Tutorial: Deploy Access Server in AWS GovCloud
Deploy Access Server in AWS GlovCloud regions to provide encrypted, Zero Trust-aligned VPN access for government workloads that require strict security, compliance, and US data residency.
Overview
AWS GovCloud is a set of isolated AWS regions designed to host sensitive United States government workloads and regulated data, and meet strict security, compliance, and residency requirements.
For more information, refer to:
Once deployed, Access Server enables encrypted, Zero Trust-aligned access to sensitive GovCloud-hosted resources for authorized users — helping organizations enforce strong identity-based access controls, keep workloads private within GovCloud VPCs, and support remote administrators, operators, and partners, all while aligning with strict security, compliance, and US data-residency requirements.
By using the Access Server appliance from the AWS GovCloud Marketplace, you can launch a VPN hosted in the cloud with the following benefits:
Prerequisites
A Commercial AWS account
A GovCloud AWS account
An EC2 key pair in your GovCloud account for SSH access to the instance.
Note
AWS GovCloud accounts are separate from commercial AWS accounts and require independent sign-in credentials. You will be redirected to the GovCloud login page during the launch process.
Select your licensing model
Access Server supports two licensing models in AWS GovCloud:
Model | How it works |
|---|---|
BYOL (bring your own license) | Purchase a subscription from OpenVPN separately and activate it on your instance. Includes a free tier of two concurrent connections with no time limit. |
PAYG (pay as you go) | Subscribe and manage connections directly through AWS billing. Scale connections up or down without spinning up a new instance. |
For a full comparison of license types, refer to Access Server license options.
Deploy with BYOL
You can deploy a BYOL instance in AWS GovCloud using two methods: the Access Server Portal (recommended, uses CloudFormation) or the AWS Marketplace directly (manual EC2 launch).
Option 1: Launch from the Access Server Portal
Sign in or create a new account on our website for the Access Server product.
Select Start 14-Day Free Trial or Try Free Version.
Tip
If you already have a subscription, click Activation Keys and purchase more.
If you select Start 14-Day Free Trial:
Enter the number of VPN connections you want (10 is the default).
Provide billing information.
Complete the trial setup. Billing begins after the 14-day trial ends.
If you select Try Free Version:
A free subscription with 2 VPN connections is created automatically.
No billing information is required.
From the Access Server Portal, click Install Access Server.
Click the AWS Launcher tab.
Review the details for your instance:
Select your OpenVPN Subscription: This populates with your subscription from the previous step.
Select an AWS region: Select the AWS GovCloud region. You can choose US East GovCloud (us-gov-east-1) or US West GovCloud (us-gov-west-1).
Optionally, click the CloudFormation template link to launch the script manually from your AWS GovCloud account under CloudFormation Stacks.
Click Launch Now.
You're redirected to the AWS GovCloud login page.
From the AWS GovCloud Quick create stack page, provide your configuration details:
Stack name: Enter a name for the CloudFormation stack (default:
openvpn-accessserver).ActivationKey: This populates automatically from your subscription key.
VpcId: Select your existing virtual private cloud.
SubnetId: Select a subnet from the VPC.
InstanceName: Enter a name for the EC2 instance (default:
OpenVPNAccessServer).InstanceType: Select your instance type.
Tip
We recommend a minimum of
t4g.small, witht4g.largebest for light-to-medium loads andt4g.xlargefor heavy loads. Refer to System Requirements for details.KeyName: Select an EC2 key pair for SSH access to the instance.
Acknowledge that AWS CloudFormation will create IAM resources.
Click Create stack.
The stack creates an EC2 instance and security group, and installs Access Server.
Important
The system requires up to five minutes for complete initialization. On AWS, this process occurs in two stages: Access Server is installed, and then reinstalled during initialization (ovpn-init). During this time, authentication attempts will fail, and this is expected behavior. Don't attempt to sign in until both stages are complete. Once initialization finishes, you can sign in successfully.
When the stack completes, you can find your connection details for the Admin Web UI in the stack output:
On the CloudFormation status page, click the Outputs tab.
Two outputs are displayed: AdminPortal, and TempPassword.
The AdminPortal is the URL for you to access the Admin Web UI.
The TempPassword is for authenticating with the
openvpnadmin user account on the Admin Web UI.
Open a web browser and navigate to the Admin Web UI using the AdminPortal URL.
Enter the username (
openvpn) and the TempPassword from the stack output.Once signed in, we recommend changing the
openvpnpassword from the Users page.Hop over to First-Time Setup for your first use and configuration of Access Server.
Once the AMI is launched, SSH into the console using an SSH client and the private key pair you used during setup.
Instance username:
ubuntuConnect with SSH:
ssh -i /path/key-pair-name.pem ubuntu@instance-public-ipv4-address
You can refer to Connect to Access Server via SSH using PuTTY for steps to connect with the PuTTY SSH client from a Windows computer. If you have a different configuration, please follow Amazon’s instructions on connecting to your instance.
