In this article we will see how we can access our resources within AWS without assigning them an Elastic IP address (public IP address).

Adding an Elastic IP address means that the EC2 instances will be exposed to the Internet which might be a security policy violation.

VMware Training – Resources (Intense)

One way to accomplish the VPC extension to your on-premises data center, is to use OpenVPN software. The OpenVPN software is actually composed from two pieces of software: the server that sits on AWS VPC and can be reachable via Internet and the client that is installed on the on-premises host. The user launch the client that connects to the server and a VPN tunnel is created between the two where the data can be securely exchanged.

So, this will be our topology. The goal is that the client can access the host from the private subnet:

So let’s start checking the basic things regarding the VPC that I created.

This is the VPC that has the as allocated CIDR:

There are two subnets, one public ( and one private (


There are two route tables and each of the two subnets is associated with one route table:

The route table to which the public subnet is associated has a default gateway through the internet gateway created (but not shown):

And this is the route table to which the private subnet is associated:

There is also an Elastic IP address allocated, but not associated yet. We will associate the Elastic IP address later once the EC2 instance launched, as OpenVPN server will be available:

I have an instance launched in the private subnet:

Let’s see a few details about the EC2 instance, like the IP address:

So now, it’s time to launch the EC2 instance that will have the OpenVPN software. You can both launch a regular EC2 instance and then install the software on it or you can use AWS Marketplace to launch the EC2 based on an AMI that has everything installed. For simplicity, we will choose the AWS Marketplace option.

So, from the EC2 Console, launch a new EC2 instance and on the first step, choose AWS Marketplace and then search for “openvpn”. Multiple results will be returned and you should expand the information for the first result:

You will get some information about the software and you can continue the process:

Then we can choose if we want to follow up on the regular EC2 instance launch process or use the 1-click launch process. We will go with the second option:

We need to select the region and the EC2 instance type. Apparently, a t2.micro instance is not working so you need at least a t2.small EC2 instance:

Select the VPC where the EC2 instance will be launched. As this will be in the public subnet, make sure the correct subnet is selected:

The last thing that you can set up is the security-group. There are specific ports that need to be opened on this EC2 instance when OpenVPN software is running. The ports are used for configuration and administration. You can modify later the security group by adding rules that allow other traffic as well:

You can see how you can connect to the EC2 instance, by choosing “Usage Instructions”. In this case, the username is “openvpnas”:

A few minutes later, you can see the EC2 instance up and running. Meanwhile, I associated the Elastic IP address with this instance so I can connect to it and configure it:

Once you connect to the OpenVPN server, the configuration wizard will start automatically:

lab@UBUNTU:~/AWS$ ssh -i AMAZON_LINUX.pem openvpnas@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 76:b9:f0:f5:bc:30:65:55:ce:51:df:f4:4b:1e:0b:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Welcome to OpenVPN Access Server Appliance 2.0.17

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

user-data not available: HTTP Error 404: Not Found: util/ec2:12,util/ec2:7,python2.7/urllib2:127,python2.7/urllib2:410,python2.7/urllib2:523,python2.7/urllib2:448,python2.7/urllib2:382,python2.7/urllib2:531 (urllib2.HTTPError)

          OpenVPN Access Server
          Initial Configuration Tool
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)

Please enter 'yes' to indicate your agreement [no]: yes

Then you will need to provide/accept some information:

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces:
(2) eth0:
Please enter the option number from the list above (1-2).
> Press Enter for default [2]:

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:

Should client traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Use local authentication via internal DB?
> Press ENTER for default [yes]:

Private subnets detected: ['']

Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]:

Once you configure everything, you will be provided with the links needed to access the OpenVPN server for configuration or to download the software to connect to your VPC:

Admin  UI:
Client UI:

After that, you will need to change the password for “openvpn” user:

openvpnas@openvpnas2:~$ sudo passwd openvpn
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Now, it’s time to connect to the OpenVPN server and download the OpenVPN client utility:

Use “openvpn” as user and the previously created password to download the client. The client will be provided based on your OS type:

Once you download the client and install it locally, you should see a new icon on the toolbar from where you can connect to the OpenVPN server:

Provide the username/password to connect:

And now let’s test if you can access from your local computer the resources from the AWS VPC:

[mbp:~/Downloads] AWS% ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=63 time=158.291 ms
--- ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 158.291/158.291/158.291/0.000 ms
[mbp:~/Downloads] AWS% ssh -i AMAZON_LINUX.pem ubuntu@
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-48-generic x86_64)

So now you have access to your AWS resources by extending the VPC to your local computer.

Once you disconnect, you will not have access anymore.

And we reached our goal to connect to our AWS resources, as if they were local in our data center.


  1. What is Amazon VPC?