![\"openvpn_access_server\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/openvpn_access_server.png\")
<\/p>\nVirtual private network or VPN for short is a convenient way of setting up a secure connection to another networked host. OpenVPN Access Server is an open source software that implements VPN techniques through custom security protocols. VPN connections can be essential for development environments, allow secure browsing over public WiFi, or provide an anchor point for devices for which a static IP address\u00a0might not be possible.<\/p>\n
<\/p>\n
OpenVPN clients can be installed on Windows, Mac and Linux as well as Android and iOS while the OpenVPN Access Server (AS) is available for most Linux distributions. This introductory guide to OpenVPN goes through the steps for setting up and configuring your personal Access Server, and how to connect to it.<\/p>\n
OpenVPN AS supports multiple configurations such as secure remote access to an internal network and private cloud network resources with fine-grained access control. The OpenVPN AS setup consists of three main components:<\/p>\n
The server software is available for a variety of Linux distributions and version. You can check out the OpenVPN Access Server\u00a0Software Packages -page<\/a>\u00a0or click the links below to find the correct software for your system.<\/p>\n Getting the Access Server installed is simple, download the appropriate package for your system and then use a package manager to install it. The installation process will set up\u00a0a default configuration, which allows a quick and easy way to get a server running. Below are listed the terminal commands for Debian 8, Ubuntu 14 and CentOS 7\u00a0systems to download and install the OpenVPN AS.<\/p>\n OpenVPN requires the\u00a0ifconfig<\/em>\u00a0-network utility, which can be installed along with the\u00a0net-tools<\/em>.<\/p>\n With CentOS 7 you will also need to make the following changes to\u00a0firewalld<\/em>.<\/p>\n Once the installation is complete, you will see output similar to the example below. You can then continue ahead with configuring your new VPN server.<\/p>\n Like mentioned towards the end of the installation output, you will need to set a password for the default user to log into the AS. Set a new password for the user\u00a0openvpn<\/em>\u00a0with the command underneath. Make sure the password is secure as the control panel\u00a0is accessible from the public internet by default.<\/p>\n With the password set, open the OpenVPN Access Server admin panel at the address specified by the installation output.<\/p>\n When opening the page for the first time, you will see a warning that your connection is not secure. This notice is normal as your web browser does not trust the OpenVPN self-signed SSL certificate by default. You will need to bypass the warning or add an exception on your web browser to continue to the login screen.<\/p>\n Log in with the username\u00a0openvpn<\/em>\u00a0and the password you assigned. Once in, you will see the OpenVPN status page similar to the image below.<\/p>\n On the Status Overview, you can find a summary of the server settings and a start\/stop -button to turn the VPN server on or off. At the right side panel, is an\u00a0At a glance<\/i>\u00a0server and connections status.\u00a0The OpenVPN Access Server allows two concurrent users for free.<\/p>\n Once logged in, open the\u00a0User Permissions<\/em>\u00a0-tab under\u00a0User Management<\/em>.\u00a0OpenVPN AS uses the same account credentials as the Linux server it is hosted on, this allows access control based on the user and group permissions defined in the control panel.<\/p>\n To make connecting and logging in easier, you should add your username to the\u00a0User Permissions<\/em>\u00a0-table.<\/p>\n For improved security, you might wish to lock the default user account; this can be done with the\u00a0passwd<\/em>\u00a0-terminal command show below using the\u00a0-l<\/em>\u00a0parameter. The same command with parameter\u00a0-u<\/em>\u00a0will unlock the account later if needed.<\/p>\n You can also control user specific IP address settings under User Permissions by clicking the\u00a0Show<\/em>\u00a0-link to open the advanced options. These settings allow you to assign a static IP address to each user, choose between NAT and routing, define the networks the users should have access to, configure a VPN Gateway, or setup a DMZ addresses that allow connections to the client through the public IP of the VPN server.<\/p>\n If you are possibly\u00a0going to have more than a couple of users connecting to the VPN, you might wish to define the permissions on the group level. Create a user group on your cloud server and add the same group name to the\u00a0Group Permissions<\/em>\u00a0list, you can then give access to users directly from your server terminal, adding them to the authorised\u00a0user group, without needing to add every user manually in the web admin panel.