How to Set Up OpenVPN Access Server
OpenVPN Access Server is a full-featured SSL VPN solution that provides secure remote access to your Breeze instance and private network. It includes a web-based administration interface and supports multiple authentication methods, making it straightforward to deploy and manage.
Installing OpenVPN Access Server
On Ubuntu or Debian-based Breeze instances:
sudo apt update
sudo apt install -y ca-certificates wget net-tools gnupg
sudo wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repo-public.asc
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/as-repo-public.asc] http://as-repository.openvpn.net/as/debian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/openvpn-as.list
sudo apt update
sudo apt install -y openvpn-as
On AlmaLinux or Rocky Linux:
sudo yum install -y https://as-repository.openvpn.net/as-repo-centos8.rpm
sudo yum install -y openvpn-as
Initial Configuration
After installation, set the admin password:
sudo passwd openvpn
Access the Admin Web UI at https://your-breeze-ip:943/admin and log in with the openvpn user and the password you set. The client portal is available at https://your-breeze-ip:943.
Network Settings
In the Admin UI, configure these essential settings under Configuration > VPN Settings:
- VPN IP Network — set the VPN subnet (e.g., 172.27.224.0/20)
- Routing — choose whether clients should route all traffic through the VPN or only specific subnets
- DNS Settings — push DNS servers to connected clients for name resolution
User Management
Add VPN users through the Admin UI or command line:
# Create a new user via the command line
sudo /usr/local/openvpn_as/scripts/sacli --user newuser --new_pass "SecurePassword123" SetLocalPassword
# Grant admin privileges
sudo /usr/local/openvpn_as/scripts/sacli --user newuser --key "prop_superuser" --value "true" UserPropPut
Configuring Authentication
OpenVPN Access Server supports multiple authentication backends:
- Local authentication — built-in user database
- LDAP/Active Directory — integrate with existing directory services
- RADIUS — connect to RADIUS servers for centralized authentication
- SAML — enable single sign-on through SAML identity providers
Configure authentication under Authentication > General in the Admin UI.
Firewall Configuration
Open the required ports on your Breeze instance:
# Admin and client web interfaces
sudo ufw allow 943/tcp
# OpenVPN TCP and UDP
sudo ufw allow 443/tcp
sudo ufw allow 1194/udp
sudo ufw reload
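The check below is an added example, not part of the original guide or of OpenVPN's tooling: it reads plain `ufw status` output and reports whether the VPN ports opened above are present and whether 943/tcp (the Admin Web UI and client portal) is allowed from any source. The function name audit_ufw and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). audit_ufw is a hypothetical helper
# that reads plain `ufw status` text on stdin and prints one finding per line.
audit_ufw() {
  awk '
    { gsub(/ \(v6\)/, "") }                 # fold IPv6 rows into the IPv4 form
    /^Status:/ { active = ($2 == "active"); next }
    $2 == "ALLOW" {                         # rule row: <port/proto> ALLOW <source>
      seen[$1] = 1
      if ($1 == "943/tcp" && $3 == "Anywhere") admin_open = 1
    }
    END {
      if (!active) { print "FAIL ufw is not active"; exit }
      if (admin_open)           print "WARN 943/tcp (web UI) is allowed from Anywhere"
      else if (seen["943/tcp"]) print "OK 943/tcp is limited to specific sources"
      else                      print "INFO 943/tcp has no ALLOW rule"
      n = split("443/tcp 1194/udp", want, " ")
      for (i = 1; i <= n; i++) {
        state = (want[i] in seen) ? "OK" : "MISSING"
        print state " " want[i] " (VPN port)"
      }
    }'
}
# Constructed sample: `ufw status` after running the commands in this guide.
sample_open() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
943/tcp                    ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
943/tcp (v6)               ALLOW       Anywhere (v6)
EOF
}
# Constructed sample: 943/tcp limited to one source, 1194/udp rule absent.
sample_restricted() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
943/tcp                    ALLOW       203.0.113.10
443/tcp                    ALLOW       Anywhere
EOF
}

sample_open | audit_ufw
```

On a live host, pipe the real output into the function with `sudo ufw status | audit_ufw`.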
Client Connection
Users download the OpenVPN Connect client from the client portal at https://your-breeze-ip:943. The portal provides auto-configured profiles that include all necessary certificates and settings.
Hardening the Installation
# Restrict TLS to 1.2 and above
sudo /usr/local/openvpn_as/scripts/sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut
# Enforce certificate-based authentication
sudo /usr/local/openvpn_as/scripts/sacli --key "auth.module.type" --value "certificate" ConfigPut
# Apply changes
sudo /usr/local/openvpn_as/scripts/sacli start
Best Practices
- Enable multi-factor authentication — require a second factor like TOTP alongside passwords
- Use certificate pinning — prevent man-in-the-middle attacks by pinning server certificates
- Limit concurrent connections — set per-user connection limits to prevent credential sharing
- Monitor active sessions — regularly review connected users in the Admin UI
- Keep the server updated — apply OpenVPN Access Server updates promptly for security patches
OpenVPN Access Server provides a reliable and feature-rich VPN solution for securing access to your Breeze instance and internal resources.