Installing OpenVPN server in AWS EC2 with User data

OpenVPN Server is one of the common and popular VPN server available in the market, I will share the installation of the OpenVPN with EC2 using the user-data to automate the installation during the boot up of the server. You may refer to the official AWS user guide about what’s User Data at With the help of installation script, you can setup the whole server in few seconds.

First, just login to your AWS EC2 console and click on launch a new instance, than you will be redirect to the Choose an AMI page, I just select the Ubuntu Server 20.04 as my OS.

Since I just use for demo purpose, so I just select the default t2.micro free tier instance, you may select the suitable instance type for your own use case.

On the configuration instance details page, I just use the default setting for all, again, you may select whichever VPC, subnet and necessary configuration for your own use case

On the same page, just scroll to the bottom most of the page, than you will see the Advanced Details, here is where you can enter your User Data for the instance. User data is the script which will be automatically run by the instance for the first time when the EC2 is spin up, and this is the only time that this user data script will be run.

You can copy the following code to the User data text area. The script below actually will download the automated installation shell script from the Github, than add the execution permission to the script, then execute the shell script by supplying the answer to the question that may pop up during the installation step.

#! /bin/bash
apt-get update
curl -O

chmod +x


Just in case you may want to create more than 1 OpenVPN user during the setup, you may just append the following script into your user data. You may create as much as you want just by duplicate the following line of code and changing the client name.

 MENU_OPTION="1" CLIENT="Candy" PASS="1" ./

You may also customise the answer supply with the following

  • DNS=1
  • CLIENT=clientname
  • PASS=1

If the server is behind NAT, you can specify its endpoint with the ENDPOINT variable. If the endpoint is the public IP address which it is behind, you can use ENDPOINT=$(curl -4 (the script will default to this). The endpoint can be an IPv4 or a domain.

Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.

Just click on next to proceed to setup for storage and tags for your instance, again, just depend on your own use case, than you may customise the size of storage and tag.

On the configuration security group page, you may need to create the security group which allow the port 22 SSH access from your own IP or your organization IP range. Then you need to add another port which is UDP 1194 from where you want to allow the user to connect to your VPN server, normally should be allow all IP

For my demo purpose, I just allow access from all around the world to access my SSH and also OpenVPN.

Once you done configure the security group, just click next to preview the configuration and also select your SSH key pair, you can just create a new key pair in this page if you don’t created it before.

Once the EC2 is up and running, than you can get the public IP from the EC2 console page and SSH into to server to get the .ovpn file (OpenVPN configuration file) and use this file to connect to your VPN server.

Once you log into the server, you may need to switch to root user because the user data is always executed as root permission, the *.ovpn file will be located in the home directory of the root user. If you create more than 1 user in your user data script, than you should see number of .ovpn file in this directory.

$ ssh -i yourkey.pem [email protected]
$ sudo su -
$ cd ~
$ ls 
david.ovpn  snap

Next, we may need to copy this file to your local machine or pass this file to the client who wish to connect to the OpenVPN server, you may either just cat the file and copy paste the content of the file in your machine or just using scp command to copy the file over the internet.

To connect to the VPN server, you need to install the VPN client in your machine, for MacOS, you may download and install the Tunnelblick at For the window user, you may just download the OpenVPN client at

Once the installation done, just go to the downloaded .ovpn file and double click it, than all the configuration will be imported to the Tunnelblick apps, than you are ready to connect, just click on the connect button at the right bottom to connect to the OpenVPN server.

In MacOS, when you hover over the Tunnelblick apps on the top bar, you should see this small box show up that you are connected to the VPN and your inbound/outbound speed and bandwidth. With that, it’s showing that you are connect to the OpenVPN server in the remote side.

To double check is that correct, we can just check out outgoing public IP by going to the site

Yes, it’s confirm that my outgoing IP now is change to the AWS IP, and my location being detected in Singapore – SG, this is where my OpenVPN server located.

Few of the thing you should take note that your OpenVPN server should have the elastic IP/Fix IP in order for your client to connect it to and also just in case you need to use the OpenVPN to connect to your secure remote site where only accessible by the knowed IPs.

Thanks to the Angristan who share the solution in his github page, you may refer to the original github page at the link.

Some of the VPN client that you may use for difference OS:

Leave a Reply, pub-3772983857049267, DIRECT, f08c47fec0942fa0
%d bloggers like this: