
Installing OpenVPN Access Server on a Linux system

Operating systems supported

OpenVPN Access Server can be installed from an installation package file on any compatible Linux operating system. This suits a server you already have, or a dedicated server system you manage yourself. If you want full control over how the operating system is installed and configured and want to run Access Server on it, the installation guide on this page is what you are looking for. Other installation options use prepared images that contain a suitable operating system with the OpenVPN Access Server program already in it, ready for use. These are available for Microsoft Windows Server Hyper-V, VMWare ESXi, Amazon AWS, and other systems. For our prepared images we prefer the latest 64-bit Ubuntu Long Term Support version. To learn exactly which installation packages are available for Linux operating systems, check the software packages download page on our main website, where the installation package can be selected and downloaded.

When a newer version of an operating system is released, installation packages for OpenVPN Access Server may not be available for it immediately, as happened when Debian 9 was released in 2017. In that case the package installation file for the previous version will usually work just fine. For example, the installation package for Debian 8 works on Debian 9. When new releases of Access Server are made, we update our build systems to add builds made specifically for the newer operating system versions, and we stop making installation package files for operating systems that are no longer supported and are considered end of life. As operating systems move on to newer versions, we adjust our offering of installation packages accordingly.

Installation requirements and preparation

You will need to have access to a working supported Linux operating system installation that you have root level access to. It doesn’t matter if this is through the console directly or through an SSH session using for example a tool like PuTTY, and it doesn’t matter if you must log on as an unprivileged user first, and then can ‘sudo up’ to gain root privileges; that’s fine. On some operating systems a package called ‘net-tools’ may have to be installed because Access Server currently relies on ifconfig to function. This is the case on CentOS 7 and Debian 9 for example. Installation of such a package should be as simple as running one of these commands below. We also recommend installing wget if it’s not already installed as this makes the steps that follow later a bit easier.

Install ‘net-tools’ and ‘wget’ packages on CentOS 7:

yum install net-tools wget

Install ‘net-tools’ and ‘wget’ packages on Debian 9:

apt-get install net-tools wget

Furthermore it is required that the time and date on the server are correct. VPN server and client certificates are generated with an expiration date 10 years into the future so they’re unlikely to expire any time soon. But they are also generated with a start date, and if that date is in the future because the server has a date set in the future, then the certificates won’t work until that date and you’ll get some errors about that. Additionally, if you plan on using the multi-factor system called Google Authenticator, which uses a time-based one-time password generation system, then you must have an accurate time and date set. To ensure that any time drift or incorrect time and date on a system is automatically corrected you can install a Network Time Protocol (NTP) client program on the server which should automatically continuously keep the correct time for you on your server. Especially cloud-based virtual machines are susceptible to time drift. A deviation of 30 seconds can already be a problem when it comes to Google Authenticator. Usually these programs come preconfigured and require little to no configuration.

To install an NTP client on Ubuntu/Debian systems:

apt-get install ntp

To install an NTP client on Red Hat/CentOS systems:

yum install ntp

To make corrections to the timezone setting:

dpkg-reconfigure tzdata

The OpenVPN Access Server can function entirely within an environment where no Internet access is possible, but this makes license key activation more complicated: you will have to contact us for an offline activation procedure, or perform such a procedure yourself using a second Access Server that does have Internet access. An Access Server without Internet access also can’t accept connections from clients on the Internet. So it’s best to have the Access Server connected to the Internet, and we recommend doing this behind a firewall system with only ports TCP 443, TCP 943, and UDP 1194 forwarded from the public Internet to the private address of the Access Server behind the firewall. It is also important to check that DNS resolution is working as expected, so that pinging for example will result in the server being able to resolve this to an IP address. If DNS resolution doesn’t work right it can slow down the web interface and prevent license key activation.
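
One way to check the forwarding recommendation above, as an added example that is not part of the original guide: a shell function that reads iptables NAT rules and reports any port forwarded to the Access Server other than TCP 443, TCP 943 and UDP 1194. It assumes the firewall is a Linux host using iptables DNAT rules; the function name audit_forwards, the address 10.0.0.5 and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit DNAT port forwards that point at the Access Server.
# Feed it the output of:  iptables -t nat -S PREROUTING

# audit_forwards AS_PRIVATE_IP   (rules are read from stdin)
# Prints "UNEXPECTED proto/port" for forwards outside the recommended set
# and "MISSING proto/port" for recommended forwards that are absent.
audit_forwards() {
    awk -v ip="$1" '
    BEGIN { want["tcp/443"]; want["tcp/943"]; want["udp/1194"] }
    $1 == "-A" {
        proto = port = dest = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-p")               proto = $(i + 1)
            if ($i == "--dport")          port  = $(i + 1)
            if ($i == "--to-destination") dest  = $(i + 1)
        }
        sub(/:.*/, "", dest)          # drop the ":port" part of the target
        if (dest != ip) next          # rule forwards to some other host
        key = proto "/" port
        if (key in want) seen[key] = 1
        else print "UNEXPECTED " key
    }
    END { for (k in want) if (!(k in seen)) print "MISSING " k }
    ' | sort
}

# Constructed sample rules (not taken from a real firewall).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 943 -j DNAT --to-destination 10.0.0.5:943
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 10.0.0.5:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.5:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.9:8080'

# The SSH forward to the Access Server is reported; the rule for the
# other host (10.0.0.9) is ignored.
printf '%s\n' "$SAMPLE_RULES" | audit_forwards 10.0.0.5
```

An empty result means the forwards to the Access Server match the recommended set exactly.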

Downloading and installing the package

To install the Access Server, you need to download the Access Server package and place it somewhere on the intended server host. You can do this in a roundabout way by downloading the installation package from our website on your desktop computer and then uploading it with a tool such as SCP or WinSCP. An easier method is to use wget, a tool designed to retrieve files directly from the Internet and save them directly on the file system of the Linux operating system where you are installing the OpenVPN Access Server program.

Based on which Linux operating system you have chosen, look up the installation file on the software packages download page on our main website. Select the operating system you use, then select the installation package for your specific operating system version. Note that there are 64-bit versions (x64) and 32-bit versions (x86). If your operating system is 64-bit, it is recommended to install the 64-bit version, although you can also install the 32-bit version (not recommended). If your operating system is 32-bit only, you cannot use the 64-bit version and must install the 32-bit version.

You can right-click the download link and select “Copy Link Address” or “Copy target” or similar. The exact wording depends on the browser used. The goal is to have the link to the installation package in your copy/paste buffer. Next go to the Linux server where you want to install the OpenVPN Access Server program and use wget to download the installation package file directly to the server.

Type wget followed by the pasted URL:

wget <paste copied url>

For example for Ubuntu 16 x64 installation package, Access Server 2.1.12:


Optional step for advanced users: you can use https:// for the connection instead if you prefer a secure connection, and you can verify that the package file has downloaded correctly and is in fact the package file that we distribute and not somehow a tainted copy. This is all very unlikely, but you can still check with the tool sha256sum, which creates a hash of the downloaded file. You can then compare it with the Access Server installation package sha256sum hash table on our website. Use the command line “sha256sum openvpn-as-2.1.12-Ubuntu16.amd_64.deb” to generate the hash, and compare it to what is listed on the site. If they match you can be certain that you have the right file and it has downloaded correctly.
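
The optional hash check described above, as an added example (not part of the original guide or OpenVPN's own tooling): a shell function that compares the package's SHA-256 with the value copied from the hash table, so the install only proceeds on a match. The function name verify_pkg and the placeholder hash in the usage comment are assumptions for illustration.

```sh
#!/bin/sh
# Added example: verify a downloaded Access Server package against the
# SHA-256 value published in the hash table before installing it.

# verify_pkg FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 equals the expected value, 1 on a
# mismatch, 2 on bad input (missing file or malformed reference hash).
verify_pkg() {
    pkg=$1
    # Normalise the pasted hash: lower-case it and drop stray whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')

    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }

    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    # so a truncated copy/paste is not mistaken for a valid reference.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 chars" >&2; return 2; }

    actual=$(sha256sum "$pkg" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pkg matches the published hash"
        return 0
    fi
    echo "MISMATCH: $pkg" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (the hash is a placeholder; copy the real one from the hash table):
#   verify_pkg openvpn-as-2.1.12-Ubuntu16.amd_64.deb "<published sha256>" \
#       && dpkg -i openvpn-as-2.1.12-Ubuntu16.amd_64.deb
```

The comparison is only as trustworthy as the channel the reference hash was read over, so load the hash table page via https://.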

Now that the installation package file is downloaded to your system you can install it with the following command:

Install downloaded package on Debian/Ubuntu system:

dpkg -i openvpn-as-2.1.12-Ubuntu16.amd_64.deb

Install downloaded package on RedHat/CentOS/Fedora system:

rpm -Uvh openvpn-as-2.1.12-CentOS7.x86_64.rpm

The installation process should then commence and finish. The output may look like this:

The Access Server has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
Please enter "passwd openvpn" to set the initial administrative password,
then login as "openvpn" to continue configuration here:
To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.
Access Server web UIs are available here:
Admin UI:
Client UI:

The Access Server tries to adapt itself to the network configuration it finds. If you have a complex network setup you may need to run the ovpn-init tool to reconfigure it to listen on another network interface. The ovpn-init tool can also wipe all OpenVPN Access Server configuration with the --force option, in case you make a mistake during initial setup. Don’t use the --force option on an existing installation unless you can live with losing all configuration and certificates and want to start over. The program will also ask for a license key, but you do not have to enter one. If no valid license key is found it will assume a demonstration mode where all functions work but you’re limited to 2 simultaneous VPN tunnel connections.

Finishing configuration and using the product

Once the program is installed it will automatically configure itself with some standard settings. The installation process will also tell you where to find the client web service, which is the web based GUI that you can use to log on and connect to the Access Server, and where to find the admin web service, which is where you can log on as an administrative user and manage the configuration, certificate, users, etcetera, in the web based GUI. Usually the client UI is at the address of your server, for example The admin UI is usually at the /admin/ address, for example Please note that the web services by default actually run on port TCP 943, so you can visit them at and as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface.

Initially a single administrative user is added to the system. But it has no password set and therefore cannot be used yet. To use it a password must be set first:

passwd openvpn

You can now point your web browser at the admin UI web interface. Because the Access Server comes with a self-signed SSL certificate to begin with, you will receive a warning in the browser like “Invalid certificate” or “Cannot verify identity of the server”. You will have to confirm that you wish to continue to the web interface. You will then see the login screen and you can then enter the username openvpn and the password you have just set with the “passwd openvpn” command.

Once you are logged in to the Admin UI you can select which authentication system to use. The available choices are local, PAM, RADIUS, and LDAP. The default is PAM, which means that user accounts must be present in the operating system in order to log on to the Access Server. You can also use an external system such as a RADIUS or LDAP server, for example to connect to a Windows Server Active Directory using an LDAP or RADIUS connector. If you do that we recommend that you use LDAP for best results. If you are managing only a limited number of users and don’t want things to be too complicated, the recommendation is to switch the authentication system to local mode. You can then use the User Permissions screen in the web interface to add/remove users and set passwords and access control rules for them. Almost everything can then be configured purely from the Admin UI, although some advanced options are only available in the command line tools. If you choose to use PAM, we recommend that you look at the command line authentication options documentation specifically to learn how to add/remove users and manage passwords.

Further documentation is available elsewhere on our website to configure specific functions and configuration options for the OpenVPN Access Server.

Limitations of an unlicensed OpenVPN Access Server

When the OpenVPN Access Server is installed without a license key it goes into a sort of demonstration mode. There is no time limit or functionality limit on this mode. The only difference between a licensed Access Server and an unlicensed one is the number of simultaneous OpenVPN tunnel connections the Access Server allows. An unlicensed server will only ever allow 2 simultaneous connections. To unlock more connections you can purchase a license key. We suggest you read the licensing frequently asked questions page and the pricing overview page to learn more.