Overview
Valdras Gate is a production-ready OpenVPN AMI that removes the usual hassle of setting up and running a VPN. You can launch a secure server in minutes, with built-in user management, automated email delivery of VPN profiles, and strong security out of the box. There are no per-user fees and no complicated setup. Just start the AMI and begin adding users with simple CLI commands.
The server is fully configured on first boot. It creates client certificates and VPN profiles automatically, then sends them to users through AWS SES. You can add or remove users with a single command, track certificate expiration, and control who can reach your private AWS resources.
Valdras Gate supports both split-tunnel and full-tunnel modes, handles unlimited users without extra charges, and manages certificates automatically. You only pay for the EC2 instance itself-no subscriptions, no per-user pricing, and no lock-in. It gives you secure remote access in minutes while removing the ongoing overhead of running a VPN service.
OpenVPN® is a registered trademark of OpenVPN, Inc. and neither 0x4447™ nor its product is affiliated with or endorsed by OpenVPN, Inc.
Highlights
- Production-ready OpenVPN server that's fully configured and operational on first boot. No complex setup, no certificate generation hassles, no firewall rules to configure. Launch the AMI, add users with simple CLI commands, and your team is connected securely within minutes.
- Built-in user lifecycle management automatically generates VPN profiles and delivers them directly to users via AWS SES. Add or remove users with single commands, track expiration dates, and maintain complete control over access to your private AWS resources.
- Pay only for your EC2 instance costs with no recurring per-user licensing fees or subscription charges. Manage unlimited VPN users without vendor lock-in. Support both split-tunnel and full-tunnel traffic modes based on your security requirements.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Dimension | Cost/hour |
|---|---|
t3.small Recommended | $0.1375 |
t3.micro | $0.1375 |
t3.large | $0.1375 |
t3a.xlarge | $0.1375 |
t3a.large | $0.1375 |
t3a.2xlarge | $0.1375 |
t3.medium | $0.1375 |
t3.2xlarge | $0.1375 |
t3a.medium | $0.1375 |
t3a.nano | $0.1375 |
Vendor refund policy
none
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Valdras Gate v1.1.0
Summary
Auto-renew release. v1.1.0 adds a daily systemd timer that watches user profiles for upcoming expiry and re-issues a fresh .ovpn to anyone you opted into the auto-renew flag, before their old profile dies. The renewed profile is emailed via the same SES path the gateway already uses, so users see a normal mail with the new .ovpn attached and switch over on their own time. Existing users carry forward unchanged -- the auto-renew flag defaults off; nothing renews until you opt a user in.
The release also ships three new operator commands. ov_user_audit is a single read-only lens over the user database -- active users, supersession history, expired profiles, revoked users, and the new "stuck" state the renewal job uses when it cannot roll a partial failure all the way back. ov_user_resend re-mails the currently active profile for a user (use it when SES bounced the original, when the user lost the mail, or when SMTP was misconfigured at issue time and got fixed later). ov_user_auto_renew flips the auto-renew flag on or off for an existing user without going through delete + re-add.
ov_user_delete now soft-deletes: the user row is kept and marked revoked, the certificate is revoked and added to the CRL exactly as before, and the OpenVPN service is restarted. Functionally identical from the customer's perspective (the revoked user is locked out immediately) -- the row retention gives ov_user_audit a complete history view.
How to upgrade
There is no in-place upgrade. This version replaces the AMI, and all operator-unique state (user database, CA private key, client certificates, CRL, email settings, split-DNS config) lives on the gateway's root volume. To move to v1.1.0, take a backup on the old gateway, launch a new instance from the v1.1.0 AMI, restore the backup onto it, and move the Elastic IP across. No client profiles need to be reissued.
The restore step automatically migrates the user database from the v1.0.x schema to the v1.1.0 schema during ov_restore. Every existing user is preserved with auto_renew=false and status=active; you opt users in afterwards with ov_user_auto_renew --email <addr> --traffic <all|partial> --enable once they are on the new gateway.
1. Back up the old gateway
SSH into the old gateway as ec2-user and run:
sudo ov_backupov_backup produces a single archive (/home/ec2-user/backup-<host>-<timestamp>.tar.gz) containing the user database, CA private key, every client certificate, the operational CRL, the TLS-auth PSK, the SES email credentials, the split-DNS configuration, and every issued .ovpn profile on disk. It also prints ready-to-paste scp commands for copying the archive off the box.
scp the archive off the gateway. Treat it as a master secret -- it contains the CA private key, every user's private key, and your SES SMTP credentials. Encrypt at rest, transfer over SSH only, never email it, never commit it to git.
