Skip to content



About this Document

This guide serves as a reference source for technical personnel, system administrators and network administrators. We start by explaining the basic concepts of OpenVPN. Then we provide step-by-step instructions to configure the OpenVPN server on the AXS Guard appliance. Finally, we show you how to connect to the AXS Guard OpenVPN server with a freely available OpenVPN client in a Windows environment.

Examples used in this Guide

All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log in as a full administrator or a user with lower access privileges.

As software development and documentation are ongoing processes, the screenshots shown in this guide may slightly deviate from the current user interface.

About OpenVPN


In this chapter, we introduce OpenVPN. Topics covered in this chapter include:

  • An introduction to and a definition of OpenVPN

  • The Encryption used by OpenVPN

  • Authentication Methods

  • Supported Network Protocols

  • Supported Clients

  • OpenVPN Configuration Files

What is OpenVPN?

OpenVPN is an open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between hosts. It is capable of establishing direct links between computers across networks which use network address translation (NAT) and firewalls.

OpenVPN Concept

The AXS Guard OpenVPN server allows peers to authenticate via client certificates or via a combination of client certificates and username/password authentication, such as a DIGIPASS OTP. When used in a multiclient-server configuration, the AXS Guard OpenVPN server releases an authentication certificate for every client, via a Signature and Certificate Authority. OpenVPN uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol.

Data Encryption

OpenVPN uses OpenSSL to provide encryption for the data and the control channel. OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Detailed information about the OpenSSL core library is outside the scope of this manual. For more details and specifications, consult the online resources:

Authentication Methods

OpenVPN offers several methods to authenticate peers:

  • Certificate-based authentication (PKI); the client is authenticated via a client certificate which is generated on the AXS Guard OpenVPN server and exported to the OpenVPN client.

  • Certificate-based authentication, but in combination with username/password authentication (e.g. DIGIPASS OTP, back-end authentication). This requires extra configuration, since the Authentication Method has to be selected for the OpenVPN service, but it provides extra security in that physical access to the client is not sufficient to connect to the OpenVPN server.


  • For details about supported Authentication Methods and their configuration, see the AXS Guard Authentication How To, which can be accessed via the Documentation button in the Administrator Tool.

  • For details about PKI and certificates, see the AXS Guard IPsec How To, which can be accessed via the Documentation button in the Administrator Tool.

Supported Protocols

OpenVPN can run over UDP or TCP. It multiplexes all communications over a single TCP/UDP port. It has the ability to work through most proxy servers (including HTTP) and is effective at working through NAT and getting out through firewalls. The AXS Guard OpenVPN server can push certain network configuration settings to the clients. These include IP addresses, routing commands and a few other connection options.

Port 1194 is the official IANA assigned port number for OpenVPN. Newer versions of the program now default to that port. The use of common network protocols (TCP and UDP) makes OpenVPN a desirable alternative to IPsec in situations where an ISP blocks specific VPN protocols.


  • On the AXS Guard OpenVPN server, port 443 and TCP are the recommended defaults for Firewall traversal.

  • Verify if you have no other services running on TCP port 443. If other services are running on that port, the OpenVPN service will not be able to receive connections.

Supported Clients

The AXS Guard supports any open source OpenVPN client, as well as the Community and Access Server Editions from OpenVPN Technologies, Inc, which offer the following advantages:

OpenVPN Configuration Files

Depending on the client, you will either have to export a configuration file or a configuration pack.

Both types contain the information (certificate + configuration) that is required for clients to successfully locate, connect to and authenticate with the OpenVPN server. The difference is that the private key in the OpenVPN Configration file cannot be password protected, which means you need to be cautious when distributing the file.

  • Use the OpenVPN configuration file for the Access Server Edition, e.g. if you intend to deploy the client via Active Directory.

  • Use the OpenVPN configuration pack for the Community Edition by OpenVPN Technologies or any other open source client.