Option 2: Launch from the AWS Marketplace
Note
This method launches from EC2 directly rather than using CloudFormation. The initial Access Server configuration runs interactively the first time you SSH into the instance, and you activate your subscription separately after launch.
Sign in to your Commercial AWS account.
Navigate to the AWS Marketplace.
Select the OpenVPN Access Server / Self-Hosted VPN (BYOL) listing.
Review the details and click View purchase options.
Click Launch your software.
Under Launch method, select Launch from EC2 Console.
Under Version, select the latest Access Server version listed.
Under Region, select a GovCloud region:
US East GovCloud (
us-gov-east-1)US West GovCloud (
us-gov-west-1)
Click Launch from EC2.
You're redirected to the AWS GovCloud login page.
Sign in to your GovCloud account.
From the AWS GovCloud Launch from EC2 page, provide your configuration details:
Name: Enter a name for the EC2 instance (default:
OpenVPNAccessServer).Instance type: Select your instance type. Refer to System Requirements for guidance.
Key pair (login): Select an EC2 key pair for SSH access to the instance.
Network settings: Select your existing VPC, subnet, and security groups.
Add a security group with the following inbound rules:
Type
Source
Port range
SSH
0.0.0.0/022
Custom TCP
0.0.0.0/0943
Custom TCP
0.0.0.0/0443
Custom UDP
0.0.0.0/01194
Tip
Port TCP 22 doesn't need to be open to all IP addresses (
0.0.0.0/0). This access is only required to manage the instance. For better security, restrict the source IP to only the administrator's IP address.Click Launch instance.
Once the AMI is launched, SSH into the console using an SSH client and the private key pair you used during setup.
Instance username:
openvpnasConnect with SSH:
ssh -i /path/key-pair-name.pem openvpnas@instance-public-ipv4-address
You can refer to Connect to Access Server via SSH using PuTTY for steps to connect with the PuTTY SSH client from a Windows computer. If you have a different configuration, please follow Amazon’s instructions on connecting to your instance.
Once the AWS instance deployment is complete, you can access your Access Server's Admin Web UI.
The initial Access Server configuration tool runs automatically the first time you sign in to the instance via SSH.
Accept the default values by pressing Enter for each prompt, or enter your preferred settings.
In the last steps of the installation process, the randomly generated password for the
openvpnadministrative account is displayed in the console.Access the Admin Web UI at:
https://[your-ip-address]/admin
Replace
[your-ip-address]with the public IP address of your instance.
Deploy with PAYG
You can deploy Access Server to AWS GovCloud directly from the Access Server PAYG marketplace listing on AWS.
Sign in to the AWS Marketplace.
Select the Access Server / Self-Hosted VPN (PAYG) listing.
Review the details and click View purchase options.
Select your desired options for the contract:
Duration: One month or a year.
Auto-renewal: Whether or not the contract renews automatically.
Available units: The connection plan that best fits your user needs.
Tip
A connection is an actively connected user device, such as a headless server, a mobile tablet, or a remote laptop.
The contract cost displays.
Review the terms and conditions.
Select whether you need to add a purchase order.
Click Subscribe.
Your contract is currently pending and you can set up your account on our site.
Click Set up your account to be directed to our site for the next steps.
Note
If you already have an OpenVPN account, sign in to your existing account and skip these steps.
Click to create a new account on our website.
Follow the steps to add your contact information and confirm your email.
Once you've successfully signed in, the Access Server Portal displays, starting on the Deploy Access Server screen.
You can also click AWS Contract in the navigation, displaying your available connections and email notification options.
From the Access Server portal, click Install Access Server.
From the AWS Launcher option, review the instance details:
Select your OpenVPN Subscription: This populates with your subscription from the previous step.
Select an AWS region: Select the AWS GovCloud region. You can select between:
US East GovCloud (
us-gov-east-1)US West GovCloud (
us-gov-west-1)
Optional
You can click the CloudFormation template link to launch the script manually from your AWS Cloud account under CloudFormation Stacks.
Click Launch Now, and you will be redirected to the AWS GovCloud login page.
From the AWS GovCloud Quick create stack page, provide your configuration details:.
Stack name: You can enter a stack name; the default is openvpn-accessserver.
ActivationKey: This populates with the AWS PAYG license key.
VpcId: Select your VPC for the instance.
SubnetId: Select the public Subnet ID.
InstanceName: You can enter a name for the instance; the default is OpenVPNAccessServer.
InstanceType: Select the desired instance type. (We recommend minimum t4g.small, with t4g.large best for light-medium loads, and t4g.xlarge best for heavy loads. Refer to System Requirements.)
KeyName: Select an existing EC2 KeyPair for SSH access to the instance.
Acknowledge that AWS CloudFormation will create IAM resources.
Click Create stack.
The stack creates an EC2 instance, security group, and installs Access Server.
Once the stack completes, you can find your connection details for the Admin Web UI in the stack output.
