Set up VPN access using OpenVPN Access Server
  • 30 May 2022

Prerequisites
  • An FQDN that resolves to the OpenVPN VM's public IP. This is required so that a valid SSL certificate can be installed for the Admin portal of OpenVPN Access Server. A sub-domain is fine.
  • A valid SSL certificate for the VM's FQDN

The process outlined:

  1. Create the application from App Launchpad
  2. Set up NSX rules
    1. Create IPSet
    2. Create Port Profiles
    3. Create Firewall Rule
    4. Create NAT rule
  3. Configuring OpenVPN Access Server
  4. Connecting to the VPN via an OpenVPN client
  5. Register with OpenVPN for additional client connections

Create the application from App Launchpad

Locate the application in App Launchpad.


The smallest size should be fine for the VPN VM.



Once the Application has been created, the next step involves setting up rules in the VDC’s NSX Edge to allow clients to connect into the VPN VM.


Setting up the NSX Edge

There are two rules to set up in the NSX Edge, two new Application Port Profiles, and one IP Set to be used by the rules.

The IPSet

First, determine the local IP assigned to the OpenVPN Access Server VM.

  1. Click Virtual Machines
  2. Click Details under the OpenVPN Access Server VM
  3. Click NICs in the VM details menu.
  4. Locate the IP Address assigned to the VM's NIC

In this example, 192.168.0.3 is being used by the OpenVPN VM.


Create an IP Set to be used by firewall rules for this VM.

  1. Under Networking, on the left-hand menu, click Edges
  2. Click on the name of the NSX Edge to bring up its details
  3. Under Security, click on IP Sets
  4. Click NEW to create an IP Set for the VM

When creating the IP Set:

  1. Name it appropriately
  2. Give it a description (optional)
  3. Enter the local IP for the OpenVPN Access Server VM (This was determined earlier)
  4. Click ADD to add the IP to the IP Set
  5. Save the IP Set


Create the Application Port Profiles

Two Application Port Profiles need to be created: one for admin access to OpenVPN Access Server, and one for the port VPN clients connect to.

A third port profile, HTTPS, will also be used. This allows VPN users to log in, download OpenVPN configuration files for their clients, and read the instructions for setting up the client on their device. We don't need to create this port profile, as it already exists as a default profile on the system.

Creating the port profiles:

  1. Click on Application Port Profiles, under Security, in the NSX menu
  2. Click NEW under “Custom Applications” when creating a new profile
  3. Create the Admin Access profile
    1. Name the profile “OpenVPN - Admin“
    2. Add a description for the profile (optional)
    3. Select TCP as the protocol
    4. Set 943 as the port
    5. Click Save
  4. Create the VPN client port profile
    1. Name the profile “OpenVPN - Client Access”
    2. Add a description (optional)
    3. Set the protocol to UDP
    4. Set the port to 1194
    5. Click save


The Firewall Rule

In the NSX Edge, under Services, click on Firewall. Click on Edit Rules to create an allow for the ports required by OpenVPN Access Server.

  1. Click NEW ON TOP to create a new Rule
  2. Name the rule “OpenVPN Access Server”
  3. Add the Application Port profile
    1. Click the Pencil near the option for the rule
    2. Tick “Choose a specific application”
    3. Click the Funnel icon near Name and search for OpenVPN to display both of the port profiles created earlier. Repeat this step and the next one for HTTPS as well, so that HTTPS is also allowed.
    4. Tick the box next to both of the OpenVPN port profiles
    5. Click Save
  4. Set Source to Any
    1. Tick the Pencil under Source
    2. Toggle the switch for Any Source.
    3. Click the KEEP button
  5. Add the Destination IP Rule
    1. Tick the Pencil Icon under Destination, for the new rule
    2. Tick the box next to the IPSet that we created previously
    3. Click the KEEP button
  6. Save the new Rule by clicking SAVE at the bottom



The NAT Rule

Next, we need to create NAT rules so the NSX Edge knows which public IP translates to the private IP of the OpenVPN VM. Note that you will need an FQDN that resolves to this public IP, and preferably a valid SSL certificate for that domain name.

In the NSX menu, click on NAT under Services, and then NEW, near the top of the NAT menu. We will need to set up 3 NAT rules, one for each of the required application ports.

The required Application ports are:

  • OpenVPN - Admin
  • OpenVPN - Client Access
  • HTTPS

Use the above, during step 6, when creating these NAT rules.

  1. Name the NAT Rule Appropriately
  2. Add a description (optional)
  3. Leave Interface Type as DNAT, which is its default setting
  4. Set the External IP for the FQDN
  5. Set the Internal IP for the OpenVPN Access Server VM
  6. Set the Application Port Profile ports
    1. Tick the pencil icon near Application
    2. Click the “Choose a specific application“ toggle
    3. Click the filter icon near Name and search for either OpenVPN or HTTPS based on which NAT rule you are creating
    4. Check the box next to the port profiles
    5. Click Save
  7. Click Save


Once all three NAT rules are in place, the firewall set-up is done, and we can power on the VM to configure it.


Configuring the OpenVPN Access Server VM

There are two stages when configuring the OpenVPN Access Server when it is launched from our App Launchpad. The first step involves logging in as root in the shell for the VM, and the second involves logging into the Web UI.

Initial Shell setup

This step isn’t as complicated as it may sound. When you log into the VM as root, via the vCloud Director Console, for the first time, you will be prompted to input all the required information, and the setup at this stage will run automatically.


To start this process, first power on the VM and launch the VM's console. Log in as root. Because this is likely the first time you have logged into the VM, an initial temporary password can be retrieved in vCloud Director.


Under the VM's box, click Details.




In the VM details menu, first click “Guest OS Customization”, and then click EDIT near the top.




On the next screen, you will find the temporary VM password in the "Specify password" field. This password was set when the App first launched from App Launchpad, as Guest OS Customization also runs at that time.


Now that you have this password, launch a console and log in as root. After logging in you will be prompted for the following:

  1. First, you will be prompted to change the root password. You will need to re-enter the current root password, then enter a new password, and enter the new password again to confirm.
  2. Next, you will be prompted to enter the VPN VM's domain name. This should be a valid domain name that resolves to the VPN VM's public IP, as this will allow you to secure web logins with an SSL certificate.
  3. You will see “Installing OpenVPN Access Server” momentarily, and then you will be prompted to set up the password for the Admin user.



After these steps, you will briefly be shown information on how to log into OpenVPN Access Server. If you missed this information, the following URLs will let you log in:


As Admin:

https://your-vpn-domain-name.com:943/admin


As a Client

https://your-vpn-domain-name.com


Note that you must use HTTPS to access the server. Initially, OpenVPN Access Server is installed with a self-signed SSL certificate; you can configure a valid certificate at a later time, and the SSL warning shown when first accessing the server can be ignored.
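The prerequisites, the NSX firewall and DNAT rules above, and the self-signed certificate note can all be checked from outside the VDC once the VM is up. The following script is an added example, not part of the original guide or of OpenVPN Access Server: it confirms that the FQDN resolves to the NAT external IP, that TCP 943 and 443 are reachable through the Edge, and whether the certificate on those ports is already trusted. The hostname and IP values in the comments are placeholders; the resolver, prober and TLS checker are injectable so the logic can be exercised without a live server.

```python
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Services published by the guide's firewall rule and its three DNAT rules.
EXPECTED_SERVICES: Dict[str, Tuple[str, int]] = {
    "OpenVPN - Admin": ("tcp", 943),
    "OpenVPN - Client Access": ("udp", 1194),
    "HTTPS": ("tcp", 443),
}

def resolve(fqdn: str) -> List[str]:
    """IPv4 addresses the FQDN resolves to (should be exactly the NAT external IP)."""
    return sorted({r[4][0] for r in socket.getaddrinfo(fqdn, None, socket.AF_INET)})

def tcp_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake completes, i.e. DNAT and firewall rule both pass traffic."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_trusted(fqdn: str, port: int, timeout: float = 3.0) -> bool:
    """True when the certificate on fqdn:port chains to the system trust store and
    matches the hostname; False while the initial self-signed certificate is in use."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn):
                return True
    except OSError:  # ssl.SSLCertVerificationError is a subclass of OSError
        return False

def audit(fqdn: str, external_ip: str,
          resolver: Callable[[str], List[str]] = resolve,
          prober: Callable[[str, int], bool] = tcp_open,
          tls_checker: Callable[[str, int], bool] = tls_trusted) -> Dict[str, str]:
    """Return a dict of findings; an empty dict means the live state matches the guide."""
    findings: Dict[str, str] = {}
    addrs = resolver(fqdn)
    if addrs != [external_ip]:
        findings["dns"] = f"{fqdn} resolves to {addrs}, expected [{external_ip}]"
    for name, (proto, port) in EXPECTED_SERVICES.items():
        if proto != "tcp":
            continue  # UDP 1194 has no handshake to observe; confirm it with a client connect
        if not prober(external_ip, port):
            findings[name] = f"tcp/{port} on {external_ip} unreachable: check DNAT and firewall rule"
        elif not tls_checker(fqdn, port):
            findings[f"{name} TLS"] = f"certificate on {fqdn}:{port} not trusted (still self-signed?)"
    return findings
```

Run it as `audit("vpn.example.test", "203.0.113.10")` (placeholder values) from a host outside the VDC; the client port is deliberately left to a real OpenVPN client connection.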


Configuring the VPN via the Web UI

Now that the Web UI is available, management can be handled through this interface.


First, log in to the Web UI using the username openvpn and the password you set up during the last stage.




After logging in, you will need to read and accept the EULA.


Initially, OpenVPN Access Server will be running the unlicensed free version, which allows two concurrent VPN connections. In later steps, we will go over how to license this VM with OpenVPN.


There are two steps we will discuss for getting you started with OpenVPN Access Server: setting the server hostname in the Web UI, and creating an initial user. Further information on configuring your VPN can be found at https://openvpn.net/static-links/documentation.

  1. Click on “Network Settings“ under CONFIGURATION.
  2. Replace the VM's local IP, under Hostname or IP Address, with the domain name used previously in this guide.
  3. Click “Save Settings” at the bottom of the page
  4. Click “Update Running Server“, in green, near the top of the page. This restarts the services used by the VM; wait a moment, then log back in at the same URL that was used previously.



Next, we will add a user that can log into the VPN via a client device. Click on “User Permissions” under “USER MANAGEMENT” in the left-hand menu.




On this page, enter a Username in the available text space, located under the admin account. I would also recommend adding “Allow Auto-login” as this will make it simpler when connecting with a client device; however, this option is up to you.


You will also want to click the “More Settings” icon, and set a strong password for the user.




Adjust any other settings that suit your needs, and don’t forget to click “Save Settings”, near the bottom, to save the new user.




After saving the user, you will again need to click “Update Running Server” for the change to take place.


Now your user will be able to log in, and connect to the VPN.

Connecting to the VPN with a Client device

The first step for a new user to connect to the VPN is to log into the normal https page, and use their credentials to log in.



OpenVPN is supported on many devices with several of them providing applications available to connect to the VPN. Click on the icon for your client device to review detailed information on how to connect with that device.


Registering OpenVPN Access Server to allow for additional client connections

If you would like to license OpenVPN Access Server so that additional clients can have access to the VPN, you can do so at the official OpenVPN site.

https://openvpn.net/access-server/pricing/


