Abstract
The best Ubuntu VPN solution — OpenVPN Access Server works with your Linux distro of Ubuntu, also built on open-source software fundamentals. Get started!
Access Server fits seamlessly with Ubuntu. Access Server gives you the following benefits:
A self-hosted VPN solution.
A simplified, rapid deployment of secure remote access and site-to-site solutions.
A web-based administration interface.
Built-in OpenVPN Connect app distribution with bundled connection profiles.
We recommend you start by updating your operating system to the latest version and ensure it's set to the correct time:
Sign in to your Linux system on the console or via SSH and obtain root privileges.
Run the commands below to install updates and set time and date correctly.
apt updateapt upgradeapt install tzdatadpkg-reconfigure tzdata
Note
We assume your OS comes with a time synchronization tool to ensure the correct date and time. If it doesn't, you must ensure they're correct and consider installing a Network Time Protocol (NTP) client program to keep accurate time on your server. Access Server relies on accurate time for time-based one-time passwords for multi-factor authentication and certificate management.
Sign in to the Access Server portal.
Click Get Access Server.
Click Ubuntu LTS from Linux Software Package.
Select your Ubuntu version and copy the commands to install via the repository.
From your console or SSH session, copy and paste the instructions to install the openvpn-as package.
Important
We only support Ubuntu LTS versions. If your operating system version isn't listed as one we support, don't proceed, as the commands will likely fail.
After installing theopenvpn-aspackage, take note of the Admin UI and Client UI addresses as well as the randomly generated password for your administrative useropenvpn. These display on screen similar to this example:
+++++++++++++++++++++++++++++++++++++++++++++++Access Server 2.14.1 has been successfully installed in /usr/local/openvpn_asConfiguration log file has been written to /usr/local/openvpn_as/init.logAccess Server Web UIs are available here:Admin UI: https://198.51.100.130:943/adminClient UI: https://198.51.100.130:943Login as "openvpn" with "RR4ImyhwbFFq" to continue(password can be changed on Admin UI)+++++++++++++++++++++++++++++++++++++++++++++++
Using the information from the previous step, connect to the Access Server and sign in with theopenvpnuser and password.
Tip
The URL for the Admin Web UI is https://[address]/admin/ — replace [address] with your server's public IP address or DNS hostname.
The Access Server Admin Web UI provides an intuitive tool for managing settings for Access Server. The first time you access it, a warning will display. This is expected, as Access Server has a self-signed SSL certificate so the web service can function. Override this warning message and proceed.
Tip
We recommend you set up a valid DNS hostname for your Access Server and install a valid signed SSL certificate.
After you sign in and accept the EULA, the Activation page displays. Paste your activation here and click Activate.
Now that you've installed Access Server, follow these next steps.
When you complete the installation process on the command line, the output displays the URLs for your admin UI and client UI as well as the username and randomly generated password for the admin account.
+++++++++++++++++++++++++++++++++++++++++++++++Access Server 2.14.1 has been successfully installed in /usr/local/openvpn_asConfiguration log file has been written to /usr/local/openvpn_as/init.logAccess Server Web UIs are available here:Admin UI: https://198.51.100.130:943/adminClient UI: https://198.51.100.130:943Login as "openvpn" with "RR4ImyhwbFFq" to continue(password can be changed on Admin UI)+++++++++++++++++++++++++++++++++++++++++++++++
Admin UI | The Admin UI is the web-based GUI for managing your Access Server. We refer to it as the Admin Web UI. Typically, it is the address of your server with /admin/ appended, for example https://192.168.70.222/admin/. When you sign in to the Admin Web UI, you can manage the configuration, certificate, users, and so on as an administrative user. The web-based GUI provides simplified management of complex VPN features rather than having to run Linux-based commands and scripts. |
Client UI | The Client UI is the web-based GUI where users sign in to download clients or configuration files. Typically, it is the address of your server, https://192.168.70.222 as an example. TipThe web services run on port TCP 943, by default, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface by leaving the :943 part out. |
Administrative User
For the first use of the Admin Web UI, sign in with theopenvpnuser created during setup. The user’s password is randomly generated and displays in the output at the completion of setup.
