So if you are looking for a simple poor mans solution, a custom client to server VPN solution like OpenVPN can help. <\/p><\/div>\n<\/div>\n
OpenVPN Server Types<\/h2>\n
There are two types of OpenVPN implemention.<\/p>\n
- \n
- OpenVPN Community Edition (CE):<\/strong> This is the free, open-source version of OpenVPN. It requires manual setup and configuration using command-line tools. Also, it does not have a UI for configuration. However, there is a open source project<\/a> that provides UI for community edition.<\/li>\n
- Self-hosted Access Server(AS): <\/strong>This is a commercial product from OpenVPN, that is built upon the open source version.\n
- \n
- It offers only two free users and you can use it free forever. For more users, you can checkout the pricing here.<\/a><\/li>\n
- It provides user-friendly web-based GUI for easier management and configuration.<\/li>\n
- It also supports multiple authentication methods such as LDAP, SAML etc.<\/li>\n<\/ol>\n<\/li>\n
- OpenVPN CloudConnexa: This is the cloud offering of the OpenVPN.\n
- \n
- It provides a user friendly approach for the configuration with the networks and applications.<\/li>\n
- It has integrated security features like contentent filtering and IDS\/IPS (Intrusion Detection Systetem and Intrusion Prevention System) to protect from the cyber attacks.<\/li>\n
- Highly scalable approach for growing projects, for more information, refer to this offical documentation.<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
In short, the Community Edition is ideal for someone looking for a free VPN setup that supports multiple users.<\/p>\n
Access Server is for organizations looking for an easier setup process and additional management features.<\/p>\n
\n\ud83d\udccc<\/div>\nImportant Note: <\/strong><\/b>This blog is based on the OpenVPN Community Edition setup.<\/div>\n<\/div>\nSetup Prerequisites<\/h2>\n
- \n
- Public subnets for the OpenVPN server <\/li>\n
- Private subnets with NAT attached – Only for testing the workloads via VPN (Optional)<\/li>\n
- OpenVPN client in the local machine to establish the authentication between the client and the VPN server<\/li>\n<\/ol>\n
Architecture & OpenVPN Workflow<\/h2>\n
The OpenVPN server will help to access the other AWS private resources securely.<\/p>\n
The OpenVPN server will create a secure HTTP tunnel over the Internet between the AWS network and our local machine so we can securely access the private AWS resources from the local machine.<\/p>\n
The below is the workflow of the OpenVPN server and the access to the private AWS resource.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/openvpn-ec2-server-access-1.png\")
<\/figure>\n- \n
- The OpenVPN server will generate the client certificate and key for the authentication.<\/li>\n
- Once the user gets the credentials and the OpenVPN client configuration file, that user can authenticate with the OpenVPN server with the help of the OpenVPN client application (Client app should be available on the local machine).<\/li>\n
- After authentication, a secure encrypted tunnel will be created between the client machine and the OpenVPN server.<\/li>\n
- During this process, the VPN server will assign a virtual IP to the user’s machine for the remote communication and traffic will reach the VPN server over the 1194 port.<\/li>\n
- The VPN server will route the traffic from the user to the AWS VPC<\/a> (Private subnets).<\/li>\n
- VPC will route the traffic to a particular destination based on the security group’s rules.<\/li>\n<\/ol>\n
How to Setup OpenVPN Server in EC2?<\/h2>\n
The steps below explain the OpenVPN server setup on an EC2 instance.<\/p>\n
Step 1: Create a Virtual Private Network<\/h3>\n
We need at least one private and a public subnet in the VPC to demonstrate this setup.<\/p>\n
The public subnet<\/strong> should be attached to the Internet Gateway<\/strong> for the inbound and outbound communication ( This is for the VPN Server).<\/p>\n
The private subnet<\/strong> has to be attached to the NAT Gateway<\/strong> to get the outbound internet access ( This is not mandatory, only for the testing purposes).<\/p>\n
