AWS Frequently Asked Questions
Looking for answers about your Amazon instance of Access Server? We’ve got you covered. OpenVPN on AWS.
Getting started
Visit our OpenVPN Support Center, where you can submit a support ticket.
We provide detailed instructions in our installation guides. Choose the one that matches your AWS licensing type:
To access the Admin Web UI, point to the public IP address for your instance and sign in with the admin user. The Admin Web UI URL has the following format: https://xxx.xxx.xxx.xxx/admin.
You can download the OpenVPN Connect app from your Client Web UI. You can also download OpenVPN Connect directly from our site and import connection profiles.
Try our frequently asked questions for answers regarding licensing, renewals, purchases, administration, and more.
Connectivity
Amazon provides information on how to connect to your instance: Connecting to your Linux instance using an SSH client. You can also follow our tutorial: Connect to Access Server via SSH using PuTTY.
Turn on routing from the Access Server Admin Web UI.
In AWS, disable the source/destination check on the Access Server instance to allow the appliance to forward traffic from and to clients.
Set the Access Server security group accordingly to allow traffic from other IPs in the VPC to reach the clients.
Update your private subnet's routing tables to let the internal VPC router know which subnets are reachable via the Access Server (i.e., VPN client subnets).
Amazon Configuration
If your Amazon Machine Image (AMI) with Access Server isn't working, contact support. We test these images carefully before they are released and have found that they are in working order. Despite all our care, however, it is possible that some configuration settings or some conditions in the environment in which it is deployed can cause issues. We’d be happy to look closer at the issue and offer our expertise to try to resolve the problem.
Access Server requires access for inbound traffic on TCP 22 (SSH), TCP 943 and 443 (web interface), TCP 945 (if you use clustering with Access Server versions prior to 3.0), and UDP 1194 (OpenVPN UDP port for client communication).
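The port list above can be checked against a security group's inbound rules. The following is an added example, not OpenVPN's or AWS's own code: it reads a rule set in the JSON shape returned by `aws ec2 describe-security-groups` and reports listed ports that are not open and rules that open more than the list. The function name, the sample group, and the world-open SSH check are assumptions made for this illustration.

```python
# Inbound ports the FAQ lists for Access Server.
REQUIRED = {("tcp", 22), ("tcp", 443), ("tcp", 943), ("udp", 1194)}
CLUSTER_PRE_3 = ("tcp", 945)  # only for clustering on versions prior to 3.0
WORLD = {"0.0.0.0/0", "::/0"}

def audit_ingress(group, clustering_pre_3=False):
    """Return missing ports, rules wider than the list, and world-open SSH."""
    wanted = REQUIRED | ({CLUSTER_PRE_3} if clustering_pre_3 else set())
    covered, excess, ssh_world = set(), [], False
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1":  # "-1" means every protocol and port
            lo, hi = 0, 65535
        elif proto not in ("tcp", "udp"):
            excess.append((proto, lo, hi))  # e.g. ICMP is not on the list
            continue
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        hits = {(p, n) for (p, n) in wanted
                if proto in (p, "-1") and lo <= n <= hi}
        covered |= hits
        # Excess: the rule opens at least one port beyond those it matched.
        if proto == "-1" or hi - lo + 1 > len(hits):
            excess.append((proto, lo, hi))
        # Assumption (not from the FAQ): SSH should not be open to everyone.
        if ("tcp", 22) in hits and cidrs & WORLD:
            ssh_world = True
    return {"missing": sorted(wanted - covered), "excess": excess,
            "ssh_world_open": ssh_world}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 945,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}

if __name__ == "__main__":
    print(audit_ingress(SAMPLE_GROUP))
```

Pass `clustering_pre_3=True` only when the deployment uses clustering on an Access Server version prior to 3.0, so that TCP 945 is treated as expected rather than excess.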
An Elastic IP address is a static IPv4 address used for dynamic cloud computing. An Elastic IP address is associated with your AWS account. If you’d like more details, refer to Amazon’s explanation of Elastic IP addresses.
It’s best practice to associate an Elastic IP address with your Access Server EC2 instance so you can easily remap the same address to another instance in case the current instance fails. The Elastic IP address serves as the public IP access point to the Admin Web UI as well as the tunnel-establishment endpoint for VPN clients.
Some firewalls on public networks block everything except the most common ports (HTTP TCP/80 and HTTPS TCP/443). To work in this situation, the OpenVPN daemon listens on TCP port 443 by default and can forward incoming web browser requests to the web service on TCP port 943 (the web server and the OpenVPN server can't both listen on the same port). With this port-sharing feature, an incoming HTTPS connection on port 443 is remapped to the web service on port 943, while the OpenVPN daemon on port 443 still handles incoming tunnel connections. You can then bypass existing firewall limitations.
If you are using a tiered instance, ensure that your instance can reach our online activation servers. For tips on troubleshooting licenses, refer to Troubleshooting Tips.
Access Server Configuration
You can run a cluster of Access Servers to provide a high-availability, active-active setup. Refer to the Cluster Setup topic for details.
You can set Access Server to allow clients to keep their IP addresses:
Enable routing in the Access Server Admin Web UI.
In your AWS console, disable the source/destination check on the Access Server instance to let the appliance forward traffic to and from clients.