Free Training

We provide complimentary training sessions. For more information or to request assistance, please visit our training page.

Deploy the product

First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.

Steps

A comprehensive list of steps to ensure a successful deployment:

  1. Verify you are in the correct AWS account.
  2. Ensure you are in the appropriate region.
  3. Subscribe to the product using the link provided above, but do not launch it from the AWS Marketplace.
  4. Confirm the product was not launched from the AWS Marketplace.
  5. Deploy the product using the CloudFormation template link provided above.
  6. Wait for the deployment to complete while continuing to review the remaining documentation.

Initial Startup

Expect the instance to take a few minutes longer to start than one launched from a standard AMI: our software configuration is applied during first boot to tailor the product to your deployment, which extends initialization.

Server Connection

Using SSM

All of our products are designed to support AWS Systems Manager (SSM) right out of the box. We strongly believe in security, and the fewer ports exposed to the public, the better. The SSM service provided by AWS perfectly aligns with this approach.

When you need to connect to an instance, use Session Manager. Once you have a session, run sudo su ec2-user to switch to the user account where all of our tools are located; this gives you the permissions and access the tools need. Session Manager requires no inbound port, which is why we recommend it over SSH for day-to-day management, and AWS Systems Manager also gives you a single console for automation and monitoring of your instances.

Using SSH

This approach is also available. By default, however, the Security Group does not expose port 22 to the public; it is reachable only from the local subnet. If you need to reach the server over the internet, change the inbound rule accordingly (limit it to your own public IP rather than opening it to everyone). Once that is configured, connect as ec2-user with the SSH key you selected at deployment time.

User Management

Creating a User

To route all user traffic through the VPN, use:

sudo ov_user_add -u USER_NAME -t all

For routing only remote network traffic via the VPN:

sudo ov_user_add -u USER_NAME -t partial

Available Options

  • Required Options:
    • -u: Specifies the username (no spaces).
    • -t: Specifies the traffic routing mode: all routes all client traffic through the VPN; partial routes only traffic destined for the remote network.
  • Optional:
    • --set-passwd: Automatically generates and displays a password when creating a profile, eliminating the need for manually setting passwords for each user.

Copying Profiles Locally

Each run of ov_user_add writes a .ovpn file to the openvpn_users directory under the ec2-user home folder. To copy the profile to your local machine, use scp as follows:

scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .

Deleting a User

Execute the command below:

sudo ov_user_delete -u USER_NAME

Listing All Users

To see all available VPN server users, list the .ovpn configuration files in the openvpn_users folder:

ls -la /home/ec2-user/openvpn_users

VPN Clients

Advanced details

Key Features

  • Unlimited Users: Our product supports an unlimited number of users, ensuring scalability for your growing needs.
  • Flexible Traffic Routing: Choose to route all or specific parts of your traffic through our product, giving you complete control over your data flow.
  • Reliable Connectivity: Utilizes UDP with a fallback to TCP on port 443, enhancing the likelihood of successful connections under various network conditions.
  • Customizable Security: Offers configurable certificate key sizes, allowing you to balance between security needs and performance.
  • Easy Profile Management: Comes with custom Command Line Interfaces (CLIs) that simplify the creation and management of .ovpn profiles, making setup a breeze.
  • Automatic Profile Renewal: Automatically regenerates user profiles 30 days before they expire, removing the hassle of manual renewals.
  • Notification System: Sends out email notifications whenever new profiles are automatically generated, keeping you informed.
  • Enhanced Access Control: Provides an option for password access using Pluggable Authentication Modules (PAM), adding an extra layer of security.

Use Cases

Access to Private AWS Subnets:

AWS networks contain subnets, which can be public or private. Private subnets are secure areas not directly accessible from the public internet, housing critical servers and data. The most secure method to access these private subnets is through a VPN deployed in a public subnet. This setup encrypts your connection, allowing safe access to the private subnet and its servers as if they were local to your network, ensuring data security and integrity within AWS environments.

Secured Internet Connection for Remote Employees:

Beyond accessing private resources, this VPN also safeguards the internet connections of remote employees. By routing their traffic through the VPN, all online activities are encrypted, protecting company-sensitive data from potential interception by third parties. This ensures that employees can work securely from any location, preserving confidentiality and data integrity.

Inter-Office Connectivity:

For organizations with multiple office locations, maintaining a secure and reliable inter-office network is crucial. Our VPN solution facilitates the creation of a secure virtual network overlaying the public internet, linking different office locations. This secure network tunnel ensures that data exchanged between offices is encrypted and protected from external threats, enabling seamless collaboration and resource sharing across geographical locations.

Compliance and Data Protection:

Businesses subject to stringent regulatory requirements can benefit significantly from our VPN solution. By encrypting data in transit and providing secure access controls, the VPN helps organizations comply with data protection laws and industry standards. This is particularly important for sectors like healthcare, finance, and legal, where data privacy is paramount.

How To

How To Change the Instance Type

Make sure your data is backed up first. A straightforward method:

  1. Navigate to the CloudFormation console.
  2. Select the stack you wish to update.
  3. Click the Update button.
  4. Proceed with the default option by clicking Next.
  5. On the Parameters page, select a new instance type from the dropdown menu.
  6. Continue clicking Next until the process concludes.

Wait for the stack update to complete.

F.A.Q

Here are solutions to common issues you might encounter:

Not Authorized for Images

Solution

If you encounter an error like API: ec2:RunInstances Not authorized for images:... in the CloudFormation stack's Event tab:

Solution: Ensure you have accepted the AWS Marketplace subscription for the software before using our CloudFormation file.

The Product is Misbehaving

Solution

In case the product does not function as expected despite following all instructions:

Solution: Confirm that the UserData values have been correctly passed to the instance:

sudo cat /var/lib/cloud/instance/user-data.txt

UserData Seems OK

Solution

If the UserData appears correct but the product is still not performing as expected:

Solution: Check for errors during the boot process with:

sudo grep 0x4447 /var/log/messages

Issue with Remote Access

Solution

Trouble accessing the server over SSH:

Solution:

  • Verify your public IP is allowed in the EC2 instance's Security Group inbound rules.
  • Use the correct EC2 Key Pair provided at stack launch.
  • Log in as ec2-user, not root; root login is disabled.

How to Check CA Expiration

Solution

Checking the CA certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/ca.crt

Updating the CA certificate:

cd /usr/share/easy-rsa/3/pki
sudo openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey private/ca.key
sudo mv ca.crt ca.old.crt
sudo mv ca_new.crt ca.crt
sudo cp ca.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards. Because the CA certificate is re-signed with the same key, certificates it has already issued remain valid; user profiles, however, embed ca.crt, so profiles generated before the update stop validating once the old CA certificate expires and must be regenerated.

How to Check the Server Certificate Expiration

Solution

Checking the server certificate's expiration date:

sudo openssl x509 -noout -enddate -in /etc/openvpn/server/server.crt

Renewing the server certificate:

cd /usr/share/easy-rsa/3
sudo ./easyrsa renew server
sudo cp pki/issued/server.crt /etc/openvpn/server/

Restart the OpenVPN service afterwards.

How to Check the CRL Certificate Expiration

Solution

Checking the CRL (Certificate Revocation List) expiration date:

sudo openssl crl -in /etc/openvpn/server/crl.pem -text | grep 'Next Update'

Updating the CRL certificate:

cd /usr/share/easy-rsa/3
echo "set_var EASYRSA_CRL_DAYS 3650" | sudo tee -a vars
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/server/

Restart the OpenVPN service afterwards.
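The per-certificate checks in the last three sections, together with the profile listing under Listing All Users, can be combined into one report. The script below is an added example, not part of the product's own tooling; it assumes the file paths used on this page, the openssl CLI and GNU date (both present on Amazon Linux), and that user profiles embed their client certificate in an inline <cert> block as OpenVPN allows. It flags anything expiring within a window that defaults to the same 30 days the product uses for automatic profile renewal.

```shell
#!/bin/bash
# check_vpn_pki.sh: added example, not part of the product's own tooling.
# Reports how many days remain on the OpenVPN CA certificate, server certificate,
# CRL and every user profile's embedded client certificate, and flags anything
# inside a warning window. Paths default to those used in this documentation and
# can be overridden through environment variables. Assumes GNU date (date -d) and
# the openssl CLI.
set -u

CA_CRT="${CA_CRT:-/etc/openvpn/server/ca.crt}"
SERVER_CRT="${SERVER_CRT:-/etc/openvpn/server/server.crt}"
CRL_PEM="${CRL_PEM:-/etc/openvpn/server/crl.pem}"
PROFILE_DIR="${PROFILE_DIR:-/home/ec2-user/openvpn_users}"
WARN_DAYS="${WARN_DAYS:-30}"   # same window the product uses for automatic profile renewal

# Expiry of a PEM certificate, e.g. "Jun  1 12:00:00 2030 GMT" (openssl's own format).
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# nextUpdate of a PEM CRL, in the same format.
crl_nextupdate() {
    openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//'
}

# Expiry of the client certificate embedded between <cert> and </cert> in an .ovpn
# profile (assumption: the product writes the certificate inline, as OpenVPN allows).
profile_enddate() {
    sed -n '/^<cert>/,/^<\/cert>/p' "$1" | sed '1d;$d' \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from now until an openssl-style date (negative if already past).
days_until() {
    local target now
    target=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (target - now) / 86400 ))
}

# Map a day count to a status word: EXPIRED, WARNING (inside the window) or OK.
status_for_days() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le "$WARN_DAYS" ]; then echo WARNING
    else echo OK
    fi
}

# Print one line "STATUS  days  label  (expiry)"; returns 0 only when the status is OK.
report() {  # $1 = label, $2 = openssl-style expiry date (empty if unreadable)
    local days status
    if [ -z "$2" ]; then
        printf '%-8s %5s  %s\n' MISSING '-' "$1"; return 1
    fi
    days=$(days_until "$2") || { printf '%-8s %5s  %s\n' UNPARSED '-' "$1"; return 1; }
    status=$(status_for_days "$days")
    printf '%-8s %5s  %s  (%s)\n' "$status" "$days" "$1" "$2"
    [ "$status" = OK ]
}

# Run every check; the exit status is non-zero if anything needs attention, so the
# script can be scheduled from cron and its failures alerted on.
check_all() {
    local rc=0 f
    report "CA certificate $CA_CRT"         "$( [ -r "$CA_CRT" ] && cert_enddate "$CA_CRT" )"         || rc=1
    report "server certificate $SERVER_CRT" "$( [ -r "$SERVER_CRT" ] && cert_enddate "$SERVER_CRT" )" || rc=1
    report "CRL $CRL_PEM"                   "$( [ -r "$CRL_PEM" ] && crl_nextupdate "$CRL_PEM" )"     || rc=1
    for f in "$PROFILE_DIR"/*.ovpn; do
        [ -e "$f" ] || continue            # no profiles yet
        report "profile $(basename "$f" .ovpn)" "$(profile_enddate "$f" 2>/dev/null)" || rc=1
    done
    return $rc
}

# Only run the report when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --check) check_all ;;
esac
```

Run it as sudo ./check_vpn_pki.sh --check, with sudo as the page's own commands use it, or source it to reuse the functions. A non-zero exit status means at least one item was reported MISSING, WARNING or EXPIRED, which is the condition to alert on when the script runs from cron.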