How to connect it from internet?

solution
OpenVpn Newbie
Posts: 2
Joined: Mon May 24, 2021 9:44 am

How to connect it from internet?

Post by solution » Mon May 24, 2021 9:46 am

I just installed OpenVPN Access Server on VMware ESXi.
And I want to access the LAN now from home via the Internet.
Is it possible? What is my next step?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: How to connect it from internet?

Post by openvpn_inc » Mon May 24, 2021 11:17 am

Hello,

The next step ideally would be to set up a DNS record like vpn.yourcompany.com or something. This record should resolve to the public IP of your Internet gateway device - that is usually your WiFi router. With that set up, when you try to access vpn.yourcompany.com in some way, like pinging for example, it should try to access your Internet gateway's public IP. Now you need to set up port forwarding in your router for ports TCP 443, TCP 943, TCP 945, and UDP 1194. Those are the ports Access Server uses. Set up the port forwarding so that requests on the public IP of your router are forwarded to the internal IP of your OpenVPN Access Server. Now the web interface should load when you try to access https://vpn.yourcompany.com/.

Now go to the Access Server's Admin UI (https://vpn.yourcompany.com/admin), go to Network Settings, and set the 'hostname or IP address' field to the address vpn.yourcompany.com. Also, if you haven't done so yet, add a new user on the User Permissions page.

Now go to a VPN client computer system, like your computer at home for example, and open https://vpn.yourcompany.com (without the /admin) and log in as a user on the Access Server. Now download the offered OpenVPN Connect client software and install it and use the button to start the connection. Now you have successfully connected from outside the network, and by default, Access Server is set up to give access to resources in the local network that the Access Server is on. If you want to access a fileshare on Windows for example, you can enter its IP in Windows Explorer: \\192.168.70.123\somefileshare

Note that if you had installed the VPN client before you correctly set the hostname or IP address field in Access Server, that VPN client will need a reinstall, so that it gets the correct information on how to connect to your server.

Also note that technically it is not required to use a DNS record. You can also use just the public IP address. But the downside of that is that if you ever change IP address, then you have to update it manually in Access Server and then reinstall your VPN clients so they will connect to the correct new IP address. If you use a DNS address, all you need to do in the event of a change of public IP, is to update the DNS record, and all clients will fall in line automatically.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

solution
OpenVpn Newbie
Posts: 2
Joined: Mon May 24, 2021 9:44 am

Re: How to connect it from internet?

Post by solution » Tue May 25, 2021 12:47 am

openvpn_inc wrote:
Mon May 24, 2021 11:17 am
Hello,


Now you need to set up port forwarding in your router for ports TCP 443, TCP 943, TCP 945, and UDP 1194. Those are the ports Access Server uses. Set up the port forwarding so that requests on the public IP of your router are forwarded to the internal IP of your OpenVPN Access Server. Now the web interface should load when you try to access https://vpn.yourcompany.com/.

Now go to the Access Server's Admin UI (https://vpn.yourcompany.com/admin), go to Network Settings, and set the 'hostname or IP address' field to the address vpn.yourcompany.com. Also, if you haven't done so yet, add a new user on the User Permissions page.

Now go to a VPN client computer system, like your computer at home for example, and open https://vpn.yourcompany.com (without the /admin) and log in as a user on the Access Server. Now download the offered OpenVPN Connect client software and install it and use the button to start the connection. Now you have successfully connected from outside the network, and by default, Access Server is set up to give access to resources in the local network that the Access Server is on. If you want to access a fileshare on Windows for example, you can enter its IP in Windows Explorer: \\192.168.70.123\somefileshare

Note that if you had installed the VPN client before you correctly set the hostname or IP address field in Access Server, that VPN client will need a reinstall, so that it gets the correct information on how to connect to your server.

Also note that technically it is not required to use a DNS record. You can also use just the public IP address. But the downside of that is that if you ever change IP address, then you have to update it manually in Access Server and then reinstall your VPN clients so they will connect to the correct new IP address. If you use a DNS address, all you need to do in the event of a change of public IP, is to update the DNS record, and all clients will fall in line automatically.

Kind regards,
Johan

https://192.168.0.5/admin/network_settings

Hostname or IP Address: 192.168.0.5
- Should I change it to my public Internet IP address?

TCP 443, TCP 943, TCP 945, and UDP 1194.
Set port forwarding to my public Internet address, right?

Actually I don't need a DNS record nowadays. How do I create the DNS feature in the future?

Then how do clients connect to it?

Is it something like this?

https://MyPublicInternetIp:PORT/

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to connect it from internet?

Post by chilinux » Wed May 26, 2021 5:21 pm

Yes, if OpenVPN AS is running behind a device performing NAT then the "Hostname or IP address" must be the public IP on the external/WAN side of the NAT device. Otherwise the OpenVPN configuration files produced by AS will contain the private IP which is unreachable from the Internet.

You normally only need to port forward TCP 443, TCP 943 and UDP 1194. Only if you are using the clustering feature should allowing TCP 945 be needed.

Clients should be downloading the OpenVPN Connect client and configuration files via https which by default already goes to port 443. So they should be connecting like this:

https://MyPublicInternetIP/

The other ports will be specified in the configuration file and don't need to be manually specified.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: How to connect it from internet?

Post by openvpn_inc » Mon May 31, 2021 5:18 am

Hello solution and chilinux,

Thank you for your contributions, both of you, it will help future users to get their answers themselves quickly and easily.

Regarding the question of whether to put public IP, chilinux is right. However, I would like to once again point out that it is better to use a DNS record that resolves to the public IP. While using public IP will work now, you may end up breaking your VPN solution if that public IP ever changes. Hopefully in your case that will not happen.

In the case that you use a public IP directly, and the public IP on your VPN server changes, you have to update the IP in your Access Server and then put new connection profiles on your VPN clients to get them connected again. Otherwise they'll keep trying to reach the old IP.

In the case that you use a DNS record that in turn resolves to the public IP, and the public IP on your VPN server changes, you can simply update the DNS record, and you're done. And if you expect your public IP to change often, you can even automate that updating of the DNS record by using dyndns or such.

Anyway, just wanted to again recommend DNS over straight public IP for the above reasons.

Kind regards,
Johan

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: How to connect it from internet?

Post by chilinux » Sun Jun 06, 2021 9:22 am

I would generally agree that using DNS entries is preferable to using the IP directly.

However, for a novice using the current versions of OpenVPN AS, this is not made easy. Not only is configuring a DDNS client left external to OpenVPN AS, there are also the complexities of setting the Common Name of the SSL/TLS certificate for the web server accordingly. The CN should match exactly with the fully qualified DNS name. Since not all users have selected a domain or DDNS provider before installing OpenVPN AS, the server's hostname will not match during the install. Despite this, OpenVPN AS only generates a self-signed certificate at install.

The post-install certificate configuration options are the bare minimum options of allowing the user to upload the CA bundle, Certificate and Private key.

Other options I have come to expect from modern web server control panels are:

(1) The ability to regenerate the self-signed certificate after changing the hostname/domain

(2) The ability to generate a Certificate Signing Request (CSR) using the already installed private key

(3) The ability to enroll with Let's Encrypt free Domain Validation certificate authority and be able to expect the control panel to automatically handle the certificate renewals every 2-3 months

If someone is not familiar with using the openssl command line tool or a similar tool to generate a CSR then for novice users evaluating OpenVPN AS for the first time, it should be fine to just use the IP address in the short term.

As a matter of personal policy, I never recommend using a private key that has been provided by the certificate authority. I prefer to make sure the private key has never been exposed outside of the server.
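The command-line route discussed in this post, as an added example that is not part of the thread or of Access Server: create the private key on the server, build a CSR whose CN and subjectAltName are the fully qualified DNS name, and confirm the CSR belongs to that key before sending it to a certificate authority. The file names and `vpn.yourcompany.com` are placeholders, and the sketch assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example. File names and the host name are placeholders.

# Create the private key on the server itself, only if none exists yet,
# so it never leaves this host. umask keeps it readable by the owner only.
ensure_key() {
    [ -s "$1" ] && return 0
    ( umask 077 &&
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1" 2>/dev/null )
}

# Build a CSR for FQDN $1 from the existing key $2, writing it to $3.
# CN and subjectAltName both carry the exact name clients will type.
make_csr() {
    openssl req -new -key "$2" -out "$3" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1"
}

# Succeeds only if CSR $1 carries the public half of private key $2.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Succeeds only if both the Subject and the subjectAltName of CSR $1
# contain the name $2 as a whole word.
csr_names_fqdn() {
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep 'Subject:' | grep -qwF "$2" &&
        printf '%s\n' "$text" | grep -qwF "DNS:$2"
}
```

Only the CSR file goes to the certificate authority; the key file stays on the server and is uploaded to the web server together with the signed certificate and CA bundle.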

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: How to connect it from internet?

Post by openvpn_inc » Tue Jul 13, 2021 6:41 pm

Hello chilinux,

At least option #1 is present in Access Server 2.9.2. Regarding 2, that's an interesting option, at the moment we still rely on command line instructions to generate one yourself. Regarding 3, yes, that is coming.

About IP over DNS - the problem with that is when the IP changes, which is a real problem.

About private key - agreed, you should not use a private key generated by another party, even the certificate authority. You should create one yourself and keep it yourself.

Kind regards,
Johan

mohammad alsharqi
OpenVpn Newbie
Posts: 7
Joined: Thu Dec 01, 2022 8:23 pm

Re: How to connect it from internet?

Post by mohammad alsharqi » Sat Dec 03, 2022 4:04 pm

openvpn_inc wrote:
Mon May 31, 2021 5:18 am
Hello solution and chilinux,

Thank you for your contributions, both of you, it will help future users to get their answers themselves quickly and easily.

Regarding the question of whether to put public IP, chilinux is right. However, I would like to once again point out that it is better to use a DNS record that resolves to the public IP. While using public IP will work now, you may end up breaking your VPN solution if that public IP ever changes. Hopefully in your case that will not happen.

In the case that you use a public IP directly, and the public IP on your VPN server changes, you have to update the IP in your Access Server and then put new connection profiles on your VPN clients to get them connected again. Otherwise they'll keep trying to reach the old IP.

In the case that you use a DNS record that in turn resolves to the public IP, and the public IP on your VPN server changes, you can simply update the DNS record, and you're done. And if you expect your public IP to change often, you can even automate that updating of the DNS record by using dyndns or such.

Anyway, just wanted to again recommend DNS over straight public IP for the above reasons.

Kind regards,
Johan

Dear Johan

I use noip.com to register my domain and put my private IP in the DNS record. I can still access it from my local router, but when I try to use it from another router I couldn't access it.

One more thing: I'm wondering how to reach my public IP if I place my private IP in the DNS record, because I'm connecting to my ISP through a PPPoE server.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: How to connect it from internet?

Post by openvpn_inc » Tue Dec 06, 2022 8:29 pm

Hello mohammad,

A DNS record that contains a private IP can only be usefully employed in the network where the private IP can be reached. DNS records normally are used with public IP addresses. That way if you run a service on a public IP, you can use the domain name instead of the IP. A lot easier to remember google.com than 123.45.67.89. Also helpful if the public IP of a service ever changes in the future - you just update the DNS record and everyone can still reach the service, even if it's on a new IP.

If your ISP does not give you a public IP, you can't effectively run services on your home network, because it won't be accessible directly from the Internet. You can work around that by connecting a VPN client in your home network to a VPN server like Access Server that does have a public IP, and then doing a port forward from the public IP of the Access Server to the VPN client in your home network, so you can actually offer a service on the public Internet from a server at home. Then a DNS record that points to the public IP of your Access Server makes sense.

Kind regards,
Johan
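As an added example (not part of any post in this thread), this shell sketch checks for the two failure modes discussed above: a connection profile whose `remote` lines carry the server's private address, and a DNS name that resolves to a private or ISP-shared address. The sample profile is constructed, and the sketch assumes profiles use the standard OpenVPN `remote host port proto` directive and that `getent` is available for name lookups.

```shell
#!/bin/sh
# Added example: flag "remote" entries in an OpenVPN client profile that
# cannot be reached from the Internet.

# Classify one IPv4 address by the range it falls in.
classify_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo private ;;   # RFC 1918 LAN ranges
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*)
            echo cgnat ;;     # RFC 6598, address shared by the ISP's NAT
        127.*|169.254.*)
            echo local ;;     # loopback / link-local
        *)  echo public ;;
    esac
}

# Print the IPv4 addresses a remote resolves to; IP literals pass through.
resolve_remote() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{print $1}' | sort -u ;;
        *)         echo "$1" ;;
    esac
}

# Read a profile (file $1, or stdin) and print
# "host port proto address class" for every remote line.
# Returns 1 if any remote is unresolved or not a public address.
check_profile() {
    bad=0
    while read -r kw host port proto rest; do
        [ "$kw" = "remote" ] || continue
        addrs=$(resolve_remote "$host")
        [ -n "$addrs" ] || { echo "$host $port $proto - unresolved"; bad=1; continue; }
        for a in $addrs; do
            class=$(classify_ipv4 "$a")
            echo "$host $port $proto $a $class"
            [ "$class" = "public" ] || bad=1
        done
    done < "${1:-/dev/stdin}"
    return "$bad"
}

# Constructed sample: the profile handed out while "Hostname or IP Address"
# still holds the LAN address 192.168.0.5 from the thread.
sample_profile() {
    printf 'client\nremote 192.168.0.5 1194 udp\nremote 192.168.0.5 443 tcp\n'
}
```

Running `sample_profile | check_profile` prints both remotes with class `private` and returns 1; a profile downloaded after the field is corrected should list only `public` addresses.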