The FQDN of the OpenVPN server as specified in the configuration must be resolvable by the client. Make sure your DNS repository is properly configured.

OpenVPN Access Server

AXS Guard features an OpenVPN Access Server which facilitates the rapid deployment of secure remote access for OpenVPN users. The OpenVPN Access Server is fully compatibile with the OpenVPN Connect Client, which is freely available for Windows, Android and iOS.

With this client, users can easily download and import their OpenVPN configuration and certificate via a secure connection to the AXS Guard Cloud. This feature considerably alleviates administrative burden for system administrators, as they no longer have to manually distribute OpenVPN certificates and configuration files to authorized users.

OpenVPN Server-Side Configuration


In this chapter, we explain how to configure the AXS Guard OpenVPN server. Topics covered in this chapter include:

  • How to activate the OpenVPN server

  • How to initialize the AXS Guard Certificate Authority (CA)

  • How to create a server certificate

  • How to configure the AXS Guard OpenVPN server

  • How to create, assign and export an OpenVPN client configuration

  • How to configure authentication for the OpenVPN service

  • How to configure user-level settings, such as Firewall rights

Feature Activation

  1. Log on to the AXS Guard appliance.

  2. Navigate to System > Feature Activation > VPN.

  3. Select Do you use OpenVPN? and update your configuration.


About Server and Client Certificates

You must use the AXS Guard CA to create the appropriate client and server certificates. The concept and use of the AXS Guard PKI are fully explained in the PKI How To, which can be downloaded by clicking on the Documentation button in the administrator tool. What follows is an overview of what is covered in this manual.

  • How to initialize the CA

  • How to generate certificates

  • How to import, export and revoke certificates

  • How to configure automatic notifications.

Why we advise against using a commercial CA

When private services - such as VPN access - are provided, it is recommended to use a private CA, such as the built-in CA.

Public CAs will issue certificates for anybody, while the built-in CA insures only a select group of people have access. Therefore access to the OpenVPN server needs to be secured with certificates issued by the built-in Certificate Authority.

The use of a commercial CA is also very inconvenient if you have a lot of clients to manage. If a commercial CA is used for the server certificate, then you will be forced to stay with the same commercial CA to sign the client certificates. In case you switch certificate vendors, you will be forced to reconfigure all OpenVPN clients.

Connection Settings

The connection settings are used by the OpenVPN server to listen for incoming client connections. The parameters listed in the table below are included in the client configuration file which is generated when you export an OpenVPN configuration pack. To configure the connection settings:

  1. Navigate to VPN > OpenVPN > Server.

  2. Enable the OpenVPN server.

  3. Configure the connection settings as explained in the tables below.

    OpenVPN Connection Settings

Option Description

Enable OpenVPN Server

Enables and starts the OpenVPN server.

Server Binding Options

Select the appropriate option. See the context-sensitive help on the AXS Guard appliance for additional information. OpenVPN will bind to all interfaces by default.

IP Address

OpenVPN will bind to the specified IP address. This field is only visible if you set the option above to Bind to IP address .


Select the protocol for OpenVPN connections. TCP is the system default as it can traverse proxies. Changing this option on an existing server configuration requires you to reconfigure your clients.

Server Port

Enter the OpenVPN server port. 443 is the system default port. Changing the port on an existing server configuration requires you to reconfigure your clients.

Avoid port conflicts. If another service is using TCP port 443, for example the webmail or reverse proxy service, the OpenVPN server will fail to start. Change the OpenVPN port number in that case.

Option Description


The number of seconds between keep-alive checks. 5 seconds is the system default.


If the client does not reply to the OpenVPN server within the specified period, the connection will be reset. 10 seconds is the system default.

Option Description

Tunnel Device Type

Select the device type which will be used to set up OpenVPN connections. TUN is the system default option which is supported by most devices and operating systems. TUN is also required if you intend to use the OpenVPN Access Server. TAP is only needed if you want to transport non-IP based traffic or for bridging, e.g. if you want your LAN and VPN clients to be in the same broadcast domain.

