Setting up OpenVPN Access Server with CloudFormation

This post continues my previous post about Setting up OpenVPN Access Server in Amazon VPC. To make it easy to launch the server in an existing AWS VPC, I have put together a CloudFormation template that automates the process. You can find the CloudFormation template in my github repository.

You will be able to set up an OpenVPN Access Server with the CloudFormation template in the CloudFormation Management Console.

Click the Create New Stack button to start the process.

create stack

Give the stack a name and specify where the template is located. The stack name is case-sensitive and has to be unique within your AWS account. It must start with a letter and can only contain alphanumeric characters. In other words, no spaces or special characters are allowed.

select template

You will need to enter a few inputs to specify things like the VPC ID, Subnet ID, admin user name, password and the like.

specify parameters

Add optional tags to mark whatever resources that are created by the stack to help identify them.

add tags

The final step is to review and click the Continue button. The stack will be created and ready shortly. You should be able to get the OpenVPN server's URLs in the Outputs tab of the stack.


I am going to go through each section of the CloudFormation template. It consists of four sections:

  1. Parameters
  2. Mappings
  3. Resources
  4. Outputs


The Parameters section defines the inputs that you will need to create the OpenVPN Access Server and related infrastructure components.

  • Instance Type – Instance type for the OpenVPN Access Server
  • VPC ID – ID of the VPC where the OpenVPN Access Server will be launched
  • Subnet ID – ID of the subnet where the OpenVPN Access Server will be launched
  • Group Description – Security group description
  • Admin User – Admin user name
  • Admin Password – Admin user password
  • Admin CIDR IP – IP block from which you will be accessing the Admin portal
  • Key Name – Key pair used to SSH into the OpenVPN server's console


The Mappings section defines which AMI should be used when launching the OpenVPN Access Server. It is essentially a mapping table between regions and AMIs, since each region uses a different AMI.


The Resources section consists of the resources that will be created in a specific order:

  1. SecurityGroup – A security group for the OpenVPN Access Server
  2. IPAddress – An Elastic IP for the OpenVPN Access Server
  3. Instance – The OpenVPN Access Server
  4. IPAssoc – An association between the elastic IP and the OpenVPN Access Server

Security Group

The SecurityGroup resource defines the firewall rules for the OpenVPN Access Server in the VPC you have specified. The following are the minimum ports you will need:

  • TCP 443 – Users log into the OpenVPN server via this port.
  • UDP 1192 – VPN connections run through this port.
  • TCP 943 – The Admin portal runs on this port by default.

These ports can be changed in the OpenVPN Admin portal if needed.

IP Address

The IPAddress resource allocates a public IP (elastic IP) which will be associated with the OpenVPN Access Server. Users will need to access the OpenVPN Access Server via this public IP.

Instance

The Instance resource launches the OpenVPN Access Server. Depending on the region in which you run the CloudFormation template, it selects the appropriate AMI. It supplies the admin user name, initial password and public IP as user-data to the instance, so you no longer have to SSH into the OpenVPN Access Server console to run the initial configuration. Since the admin password is stored in clear text in the instance user-data (readable by anyone who can describe the instance), you should change the password afterward.

IP Association

The IPAssoc resource associates the public IP with the OpenVPN Access Server instance.


The Outputs section exposes a few values that you will need to access the OpenVPN Access Server after the stack is created:

  • OpenVPN Server Admin Portal – The URL for the Admin portal
  • OpenVPN Server URL – The URL for the server
  • Group Name – The security group name
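The four sections above assembled into one minimal template, written here as an added example rather than the template in the author's repository. The AMI IDs are placeholders, the user-data key names are assumed to be the ones the OpenVPN Access Server AMI reads at first boot, and the admin portal and SSH ports are restricted to the Admin CIDR IP while the password parameter is marked NoEcho so it does not show up in the console or in describe-stacks output:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: OpenVPN Access Server in an existing VPC (added example, not the post's own template)
Parameters:
  VpcId:         {Type: AWS::EC2::VPC::Id}
  SubnetId:      {Type: AWS::EC2::Subnet::Id}
  KeyName:       {Type: AWS::EC2::KeyPair::KeyName}
  InstanceType:  {Type: String, Default: t2.micro}
  AdminUser:     {Type: String, Default: openvpn}
  AdminPassword: {Type: String, NoEcho: true, MinLength: 8}   # NoEcho hides it from console/describe-stacks
  AdminCidrIp:   {Type: String, AllowedPattern: '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$'}  # e.g. your office /24
Mappings:
  RegionMap:                                   # region -> OpenVPN AS AMI; placeholders, look up current IDs
    us-east-1: {AMI: ami-PLACEHOLDER-USEAST1}
    us-west-1: {AMI: ami-PLACEHOLDER-USWEST1}
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: OpenVPN Access Server
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443,  ToPort: 443,  CidrIp: 0.0.0.0/0}         # client web login
        - {IpProtocol: udp, FromPort: 1194, ToPort: 1194, CidrIp: 0.0.0.0/0}         # VPN tunnel (AS default UDP 1194; the post's list says 1192)
        - {IpProtocol: tcp, FromPort: 943,  ToPort: 943,  CidrIp: !Ref AdminCidrIp}  # admin portal, admin network only
        - {IpProtocol: tcp, FromPort: 22,   ToPort: 22,   CidrIp: !Ref AdminCidrIp}  # SSH, admin network only
  IPAddress:
    Type: AWS::EC2::EIP
    Properties: {Domain: vpc}
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI]
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [!Ref SecurityGroup]
      UserData:                                # assumed first-boot keys of the OpenVPN AS AMI
        Fn::Base64: !Sub |
          public_hostname=${IPAddress}
          admin_user=${AdminUser}
          admin_pw=${AdminPassword}
          reroute_gw=1
  IPAssoc:
    Type: AWS::EC2::EIPAssociation
    Properties: {InstanceId: !Ref Instance, AllocationId: !GetAtt IPAddress.AllocationId}
Outputs:
  AdminPortal: {Value: !Sub 'https://${IPAddress}:943/admin'}
  ServerUrl:   {Value: !Sub 'https://${IPAddress}/'}
  GroupName:   {Value: !Ref SecurityGroup}
```

Because admin_pw still lands in the instance user-data in clear text, rotate the admin password from the Admin portal once the stack reaches CREATE_COMPLETE.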

9 Responses to Setting up OpenVPN Access Server with CloudFormation

  1. sonoman74 says:

    Great article. However, when stack creation is finished, I have to ssh to vpn server and run the configuration script. I thought that after script execution, admin web UI would be ready and accessible, and that was not the case.

  2. Shing Chen says:

    You do not need to ssh to vpn server and run the configuration script. The admin web UI should be ready once you execute the cloudformation script. The cloudformation script leverages UserData to set the host name and admin credentials for the openvpn.

    • sonoman74 says:

      Nope. HTTP server is not starting. I have to login and run the configuration script, and then it starts.
      Probably it is related to me having updated the AMI IDs mapping to the new version of OpenVPN AMI.

  3. Shing Chen says:

    Weird. Which region did you run the Cloudformation script? Let me see if I can address it.

    • sonoman74 says:

      North California (west-1). Some more information: After the vpn server instance is initialized I cannot reach any of the ports used by openvpn. And if I access through ssh, after logging in, the configuration wizard auto-starts. Then, if I complete it, the services start up and everything works fine. But if I cancel that wizard and try wget on port 443 or 943, I get conn refused.

      And when I check User Data for that instance, I see this:


      • Alex says:

        Also running into this issue. When I configure the instance User Data using the web console it seems to work. However, when I pass the User Data to the instance using CloudFormation I still need to SSH in to complete the initial configuration even though it appears the User Data is present. Were you able to figure this out?

      • Shing Chen says:

        The Cloudformation template was due for update. I cleaned up the template and updated to reflect the latest OpenVPN AMIs. I created an OpenVPN in us-west-1 with the updated template. It took the user data. Here is the link to the latest template – Hope it helps.

  4. Graeson says:

    Thanks for the walk through … For others following along, as of May 28, 2015 these are the most recent OpenVPN Access Servers for the US: “us-east-1”: { “AMI”: “ami-0e868466” }, “us-west-1”: { “AMI”: “ami-cfa64a8b” }, “us-west-2”: { “AMI”: “ami-01291e31” }.
