If your Amazon Machine Image (AMI) with OpenVPN Access Server is not working, please contact support. We test these images carefully before they are released and found they are in working order. Despite all our care, however, it is possible some configuration settings or some conditions in the environment it is deployed in can cause issues. We’d be happy to look closer at the issue and offer our expertise to try and resolve the problem.

For technical support, submit a Support Ticket.

OpenVPN Access Server requires access for inbound traffic on TCP 22 (SSH), TCP 943 and 443 (web interface), TCP 953 (if you use clustering), and UDP 1194 (OpenVPN UDP port for client communication).

An Elastic IP address is a static IPv4 address used for dynamic cloud computing. Your AWS account is associated with an Elastic IP address. If you’d like more detail, refer to Amazon’s explanation of Elastic IP Addresses.

It’s best practice to associate an Elastic IP address to your EC2 instance with OpenVPN Access Server so you can easily remap the same address to another instance in case the current instance fails. The Elastic IP address serves as the public IP access point to the Admin Web UI as well as the tunnel-establishment endpoint for VPN clients.

Some firewalls on public networks block everything except the most common ports (HTTP TCP/80 and HTTPS TCP/443). For OpenVPN to work well in this situation, by default, the OpenVPN daemon listens on the TCP port 443 and can forward incoming web browser requests to a web service on port TCP 943 (since you can't have both the web server and the OpenVPN server listening on the same port). This port-sharing feature allows any incoming HTTPS connection on port 443 to remap to the web service on port 943. At the same time, the OpenVPN daemon listens on port 443 and can handle incoming tunnel connections. You can then bypass existing firewall limitations.

If you are using a tiered instance, ensure that your instance can reach our online activation servers. For details on this and which ports and IP addresses to open, refer to Troubleshooting problems with software licensing.

You can run a cluster of Access Server to provide a high-availability, active-active setup. Refer to Setting up an OpenVPN Access Server cluster.

You can set OpenVPN Access Server to allow clients to keep their IP addresses:

1. Sign in to the Admin Web UI.
2. Click Configuration > VPN Settings.
3. Under Routing, click Yes, using Routing.
4. In your AWS console, disable the source/destination check on the OpenVPN Access Server instance to let the appliance forward traffic to and from clients.

For more information about OpenVPN Access Server, refer to our resource page: How to configure the OpenVPN Access Server.