Important
The system requires up to five minutes for complete initialization. On AWS, this process occurs in two stages: Access Server is installed, and then reinstalled during initialization (ovpn-init). During this time, authentication attempts will fail, and this is expected behavior. Don't attempt to sign in until both stages are complete. Once initialization finishes, you can sign in successfully.
Here's how to access the Admin Web UI after the stack is complete:
On the CloudFormation status page, click the Outputs tab. Two outputs are displayed:
AdminPortal: The URL to access the Admin Web UI.
TempPassword: The password for authenticating the
openvpnadmin user account on the Admin Web UI.
Open your web browser and navigate to the Admin Web UI using the AdminPortal URL.
Enter the username (
openvpn) and the temporary password displayed in the stack output.Once signed in, we recommend changing the password under Users → openvpn user account.
Hop over to First-Time Setup for your first use and configuration of Access Server.
Once your AMI is launched, SSH into the console using an SSH client and the private key pair you used during setup.
Instance username:
ubuntuConnect with SSH:
ssh -i /path/key-pair-name.pem ubuntu@instance-public-ipv4-address
You can refer to Connect to Access Server via SSH using PuTTY for steps to connect with the PuTTY SSH client from a Windows computer. If you have a different configuration, please follow Amazon’s instructions on connecting to your instance.
Post-deployment steps
The following steps apply to all license types and launch methods.
We recommend you assign an Elastic IP address to your instance:
From your AWS console, click Elastic IPs under Network & Security.
Click Allocate Elastic IP address.
Select the pool and enter any tags (optional).
Click Allocate.
After AWS allocates your new IP address, select it, and click Actions > Associate Elastic IP address.
Choose Instance as the resource type, select your Access Server instance from the Instance search field, and select the Private IP address by clicking in the search field and selecting the option available.
Click Associate.
Sign in to your Admin Web UI.
Click VPN Server.
Enter the Elastic IP in the Hostname (or IP address) field.
Click Save and Restart.
If your VPN setup consists of a site-to-site setup between your cloud instances and your machines on-premises, ensure you disable source destination check protection on Amazon; otherwise, routing won’t function properly.
Turn off source/destination checks:
From Instances in the EC2 console, right-click on the VPN instance ID.
Click Networking > Change source/destination check.
Check Stop under Source / Destination checking and click Save.
Source/destination checking can also block traffic if you want VPC data to go directly to the IP addresses of your VPN clients in the VPN client subnet. For that use case, turn off the check as well.
Access Server’s default routing uses network address translation (NAT). Traffic originating from the VPN clients appears to come from the local IP address of Access Server with NAT, and this is simpler than setting up routing.
However, when using NAT, traffic from the VPC itself can’t directly access a VPN client because the NAT engine prevents direct contact. You must configure routing instead of NAT to allow direct access to a VPN client.
To access this configuration:
Sign in to the Admin Web UI.
Click Access Controls.
The Group and User Access Rules tab displays.
Click the Global Access Rules tab.
Set Reachable via to Route.
Configure your subnets for your network.
Click Save and Restart.
After setting up routing, the source IP address of packets coming from the VPN clients is kept intact, and direct access from the VPC network to the VPN client subnet is possible. However, because the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Amazon routing table for your VPC so that the return traffic flows properly. Refer to Amazon’s AWS VPC routing documentation: Route tables for your VPC (Amazon).
When you launch a BYOL EC2 instance from the AWS Marketplace, you can pass user data to perform automated configuration tasks during deployment. You can use this feature to preconfigure Access Server with specific settings, such as administrative credentials.
User data is supported when launching instances manually from the EC2 dashboard, or via the AWS API or CLI.
Tip
If you deploy from the Access Server Portal, user data isn't exposed directly. To use it, download the CloudFormation (CF) template, modify it to include your user data, and deploy it manually using AWS CloudFormation Stacks.
Here’s an example of user data sent during launch:
Send a username and password for your administrative user. When you do this, you don’t need to SSH in to finish the setup wizard. You’ve already set your account credentials.
Entering user data:
During the instance launch, click Advanced details to expand that section.
Scroll down to the text field, User data.
Enter your data for one or more of the available settings below. Ensure you enter each row as key1=value1, and don’t use quote keys or spaces on either side of the equal character. Example:
public_hostname=vpn.example.com admin_user=admin1 admin_pw=p@$w0rd
Available settings for pre-configuration with Access Server:
Key | Description |
|---|---|
public_hostname | The hostname used by clients to contact the server. |
admin_pw | The administrative account initial password. WarningThis parameter is communicated to the instance via cleartext channel. |
license | The Access Server license key. TipWithout a license key, Access Server allows up to two concurrent connections. |
reroute_gw (boolean, default=0) | If 1, clients route internet traffic through the VPN. |
reroute_dns (boolean, default=0) | If 1, clients route DNS queries through the VPN. Note: If the VPC CIDR block is defined, it is made accessible to VPN clients via NAT. |