In a previous post I dealt with setting up an OpenVPN Community Edition server which is the free version of OpenVPN. I had initially hoped to use Authy for two-factor authentication in addition to LDAP but later found out that wasn’t going to work. So now I am looking at using DUO for two-factor authentication and OpenVPN Access Server.
Access Server is the "paid" version of OpenVPN and is significantly easier to install and configure than the open-source Community Edition. The two products fulfil the same function and rely on the same underlying VPN technology, but the internal structure of Access Server is quite different from the community edition.
Just to be clear: if you don't need two-factor authentication and don't mind applying a bit of digital elbow grease, I highly recommend the community edition of OpenVPN; it scales extremely well and has no licensing fees. That said, Access Server is reasonably economical, especially compared to putting in a hardware appliance like a Fortigate or Cyberoam UTM box.
This guide assumes you have an Ubuntu 13 box to work with, have full root access on it, know your way around the Linux command line, and have a basic understanding of networking concepts, including VPNs.
Let’s dive in!
Before you go any further: if you plan on authenticating against LDAP/Microsoft Active Directory, make sure the required ports are open between your Active Directory Domain Controller and your OpenVPN server. For Access Server's LDAP authentication that means at least LDAP on TCP 389, or LDAPS on TCP 636 if you turn on SSL for the LDAP connection. The full list of ports used by AD traffic is here: What ports on the firewall should be open between Domain Controllers and Member Servers?
Log in to your box and elevate your privileges using:
Next, make a directory in your user's home folder and download the Access Server .deb package into it for installation. I am using a 64-bit build of Ubuntu 13 Server, so I fetch the 64-bit package; those of you on a 32-bit server need the 32-bit package instead. If you are following this tutorial months or years later, check the OpenVPN downloads page and update the URL, as there is almost certainly a newer version of the software out: OpenVPN Access Server Download Page
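A quick way to confirm the firewall path before you touch the GUI is to test TCP connectivity from the OpenVPN box toward the DC. The script below is an added example, not part of the original post; it uses bash's built-in /dev/tcp plus coreutils' timeout, so nothing extra needs installing. The port list is my assumption: Access Server's LDAP authenticator only needs 389 (or 636 with SSL), and the Global Catalog ports 3268/3269 are included for multi-domain forests.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight TCP reachability check
# from the OpenVPN server toward the Domain Controller.

# Assumption: Access Server's LDAP auth needs LDAP (389) or LDAPS (636);
# 3268/3269 (Global Catalog) only matter in a multi-domain forest.
AD_PORTS="389 636 3268 3269"

# check_tcp HOST PORT -> 0 if a TCP connect succeeds within 3 seconds, 1 otherwise.
# bash is invoked explicitly so /dev/tcp works even if this file runs under sh.
check_tcp() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# check_ad_ports DC_HOST [PORT ...] -> prints one line per port and returns the
# number of ports that could not be reached (0 means the path is clear).
check_ad_ports() {
  local dc=$1; shift
  local ports=${*:-$AD_PORTS}
  local failed=0 p
  for p in $ports; do
    if check_tcp "$dc" "$p"; then
      printf 'OK       %s:%s\n' "$dc" "$p"
    else
      printf 'BLOCKED  %s:%s\n' "$dc" "$p"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: ./check_ad_ports.sh dc01.corp.example.com [389 636 ...]
# (dc01.corp.example.com is a placeholder, not a host from the post)
if [ $# -gt 0 ]; then
  check_ad_ports "$@"
fi
```

Run it as the same user and from the same host the VPN service will use; a BLOCKED line on 389 or 636 means LDAP authentication will fail no matter how the GUI is configured. Only TCP is tested here, which is all the LDAP bind needs.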
Then install the package file with the following:
That was tough... not really. The beauty of Access Server is that configuration is done through easy-to-use web GUIs (a web page, or "graphical user interface", used to interact with the server). When the install finishes, the installer prints the URLs for the Client UI and the Admin Web UI of your new OpenVPN Access Server in the terminal; note them down.
Before you head over to that nice GUI, you need to change the password for the default OpenVPN admin user account, and you do this from the terminal. Run the following command to set the password for the user "openvpn":
Now you can visit the Admin UI for OpenVPN and log in with "openvpn" as the user and whatever password you just set.
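The download, install and password steps above, collected into one script. This is an added example, not code from the original post or from OpenVPN; the .deb URL is a placeholder you fill in from the downloads page (no release URL is assumed here), and the architecture helper exists so you pick the 64-bit or 32-bit package that matches the host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the Access Server install steps
# as one script. Run as root (sudo -s first). The .deb URL is a placeholder.
set -eu

# deb_arch [MACHINE] -> Debian architecture name for a `uname -m` value
# (defaults to this host), used to pick the amd64 or i386 package.
deb_arch() {
  local m=${1:-$(uname -m)}
  case "$m" in
    x86_64|amd64) echo amd64 ;;
    i?86)         echo i386 ;;
    *)            echo "unsupported architecture: $m" >&2; return 1 ;;
  esac
}

# install_access_server DEB_URL -> downloads the package into ~/openvpn-as and
# installs it with dpkg, letting apt-get resolve any missing dependencies.
install_access_server() {
  local url=$1 dir=$HOME/openvpn-as
  mkdir -p "$dir"
  cd "$dir"
  wget -O openvpn-as.deb "$url"
  dpkg -i openvpn-as.deb || apt-get -y -f install
}

# set_admin_password -> the built-in admin account is "openvpn"; give it a
# password before visiting the Admin UI, otherwise you cannot log in.
set_admin_password() {
  passwd openvpn
}

# Usage (as root): ./install-as.sh <URL of the .deb from the downloads page>
if [ $# -gt 0 ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo -s first)" >&2; exit 1; }
  echo "Detected architecture: $(deb_arch); make sure the package URL matches."
  install_access_server "$1"
  set_admin_password
  echo "Admin UI: https://$(hostname -I | awk '{print $1}'):943/admin"
fi
```

The final line only guesses the first local address; use the URLs the installer itself printed if they differ.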
In my case, I am going to my Chrome web browser and typing this into the URL bar at the top: https://192.168.25.10:943/admin
When you first visit the Web GUI page you will get a scary-looking SSL warning. It appears because Access Server installs with a self-signed certificate, so your browser has no way to verify it. On a LAN where you control the host, proceed past the warning, but plan to replace that certificate with one from a CA your users trust (Configuration > Web Server in the Admin UI) before exposing the server to them, rather than training people to click through TLS warnings. You will then need to agree to some legalese before you can move on.
Access Server is free to use for up to 2 users concurrently. After that, you need to buy licenses.
Once you are in, the configuration is fairly straightforward for most admins after a bit of poking around. I recommend sticking to NAT mode unless you specifically need bridged (layer 2) mode for some reason. The only part that might be a bit tricky is getting the syntax right for the LDAP configuration (the bind DN, the base DN and the username attribute, which for Active Directory is sAMAccountName), but even that is simple compared to configuring the community edition.
Have questions? Feel free to leave comments and I will try to help. The OpenVPN site has pretty good tutorials on setting up Access Server, so it felt redundant to dig into more detail here. My next post will be on getting DUO multi-factor authentication to work with Access Server + LDAP (assuming it can work...)
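Since the GUI's LDAP error messages are terse, it pays to verify the bind DN, base DN and username attribute with ldapsearch from the VPN box before typing them in. The script below is an added example, not code from the original post or from OpenVPN; it assumes ldap-utils is installed, that the username attribute is sAMAccountName, and that the DC name, DNs and account in the usage comment are placeholders. The filter builder escapes LDAP metacharacters so a username containing `*` or `(` cannot widen the search, which is the check you want in place anywhere a user-supplied name ends up in a filter.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate Access Server LDAP
# settings with ldapsearch before entering them in the Admin UI.
# Assumes ldap-utils; server, DNs and usernames below are placeholders.

# ldap_escape VALUE -> VALUE with RFC 4515 filter metacharacters escaped,
# so a username like 'ali*' cannot turn the search into a wildcard match.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_filter USERNAME -> the AD user lookup filter for the sAMAccountName
# attribute (our assumption about what to test, not Access Server's own code).
ldap_filter() {
  printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# ldap_check_user SERVER BIND_DN BASE_DN USERNAME -> 0 and prints the DN when the
# bind works and exactly one user matches; 1 on zero/ambiguous matches; 2 if the
# bind or search itself fails (wrong bind DN, password, or blocked port).
ldap_check_user() {
  local server=$1 bind_dn=$2 base_dn=$3 user=$4 out
  out=$(ldapsearch -x -LLL -H "ldap://${server}" -D "$bind_dn" -W \
          -b "$base_dn" "$(ldap_filter "$user")" dn) || return 2
  case $(printf '%s\n' "$out" | grep -c '^dn:') in
    1) printf '%s\n' "$out"; return 0 ;;
    0) echo "no match for $user under $base_dn" >&2; return 1 ;;
    *) echo "ambiguous: more than one match for $user" >&2; return 1 ;;
  esac
}

# Usage (placeholders, prompts for the bind account's password):
#   ./ldap-check.sh dc01.corp.example.com \
#     'CN=svc-openvpn,OU=Service Accounts,DC=corp,DC=example,DC=com' \
#     'DC=corp,DC=example,DC=com' alice
if [ $# -eq 4 ]; then
  ldap_check_user "$@"
fi
```

If the bind fails, fix the bind DN or password before blaming Access Server; if the bind works but a known user returns no match, the base DN is too narrow or the username attribute is wrong. Switch `ldap://` to `ldaps://` to test the SSL variant on 636.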