Manoj Kumar
- Nov 17
- 7 min read

Beginner's Guide to OpenVPN: Everything You Need To Know

Prerequisites:

You will need the following items to complete this tutorial

A Compute Engine (VM) Instance up and running with OpenVPN Access Server.

Install OpenVPN Access Server on Compute Engine

Setup your own OpenVPN Access Server in Google Cloud Platform
The following post explains how to install Access Server in Compute Engine.
How to Setup OpenVPN-AS in Ubuntu 20.04 - Google Cloud(GCP).

An Overview of OpenVPN

Introduction

In today's society, the Internet is as common as any other public service. When a person buys a house or moves into a new apartment, or a business moves into a new location, the first utility on the list to be purchased is Internet service, followed by power, heat, trash, and sometimes (though unlikely) a landline or telephone service. It's even possible to argue that the current qualifier isn't required. With programmes like One Laptop per Child and efforts from companies like Facebook and Google, so-called third-world countries now have access to the Internet despite the lack of running water, sewerage, or even telephone lines.

When you have a large-scale service with a large number of users, it becomes vital to secure and protect the data transmitted across that network at some point. In most gatherings particularly dense crowds, there is a more malicious element attempting to take advantage of those who are less knowledgeable. Virtual Private Networks (VPNs) were developed in response to a growing demand for secure communication across an otherwise vulnerable infrastructure.

Intelligence agencies have long been targets of the government. Methods and procedures have been gradually improved and tuned over thousands of years to protect sensitive information from attackers and other inquisitive eyes. Originally, wax-sealed letters delivered by trusted individuals meant that you and the recipient could be confident that a message had arrived safely and undamaged. As time and technology progressed, intercepting those messages, reading or altering them, and sending them on their path grew easier.

What is a virtual private network (VPN)?

Types of VPN's

History of OpenVPN

OpenVPN packages

OpenVPN Connect

Quick tour

Take a look at the Admin Web UI, Client UI, and OpenVPN Connect in action.

Administrator Web User Interface:

Client Web User Interface:

OpenVPN Connect Interface:

Step - 1: OpenVPN Access Server Administrator Web User Interface Status

The status section explains how to utilise the Admin Web UI to get server status, a configuration overview, and the number of currently connected users. There are instructions for querying the log database and viewing log reports.

Status Overview

The VPN server is now on or off, as shown by the Status Overview section. If it's turned on, you may stop the OpenVPN daemons by clicking Stop the Server. If the server is not running, you may start the OpenVPN daemons by clicking Start the Server.

Active Configuration

The Active Configuration area of the Admin Web UI displays several key configuration options that are controlled in the configuration and authentication sections.

Current Users

The Current Users section provides information about actively connected users in the following columns:

Log results

The log query's results are displayed below the search and filter fields, with information in the columns below:

Step - 2: OpenVPN Access Server Configuration

Activation Key

When OpenVPN Access Server is utilised without any software licencing, it will enable two connections by default. This allows you to get a free trial of the product.
It also provides the possibility to generate subscription keys via our Access Server site, with two free connections. The benefit of utilising and enabling this is that you can easily change the number of connections permitted on a subscribed OpenVPN Access Server by modifying the subscription from our Access Server interface.

Clustering Mode

In version 2.7.3, OpenVPN adds the clustering capability to Access Server. Clustering is a high-availability technique that distributes the strain of VPN connections and data exchanges among numerous servers. Multiple Access Servers, or nodes, are used in a clustering system to offer active connections for VPN customers.
Please see this page for further information on the Cluster functionality and how to configure it.

TLS Settings

TLS Settings lets you change the TLS settings for both the OpenVPN protocol (tunnel) and the Access Server web server. When the Access Server is installed, the SSL library used is OpenSSL.
TLS Settings allows you to adjust the minimum TLS protocol used by both the OpenVPN tunnel and the Web Server. It's a basic interface that prevents the Access Server and Web Server from having to deal with different minimal protocols.

Network Settings

You may alter the hostname, protocol, daemons, and port numbers for the three network servers that make up the Access Server: the VPN Server, the Admin Web UI, and the Client Web Server, on the Server Network Settings page.
Hostname - VPN clients will use this name or IP address to connect to the VPN Server. It must be a fully qualified domain name or a public IP address (FQDN).
Protocol - Protocol choices include TCP, UDP, and Both (multi-daemon mode). The OpenVPN protocol works best when using only the UDP protocol. The downloaded Access Server connections profiles are pre-programmed to try UDP first, then TCP if that fails. TCP or both may be required for some networks that may restrict some traffic.
Network Settings offers a simple interface for configuring VPN server settings as well as website settings for the Admin and Client servers. It's a basic website that shows how easy it is to configure the Access Server in comparison to manually specifying these parameters.

