Free Training

We offer free training sessions. Please don't hesitate to contact us through our training page for further assistance.

Deploy the product

First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.

The First Boot

The boot time of our product may be slower compared to starting an instance from a clean AMI. This is because our custom code needs to be executed to prepare the product for you. As a result, this process may take a few minutes longer than usual.

Connecting to the Server

If you need to connect to the server, obtain its IP address and connect to the instance over SSH using the username ec2-user. Make sure to use the private key you selected during the deployment process. Upon successful connection, you should be greeted with a custom MOTD (Message of the Day) that provides detailed product information.

User Management

How to create a user

Run this command to send all the traffic through the VPN:

sudo ov_user_add -u USER_NAME -t all

Run this command to send only the traffic for the remote network through the VPN:

sudo ov_user_add -u USER_NAME -t partial

How to copy the profiles locally

Every time you create a user, a new .ovpn file is written to the openvpn_users folder in the ec2-user home directory. You can copy the new file to your local computer with SCP, like this:

scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .

How to delete a user

Just run the following command:

sudo ov_user_delete -u USER_NAME

How to list all the users

Since every time you create a user, a .ovpn configuration file is generated, you can simply list the contents of the openvpn_users folder, like this:

ls -la /home/ec2-user/openvpn_users

The output is a list of all the users available for your VPN server.

VPN Clients

Advanced details

Key aspects

  • Simplified the process of creating the main certificates correctly.
  • Streamlined configuration, eliminating tedious steps.
  • Flexible traffic routing options, allowing for all or partial traffic routing.
  • UDP as the default protocol, with automatic fallback to TCP over port 443 if UDP is blocked.
  • Customizable certificate key size.
  • Minimized downtime with our custom resilience feature.
  • Secure storage of unique data, including user profiles, in an external storage.
  • Reduced downtime to the time it takes to boot the EC2 Instance and mount the EFS drive.

Example use cases

Your imagination is your limit, but here are some ideas worth considering:

  • Route all traffic through the VPN server for remote workers to maintain secure data flow.
  • Access remote resources located in private subnets using the partial traffic mode.
  • Connect two or more offices together with a secure link.

Resilience

Our product incorporates built-in resilience measures to prevent data loss and ensure uninterrupted connectivity, even in the event of changing IP addresses. The CloudFormation template we provide offers a streamlined and efficient way to deploy and set up all the necessary components, allowing you to get up and running swiftly with everything you need.

Test the setup

Before going into production, it is important to thoroughly test the product. This is not because we lack confidence in its functionality, but rather to ensure that you become familiar with how it works and can address any potential challenges or issues beforehand. Testing will help you gain confidence in the product's performance and make necessary adjustments, if needed, before deploying it in a live production environment.

Security Concerns

This product was designed for public access, but we recommend that you refrain from allowing SSH connections from the public Internet. Instead, expose only the VPN ports and enable SSH access solely from the local subnet once you create your initial profile for yourself.

Below, we provide you with a list of potential ideas to consider regarding security. Please note that this list is not exhaustive but serves as a solid starting point.

  • Only expose the ports necessary for clients to connect to the VPN to the public.
  • Block public access to SSH.
  • Permit SSH connections only from specific subnets.
  • Ideally, limit SSH connections to another central instance.
  • Avoid granting root access to anyone other than yourself.

How To

How to change the instance type

Make sure you regularly back up your drive(s). To change the instance type, follow these steps:

  1. Go to the CloudFormation console
  2. Click on the stack that you want to update.
  3. Click the Update button.
  4. Keep the default selection and click Next
  5. On the new Parameters page, change the instance type from the drop down.
  6. Click Next till the end.

Please wait for the stack to finish updating.

How to restore from a backed up EFS drive

Restoring from a backed-up EFS drive is not straightforward because of how AWS performs the restore. By design, AWS restores the data (even onto a new, empty drive) into special folders named aws-backup-restore_timestamp-of-restore rather than recreating the original folder structure at the root. Check how AWS restores EFS Backups to learn more.

This means you have to reorganize the drive before you use it with our product. To do so, you have two options:

  1. Launch a temporary EC2 Instance, mount the drive and reorganize it.
  2. Or you can reorganize it using our SFTP Server - Single User Setup product.

Make sure all the resources are in the same VPC, subnet, and have the correct Security Groups.
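As an added example, not part of the product or of this documentation, the following shell function performs the reorganization from option 1 once the restored EFS file system is mounted read-write on a temporary instance: it locates the newest aws-backup-restore_* folder, moves its contents (dotfiles included) back to the root of the mount, and refuses to touch anything if a name already exists at the root, so a half-finished earlier attempt cannot be silently overwritten. The mount point and the sample folder layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the product: flatten an AWS Backup restore of the EFS drive.
# AWS places the restored tree under <mount>/aws-backup-restore_<timestamp>; this moves it
# back to the mount root so the product finds its files where it expects them.
# Assumes the restored file system is mounted read-write at the path you pass in.

# reorganize_restored_efs MOUNT_POINT
#   Returns 0 on success, 1 if no restore folder exists, 2 on a name conflict (nothing moved).
reorganize_restored_efs() {
    _mnt=$1
    # Newest restore folder, ordered by the timestamp embedded in its name
    _restore=$(find "$_mnt" -maxdepth 1 -type d -name 'aws-backup-restore_*' | sort | tail -n 1)
    if [ -z "$_restore" ]; then
        echo "no aws-backup-restore_* folder under $_mnt" >&2
        return 1
    fi
    # First pass: refuse to clobber anything already present at the root
    for _entry in "$_restore"/* "$_restore"/.[!.]*; do
        [ -e "$_entry" ] || [ -L "$_entry" ] || continue   # unmatched glob stays literal; skip it
        if [ -e "$_mnt/${_entry##*/}" ] || [ -L "$_mnt/${_entry##*/}" ]; then
            echo "conflict: $_mnt/${_entry##*/} already exists, nothing moved" >&2
            return 2
        fi
    done
    # Second pass: move everything, including dotfiles, up one level
    for _entry in "$_restore"/* "$_restore"/.[!.]*; do
        [ -e "$_entry" ] || [ -L "$_entry" ] || continue
        mv "$_entry" "$_mnt"/
    done
    rmdir "$_restore"
    echo "restored tree moved from ${_restore##*/} to $_mnt"
}

# Usage on the temporary instance, as root (the mount point is an assumption):
#   reorganize_restored_efs /mnt/efs
```

Run it once per restore; a second run reports that no restore folder is left, and a run against a mount that already has files in place stops before moving anything.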

F.A.Q

These are some of the common solutions to problems you may encounter:

Not authorized for images

Problem

My CloudFormation stack encountered a failure with the following error: API: ec2:RunInstances Not authorized for images:... in the Event tab.

Solution

Before using our CloudFormation file, please ensure that you accept the subscription from the AWS Marketplace.

The product is misbehaving

Problem

I followed all the instructions from the documentation.

Solution

Please verify if the values entered in the UserData section have been successfully passed to the instance itself.

sudo cat /var/lib/cloud/instance/user-data.txt

UserData seems ok

Problem

The UserData reached the instance, but the product is not behaving as expected.

Solution

Use the following command to check if there were any errors during the boot process.

sudo grep 0x4447 /var/log/messages

Issue with remote access

Problem

Unable to access the server over SSH.

Solution

  • Ensure that your public IP address is allowed to access the EC2 instance. You will need to add an inbound rule to the Security Group used by the EC2 instance.
  • Ensure you are using the right EC2 Key Pair that you provided when you launched your stack.
  • Ensure you are not trying to log in as the root user, as this is disabled. You need to log in as ec2-user.

Issue with user management

Problem

The below error indicates that this instance failed to mount your EFS drive.

sudo ov_user_add -u USER_NAME
No such file or directory

You will also see the following message in your dmesg.

amazon/efs/mount.log:2020-09-04 23:29:58,803 - ERROR - Failed to mount fs-90d252e8.efs.us-east-2.amazonaws.com at /etc/openvpn/easy-rsa: retu Connection timed out"

Ensure that your EFS drive allows inbound connections on TCP port 2049 from your Elastic IP and the EC2 subnet being used by the VPN server.

How to check CA expiration

Solution

How to check the expiration date of the certificate:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt

How to generate a new certificate with updated information:

cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/

Don't forget to restart the OpenVPN service after these changes.

How to check the Server certificate expiration

Solution

How to check the expiration date of the certificate:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt

How to generate a new certificate with updated information:

cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/

Don't forget to restart the OpenVPN service after these changes.

How to check the CRL certificate expiration

Solution

How to check the expiration date of the certificate:

sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'

How to generate a new certificate with updated information:

cd /usr/share/easy-rsa/3
# "sudo echo ... >> vars" would not work: the redirection runs as the unprivileged user,
# so the write is done through tee under sudo instead.
echo "set_var EASYRSA_CRL_DAYS 3650" | sudo tee -a vars
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/

Don't forget to restart the OpenVPN service after these changes.
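The three checks above are easy to forget until a client stops connecting. As an added example, not part of the product or of this documentation, the following shell functions wrap those same openssl commands, convert the printed dates into days remaining, and report on the CA certificate, the server certificate and the CRL together, flagging anything already expired or expiring within a threshold. It assumes GNU date (as on Amazon Linux) and the file locations named in this section; NOW_EPOCH is a hypothetical environment override used so the date arithmetic can be exercised without waiting.

```shell
#!/bin/sh
# Added example, not part of the product: report days until the OpenVPN CA, server
# certificate and CRL expire. Assumes GNU date and the paths used in this documentation.

# days_until DATE_STRING
#   DATE_STRING is what openssl prints, e.g. "Jan  1 00:00:00 2030 GMT".
#   NOW_EPOCH (hypothetical override) replaces the current time when set.
days_until() {
    _end=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    _now=${NOW_EPOCH:-$(date -u +%s)}
    printf '%s\n' $(( (_end - _now) / 86400 ))
}

# cert_end_date FILE -> the notAfter value of a PEM certificate
cert_end_date() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

# crl_end_date FILE -> the nextUpdate value of a PEM CRL (same date the docs grep as 'Next Update')
crl_end_date() { openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//'; }

# check_one LABEL DATE_STRING THRESHOLD_DAYS
#   Prints one status line. Returns 0 when fine, 1 when expired or expiring within the
#   threshold, 2 when the date could not be parsed.
check_one() {
    _days=$(days_until "$2") || { printf '%s: cannot parse date %s\n' "$1" "$2"; return 2; }
    if [ "$_days" -lt 0 ]; then
        printf '%s: EXPIRED %s day(s) ago\n' "$1" $(( 0 - _days )); return 1
    elif [ "$_days" -lt "$3" ]; then
        printf '%s: expires in %s day(s), below the %s-day threshold\n' "$1" "$_days" "$3"; return 1
    fi
    printf '%s: OK, %s day(s) left\n' "$1" "$_days"
}

# check_openvpn_pki [THRESHOLD_DAYS] -> nonzero when any of the three needs attention
check_openvpn_pki() {
    _thr=${1:-30}; _rc=0
    check_one "CA certificate"     "$(cert_end_date /etc/openvpn/server/ca.crt)"     "$_thr" || _rc=1
    check_one "Server certificate" "$(cert_end_date /etc/openvpn/server/server.crt)" "$_thr" || _rc=1
    check_one "CRL"                "$(crl_end_date  /etc/openvpn/server/crl.pem)"    "$_thr" || _rc=1
    return $_rc
}

# Usage on the server (reads the files as root): sudo sh -c '. ./pki_check.sh; check_openvpn_pki 30'
```

The CRL is the one most often missed: the server keeps running with an expired CRL file, so a scheduled run of check_openvpn_pki with a threshold a few weeks ahead of the renewal steps above gives warning before clients are affected.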