Free Training

We provide complimentary training sessions. For more information or to request assistance, please visit our training page.

Deploy the product

First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.

Initial Startup

Expect a slight delay in the startup time of our product relative to launching an instance with a standard AMI. This occurs as our bespoke software configuration is applied to tailor the product to your needs, extending the initialization process by a few minutes.

Server Connection

To access the server, retrieve its IP address and establish an SSH connection using the ec2-user username. Ensure you employ the private key chosen during deployment for authentication. Once connected, a customized Message of the Day (MOTD) will welcome you, offering comprehensive details about the product.

User Management

Creating a User

To route all user traffic through the VPN, use:

sudo ov_user_add -u USER_NAME -t all

For routing only remote network traffic via the VPN:

sudo ov_user_add -u USER_NAME -t partial

Copying Profiles Locally

Upon each execution, a .ovpn file is generated in the openvpn_users directory under the ec2-user home folder. To transfer the profile to your local machine, utilize the SCP command as follows:

scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .

Deleting a User

Execute the command below:

sudo ov_user_delete -u USER_NAME

Listing All Users

To see all available VPN server users, list the .ovpn configuration files in the openvpn_users folder:

ls -la /home/ec2-user/openvpn_users

VPN Clients

Advanced details

Key Features

  • Optimized certificate creation process for ease and accuracy.
  • Simplified configuration eliminates unnecessary steps.
  • Versatile traffic routing with options for complete or selective data flow.
  • Default use of UDP protocol, seamlessly switching to TCP over port 443 if needed.
  • Adjustable certificate key size for enhanced security.
  • Custom resilience feature to minimize operational interruptions.
  • External storage for secure, unique user profile management.

Use Cases

The possibilities are boundless, but here are some practical applications:

  • Secure data transmission for remote employees by routing all traffic through the VPN.
  • Enable access to resources in private subnets with partial traffic routing.
  • Securely link multiple office locations.


Our solution includes resilience features to mitigate data loss and maintain connectivity, adapting to IP address changes. Utilize our CloudFormation template for an effective deployment process, ensuring a smooth start with all necessary components.


We advise a comprehensive testing phase before full-scale implementation. This approach is not a reflection of product reliability but a strategy to familiarize users with the system, allowing for any adjustments prior to live deployment.

Security Recommendations

Though designed for public use, we advocate for restricted SSH access, limiting exposure to necessary VPN ports and confining SSH connections to your local network. Here are additional security measures to consider:

  • Publicly expose only essential VPN connection ports.
  • Restrict public SSH access.
  • Allow SSH connections exclusively from certain subnets.
  • Centralize SSH access through a dedicated instance.
  • Reserve root access solely for primary administrators.

How To

How To Change the Instance Type

Ensure your data is backed up regularly. A straightforward method includes:

  1. Navigate to the CloudFormation console.
  2. Select the stack you wish to update.
  3. Click the Update button.
  4. Proceed with the default option by clicking Next.
  5. On the Parameters page, select a new instance type from the dropdown menu.
  6. Continue clicking Next until the process concludes.

Wait for the stack update to complete.


Here are solutions to common issues you might encounter:

Not Authorized for Images


If you encounter an error like API: ec2:RunInstances Not authorized for images:... in the CloudFormation stack's Event tab:

Solution: Ensure you have accepted the AWS Marketplace subscription for the software before using our CloudFormation file.

The Product is Misbehaving


In case the product does not function as expected despite following all instructions:

Solution: Confirm that the UserData values have been correctly passed to the instance:

sudo cat /var/lib/cloud/instance/user-data.txt

UserData Seems OK


If the UserData appears correct but the product is still not performing as expected:

Solution: Check for errors during the boot process with:

sudo cat /var/log/messages | grep 0x4447

Issue with Remote Access


Trouble accessing the server over SSH:


  • Verify your public IP is allowed in the EC2 instance's Security Group inbound rules.
  • Use the correct EC2 Key Pair provided at stack launch.
  • Login as ec2-user, not root, since root login is disabled.

How to Check CA Expiration


Checking the CA certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt

Updating the CA certificate:

cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the Server Certificate Expiration


Checking the server certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt

Renewing the server certificate:

cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the CRL Certificate Expiration


Checking the CRL (Certificate Revocation List) expiration date:

sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'

Updating the CRL certificate:

cd /usr/share/easy-rsa/3
sudo echo "set_var EASYRSA_CRL_DAYS 3650" >> vars
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/

Restart the OpenVPN service afterwards.