AWS EC2 VPN Server Setup: Quick Start Guide
How to launch the AWS Marketplace appliance for Access Server and get your VPN server up and running in minutes.
Access Server provides an Amazon Web Services (AWS) VPN that you can get up and running within minutes.
Working with AWS, you use their appliances, which are Linux-based virtual machines running on virtualized hardware. By using the Access Server appliance from their marketplace, you can launch a VPN hosted in the cloud, with the following benefits:
Read on for your guide to getting started with your VPN server on the web.
Launch Options:
Choose from AWS marketplace instances with a set number of connections, the bring-your-own-license (BYOL) Access Server instance, or a pay-as-you-go option.
Subscription for Set Connections:
When selecting an instance with a set number of connections (tiered), you pay for those connections through AWS, and you are limited to that set amount.
BYOL Instance:
For BYOL, you purchase a license separately to unlock connections, then activate it on your Access Server installation.
You can adjust the number of connections up or down at any time by adjusting the subscription purchased on our site.
Refer to AWS Tiered.
PAYG Instance:
For PAYG, you purchase through AWS and can adjust the number of connections up or down by adjusting the amount through AWS.
Refer to AWS PAYG.
Free Trial for BYOL AMI:
After launching a BYOL-type AMI, you can start immediately with up to two simultaneous connections and test all features of Access Server with no time limit.
To expand beyond two connections, you must purchase and activate a license key.
Further Information:
For more details about Access Server subscriptions, refer to this FAQ: What Are Access Server's License Options?
To launch a new instance with Access Server software:
Sign in to the Access Server portal.
Click Install Access Server.
Select Amazon AWS as your Cloud provider (IaaS).
Select your AWS region and subscription (click on the Activation Keys page to manage the subscription options).
Click Launch Script on AWS.
From the AWS Quick create stack page, provide your configuration details:
Stack name: Enter a name for the cloud formation stack (default: openvpn-accessserver).
ActivationKey: This populates automatically from your subscription key.
VpcId: Select your existing virtual private cloud.
SubnetId: Select a subnet from the VPC.
InstanceName: Name the EC2 instance (default: OpenVPNAccessServer).
InstanceType: Select your instance type. (We recommend minimum t4g.small, with t4g.large best for light-medium loads, and t4g.xlarge best for heavy loads. Refer to System Requirements for details, if needed.)
KeyName: Select an EC2 key pair for SSH access to the instance.
Click Create stack.
The stack creates an EC2 instance and a security group, and installs Access Server on the instance.
When the stack completes, you can find your connection details for the Admin Web UI in the stack output:
On the CloudFormation status page, click the Outputs tab.
Two outputs are displayed: AdminPortal, and TempPassword.
The AdminPortal is the URL for you to access the Admin Web UI.
The TempPassword is for authenticating with the openvpn admin user account on the Admin Web UI. You can now use this information to open the Admin Web UI in a browser and sign in.
Hop over to First-Time Setup for your first use and configuration of Access Server.
If your VPN setup is a site-to-site configuration between your cloud instances and your on-premises machines, ensure you disable the source/destination check on the instance in Amazon EC2; otherwise, routing won’t function properly.
Turn off source/destination checks:
From Instances in the EC2 console, right-click on the VPN instance ID.
Click Networking > Change source/destination check.
Check Stop under Source / Destination checking and click Save.
Source/destination checking can also block traffic if you want VPC data to go directly to the IP addresses of your VPN clients in the VPN client subnet. For that use case, turn off the check as well.
Access Server’s default routing uses network address translation (NAT). Traffic originating from the VPN clients appears to come from the local IP address of Access Server with NAT, and this is simpler than setting up routing.
However, when using NAT, traffic from the VPC itself can’t directly access a VPN client because the NAT engine prevents direct contact. You must configure routing instead of NAT to allow direct access to a VPN client.
To access this configuration:
Sign in to the Admin Web UI.
Click Configuration > VPN Settings.
Scroll to the Routing section, where you can click Yes, using Routing.
Configure your subnets for your network.
After setting up routing, the source IP address of packets coming from the VPN clients is kept intact, and direct access from the VPC network to the VPN client subnet is possible. However, because the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Amazon routing table for your VPC so that the return traffic flows properly. Refer to Amazon’s AWS VPC routing documentation: Route tables for your VPC (Amazon).
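The same two changes described above (turning off the source/destination check and adding the static return route for the VPN client subnet) as AWS CLI calls. This is an added example, not code from the OpenVPN documentation; it assumes an installed and credentialed aws CLI, and the instance ID, route table ID and VPN client CIDR passed in are placeholders for your own values (the CIDR is whatever you configured under Configuration > VPN Settings).

```shell
set -eu

# Turn off source/destination checking on the VPN instance only, so EC2 lets it
# forward packets whose addresses are not its own (routed VPN client traffic).
disable_source_dest_check() {
  instance_id="$1"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --no-source-dest-check
}

# Read the attribute back; prints "False" once the check is disabled.
source_dest_check_state() {
  instance_id="$1"
  aws ec2 describe-instance-attribute --instance-id "$instance_id" \
    --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text
}

# Static return route: VPC traffic destined for the VPN client subnet is handed
# to the Access Server instance, so replies to VPN clients can get back.
add_vpn_client_return_route() {
  route_table_id="$1"; vpn_client_cidr="$2"; instance_id="$3"
  aws ec2 create-route --route-table-id "$route_table_id" \
    --destination-cidr-block "$vpn_client_cidr" --instance-id "$instance_id"
}

# Disable the check, confirm it actually took effect, then add the route.
setup_routed_vpn_instance() {
  instance_id="$1"; route_table_id="$2"; vpn_client_cidr="$3"
  disable_source_dest_check "$instance_id" >/dev/null
  state=$(source_dest_check_state "$instance_id")
  if [ "$state" != "False" ]; then
    echo "source/destination check still enabled on $instance_id (got: $state)" >&2
    return 1
  fi
  add_vpn_client_return_route "$route_table_id" "$vpn_client_cidr" "$instance_id" >/dev/null
  echo "routed VPN configured: $vpn_client_cidr -> $instance_id via $route_table_id"
}

# Placeholder IDs and CIDR; replace with your own before running for real.
# setup_routed_vpn_instance i-0123456789abcdef0 rtb-0123456789abcdef0 172.27.224.0/20
```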
When you launch an EC2 instance, you can pass user data to the instance to perform common automated configuration tasks. You can use this feature to preconfigure Access Server with specific settings, as defined below.
This uses AWS “user data,” which is only available to you through the manual launch method on the EC2 dashboard, or via the API or CLI.
Here’s an example of user data sent during launch:
Send a username and password for your administrative user. When you do this, you don’t need to SSH in to finish the setup wizard. You’ve already set your account credentials.
Entering user data:
During the steps above for creating an AMI, when you reach step 7, Advanced details, expand that section.
Scroll down to the text field, User data.
Enter your data for one or more of the available settings below. Enter each setting on its own line as key1=value1; don’t quote keys or values, and don’t put spaces on either side of the equals sign. Example:
public_hostname=vpn.example.com
admin_user=admin1
admin_pw=p@$w0rd
Available settings for pre-configuration with Access Server:
| Key | Description |
|---|---|
| public_hostname | The hostname used by clients to contact the server. |
| admin_pw | The administrative account initial password. Warning: This parameter is communicated to the instance via a cleartext channel. |
| license | The Access Server license key. Tip: Without a license key, Access Server allows up to two concurrent connections. |
| reroute_gw (boolean, default=0) | If 1, clients route internet traffic through the VPN. |
| reroute_dns (boolean, default=0) | If 1, clients route DNS queries through the VPN. Note: If the VPC CIDR block is defined, it is made accessible to VPN clients via NAT. |
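A small checker for the user-data format rules above (one key=value per line, no quotes, no spaces around the equals sign, only the keys listed, 0 or 1 for the booleans), run before you paste the text into the User data field or pass it to the CLI. This is an added example, not code from the OpenVPN documentation; the key list is the table above plus admin_user from the page's own example, and the sample values are constructed.

```shell
set -eu

# Write the constructed sample user data in the required layout.
# admin_pw here is a throwaway sample value.
write_user_data() {
  printf '%s\n' 'public_hostname=vpn.example.com' 'admin_user=admin1' \
    'admin_pw=p@$w0rd' 'reroute_gw=1' 'reroute_dns=1' > "$1"
}

# Check every line of a user-data file against the format rules.
# Returns 0 when all lines are acceptable, 1 otherwise (problems go to stderr).
validate_user_data() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '') continue ;;                                   # tolerate blank lines
      *\"*|*\'*) echo "quotes are not allowed: $line" >&2; rc=1; continue ;;
      *=*) ;;
      *) echo "no '=' in line: $line" >&2; rc=1; continue ;;
    esac
    key=${line%%=*}; value=${line#*=}
    case "$key" in
      *' '*) echo "space before '=': $line" >&2; rc=1; continue ;;
    esac
    case "$value" in
      ''|' '*) echo "empty value or space after '=': $line" >&2; rc=1; continue ;;
    esac
    case "$key" in
      public_hostname|admin_user|admin_pw|license) ;;
      reroute_gw|reroute_dns)
        case "$value" in
          0|1) ;;
          *) echo "$key must be 0 or 1: $line" >&2; rc=1; continue ;;
        esac ;;
      *) echo "unknown key: $key" >&2; rc=1; continue ;;
    esac
    if [ "$key" = admin_pw ]; then
      echo "note: admin_pw is delivered in cleartext user data; change it after first sign-in" >&2
    fi
  done < "$1"
  return "$rc"
}
```

User data stays readable afterwards from the instance metadata service and through the EC2 API, so treat admin_pw as a bootstrap credential and rotate it once you are signed in to the Admin Web UI.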