Advanced Options Managed From The Command-Line Interface
Access Server has advanced features you can execute from the command-line interface. We provide tutorials for each of these.
OpenVPN daemons interface and ports
The OpenVPN daemons manage OpenVPN tunnel connections. By default, they listen on all available network interfaces, using UDP port 1194 and TCP port 443. You can customize these settings via the Admin Web UI or CLI.
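As an added example (not from the Access Server documentation), a small POSIX shell check that parses `ss -lntupH` output to confirm the openvpn daemons are bound to the interface and ports you configured. The sample output is constructed, and the `vpn.daemon.0.listen.ip_address` key and sacli path are assumptions to verify with `sacli ConfigQuery`.

```shell
#!/bin/sh
# Added example: verify where the Access Server openvpn daemons actually listen after a
# change to the interface or port settings. Reads `ss -lntupH` style lines on stdin, so it
# works on a sample as well as on a live host.
SACLI=/usr/local/openvpn_as/scripts/sacli   # assumed default install path

# Constructed sample of `ss -lntupH` output (not captured from a real host).
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:1194   0.0.0.0:* users:(("openvpn",pid=2101,fd=6))
udp   UNCONN 0 0   0.0.0.0:1194   0.0.0.0:* users:(("openvpn",pid=2102,fd=6))
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:* users:(("openvpn",pid=2103,fd=7))
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:* users:(("openvpn",pid=2104,fd=7))
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 127.0.0.1:943  0.0.0.0:* users:(("openvpnas",pid=2001,fd=9))'

# count_openvpn_sockets PROTO PORT: how many openvpn daemon sockets are bound to PORT over PROTO.
# Field 5 of ss output is the local "address:port"; the process column names the owning binary.
count_openvpn_sockets() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $5 ~ (":" port "$") && $0 ~ /"openvpn"/ { n++ }
        END { print n + 0 }'
}

# check_bound_to ADDR: succeed only if every openvpn socket is bound to ADDR; list the others.
# A daemon still on 0.0.0.0 after you asked for one interface means the change did not take.
check_bound_to() {
    awk -v want="$1" '
        $0 ~ /"openvpn"/ {
            addr = $5; sub(/:[^:]*$/, "", addr)      # strip the trailing :port
            if (addr != want) { print "unexpected listener:", $1, $5; bad = 1 }
        }
        END { exit bad + 0 }'
}

# apply_listen_address ADDR: bind the daemons to ADDR, restart, then verify with the check above.
# vpn.daemon.0.listen.ip_address is assumed to be the key behind the Admin Web UI interface
# setting; confirm on your system with `sacli ConfigQuery` before relying on it.
apply_listen_address() {
    "$SACLI" --key "vpn.daemon.0.listen.ip_address" --value "$1" ConfigPut
    "$SACLI" start
    ss -lntupH | check_bound_to "$1"
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_SS" | check_bound_to 0.0.0.0 && echo "all openvpn sockets on 0.0.0.0"
```

On a live host, replace the sample with `ss -lntupH | check_bound_to <address>` after every daemon change; a non-zero exit and the listed sockets tell you which daemon is not where you expected.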
Turn off multi-daemon mode
The OpenVPN 2 code base is single-threaded, meaning each openvpn process runs on a single CPU core and cannot utilize multiple cores. To overcome this, Access Server can launch multiple openvpn daemons simultaneously, ideally one per CPU core. Additionally, to support both UDP and TCP protocols for client connections, Access Server requires separate openvpn daemons for each protocol.
Tip
We recommend one TCP and one UDP daemon per CPU core.
Example 1. Example multi-daemon setup
In a system with four CPUs, Access Server runs eight OpenVPN daemons: two per CPU core, one for TCP and one for UDP. This setup optimizes resource utilization and ensures efficient handling of connections.
Setup Overview:
Benefits:
- Load Balancing: Access Server distributes incoming connections across the daemons based on load, ensuring efficient use of CPU resources.
- Protocol Support: Separate daemons for TCP and UDP provide robust support for both connection types, enhancing flexibility and connectivity options.
You may encounter a scenario where you want to turn off multi-daemon mode. If so, follow this tutorial:
Reset OpenVPN web service and daemons to default
If you need to revert settings that have locked you out of your web services, or restore an Access Server backup configuration to a new system with a different interface name, it's helpful to run the commands from this tutorial:
Introduction to the XML-RPC interface
Access Server utilizes XML-RPC for communication between its web services, core components, and OpenVPN Connect apps. This interface primarily checks credentials and retrieves user-locked profiles when using server-locked profiles. You can enable full XML-RPC support to remotely control all Access Server functionality. While documentation and support for XML-RPC are not provided, tools are available to help determine necessary calls and their execution.
Set the maximum number of authentication and database connection QueuePool size
Access Server has default settings for handling authentication and database connections, which can sometimes lead to issues under high load or in specific scenarios such as out-of-band MFA or slow authentication systems. By adjusting the maximum number of threads and the connection QueuePool size, you can ensure smooth performance and avoid connection bottlenecks.
Limit the total maximum number of VPN tunnels
By default, Access Server allows up to 2048 VPN tunnels. While this is sufficient for most scenarios, there are situations where you might need to increase or decrease this limit. Adjusting this setting can help manage server load and control access. However, be aware that changing this value will restart the openvpn daemons, causing all connected VPN clients to reconnect.
UCARP/VRRP failover advanced settings
UCARP/VRRP failover ensures high availability for Access Server by having a secondary node take over if the primary node fails. When using multiple pairs on the same network, each pair requires a unique VHID to differentiate their heartbeat signals. Refer to the tutorial for steps on how to adjust the VHID and configure additional UCARP parameters.
Global NAT behavior setting
Access Server’s global NAT behavior setting controls how outgoing traffic from VPN clients is handled. By default, Access Server uses NAT for traffic destined for public IP addresses. However, in some scenarios, such as when you want to log VPN clients’ private IP addresses, it may be desirable to disable this NAT behavior or specify a different interface or IP address for outgoing NAT operations.
To manage the NAT behavior setting for your Access Server, refer to this tutorial:
Allow UDP multicast and IGMP to pass through
Access Server transfers information by unicast: only traffic with a specific destination IP address can pass through the VPN server. Access Server blocks multicast or broadcast traffic, which is addressed to whom it may concern rather than to a single host. You can lift the restriction on UDP multicast and IGMP packets, allowing these to pass freely between VPN clients and the VPN server. Some software programs use these to auto-detect network systems or services, so this option may be necessary in such a situation. The configuration key vpn.routing.allow_mcast allows this traffic to pass through. It is disabled by default.