Free Training
We provide complimentary training sessions. For more information or to request assistance, please visit our training page.
Deploy the product
First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.
Steps
A comprehensive list of steps to ensure a successful deployment:
- Verify you are in the correct AWS account.
- Ensure you are in the appropriate region.
- Subscribe to the product using the link provided above, and ensure not to launch the product from the AWS Marketplace.
- Confirm the product was not launched from the AWS Marketplace.
- Deploy the product using the CloudFormation template link provided above.
- Wait for the deployment to complete while continuing to review the remaining documentation.
Initial Startup
Expect a slight delay in the startup time of our product relative to launching an instance with a standard AMI. This occurs as our bespoke software configuration is applied to tailor the product to your needs, extending the initialization process by a few minutes.
Server Connection
Using SSM
All of our products are designed to support AWS Systems Manager (SSM) right out of the box. We strongly believe in security, and the fewer ports exposed to the public, the better. The SSM service provided by AWS perfectly aligns with this approach.
When you need to connect to an instance, connect through Session Manager. Once you have a session, run sudo su ec2-user to switch to the user account where all of our tools are located; this gives you the appropriate permissions and access to the necessary resources. You're also encouraged to use AWS Systems Manager for secure and efficient management of your instances: it provides a unified interface for automated tasks and monitoring, further enhancing your operational security and efficiency.
Using SSH
This approach is also available to you. However, by default we configure the Security Group so that port 22 is not exposed to the public; it is accessible only from within the local subnet. If you need to reach the server over the internet, you will need to change the inbound rule accordingly. Once that is configured, you can access the instance using the ec2-user username and the SSH key you selected at deployment time.
User Management
Creating a User
To route all user traffic through the VPN, use:
sudo ov_user_add -u USER_NAME -t all
For routing only remote network traffic via the VPN:
sudo ov_user_add -u USER_NAME -t partial
Available Options
- Required Options:
  -u: Specify the username (without spaces).
  -t: Specify the traffic routing mode. Choose all to route all traffic through the VPN, or partial to route only traffic to the remote network.
- Optional:
  --set-passwd: Automatically generates and displays a password when creating a profile, eliminating the need to set a password manually for each user.
Copying Profiles Locally
Upon each execution, a .ovpn file is generated in the openvpn_users directory under the ec2-user home folder. To transfer the profile to your local machine, use the scp command as follows:
scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .
Deleting a User
Execute the command below:
sudo ov_user_delete -u USER_NAME
Listing All Users
To see all available VPN server users, list the .ovpn configuration files in the openvpn_users folder:
ls -la /home/ec2-user/openvpn_users
Migrating to v1.9.x
If you're planning to upgrade to version v1.9.x and wish to keep all the .ovpn profiles you've created for your users, follow these step-by-step instructions for a seamless transition:
- Log in to the instance.
- Ensure you are operating as ec2-user.
- Navigate to the home directory of ec2-user.
- Download the backup and restore CLI script to the instance using curl or wget from this link: ov_backup_restore.sh.
- Make the script executable with chmod +x ov_backup_restore.sh.
- Execute the script with ./ov_backup_restore.sh backup.
- Run ls -la to verify the contents of the current directory.
- Look for a file named 0x4447-openvpn-backup.tar.gz.
- Copy this file to your local machine using your preferred method (SCP, for example), as the data will be lost after the update.
- Proceed with the product update.
- Upload the backup file to the root of the ec2-user home directory.
- Re-download the backup and restore CLI script to the instance using curl or wget from this link: ov_backup_restore.sh.
- Execute the script again, but this time with ./ov_backup_restore.sh restore.
If everything goes as planned, all your configurations will be restored.
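As an added illustration of what the backup and restore steps above accomplish, the following POSIX shell script archives the openvpn_users directory into a tarball with the same name the docs tell you to look for, records a SHA-256 checksum beside it, and refuses to restore an archive whose checksum no longer matches. This is example code written for this page, not the product's ov_backup_restore.sh (whose contents are not shown here); the directory layout ($HOME/openvpn_users) comes from the page, while the checksum step and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the product's ov_backup_restore.sh): back up and restore the
# openvpn_users profile directory with an integrity check on the archive.
# Assumptions: profiles live in $HOME/openvpn_users (as in the docs); the archive
# name matches the one the docs tell you to look for.

ARCHIVE_NAME="0x4447-openvpn-backup.tar.gz"

# Print the SHA-256 hex digest of file $1 (GNU sha256sum, or BSD shasum as fallback).
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# ov_backup SRC_DIR DEST_DIR
# Archive SRC_DIR into DEST_DIR/$ARCHIVE_NAME (relative paths only) and write
# DEST_DIR/$ARCHIVE_NAME.sha256 next to it. Profiles embed private keys, so the
# archive is made owner-readable only.
ov_backup() {
  src="$1"; dest="$2"
  [ -d "$src" ] || { echo "ov_backup: no such directory: $src" >&2; return 1; }
  mkdir -p "$dest" || return 1
  tar -czf "$dest/$ARCHIVE_NAME" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  chmod 600 "$dest/$ARCHIVE_NAME"
  _sha256 "$dest/$ARCHIVE_NAME" > "$dest/$ARCHIVE_NAME.sha256"
}

# ov_restore ARCHIVE PARENT_DIR
# Verify ARCHIVE against its .sha256 companion, then unpack it under PARENT_DIR
# (so PARENT_DIR/openvpn_users reappears). A mismatch aborts before anything is written.
ov_restore() {
  archive="$1"; parent="$2"
  [ -f "$archive" ] || { echo "ov_restore: missing archive: $archive" >&2; return 1; }
  expected=$(cat "$archive.sha256" 2>/dev/null) || { echo "ov_restore: missing checksum file" >&2; return 1; }
  actual=$(_sha256 "$archive")
  [ "$expected" = "$actual" ] || { echo "ov_restore: checksum mismatch, refusing to restore" >&2; return 1; }
  mkdir -p "$parent" || return 1
  tar -xzf "$archive" -C "$parent"
}

# count_profiles DIR: number of .ovpn profiles directly inside DIR (0 if DIR is absent).
count_profiles() {
  find "$1" -maxdepth 1 -name '*.ovpn' 2>/dev/null | wc -l | tr -d ' '
}

# Typical use on the instance, before and after the upgrade:
#   ov_backup "$HOME/openvpn_users" "$HOME"        # writes ~/0x4447-openvpn-backup.tar.gz
#   ov_restore "$HOME/0x4447-openvpn-backup.tar.gz" "$HOME"
```

Copy both the archive and its .sha256 file off the instance before the update; the checksum is what lets the restore step detect a truncated or altered upload rather than silently unpacking a damaged set of profiles.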
VPN Clients
Advanced details
Key Features
- Unlimited Users: Our product supports an unlimited number of users, ensuring scalability for your growing needs.
- Flexible Traffic Routing: Choose to route all or specific parts of your traffic through our product, giving you complete control over your data flow.
- Reliable Connectivity: Utilizes UDP with a fallback to TCP on port 443, enhancing the likelihood of successful connections under various network conditions.
- Customizable Security: Offers configurable certificate key sizes, allowing you to balance between security needs and performance.
- Easy Profile Management: Comes with custom Command Line Interfaces (CLIs) that simplify the creation and management of .ovpn profiles, making setup a breeze.
- Automatic Profile Renewal: Automatically regenerates user profiles 30 days before they expire, removing the hassle of manual renewals.
- Notification System: Sends out email notifications whenever new profiles are automatically generated, keeping you informed.
- Enhanced Access Control: Provides an option for password access using Pluggable Authentication Modules (PAM), adding an extra layer of security.
Use Cases
Access to Private AWS Subnets:
AWS networks contain subnets, which can be public or private. Private subnets are secure areas not directly accessible from the public internet, housing critical servers and data. The most secure method to access these private subnets is through a VPN deployed in a public subnet. This setup encrypts your connection, allowing safe access to the private subnet and its servers as if they were local to your network, ensuring data security and integrity within AWS environments.
Secured Internet Connection for Remote Employees:
Beyond accessing private resources, this VPN also safeguards the internet connections of remote employees. By routing their traffic through the VPN, all online activities are encrypted, protecting company-sensitive data from potential interception by third parties. This ensures that employees can work securely from any location, preserving confidentiality and data integrity.
Inter-Office Connectivity:
For organizations with multiple office locations, maintaining a secure and reliable inter-office network is crucial. Our VPN solution facilitates the creation of a secure virtual network overlaying the public internet, linking different office locations. This secure network tunnel ensures that data exchanged between offices is encrypted and protected from external threats, enabling seamless collaboration and resource sharing across geographical locations.
Compliance and Data Protection:
Businesses subject to stringent regulatory requirements can benefit significantly from our VPN solution. By encrypting data in transit and providing secure access controls, the VPN helps organizations comply with data protection laws and industry standards. This is particularly important for sectors like healthcare, finance, and legal, where data privacy is paramount.
How To
How To Change the Instance Type
Make sure your data is backed up first. A straightforward method is:
- Navigate to the CloudFormation console.
- Select the stack you wish to update.
- Click the Update button.
- Proceed with the default option by clicking Next.
- On the Parameters page, select a new instance type from the dropdown menu.
- Continue clicking Next until the process concludes.
- Wait for the stack update to complete.
F.A.Q
Here are solutions to common issues you might encounter:
Not Authorized for Images
If you encounter an error like API: ec2:RunInstances Not authorized for images:... in the CloudFormation stack's Events tab:
Solution: Ensure you have accepted the AWS Marketplace subscription for the software before using our CloudFormation file.
The Product is Misbehaving
In case the product does not function as expected despite following all instructions:
Solution: Confirm that the UserData values have been correctly passed to the instance:
sudo cat /var/lib/cloud/instance/user-data.txt
UserData Seems OK
If the UserData appears correct but the product is still not performing as expected:
Solution: Check for errors during the boot process with:
sudo grep 0x4447 /var/log/messages
Issue with Remote Access
Trouble accessing the server over SSH:
Solution:
- Verify your public IP is allowed in the EC2 instance's Security Group inbound rules.
- Use the correct EC2 Key Pair provided at stack launch.
- Log in as ec2-user, not root, since root login is disabled.
How to Check CA Expiration
Checking the CA certificate's expiration date:
sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt
Updating the CA certificate:
cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/
Restart the OpenVPN service afterwards.
How to Check the Server Certificate Expiration
Checking the server certificate's expiration date:
sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt
Renewing the server certificate:
cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/
Restart the OpenVPN service afterwards.
How to Check the CRL Certificate Expiration
Checking the CRL (Certificate Revocation List) expiration date:
sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'
Updating the CRL certificate:
cd /usr/share/easy-rsa/3
echo "set_var EASYRSA_CRL_DAYS 3650" | sudo tee -a vars >/dev/null
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/
Restart the OpenVPN service afterwards.
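The three checks above (CA, server certificate, CRL) all come down to reading an end date out of openssl output and comparing it with today. The following POSIX shell helper, added here as an example and not part of the product, does that for any of the three files and flags anything inside a 30-day window, the same lead time the product uses for automatic profile renewal (applying that window to the CA, server certificate and CRL is this example's own choice). It assumes the file paths from the F.A.Q., GNU date (with a BSD date fallback), and read access to /etc/openvpn/server, which is why the docs prefix the openssl commands with sudo; the file name check_pki.sh in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the product): report days remaining on the OpenVPN
# CA, server certificate and CRL, using a 30-day lead time as the renewal trigger.
# Assumptions: file paths as in the F.A.Q above; GNU date (BSD date as fallback).

WARN_DAYS=30

# days_until END_DATE [NOW_EPOCH]
# END_DATE is the text openssl prints after 'notAfter=' or 'nextUpdate=',
# e.g. 'Jan  1 00:00:00 2030 GMT'. NOW_EPOCH defaults to the current time and
# exists so the arithmetic can be checked against a fixed reference.
days_until() {
  end_date="$1"; now="${2:-$(date -u +%s)}"
  end=$(date -u -d "$end_date" +%s 2>/dev/null) \
    || end=$(date -ju -f '%b %d %T %Y %Z' "$end_date" +%s 2>/dev/null) \
    || return 2
  echo $(( (end - now) / 86400 ))
}

# expiry_status DAYS: OK, RENEW (inside the warning window) or EXPIRED (negative).
expiry_status() {
  if [ "$1" -lt 0 ]; then echo EXPIRED
  elif [ "$1" -lt "$WARN_DAYS" ]; then echo RENEW
  else echo OK
  fi
}

# check_file PATH: print "STATUS DAYS PATH" for a certificate or a CRL.
# A CRL carries 'Next Update' instead of 'Not After', so it needs 'openssl crl'.
check_file() {
  f="$1"
  case "$f" in
    *.pem) line=$(openssl crl  -noout -nextupdate -in "$f") || return 1 ;;
    *)     line=$(openssl x509 -noout -enddate   -in "$f") || return 1 ;;
  esac
  days=$(days_until "${line#*=}") || return 1
  printf '%s %s %s\n' "$(expiry_status "$days")" "$days" "$f"
}

# check_openvpn_pki: run the three F.A.Q checks in one go; the exit status is
# non-zero if any item is unreadable, inside the warning window, or expired.
check_openvpn_pki() {
  rc=0
  for f in /etc/openvpn/server/ca.crt /etc/openvpn/server/server.crt /etc/openvpn/server/crl.pem; do
    out=$(check_file "$f") || { echo "ERROR could not read $f" >&2; rc=1; continue; }
    echo "$out"
    case "$out" in OK\ *) ;; *) rc=1 ;; esac
  done
  return $rc
}

# Usage on the instance (sudo so the private PKI files are readable); the script
# name check_pki.sh is an assumption:
#   sudo sh -c '. ./check_pki.sh && check_openvpn_pki'
```

Run it from cron or a scheduled SSM command and alert on a non-zero exit: a server certificate that lapses takes every client offline at once, and an expired CRL makes OpenVPN reject all connections, so the window should be wide enough to renew and restart the service before either date. Note that the CA procedure above re-signs the existing CA certificate with the same key, which is why client profiles issued under it keep validating after the swap.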