I already have a VPC setup. If you want to see the creation of the VPC, you can refer to this blog<\/a>.<\/p>\n
![\"The](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-79-4.png\")
<\/figure>\nStep 2: Create an EC2 instance for the OpenVPN<\/h3>\n
To create an OpenVPN server<\/strong>, we need to use the public subnet<\/strong>, because it needs inbound and outbound internet access.<\/p>\n
I am choosing an Amazon Linux 2 AMI, t2-micro<\/strong> instance for this.<\/p>\n
Note: Currently we are using the Amazon Linux 2, so the installation steps might differ in other distros.<\/p><\/blockquote>\n
Navigate to the EC2 console and click
Launch instances<\/code> button.<\/p>\n![\"ec2](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-80-6.png\")
<\/figure>\nGive a name for the instance and select Amazon Linux as well as the AMI.<\/p>\n
![\"giving](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-81-4.png\")
<\/figure>\nSelect an instance type. I am choosing t2.micro, but you can choose any. If you already have a key pair, select it or create a new one.<\/p>\n
![\"choosing](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-82-5.png\")
<\/figure>\nSelect the VPC you have created, select the public subnet, enable public IP to access the server, and select the default security group, or you can create a new one for the OpenVPN server.<\/p>\n
![\"network](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-83-3.png\")
<\/figure>\nFor now, I am using the default configuration for the rest of the settings, but you can modify it if you want.<\/p>\n
![\"lauching](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-84-4.png\")
<\/figure>\nStep 3: Update Security Group Rules<\/h3>\n
We have attached the default security group to this server, but need to know what protocols need to be enabled for the incoming traffic.<\/p>\n
Navigate to the attached security group.<\/p>\n
![\"selecting](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-88-4.png\")
<\/figure>\nClicking the security group will open a new page, there you need to click the
Edit inbound rules<\/code> button to add or remove rules.<\/p>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-89-3.png\")
<\/figure>\nI will add a rule for SSH<\/strong>, then we can access this EC2 instance, and add a custom UDP port for the OpenVPN, which is
1194<\/code>.<\/p>\nI am adding one more port, which is 9090, to demonstrate a private AWS resource access, so that is optional.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-91-4.png\")
<\/figure>\nOnce the security group rules are properly added, we can access the instance.<\/p>\n
Step 4: Access the OpenVPN EC2 Instance<\/h3>\n
The instance will take a few minutes to prepare. Once the health checks are completed and the state is running, we can log in to the shell.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-85-4.png\")
<\/figure>\nIf you click the instance ID<\/strong>, you can see the option to connect and note down the server’s public IP for the upcoming configuration.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-86-5.png\")
<\/figure>\nYou can use the
EC2 Instance Connect<\/code> method to connect the server, or can use the SSH method with the key from the local machine.<\/p>\n![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-87-4.png\")
<\/figure>\nTo access from the local machine, use the following command.<\/p>\n
ssh -i <KEY> ec2-user@<PUBLIC_IP><\/code><\/pre>\nSetting up OpenVPN in Amazon Linux EC2 Instance<\/h2>\n
Follow the below steps to install the OpenVPN server on an EC2 instance.<\/p>\n
Step 1: Install OpenVPN and EasyRSA<\/h3>\n
Enable the EPEL repository for the additional software packages.<\/p>\n
sudo amazon-linux-extras enable epel<\/code><\/pre>\nInstall EPEL release package, OpenVPN and Easy-RSA<\/p>\n
sudo yum install -y epel-release\nsudo yum install -y openvpn easy-rsa<\/code><\/pre>\nStep 2: Configure OpenVPN<\/h3>\n
Initialize the Easy-RSA and generate certificates<\/p>\n
