps to set up a custom hostname here: Setting up your OpenVPN Access Server hostname.

This Client UI provides an interface for your users to sign in and retrieve pre-configured downloads of OpenVPN Connect. Each user can download and install OpenVPN Connect with a personalized and bundled user profile configuration, or they can download a configuration profile to import into any VPN client that supports .ovpn.

The Admin Web UI

The Admin Web UI is available at the same IP address or hostname that the Client UI uses, but with the directory /admin. For example:

  • https://123.456.78.90/admin
  • https://vpn.businessname.com/admin

The Admin Web UI provides a technical interface for your organization’s OpenVPN Access Server administrator to configure access rights, routing rules, user management, authentication, logging, and more. The Admin Web UI gives administrators the ability to manage most of the VPN settings online, with or without Linux knowledge.

The Admin Web UI is protected by a username/password combination. The default user is openvpn. Before you can sign in to the Admin Web UI with the openvpn username, you must first set the password at the command line interface:

passwd openvpn

With the password set, you can sign in to the Admin Web UI with the openvpn username.

If you have forgotten the password you can reset it with the same command:

passwd openvpn

Note: The root user credentials can’t be used to sign in to the Admin Web UI.

For more information about the features in the Admin Web UI, refer to the OpenVPN Access Server Admin Manual.

Admin Web UI Features

These sections provide an introduction to the Admin Web UI and how you can retrieve the server status, a configuration overview, and the number of current connected users. There are details on an easy way to query the log database and what the log reports look like.

Server Status

The Status Overview section indicates whether the VPN server is currently on or off. If it’s on, you can click on Stop the Server to stop the OpenVPN daemons. If the server is off, you can click on Start the Server to start the OpenVPN daemons.

Stopping or starting the daemons won’t affect the Admin Web UI service — it continues to actively listen on its configured port, which is by default TCP port 943. However, if you stop the daemons, this also stops the automatic internal routing of browser traffic to the standard HTTPS port TCP 443. With internal routing turned off, you must specify port 943 to access your Admin Web UI. For example:

  • https://123.456.78.90:943/admin
  • https://vpn.businessname.com:943/admin

Active Configuration

The Active Configuration section displays some important configuration settings that are managed in the configuration and authentication sections of the Admin Web UI.

Current Users

The Current Users section displays actively connected users with information in the following columns:

Common NameThe username.
Real AddressThe originating IP address of the connecting client.
VPN AddressThe IP address assigned by your OpenVPN Access Server.
Bytes Sent ReceivedThe data (in bytes) received and sent through the VPN tunnel.
Connected SinceWhen the currently active connection was last connected or reconnected.
BlockBlock the user, denying access to the VPN.

If an administrator blocks a user from the Current Users page, that block can be removed by unchecking the Deny Access box on User Management > User Permissions.

Querying the log database

The Log Reports section displays the log in your browser and provides the option to download it as a comma separated values (CSV) file. You can query your logs or filter the output using the fields under Query by Start Time and Filter by Number of Log Entries. You can also filter your results based on any text you enter into the filter records field.

There is a log database available through the CLI interface called logdba, which you can use to extract and export information.

Query log results

The results of a log query display below search and filter fields with information in the following columns:

NodeThe name of the OpenVPN Access Server. This is different for a multi-server setup, where the node name is different for each server.
UsernameThe username of the client connection, as authenticated by Access Server
Start TimeThe date and time that a specific connection or attempted connection occurred.
DurationThe length in time of the connection. Note: When a user’s connection is momentarily interrupted, a new, separate session is logged.
ServiceOne of the following:
VPN: Clients connecting through the OpenVPN daemon using a client.
WEB_CLIENT: Users signing into, or attempting to sign into the client web server using a browser.
WEB_ADMIN: Users signing into, or attempting to sign into the admin web server or Admin Web UI using a browser.
XML_API: Any XML-RPC API requests are logged with this service when the XML debug flag is enabled.
Real IPThe real IP address of the client connected to the Access Server or the user attempting to connect to a web service.
VPN IPThe IP address assigned to the client by the Access Server.
ProtoThe protocol used for the OpenVPN tunnel itself — UDP is generally the better choice here.
PortThe port the client connected on — the default ports are TCP 443 and UDP 1194.
Bytes InThe total number of bytes sent from the client to the Access Server.
Bytes OutThe total number of bytes sent from the Access Server to the client.
ErrorAny error messages display here, usually in short and technical phrases.

Admin Web UI User Manual

For more information about each Admin Web UI section, refer to the OpenVPN Access Server Admin Manual, which provides details about the different configuration options through your Admin Web UI portal as well as details on typical network configurations.

The Command Line Interface (CLI)

You can use the CLI to manage all of the Access Server VPN settings. And, the CLI enables you to use more advanced functions that aren’t available through the Admin Web UI.

Access to the CLI is typically established through an SSH session to your server or directly on your server’s console. On the CLI you can create your own shell scripts to automate tasks such as creating new users with custom settings or implementing custom authentication options.

For more information on using the CLI, refer to Access Server command line interface tools.