AWS Frequently Asked Questions

Getting started

Visit our OpenVPN Support Center, where you can submit a support ticket.

We provide detailed instructions in the two guides below. Choose the one that matches your type of AWS licensing.

  1. AWS Tiered Quick Start Guide
  2. AWS BYOL Quick Start Guide

To access the Admin Web UI, point to the public IP address for your instance and sign in with the admin user. The Admin Web UI URL has the following format: https://xxx.xxx.xxx.xxx/admin.

You can download the OpenVPN Connect app from your Client Web UI. You can also download OpenVPN Connect directly from our site and import connection profiles.

Try the general Frequently Asked Questions page for questions regarding licensing, renewals, purchases, and administration.

Connectivity

Amazon provides information on how to connect to your instance: Connecting to your Linux Instance Using SSH. You can also find specific information for connecting using the PuTTY SSH client from our site: Create PuTTY SSH Session For Access Server.

  1. Sign in to the Admin Web UI.
  2. Click Configuration > VPN Settings.
  3. Under routing, choose Yes, using Routing.
  4. Click Save and Update Running Server.
  5. In AWS, disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic from and to clients.
  6. Set the OpenVPN Access Server security group accordingly to allow traffic from other IPs in the VPC to reach the clients.
  7. Update your private subnet’s routing tables let the internal VPC router know which subnets are reachable via the Access Server (i.e., VPN client subnets).

Amazon Configuration

If your Amazon Machine Image (AMI) with OpenVPN Access Server is not working, please contact support. We test these images carefully before they are released and found they are in working order. Despite all our care, however, it is possible some configuration settings or some conditions in the environment it is deployed in can cause issues. We’d be happy to look closer at the issue and offer our expertise to try and resolve the problem.

For technical support, submit a Support Ticket.

OpenVPN Access Server requires access for inbound traffic on TCP 22 (SSH), TCP 943 and 443 (web interface), TCP 953 (if you use clustering), and UDP 1194 (OpenVPN UDP port for client communication).

An Elastic IP address is a static IPv4 address used for dynamic cloud computing. Your AWS account is associated with an Elastic IP address. If you’d like more detail, refer to Amazon’s explanation of Elastic IP Addresses.

It’s best practice to associate an Elastic IP address to your EC2 instance with OpenVPN Access Server so you can easily remap the same address to another instance in case the current instance fails. The Elastic IP address serves as the public IP access point to the Admin Web UI as well as the tunnel-establishment endpoint for VPN clients.

Some firewalls on public networks block everything except the most common ports (HTTP TCP/80 and HTTPS TCP/443). For OpenVPN to work well in this situation, by default, the OpenVPN daemon listens on the TCP port 443 and can forward incoming web browser requests to a web service on port TCP 943 (since you can't have both the web server and the OpenVPN server listening on the same port). This port-sharing feature allows any incoming HTTPS connection on port 443 to remap to the web service on port 943. At the same time, the OpenVPN daemon listens on port 443 and can handle incoming tunnel connections. You can then bypass existing firewall limitations.

If you are using a tiered instance, ensure that your instance can reach our online activation servers. For details on this and which ports and IP addresses to open, refer to Troubleshooting problems with software licensing.

OpenVPN Access Server Configuration

You can run a cluster of Access Server to provide a high-availability, active-active setup. Refer to Setting up an OpenVPN Access Server cluster.

You can set OpenVPN Access Server to allow clients to keep their IP addresses:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > VPN Settings.
  3. Under Routing, click Yes, using Routing.
  4. In your AWS console, disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic to and from clients.

For more information about OpenVPN Access Server, refer to our resource page: How to configure the OpenVPN Access Server.

Don’t See What You're Looking For?

No Problem — We Have 24/7 Support Available.

Submit a Support Ticket