Friday, November 15, 2024
Google search engine
HomeGuest BlogsHow to Install and Configure OpenVPN Access Server

How to Install and Configure OpenVPN Access Server

Introduction

OpenVPN Access Server is a tool that provides secure access to private networks. With the support for all popular OSes and multiple authentication methods, it is a go-to VPN solution for many SMBs.

If you do not use more than two simultaneous connections, the Access Server is free of charge.

Follow this guide to learn how to set up OpenVPN Access Server and configure network settings.

OpenVPN Access Server guide heading imageOpenVPN Access Server guide heading image

Prerequisites

Take note of the following information:

  • Data center name – e.g., CloudTest_DC
  • Organization name – e.g., CloudOrgTest
  • Site location – e.g., atlvpdc.geeksforgeeks.org

The details are available on the VMware Cloud Director landing page.

Organization details pageOrganization details page

Organization Overview

On the Cloud Director landing page, select a data center. Below is the overview of the information you need for OpenVPN Access Server setup.

Note: All IPs in this guide are used as an example. Please use your own public IPs within the external network’s range. You can choose any private IP for the configuration.

  • External network name. In the Data Centers tab, select Networking -> Edges and click the Edge name.
Cloud Director list of edgesCloud Director list of edges

Choose Gateway Interfaces to view the external network name. The name includes your organization’s name.

External network name in vCDExternal network name in vCD
  • First available public IP address. In the Data Centers tab, select Networking -> Edges. Click the Edge name and then IP Allocations to view the assigned public IP range.
Edge IP allocation in vCDEdge IP allocation in vCD

Then, click SERVICES and refer to the NAT and Firewall rules to determine which public IP from the range on TCP 443 port is unavailable. In our case, 131.xxx.xxx.108 is taken, so the first available public IP is 131.xxx.xxx.106.

List of firewall rules with taken IPsList of firewall rules with taken IPs
  • Document new DMZ network subnet for the new OpenVPN server. Choose any private IP. We picked /29 in case a second OpenVPN node is needed. For example:
    • DMZ network: 10.xxx.xxx.1/29
    • DMZ gateway: 10.xxx.xxx.1
    • One OpenVPN Access Server IP: 10.xxx.xxx.2
  • The number of used NICs for the edge. If you have 10 NICs, the new DMZ network will be created as Isolated even if Routed is selected. The Used NICs number is in the list of your edges
The number of used NICs for an edge in vCDThe number of used NICs for an edge in vCD
  • VM guest network, for example, 10.xxx.xxx.0/24.

Create OpenVPN Access Server Account

To create a free OpenVPN Access Server account:

1. Go to the OpenVPN Access Server page.

2. Click the Get Your Free Connections button.

OpenVPN Access Server sign-up button.OpenVPN Access Server sign-up button.

3. Enter the Email and click Create Your Account.

OpenVPN Access Server email fieldOpenVPN Access Server email field

4. Click the Confirm your email link when you receive the Email from OpenVPN.

5. Enter a password when the page loads.

6. Select Business Use (requires more information) or Personal Use and click Continue.

OpenVPN Access Server license type selectionOpenVPN Access Server license type selection

The Access Server Portal loads.

7. Click Create to create an activation key.

OpenVPN Access Server activation buttonOpenVPN Access Server activation button

The subscription and key details page loads.

8. Click the Copy Key button and save the subscription key as you will need it later for the OpenVPN Access Server configuration.

OpenVPN Access Server subscriptions page with the Copy Key button highlighted. OpenVPN Access Server subscriptions page with the Copy Key button highlighted.

Create DMZ Network for New OpenVPN Access Server

To create a new DMZ for the new OpenVPN Access Server network in VMware Cloud Director for your organization, navigate to Data Centers -> Networking – > Networks.

Click NEW to start the wizard.