VPN Settings

The VPN Settings interface allows you to change how the Access Server handles routing. You may build VPN IP subnetworks, adjust routing parameters, and provide DNS server settings for clients. Because the options on this page are global, they can be deactivated as a global setting while still being established on the user and group levels.
VPN IP network - When a VPN Client connects to your Access Server, the virtual VPN IP network assigns it a unique IP address. The Dynamic IP Address network is in charge of this.
Routing - This is where you may specify whether or not connected users have access to server-side resources, whether or not all traffic is routed through the VPN, and whether or not clients can access network services via the VPN gateway IP address.
DNS Settings - You can leave the client's DNS settings alone, utilise the Access Server's DNS settings, or provide particular DNS server IP addresses in the DNS section. If you choose Yes for Should client Internet traffic be routed through the VPN?, clients must use the same DNS servers as the Access Server host.
VPN settings allow for the simple configuration of routing settings. These are all global settings, therefore they aren't absolute. These options will take precedence if they are stated in the user/group settings.

Advanced VPN

Advanced VPN gives you more options for customising how the Access Server handles routing. Consider it an extension of VPN Settings Configuration.
Inter-Client Communication - This option defines whether or not users may communicate with one another.
Multiple Sessions per User - This option defines whether a single user can connect to the server many times at the same time. Each such connection is counted as a distinct concurrent user for purposes of user limitations. No matter what option a user has, they cannot have numerous concurrent VPN connections if they have a static IP address.

Web Server

Web Server Configuration gives you access to general information about SSL web server certificates and keys, as well as the ability to upload CA bundle files, certificates, and keys, and validate selected certificates and keys.
It allows you to customise your Access Server's certification settings. You can learn more about the certification package, upload your own certification, and revert to the prior certification.

CWS Settings

CWS Settings allows you to customise how users interact with the webserver. Certain features may be configured, such as blocking access to administration, allowing only specified OpenVPN user interfaces to access the webserver, or changing how users update their own passwords worldwide.
Configure XML-RPC/REST API - You may use the settings in this area to block people from using the API or to enable them to do so.
Customize Client Web Server UI - You may manage the choices users see on the CWS using these setting options. Restriction can be applied to any of the available downloads/profiles. For example, if you don't want users to be able to download their own profiles, you can disable user-locked profiles.
CWS Settings allows you to control who has access to the Client Web Server. It also allows you to customise what appears on the page when a user has successfully logged in.

Failover

Failover Settings allows the administrator to enable Access Server's built-in failover capability. You have the option of using this functionality, which allows you to configure a secondary node with access to both the primary and secondary nodes.

CA Management

It allows you to examine and create certificate authority (CA) certificates for your Access Server. It's a new feature included in version 2.9 that allows you to see the information of current and previous CA certificates and, if required, issue a new one.

Step - 3: User Management

After you've installed Access Server on your server, you'll need to provide access to users. The Admin Web UI provides an administrator with a simple interface for controlling access control for your users, such as adding or removing credentials, defining permissions for sub-networks, and managing privileges.

User Permissions

User Permissions is where you configure all user settings for Local Authentication. You may change the passwords of users, assign them to groups, grant or remove admin access, and ban them from the server.

User Profiles

It allows you to browse all of your users' profiles, create and download new ones, and remove old ones.
User Profiles gives you general information on how to manage your VPN client user profiles. This area of the Admin Web UI is applicable to version 2.9 and above.

Group Permissions

Group Permissions allows you to configure Access Server Client settings at the group level. These preferences take precedence over any global setting. The group configurations are used if no user settings are provided.
User Permissions and Group Permissions are quite similar. In terms of the combinations they provide, they are practically identical.

Step - 3: Authentication

Authentication refers to the process of selecting an authentication mechanism for users.
Users can be authenticated using one of four network protocols provided by Access Server. The setup requirements for each of them are different. Other parameters will need to be configured depending on the protocol used. Each of these protocols will have its own database, which will store the various user permissions and credentials.
General - You have four alternative choices for user authentication using General. For Access Server, you may establish local, PAM, RADIUS, and LDAP authentication.
PAM - It shows whether your Access Server is using Pluggable Authentication Modules (PAM). It's the mechanism that allows users to log in to a Unix host's access server. It has a Use PAM button that allows you to switch to PAM when it's not in use.
RADIUS - It allows you to set up RADIUS servers for user authentication and accounting (optionally). You can pick from three different RADIUS configuration techniques. You may also set up five RADIUS servers to function as authentication servers.
LDAP - The settings for authenticating users using an LDAP server may be configured using LDAP. If you wish to secure authentication using the limitations specified by your LDAP server, you must establish these parameters. You may validate user credentials using LDAP by using an Active Directory domain controller or another LDAP server. For Access Server to properly search for user credentials while attempting to authenticate.

Step - 3: Tools

Profiles - It allows you to select the configuration profiles to use for the Access Server as well as customise the various profiles.
DB Convert - Converting from SQLite to MySQL is a function provided by Access Server to assist with the transition from the default setup to the Cluster configuration. When converting from one format to another, you have the option of maintaining your credentials. It adds to Access Server's already extensive failover capabilities.

Conclusion:

Here are some more setup options that are recommended for beginners.