IP Range

The range of IP addresses that is distributed to the OpenVPN clients. Use the CIDR notation, e.g. Make sure the range is not used elsewhere in your network to avoid routing issues.

Use small Subranges

Enable to support outdated client software, i.e. for computers which are using OpenVPN 2.0.9 or older versions.

OpenVPN 2.0.9 and older versions of the client software cannot configure a network range for OpenVPN TUN and TAP devices (IP + subnet). As a workaround, the server IP range is divided into small subranges; each client will be allocated a virtual /30 subnet, taking up 4 IP addresses per client, plus 4 additional IP addresses on the server side.

It is recommended to upgrade the client software instead of using this option, as this may result in premature depletion of the configured IP address pool (IP range).

Security Settings

  1. Navigate to VPN > OpenVPN > Server.

  2. Select the Security Settings tab.

  3. Enter the settings as explained in the tables below.

    Security Settings

Option Description

Server Certificate

Select the server certificate for the OpenVPN server. Go to PKI > Certificates to create or import a server certificate. If no hostname is specified in the server certificate, enter it in the Server Hostname field.

Current Certificate

Shows the certificate details of the selected server certificate.

Server Hostname

This field is optional. Enter the external FQDN or IP address of the OpenVPN server, e.g. The hostname will be written to the OpenVPN client configuration files used by the OpenVPN clients. Note that you only need to enter a hostname if you did not specify an FQDN or IP address in the server certificate.

Option Description

Allow Duplicate Certificates

Allows simultaneous OpenVPN connections from a single user if enabled. Enable this option if you have users which require OpenVPN access from different computers or devices which use the same client certificate.

Enforce Additional Authentication

If enabled, clients will be required to provide a username/password in addition to a client certificate for authentication. Go to Authentication > Services to configure the authentication policy of the OpenVPN server. Select DIGIPASS to enforce two-factor authentication.

Option Description

Cipher Algorithm

Select the desired data encryption cipher for OpenVPN connections. AES is highly recommended and is the system default algorithm. The digits after AES represent the key size, which is expressed in bits. 128 bits is the system default key size. The higher the key size, the stronger the encryption. Changing this option on an existing server configuration requires you to reconfigure the clients. .

Push-to-Client Configuration

  1. Navigate to VPN > OpenVPN > Server.

  2. Select the Push-to-Client Configuration tab.

  3. Enter the settings as explained in the tables below.

  4. Update your configuration.

    Push-to-Client Configuration

Option Description

DNS Server

Add the primary domain name server address. Repeat to set secondary DNS server addresses.

WINS Server

Add the primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat to set secondary WINS server addresses.

Search Domain

Enter a connection-specific DNS suffix, e.g. This allows clients to resolve unqualified hostnames in the specified domain.

Option Description

Re-route Client Traffic

If enabled, all client traffic, including Internet traffic, will be routed over the VPN connection. If you disable this option, you must add the internal networks that should be reachable by your OpenVPN clients.


Add the internal network(s) you wish to make available to your OpenVPN clients. Use the CIDR notation, e.g.

Granting Access to OpenVPN

Group-level Access

  1. Navigate to Users & Groups > Groups

  2. Select the appropriate group

  3. Select the VPN tab

  4. Check the appropriate VPN option

  5. Click on update to save your settings


User-level Access

  1. Navigate to Users & Groups > Users.

  2. Select the appropriate user by clicking on the username.

  3. Click on the VPN tab.

  4. If access to the VPN service is already allowed in the user’s group, select use group configuration. If not, set the option to on to overrule the group configuration.

  5. Update your configuration.

    Configuring OpenVPN Access for a User

OpenVPN Firewall and Application Control Settings

System-Wide Firewall Policies

System-wide firewall policies affect all users on the AXS Guard network. Connected OpenVPN users are considered a part of the secure network. It is crucial to restrict the system-wide firewall rights as much as possible.

