AWS Frequently Asked Questions

Getting started

OpenVPN Access Server has a dedicated support ticket system with professionals standing by 24/7 across the world to answer any questions you may have. To reach our support ticket system, first create a free account. Once you have created an account — or if you already have an account — you can log-in and submit a ticket. We will be in touch right away.

We provide detailed instructions in the two guides below. Choose the one that matches your type of licensing.

  1. AWS Quick Start Guide
  2. AWS BYOL Quick Start Guide

To access the admin web interface, point to the public Elastic IP address you assigned and log in with the admin user you set up. The admin web interface URL has the following format:

You can download connection clients that include profiles directly from the public IP address of your Access Server. You can also download clients directly from our site and import profiles from your computer or from your server.

If you don’t find your questions here, you can also click on our general Frequently Asked Questions page for questions regarding licensing, renewals, purchases, and administration.


Amazon provides information on how to connect to your instance: Connecting to your Linux Instance Using SSH. You can also find specific information for connecting using the PuTTY SSH client from our site: Connecting to your new AMI.

  1. From the web admin interface, navigate to VPN Settings > Routing
  2. Choose Yes, using Routing
  3. Disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic from and to clients
  4. Set the OpenVPN Access Server security group accordingly to allow traffic from other IPs in the VPC to reach the clients
  5. Update your private subnet’s routing tables to let the internal VPC router know which subnets are reachable via the Access Server (i.e., VPN client subnets)

This may be caused by the DNS settings. When a problem occurs with redirecting VPN client Internet traffic, the most common issue is that domain names are not being resolved to IP addresses by a DNS server. To resolve this, you need to push a valid DNS server. If you don’t know one, you can use Google’s public DNS server. You can update the VPN Settings in the Admin UI to use Google’s servers: and Then save settings and update the server.

Amazon Configuration

If your Amazon Machine Image (AMI) with OpenVPN Access Server is not working, please contact support. We test these images carefully before they are released and found they are in working order. Despite all our care, however, it is possible some configuration settings or some conditions in the environment it is deployed in can cause issues. We’d be happy to look closer at the issue and offer our expertise to try and resolve the problem.

For technical support, please register for a free account with OpenVPN. Then you can open a Support Ticket.

OpenVPN Access Server requires access for inbound traffic on TCP 22 (SSH), TCP 943 and 443 (web interface), TCP 953 (if you use clustering), and UDP 1194 (OpenVPN UDP port for client communication).

An Elastic IP address is a static IPv4 address used for dynamic cloud computing. Your AWS account is associated with an Elastic IP address. If you’d like more detail, refer to Amazon’s explanation of Elastic IP Addresses.

It’s best practice to associate an Elastic IP address to your EC2 instance with OpenVPN Access Server so you can easily remap the same address to another instance in case the current instance fails. The Elastic IP address serves as the public IP access point to the admin web interface as well as the tunnel-establishment endpoint for VPN clients.

Some firewalls on public networks block everything except the most common ports (HTTP TCP/80 and HTTPS TCP/443). For OpenVPN to work well in this situation, by default the OpenVPN daemon listens on the TCP port 443 and can forward incoming web browser requests to a web service on port TCP 943 (since you cannot have both the web server and the OpenVPN server listening on the same port). This feature, called port sharing, allows any incoming HTTPS connection on port 443 to remap to the actual web service running on port 943. At the same time, the OpenVPN daemon is listening on port 443 and can handle incoming tunnel connections. You are then able to bypass existing firewall limitations.

If you are using a tiered instance it might be that your instance is unable to reach our online activation servers. For details on this and which ports and IP addresses to open, you can consult our documentation here:

OpenVPN Access Server Configuration

OpenVPN Access Server offers an active / passive high-availability mode out of the box. Refer to Active / Active High Availability Setup for OpenVPN Access Server for complete details.

If you don’t want OpenVPN Access Server to translate IP addresses, you can change this setting under VPN Settings > Routing in the admin interface. Choose Yes, using Routing, then disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic to and from clients.

For more information about OpenVPN Access Server, refer to our resource page: How to configure the OpenVPN Access Server: The Admin UI.

Don’t See What You're Looking For?

No Problem — We Have 24/7 Support Available.

Submit a Support Ticket