Plesk is a powerful web server management tool. Among the included features is an OpenVPN Server, so when you’re working remotely you can connect directly to your server remotely. This can be very helpful if you’re a developer who works remotely from insecure locations like a Starbucks Coffeeshop or other remote location. The instructions provided by Plesk are not really clear on this topic, nor at least not fully up-to-date and the included client download package is a legacy version of the OpenVPN client.
TLDR (in summary) if you’re the only person who manages both the Plesk Server and uploads files, and you want a really secure setup, read on. Otherwise, you can just stop here, because this is NOT going to give you any real-world benefits.
As of the writing of this post, Plesk only supports a single remote host at a given time. And if you configure multiple devices they all use the same encryption key. Additionally, you’re limited to traffic intended for the Plesk server directly, and it does not route traffic more broadly within either the server LAN or to the WAN. This results in a network configuration known as split-tunneling. Meaning only traffic for the remote server is sent over the tunnel and all other traffic still goes out your internet connection. So the net result is a secure connection just to your Plesk server, but nothing else. If you’re already using FTPS and SSH, then this really provides NO benefit for you. There are feature requests to extend the Virtual Private Network features of Plesk, but as of this writing, it has not been implemented yet.
Also, because technology changes quickly, please note the following – this documentation is based on the following software versions:
- Plesk Onyx Version 17.8.11 Update #38
- OpenVPN Windows Client 18.104.22.168 (link)
- Windows 10 Enterprise, Version 10.0.17134.523
Let’s get started on how to configure the OpenVPN Server.
- Start by installing the Plesk Extension: Virtual Private Networking
- Then open the Extensions shortcut via the navigation pane > Virtual Private Networking.
- On the Preferences page that opens, specify the following parameters:
- Remote Address: Leave this blank as you’re intending to remotely connect TO the Plesk server.
- Remote UDP port: You can leave this field blank if you have not specified the remote address above.
- Local UDP port, your server will listen for incoming VPN traffic on this local UDP port. The default port is 1194.
- Local peer address and Remote peer address: Usually leave the default. This needs to be a separate address space from either your existing WAN or LAN of the server, as well as ideally not overlapping with the local IP address that you’ll be connecting from as well.
- Click OK.
- The Plesk VPN component is initially disabled. To use the VPN functionality, enable the component by clicking the “Switch On” button.
- Click on “For a Windows Client” button to download the package. BUT DO NOT use the OpenVPN client included.
- Extract the package to any location.
- Open the extracted files and copy the vpn-key to you c: directory
- Then open the openvpn.conf file using any text editor, such as Notepad, or my preferred editor, Notepad++
- Change the line: secret system/vpn-key
To read: secret c://vpn-key
- Save the file as openvpn.ovpn
- Change the line: secret system/vpn-key
- Then move the file from its current location to c:\ — in Windows 10 usually the security permissions will prohibit you from directly saving-as to the c: directory.
- From the start menu, run OpenVPN Client — not the OpenVPN GUI.
- Right-click on the sys-tray icon and select Import > From File. Point it to your c:\openvpn.ovpn file
- In a few seconds (but not immediately), it will show the VPN in the listing when you right-click on the OpenVPN Client sys-tray icon. Click on the Plesk Server, then select Connect.
You should be all set, and you can test your connection by trying to ping your server from the command line to the IP address selected above, typically 172.16.0.1 — if this resolves then your VPN is setup properly. You can also go to a www.WhatIsMyIP.com and verify that all other web traffic is routing through your local internet connection and not your server.
You’re now configured to access your server over the VPN tunnel.
Now, you’ll need to access your Plesk server using that IP address, which can itself be problematic. Sure FTP/FTPS to 172.16.0.1 will work just fine, but if you try to navigate to the Plesk Web Console, at https://172.16.0.1 you’ll get a certificate error because the certificate is signed for the FQDN (Fully Qualified Domain Name) such as Plesk.example.com
You could modify you hosts file, but then you’ll have all sorts of problems connecting if your not connected via the VPN tunnel.
So this begs the question, why even bother with this? The only reason I can think of is if you’re using Plesk as a GUI management for your web servers, and you want to really keep the sever closed off. With the VPN setup, you can close down FTP/FTPS ports, as well as the Plesk ports like 8443 to the outside world. It creates a much more secure setup and is a good ideal if you’re the only one who is going to manage this server. But otherwise, if other people need to use FTP or the console, then there is no reason to implement this.