The default system-wide firewall policies (stat-sec and stat-z-fix) provide appropriate security for OpenVPN access. However, you can overrule these default policies simply by creating separate, custom policies. The custom policies must then be added to the AXS Guard group or user profile in order to be applied after authentication.

A list of default firewall rules is available in the AXS Guard Firewall How To, which can be accessed via the Documentation button in the Administrator Tool. You can also click on a firewall rule or policy to view its configuration.

User and Group Firewall Policies.

Able highly recommends the use of a strong client-side firewall and the creation of dedicated firewall policies for access to network resources that are available through the VPN connection. A predefined firewall policy, fwd-access-lan, is available for convenience. This policy allows any type of traffic towards the AXS Guard secure LAN when a VPN connection is established.

About Application Control

The application control system monitors the application layer (layer 7 of the OSI model) of the network. This is also known to as Deep Packet Inspection (DPI), a form of computer network packet filtering that examines the data part of a packet as it passes the AXS Guard, searching for defined criteria, such as protocols or websites, to decide whether the packet may pass or needs to be blocked. The AXS Guard also collects and reports statistical information about all layer 7 traffic.

The application control system allows application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports, e.g. http traffic on ports other than 80, and also the opposite, e.g. detect Skype traffic on port 80. The system will also detect and block access to certain file types, such as multimedia files (if enabled).


Group-level Configuration

  1. Navigate to Users & Groups > Groups.

  2. Click on the appropriate group name.

  3. Select the VPN tab to specify the VPN firewall and application control policies.

  4. Update your configuration.

    L2TP Group Level Firewall Configuration



Add Firewall Policy

Select specific firewall policies for group members who connect to the corporate network with a VPN client, such as a PPTP client. Go to Firewall > Policies > Dynamic for an overview of defined firewall policies.

Option Description

Use computer/system application control policies

Enforce the system-wide policies, assigned under Application Control > General and the computer-level policies, if any.

Add to computer/system application control policies

Assign specific policies to this group, in addition to the system-wide policies configured under Application Control > General and computer-level policies, if any.

Overrule computer/system application control policies

Do not enforce the system-wide policies and computer-level policies, but only the specified policies. The specific policies will be enforced when a member of the group successfully authenticates.

User-level Configuration

  1. Navigate to Users & Groups > Users.

  2. Click on the appropriate username.

  3. Select the VPN tab and select the appropriate firewall and application control policy modes as explained below.

  4. Update your configuration.

    User Level Firewall Configuration

Option Description

Use Group Firewall Policies

Select this option if you wish to apply the same firewall policies for VPN use as defined in the user’s group.

Add to Group Firewall Policies

Select this option to add specific policies for VPN use, in addition to the user’s group firewall policies.

Overrule Groups Firewall Policies

Select this option to overrule the group firewall configuration and specify unique policies for the user.

Option Description

Use group application control policies

Only enforce the policies as configured for the user’s group.

Add to group application control policies

Enforce the policies as configured for the user’s group and the policies that are specified in the user profile.

Overrule group application control policies

Only policies configured at the user, computer and system levels are enforced. Group policies are not enforced.

Overrule Group / Computer / System Application Control Policies

Only the application control policies configured at the user level are enforced.

Exporting OpenVPN Configuration Files

OpenVPN client configuration and certificate files must be generated on the AXS Guard CA under PKI > Certificates. See the PKI guide for more information on creating and exporting certificates.

  • Mind the difference between OpenVPN Configuration Packs and Configuration Files, as explained in OpenVPN Configuration Files.

  • You can simply block a user’s OpenVPN access by revoking the client certificate.

Generating an OpenVPN Client Configuration

  1. Go to PKI > Certificates.

  2. Export the client’s OpenVPN configuration pack.

    Exporting an OpenVPN Client Configuration

Format Description


Used by PAX units, IPsec Road Warriors and L2TP clients.

OpenVPN Configuration Pack

Used by OpenVPN clients (with private key protection).

OpenVPN Configuration File

Used by OpenVPN clients (without private key protection).

Export Password

A password to protect the certificate. You will need this password to install the certificate on the client.

Downloading OpenVPN Configuration Files

Users can also download their OpenVPN configuration via the AXS Guard cloud. In order to do this, users need a compatible OpenVPN client and a valid set of credentials - like a username and a password - and of course the address (URL) of the OpenVPN Access Server.


  • The AXS Guard OpenVPN server must be correctly configured and running.
  • The Tunnel Device Type must be set to TUN - IPv4 Encapsulation (TAP is not supported).
  • The AXS Guard appliance must be reachable via the AXS Guard cloud. This can be tested by logging in to the AXS Guard cloud portal. Then select Technical and click on the login button which matches the license of your appliance.


OpenVPN Access Server URL:
Simply replace 0000-000XXXXX with the license number of your AXS Guard appliance.

Supported Clients:

OS Client
Windows OpenVPN Connect
Linux OpenVPN 3 Linux
macOS OpenVPN Connect v3 (OpenVPN Connect v2 is not supported)
iOS OpenVPN Connect v3

User Authentication

Setting the OpenVPN Server Policy

Clients are authenticated by their client certificate. However, additional authentication methods are available for increased security, e.g. DIGIPASS authentication.

In this section, we explain how to configure additional authentication methods for OpenVPN users. For detailed information about authentication methods and policies, see the AXS Guard Authentication How To, which can be accessed via the Documentation button in the Administrator Tool.

The instructions in this section are only relevant if you enabled authentication on the OpenVPN server (see Security Settings).

  1. Navigate to Authentication > Services.

  2. Click on OpenVPN.

  3. Choose the appropriate Authentication Policy by clicking on the Select button, e.g. DIGIPASS if you want users to authenticate with a one-time password.

  4. Update your configuration.

    Setting the Authentication Policy for OpenVPN

Field Description


The AXS Guard service to be configured. This field cannot be edited.

Authentication Policy

The authentication policy determines how users must authenticate to access the service. Go to Authentication > Advanced > Policy for an overview of policies configured on your system.

Brute Force Attack Protection

Enable to protect the selected service against brute force attacks as configured under Authentication > General.

AXS Guard Service

Supported Authentication Policies


  • OATH


  • DirectoryService


  • Password

Setting the OpenVPN Access Server Policy

Configure the authentication policy for users who download their OpenVPN configuration via the AXS Guard cloud, using their OpenVPN Connect Client.

  1. Navigate to Authentication > Services.

  2. Click on OpenVPN Access Server.

  3. Choose the appropriate Authentication Policy by clicking on the Select button.


OpenVPN Client-Side Configuration

Deploying with Active Directory


The documentation to install and deploy the OpenVPN Technologies client is available on the official website: The main reason you want to use this client, is because it can be deployed via Active Directory, which is particularly useful in large network environments.

The OpenVPN Connect client (MSI) must be deployed via GPOs using a generic server locked profile. For further information and instructions, see the online reference: Deploying the Access Server Connect Client via GPOs

Copying the Server and Client Files to Their Appropriate Directories

The AXS Guard OpenVPN configuration file, which contains the client certificate and configuration, must be copied to the appropriate directory on the client, typically C:\Program Files\OpenVPN\config\ This process can be automated with an Active Directory logon script. Refer to your Active Directory documentation for information about creating logon scripts. Check the OpenVPN online reference for more information.

Windows OpenVPN Client Connect Example

  1. Download and install the OpenVPN Client Connect app.
  2. Launch the OpenVPN Connect app.
  3. Enter your OpenVPN Connect URL, e.g.
    Replace 0000-00012345 with the license number of your AXS Guard appliance.


  4. Click on the Next button.

  5. Enter your user credentials for the OpenVPN Access Server.
  6. Click on Import to download your OpenVPN configuration.
  7. Click on the slider button to connect to the OpenVPN server (to initiate a VPN connection).
  8. Enter your OpenVPN server password when prompted.


