OpenVPN Access Server (AS) is the commercial, GUI-managed distribution of OpenVPN. It bundles a web-based Admin UI, a Client UI for users to download pre-configured connection profiles, and a licence-based concurrent connection model. The free tier allows two simultaneous VPN connections — enough for personal use, a home lab, or a small team.

This guide covers installation on AlmaLinux 9.x, which is RHEL-compatible but not officially supported by OpenVPN Inc. In practice, the RHEL 9 packages install and run without issues — with a few AlmaLinux-specific gotchas around SELinux and firewalld that will catch you out if you skip them.

Prerequisites

  • AlmaLinux 9.x VPS or server with root access
  • A public IP address or domain name pointing to the server
  • Ports TCP 443, TCP 943, and UDP 1194 reachable from the internet
  • A free account at openvpn.com (required to get the activation key)

A note on official support

OpenVPN Inc. officially supports RHEL 9. AlmaLinux, Rocky Linux, and Oracle Linux are RHEL-compatible but listed as best effort — meaning the packages work, but OpenVPN support staff will not troubleshoot AlmaLinux-specific issues. For a personal or small-team deployment this is not a concern.


Step 1 — Update the system and verify the time

Access Server uses time-based certificates and TOTP multi-factor authentication. An incorrect system clock will cause authentication failures that are annoying to debug.

yum update -y
timedatectl

Confirm the time zone and that NTP synchronisation is active:

timedatectl status
# Look for: NTP service: active
# System clock synchronized: yes

If the time zone is wrong:

timedatectl set-timezone Asia/Kolkata

Step 2 — Handle SELinux

AlmaLinux 9 ships with SELinux in enforcing mode. Access Server manages its own internal process permissions, and SELinux will block several of them — VPN tunnelling, NAT rules, and the web interface will either fail silently or throw permission errors.

The official recommendation from OpenVPN is to disable SELinux before installation:

# Check current state
sestatus

# Disable for the running session
setenforce 0

# Disable permanently
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# Verify the change
grep ^SELINUX= /etc/selinux/config
# Expected: SELINUX=disabled

A reboot is required for the permanent change to take effect at the kernel level. Reboot after installation (Step 5) rather than now.


Step 3 — Handle firewalld

Access Server installs and manages its own iptables/nftables rules for VPN tunnelling and NAT. The firewalld daemon running alongside it will periodically flush or overwrite those rules, causing connected clients to lose network access without any obvious error.

Stop and remove firewalld before proceeding:

systemctl stop firewalld
systemctl disable firewalld
yum erase firewalld -y

Confirm it is gone:

systemctl status firewalld
# Expected: Unit firewalld.service could not be found.

Access Server will manage the firewall rules directly after installation. If you need firewalld for other services on the same server, run Access Server on a dedicated machine or VM.
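A pre-install check for Steps 1 to 3, added here as an example (it is not part of the OpenVPN installer or the original guide). It also catches the case where the sed command in Step 2 matched nothing, for instance because the config already said permissive; the function name and its optional config-path argument are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from OpenVPN): pre-install checks for Steps 1-3.
# preflight prints one line per failed check and returns the failure count.
# The optional argument (SELinux config path) is a hypothetical parameter so
# the check can be pointed at a test file; default is /etc/selinux/config.

preflight() {
    local selinux_config="${1:-/etc/selinux/config}"
    local failures=0

    # Step 1: certificates and TOTP need an NTP-synchronised clock.
    if [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" != "yes" ]; then
        echo "FAIL clock: system clock is not NTP-synchronised"
        failures=$((failures + 1))
    fi

    # Step 2: not enforcing in the running kernel...
    if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "FAIL selinux: still enforcing (setenforce 0 not applied)"
        failures=$((failures + 1))
    fi
    # ...and disabled in the config file, so the state survives the reboot.
    if ! grep -q '^SELINUX=disabled' "$selinux_config" 2>/dev/null; then
        echo "FAIL selinux: $selinux_config does not say SELINUX=disabled"
        failures=$((failures + 1))
    fi

    # Step 3: firewalld must be neither running nor installed.
    if systemctl is-active --quiet firewalld 2>/dev/null; then
        echo "FAIL firewalld: service is still running"
        failures=$((failures + 1))
    fi
    if rpm -q firewalld >/dev/null 2>&1; then
        echo "FAIL firewalld: package is still installed"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Usage on the server, as root, before Step 4:
#   preflight && echo "ready for the install script"
```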


Step 4 — Get the install script from the OpenVPN portal

OpenVPN provides an OS-specific install script through the Access Server portal:

  1. Sign in at myaccount.openvpn.com
  2. Click Get Access Server
  3. Select Red Hat / RHEL as the operating system
  4. Copy the bash command shown under Install on Linux OS

The command looks like this:

curl -fsSL https://as-repository.openvpn.net/as/install.sh | bash -s -- --yes

The script auto-detects your OS, adds the OpenVPN repository, and installs the openvpn-as package. It is the recommended installation method — do not add the repo manually or install the RPM directly unless you have a specific reason to do so.


Step 5 — Run the install script

Paste and run the command copied from the portal:

curl -fsSL https://as-repository.openvpn.net/as/install.sh | bash -s -- --yes

When the installation completes, the output displays your Admin UI address, Client UI address, and a randomly generated password for the openvpn administrative user:

+++++++++++++++++++++++++++++++++++++++++++++++
Access Server 3.x.x has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log

Access Server Web UIs are available here:
Admin UI:  https://YOUR.SERVER.IP:943/admin
Client UI: https://YOUR.SERVER.IP:943

To login please use the "openvpn" account with "<generated-password>" password.
(password can be changed on Admin UI)
+++++++++++++++++++++++++++++++++++++++++++++++

Save this output. The generated password is shown only once.

Now reboot to apply the SELinux change from Step 2:

reboot

Step 6 — Open required ports (iptables)

Since firewalld is removed, Access Server manages iptables directly. After the reboot, verify the necessary ports are accessible:

# Check Access Server's own iptables rules are in place
iptables -L -n | grep -E "443|943|1194"

If you are behind a cloud provider’s security group or a hardware firewall (AWS EC2, for example), ensure the following are open inbound:

Port   Protocol   Purpose
443    TCP        VPN tunnel (TCP fallback) + web UI redirect
943    TCP        Admin and Client web interface
1194   UDP        VPN tunnel (primary)
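The grep in the iptables check above matches any line containing those digits, so a rule or socket on an unrelated port such as 19430 also matches. As a complementary check on listening sockets (an added example, not from the original guide; the function names and the sample ss output are constructed for illustration), this compares exact protocol/port pairs from the table:

```bash
#!/usr/bin/env bash
# Added example: confirm listeners for the protocol/port pairs in the table above.
REQUIRED_LISTENERS="tcp/443 tcp/943 udp/1194"

# Reads `ss -H -tuln` output on stdin and prints each required
# protocol/port pair that has no listening socket.
missing_listeners() {
    awk -v required="$REQUIRED_LISTENERS" '
        {
            # Field 1 is the protocol, field 5 is local address:port.
            # The port is whatever follows the last colon (works for IPv6 too).
            n = split($5, parts, ":")
            seen[$1 "/" parts[n]] = 1
        }
        END {
            count = split(required, want, " ")
            for (i = 1; i <= count; i++)
                if (!((want[i]) in seen)) print want[i]
        }'
}

# Constructed sample: 943 is not listening, but an unrelated service on
# 19430 would still satisfy a substring grep for "943".
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:1194       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:19430      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
EOF
}

sample_ss_output | missing_listeners   # prints: tcp/943
# On the server: ss -H -tuln | missing_listeners
```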

Step 7 — Log in to the Admin Web UI

Open a browser and navigate to:

https://YOUR.SERVER.IP:943/admin

The browser will show a certificate warning — this is expected. Access Server installs with a self-signed certificate by default. Click through the warning to proceed.

Sign in with:

  • Username: openvpn
  • Password: the generated password from the install output

Change the password immediately after first login under User Management → User Permissions → openvpn → (edit).


Step 8 — Activate the free licence

On first login, Access Server shows the Activation page.

  1. Click Get Activation Key — this takes you to the Access Server portal
  2. Sign in with your openvpn.com account
  3. Click Activation Keys → Purchase A New Key
  4. Select the free option (2 concurrent connections)
  5. Click Copy Key
  6. Return to the Admin Web UI, paste the key into the activation field
  7. Click Activate

The dashboard now shows 2 available connections.


Step 9 — Set the server hostname

Using a domain name instead of a raw IP address makes client configuration more portable — if your server IP changes, you only update DNS rather than re-issuing client profiles.

In the Admin Web UI: Configuration → Network Settings → Hostname or IP address

Enter your domain (e.g. vpn.thelinuxstudent.in) and click Save Settings, then Update Running Server.


Step 10 — Add a VPN user

User Management → User Permissions → New Username

Enter a username and tick Allow Auto-login if you want the user to connect without entering a password each time. Click Save Settings, then Update Running Server.


Step 11 — Connect a client

Direct the user (or yourself) to the Client UI:

https://YOUR.SERVER.IP:943

Log in with the VPN user credentials. From here, download the OpenVPN Connect app pre-bundled with the connection profile for your OS (Windows, macOS, Linux, Android, iOS). The profile is pre-configured — no manual .ovpn editing required.

Alternatively, download the .ovpn profile file directly and import it into any OpenVPN-compatible client.


Useful commands

# Check Access Server service status
systemctl status openvpnas

# Stop / start / restart
systemctl stop openvpnas
systemctl start openvpnas
systemctl restart openvpnas

# View real-time logs
tail -f /var/log/openvpnas.log

# Check connected clients via CLI
/usr/local/openvpn_as/scripts/sacli VPNSummary

# Query current configuration
/usr/local/openvpn_as/scripts/sacli ConfigQuery

# Query specific settings (e.g. port, protocol, daemon status)
/usr/local/openvpn_as/scripts/sacli ConfigQuery | grep -E "port|proto|daemon"

Troubleshooting

Web UI unreachable after reboot

Access Server may take 30–60 seconds to fully initialise on boot. If the web UI does not load, check service status with systemctl status openvpnas and review /var/log/openvpnas.log.

Clients connect but cannot reach the internet or internal hosts

This is almost always a NAT or routing issue. Verify IP forwarding is enabled:

sysctl net.ipv4.ip_forward
# Expected: net.ipv4.ip_forward = 1

If it reads 0, Access Server did not set it — set it manually:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-openvpn.conf
sysctl -p /etc/sysctl.d/99-openvpn.conf

Self-signed certificate warning on the web UI

This is expected. To resolve it, install a valid certificate via the Admin Web UI under Configuration → Web Server → SSL Certificate. If your domain has a Let’s Encrypt certificate already, you can import it there.

"firewalld has been detected" warning during install

You did not fully remove firewalld before running the install script. Re-run Steps 3 and 4, then reinstall.


AlmaLinux 9 is not on OpenVPN’s official support list, but the RHEL 9 packages install cleanly and run reliably once SELinux and firewalld are out of the way. The two-connection free tier is genuinely useful — it covers a personal device and a phone, or two remote machines, with no time limit and no feature restrictions beyond the concurrent connection count.