Listing Thumbnail

    Valdras Gate - VPN Gateway

     Info
    Deployed on AWS
    AWS Free Tier
    Enterprise-ready OpenVPN server that deploys in minutes with automated user management and email delivery of VPN profiles via AWS SES. No per-user fees, unlimited users.
    5

    Overview

    Valdras Gate is a production-ready OpenVPN AMI that removes the usual hassle of setting up and running a VPN. You can launch a secure server in minutes, with built-in user management, automated email delivery of VPN profiles, and strong security out of the box. There are no per-user fees and no complicated setup. Just start the AMI and begin adding users with simple CLI commands.

    The server is fully configured on first boot. It creates client certificates and VPN profiles automatically, then sends them to users through AWS SES. You can add or remove users with a single command, track certificate expiration, and control who can reach your private AWS resources.

    Valdras Gate supports both split-tunnel and full-tunnel modes, handles unlimited users without extra charges, and manages certificates automatically. You only pay for the EC2 instance itself-no subscriptions, no per-user pricing, and no lock-in. It gives you secure remote access in minutes while removing the ongoing overhead of running a VPN service.

    OpenVPN® is a registered trademark of OpenVPN, Inc. and neither 0x4447™ nor its product is affiliated with or endorsed by OpenVPN, Inc.

    Highlights

    • Production-ready OpenVPN server that's fully configured and operational on first boot. No complex setup, no certificate generation hassles, no firewall rules to configure. Launch the AMI, add users with simple CLI commands, and your team is connected securely within minutes.
    • Built-in user lifecycle management automatically generates VPN profiles and delivers them directly to users via AWS SES. Add or remove users with single commands, track expiration dates, and maintain complete control over access to your private AWS resources.
    • Pay only for your EC2 instance costs with no recurring per-user licensing fees or subscription charges. Manage unlimited VPN users without vendor lock-in. Support both split-tunnel and full-tunnel traffic modes based on your security requirements.

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    AmazonLinux 2023

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    Valdras Gate - VPN Gateway

     Info
    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.
    If you are an AWS Free Tier customer with a free plan, you are eligible to subscribe to this offer. You can use free credits to cover the cost of eligible AWS infrastructure. See AWS Free Tier  for more details. If you created an AWS account before July 15th, 2025, and qualify for the Legacy AWS Free Tier, Amazon EC2 charges for Micro instances are free for up to 750 hours per month. See Legacy AWS Free Tier  for more details.

    Usage costs (14)

     Info
    Dimension
    Cost/hour
    t3.small
    Recommended
    $0.1375
    t3.micro
    $0.1375
    t3.large
    $0.1375
    t3a.xlarge
    $0.1375
    t3a.large
    $0.1375
    t3a.2xlarge
    $0.1375
    t3.medium
    $0.1375
    t3.2xlarge
    $0.1375
    t3a.medium
    $0.1375
    t3a.nano
    $0.1375

    Vendor refund policy

    none

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    Valdras Gate v1.1.0

    Summary

    Auto-renew release. v1.1.0 adds a daily systemd timer that watches user profiles for upcoming expiry and re-issues a fresh .ovpn to anyone you opted into the auto-renew flag, before their old profile dies. The renewed profile is emailed via the same SES path the gateway already uses, so users see a normal mail with the new .ovpn attached and switch over on their own time. Existing users carry forward unchanged -- the auto-renew flag defaults off; nothing renews until you opt a user in.

    The release also ships three new operator commands. ov_user_audit is a single read-only lens over the user database -- active users, supersession history, expired profiles, revoked users, and the new "stuck" state the renewal job uses when it cannot roll a partial failure all the way back. ov_user_resend re-mails the currently active profile for a user (use it when SES bounced the original, when the user lost the mail, or when SMTP was misconfigured at issue time and got fixed later). ov_user_auto_renew flips the auto-renew flag on or off for an existing user without going through delete + re-add.

    ov_user_delete now soft-deletes: the user row is kept and marked revoked, the certificate is revoked and added to the CRL exactly as before, and the OpenVPN service is restarted. Functionally identical from the customer's perspective (the revoked user is locked out immediately) -- the row retention gives ov_user_audit a complete history view.

    How to upgrade

    There is no in-place upgrade. This version replaces the AMI, and all operator-unique state (user database, CA private key, client certificates, CRL, email settings, split-DNS config) lives on the gateway's root volume. To move to v1.1.0, take a backup on the old gateway, launch a new instance from the v1.1.0 AMI, restore the backup onto it, and move the Elastic IP across. No client profiles need to be reissued.

    The restore step automatically migrates the user database from the v1.0.x schema to the v1.1.0 schema during ov_restore. Every existing user is preserved with auto_renew=false and status=active; you opt users in afterwards with ov_user_auto_renew --email <addr> --traffic <all|partial> --enable once they are on the new gateway.

