Skip to content
Vignesh Rao edited this page Sep 28, 2023 · 17 revisions

VPN Server

vpn-server is a light weight package, that provides a fully automated, and highly scalable solution to create your own on-demand VPN server. This package is portable, and platform independent offering the ability to scale up and scale down instances on the go.

Why vpn-server?

  • You need a VPN but don't want to pay for it?
  • OpenVPN is the solution, but configuring it manually can be a lengthy process.
  • Once configured, keeping the instance up all the time costs $$.
  • Scaling up/down a VPN server on demand can make that lengthy process an absolute nightmare.
  • This module allows you to create your own on demand VPN server with a single call. ETA: ~2 minutes.
  • Done using your own VPN server? Simply delete all the AWS resources with a single call. ETA: ~10 seconds.
  • The solution is fully automated and runs with OpenVPN using AWS EC2.

How it works

  • Create an AWS EC2 instance using a pre-built OpenVPN AMI.
  • Create a security group with the necessary ports allowed.
  • Configure the vpn server using SSH.
  • Download the OpenVPN client and connect using the public DNS of the ec2 instance.
  • All set! Now the internet traffic will be routed through the VPN. Verify it using an IP Lookup

To take it a step further, if you have a registered domain in AWS, vpn-server can be accessed with an alias record in route53 pointing to the public IP of the ec2 instance.

  • All the above steps are performed automatically when creating a new VPN server.
  • This module can also be used to clean up all the AWS resources spun up for creating a vpn server.

ENV Variables

Environment variables can be loaded from any env file.


  • VPN_USERNAME - Username to access OpenVPN Connect client.
  • VPN_PASSWORD - Password to access OpenVPN Connect client.


  • VPN_PORT - Port number for web interfaces. Defaults to 943
  • IMAGE_ID - AMI ID to be used. Defaults to a pre-built AMI from SSM parameter for OpenVPN Access Server AMI Alias
  • INSTANCE_TYPE - Instance type to use for the VPN server. Defaults to t2.micro (minimum memory requirement is 1 GiB)
  • KEY_PAIR - Name of the key pair file to connect to ec2. Defaults to OpenVPN
  • SECURITY_GROUP - Name of the security group. Defaults to OpenVPN Access Server
  • VPN_INFO - Name of the JSON file to dump the server information. Defaults to vpn_info.json
  • HOSTED_ZONE - Domain name for the hosted zone.
  • SUBDOMAIN - Alias record name using which the VPN server has to be accessed.
  • AWS_PROFILE_NAME - AWS profile name. Uses [default] profile.
  • AWS_ACCESS_KEY - AWS Access Key. Defaults to ~/.aws/credentials
  • AWS_SECRET_KEY - AWS Secret Key. Defaults to ~/.aws/credentials
  • AWS_REGION_NAME - AWS Region Name. Defaults to us-east-2


By default, vpn-server loads all the environment variables from a .env file and validates using pydantic

Use case 1

To use a custom .env file, specify it before instantiating the object.

import os

import vpn

os.environ['env_file'] = 'custom.env'

vpn_server = vpn.VPNServer()

Use case 2

To override your .env file or to get away from environment variables simply use kwargs during instantiation.

import vpn

kwargs = dict(
    security_group="Open VPN Sept 26 2023",

vpn_server = vpn.VPNServer(**kwargs)

From the example above, an output file named vpn_info_sept2623.json will be stored in the current working directory. This can be used to delete the VPN server, that deletes all the AWS resources acquired during creation.


In the example provided above,

  • will be server hostname
  • an instance_type of at least t2.micro is required
  • any string values can be used for the args key_pair, security_group, and vpn_info
    • 💡 use a suffix str(int(time.time())) to avoid overwrites when spinning up multiple VPN servers
  • key_pair and vpn_info will be used as filenames, so use appropriate naming convention


To test an existing VPN server

import vpn

vpn_server = vpn.VPNServer()

Running a test will confirm three things

  1. GET connection to public IP address, public DNS name and the alias record (if hosted_zone and subdomain are provided)
  2. SSH connectivity on port 22 to the public DNS
  3. Service availability on VPN server


  • vpn-server uses built-in waiter to await instance warmup and SSH connectivity
  • These waiters may potentially trigger a WaiterError (not caught during testing)
  • There are exception handlers in place to handle them, so retry if connectivity is lost

Further reading

Refer the runbook for implementation details.

Clone this wiki locally