Manual Installation and Configuration in Windows


You need the following to successfully install, configure and run your OpenVPN client in Windows:

  • A working server configuration.

  • A valid client certificate.

  • The free OpenVPN client, which can be downloaded from

  • A Windows workstation with Internet access

  • Windows Administrator privileges (required to install and run the OpenVPN software)

Installing the OpenVPN Client

  1. Log in to Windows as an administrator.

  2. Download the OpenVPN client software.

  3. Start the installer and follow the on-screen instructions.

Extract the OpenVPN Configuration Files

  1. Log on to Windows (administrator privileges are required).

  2. Save the OpenVPN configuration pack to the location of your choice.

  3. Right click on the file and select Extract All as shown below.


Testing the OpenVPN Connection

  1. Open the folder where your extracted the OpenVPN configuration pack.

  2. Right-click on the OpenVPN configuration file and select Start OpenVPN on this config file (administrator privileges are required).


  3. Enter the credentials and certificate password as requested on screen.

  4. Minimize the window when your connection is up.

    OpenVPN Connection Up

Close the window to stop the OpenVPN connection.

OpenVPN Status and Logs


In this chapter, we explain how to check the status of connected users and the OpenVPN logs.

Checking the Status

  1. Log on to the AXS Guard appliance.

  2. Navigate to VPN > Status > OpenVPN.

Accessing the OpenVPN Logs

  1. Log on to the AXS Guard appliance.

  2. Navigate to VPN > Logs > OpenVPN.

  3. Click on the desired log date to view the entries.

Type Description
Server Logs The OpenVPN server logs contain detailed information about VPN server events, such as client connection details, encryption and authentication. They allow you to analyze and troubleshoot client connectivity.
Config Logs The config logs contain useful information about OpenVPN client connect events. See the context-sensitive help on your AXS Guard appliance for additional information.


The OpenVPN service fails to start

If another service on your appliance is already using port 443, the service will not start. In that case, you must change the port number.

AXS Guard services that also use port 443:

  • The SSL VPN server

  • The Reverse Proxy server

  • The Webmail server

Contact Able Support if you need to change your Webmail service port.

The connection to the OpenVPN server is successful, but I cannot connect to the corporate LAN

Windows requires administrator privileges to execute some functions in the OpenVPN software, such as adding network routes. Run the OpenVPN client as an administrator.

The OpenVPN client indicates that the route addition failed using CreateIpForwardEntry

Run the VPN client as an administrator.

The OpenVPN client indicates that the user cannot write to the log folder

Run the VPN client as an administrator.

Authenticating without providing a certificate password.


This is possible, but not recommended. The certificate passphrase protects your certificate when it’s copied from one location to another. It also prevents abuse in case it is intercepted or stolen by a third party and provides authentication if no other authentication method has been configured for the OpenVPN service.

This operation requires you to use the command line. Note that the openssl binary, which is needed to remove the certificate password, is not included with the OpenVPN client, so this method only works on a Linux machine or on a Windows machine where the cygnus or openssl package is installed. If a user insists on removing the password of the pkcs12 client certificate, use the following command:

openssl pkcs12 -in <name of .p12> -nodes -out file.pem

Put this file in C:\Program Files\OpenVPN\config. Then modify the ovpn config file as follows:

  • Remove:

    pkcs12 <name of cert>

  • And add:

    ca file.pem
    cert file.pem
    key file.pem
I see an "Auth Username/Password was not provided by peer" error in the logs.

Delete the current OpenVPN client configuration and export the original OpenVPN client configuration again on the client.


If you encounter a problem

If you encounter a problem with AXS Guard, follow the steps below:

  1. Check the troubleshooting section of the feature-specific manual.

  2. Check the knowledge base on this site for information about special configurations.

  3. If no solution is available in any of the above sources, contact your AXS Guard vendor.

Contact Information

(+32) 15-504-400