Easy-RSA is a tool for creating certificates for various use cases. It provides a framework with necessary components for generating certificates.<\/p>\n
cd \/etc\/openvpn\nsudo mkdir easy-rsa\ncd easy-rsa<\/code><\/pre>\nDownload the Easy-RSA package from the GitHub and extract it<\/p>\n
sudo wget -O easy-rsa.tar.gz https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.2.2\/EasyRSA-3.2.2.tgz\nsudo tar -xvf easy-rsa.tar.gz\ncd EasyRSA-3.2.2<\/code><\/pre>\nInitialize the Public Key Infrastructure (PKI)<\/p>\n
sudo .\/easyrsa init-pki<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-92-4.png\")
<\/figure>\nCreate a Certificate Authority (CA)<\/p>\n
The Certificate Authority is a trusted entity that is capable of issuing and managing certificates.<\/p>\n
sudo .\/easyrsa build-ca<\/code><\/pre>\nYou will be prompted to give the passphrase<\/strong>, which is actually a password, and also will be asked to provide a common name; you can give any name.<\/p>\n
![\"setting](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-93-4.png\")
<\/figure>\nCreate a request for a server key<\/p>\n
sudo .\/easyrsa gen-req server nopass<\/code><\/pre>\nWill prompt to provide a common name, you can just press
enter<\/code> or provide a hostname likedev.techiescamp.com<\/code><\/p>\n![\"requesting](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-94-3.png\")
<\/figure>\nTo sign the server certificate request, use the following command.<\/p>\n
sudo .\/easyrsa sign-req server server<\/code><\/pre>\nWill prompt for
yes<\/code> and needs to provide the CA passphrase<\/p>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-95-3.png\")
<\/figure>\nThe output will give the validity and other related information.<\/p>\n
Generate the Diffie-Hellman (DH) key exchange file<\/p>\n
The Diffie-Hellman protocol secures communication protocols such as SSL\/TLS<\/a>, SSH, and IPsec.<\/p>\n
sudo .\/easyrsa gen-dh<\/code><\/pre>\n![\"diffie](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-96-5.png\")
<\/figure>\nStep 3: Configure OpenVPN Server<\/h3>\n
Create a configuration file for the OpenVPN server<\/p>\n
sudo vim \/etc\/openvpn\/server.conf<\/code><\/pre>\nAdd the following configurations<\/p>\n
port 1194\nproto udp\ndev tun\nca \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/ca.crt\ncert \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/issued\/server.crt\nkey \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/private\/server.key\ndh \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/dh.pem\nserver 10.8.0.0 255.255.255.0\nkeepalive 10 120\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn-status.log\nverb 3\npush \"route 10.0.4.0 255.255.255.0\" <\/code><\/pre>\nPort
1194<\/code>, is the default listening port of the OpenVPN and UDP is the protocol, which is faster than the TCP protocol.<\/p>\ndev tun<\/code> –> Indicating that the OpenVPN to use tunnel device, (Layer 3 IP based tunneling)<\/p>\nca \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/ca.crt<\/code> –> Certificate Authority certificate<\/p>\ncert \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/issued\/server.crt<\/code> –> Server’s SSL certificate<\/p>\nkey \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/private\/server.key<\/code> –> The private key of the server certificate<\/p>\ndh \/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/dh.pem<\/code> –> Diffie-Hellman exchange key<\/p>\nserver 10.8.0.0 255.255.255.0<\/code> –> Virtual IP for the VPN clients<\/p>\nkeepalive 10 120<\/code> –> Sends ping request for each 10 seconds to ensure that connection is active and if there is no response in 120 seconds, it will restart the server.<\/p>\npersist-key<\/code> –> This will avoid reloading the private key each time the OpenVPN server restarts.<\/p>\npersist-tun<\/code> –> Keep the tunnel persistently.<\/p>\nstatus \/var\/log\/openvpn-status.log<\/code> –> Stores the OpenVPN logs in the specific path.<\/p>\nverb 3<\/code> –> The verbosity level for the logs.<\/p>\npush \"route 10.0.4.0 255.255.255.0\"<\/code> –> Route to connect the VPN clients and10.0.4.0<\/code> is the private network the clients can securely access.<\/p>\nEnable and start the OpenVPN service<\/p>\n
