Subscribe to Access Server on AWS — SaaS Offering
Create an Access Server SaaS subscription with AWS where you pay as you go. This tutorial gets you started with the SaaS offering.
Access Server provides an Amazon Web Services (AWS) VPN that you can get up and running within minutes.
From the Software as a Service (SaaS) AWS Marketplace, you can launch Access Server. This VPN hosted in the cloud has the following benefits:
Read on for your guide to getting started with your VPN server on the web.
You'll select the Access Server / Self-Hosted VPN (PAYG) SaaS option from the AWS marketplace.
Review the details and click View purchase options.
Select your desired options for the contract:
Duration: One month or a year.
Auto-renewal: Whether or not the contract renews automatically.
Available units: The connection plan that best fits your user needs.
Tip
A connection is an actively connected user device, such as a headless server, a mobile tablet, or a remote laptop.
The contract cost displays.
Review the terms and conditions.
Select whether you need to add a purchase order.
Click Subscribe.
Your contract is currently pending and you can set up your account on our site.
Click Set up your account to be directed to our site for the next steps.
Note
If you already have an OpenVPN account, sign in to your existing account and skip these steps.
Click to create a new account on our website.
Follow the steps to add your contact information and confirm your email.
Once you've successfully signed in, the Access Server Portal displays, starting on the Deploy Access Server screen.
You can also click AWS Contract in the navigation, displaying your available connections and email notification options.
From the Deploy Access Server page, select the nearest AWS region from the drop-down.
Click Launch Script on AWS.
Optional: You can click Download The CloudFormation Script to launch the script manually.
You are directed to AWS, where you can select your inputs for Quick create stack:
Stack name: You can enter a stack name; the default is openvpn-accessserver.
ActivationKey: This populates with the AWS SaaS license key.
VpcId: Select your VPC for the instance.
SubnetId: Select the public Subnet ID.
InstanceName: You can enter a name for the instance; the default is OpenVPNAccessServer.
InstanceType: Select the desired instance type; the default is t3.small.
KeyName: Select an existing EC2 KeyPair for SSH access to the instance.
Acknowledge that AWS CloudFormation will create IAM resources and click Create stack.
Once the AWS SaaS stack deployment has finished, you can access your Access Server's Admin Web UI.
Important
The system requires up to five minutes for complete initialization. This process occurs in two stages; you must wait for both to complete. If you attempt to sign in before this completes, you'll encounter authentication failures. Once initialization is complete, you can sign in successfully.
Here's how to access the Admin Web UI after the stack is complete:
After the stack has completed, the Outputs tab in CloudFormation provides the key information required to access the Admin Web UI:
IP Address: The public IP address of the Access Server instance.
Username: The default username for the Admin Web UI is openvpn.
Temporary Password: A temporary password will be generated and displayed.
Open your web browser and navigate to the Admin Web UI using the provided IP address, such as:
https://<public_ip_of_instance>/admin
Enter the username (openvpn) and the temporary password displayed in the stack output.
Once signed in, we recommend changing the password from the User Permissions page.
Once you launch your new AMI, you must SSH into the console using SSH client software and the private key pair you used/created previously.
Use the instance username openvpnas.
Connect with ssh:
ssh -i /path/key-pair-name.pem openvpnas@instance-public-ipv4-address
You can refer to Connect to Access Server via SSH using PuTTY for steps to connect with the PuTTY SSH client from a Windows computer. If you have a different configuration, please follow Amazon’s instructions on connecting to your instance.
We recommend you assign an Elastic IP address to your instance:
From your AWS console, click Elastic IPs under Network & Security.
Click Allocate Elastic IP address.
Select the pool and enter any tags (optional).
Click Allocate.
After AWS allocates your new IP address, select it, and click Actions > Associate Elastic IP address.
Choose Instance as the resource type, select your Access Server instance from the Instance search field, and select the Private IP address by clicking in the search field and selecting the option available.
Click Associate.
Sign in to your Admin Web UI.
Click Configuration > Network Settings and enter the Elastic IP in the Hostname or IP Address field.
The default time zone may not be the time zone that you're in. If you are in a different time zone, you can change this setting by running this command and then choosing the appropriate time zone:
sudo dpkg-reconfigure tzdata
We recommend installing the NTP client to keep the time synchronized. This is especially important if you plan on using multi-factor authentication with TOTP. Run this command:
sudo apt-get install ntp
If your VPN setup consists of a site-to-site setup between your cloud instances and your machines on-premises, ensure you disable Amazon's source/destination check for the VPN instance; otherwise, routing won’t function properly.
Turn off source/destination checks:
From Instances in the EC2 console, right-click on the VPN instance ID.
Click Networking > Change source/destination check.
Check Stop under Source / Destination checking and click Save.
Source/destination checking can also block traffic if you want VPC data to go directly to the IP addresses of your VPN clients in the VPN client subnet. For that use case, turn off the check as well.
Access Server’s default routing uses network address translation (NAT). With NAT, traffic originating from the VPN clients appears to come from the local IP address of Access Server, which is simpler than setting up routing.
However, when using NAT, your traffic from the VPC itself can’t directly access a VPN client as the NAT engine prevents direct contact. You must configure routing instead of NAT to allow direct access to a VPN client.
To access this configuration:
Sign in to the Admin Web UI.
Click Configuration > VPN Settings.
Scroll to the Routing section, where you can click Yes, using Routing.
Configure your subnets for your network.
After setting up routing, the source IP address of packets coming from the VPN clients is kept intact, and direct access from the VPC network to the VPN client subnet is possible. However, because the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Amazon routing table for your VPC so that the return traffic flows properly. Refer to Amazon’s AWS VPC routing documentation: Route tables for your VPC (Amazon).
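The two conditions described above for routed traffic (the static route for the VPN subnet and the disabled source/destination check), modeled as an added example that is not part of the original guide. All addresses, the VPN client subnet, and the `eni-EXAMPLE` / `igw-EXAMPLE` targets are constructed placeholders.

```python
import ipaddress

# Constructed sample values, not taken from the page.
AS_IP = "10.0.1.10"             # private IP of the Access Server instance
AS_ENI = "eni-EXAMPLE"          # placeholder for its network interface
VPN_SUBNET = "172.27.224.0/20"  # assumed VPN client subnet
CLIENT = "172.27.224.5"         # a connected VPN client
VPC_HOST = "10.0.2.20"          # another instance in the VPC

DEFAULT_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
FIXED_TABLE = DEFAULT_TABLE + [(VPN_SUBNET, AS_ENI)]  # the added static route


def next_hop(route_table, dst):
    """Longest-prefix match, the rule a VPC route table uses to pick a target."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(cidr), target) for cidr, target in route_table]
    matches = [(net, target) for net, target in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def instance_forwards(src, dst, src_dst_check):
    """With the check on, the instance must itself be the source or destination."""
    return (not src_dst_check) or AS_IP in (src, dst)


def vpc_host_reaches_client(route_table, src_dst_check):
    """True only when the packet is routed to the VPN instance and forwarded by it."""
    routed = next_hop(route_table, CLIENT) == AS_ENI
    return routed and instance_forwards(VPC_HOST, CLIENT, src_dst_check)


if __name__ == "__main__":
    for name, table in (("default", DEFAULT_TABLE), ("with static route", FIXED_TABLE)):
        for check in (True, False):
            ok = vpc_host_reaches_client(table, check)
            print(f"{name:18} src/dst check={check!s:5} -> reachable: {ok}")
```

Only the combination of the static route and a disabled check delivers the packet; without the route, traffic for the VPN subnet follows the default route and never reaches the VPN instance.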
We recommend updating your Linux OS. A number of updates have likely been released between the time we generated the appliance and the time you downloaded and started using it. To make sure your appliance OS is up to date, run the following commands:
sudo apt-get update
sudo apt-get upgrade