Create new DMZ network option in vCDCreate new DMZ network option in vCD

1. Select Routed for the network type step and click NEXT.

vCD Network Wizard step 1vCD Network Wizard step 1

2. Enter a network Name and the Gateway CIDR you chose earlier, for example, 10.xxx.xxx.1/29. Other fields are optional. Click NEXT.

vCD Network Wizard step 2 vCD Network Wizard step 2

3. Chose Interface Type Internal for the selected edge with the Public IP and click NEXT. An example gateway is 10.xxx.xxx.1.

vCD Network Wizard step 3vCD Network Wizard step 3

4. Add static IP pools defined by the gateway CIDR you designated earlier. For example, 10.xxx.xxx.2 – 10.xxx.xxx.6. Click NEXT.

vCD Network Wizard step 4vCD Network Wizard step 4

5. If your edge has a DNS, you can enable Use Edge DNS. Otherwise, specify a public DNS provider, for example, 8.8.8.8 (primary DNS) and 1.1.1.1 (secondary DNS). Click NEXT.

vCD Network Wizard step 5vCD Network Wizard step 5

6. Review the network configuration and click FINISH when ready.

vCD Network Wizard step 5vCD Network Wizard step 5

Create SNAT/DNAT Edge Rules

To create new rules, in the Data Centers tab:

1. Navigate to Networking -> Edges.

2. Select an Edge Gateway and click Services. Wait for the pop-up window to load to apply all new rules on the external network name recorded.

vCD Edge Gateways screenvCD Edge Gateways screen

3. Click the NAT tab to start adding new rules. You can save the changes after every rule or when you add all of them.

Create SNAT Rule

To create a SNAT rule for outbound internet access in the NAT section:

1. Click the + SNAT RULE button.

Add SNAT rule button in vCDAdd SNAT rule button in vCD

2. Select the external public network.

3. Add the OpenVPN Access Server IP 10.xxx.xxx.2 in the Original Source IP/Range for any port and protocol.

4. Add the previously noted first available public IP 131.xxx.xxx.106 in the Translated Source IP/Range for any port and protocol.

5. Add a relevant description and click KEEP.

Edit SNAT rule section in vCDEdit SNAT rule section in vCD

The Save changes message appears on the main page. Save the progress now or when you add all rules.

Create DNAT Rules

Create the DNAT inbound rules in the NAT section:

1. Click the + DNAT RULE button.

2. Select the external public network.

3. Add the public IP 131.xxx.xxx.106 in the Original Source IP/Range.

4. Select UDP in the Protocol drop-down list.

5. Choose Any in the Original Port drop-down list.

6. Add the OpenVPN Access Server IP 10.xxx.xxx.2 in the Translated Source IP/Range field for any source port and IP.

7. Enter 1194 in the Translated Port.

8. Add a relevant description and click KEEP.

Edit DNAT rule section in vCDEdit DNAT rule section in vCD

Repeat the same steps for the second and third DNAT inbound rule, with these changes:

  • Set Protocol to TCP, Translated Port to 443, and add a relevant description.
  • Set Protocol to TCP, Translated Port to 943, and add a relevant description. (This one is a temporary rule for initial administration).

Remember to click Save changes when you finish adding all the rules or after every rule.

The rule list should look like this:

NAT rules table in vCDNAT rules table in vCD

Create Firewall Edge Rules

The firewall rules in this section must be higher than deny rules.

To create a firewall rule in the Data Centers tab:

1. Navigate to Networking -> Edges.

2. Select an Edge Gateway and click Services. Wait for the pop-up window to load.

3. Click the Firewall tab and the + button to start adding new rules. You need six different rules listed in step 6 below. Save the changes after every rule or when you add all of them.

Add edge firewall rule screen in vCDAdd edge firewall rule screen in vCD

Edit the values in the columns for every firewall rule. Hover over a cell to see the available actions. For the names of firewall rules, use the description from the NAT rules.

4. For Source and Destination, click the IP button to add an IP.

Add source IP address for firewall rule.Add source IP address for firewall rule.

5. For Service, click the + button and add the protocol and the destination port as listed in the image in step 6. Leave the source port to any.

Note: The order of the source and destination port in the Add Service box does not correlate to how the firewall rule table displays them.