    1. Back up the old gateway

    SSH into the old gateway as ec2-user and run:

    sudo ov_backup

    ov_backup produces a single archive (/home/ec2-user/backup-<host>-<timestamp>.tar.gz) containing the user database, CA private key, every client certificate, the operational CRL, the TLS-auth PSK, the SES email credentials, the split-DNS configuration, and every issued .ovpn profile on disk. It also prints ready-to-paste scp commands for copying the archive off the box.

    scp the archive off the gateway. Treat it as a master secret -- it contains the CA private key, every user's private key, and your SES SMTP credentials. Encrypt at rest, transfer over SSH only, never email it, never commit it to git.

    2. Launch the v1.1.0 instance

    Launch a new EC2 instance from the v1.1.0 AMI in the same VPC. Same security group, same subnet, same instance type as before is fine.

    Wait for first boot to finish before restoring. First boot generates a throwaway CA and seeds /etc/openvpn/udp-server.conf with DNS push lines for the new VPC's resolvers. Confirm completion by checking that /opt/0x4447/.done exists.

    3. Restore onto the new gateway

    scp the backup archive to the new instance (/home/ec2-user/), SSH in, and run:

    sudo ov_restore <archive>.tar.gz

    ov_restore runs four pre-flight checks (whitelist, presence, CA-cert sanity, sibling-path) before touching the filesystem. On success it stops the service, extracts the archive, re-asserts permissions on every secret file, migrates the user database in place from the v1.0.x schema to the v1.1.0 schema, re-applies the saved split-DNS rules, restarts the service, and prints a restore summary. If any pre-flight fails, nothing is written and the tool aborts with a specific error.

    The schema migration is idempotent -- re-running ov_restore against the same archive is safe.

    Delete the archive once you are done: rm -f <archive>.tar.gz.

    4. Move the IP

    Reassign the Elastic IP from the old gateway to the new one before users reconnect. Existing .ovpn profiles bake in the public IP at issue time -- same IP means every existing profile keeps working with no client-side change. Different IP means every profile must be reissued with ov_user_add.

    5. Verify

    sudo ov_user_list

    The user list must match the old gateway. Then verify the CRL survived the restore:

    sudo openssl crl -in /etc/openvpn/server/crl.pem -text -noout | grep -c 'Serial Number'

    The count must match the number of users you have revoked over the lifetime of the old gateway. A zero or low count means revoked users will reconnect -- investigate before moving on.

    Confirm the migration landed on schema v1.1.0:

    sudo sqlite3 /opt/0x4447/db/users.db "SELECT value FROM schema_meta WHERE key='schema_version';"

    Must print 1.1.0.

    Finally, connect a test client using an .ovpn profile issued by the old gateway and confirm it authenticates. If you have a revoked profile on hand, confirm it is rejected.

    Once everything checks out, stop and terminate the old instance.

    6. Opt users into auto-renew (optional)

    The migration carries every user forward with auto-renew disabled. Pick the users you want renewed automatically and run:

    sudo ov_user_auto_renew --email <addr> --traffic <all|partial> --enable

    The daily renewal job fires at 00:00 UTC with a one-hour jitter window and re-issues profiles whose expiration_date is within 10 days. The new profile is emailed via SES; the old profile keeps working until its own expiry, giving the user time to switch clients.

    Each renewed profile keeps the user's original validity length: the new certificate expires one original term beyond the old expiry date, not one default term beyond the renewal moment. A user issued a 365-day profile and renewed a week early comes out with a certificate still good for ~372 days -- so users stay on their original renewal cadence instead of drifting earlier every cycle.

    Auto-renew needs SES configured. If /opt/0x4447/configs/email.conf does not have SMTP_USERNAME and SMTP_PASSWORD filled in, the renewal still runs -- a fresh certificate is issued and becomes the user's active profile -- but the new .ovpn is not emailed; the job logs email_skipped and the profile waits on the gateway under /home/ec2-user/openvpn_users/. The user keeps working on their old profile until it expires, but never receives the replacement, so they are locked out at expiry unless you step in. Configure SES before you opt users in. If a renewal already fired while SES was down, fix the credentials and run sudo ov_user_resend --email <addr> --traffic <all|partial> to mail the active profile.

    Compliance considerations

    This release preserves the v1.0.x revocation guarantees. ov_user_delete revokes the user's certificate, regenerates the CRL, copies it into /etc/openvpn/server/crl.pem, restarts the OpenVPN service, and marks the user row revoked in the database. The certificate is rejected by the server immediately, not on next renewal -- the soft-delete is a database-audit-trail addition, not a softening of the revocation gate.

    For SOC 1, SOC 2, and PCI DSS environments: backups produced by ov_backup continue to contain the CA private key and every user's private key. Encrypt them at rest (S3 + KMS is fine), transfer them only over SSH, and rotate the gateway CA if a backup is ever exposed. The ov_user_audit command provides a complete read-only history of every certificate ever issued -- useful evidence for access-review controls.

    Documentation

    Full documentation, including the ov_user_audit lenses, the auto-renew SES setup walkthrough, and troubleshooting for the new commands, lives at:

    https://products.0x4447.com/product/gate/documentation/1.1.x/ 

    Additional details

    Usage instructions

    Valdras Gate - Usage

    Full and up-to-date documentation lives at:

    https://products.0x4447.com/product/gate/documentation/1.1.x/ 

    That page covers initial setup, the ov_user_* commands for issuing, revoking, and auto-renewing client profiles, the ov_backup / ov_restore migration flow, split-DNS configuration, and troubleshooting. It is the canonical reference and is updated independently of the AMI.

    Quick start

    1. Launch the AMI in your VPC. Default username is ec2-user.
    2. Open UDP port 1194 to your client networks in the instance's security group.
    3. Wait for first boot to complete - confirm /opt/0x4447/.done exists before issuing the first profile.
    4. SSH in and run sudo ov_user_add <name> <email> to issue the first VPN profile. The signed .ovpn file is emailed to the recipient via SES (configure /opt/0x4447/configs/email.conf first if you have not already).

    Resources

    Vendor resources

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    Ratings and reviews

     Info
    5
    1 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    100%
    0%
    0%
    0%
    0%
    1 AWS reviews
    Dawid Gatti

    Streamlined access to private resources has reduced manual profile work and improved compliance

    Reviewed on Jul 02, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I use 0x4447 Valdras Gate  to access private resources in private subnets like RDS  and EC2  servers, which is my main use case. I access EC2  servers over SSH to configure them, access database data while developing, and fix problems in production using 0x4447 Valdras Gate  to access those private resources.

    What is most valuable?

    I appreciate the feature of 0x4447 Valdras Gate where I can create a profile that automatically renews before it expires, so I don't have to manage it and remember to renew profiles for people.

    I find the auto-renewing profile feature to be one of the best features 0x4447 Valdras Gate offers. I can set it up to renew every three months, every year, or every week, and the system will automatically email those new profiles to the users. This is incredibly useful because I don't have to think about it while still remaining compliant with SOC 2.

    The simplicity of 0x4447 Valdras Gate is another feature I found handy, as I find it very quick to deploy and very quick to create a new profile and have it up and running. I also appreciate that the price is very well structured, allowing me to deploy multiple copies in different environments quickly and keep management happy.

    Cost reduction and receiving more time to do other more important things is how 0x4447 Valdras Gate has impacted my organization positively. Since this profile can auto-renew, I set it up once and I don't think about it afterward. I only have to remember to add or delete users, while the whole chain of recreating profiles is taken care of. This frees me and our team to do other more important things.

    What needs improvement?

    I think 0x4447 Valdras Gate could be improved by having a dashboard with metrics to see how many users are actively connected, what the traffic is, and other usage data. That would be a nice addition, but currently, the commands that the application has are more than enough to do all the daily work.

    For how long have I used the solution?

    I have been using 0x4447 Valdras Gate for about three months.

    What do I think about the stability of the solution?

    0x4447 Valdras Gate is stable in my opinion regarding stability.

    What do I think about the scalability of the solution?

    Regarding scalability, there is just a VPN server for 0x4447 Valdras Gate, so we picked the correct size for our needs and it just works. If we need to have more bandwidth or CPU, we can change the EC2 type, which demonstrates its scalability.

    How are customer service and support?

    Everything just works, which is how I would describe my experience with 0x4447 Valdras Gate's customer support, as I required no support.

    Which solution did I use previously and why did I switch?

    I did not previously use a different solution.

    How was the initial setup?

    The deployment of 0x4447 Valdras Gate in my environment was very easy.

    The configuration process was very easy because the documentation is very basic and it was as simple as copy and paste. I basically copied, replaced the values with the values that I wanted, pasted it, and I was up and running with the first profile.

    What was our ROI?

    I have seen a return on investment since using 0x4447 Valdras Gate, as employees have more free time doing more important things.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing was basic and simple, with no surprises or unexpected costs.

    Which other solutions did I evaluate?

    I did not evaluate other options before choosing 0x4447 Valdras Gate.

    What other advice do I have?

    0x4447 Valdras Gate integrates well with other AWS  services I use without any integration challenges, and everything just works.

    My experience with the procurement process for 0x4447 Valdras Gate was easy.

    The metering and billing experience was clear and straightforward, with basic functionality and nothing special.

    I would advise others looking into using 0x4447 Valdras Gate to simply use it. I would rate this review five out of five stars.

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    View all reviews