2. Launch the v1.1.0 instance
Launch a new EC2 instance from the v1.1.0 AMI in the same VPC. Same security group, same subnet, same instance type as before is fine.
Wait for first boot to finish before restoring. First boot generates a throwaway CA and seeds /etc/openvpn/udp-server.conf with DNS push lines for the new VPC's resolvers. Confirm completion by checking that /opt/0x4447/.done exists.
3. Restore onto the new gateway
scp the backup archive to the new instance (/home/ec2-user/), SSH in, and run:
sudo ov_restore <archive>.tar.gzov_restore runs four pre-flight checks (whitelist, presence, CA-cert sanity, sibling-path) before touching the filesystem. On success it stops the service, extracts the archive, re-asserts permissions on every secret file, migrates the user database in place from the v1.0.x schema to the v1.1.0 schema, re-applies the saved split-DNS rules, restarts the service, and prints a restore summary. If any pre-flight fails, nothing is written and the tool aborts with a specific error.
The schema migration is idempotent -- re-running ov_restore against the same archive is safe.
Delete the archive once you are done: rm -f <archive>.tar.gz.
4. Move the IP
Reassign the Elastic IP from the old gateway to the new one before users reconnect. Existing .ovpn profiles bake in the public IP at issue time -- same IP means every existing profile keeps working with no client-side change. Different IP means every profile must be reissued with ov_user_add.
5. Verify
The user list must match the old gateway. Then verify the CRL survived the restore:
sudo openssl crl -in /etc/openvpn/server/crl.pem -text -noout | grep -c 'Serial Number'The count must match the number of users you have revoked over the lifetime of the old gateway. A zero or low count means revoked users will reconnect -- investigate before moving on.
Confirm the migration landed on schema v1.1.0:
sudo sqlite3 /opt/0x4447/db/users.db "SELECT value FROM schema_meta WHERE key='schema_version';"Must print 1.1.0.
Finally, connect a test client using an .ovpn profile issued by the old gateway and confirm it authenticates. If you have a revoked profile on hand, confirm it is rejected.
Once everything checks out, stop and terminate the old instance.
6. Opt users into auto-renew (optional)
The migration carries every user forward with auto-renew disabled. Pick the users you want renewed automatically and run:
sudo ov_user_auto_renew --email <addr> --traffic <all|partial> --enableThe daily renewal job fires at 00:00 UTC with a one-hour jitter window and re-issues profiles whose expiration_date is within 10 days. The new profile is emailed via SES; the old profile keeps working until its own expiry, giving the user time to switch clients.
Each renewed profile keeps the user's original validity length: the new certificate expires one original term beyond the old expiry date, not one default term beyond the renewal moment. A user issued a 365-day profile and renewed a week early comes out with a certificate still good for ~372 days -- so users stay on their original renewal cadence instead of drifting earlier every cycle.
Auto-renew needs SES configured. If /opt/0x4447/configs/email.conf does not have SMTP_USERNAME and SMTP_PASSWORD filled in, the renewal still runs -- a fresh certificate is issued and becomes the user's active profile -- but the new .ovpn is not emailed; the job logs email_skipped and the profile waits on the gateway under /home/ec2-user/openvpn_users/. The user keeps working on their old profile until it expires, but never receives the replacement, so they are locked out at expiry unless you step in. Configure SES before you opt users in. If a renewal already fired while SES was down, fix the credentials and run sudo ov_user_resend --email <addr> --traffic <all|partial> to mail the active profile.
Compliance considerations
This release preserves the v1.0.x revocation guarantees. ov_user_delete revokes the user's certificate, regenerates the CRL, copies it into /etc/openvpn/server/crl.pem, restarts the OpenVPN service, and marks the user row revoked in the database. The certificate is rejected by the server immediately, not on next renewal -- the soft-delete is a database-audit-trail addition, not a softening of the revocation gate.
