Free Training

We provide free training, feel free to reach us through our training page.

Key aspects

  • Removed the complexity of creating the main certificates correctly.
  • No more tedious configuration.
  • All or partial traffic routing.
  • UDP as the default protocol with a fall back to TCP over 443 if the UDP port is blocked.
  • Configurable certificate key size.
  • Minimized downtime thanks to our custom resilience feature.
  • All unique data is stored in a external storage, including user profiles.
  • The downtime minimized to the time it takes to boot the EC2 Instance and mount the EFS drive.

Example use cases

Your imagination is your limit, but here are some ideas that are worth considering:

  • Route all the traffic over the VPN server for remote workers to keep the data flow secure.
  • Access remote resources located in private subnets using the partial traffic mode.
  • Connect two or more offices together with a secure link.

Additional details


Our VPN Server has built in resilience to make sure that you don't lose all your users, lose the VPN configuration, or lose connectivity by a changing IP. Even if you lost the EC2 Instance, as long as you have the EFS drive or a backup of it, you can restore the exact configuration as it was originally.


This product was designed for public access, but we recommend you don't allow SSH connections from the public Internet. Expose only the VPN ports and allow SSH access from the local subnet once you make your first profile for yourself.



We provide a CloudFormation file. Before you click the orange button to deploy the stack, make sure to subscribe first to the product on the AWS Marketplace, and if you want to check the CloudFormation prior to deployment, follow this link.

The First Boot

The boot time of our product will be slower than if you started an instance from a clean AMI, this is due to our custom code that needs to be executed in order to prepare the product for you. This process can take a few minutes longer than usual.

Connecting to the Server

To connect to the server: get it's IP, connect to the instance over SSH with the username ec2-user, while using the private key you selected at deployment time.

User Management

How to create a user

Run this command to send all the traffic through the VPN:

sudo ov_user_add -u USER_NAME -t all

Run this command to send only the traffic for the remote network through the VPN:

sudo ov_user_add -u USER_NAME -t partial

How to copy the profiles locally

Every time you do so, a new .ovpn file will be created in the openvpn_users folder located in the ec2-user folder. You can copy the new file to your local computer using the SCP command, like so:

scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .

How to delete a user

Just run the following command:

sudo ov_user_delete -u USER_NAME

How to list all the users

Since every time you create a user a .ovpn configuration file is created, you can just list the content of the openvpn_users folder, like so:

ls -la /home/ec2-user/openvpn_users

The output is the list of all the users you have available for your VPN server.

VPN Clients

Final Thought

Test the setup

Before you go into production, make sure to test the product. This ensures that you get used to how it works.

Security Concerns

Below we give you a list of potential ideas to consider regarding security, but this list is not exhaustive – it is just a good starting point.

  • Expose to the public only the ports needed for clients to connect to the VPN
  • Block public SSH access
  • Allow SSH connection only from limited subnets
  • Ideally allow SSH connection only from another central instance
  • Don't give root access to anyone but yourself

How To

How to change the instance type

If you need more memory and CPU capacity, you can change your instance type to a bigger one. To do so, follow these instructions:

  1. Go to the CloudFormation console
  2. Click on the stack that you want to update.
  3. Click the Update button.
  4. Keep the default selection and click Next
  5. On the new Parameters page, change the instance type from the drop down.
  6. Click Next till the end.

Wait for the stack to finish updating.

How to restore from a backed up EFS drive

Restoring from a backed up EFS drive is not straightforward due to how AWS restores the drive. By design AWS restores the data (even on a new and empty drive) in special folders called: aws-backup-restore_timestamp-of-restore. Meaning they do not recreate the original folder structure. Check how AWS restores EFS Backups to learn more.

This means you have to reorganize the drive before you use it with our product. To do so, you have two options:

  1. Launch a temporary EC2 Instance, mount the drive and reorganize it.
  2. Or you can reorganize it using our SFTP Server - Single User Setup product.

Make sure all the resources are in the same VPC, subnet, and have the correct Security Groups.


These are some of the common solutions to problems you may run into:

Not authorized for images


My CloudFormation stack failed with the following error API: ec2:RunInstances Not authorized for images:... in the Event tab.


You have to accept the subscription from the AWS Marketplace first, before you use our CloudFormation file.

The product is misbehaving

Solution I did follow all the instructions from the documentation.


Check if the values entered in the UserData reached the instance itself.

sudo cat /var/lib/cloud/instance/user-data.txt

UserData seams ok


The UserData reached the instance, and yet the product is not acting as it should.


Use the following command to see if there were any errors during the boot process.

sudo cat /var/log/messages | grep 0x4447

Issue with remote access


Unable to access the server over SSH.


  • Ensure that your public IP address is allowed to access the EC2 instance. You will need to add an inbound rule to the Security Group used by the EC2 instance.
  • Ensure you are using the right EC2 Key Pair that you provided when you launched your stack.
  • Ensure you are not using the root user to login as this is disabled. You need to login as ec2-user

Issue with user management


The below error indicates that this instance failed to mount your EFS drive.

sudo ov_user_add -u USER_NAME
No such file or directory

You will also see the following message in your dmesg.

amazon/efs/mount.log:2020-09-04 23:29:58,803 - ERROR - Failed to mount at /etc/openvpn/easy-rsa: retu Connection timed out"


Ensure that your EFS Drive allows inbound connections on TCP Port 2049 from your Elastic IP and the EC2 subnet being used by the VPN Server.

How to check CA expiration


How to check the expiration date of the certificate:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt

How to make a new cert with a new data:

cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/

Don't forget to restart the OpenVPN service after thees changes.

How to check the Server certificate expiration


How to check the expiration date of the certificate:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt

How to make a new cert with a new data:

cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/

Don't forget to restart the OpenVPN service after thees changes.

How to check the CRL certificate expiration


How to check the expiration date of the certificate:

sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'

How to make a new cert with a new data:

cd /usr/share/easy-rsa/3
sudo echo "set_var EASYRSA_CRL_DAYS 3650" >> vars
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/