On Access Server versions older than 2.9, you must manually set the password for theopenvpnuser with this command:
passwd openvpn
You can now open a browser and enter your Admin Web UI address.
Invalid Certificate
Access Server’s web interface comes with a self-signed certificate. This allows you to sign in to the Admin Web UI right away. Since it’s self-signed, it triggers an expected warning. We recommendadding your own SSL certificatein the Admin Web UI to resolve this.
By clicking through to the site, you can continue to the web interface. At the login screen, enter the username and password for your openvpn user.
The first time you sign into the Admin Web UI, Access Server displays theActivationpage so you can easily get an activation key:
Click Get Activation Key.
This takes you to the Access Server portal.
Sign in with your openvpn.com account if needed.
Click Activation Keys.
Click Purchase A New Key.
Select the number of concurrent connections for your subscription.
For a free subscription with two connections, select the free option.
For five or more connections, select the standard option.
Once you've finished obtaining a subscription, click Copy Key to copy the subscription key.
Return to your Admin Web UI.
Paste the subscription key in the text field.
Click Activate.
Once your subscription loads, you can see the available connections. When users start connecting, you'll see how many are connected. You can also see the connection details on theAccess Server portalby clickingAccess Server Information.
We recommend using a hostname for your web interfaces and client connections, rather than the IP address of your server. It’s easier for clients and users to sign in with a domain such as vpn.example.com than to use an IP address.
Refer to Setting up your Access Server Hostname and follow the steps.
Once signed in to the Admin Web UI, you can configure user authentication. Access Server supports local authentication where you configure users in the Admin Web UI. You can also use an external authentication system with PAM, RADIUS, LDAP, or SAML.
Access ServerAccess Server 2.10 and newer supports using multiple authentication systems simultaneously. Refer toAccess Server’s User Authentication Systemfor more information.
With your VPN server configured, yourusers can get connected. Choose one of the options below to connect to the server.
Option to connect | Procedure |
|---|---|
Download a bundled VPN client to connect | A user follows these steps to download a pre-configured OpenVPN Connect app:
|
Download a connection profile | A user follows these steps to download a connection profile. They can then load this file into an installed VPN client like OpenVPN Connect:
|
Admin provides users with ways to connect | Alternatively, as an admin, you can use these ways to connect your users:
|
Tip
Once connected, a simple test the user can perform is checking their IP address. If internet traffic travels over your encrypted VPN tunnel, the user's IP address changes when they connect to Access Server. If you configuresplit-tunnel traffic, their IP address remains the same for internet traffic.
Set up a DNS hostname for your server.
Install a valid signed SSL certificate.
Configure VPN settings.
Set up users.
Additional security steps.
To reach Access Server via the internet, set the hostname or IP address to one facing the public internet. If you set up your server in a private network, it may assume a private IP that can't be reached from the internet. Change this setting by setting up a DNS hostname that resolves to the public IP address where your Access Server can be reached.
Ensure the right ports are open so your VPN clients can reach Access Server from outside your private network.
Access Server's default, internal VPN subnet is 172.27.224.0/20. You can change the subnet to one that might work better for your current network.
Your users and devices need a VPN client program, like OpenVPN Connect, to establish a connection to Access Server. You can obtain the necessary software and connection details from the Client Web UI. This is the same address as the Admin Web uI, minus the /admin part.
Tip
The URL for the Client Web UI is https://[address]/ — replace [address] with the public IP address or DNS hostname of your server.
Users can sign in with their credentials and obtain all the necessary client software and configuration to connect to your Access Server.
Successfully running the Linux commands here requires executing them with root privileges logged in as a root user or sudo up.
By default, an unlicensed server allows only two connections. You canpurchase a subscriptionto increase this.
Licensing an Access Server without internet access requirescontacting OpenVPN supportfor an offline activation procedure.
If you experience slowness with the web interface or license key activation, check that DNS resolution is working as expected.
In this section:
