OpenVPN Access Server

Introduction

This document provides instructions for configuring a custom URL for users to connect to the AXS Guard OpenVPN Access Server using the OpenVPN Connect app. The custom URL replaces the static URL provided by AXS Guard Cloud. This document is intended for system administrators and IT professionals.

Requirements

Public DNS Records

To allow users to connect to your OpenVPN Access Server using a custom domain name, create a public DNS record (A record) that points to the server's public IP address. Refer to your DNS provider's documentation for specific instructions on creating an A record.

Server Certificates

Server certificates are required for both the OpenVPN Access Server (AS) and the OpenVPN server.

| Server Type | Requirements |
|---|---|
| OpenVPN AS | A valid certificate signed by a public Certificate Authority (CA) is required for the domain name associated with the public DNS record. The OpenVPN Connect app does not accept self-signed certificates or certificates signed by an untrusted CA by default. The certificate must be imported via PKI > Certificates on your AXS Guard appliance before you can assign it to the OpenVPN AS. |
| OpenVPN Server | Use the AXS Guard built-in CA to issue the server certificate and assign it to the OpenVPN server. |

Client Certificates

To establish a VPN connection, users need a valid client certificate. AXS Guard automatically issues these client certificates to users upon successful connection to the OpenVPN Access Server, as shown in the example below. Go to PKI > Certificates for an overview of certificates issued by AXS Guard.

image

Click on the certificate name in the overview to view additional details:

image

Server-side Configuration

Refer to the AXS Guard OpenVPN server documentation for detailed configuration instructions. This document focuses solely on the OpenVPN network configuration and local access server settings required for this specific setup. For proper operation, the AXS Guard appliance needs to be reachable over the internet via TCP port 443. Firewall rules are created automatically upon saving your configuration.

Network Settings

  1. Log in to your AXS Guard appliance.
  2. Navigate to VPN > OpenVPN > Server.
  3. Configure the network settings as shown in the example below (change the default protocol and server port).

    image

Access Server Settings

  1. Select the Access Server tab.
  2. Configure the local access server settings as shown in the example below.

    • Assign the certificate associated with the public DNS record of the OpenVPN AS.
    • The hostname must match the name as configured in your public DNS record(s) as well as the CN (or one of the Subject Alternative Names) in the server certificate.

    image
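
A pre-flight check for the hostname requirement above, added here as an example and not part of the AXS Guard documentation or tooling: it reports whether a certificate covers the custom hostname and, when run against a live server, whether it answers on TCP 443 with a chain the system trust store accepts. The hostname vpn.example.com and the sample certificates are constructed placeholders; treating DNS SANs as taking precedence over the CN follows standard TLS client behaviour (RFC 6125) and is an assumption about how your client matches names.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a client matches against: SAN entries if any, otherwise the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:  # RFC 6125: when DNS SANs exist, the CN is not consulted
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        # Require a dot in the remainder so "*.com" never matches.
        return bool(head) and rest == pattern[2:] and "." in rest
    return pattern == hostname

def hostname_covered(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def check_access_server(hostname, port=443, timeout=5):
    """Resolve the name, connect on TCP 443 and validate chain and name."""
    result = {"resolved": [], "tls_ok": False, "names": [], "error": None}
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
        result["resolved"] = sorted({info[4][0] for info in infos})
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        result["names"] = cert_names(cert)
        result["tls_ok"] = hostname_covered(cert, hostname)
    except OSError as exc:  # DNS failure, closed port, untrusted or mismatched cert
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

# Constructed certificates in the dict layout returned by SSLSocket.getpeercert().
CERT_OK = {"subject": ((("commonName", "vpn.example.com"),),),
           "subjectAltName": (("DNS", "vpn.example.com"),)}
CERT_SAN_MISMATCH = {"subject": ((("commonName", "vpn.example.com"),),),
                     "subjectAltName": (("DNS", "axsguard.example.com"),)}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for label, cert in [("ok", CERT_OK), ("san-mismatch", CERT_SAN_MISMATCH),
                        ("wildcard", CERT_WILDCARD)]:
        print(label, hostname_covered(cert, "vpn.example.com"))
```

To test a deployed server, call check_access_server() with your own hostname; a populated "error" field distinguishes DNS, port and certificate failures.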

User Authentication

Ensure that the appropriate users are granted access to OpenVPN. Configure the authentication policy for the OpenVPN AS, as explained in the OpenVPN server documentation.

Testing your Connection

Follow the connection instructions as provided in the OpenVPN server documentation.

Logs

Two types of server-side logs exist for the OpenVPN Connect app: Config and Access Server.

OpenVPN Config Logs

  1. Log in to your AXS Guard appliance.
  2. Navigate to VPN > OpenVPN > Logs > Config Logs.
  3. Select the appropriate date.

Access Server Logs

  1. Log in to your AXS Guard appliance.
  2. Navigate to Reverse Proxy > HTTP(S) > Logs.
  3. Select openvpn-as, then rewrite, error or access.
