Access server - public or private subnet?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
jerryv
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 01, 2022 7:42 pm

Access server - public or private subnet?

Post by jerryv » Wed Jun 01, 2022 7:57 pm

Is there a recommended best practice on whether an Access Server instance should be deployed to a public subnet vs a private subnet (with elastic IP?) in AWS? Is one preferred, more secure, over the other?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Access server - public or private subnet?

Post by openvpn_inc » Thu Jun 02, 2022 11:26 am

Hello jerryv,

As far as I know, all AWS EC2 instances are deployed with a private IP. A public IP is simply attached via 1:1 NAT. Regardless, we see Access Server deployed on public IPs as well, and this is fine. However, the good thing about having it on a private IP is the ability to use a firewall to block off any unused ports from the outside world. In the AWS world this is called security groups. By default, Access Server launches with a security group that allows only the required ports, and this is the safer approach.

An elastic IP is recommended, as you can at any time detach and reattach this same public IP to any of your instances. This allows you, for example, to swap out the EC2 instance if it has an issue while keeping the same public IP to the outside world. It's a minor convenience but could be relevant if you don't have a DNS record set up for the VPN connection. If, for example, the public IP of your server changes, you'd have to either update the DNS record or update all the clients to use the new IP. There's a significant difference in the amount of work involved if you have a lot of clients installed and such an IP change were to occur.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
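
One way to check the security-group point from the reply above, as an added example that is not part of the original posts and not OpenVPN's own code: it audits ingress rules in the `IpPermissions` shape returned by EC2 `describe-security-groups` and flags anything open to the whole internet beyond an allow-list. The port list (TCP 443, TCP 943, UDP 1194) is an assumption based on Access Server's commonly documented defaults, since the thread does not list the ports; the function names and sample rules are constructed for illustration.

```python
import ipaddress

# Assumption: Access Server's commonly documented default ports. The thread
# does not list them, so adjust this set to match your deployment.
REQUIRED = {("tcp", 443), ("tcp", 943), ("udp", 1194)}

def world_open(perm):
    """Return the CIDRs in one rule that cover the entire internet (/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def audit_ingress(ip_permissions, required=REQUIRED):
    """Flag internet-facing rules that expose more than the required ports.

    Returns a list of (protocol, from_port, to_port, open_cidrs) tuples.
    """
    findings = []
    for perm in ip_permissions:
        open_cidrs = world_open(perm)
        if not open_cidrs:
            continue  # limited to specific source ranges; not world-facing
        proto = perm["IpProtocol"]
        # Protocol "-1" (all traffic) carries no port keys: treat as all ports.
        lo = perm.get("FromPort", 0)
        hi = perm.get("ToPort", 65535)
        if any((proto, port) not in required for port in range(lo, hi + 1)):
            findings.append((proto, lo, hi, open_cidrs))
    return findings

# Constructed sample rules, not taken from any real security group.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,      # admin range only
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,  # stray database port
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,    # everything over IPv6
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    for proto, lo, hi, cidrs in audit_ingress(SAMPLE_RULES):
        print(f"open to {cidrs}: {proto} {lo}-{hi}")
```
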

jerryv
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 01, 2022 7:42 pm

Re: Access server - public or private subnet?

Post by jerryv » Fri Jun 03, 2022 2:23 pm

Johan - thanks for the detailed reply, and elastic IP recommendation!