sudo systemctl enable openvpn@server\nsudo systemctl start openvpn@server<\/code><\/pre>\nTo check the OpenVPN service status.<\/p>\n
sudo systemctl status openvpn@server<\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-18-5.png\")
<\/figure>\nStep 4: Enable Split Tunnel (NAT) for Internet Access<\/h3>\n
Now, if you establish the VPN connection from the local machine, you can only access the particular AWS private network.<\/p>\n
This is quite secure because all the traffic will go through the secured VPN tunnel, which is called the full-tunnel method.<\/p>\n
But the problem is that we can’t access anything besides the AWS private network, even Google.<\/p>\n
So, we need only the secure connection for the AWS network, but we also need to use the other networks. This method is called split tunnel.<\/p>\n
For that we need to enable NAT.<\/p>\n
To allow the clients to access the internet,<\/p>\n
sudo sysctl -w net.ipv4.ip_forward=1\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<\/code><\/pre>\nTo make the configuration persistent<\/p>\n
echo \"net.ipv4.ip_forward = 1\" | sudo tee -a \/etc\/sysctl.conf\nsudo iptables-save | sudo tee \/etc\/iptables\/rules.v4<\/code><\/pre>\nRestart the OpenVPN service.<\/p>\n
sudo systemctl restart openvpn@server<\/code><\/pre>\nThe OpenVPN Server setup is completed.<\/p>\n
Generate a client key<\/h2>\n
Next step is to create the client key for a user. This is required to authenticate from the VPN client with the sever for a specific user.<\/p>\n
Navigate to the
EasyRSA-3.2.2<\/code> directory.<\/p>\n\/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2<\/code><\/pre>\nGenerate a client key without password.<\/p>\n
sudo .\/easyrsa gen-req client nopass<\/code><\/pre>\nThis will prompt you to give a client name. It will create the
client.req<\/code> andclient.key<\/code> files.<\/p>\n![\"output](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-24-6.png\")
<\/figure>\nSign the client certificate request using the OpenVPN CA.<\/p>\n
sudo .\/easyrsa sign-req client client<\/code><\/pre>\nThis will prompt you to type
yes<\/code>. Also you need to provide a passphrase. It will create the client certificates.<\/p>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-25-5.png\")
<\/figure>\nMove Certificates to Local Workstation<\/h2>\n
Now that we have the certificates generated, we need to copy it to our local workstation for validation.<\/p>\n
You can find the certs and key<\/strong> in the following locations.<\/p>\n
- \n
\/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/ca.crt<\/code><\/li>\n\/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/issued\/client.crt<\/code><\/li>\n\/etc\/openvpn\/easy-rsa\/EasyRSA-3.2.2\/pki\/private\/client.key<\/code><\/li>\n<\/ol>\nUse
cat<\/code> command to manually copy and paste. <\/p>\nOr you use
scp<\/code> to directly copy from the OpenVPN server to the local machine<\/strong> via SSH.<\/p>\nOnce you have the files copied, move on to the next step.<\/p>\n
Generate a VPN Client Configuration File<\/h2>\n
Once the above files are present in the local machine, we need to create a OpenVPN Client configuration file.<\/p>\n
Make sure all files are in the same directory.<\/p>\n
vim client.ovpn<\/code><\/pre>\nAdd the following configurations in the file.<\/p>\n
client\ndev tun\nproto udp\nremote 34.209.222.65 1194\nresolv-retry infinite\nnobind\npersist-key\npersist-tun\nca ca.crt\ncert client.crt\nkey client.key\nroute 10.0.4.0 255.255.255.0<\/code><\/pre>\nHere
34.209.222.65<\/code><\/strong> is the OpenVPN Server’s public IP so replace it with yours. <\/p>\nAdd
redirect-gateway def1<\/code> to route all traffic through the VPN, this might affect the regular internet access. <\/p>\nNow you should have the following files in your local workstation.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-97-5.png\")