<\/p>\n The IP settings can be configured in the\u00a0Server Network Settings<\/em>\u00a0under\u00a0Configurations<\/em>\u00a0-menu. By default, the AS listens for incoming connections on the first network interface, but if you have multiple public IP addresses, it is possible to select between the interfaces or to listen on all of them.<\/p>\n In the VPN Server settings, you will find the hostname, IP addresses and protocols, as well as the port numbers all easily configured straight from the control panel.<\/p>\n If you have a valid domain name configured for your server, you can set the hostname to the\u00a0Hostname or IP Address<\/em>\u00a0-field to allow the AS to validate the configuration in the\u00a0Web Server<\/em>\u00a0-settings. The hostname also sets the server address in the AS generated profiles. Keep it set to the IP address the server is listening if you do not have a DNS record pointing to the server\u2019s IP.<\/p>\n Next are the\u00a0IP address settings for the\u00a0Admin Web control panel and port selection. Be careful when making changes to the admin IPs not to lock yourself out from the admin panel by changing the IP to something unreachable.\u00a0In such case, it is possible to reconfigure the AS manually at your cloud server side using the\u00a0\/usr\/local\/openvpn_as\/bin\/ovpn-init<\/em>\u00a0-tool as mentioned in the installation output.<\/p>\n With the basic configuration set, go to the Advanced VPN settings and scroll down to the bottom of the page. Here you will find the Additional OpenVPN Config Directives that allow you to specify additional server and client options.<\/p>\n To improve the server-client encryption, include the following\u00a0cipher and authentication options in both directives as shown above and then click the Save Settings button.<\/p>\n Remember to reload the server with the prompt at the top of the page as well.<\/p>\n For Mac and Windows users, the easiest way to set up a\u00a0VPN client is to use the OpenVPN Connect. It can be installed directly from your Access Server\u00a0and allows connecting to the VPN by logging in through the web portal. Linux users should use the OpenVPN client available through their system package manager.<\/p>\n Open the web connection login page on your browser. By default, the connection page can be found at the port 943 of your cloud server. You can use either the public IP address or domain name if you have one configured. Note that the connection needs to use HTTPS.<\/p>\n Opening the address\u00a0will show a warning that your connection is not trusted. Acknowledge the warning and proceed to sign in with your username and password.<\/p>\n After logging in, click the link to continue. It will start a\u00a0download for the Connect -client.<\/p>\n Install the client software, while keeping the OpenVPN connection page open. Follow the instructions in the installation wizard, and allow the application to connect to an untrusted SSL certificate when asked.<\/p>\n When the installation is complete, the client will automatically connect to the VPN and the login page will update to show the connection details. You can close the browser tab without interrupting the VPN,\u00a0but it can be helpful for disconnecting from the Access Server.<\/p>\n When logged it, you will be greeted by a list of connection options and a profile download shortcut, click the\u00a0Yourself (user-locked profile)<\/em>\u00a0-link to download your OpenVPN profile.<\/p>\n Save the file anywhere you can find it later, e.g. in your\u00a0~\/<\/em>\u00a0home directory.<\/p>\n OpenVPN client for most distributions can be installed from the standard repositories.<\/p>\n That is all that is need; you can then connect to the Access Server with the command below where the\u00a0~\/client.ovpn<\/em>\u00a0is your profile saved in your home directory. Enter your username and password when prompted.<\/p>\n When the VPN is up and running, you will see an output message\u00a0like the one below, a timestamp and a confirmation that the connection was successful.<\/p>\n Keep the terminal open while you wish to remain connected to the OpenVPN server. You can disconnect at any time by stopping the client with\u00a0Ctrl+c<\/em>\u00a0or by closing the terminal window.<\/p>\n With the VPN connection up and running, you should check that everything is working as expected. First, make sure you have access to the internet. If that works, you should test where you are connecting. Below are a couple of easy ways to verify that your connection is being routed through the OpenVPN Access Server.