Add firewall service box in vCDAdd firewall service box in vCD

6. When you finish, the firewall rules table looks like this:

Edge Gateway firewall rules table in vCDEdge Gateway firewall rules table in vCD

Create vApp with VM

To create a vApp with a new VM in the Data Centers tab:

1. Navigate to Compute -> vApps -> NEW and select New vApp.

Create a vApp with a new VM screen in vCDCreate a vApp with a new VM screen in vCD

2. Enter a name for the vApp and click the ADD VIRTUAL MACHINE button

Create a name for the vAppCreate a name for the vApp

3. Enter a VM name without spaces.

4. Select Type -> New and specify the OS details:

  • OS family: Linux
  • Operating System: Ubuntu Linux (64-bit)
  • Boot image: Ubuntu 20.04.3 Server.
New VM settings in vCDNew VM settings in vCD

5. In the Compute section, select Custom Sizing Options and set all four values to 1.

6. Enter 16GB for the disk size in the Storage section.

New VM storage settings in vCDNew VM storage settings in vCD

5. In the Network section, choose:

  • The previously created routed network.
  • Network Adapter Type: VMXNET3
  • IP Mode: Manual IP
  • IP Address: OpenVPN Access Server IP 10.xxx.xxx.2
New VM network configurationNew VM network configuration

6. Click OK and then CREATE. The progress is shown on the vApps screen.

Configure VM

To complete the VM setup, power on the vApp to start the OpenVPN Access Server VM:

1. In the vApps screen, click the ACTIONS link and choose Power On.

Power on menu for vApp in vCDPower on menu for vApp in vCD

2. Click VM Consoles and then VM Console to get access to the VM.

Launching VM console from the vApp screenLaunching VM console from the vApp screen

Wait for the VM to boot up.

3. Highlight ens160 and choose Edit IPv4.

VM Console network interface configurationVM Console network interface configuration

4. Choose Manual for the IPv4 Method. Confirm by selecting Done.

VM Console network interface IP method manualVM Console network interface IP method manual

5. Enter the network settings you used previously and select Save.

VM Console manual IP configuration stepVM Console manual IP configuration step

6. Select Done for the rest of the options and Continue to the storage configuration screen.

VM Console confirm storage configurationVM Console confirm storage configuration

7. Complete the profile setup and save the account information securely. The username is stored in the sudoers file. Do not use “openvpn” as a username so that the OS and the OpenVPN Access Server application account can be separate.

Note: The server’s name will be reflected in the Web OpenVPN Access Server Subscription Portal.

VM Console profile setupVM Console profile setup

8. Skip the SSH Server installation. Select Done to continue.

VM Console SSH setup stepVM Console SSH setup step

9. Wait for the process to finish and select Reboot Now.

VM Console installation complete screen. VM Console installation complete screen.

When done, the console shows the Failed unmounting /cdrom message.

10. In the Cloud Director, locate the OpenVPN Access Server VM in the Compute -> Virtual Machines screen. Click ACTIONS and select Eject Media to remove the Ubuntu ISO from the VM.

VM eject media option in vCDVM eject media option in vCD

11. Return to the VM console and hit Enter to reboot the machine. The VM boots to the login screen.

12. Enter the username and password used during the profile creation.

Ubuntu 20.04.3 LTS screenUbuntu 20.04.3 LTS screen

Verify VM Network and Install Updates

Ping the edge gateway and a DNS server via the VM console to verify the connection.

ping 10.xxx.xxx.1
ping 1.1.1.1
Pinging edge gateway and a DNS server via the VM consolePinging edge gateway and a DNS server via the VM console

When you confirm the connection is working, update the system:

sudo su -
apt update -y && apt upgrade -y

To make changes in the network configuration, edit the netplan config file using a text editor:

nano /etc/netplan/00-installer-config.yaml
netplan config file in nano editornetplan config file in nano editor

Install OpenVPN Access Server

To install the OpenVPN Access Server:

1. Go to the OpenVPN Access Server packages page and click the Ubuntu icon.

2. Copy and paste the commands one by one in the VM console while logged in as root. If there are any errors, check for typing mistakes. The second command has capital O, not a zero.

apt update && apt -y install ca-certificates wget net-tools gnupg
wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | apt-key add -
echo "deb http://as-repository.openvpn.net/as/debian focal main">/etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as

When the update finishes, you see the confirmation message.

Access Server update confirmation message. Access Server update confirmation message.

3. Save the OpenVPN Access Server password so you can use it later. The password can be changed via the OpenVPN Access Server UI.

