
Quick Start Guide for Using the OpenVPN Access Server Virtual Appliance for the Microsoft Hyper-V Virtualization Platform

Current appliance version is: 2.5.2

Last updated: September 2, 2018


OpenVPN Access Server is available as a Hyper-V virtual appliance for deployment on Microsoft Hyper-V compatible machines. This appliance is based off the Ubuntu Server distribution line, therefore all of the required Hyper-V modules have already been included. To use the virtual appliance, you must download the virtual machine and import it using the Hyper-V Manager.

Downloading and Running the Virtual Machine

The current version of the Access Server appliance can be downloaded from the link below. Download the file and keep it somewhere accessible:

Decompress the file into the folder where your virtual machines are kept, then create a new VM and attach the enclosed VHD file as its hard drive. The machine should start normally. Note that if you are using the Windows Server 2012 release of Hyper-V, you must use a Generation 1 VM, since Generation 2 VMs do not support Linux guests at this time. It is normal to see a Degraded status on the network adapter because of the way the underlying operating system interacts with Hyper-V. This does not indicate a defect; your appliance is working as expected.

Initial Setup of Access Server

The appliance downloaded from this website comes depersonalized and must be personalized before it can be used. Please follow the instructions below to customize your OpenVPN Access Server appliance. Upon the initial startup of the appliance, you will be asked to log in to the console of the appliance. To do so, use the following credentials:

  Username: root
  Password: openvpnas

Running the OpenVPN Access Server Setup Wizard (required)

The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance. If you would like to run this wizard again in the future, issue the ovpn-init command in the terminal. Read through the EULA, and enter yes to indicate your agreement.


> Will this be the primary Access Server node?

Explanation: If this is your initial Access Server node, press Enter to accept the default setting. If you are setting up a failover node instead, change this to no.

> Please specify the network interface and IP address to be used by the Admin Web UI:

Explanation: This is the interface on which OpenVPN Access Server will listen for Admin Web UI requests. Make sure you have access to the interface listed; otherwise you will be unable to log in to your server. If you are uncertain which interface to use, select option 1 for all interfaces. Note that if your network did not assign your appliance a DHCP lease, or if you plan to use a static IP for your server, you will need to specify all interfaces here and then follow the instructions for assigning a static IP in a later section of this article. This option can be changed at any time after the wizard completes, in the Admin Web UI.

> Please specify the port number for the Admin Web UI.

Explanation: This is the port you will use to reach the web-based administration area. It is usually safe to leave this at the default port unless customization is desired.

> Please specify the TCP port number for the OpenVPN Daemon

Explanation: This is the port clients will use to connect to your VPN server. This port must be forwarded from the Internet if your server sits behind a NAT-based router. By default the web-based administration area also runs on this port for your convenience, although this behavior can be disabled in the Admin Web UI.

> Should client traffic be routed by default through the VPN?

Explanation: If you only have a small network that you would like your remote users to reach over the VPN, select no. If instead you would like all traffic to go through the VPN while the user is connected (especially useful when you want to secure data communications over an insecure link), select yes.

> Should client DNS traffic be routed by default through the VPN?

Explanation: If you would like your VPN clients to be able to resolve local domain names using an on-site DNS server, select yes for this option. Otherwise, select no. Note that if you selected yes for the previous option, all traffic will be routed over the VPN regardless of what you set here.

> Use local authentication via internal DB?

Explanation: If you would like OpenVPN Access Server to keep an internal authentication database for your users, select yes for this option. When this option is turned on, you can define and change usernames and passwords within the Admin Web UI. If you select no, Linux PAM authentication will be used and you will need to add, change and delete users within the Linux operating system itself. If you would like to use LDAP or RADIUS as your authentication method, you will need to change this after you log in to the Admin Web UI.

> Should private subnets be accessible to clients by default?

Explanation: This option defines the default security setting of your OpenVPN Access Server. When "Should client traffic be routed by default through the VPN?" is set to no, it defines the list of subnets that your VPN clients are able to access. You can add more entries to this list once you log in to the Admin Web UI. This option has no effect if "Should client traffic be routed by default through the VPN?" is set to yes.

> Do you wish to login to the Admin UI as "openvpn"?

Explanation: This defines the initial username that you will use to log in to the Access Server Admin UI. This username also serves as your "lock out" administrator username should you ever lock yourself out of your own server. If you would like to specify your own username, select no. Otherwise, accept yes for the default.

> Specify the username for an existing user or for the new user account:

Explanation: Enter the initial username you would like to use instead of the default 'openvpn'.

> Type the password for the 'user' account:
> Confirm the password for the 'user' account:

Explanation: Specify the password you would like to use for the account.

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here. Otherwise, leave it blank. OpenVPN Access Server includes two free licenses for testing purposes.

After you complete the setup wizard, you can access the Admin Web UI to configure the other aspects of your VPN. The URL for the Admin Web UI is displayed upon completion of the setup wizard. As mentioned previously, the Admin Web UI is reachable on both the VPN port and the Admin port unless you disable this behavior in the Admin Web UI.

Note: If you selected yes for the "Do you wish to login to the Admin UI as "openvpn"?" option in the setup wizard, you will need to define the password for this account by running the following command and pressing Enter: passwd openvpn

The root password is the equivalent of an administrator password in the Windows environment: anyone who has this password has full control over the appliance. Because it is set to the default password 'openvpnas', it should be changed to something secure, especially if you plan to use this appliance in a production environment. To do so, execute the following command (you will be asked for your new root password): passwd

Configure Static IP Addressing (optional)

The appliance by default obtains its networking information from DHCP. If your network has no DHCP server, or if you would like to assign an IP address to your Access Server appliance manually, follow the steps below:

  1. Type the command nano /etc/network/interfaces into the console and press Enter.
  2. Use the down arrow key to scroll to the iface eth0 inet dhcp line, and change dhcp to static.
  3. Add the following lines using the template below:

       address 'ipAddr'
       netmask 'subnet'
       gateway 'gw'
       dns-nameservers 'dns1' 'dns2'

For example, if you would like to configure your appliance to have an IP address of, and subnet mask of, a gateway of, and nameservers of and, your configuration will look like this:

  # The primary network interface
  allow-hotplug eth0
  iface eth0 inet static
  address
  netmask
  gateway
  dns-nameservers

Once you are done, press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor. To activate the new configuration, run the following command: ifdown eth0 && ifup eth0

Changing Default Timezone (optional)

The default timezone is set to US (Pacific – Los Angeles). If you reside in another timezone and would like to change this setting, run the following command (you will be asked which timezone to set): dpkg-reconfigure tzdata

The system will show the new local time after this setting is configured.

Disabling the Lock Out aka (bootstrap) account (optional)

In the setup wizard, you were prompted to create an initial username and password that allow you to log in to the Admin Web UI. This username and password combination is always active, regardless of its status in the "User Permissions" area. This may be undesirable if your server faces the Internet, since anyone who has this username and password combination has full administrator rights to change any setting in your Access Server Admin Web UI. After you have created a secondary administrator account in the Admin Web UI, you may disable this lock out account by following the steps below:

  1. Enter the command: nano /usr/local/openvpn_as/etc/as.conf
  2. Press the Page Down key on your keyboard and scroll down with your Down arrow key until you see entries starting with boot_pam_users.
  3. Put a # sign before the entry corresponding to the bootstrap username you created previously. Usually this is the boot_pam_users.0= entry. DO NOT put a # sign before the boot_pam_service entry; doing so will cause unexpected behavior in your VPN server.
  4. Press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor.
  5. Restart the VPN server by entering the following command: /etc/init.d/openvpnas restart

You may re-enable this feature at any time by removing the # sign from the aforementioned file and restarting Access Server.
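The following shell functions, added here as an example and not part of the original guide, perform the disable and re-enable steps above on an as.conf file: they comment out only the boot_pam_users.N= line for the given username, leave boot_pam_service untouched, and check that it survived before you restart the service. The sample configuration inside the script is constructed for the demonstration; the key names and the /usr/local/openvpn_as/etc/as.conf path are the ones the guide names.

```shell
#!/bin/sh
# Added example (not from the original guide). On the appliance you would run:
#   disable_bootstrap /usr/local/openvpn_as/etc/as.conf openvpn
#   /etc/init.d/openvpnas restart

# Write a constructed as.conf into a temp file so the example runs offline.
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample, not a real Access Server configuration
boot_pam_service=openvpnas
boot_pam_users.0=openvpn
boot_pam_users.1=backupadmin
EOF
  printf '%s\n' "$f"
}

# disable_bootstrap FILE USER: prefix the boot_pam_users.N=USER line with '#'.
# Only lines whose value is exactly USER are touched, so boot_pam_service and
# other bootstrap users are never modified. Returns 1 if no active entry exists.
disable_bootstrap() {
  conf=$1; user=$2
  grep -q "^boot_pam_users\.[0-9]*=$user\$" "$conf" || return 1
  sed -i "s/^\(boot_pam_users\.[0-9]*=$user\)\$/#\1/" "$conf"
}

# enable_bootstrap FILE USER: remove the '#' again (the re-enable step).
enable_bootstrap() {
  conf=$1; user=$2
  sed -i "s/^#\(boot_pam_users\.[0-9]*=$user\)\$/\1/" "$conf"
}

# service_line_intact FILE: the check to run before restarting the server;
# exactly one active boot_pam_service line must remain.
service_line_intact() {
  [ "$(grep -c '^boot_pam_service=' "$1")" -eq 1 ]
}
```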

Between the time we generated the appliance and the time you downloaded and started using it, many operating system updates may have become available. To make sure your appliance operating system is up to date, execute the following command: apt-get update && apt-get upgrade