<\/p>\n When connected to a VPN, your network traffic first goes through the VPN server before heading to its real destination. For anyone else on the internet, it seems though your requests originate from your AS. Many online services can show the source address of your connection. One such is Google search for \u201cmy ip\u201d, you can use the link below for a shortcut.<\/p>\n https:\/\/www.google.com\/search?q=my+ip<\/a><\/p>\n If the IP address displayed above the search results matches that of your server\u2019s public IP address, the VPN is routing correctly.<\/p>\n UpCloud servers have a private IP address only accessible to the cloud servers on your account. While connected through a VPN, your client is essentially linked to the server\u2019s private network, but only on that host. As such you should be able to reach the VPN server\u2019s private IP address, which is listed at your\u00a0UpCloud Control Panel<\/a>\u00a0under\u00a0Network<\/em>\u00a0-menu and\u00a0Private Network<\/em>\u00a0-tab.<\/p>\n You can test the connections for example with\u00a0ping<\/em>\u00a0-command in your client computer\u2019s terminal or command prompt.<\/p>\n If you get a reply, your OpenVPN Access Server is working and you can use the private IP address on your VPN server for other connections.<\/p>\n Note that CentOS and other Red Hat variants might block ICMP requests at their firewall by default, in such case, you can test the routing with SSH instead.<\/p>\n![\"redhat\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/redhat.png\")
<\/a>![\"fedora\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/fedora.png\")
<\/a>![\"centos\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/centos.png\")
<\/a>![\"ubuntu\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/ubuntu.png\")
<\/a>![\"debian\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/debian.png\")
<\/a>![\"opensuse\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/opensuse.png\")
<\/a><\/p>\nDebian 8<\/h5>\n
wget http:\/\/swupdate.openvpn.org\/as\/openvpn-as-2.1.4-Debian8.amd_64.deb\nsudo dpkg -i openvpn-as-2.1.4-Debian8.amd_64.deb<\/pre>\n
Ubuntu\u00a014<\/h5>\n
wget http:\/\/swupdate.openvpn.org\/as\/openvpn-as-2.1.4-Ubuntu14.amd_64.deb\nsudo dpkg -i openvpn-as-2.1.4-Ubuntu14.amd_64.deb<\/pre>\n
CentOS 7<\/h5>\n
sudo yum install net-tools\ncurl -O http:\/\/swupdate.openvpn.org\/as\/openvpn-as-2.1.4-CentOS7.x86_64.rpm\nsudo rpm -i openvpn-as-2.1.4-CentOS7.x86_64.rpm<\/pre>\n
sudo firewall-cmd --add-service=https --permanent\nsudo firewall-cmd --add-port=943\/tcp --permanent\nsudo firewall-cmd --add-masquerade\u00a0--permanent\nsudo firewall-cmd --reload<\/pre>\n
The Access Server has been successfully installed in \/usr\/local\/openvpn_as\nConfiguration log file has been written to \/usr\/local\/openvpn_as\/init.log\nPlease enter \"passwd openvpn\" to set the initial\nadministrative password, then login as \"openvpn\" to continue\nconfiguration here: https:\/\/<public IP>:943\/admin\nTo reconfigure manually, use the \/usr\/local\/openvpn_as\/bin\/ovpn-init tool.<\/pre>\n
Configuring the Access Server<\/h2>\n
sudo passwd openvpn<\/pre>\n
https:\/\/<public IP>:943\/admin<\/pre>\n
![\"ssl_sercurity_warning\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/ssl_sercurity_warning.png\")
<\/p>\n![\"status_overview\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/status_overview.png\")
<\/p>\nUser Management<\/h4>\n
![\"adding_user\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/adding_user.png\")
<\/p>\n\n
passwd openvpn -l<\/pre>\n
![\"user_ip_settings\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/user_ip_settings.png\")
<\/p>\nServer Network Settings<\/h4>\n
![](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/server_network_settings-1.png\")
<\/p>\nAdvanced VPN<\/h4>\n
![\"Additional](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/additional_config_directives.png\")
<\/p>\ncipher AES-256-CBC\nauth SHA256<\/pre>\n
Connecting to the\u00a0Access Server<\/h2>\n
https:\/\/<server IP\/domain>:943<\/pre>\n
![\"logging_in\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/logging_in.png\")
<\/p>\nMac and Windows<\/h4>\n
![\"connecting\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/connecting.png\")
<\/p>\n![\"vpn_connected\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/vpn_connected.png\")
<\/p>\nLinux<\/h4>\n
![\"download_config\"](\"https:\/\/www.upcloud.com\/support\/wp-content\/uploads\/2016\/05\/download_config.png\")
<\/p>\n# Debian and Ubuntu\nsudo apt-get install openvpn\n# CentOS\nsudo yum install openvpn<\/pre>\n
sudo openvpn --config ~\/client.ovpn<\/pre>\n
Tue Apr 26 04:17:24 2016 Initialization Sequence Completed<\/pre>\n
Testing your connection<\/h2>\n
Your IP to the internet<\/h4>\n
Using the private IP addresses<\/h4>\n
ping <private IP><\/pre>\n
Conclusions<\/h2>\n