
Installing OpenVPN Access Server on a Linux system


Operating systems supported

OpenVPN Access Server can be installed from an installation package file on any compatible Linux operating system. This suits installation on a server you already have, or on a dedicated server that you manage yourself. If you want full control over how the operating system is installed and configured, and want to run Access Server on it, the installation guide on this page is what you are looking for.

There are also other ways to install Access Server that use prepared images containing a suitable operating system with the OpenVPN Access Server program already on it, ready for use. These are available for Microsoft Windows Server Hyper-V, VMware ESXi, Amazon AWS, and other systems. For our prepared images we prefer the latest 64-bit Ubuntu Long Term Support version. To learn exactly which installation packages are available for Linux operating systems, check the software packages download page on our main website, where the installation package can be selected and downloaded.

When a newer version of an operating system is released, installation packages for it may not be available immediately. This happened, for example, when Debian 9 was released in 2017. In that case the installation package for the previous version will usually work just fine; for example, the installation package for Debian 8 works on Debian 9. When we make new releases of Access Server, we update our build systems to add builds made specifically for the newer operating system versions, and we stop making installation package files for operating systems that are no longer supported and are considered end of life. As operating systems move on to newer versions, we adjust our offering of installation packages accordingly.

Installation requirements and preparation

You will need to have access to a working supported Linux operating system installation that you have root level access to. It doesn’t matter if this is through the console directly or through an SSH session using for example a tool like PuTTY, and it doesn’t matter if you must log on as an unprivileged user first, and then can ‘sudo up’ to gain root privileges; that’s fine.

Furthermore, the time and date on the server must be correct. VPN server and client certificates are generated with an expiration date 10 years into the future, so they’re unlikely to expire any time soon. But they are also generated with a start date, and if that date is in the future because the server’s clock is set in the future, the certificates won’t work until that date and you’ll get errors about that. Additionally, if you plan on using the multi-factor system called Google Authenticator, which uses time-based one-time password generation, you must have an accurate time and date set. Most modern distributions have a time synchronization program built in that automatically corrects time drift or an incorrect time and date, so please check that it is working and that the time and date on your server are correct.

To make corrections to the timezone setting:

dpkg-reconfigure tzdata

The OpenVPN Access Server can function entirely within an environment where no Internet access is possible, but this makes license key activation more complicated: you will have to contact us for an offline activation procedure, or perform such a procedure yourself using a second Access Server that does have Internet access. An Access Server without Internet access also cannot accept connections from clients on the Internet. It is therefore best to have the Access Server connected to the Internet, and we recommend doing this behind a firewall system with only ports TCP 443, TCP 943, and UDP 1194 forwarded from the public Internet to the private address of the Access Server behind the firewall. It is also important to check that DNS resolution works as expected, so that pinging, for example, www.google.com results in the server resolving the name to an IP address. If DNS resolution doesn’t work properly, it can slow down the web interface and prevent license key activation.
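
The forwarding recommendation above can also be checked from the server side. The following is an added example, not code from OpenVPN: it reads ss -tuln output and reports non-loopback listeners other than TCP 443, TCP 943 and UDP 1194, plus any of those three ports that has no listener. The function names and the sample socket list are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare listening sockets with the three ports the page
# says to forward (TCP 443, TCP 943, UDP 1194).
EXPECTED="tcp/443 tcp/943 udp/1194"

# Reads `ss -tuln` output on stdin and prints one finding per line:
#   EXTRA proto/port addr  non-loopback listener outside the expected set
#   MISSING proto/port     expected port with no non-loopback listener
audit_listeners() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        $1 == "tcp" || $1 == "udp" {          # skips the header line, if any
            addr = $5; sub(/:[^:]*$/, "", addr)   # local address without ":port"
            port = $5; sub(/.*:/, "", port)       # text after the last colon
            key = $1 "/" port
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (key in want) { seen[key] = 1; next }
            id = key " " addr
            if (!(id in reported)) { reported[id] = 1; print "EXTRA " id }
        }
        END { for (i = 1; i <= n; i++) if (!(e[i] in seen)) print "MISSING " e[i] }
    '
}

# Constructed sample of `ss -tuln` output, not captured from a real server.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1194        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
EOF
}

# Demo on the sample; on a server run: ss -tuln | audit_listeners
sample_ss | audit_listeners
```

An EXTRA line is not a fault in itself (SSH on port 22 is normal); it marks a service that the firewall must not forward from the public Internet. A MISSING line means the Access Server is not listening on one of the ports the firewall forwards.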

Since version 2.7.5, Access Server is distributed via a software repository. If your system is isolated from the Internet, this makes things a little more difficult. We do still offer the option to download software packages separately, but Access Server now comes in 2 packages: the OpenVPN Connect client software bundle and the OpenVPN Access Server itself. Both must be installed for the Access Server installation to succeed.

Install repository, then upgrade

First figure out which operating system you are running, so that you can select the correct one. You can then obtain instructions from our website on how to install the repository. With that information you can install the software repository and install the latest version of Access Server. In the future you can then use the software repository to update your Access Server.

You need to know which operating system you’re on. All official OpenVPN Inc cloud images and appliance images that we released in 2018 and 2019 are Ubuntu 18 x64. But in case you need to be sure or don’t know what operating system you have, you can use the information below to figure this out.

Figure out your operating system:

cat /etc/issue
lsb_release -a
uname -a

You should get some useful information out of these commands. Some may fail in some situations, which is fine; you should still get the information you need. Below is an example of output from an older Access Server on Amazon AWS:

OpenVPN Access Server Appliance 2.1.9 \n \l
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
Linux openvpnas2 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This information tells us we are running Ubuntu 16.04.2 LTS on an x86_64 platform. Take a look at the information you are seeing on your system, and determine the operating system name and version number and whether it’s only x86 (32 bits) or x86_64 (64 bits). Based on which Linux operating system you have, look up the repository installation instructions on our software packages download page on our website. Select the operating system you use, and then in the selection drop-down select which version of that operating system you have. If we take the above example, you would here select Ubuntu 16 64bits.

You will then see a list of instructions that you can copy paste to your server’s command line. It will set up the software repository for you, and download and install the latest Access Server version for you and upgrade your existing installation. In the future you can use apt update and apt upgrade to update your system and the Access Server at the same time.

Note that there are 64 bits versions (x64) and 32 bits versions (x86). If your operating system is 64 bits, it is recommended to install the 64 bits version, but you can also install the 32 bits version (not recommended). If your operating system is 32 bits only then you cannot use the 64 bits version but must install the 32 bits version.

If you have an operating system version that is older than what we have listed, you may need to consider updating your whole system, including the operating system, instead. For example, we don’t offer downloads for CentOS 5 anymore, because CentOS 5 was not able to handle functions we now need to use for IPv6 support. Trying to install OpenVPN Access Server software that is designed for CentOS 6 on an older platform like CentOS 5 will result in failure. So installing an Access Server package meant for a newer operating system than the one you have will usually fail. Installing an Access Server package meant for a slightly older operating system than the one you have, however, will usually succeed. For example the package for Ubuntu 16 64 bits may work on Ubuntu 17 64 bits.

We recommend that after the upgrade process has completed you reboot the server:

reboot

This completes the upgrade process.

Finishing configuration and using the product

Once the program is installed it will automatically configure itself with some standard settings. The installation process will also tell you where to find the client web service, which is the web-based GUI that you can use to log on and connect to the Access Server, and where to find the admin web service, where you can log on as an administrative user and manage the configuration, certificates, users, and so on. Usually the client UI is at the address of your server, for example https://192.168.70.222/. The admin UI is usually at the /admin/ address, for example https://192.168.70.222/admin/. Please note that the web services by default actually run on port TCP 943, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests to the web services, so that it is slightly easier for users to open the web interface.

Initially a single administrative user is added to the system. But it has no password set and therefore cannot be used yet. To use it a password must be set first:

passwd openvpn

You can now point your web browser at the admin UI web interface. Because the Access Server comes with a self-signed SSL certificate to begin with, you will receive a warning in the browser like “Invalid certificate” or “Cannot verify identity of the server”. You will have to confirm that you wish to continue to the web interface. You will then see the login screen and you can then enter the username openvpn and the password you have just set with the “passwd openvpn” command.

Once you are logged in to the Admin UI you can select which authentication system to use. The available choices are local, PAM, RADIUS, and LDAP. The default is PAM, which means that user accounts must be present in the operating system in order to be able to log on to the Access Server. You can also use an external system like a RADIUS or LDAP server, for example to connect to a Windows Server Active Directory using an LDAP or RADIUS connector. If you do that we recommend that you use LDAP for best results. If you are managing only a limited number of users and don’t want things to be too complicated, the recommendation is to switch the authentication system to local mode. You can then use the User Permissions screen in the web interface to add and remove users and to set passwords and access control rules for them. Almost everything can then be configured purely from the Admin UI, although some advanced options are only available in the command line tools. If you choose to use PAM, we recommend that you look at the command line authentication options documentation specifically to learn how to add and remove users and manage passwords.

Further documentation is available elsewhere on our website to configure specific functions and configuration options for the OpenVPN Access Server.

Limitations of an unlicensed OpenVPN Access Server

When the OpenVPN Access Server is installed without a license key it goes into a sort of demonstration mode. There is no time limit or functionality limit on this mode. The only difference between a licensed Access Server and an unlicensed one is the number of simultaneous OpenVPN tunnel connections the Access Server allows. An unlicensed server will only ever allow 2 simultaneous connections. To unlock more connections you can purchase a license key. We suggest you read the licensing frequently asked questions page and the pricing overview page to learn more.