For SOC 1, SOC 2, and PCI DSS environments: backups produced by ov_backup continue to contain the CA private key and every user's private key. Encrypt them at rest (S3 + KMS is fine), transfer them only over SSH, and rotate the gateway CA if a backup is ever exposed. The ov_user_audit command provides a complete read-only history of every certificate ever issued -- useful evidence for access-review controls.
Documentation
Full documentation, including the ov_user_audit lenses, the auto-renew SES setup walkthrough, and troubleshooting for the new commands, lives at:
https://products.0x4447.com/product/gate/documentation/1.1.x/
Additional details
Usage instructions
Valdras Gate - Usage
Full and up-to-date documentation lives at:
https://products.0x4447.com/product/gate/documentation/1.1.x/
That page covers initial setup, the ov_user_* commands for issuing, revoking, and auto-renewing client profiles, the ov_backup / ov_restore migration flow, split-DNS configuration, and troubleshooting. It is the canonical reference and is updated independently of the AMI.
Quick start
- Launch the AMI in your VPC. Default username is ec2-user.
- Open UDP port 1194 to your client networks in the instance's security group.
- Wait for first boot to complete - confirm /opt/0x4447/.done exists before issuing the first profile.
- SSH in and run sudo ov_user_add <name> <email> to issue the first VPN profile. The signed .ovpn file is emailed to the recipient via SES (configure /opt/0x4447/configs/email.conf first if you have not already).
Resources
Vendor resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Streamlined access to private resources has reduced manual profile work and improved compliance
What is our primary use case?
I use 0x4447 Valdras Gate to access private resources in private subnets like RDS and EC2 servers, which is my main use case. I access EC2 servers over SSH to configure them, access database data while developing, and fix problems in production using 0x4447 Valdras Gate to access those private resources.
What is most valuable?
I appreciate the feature of 0x4447 Valdras Gate where I can create a profile that automatically renews before it expires, so I don't have to manage it and remember to renew profiles for people.
I find the auto-renewing profile feature to be one of the best features 0x4447 Valdras Gate offers. I can set it up to renew every three months, every year, or every week, and the system will automatically email those new profiles to the users. This is incredibly useful because I don't have to think about it while still remaining compliant with SOC 2.
The simplicity of 0x4447 Valdras Gate is another feature I found handy, as I find it very quick to deploy and very quick to create a new profile and have it up and running. I also appreciate that the price is very well structured, allowing me to deploy multiple copies in different environments quickly and keep management happy.
Cost reduction and receiving more time to do other more important things is how 0x4447 Valdras Gate has impacted my organization positively. Since this profile can auto-renew, I set it up once and I don't think about it afterward. I only have to remember to add or delete users, while the whole chain of recreating profiles is taken care of. This frees me and our team to do other more important things.
What needs improvement?
I think 0x4447 Valdras Gate could be improved by having a dashboard with metrics to see how many users are actively connected, what the traffic is, and other usage data. That would be a nice addition, but currently, the commands that the application has are more than enough to do all the daily work.
For how long have I used the solution?
I have been using 0x4447 Valdras Gate for about three months.
What do I think about the stability of the solution?
0x4447 Valdras Gate is stable in my opinion regarding stability.
What do I think about the scalability of the solution?
Regarding scalability, there is just a VPN server for 0x4447 Valdras Gate, so we picked the correct size for our needs and it just works. If we need to have more bandwidth or CPU, we can change the EC2 type, which demonstrates its scalability.
How are customer service and support?
Everything just works, which is how I would describe my experience with 0x4447 Valdras Gate's customer support, as I required no support.
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
The deployment of 0x4447 Valdras Gate in my environment was very easy.
The configuration process was very easy because the documentation is very basic and it was as simple as copy and paste. I basically copied, replaced the values with the values that I wanted, pasted it, and I was up and running with the first profile.
What was our ROI?
I have seen a return on investment since using 0x4447 Valdras Gate, as employees have more free time doing more important things.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing was basic and simple, with no surprises or unexpected costs.
Which other solutions did I evaluate?
I did not evaluate other options before choosing 0x4447 Valdras Gate.
What other advice do I have?
0x4447 Valdras Gate integrates well with other AWS services I use without any integration challenges, and everything just works.
My experience with the procurement process for 0x4447 Valdras Gate was easy.
The metering and billing experience was clear and straightforward, with basic functionality and nothing special.
I would advise others looking into using 0x4447 Valdras Gate to simply use it. I would rate this review five out of five stars.