Setting up OpenVPN Access Server in Amazon VPC

Instances in a VPC are not reachable from the Internet unless you associate an Elastic IP with them (and their subnet routes to an Internet gateway). If you don't want to expose your instances publicly, consider setting up an OpenVPN Access Server to create a secure VPN tunnel into the VPC and reach the instances over their private addresses. The server comes with 2 concurrent user licenses. In this post, I will show you how to set up an OpenVPN Access Server in Amazon VPC in the following few simple steps:

  1. Launch an OpenVPN Access Server Instance
  2. Run the Initial Configuration Tool
  3. Set up Network and VPN Settings

Launch an OpenVPN Access Server Instance

Go to the EC2 Management Dashboard and click the Launch Instance button to bring up the Create a New Instance window. Select AWS Marketplace and type OpenVPN in the search box.


Once you click the Go button, OpenVPN Access Server should appear in the results. Click the OpenVPN Access Server title to proceed.


It will show more details about the OpenVPN Access Server. Select the region in which you would like to launch the OpenVPN Access Server instance and click the Continue button. In this demonstration, I have selected US West (Northern California).


It selects Standard Small (m1.small) by default as the EC2 Instance Type. You can change it to Standard Micro (t1.micro), which is sufficient. Select the VPC and Subnet you would like to use. I highly recommend launching it in a VPC: it lets you change security groups after launch if needed, whereas if you launch it in EC2-Classic you are stuck with the security group assignment made at launch. Make sure you supply a key pair. Amazon installs the public key on the instance, and you will need the private key to SSH to the instance for additional setup later on.

Click the Launch with 1-Click button to proceed. If you don't see the VPC Settings section, use the Launch with EC2 Console option instead. I have occasionally seen the VPC Settings section fail to show up lately.


Run the Initial Configuration Tool

It will take 10-15 minutes for the instance to be ready. Wait until the Status Checks column changes from initializing to 2/2 checks passed. In the meantime, allocate a public IP (Elastic IP) and associate it with the OpenVPN Access Server instance. You can do this in the Elastic IPs section of the EC2 Management Console. See Getting Started with Amazon VPC to learn more.


You will need to SSH into the instance with the key pair you supplied to run the OpenVPN Access Server Initial Configuration Tool. The user ID associated with the key pair is root. In your SSH client, log in as root@[public IP of your OpenVPN Access Server].

For example, root@

The tool starts automatically on first login. It prompts you with the list of questions below. You can pretty much hit the Enter key to take the default for each, except the first question about the license agreement, where you have to type yes to proceed.

  • Please enter ‘yes’ to indicate your agreement [no]: yes
  • Will this be the primary Access Server node? yes
  • Please specify the network interface and IP address to be used by the Admin Web UI: 2
  • Please specify the port number for the Admin Web UI: 943
  • Please specify the TCP port number for the OpenVPN Daemon: 443
  • Should client traffic be routed by default through the VPN? yes
  • Should client DNS traffic be routed by default through the VPN? yes
  • Use local authentication via internal DB? no
  • Should private subnets be accessible to clients by default? yes
  • Do you wish to login to the Admin UI as “openvpn”? yes
  • Please specify your OpenVPN-AS license key (or leave blank to specify later):


Once the initial configuration is complete, set the password for the admin user. If you took the default admin user name, run passwd openvpn to set it. Otherwise, replace openvpn with the admin user name you chose.


Set up Network and VPN Settings

You will need to log into the Admin web UI to make a few more updates. Then you are good to go. The Admin web UI is at https://[public IP of your OpenVPN Access Server]:943/admin.

For example:

On the Admin web UI, under Configuration > Server Network Settings, update Hostname or IP Address to the public IP of your OpenVPN Access Server. Then click the Save Settings button at the bottom of the page.

Server Network Settings

Whenever you change any settings, you must also click the Update Running Server button to apply them. The button appears at the top of the page after you make changes.

Update Running Server

If you have subnets or networks that you want to reach through your OpenVPN Access Server but that are not listed in the Routing section under Configuration > VPN Settings, add them there. Once again, click Save Settings and then Update Running Server to apply the changes. In the screenshot below, two networks are listed. The first was added by the system automatically, since it is the network the OpenVPN Access Server itself is in; I only had to add the second one manually.


Another setting you may want to change is User Authentication under Authentication > General, where you set the preferred authentication method. By default it uses PAM, which means users are authenticated by the underlying operating system (Linux). With PAM, to add a user who can connect to the OpenVPN Access Server, you add the user from the Linux console and set the password there.

User Authentication
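Everything done above through the init tool answers and the Admin web UI (hostname, ports, routing of client traffic, PAM authentication, the private subnets in the Routing section, and the Update Running Server step) can also be applied from the server's shell with the sacli tool that ships in /usr/local/openvpn_as/scripts. The script below is an added example, not part of the original post and not OpenVPN's own documentation. It assumes the configuration key names host.name, cs.https.port, vpn.server.daemon.tcp.port, vpn.client.routing.reroute_gw, vpn.client.routing.reroute_dns, auth.module.type and vpn.server.routing.private_network.N; check them against your Access Server version with sacli ConfigQuery before relying on them. It validates the public IP and every subnet before writing anything, so a mistyped CIDR cannot become a route for the wrong network. Setting SACLI=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: push the settings from this post through sacli instead of
# the Admin web UI. Key names are assumed; verify with: sacli ConfigQuery
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Accept only a.b.c.d/N with a valid address and 0 <= N <= 32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    n="${1#*/}"
    echo "$n" | grep -Eq '^[0-9]{1,2}$' && [ "$n" -le 32 ]
}

# configure_as PUBLIC_IP SUBNET [SUBNET...]
configure_as() {
    pub="$1"; shift
    valid_ipv4 "$pub" || { echo "bad public IP: $pub" >&2; return 1; }
    # Validate all subnets first so a bad one does not leave a half-applied config
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    done
    # Hostname or IP Address (Configuration > Server Network Settings)
    "$SACLI" --key "host.name" --value "$pub" ConfigPut
    # Admin UI port and OpenVPN daemon TCP port chosen in the init tool
    "$SACLI" --key "cs.https.port" --value "943" ConfigPut
    "$SACLI" --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut
    # Route client traffic and client DNS through the VPN, as answered above
    "$SACLI" --key "vpn.client.routing.reroute_gw" --value "true" ConfigPut
    "$SACLI" --key "vpn.client.routing.reroute_dns" --value "true" ConfigPut
    # Authenticate against the OS (PAM) rather than the internal DB
    "$SACLI" --key "auth.module.type" --value "pam" ConfigPut
    # Routing section under Configuration > VPN Settings: one key per subnet
    i=0
    for net in "$@"; do
        "$SACLI" --key "vpn.server.routing.private_network.$i" --value "$net" ConfigPut
        i=$((i + 1))
    done
    # Equivalent of the Update Running Server button
    "$SACLI" start
}
```

Run it as root on the Access Server, for example configure_as <elastic IP> <subnet1> <subnet2>; the admin password is still set with passwd as described above, since PAM users live in the OS, not in the Access Server's configuration.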


At this point, you should be able to reach the instances in those networks, assuming their security groups are set up to allow connections from your OpenVPN Access Server.
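That security group assumption is where most of these setups go wrong, so here is an added example (not from the original post) that spells the rules out as aws CLI calls: one group for the Access Server instance, and one for the private instances it should reach. The group IDs sg-0123 and sg-4567 and the administrator network 203.0.113.0/24 are placeholders you replace with your own. Clients must be able to reach TCP 443 (and UDP 1194 if you enable it) from anywhere, but SSH and the Admin UI on 943 are opened only to the administrator's network, and the script refuses to open them to 0.0.0.0/0. The private instances accept traffic from the Access Server's security group rather than from a CIDR; with the default NAT setting for private subnets, VPN clients reach those instances with the Access Server's private address as the source, so a group-to-group rule is sufficient. Setting AWS=echo prints the calls instead of running them.

```shell
#!/bin/sh
# Added example: security groups for the Access Server and for the instances
# behind it. sg-0123, sg-4567 and 203.0.113.0/24 are placeholders.
AWS="${AWS:-aws}"

# SSH and the Admin UI must never be open to the whole Internet.
check_admin_cidr() {
    case "$1" in
        0.0.0.0/0|::/0|"") echo "refusing to open admin ports to '$1'" >&2; return 1 ;;
    esac
}

# vpn_server_rules SG_ID ADMIN_CIDR
# Inbound rules for the group attached to the OpenVPN Access Server instance.
vpn_server_rules() {
    sg="$1"; admin="$2"
    check_admin_cidr "$admin" || return 1
    # VPN clients connect on TCP 443 (and UDP 1194 if enabled) from anywhere
    "$AWS" ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 443 --cidr 0.0.0.0/0
    "$AWS" ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 1194 --cidr 0.0.0.0/0
    # SSH and the Admin UI (943) only from the administrator's network
    "$AWS" ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 22 --cidr "$admin"
    "$AWS" ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 943 --cidr "$admin"
}

# internal_rules SG_ID VPN_SG_ID [PORT...]
# Inbound rules for the group attached to the private instances: accept the
# listed TCP ports only from the Access Server's group, never from a CIDR.
internal_rules() {
    sg="$1"; vpn_sg="$2"; shift 2
    [ $# -gt 0 ] || set -- 22
    for port in "$@"; do
        "$AWS" ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port "$port" --source-group "$vpn_sg"
    done
}
```

Typical use is vpn_server_rules sg-0123 203.0.113.0/24 followed by internal_rules sg-4567 sg-0123 22 80; both groups must be in the same VPC for the --source-group reference to resolve.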


2 Responses to Setting up OpenVPN Access Server in Amazon VPC

  1. Pingback: Setting Up OpenVPN Access Server with CloudFormation | Shing Chen's Blog
