Amazon Web Services EC2 BYOL appliance quick start guide
OpenVPN Access Server provides an Amazon Web Services (AWS) VPN that you can get up and running within minutes.
Working with AWS, you use their EC2 appliances or Amazon machine images (AMI), Linux-based virtual machines running on virtualized hardware. By using the OpenVPN Access Server EC2 instance from AWS, you can launch a VPN hosted in the cloud with the following benefits:
- Quickly extend your AWS private networking to remote users and other sites.
- Create hub-and-spoke network topology, site-to-site, user-to-cloud, and other secure VPN connections.
- Provide secure, remote access to applications deployed on AWS.
Read on for your guide to getting started with your VPN server on the web.
About Access Server Subscription Licensing
Subscription licensing, our newest Access Server licensing model, works with Access Server 2.8.1 or above and:
- Activates the same subscription multiple times across all nodes.
- Shares VPN connections across the same subscription.
- Scales VPN connections up or down at any time.
- Deploys automatically and isn't locked to hardware.
- Uses a single subscription with a high-availability failover or cluster setup.
- Includes an auto-renewal option.
To launch a new instance with OpenVPN Access Server software:
- Select the OpenVPN Access Server listing in the AWS Marketplace and launch.
- Configure the software with a 64-bit AMI, the latest version of Access Server, and your desired region.
- Select your desired instance type. (Refer to OpenVPN Access Server System Requirements for details, if needed.)
- Use our predefined access on ports and protocols for the security group.
- Select a key pair for securely connecting to your instance (or click to create one).
- You're ready to launch.
Note: For the security group, we recommend using the default group for the marketplace instance but adjusting the sources for some ports to improve security. For your information, these are the ports that need to be open:
- TCP 22: For SSH to remotely administer your appliance. We recommend you restrict this port to trusted IP addresses by entering a specific subnet in CIDR notation (e.g., 184.108.40.206/24 for a subnet or 220.127.116.11/32 for a single IP address).
- TCP 943: The Admin Web UI uses this port, which is also served on port 443 by default.
- TCP 945: The clustering functionality uses this port. If you don’t use this feature, you don’t need to open this port. If you do, ensure the cluster nodes can reach each other on their public addresses.
- TCP 443: For HTTPS, used by the Client Web UI, the interface where your users sign into the VPN server to retrieve client or config files. We recommend leaving this port open to the source as 0.0.0.0/0. The Admin Web UI is also default enabled on this port unless you turn off this setting. In multi-daemon mode, the OpenVPN TCP daemon shares this port with the Client Web UI, and your clients initiate TCP-based VPN sessions under this port number.
- UDP 1194: For the OpenVPN UDP port used by your clients to initiate UDP-based VPN sessions to the VPN server, the preferred way for clients to communicate. Keep this port open for all clients.
Once you launch your new AMI, you need to SSH into the console using SSH client software and the private key of the key pair you selected or created previously.
Use the instance username openvpnas.
Connect with ssh:
ssh -i /path/key-pair-name.pem openvpnas@instance-public-ipv4-address
You can refer to Connect to Access Server via SSH using PuTTY for steps to connect with the PuTTY SSH client from a Windows computer. If you have a different configuration, please follow Amazon’s instructions on connecting to your instance.
Connect to your server, and Access Server completes the installation. Access Server then provides the URLs for your Admin and Client Web UIs and the username and password for signing into the Admin Web UI.
Refer to Finishing Configuration of Access Server for details.
In addition to the steps in the link above, we recommend you assign an Elastic IP address to your instance:
- From your AWS console, click Elastic IPs under Network & Security.
- Click Allocate Elastic IP address.
- Select the pool and enter any tags (optional).
- Click Allocate.
- After AWS allocates your new IP address, select it, and click Actions > Associate Elastic IP address.
- Choose Instance as the resource type, select your Access Server instance from the Instance search field, and select the Private IP address by clicking in the search field and selecting the option available.
- Click Associate.
- Sign in to your Access Server's Admin Web UI.
- Click Configuration > Network Settings and enter the Elastic IP in the Hostname or IP Address field.
- Click Save and Update Running Server.
We recommend finishing the additional configuration steps below to finalize your AWS VPN server.
If you need to change the time zone of the instance, run this command:
sudo dpkg-reconfigure tzdata
The system shows the new local time after you configure this setting.
We recommend everyone set up NTP time synchronization, but especially those using multi-factor authentication, because time-based one-time passwords are only valid if the server clock is accurate. Install the NTP package with:
sudo apt-get install ntp
If your VPN setup consists of a site-to-site setup between your cloud instances and your machines on-premises, ensure you disable source destination check protection on Amazon; otherwise, routing won’t function properly.
Turn off source/destination checks:
- Right-click on the VPN instance
- Select Change Source/Dest. Check.
- Make sure the status is Disabled.
Source/destination checking can also block traffic if you want VPC data to go directly to the IP addresses of your VPN clients in the VPN client subnet. For that use case, turn off the check as well.
OpenVPN Access Server’s default routing uses network address translation (NAT). Traffic originating from the VPN clients appears to come from the local IP address of the Access Server with NAT, and this is simpler than setting up routing.
However, when using NAT, your traffic from the VPC itself can’t directly access a VPN client as the NAT engine prevents direct contact. You must configure routing instead of NAT to allow direct access to a VPN client.
To access this configuration:
- Sign in to the Admin Web UI.
- Click Configuration > VPN Settings.
- Scroll to the Routing section, where you can click Yes, using Routing.
- Configure your subnets for your network.
After setting up routing, the source IP address of packets coming from the VPN clients is kept intact, and direct access from the VPC network to the VPN client subnet is possible. However, because the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Amazon routing table for your VPC so that the return traffic flows properly. Refer to Amazon’s AWS VPC routing documentation: Route tables for your VPC (Amazon).
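As an added example (not code from the OpenVPN guide or the Access Server project), the security group recommendations, the disabled source/destination check, the Elastic IP and the VPC return route described above expressed as a Terraform configuration. It assumes AWS provider 5.x and the inputs var.vpc_id, var.subnet_id, var.admin_cidr, var.openvpn_as_ami, var.key_pair_name, var.route_table_id and var.vpn_client_cidr, all of which are placeholders you supply.

```hcl
locals {
  # Ports from the guide. Only the Client Web UI (443/TCP) and the OpenVPN UDP
  # daemon (1194/UDP) stay world-reachable; SSH and the Admin Web UI are limited
  # to the trusted admin CIDR. TCP 945 is omitted: open it only for clustering.
  ingress = {
    ssh       = { port = 22, proto = "tcp", cidr = var.admin_cidr }
    admin_ui  = { port = 943, proto = "tcp", cidr = var.admin_cidr }
    client_ui = { port = 443, proto = "tcp", cidr = "0.0.0.0/0" }
    vpn_udp   = { port = 1194, proto = "udp", cidr = "0.0.0.0/0" }
  }
}

resource "aws_security_group" "openvpn_as" {
  name   = "openvpn-access-server"
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = local.ingress
    content {
      description = ingress.key
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.proto
      cidr_blocks = [ingress.value.cidr]
    }
  }
  egress { from_port = 0, to_port = 0, protocol = "-1", cidr_blocks = ["0.0.0.0/0"] }
}

resource "aws_instance" "openvpn_as" {
  ami                    = var.openvpn_as_ami # Access Server BYOL AMI id from the Marketplace
  instance_type          = "t3.small"         # assumed; size per the System Requirements page
  subnet_id              = var.subnet_id
  key_name               = var.key_pair_name
  vpc_security_group_ids = [aws_security_group.openvpn_as.id]
  # Required for site-to-site routing and for VPC hosts reaching VPN clients directly.
  source_dest_check = false
}

resource "aws_eip" "openvpn_as" {
  domain   = "vpc"
  instance = aws_instance.openvpn_as.id # enter this address under Network Settings > Hostname or IP Address
}

# Return path for the VPN client subnet once "Yes, using Routing" is selected;
# var.vpn_client_cidr must match the subnet configured in VPN Settings.
resource "aws_route" "vpn_clients" {
  route_table_id         = var.route_table_id
  destination_cidr_block = var.vpn_client_cidr
  network_interface_id   = aws_instance.openvpn_as.primary_network_interface_id
}
```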
From the time we've generated the appliance and the time you've downloaded and are using it, operating system updates might have become available. Ensure your appliance OS is up to date by running the following commands:
sudo apt-get update && sudo apt-get upgrade
When you launch an EC2 instance, you can pass user data to the instance to perform common automated configuration tasks. You can use this feature to preconfigure Access Server with specific settings, as defined below.
We use AWS “user data,” which is only available to you through the manual launch method on the EC2 dashboard or via API or CLI.
Here’s an example of user data sent during launch:
- Send a username and password for your administrative user. When you do this, you don’t need to SSH in to finish the setup wizard. You’ve already set your account credentials.
Entering user data:
- During the steps above for creating an AMI, when you reach step 7, Advanced details, expand that section.
- Scroll down to the text field, User data.
- Enter your data for one or more of the available settings below. Enter each setting on its own row as key1=value1; don't quote keys or values, and don't put spaces on either side of the equals sign. Example:
public_hostname=vpn.example.com
admin_user=admin1
admin_pw=p@$w0rd
The settings below are available for pre-configuration with Access Server.
| Setting | Description |
| public_hostname | The hostname used by clients to contact the server. |
| admin_pw | The administrative account initial password. Note: This parameter is communicated to the instance via a cleartext channel. A more secure method would be to ssh to the instance and use the sacli tool to set the password. With root privileges from /usr/local/openvpn_as/scripts, use this command: ./sacli --user openvpn --new_pass yourpass setlocalpassword |
| license | The Access Server license key. Note: Without a license key, Access Server allows up to two concurrent connections. |
| reroute_gw (boolean, default=0) | If 1, clients route internet traffic through the VPN. |
| reroute_dns (boolean, default=0) | If 1, clients route DNS queries through the VPN. Note: If the VPC CIDR block is defined, it is made accessible to VPN clients via NAT. |
If you have questions that are not addressed, or need additional assistance, please submit a support ticket. The OpenVPN Access Server dedicated support ticket system has professionals standing by 24/7 to answer any questions you have. To create a ticket, first create a free account. Once you have created your account — or if you already have an account — you can submit a ticket. All tickets will be addressed within 24 hours, and we are usually able to answer within thirty minutes to an hour of receiving a ticket.
Note: We do not offer support here for the open source version of OpenVPN. For open-source-specific support, see getting support for the open source OpenVPN project.