
AWS EC2 Tiered Appliance Quick Start Guide for Access Server

Abstract

How to launch the AWS marketplace appliance for Access Server and get your VPN server up and running in minutes with tiered pricing.

Access Server provides an Amazon Web Services (AWS) VPN that you can get up and running within minutes.

When working with AWS, you use their EC2 instances or Amazon Machine Images (AMIs), which are Linux-based virtual machines running on virtualized hardware. By using the Access Server EC2 instance from their marketplace, you can launch a VPN hosted in the cloud, with the following benefits:

Read on for your guide to getting started with your VPN server on the web.

AWS tiered instances for Access Server

This guide walks you through launching a tiered Access Server instance from AWS Marketplace, where the AMI includes a fixed number of connections.

With tiered instances, you choose a predefined number of connections, and billing is handled through AWS. Your instance is ready to use immediately with that capacity. If your needs change, you need to deploy a new instance with a different tier.

AWS Marketplace also offers other deployment options, including Pay-As-You-Go (PAYG) and Bring-Your-Own-License (BYOL). This guide focuses on tiered instances.

For a detailed comparison of all AWS licensing options, refer to the AWS licensing options FAQ.

If you have licensing issues with your Amazon tiered instance and it’s only allowing two connections, see our AMI tiered instance licensing troubleshooting page.

AWS tiered — launch

To launch a new tiered instance with Access Server software:

  1. Select one of the Access Server listings with a specified number of connected devices in the AWS Marketplace and launch.

  2. Review the EULA and software subscription information.

  3. Configure the software with a 64-bit AMI, the latest version of Access Server, and your desired region.

  4. Select your desired instance type. (Refer to Access Server System Requirements for details, if needed.)

  5. Use our predefined access on ports and protocols for the security group.

  6. Select a key pair for securely connecting to your instance (or click to create one).

  7. You're ready to launch.

Tip

For the security group, we recommend using the default group for the marketplace instance but adjusting the sources for some ports to improve security. For your information, these are the ports that need to be open:

  • TCP 22: For SSH to remotely administer your appliance. We recommend you restrict this port to trusted IP addresses by entering a specific subnet in CIDR notation (e.g., 12.34.56.0/24 for a subnet or 11.22.33.44/32 for a single IP address).

  • TCP 943: The Admin Web UI uses this port, which is also served on port 443 by default.

  • TCP 443: For HTTPS, used by the Client Web UI, the interface where your users sign into the VPN server to retrieve client or config files. We recommend leaving this port open to the source 0.0.0.0/0. Access Server also accepts VPN connections on this port by default unless you turn that setting off. In multi-daemon mode, the OpenVPN TCP daemon shares this port with the Client Web UI, and your clients initiate TCP-based VPN sessions on this port number.

  • UDP 1194: For the OpenVPN UDP port used by your clients to initiate UDP-based VPN sessions to the VPN server, the preferred way for clients to communicate. Keep this port open for all clients.
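As an added example (not part of this guide or of OpenVPN's own tooling), the following Python builds the inbound rules for the security group described above in the IpPermissions format that the AWS CLI and boto3 `authorize-security-group-ingress` call accept, restricting SSH to a trusted CIDR as recommended, and audits a rule set for an SSH port left open to the world. The admin CIDR value is a constructed sample.

```python
"""Build and audit inbound rules for an Access Server security group.

Added example, not the guide's own code. Produces the IpPermissions list used by
boto3 / `aws ec2 authorize-security-group-ingress` and checks it for SSH exposure.
"""
import ipaddress

# Ports the guide lists: (protocol, port, purpose)
ACCESS_SERVER_PORTS = [
    ("tcp", 22, "SSH administration"),
    ("tcp", 943, "Admin Web UI"),
    ("tcp", 443, "Client Web UI and OpenVPN TCP daemon"),
    ("udp", 1194, "OpenVPN UDP daemon"),
]
ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS = {22}  # the guide recommends limiting SSH to trusted addresses


def build_ingress_rules(admin_cidr):
    """Return IpPermissions for the four ports; admin ports limited to admin_cidr.

    admin_cidr is validated as strict CIDR (e.g. "11.22.33.44/32") so that a typo
    neither becomes a wide-open rule nor is rejected later by the API.
    """
    net = ipaddress.ip_network(admin_cidr, strict=True)  # ValueError on bad input
    if net.prefixlen == 0:
        raise ValueError("admin_cidr must not be 0.0.0.0/0")
    rules = []
    for proto, port, purpose in ACCESS_SERVER_PORTS:
        cidr = str(net) if port in ADMIN_PORTS else ANYWHERE
        rules.append({
            "IpProtocol": proto,
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": purpose}],
        })
    return rules


def audit_ingress_rules(rules):
    """Return findings for admin ports reachable from 0.0.0.0/0 (empty if clean)."""
    findings = []
    for rule in rules:
        open_world = any(r["CidrIp"] == ANYWHERE for r in rule["IpRanges"])
        for port in range(rule["FromPort"], rule["ToPort"] + 1):
            if port in ADMIN_PORTS and open_world:
                findings.append(f"{rule['IpProtocol']}/{port} open to {ANYWHERE}")
    return findings


if __name__ == "__main__":
    for rule in build_ingress_rules("11.22.33.44/32"):  # constructed sample CIDR
        print(rule["IpProtocol"], rule["FromPort"], rule["IpRanges"][0]["CidrIp"])
```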

Once the AMI is launched, SSH into the instance using an SSH client and the private key of the key pair you selected during setup.

  • Instance username: ubuntu

  • Connect with SSH:

    ssh -i /path/key-pair-name.pem ubuntu@instance-public-ipv4-address

You can refer to Connect to Access Server via SSH using PuTTY for steps to connect with the PuTTY SSH client from a Windows computer. If you have a different configuration, please follow Amazon’s instructions on connecting to your instance.

Connect to your server, and the Access Server will complete the installation. Access Server then provides the URLs for your Admin Web UI and Client Web UI, and the username and password for signing in to the Admin Web UI.

Refer to First-Time Setup for details.

We recommend you assign an Elastic IP address to your instance:

  1. From your AWS console, click Elastic IPs under Network & Security.

  2. Click Allocate Elastic IP address.

  3. Select the pool and enter any tags (optional).

  4. Click Allocate.

  5. After AWS allocates your new IP address, select it, and click Actions > Associate Elastic IP address.

  6. Choose Instance as the resource type, select your Access Server instance from the Instance search field, and select the Private IP address by clicking in the search field and selecting the option available.

  7. Click Associate.

  8. Sign in to your Admin Web UI.

  9. Click VPN Server.

  10. Enter the Elastic IP in the Hostname (or IP address) field.

  11. Click Save and Restart.

The default time zone may not be the time zone that you're in. If you are in a different time zone, you can change this setting by running the following command and then choosing your time zone from the menu it presents:

sudo dpkg-reconfigure tzdata

We recommend installing the NTP client to keep the time synchronized; it is especially important for those who plan on using multi-factor authentication with TOTP, since time-based codes fail when the server clock drifts. Run this command:

sudo apt-get install ntp

Access Server’s default routing uses network address translation (NAT). Traffic originating from the VPN clients appears to come from the local IP address of Access Server with NAT, and this is simpler than setting up routing.

However, when using NAT, traffic from the VPC itself can’t directly access a VPN client because the NAT engine prevents direct contact. You must configure routing instead of NAT to allow direct access to a VPN client.

To access this configuration:

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

    • The Group and User Access Rules tab displays.

  3. Click the Global Access Rules tab.

  4. Set IP Addresses and Subnets to Route for Reachable via.

  5. Configure your subnets for your network.

After setting up routing, the source IP address of packets coming from the VPN clients is kept intact, and direct access from the VPC network to the VPN client subnet is possible. However, because the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Amazon routing table for your VPC so that the return traffic flows properly. Refer to Amazon’s AWS VPC routing documentation: Route tables for your VPC (Amazon).

We recommend updating your Linux OS. Between the time we generated the appliance and the time you launched it, a number of updates have likely been released. To make sure your appliance OS is up to date, execute the following commands:

sudo apt-get update
sudo apt-get upgrade

Additional Security Steps You Can Take After Installation