Free Training

We provide complimentary training sessions. For more information or to request assistance, please visit our training page.

Deploy the product

First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.


A comprehensive list of steps to ensure a successful deployment:

  1. Verify you are in the correct AWS account.
  2. Ensure you are in the appropriate region.
  3. Subscribe to the product using the link provided above, and ensure not to launch the product from the AWS Marketplace.
  4. Confirm the product was not launched from the AWS Marketplace.
  5. Deploy the product using the CloudFormation template link provided above.
  6. Wait for the deployment to complete while continuing to review the remaining documentation.

Initial Startup

Expect a slight delay in the startup time of our product relative to launching an instance with a standard AMI. This occurs as our bespoke software configuration is applied to tailor the product to your needs, extending the initialization process by a few minutes.

Server Connection

Using SSM

All of our products are designed to support AWS Systems Manager (SSM) right out of the box. We strongly believe in security, and the fewer ports exposed to the public, the better. The SSM service provided by AWS perfectly aligns with this approach.

When you need to connect to an instance, opt for connecting through the Session Manager. Once you've gained access, execute the command sudo su ec2-user to switch to the user account where all of our tools are located. This ensures you have the appropriate permissions and access to the necessary resources. Additionally, you're encouraged to use the AWS Systems Manager service for secure and efficient management of your instances. This integrated service provides a unified interface for automated tasks and monitoring, further enhancing your operational security and efficiency.

Using SSH

This approach is also available to you. However, by default, we configure the Security Group to not expose port 22 to the public; it's set to be accessible only within the local subnet. If you need to access the server over the internet, you will need to change the Inbound rule accordingly. Once that is configured, you can access the instance using the ec2-user username and the SSH key you selected at deployment time.

User Management

Creating a User

To route all user traffic through the VPN, use:

sudo ov_user_add -u USER_NAME -t all

For routing only remote network traffic via the VPN:

sudo ov_user_add -u USER_NAME -t partial

Available Options

  • Required Options:
    • -u: Specify the username (without spaces).
    • -t: Specifies the traffic routing mode. Choose all to route all traffic through the VPN or partial to route only traffic to the remote network.
  • Optional:
    • --set-passwd: Automatically generates and displays a password when creating a profile, eliminating the need for manually setting passwords for each user.

Copying Profiles Locally

Upon each execution, a .ovpn file is generated in the openvpn_users directory under the ec2-user home folder. To transfer the profile to your local machine, utilize the SCP command as follows:

scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .

Deleting a User

Execute the command below:

sudo ov_user_delete -u USER_NAME

Listing All Users

To see all available VPN server users, list the .ovpn configuration files in the openvpn_users folder:

ls -la /home/ec2-user/openvpn_users

VPN Clients

Advanced details

Key Features

  • Unlimited Users: Our product supports an unlimited number of users, ensuring scalability for your growing needs.
  • Flexible Traffic Routing: Choose to route all or specific parts of your traffic through our product, giving you complete control over your data flow.
  • Reliable Connectivity: Utilizes UDP with a fallback to TCP on port 443, enhancing the likelihood of successful connections under various network conditions.
  • Customizable Security: Offers configurable certificate key sizes, allowing you to balance between security needs and performance.
  • Easy Profile Management: Comes with custom Command Line Interfaces (CLIs) that simplify the creation and management of .ovpn profiles, making setup a breeze.
  • Automatic Profile Renewal: Automatically regenerates user profiles 30 days before they expire, removing the hassle of manual renewals.
  • Notification System: Sends out email notifications whenever new profiles are automatically generated, keeping you informed.
  • Enhanced Access Control: Provides an option for password access using Pluggable Authentication Modules (PAM), adding an extra layer of security.

Use Cases

Access to Private AWS Subnets:

AWS networks contain subnets, which can be public or private. Private subnets are secure areas not directly accessible from the public internet, housing critical servers and data. The most secure method to access these private subnets is through a VPN deployed in a public subnet. This setup encrypts your connection, allowing safe access to the private subnet and its servers as if they were local to your network, ensuring data security and integrity within AWS environments.

Secured Internet Connection for Remote Employees:

Beyond accessing private resources, this VPN also safeguards the internet connections of remote employees. By routing their traffic through the VPN, all online activities are encrypted, protecting company-sensitive data from potential interception by third parties. This ensures that employees can work securely from any location, preserving confidentiality and data integrity.

Inter-Office Connectivity:

For organizations with multiple office locations, maintaining a secure and reliable inter-office network is crucial. Our VPN solution facilitates the creation of a secure virtual network overlaying the public internet, linking different office locations. This secure network tunnel ensures that data exchanged between offices is encrypted and protected from external threats, enabling seamless collaboration and resource sharing across geographical locations.

Compliance and Data Protection:

Businesses subject to stringent regulatory requirements can benefit significantly from our VPN solution. By encrypting data in transit and providing secure access controls, the VPN helps organizations comply with data protection laws and industry standards. This is particularly important for sectors like healthcare, finance, and legal, where data privacy is paramount.

How To

How To Change the Instance Type

Ensure your data is backed up regularly. A straightforward method includes:

  1. Navigate to the CloudFormation console.
  2. Select the stack you wish to update.
  3. Click the Update button.
  4. Proceed with the default option by clicking Next.
  5. On the Parameters page, select a new instance type from the dropdown menu.
  6. Continue clicking Next until the process concludes.

Wait for the stack update to complete.


Here are solutions to common issues you might encounter:

Not Authorized for Images


If you encounter an error like API: ec2:RunInstances Not authorized for images:... in the CloudFormation stack's Event tab:

Solution: Ensure you have accepted the AWS Marketplace subscription for the software before using our CloudFormation file.

The Product is Misbehaving


In case the product does not function as expected despite following all instructions:

Solution: Confirm that the UserData values have been correctly passed to the instance:

sudo cat /var/lib/cloud/instance/user-data.txt

UserData Seems OK


If the UserData appears correct but the product is still not performing as expected:

Solution: Check for errors during the boot process with:

sudo cat /var/log/messages | grep 0x4447

Issue with Remote Access


Trouble accessing the server over SSH:


  • Verify your public IP is allowed in the EC2 instance's Security Group inbound rules.
  • Use the correct EC2 Key Pair provided at stack launch.
  • Login as ec2-user, not root, since root login is disabled.

How to Check CA Expiration


Checking the CA certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt

Updating the CA certificate:

cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the Server Certificate Expiration


Checking the server certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt

Renewing the server certificate:

cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the CRL Certificate Expiration


Checking the CRL (Certificate Revocation List) expiration date:

sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'

Updating the CRL certificate:

cd /usr/share/easy-rsa/3
sudo echo "set_var EASYRSA_CRL_DAYS 3650" >> vars
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/

Restart the OpenVPN service afterwards.