<\/figure>\nInstall & Configure OpenVPN Client<\/h2>\n
Now that we have the necessary certs and config files for client authentication, we can configure the OpenVPN client application.<\/p>\n
First, need to install the OpenVPN client.<\/p>\n
You can follow this official downloads page<\/a> to download the client based on your platform.<\/p>\n
After the installation, if you open the client, you can see a
+<\/code> button to add a configuration.<\/p>\n![\"OpenVPN](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-27-5.png\")
<\/figure>\nOn the next step, you need to upload the
.ovpn<\/code> file that we have configured earlier.<\/p>\n![\"openvpn](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-28-5.png\")
<\/figure>\nOnce you uploaded the OpenVPN Configuration file, you can see a
connect<\/code> button to establish the connection<\/p>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-29-5.png\")
<\/figure>\nOnce the connection is successfully established, we can see the green mark on the radio button.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-30-4.png\")
<\/figure>\n<\/p>\nVPN Validation Using Private ec2 Instance<\/h2>\n
Now, we need to check whether we can access the private AWS resources.<\/p>\n
For that, I am creating an EC2 instance within private subnet and deploying a Prometheus application inside it.<\/p>\n
I am choosing Amazon Linux as AMI.<\/p>\n
![\"creating](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-19-5.png\")
<\/figure>\nSelect the keypair and choose the VPC and private Subnet.<\/p>\n
![\"selecting](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-20-7.png\")
<\/figure>\nWait until the state and status are ready and note down the private IP of the server.<\/p>\n
![\"checking](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-21-4.png\")
<\/figure>\nNow, I am getting in the private server through SSH from the VPN Server, because the VPN server is public and on the same network as the private server.<\/p>\n
We can also SSH to the private server from the local machine as well because the VPN connection is established between local workstation and the VPC network.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-22-7.png\")
<\/figure>\nCopy the keypair to the VPN server and change the permission.<\/p>\n
sudo chmod 400 techiescamp.pem<\/code><\/pre>\nTo SSH to the private server, use the following command.<\/p>\n
sudo ssh -i techiescamp.pem ec2-user@<PRIVATE_SERVER_IP><\/code><\/pre>\n![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-23-5.png\")
<\/figure>\n\n\ud83d\udca1<\/div>\nImportant Note:<\/strong><\/b> If we enable AWS SSM<\/a>, we can connect to the server without using SSH, otherwise, we can access the shell only from another public server of the same network with the key pair.<\/div>\n<\/div>\nDeploy Application in Private ec2 Instance<\/h2>\n
We are installing Prometheus on a private server to demonstrate access from a local machine but you can try with any application even a simpe nginx server also enough for the testing. <\/p>\n
You can follow this blog<\/a> for the Prometheus installation.<\/p>\n
Now, we can try to access the Prometheus dashboard from our local machine with its private IP securely.<\/p>\n
![\"the](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-31-4.png\")
<\/figure>\nConclusion<\/h2>\n
This blog mainly covers setting up the OpenVPN server on the EC2 instance and accessing private AWS resources.<\/p>\n
There is a managed service available in AWS, AWS Client VPN Endpoint. We don’t need a server to deploy for the OpenVPN, and it will automatically scale based on the user connection.<\/p>\n
If you want to see the AWS Client VPN Endpoint setup, refer to this blog<\/a>.<\/p>\n
The next blog will cover access to the AWS EKS private cluster resources.<\/p>\n
\n
- VPC will route the traffic to a particular destination based on the security group’s rules.<\/li>\n<\/ol>\n
- Self-hosted Access Server(AS): <\/strong>This is a commercial product from OpenVPN, that is built upon the open source version.\n