OpenVPN on AWS - Secure Remote Access, Without the Per-Seat Invoice

Securing remote access to a private AWS environment usually comes down to two unpleasant options. Pay a commercial business VPN vendor a per-user fee that grows every time someone joins the team, while your connection metadata passes through their infrastructure. Or set up OpenVPN yourself - generating PKI certificates, writing firewall rules, and hoping the security group is locked down correctly - and hope nobody touches it again until it breaks.

Meetrix packages a validated OpenVPN deployment into a single AWS Marketplace AMI: server hardened, security group rules correct, and client certificate generation reduced to one command. Ready to get started? Launch the Meetrix OpenVPN AMI on AWS Marketplace.

What is OpenVPN?

OpenVPN is an open-source VPN protocol and software suite that builds an encrypted tunnel between a client device and a server, so traffic between them cannot be read or tampered with on the network in between. It is one of the most widely deployed VPN technologies in the world, used to give remote employees, contractors, and devices secure access to private networks, internal tools, and cloud VPCs that are not exposed to the public internet.

The OpenVPN Community Edition that ships in this AMI is free and open-source. There is no per-seat license, no client cap, and no vendor in the middle of your connection. Client apps are available for Windows, macOS, Linux, iOS, and Android through the official OpenVPN Connect application, so your team connects from whatever device they already use.

What Does a Team VPN Actually Cost?

Commercial business VPN platforms typically charge $7-10 per user per month. A 40-person remote team pays $3,360-$4,800 per year for VPN access alone, and that figure climbs every time the team grows. A self-hosted OpenVPN server on a single AWS t3a.small instance costs roughly $15-25 per month in total, regardless of whether 5 people connect or 50.

How Deployment Works

Meetrix reduces a fiddly manual setup to four steps:

  1. Launch from AWS Marketplace - Open the Meetrix OpenVPN listing, subscribe, and choose the CloudFormation deployment path. The AMI and all dependencies ship pre-installed - no package managers or manual configuration required.
  2. Configure the CloudFormation Stack - Set a stack name, pick your instance type (t3a.small is the recommended default), and select your SSH key pair. The vendor-recommended security group is generated automatically with only SSH (TCP/22) and OpenVPN (UDP/1194) open.
  3. Get Your Server IP - Once the stack reaches CREATE_COMPLETE, the Outputs tab gives you the server's public IP and a ready-to-use SSH command - no hunting through the EC2 console.
  4. Generate a Client Profile and Connect - SSH into the server and run the built-in add-client.sh script to generate a PKI certificate and a ready-to-use .ovpn file. Import it into OpenVPN Connect on any device and you are tunneling into your VPC.
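
To confirm after deployment that the security group still matches the two-port baseline from step 2, the following added example (not Meetrix's code) audits saved `aws ec2 describe-security-groups` JSON output. The sample document, the group ID and the CIDRs are constructed placeholders, and the extra check for SSH reachable from any address is an assumption of this example rather than something the page specifies.

```python
import json

# Inbound rules the page says the generated security group should contain.
EXPECTED = {("tcp", 22), ("udp", 1194)}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group ID and CIDRs are placeholders, not values from a real deployment.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]}
]}]}
""")


def audit_ingress(doc):
    """Return (group_id, kind, detail) findings for every inbound rule
    that departs from the expected SSH + OpenVPN baseline."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        gid = sg.get("GroupId", "?")
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            groups = [p.get("GroupId", "?") for p in perm.get("UserIdGroupPairs", [])]
            single = lo is not None and lo == hi  # a range wider than one port is a deviation
            if proto == "-1" or not single or (proto, lo) not in EXPECTED:
                span = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
                findings.append((gid, "unexpected-rule", f"{span} from {cidrs + groups}"))
            elif (proto, lo) == ("tcp", 22) and WORLD & set(cidrs):
                findings.append((gid, "ssh-open-to-world", "restrict tcp/22 to admin CIDRs"))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print(*finding, sep="  ")
```

UDP/1194 open to any address is treated as expected here, since remote clients connect from arbitrary networks; only SSH is checked for world-reachable sources.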

What Meetrix Brings to This Deployment

  • Validated AWS configuration - The image ships with the correct security group rules, a hardened Ubuntu base, and a tuned OpenVPN install. You are not debugging a raw EC2 setup or guessing which ports to open.
  • One-command client provisioning - The add-client.sh script handles PKI certificate generation and produces a working .ovpn profile in one step. Most manual OpenVPN setups involve juggling easy-rsa by hand - this skips that entirely.
  • No per-user licensing - This is the open-source OpenVPN Community Edition, tuned for AWS. There is no seat-based pricing layered on top, unlike commercial business VPN platforms or OpenVPN Access Server.
  • Your traffic stays in your account - The server runs entirely inside your own AWS VPC. No third-party VPN vendor relays, inspects, or logs your team's connections.
  • Commercial support from engineers who run VPN infrastructure daily - If you need help scaling client capacity or hardening the deployment further, you are talking to engineers who deploy secure access infrastructure for a living - not a generic helpdesk.

Who Is OpenVPN on AWS Right For?

This deployment suits teams that need reliable, low-cost remote access to AWS resources without routing traffic through a third-party vendor.

  • Remote and distributed teams - give every employee secure access to private VPC resources without a per-seat bill
  • DevOps and platform engineers - lock down SSH and RDP access to internal servers and databases behind a VPN instead of exposing them publicly
  • Startups replacing commercial VPN subscriptions - cut recurring per-user costs while keeping the same level of access control
  • Compliance-focused organisations - finance and healthcare teams that cannot route traffic through a third-party VPN vendor's infrastructure
  • IT consultancies and MSPs - spin up an isolated VPN per client engagement without adding to a shared, growing seat count
  • Multi-region teams - deploy a consistent, low-cost VPN per office or region instead of a single shared commercial plan
  • Educational institutions and research labs - provide secure remote access to internal systems without per-user licensing fees

OpenVPN on AWS by Meetrix vs Alternatives

| Feature | OpenVPN on AWS by Meetrix | Commercial Business VPN (NordLayer, Perimeter81) | AWS Client VPN | Self-Hosted OpenVPN (Manual) |
|---|---|---|---|---|
| Hosting | Your AWS account - fully self-hosted | Vendor's cloud infrastructure | AWS-managed service in your VPC | Your EC2 instance, configured by you |
| Data Control | Complete - traffic never leaves your account | Vendor relays and can log connections | Complete - native AWS service | Complete, if configured correctly |
| Deployment Time | Minutes via AWS Marketplace | Instant (SaaS signup) | Hours - certificate-based setup via ACM | 2-4 hours of manual setup |
| SSL & Auth | PKI certificates automated via one script | Managed by the vendor | Mutual TLS via AWS Certificate Manager | Manual - easy to misconfigure |
| Pricing Model | AWS compute costs only (~$15-25/month, no per-user fee) | Per-user subscription (~$7-10/user/month) | Per connection-hour plus per-GB billing | AWS compute costs only |
| GDPR / Data Residency | Choose your AWS region, data stays there | Vendor's data processing terms apply | Choose your AWS region | Your responsibility to configure |
| Support | Meetrix engineers, commercial SLA | Vendor support tiers | Standard AWS support plans | Community forums only |

How Teams Use This in Production

B2B SaaS | North America
92% cost reduction

Replacing a Per-Seat VPN Subscription for a 40-Person Remote Team

A fully remote SaaS company was paying a commercial business VPN vendor $8 per user per month for 40 employees - over $3,800 a year - just to reach their internal admin tools and a private RDS database. Their security lead also flagged that the vendor had visibility into every connection's metadata.

Deployed the OpenVPN AMI inside the company's existing VPC and generated all 40 client profiles using the built-in add-client.sh script. The security group was locked down so RDP and database access were only reachable through the VPN tunnel.

  • Annual VPN cost fell from $3,840 to under $300
  • 40 client profiles provisioned in a single afternoon
  • All connection metadata stays inside their AWS account

"We were paying nearly $4,000 a year for a VPN that gave a third party visibility into our team's connections. Meetrix set up OpenVPN in our own AWS account in an afternoon, and our IT lead can now manage client access directly."
- Head of IT, B2B SaaS Company, Canada

Telehealth | Europe
100% EU data residency

Compliant Remote Access for Clinicians at a Telehealth Provider

A telehealth startup needed clinicians to remotely access internal scheduling and patient-record systems hosted on AWS. Their legal team blocked every commercial VPN option under consideration, since routing traffic through a third-party vendor's infrastructure created an unacceptable data processing relationship under GDPR Article 28.

Deployed the OpenVPN AMI inside the client's eu-central-1 VPC, with the security group restricted to a single inbound UDP port. Each clinician received an individually generated client certificate, giving the compliance team a clear, per-user audit trail.

  • All remote access traffic stays inside the EU
  • GDPR Article 28 concerns fully resolved
  • Per-clinician audit trail via individual certificates

"No commercial VPN vendor was going to get our legal team's sign-off. Meetrix gave every clinician their own certificate on a server that never leaves our AWS account, which is exactly what our compliance review needed."
- CTO, Telehealth Provider, Germany

IT Consultancy | APAC
30 min to go live

Disposable, Per-Client VPN Servers for a Growing IT Consultancy

A small IT consultancy managing AWS infrastructure for multiple clients needed an isolated, secure access setup for every new engagement. A shared commercial VPN plan meant per-seat costs kept climbing as they onboarded more clients, and access for an old engagement never seemed to get cleanly revoked.

Standardised the consultancy's onboarding process on the Meetrix OpenVPN AMI, deploying a fresh CloudFormation stack inside each new client's own AWS account. Every engagement gets its own server and its own set of client certificates from day one.

  • New client VPN live in under 30 minutes
  • Zero recurring per-seat VPN costs across clients
  • Each client's access fully isolated in their own account

"Every new client used to mean another seat on our VPN bill. Now we spin up a clean OpenVPN server in their own AWS account in half an hour, and when the engagement ends, access ends with it."
- Founder, IT Consultancy, Singapore

Frequently Asked Questions

Is OpenVPN free to run on AWS?

OpenVPN Community Edition is free, open-source software. You pay only for the underlying AWS compute - typically $15-25 per month for a t3a.small instance. There is no per-user fee and no client limit imposed by the software itself. Meetrix's AWS Marketplace listing uses standard pay-as-you-go AWS billing with no extra software charges on top.

How is this different from AWS Client VPN?

AWS Client VPN is a fully managed service billed per active connection-hour plus data processed per GB, which scales up quickly once a team is connected for a full workday. The Meetrix OpenVPN AMI runs on a single EC2 instance with a flat monthly cost regardless of how many clients connect or how long they stay connected, and gives you direct access to the underlying server configuration.

How many clients can connect to one OpenVPN server?

A t3a.small instance comfortably handles several dozen concurrent remote-access connections for typical workloads like SSH, RDP, and internal web access. If you need more capacity, choose a larger instance type when launching the CloudFormation stack - the same AMI scales with your instance size.

Can I use this for site-to-site VPN instead of remote access?

The Meetrix AMI ships configured for client-to-site remote access, which covers the majority of use cases - securing access to a private VPC for a distributed team. OpenVPN itself supports site-to-site topologies, and Meetrix can help configure a custom setup as part of our support offering if your architecture needs it.

Get Your OpenVPN Server Running on AWS

Stop paying per-seat VPN fees. Deploy a self-hosted OpenVPN server on AWS in minutes - configured by a team that does this every day.