Save the OpenVPN Access Server passwordSave the OpenVPN Access Server password

Configure OpenVPN Access Server

To configure OpenVPN Access Server:

1. Go to the OpenVPN Access Server admin page using the public IP, for example:

https://131.xxx.xxx.106:943/admin

2. Use the credentials you noted after the OpenVPN Access Server installation.

3. Click Agree if you agree to the terms and conditions.

OpenVPN Access Server EULAOpenVPN Access Server EULA

4. In Configuration -> Network Settings, change the hostname from the private IP address to the public IP.

OpenVPN Access Server network settings pageOpenVPN Access Server network settings page

5. Scroll down and click Save Settings and Update Running Server.

OpenVPN Access Server update running server messageOpenVPN Access Server update running server message

6. Navigate to Activation, enter the subscription key from the OpenVPN Access Server portal, and click Activate.

OpenVPN Access Server activation keyOpenVPN Access Server activation key

If successful, you receive the message “Subscription is active and operating normally.”

OpenVPN Access Server Subscription is active and operating normally messageOpenVPN Access Server Subscription is active and operating normally message

7. Navigate to Configuration – > VPN Settings, scroll to the Routing section and add the guest VM subnet you used previously.

OpenVPN Access Server routing settingsOpenVPN Access Server routing settings

8. Go to User Management -> User Permissions and create a new user account for the client VPN access. Click the More Settings icon to add a password.

OpenVPN Access Server user permissions pageOpenVPN Access Server user permissions page

9. Click Save Settings and Update Running Server

On the client side, there are a few more steps:

1. Log in to https://your_public_ip/ with the user you just created.

2. Install the recommended client for the OS you are using. Depending on the OS you choose, you either get a file to download or are redirected to the page to follow the installation instructions.

OpenVPN Access Server client OS selectionOpenVPN Access Server client OS selection

In Windows, if you get a Defender alert, accept to continue the installation. The profile is included with the installation.

If you already have the OpenVPN Access Server application installed and you are adding another connection, download the profile and import it.

OpenVPN Access Server user profile import linkOpenVPN Access Server user profile import link

3. Finally, launch the OpenVPN Access Server client and establish a connection.

Launch the OpenVPN Access Server client and establish a connectionLaunch the OpenVPN Access Server client and establish a connection

To test if the connection is working, RDP or SSH into your VM using the private IP.

Final Steps

Some firewall and DNAT rules are not necessary anymore. Log in to the Cloud Director and remove:

  • TCP 943 firewall rule.
  • TCP 943 DNAT rule.

To do so:

  1. Navigate to Networking -> Edges.
  2. Select an Edge Gateway and click Services.
  3. In the Firewall section, highlight the port 943 rule and click the X button to delete it.
  4. In the NAT tab, delete the DNAT TCP 943 rule. Highlight the row and click the X button.

Note: Once you remove the 943 firewall and NAT rules, the OpenVPN Access Server admin page will be accessible via https://your_public_ip/admin

Troubleshooting

If you can connect to your VMs with the SSL VPN Plus client and cannot when connected with the OpenVPN Connect application, please review the firewall rules you created and subnet added to the OpenVPN Admin page.

Additionally, try changing the following settings in the OpenVPN Access Server Admin page:

1. Go to the https://your_public_ip/admin page.

2. Navigate to Configuration -> VPN Settings.

VPN Settings in the OpenVPN Access Server AdminVPN Settings in the OpenVPN Access Server Admin

3. In the Routing section, change “Should client Internet traffic be routed through the VPN?” to No.

Setting for Should client Internet traffic be routed through the VPN in OpenVPN Access Server adminSetting for Should client Internet traffic be routed through the VPN in OpenVPN Access Server admin

Useful Links

For additional information on OpenVPN Access Server, consult the Open VPN documentation:

If you need to do subnet calculations, use the subnet calculator.

Note: Learn also how to install OpenVPN on Docker.

Conclusion

By following the instructions in this guide, you should have a working OpenVPN Access Server installation with proper configuration.

The setup process is straightforward and simple if you complete all the steps in the tutorial.

Was this article helpful?
YesNo

RELATED ARTICLES

Most Popular

Recent Comments