Free Training

We provide complimentary training sessions. For more information or to request assistance, please visit our training page.

Deploy the product

First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.

Initial Startup

Expect a slight delay in the startup time of our product relative to launching an instance with a standard AMI. This occurs as our bespoke software configuration is applied to tailor the product to your needs, extending the initialization process by a few minutes.

Server Connection

To access the server, retrieve its IP address and establish an SSH connection using the ec2-user username. Ensure you employ the private key chosen during deployment for authentication. Once connected, a customized Message of the Day (MOTD) will welcome you, offering comprehensive details about the product.

User Management

Creating a User

To route all user traffic through the VPN, use:

sudo ov_user_add -u USER_NAME -t all

For routing only remote network traffic via the VPN:

sudo ov_user_add -u USER_NAME -t partial

Copying Profiles Locally

Each run of ov_user_add generates a .ovpn profile in the openvpn_users directory under the ec2-user home folder. To transfer the profile to your local machine, use SCP as follows:

scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .

Deleting a User

Execute the command below:

sudo ov_user_delete -u USER_NAME

Listing All Users

To see all available VPN server users, list the .ovpn configuration files in the openvpn_users folder:

ls -la /home/ec2-user/openvpn_users

VPN Clients

Advanced details

Key Features

  • Optimized certificate creation process for ease and accuracy.
  • Simplified configuration eliminates unnecessary steps.
  • Versatile traffic routing with options for complete or selective data flow.
  • Default use of UDP protocol, seamlessly switching to TCP over port 443 if needed.
  • Adjustable certificate key size for enhanced security.
  • Custom resilience feature to minimize operational interruptions.
  • External storage for secure, unique user profile management.

Use Cases

The possibilities are boundless, but here are some practical applications:

  • Secure data transmission for remote employees by routing all traffic through the VPN.
  • Enable access to resources in private subnets with partial traffic routing.
  • Securely link multiple office locations.

Resilience

Our solution includes resilience features to mitigate data loss and maintain connectivity, adapting to IP address changes. Utilize our CloudFormation template for an effective deployment process, ensuring a smooth start with all necessary components.

Testing

We advise a comprehensive testing phase before full-scale implementation. This approach is not a reflection of product reliability but a strategy to familiarize users with the system, allowing for any adjustments prior to live deployment.

Security Recommendations

Though designed for public use, we advocate for restricted SSH access, limiting exposure to necessary VPN ports and confining SSH connections to your local network. Here are additional security measures to consider:

  • Publicly expose only essential VPN connection ports.
  • Restrict public SSH access.
  • Allow SSH connections exclusively from certain subnets.
  • Centralize SSH access through a dedicated instance.
  • Reserve root access solely for primary administrators.
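
To turn the first four recommendations into a repeatable check, the following is an added example (not part of the product's own tooling). It audits a security group given in the IpPermissions shape that the EC2 DescribeSecurityGroups API returns (the same structure boto3's describe_security_groups() yields), flags SSH that is reachable from the internet or from a subnet outside an approved list, and flags any public rule other than the VPN ports. UDP 1194 is the OpenVPN default and is an assumption here, since the page only states that UDP is used by default with TCP 443 as the fallback; the two sample groups and the 10.0.0.0/16 admin subnet are constructed.

```python
"""Audit an EC2 security group against the SSH and VPN-port recommendations.

Added example (not part of the product's own tooling). It takes the
IpPermissions structure that the EC2 DescribeSecurityGroups API returns
(the same shape boto3's describe_security_groups() yields), so the sample
below can be swapped for live API output.
"""
from ipaddress import ip_network

# UDP 1194 is the OpenVPN default port and is an assumption here; the page
# only states that UDP is used by default with TCP 443 as the fallback.
VPN_PORTS = {("udp", 1194), ("tcp", 443)}
SSH_PORT = 22


def _is_public(cidr):
    """0.0.0.0/0 or ::/0: the rule is reachable from the whole internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_range(rule):
    lo = rule.get("FromPort")
    hi = rule.get("ToPort", lo)
    return lo, hi


def _covers(rule, port):
    """True if the rule's port range includes `port` (or all ports)."""
    lo, hi = _port_range(rule)
    if lo is None or lo == -1:
        return True
    return lo <= port <= hi


def audit_security_group(group, approved_ssh_cidrs):
    """Return a list of findings; an empty list means the group complies."""
    findings = []
    approved = [ip_network(c, strict=False) for c in approved_ssh_cidrs]
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ip_network(cidr, strict=False)
            public = _is_public(cidr)
            # Recommendation: no public SSH, and SSH only from approved subnets.
            if proto in ("tcp", "-1") and _covers(rule, SSH_PORT):
                if public:
                    findings.append(f"SSH (tcp/22) open to the internet via {cidr}")
                    continue
                if not any(a.version == net.version and net.subnet_of(a)
                           for a in approved):
                    findings.append(f"SSH (tcp/22) allowed from unapproved range {cidr}")
            # Recommendation: only the VPN ports are exposed publicly.
            if public:
                lo, hi = _port_range(rule)
                if lo != hi or (proto, lo) not in VPN_PORTS:
                    findings.append(f"{proto} {lo}-{hi} exposed to the internet via {cidr}")
    return findings


# Constructed sample: a group with SSH left open to the world.
OPEN_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# Constructed sample: the same group after the recommendations are applied,
# with SSH limited to an (assumed) admin subnet.
HARDENED_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}

APPROVED_SSH = ["10.0.0.0/16"]  # assumed: the subnet administrators connect from

if __name__ == "__main__":
    for g in (OPEN_GROUP, HARDENED_GROUP):
        print(g["GroupId"], audit_security_group(g, APPROVED_SSH) or "compliant")
```

Feed it the output of describe_security_groups() for the stack's instance group and it reports exactly which rule violates which recommendation; a rule with IpProtocol "-1" (all traffic) is treated as covering SSH, so an all-ports rule from the internet is reported as public SSH.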

How To

How To Change the Instance Type

Ensure your data is backed up regularly. A straightforward way to change the instance type is:

  1. Navigate to the CloudFormation console.
  2. Select the stack you wish to update.
  3. Click the Update button.
  4. Proceed with the default option by clicking Next.
  5. On the Parameters page, select a new instance type from the dropdown menu.
  6. Continue clicking Next until the process concludes.

Wait for the stack update to complete.

F.A.Q.

Here are solutions to common issues you might encounter:

Not Authorized for Images

Solution

If you encounter an error like API: ec2:RunInstances Not authorized for images:... in the CloudFormation stack's Events tab:

Solution: Ensure you have accepted the AWS Marketplace subscription for the software before using our CloudFormation file.

The Product is Misbehaving

Solution

In case the product does not function as expected despite following all instructions:

Solution: Confirm that the UserData values have been correctly passed to the instance:

sudo cat /var/lib/cloud/instance/user-data.txt

UserData Seems OK

Solution

If the UserData appears correct but the product is still not performing as expected:

Solution: Check for errors during the boot process with:

sudo grep 0x4447 /var/log/messages

Issue with Remote Access

Solution

Trouble accessing the server over SSH:

Solution:

  • Verify your public IP is allowed in the EC2 instance's Security Group inbound rules.
  • Use the correct EC2 Key Pair provided at stack launch.
  • Log in as ec2-user, not root, since root login is disabled.

How to Check CA Expiration

Solution

Checking the CA certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt

Updating the CA certificate:

cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the Server Certificate Expiration

Solution

Checking the server certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt

Renewing the server certificate:

cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the CRL Certificate Expiration

Solution

Checking the CRL (Certificate Revocation List) expiration date:

sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'

Updating the CRL certificate:

cd /usr/share/easy-rsa/3
echo "set_var EASYRSA_CRL_DAYS 3650" | sudo tee -a vars
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/

Restart the OpenVPN service afterwards.
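
The three expiration checks above (CA certificate, server certificate and CRL) are easy to forget until clients start failing, so here is an added example (not part of the product) that wraps the same openssl commands and reports days remaining for all three at once. If the server is configured with crl-verify, an expired CRL alone makes it reject every client, so the CRL is monitored with the same threshold as the certificates. The parser is separated from command execution and is exercised on constructed openssl output; the 30-day warning threshold is an assumption, and on the instance the script should run with sudo because the files under /etc/openvpn/server are root-owned.

```python
"""Report how many days the CA certificate, server certificate and CRL have
left, using the same openssl commands as the F.A.Q. entries above.

Added example, not part of the product. Parsing is separated from command
execution so the parser can be exercised offline on constructed output.
"""
import subprocess
from datetime import datetime, timezone

# File locations are those named in the sections above.
CA_CERT = "/etc/openvpn/server/ca.crt"
SERVER_CERT = "/etc/openvpn/server/server.crt"
CRL_FILE = "/etc/openvpn/server/crl.pem"

WARN_DAYS = 30  # assumed threshold; choose one that fits your renewal cadence

CHECKS = {
    "ca": ["openssl", "x509", "-noout", "-enddate", "-in", CA_CERT],
    "server": ["openssl", "x509", "-noout", "-enddate", "-in", SERVER_CERT],
    "crl": ["openssl", "crl", "-noout", "-text", "-in", CRL_FILE],
}


def parse_openssl_date(text):
    """Parse a date as openssl prints it, e.g. 'Mar  5 12:00:00 2030 GMT'.

    openssl pads single-digit days with a space; split()/join normalises it.
    """
    normalised = " ".join(text.split())
    parsed = datetime.strptime(normalised, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def extract_expiry(output):
    """Find the expiry line in 'x509 -enddate' or 'crl -text' output."""
    for line in output.splitlines():
        line = line.strip()
        for prefix in ("notAfter=", "Next Update:"):
            if line.startswith(prefix):
                return parse_openssl_date(line[len(prefix):])
    raise ValueError("no expiry date found in openssl output")


def _as_utc(now):
    """Accept a datetime or an ISO-8601 string; treat naive values as UTC."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now


def days_remaining(output, now):
    """Whole days from `now` until the expiry parsed from `output`."""
    return (extract_expiry(output) - _as_utc(now)).days


def classify(output, now, warn_days=WARN_DAYS):
    """EXPIRED, WARNING (within warn_days) or OK."""
    days = days_remaining(output, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "WARNING"
    return "OK"


def run_checks(now=None):
    """Run the openssl commands (run as root: the files are root-owned)."""
    now = _as_utc(now or datetime.now(timezone.utc))
    results = {}
    for name, cmd in CHECKS.items():
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        results[name] = (days_remaining(out, now), classify(out, now))
    return results


# Constructed samples of what the two openssl commands print.
SAMPLE_ENDDATE = "notAfter=Mar  5 12:00:00 2030 GMT\n"
SAMPLE_CRL_TEXT = (
    "Certificate Revocation List (CRL):\n"
    "        Version 2 (0x1)\n"
    "        Last Update: Jan  1 00:00:00 2026 GMT\n"
    "        Next Update: Jan 20 00:00:00 2026 GMT\n"
)
SAMPLE_EXPIRED = "notAfter=Dec 31 23:59:59 2025 GMT\n"

if __name__ == "__main__":
    for name, (days, status) in run_checks().items():
        print(f"{name:7s} {status:8s} {days:5d} days left")
```

Run it from cron under root and alert on any WARNING or EXPIRED line; the CRL entry is the one most often missed, because the default EASYRSA_CRL_DAYS is much shorter than a certificate lifetime.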