🔐 Setup OpenVPN Access Server
Deploy OpenVPN Access Server with a web-based admin UI and client portal. Manage users, certificates, and connection profiles from a browser — no command-line config required.
📦 Resources & Setup Scripts
Grab the automated bash script from GitHub to follow along.
Quick Install:
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/openvpn-as/openvpn-as-ubuntu.sh
chmod +x openvpn-as-ubuntu.sh
sudo bash openvpn-as-ubuntu.sh
```
Tutorial Steps
1 Download & Run the Script
The script installs Docker, pulls the OpenVPN AS image, and starts the server. Admin credentials are displayed at the end of the setup.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/openvpn-as/openvpn-as-ubuntu.sh
chmod +x openvpn-as-ubuntu.sh
sudo bash openvpn-as-ubuntu.sh
```
2 Access the Admin UI
Open your browser and navigate to the OpenVPN admin panel:
https://YOUR-SERVER-IP:943/admin
3 Create User Accounts
In the admin panel, go to User Management → User Permissions to create VPN accounts. Each user can download their personalized .ovpn config from the client portal at port 943.
4 Connect with OpenVPN Client
Download the OpenVPN Connect app on any device, import the .ovpn profile, and connect. The free tier supports up to 2 simultaneous VPN connections.
Ports Used
| Port | Protocol | Purpose |
|---|---|---|
| 943 | TCP | Admin UI & Client Portal |
| 443 | TCP | HTTPS VPN Tunnel |
| 1194 | UDP | OpenVPN Tunnel |
Files Location
/root/docker/openvpn-as/docker-compose.yml
Overview
OpenVPN Access Server is the commercial distribution of OpenVPN with a web management UI, user authentication via LDAP or local database, and auto-generated client configuration files. It supports both SSL-VPN (TCP 443) and UDP transport, making it one of the most firewall-friendly VPN solutions available.
Why Use It
OpenVPN Access Server is the easiest path to a production-grade OpenVPN deployment. It automates certificate generation, user management, client profile distribution, and LDAP/AD authentication — tasks that take days to configure manually with OpenVPN Community Edition. The auto-generated .ovpn profile means end users can connect with zero configuration: download, import, connect. The TCP 443 fallback makes it work through virtually every corporate firewall, hotel network, or ISP that blocks UDP.
Ports and Firewall Notes
OpenVPN AS uses port 943/TCP for the admin UI and client portal, port 443/TCP for the SSL-VPN tunnel (recommended — blends with HTTPS), and port 1194/UDP for the standard OpenVPN tunnel. Open 443/TCP and 1194/UDP for VPN clients. Restrict port 943 to your management IP only — it should never be reachable from the general internet. If you run a web server on the same machine, the SSL-VPN daemon on 443 will conflict; move your web server to 8443 or use a different server for OpenVPN AS.
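The compose file at /root/docker/openvpn-as/docker-compose.yml decides which host interfaces each port is published on, and a port published as "943:943" is reachable on every interface regardless of host ufw rules, because Docker routes published ports through its own iptables chains. The following check, added here as an example and not part of the tutorial or its install script, parses the compose port mappings, flags an admin port exposed on all interfaces, and rewrites it to bind to a management IP; the compose content and the IP 203.0.113.10 are constructed for the demonstration.

```python
"""Audit and fix the admin-port binding in the OpenVPN AS docker-compose.yml.
Added example, not from the tutorial or its install script; sample content is constructed."""
import re

ADMIN_PORT = 943  # admin UI and client portal; must not face the internet

# Constructed sample: 943 published on every interface (weak); 443/tcp and 1194/udp open for clients.
SAMPLE_COMPOSE = """\
services:
  openvpn-as:
    ports:
      - "943:943"
      - "443:443"
      - "1194:1194/udp"
"""

# compose short syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTO]
PORT_RE = re.compile(r'^(?P<pre>\s*-\s*["\']?)(?:(?P<ip>[\d.]+):)?(?P<hp>\d+):(?P<cp>\d+)'
                     r'(?:/(?P<proto>tcp|udp))?(?P<post>["\']?\s*)$')

def parse_ports(text):
    """Return (host_ip, host_port, proto) per mapping; '' means all interfaces."""
    out, in_ports = [], False
    for line in text.splitlines():
        if re.match(r"^\s*ports:\s*$", line):
            in_ports = True
            continue
        m = PORT_RE.match(line) if in_ports else None
        in_ports = bool(m)  # any non-mapping line ends the ports list
        if m:
            out.append((m.group("ip") or "", int(m.group("hp")), m.group("proto") or "tcp"))
    return out

def audit(text):
    """Flag 943 when reachable from every interface. Docker publishes ports through
    its own iptables chains, so a host 'ufw deny 943' rule does not cover "943:943"."""
    return [f"{p}/{proto} published on all interfaces; bind to the management IP"
            for ip, p, proto in parse_ports(text)
            if p == ADMIN_PORT and ip in ("", "0.0.0.0")]

def restrict_admin_port(text, mgmt_ip):
    """Rewrite the 943 mapping so the host only listens on mgmt_ip."""
    fixed = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and int(m.group("hp")) == ADMIN_PORT and m.group("ip") in (None, "0.0.0.0"):
            proto = f"/{m.group('proto')}" if m.group("proto") else ""
            line = f"{m.group('pre')}{mgmt_ip}:{m.group('hp')}:{m.group('cp')}{proto}{m.group('post')}"
        fixed.append(line)
    return "\n".join(fixed) + "\n"
```

Binding to 127.0.0.1 and reaching the admin UI over an SSH tunnel is the stricter variant of the same fix when the management host has no fixed public IP.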
Alternatives
WireGuard Easy is simpler and faster but lacks user management, LDAP integration, and a client portal — suitable for personal use, not teams. Pritunl is a self-hosted VPN with a more polished enterprise UI, multi-server clustering, and SSO support — a direct OpenVPN AS competitor without the 2-connection free tier restriction. NetBird and Headscale offer WireGuard mesh VPNs with access control but a different architecture (peer-to-peer vs. hub-and-spoke). Commercial appliances (Cisco AnyConnect, Palo Alto GlobalProtect) offer enterprise support, compliance certification, and hardware options but at a significantly higher cost.
When Not to Use It
Skip OpenVPN AS if you need more than 2 simultaneous connections but cannot afford licenses — use Pritunl or the OpenVPN Community Edition instead. If your users are technically capable, WireGuard Easy is faster and lighter. OpenVPN AS is also not suitable if you need a mesh VPN (all devices connecting to each other) rather than a hub-and-spoke VPN (all devices connecting through one server). For high-performance use cases where VPN throughput matters, WireGuard's modern cryptography outperforms OpenVPN's older cipher suites significantly.
PrismaTechWork Professional Help
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Frequently Asked Questions
What is the difference between OpenVPN AS and OpenVPN Community Edition?
OpenVPN Community Edition is the raw open-source OpenVPN daemon — powerful but configured entirely via config files with no web UI. OpenVPN Access Server builds on top of it adding a web admin panel, user portal, auto-generated PKI, LDAP integration, and client profile download. The free tier of AS is limited to 2 simultaneous connections; Community Edition has no such limit.
How many users can I have on the free tier?
The free tier of OpenVPN Access Server allows unlimited user accounts but limits simultaneous VPN connections to 2 at any given time. If a third user tries to connect while 2 are already active, their connection is rejected. For more concurrent connections, you need a paid license from OpenVPN Inc. ($14–$20/user/year at time of writing).
How does TCP 443 mode work and why does it matter?
In TCP 443 SSL-VPN mode, OpenVPN wraps your VPN traffic inside a TLS connection on port 443 — the same port used by HTTPS. To firewalls and DPI systems, it looks like ordinary web traffic. This bypasses most corporate firewalls, hotel networks, and ISPs that block or throttle UDP or non-standard ports. It is slower than UDP 1194 due to TCP-over-TCP overhead but far more universally compatible.
Can I connect OpenVPN AS to Active Directory?
Yes. Go to Authentication → LDAP in the admin UI and enter your Active Directory server address, bind DN, bind password, and base DN. Once configured, users log in to the VPN with their Windows AD credentials. When you disable a user in AD, they immediately lose VPN access. You can also map AD groups to VPN access groups for per-group subnet restrictions.
How do users get their VPN connection profile?
Users navigate to https://YOUR-SERVER:943 (the client portal), log in with their VPN credentials, and download their personalized .ovpn profile or the full OpenVPN Connect installer with the profile embedded. They import the profile into OpenVPN Connect on any device (Windows, macOS, iOS, Android) and connect with one click. No manual configuration is required on the client side.
Can I use OpenVPN AS for site-to-site VPN between two networks?
Yes. In site-to-site mode, one location runs OpenVPN AS as the server and the remote site runs an OpenVPN client (Community Edition) as a gateway. Configure the server to push the remote subnet route and the client to advertise its local subnet. All traffic between the two networks flows through the encrypted tunnel without each individual device needing a VPN client.
How do I revoke a user's VPN access?
In the admin UI, go to User Management → User Permissions, find the user, and set their 'Allow Access' to 'No' or delete the account entirely. If you want to ensure their existing connection is terminated immediately, go to Current Users and disconnect the active session. Their certificate remains in the PKI but the server will refuse connections from revoked accounts on the next authentication attempt.
Is OpenVPN AS slower than WireGuard?
Yes, significantly. OpenVPN uses TLS with older cipher suites (AES-256-GCM is the best available) and runs in user space, adding CPU overhead. WireGuard uses modern ChaCha20-Poly1305 encryption and runs in the kernel, achieving throughput 3–5× higher on the same hardware. For most business use cases (email, office apps, intranet access) OpenVPN AS is fast enough. For high-throughput workloads like large file transfers between offices, WireGuard is the better choice.
