Launch Connector on AWS

To configure a network that represents your AWS Virtual Private Cloud (VPC) and install an AWS instance with a Connector that uses AWS CloudFormation, follow these steps:

  1. Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com.
  2. Access Networks and click to add a new network.
  3. Provide a network name and fill in the CIDR ranges of your AWS VPC subnets.
  4. Provide a Connector name, select a VPN Region, and click create.
  5. Click on the download icon beside the connector to expand the options.
  6. Select Launch Connector on AWS from the options list to initiate the workflow with the following steps:
    1. Select an AWS Region.
    2. Click Launch.
  7. Log in to AWS.
  8. On the Quick create stack webpage, specify the stack details: Stack name, KeyName, SubnetId, VpcId, and then click Next.
  9. Click the I acknowledge that AWS CloudFormation might create IAM resources checkbox to allow CloudFormation to create RouteManagerRole IAM::Role resources. This role configures routes in the VPC Route table to use the Connector. Click Create stack.
  10. Monitor the stack creation as it goes from CREATE_IN_PROGRESS state to CREATE_COMPLETE.
  11. On completion, open the Resources tab to view the created resources. Check that the RouteManagerRole was created along with an InstancSecurityGroup, InstanceProfile, and the EC2Instance.
  12. Click on the Physical ID of the EC2 instance to check its details.
    Note: The EC2 instance uses Ubuntu. If you want to connect to it with SSH, use ubuntu as the username.
  13. The Connector EC2 automatically connects to the VPN Region and the Network will show up as online on the Status page of OpenVPN Cloud Admin portal.

A new EC2 instance Security Group is automatically created after the Network Connector deployment through CloudFormation. This Security Group contains only one Inbound Rule to allow SSH connections (Protocol: TCP; Port: 22; Source: 0.0.0.0/0).

Modify existing Security Groups

If you are using Security Groups to protect any instances that need their traffic to be routed through the Connector instance, you need to add the Security Group of the Connector instance to their inbound rules.

This screenshot shows the inbound rules of sg-0d7ffe09b9076d0dd – launch-wizard-1 Security Group are being edited to add the last rule, which accepts all incoming traffic coming from the Security Group sg-0210e0cbe1ce14ee7 that is associated with the Connector instance.

Modify existing Security Groups

Optional: Check and add routes to the VPC Route Table associated with the subnet

Check that a route exists in the route table for the VPN Subnet IP address range configured in Network Settings of OpenVPN Cloud. The default VPN IPv4 subnet address range for OpenVPN Cloud is 100.96.0.0/11. If a route to destination 100.96.0.0/11 using the Connector instance as a target is absent, add it. If other OpenVPN Cloud Networks need to be reached from the VPC, add a route with those Network subnets as the destination and the Connector instance as the target.

The screenshot below shows how the route table should look with an entry for the OpenVPN Cloud VPN IP address subnet (100.96.0.0/11) and an entry for subnet 192.168.0.0/28 which is another Network (for example, office network) that is reachable via OpenVPN Cloud. Both entries have target as the instance running the Connector.

Note: If you allow CloudFormation to create RouteManagerRole IAM::Role resources, this role will configure routes in the VPC Route table to use the Connector automatically and update the route table as new Networks are added to the VPN.

Check and add routes to the VPC Route Table associated with the subnet