    Valdras Gate - VPN Gateway

    Deployed on AWS
    AWS Free Tier
    Enterprise-ready OpenVPN server that deploys in minutes with automated user management and email delivery of VPN profiles via AWS SES. No per-user fees, unlimited users.

    Overview

    Valdras Gate is a production-ready OpenVPN AMI that removes the usual hassle of setting up and running a VPN. You can launch a secure server in minutes, with built-in user management, automated email delivery of VPN profiles, and strong security out of the box. There are no per-user fees and no complicated setup. Just start the AMI and begin adding users with simple CLI commands.

    The server is fully configured on first boot. It creates client certificates and VPN profiles automatically, then sends them to users through AWS SES. You can add or remove users with a single command, track certificate expiration, and control who can reach your private AWS resources.

    Valdras Gate supports both split-tunnel and full-tunnel modes, handles unlimited users without extra charges, and manages certificates automatically. You only pay for the EC2 instance itself: no subscriptions, no per-user pricing, and no lock-in. It gives you secure remote access in minutes while removing the ongoing overhead of running a VPN service.

    OpenVPN® is a registered trademark of OpenVPN, Inc. and neither 0x4447™ nor its product is affiliated with or endorsed by OpenVPN, Inc.

    Highlights

    • Production-ready OpenVPN server that's fully configured and operational on first boot. No complex setup, no certificate generation hassles, no firewall rules to configure. Launch the AMI, add users with simple CLI commands, and your team is connected securely within minutes.
    • Built-in user lifecycle management automatically generates VPN profiles and delivers them directly to users via AWS SES. Add or remove users with single commands, track expiration dates, and maintain complete control over access to your private AWS resources.
    • Pay only for your EC2 instance costs with no recurring per-user licensing fees or subscription charges. Manage unlimited VPN users without vendor lock-in. Support both split-tunnel and full-tunnel traffic modes based on your security requirements.

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    Amazon Linux 2023

    Pricing

    Valdras Gate - VPN Gateway

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
    If you are an AWS Free Tier customer with a free plan, you are eligible to subscribe to this offer. You can use free credits to cover the cost of eligible AWS infrastructure. See AWS Free Tier for more details. If you created an AWS account before July 15th, 2025, and qualify for the Legacy AWS Free Tier, Amazon EC2 charges for Micro instances are free for up to 750 hours per month. See Legacy AWS Free Tier for more details.

    Usage costs (14)

    Dimension                 Cost/hour
    t3.small (Recommended)    $0.1375
    t3.micro                  $0.1375
    t3.large                  $0.1375
    t3a.xlarge                $0.1375
    t3a.large                 $0.1375
    t3a.2xlarge               $0.1375
    t3.medium                 $0.1375
    t3.2xlarge                $0.1375
    t3a.medium                $0.1375
    t3a.nano                  $0.1375

    Vendor refund policy

    none

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    What's new in v1.0.3

    • One-command backup. sudo ov_backup produces a single archive of everything your gateway has - users, certs, revocation list, configs, email settings - plus ready-to-paste scp commands for copying it off the box. No more hand-rolled tar.
    • One-command restore. sudo ov_restore <archive> brings a fresh gateway up to the exact state of the old one. Refuses to touch anything if the archive is incomplete or has been tampered with.
    • Revoked users stay revoked. The revocation list travels with the backup. After a restore, every previously revoked profile is rejected on first connection attempt - no silent regression of access.
    • Side-by-side counters. Both tools print a matching summary block (users, issued certs, revoked profiles) so you can verify nothing was lost by eye-balling the two outputs.

    Compatibility

    • Drop-in upgrade from v1.0.2. No client-side changes if the Elastic IP is moved to the new gateway.
    • All user CLI commands (ov_user_add, ov_user_delete, ov_user_list, ov_user_list_expired) keep the same arguments and behaviour.
    • Archives produced by ov_backup on v1.0.3 are restorable on any v1.0.3+ gateway. Restoring onto v1.0.2 or older is not supported.

    How to upgrade

    No in-place upgrade. Launch a new instance from the v1.0.3 AMI and restore the old v1.0.2 gateway's state onto it. Following this procedure preserves every user, certificate, revocation, and configuration setting - no profiles need to be reissued.

    1. Back up the old gateway

    SSH into the old v1.0.2 gateway as ec2-user and run:

    sudo tar -czhf backup.tar.gz \
      -C / \
      opt/0x4447/db/users.db \
      opt/0x4447/configs/dns.conf \
      opt/0x4447/configs/email.conf \
      opt/0x4447/configs/mutt_ses.conf \
      opt/0x4447/templates/vpn_profile_email.txt \
      usr/share/easy-rsa/pki \
      etc/openvpn/server
    sudo chown ec2-user:ec2-user backup.tar.gz
    chmod 600 backup.tar.gz

    This captures everything operator-unique: the user database, the CA private key and every client certificate, the operational CRL (so revoked users stay revoked), the TLS-auth PSK, the SES email credentials, and the split-DNS configuration. The -h flag dereferences the symlinks inside easy-rsa/pki/ so the archive is self-contained.

    scp the file off the box. Treat it as a master secret - it contains the CA private key, every user's private key, and your SES SMTP credentials. Encrypt at rest, transfer over SSH only, never email it, never commit it to git.

    2. Launch the v1.0.3 instance

    Launch a new EC2 instance from the v1.0.3 AMI in the same VPC. Same security group, same subnet, same instance type as before is fine.

    Wait for first boot to finish before restoring. First boot generates a throwaway CA and seeds /etc/openvpn/udp-server.conf with DNS push lines for the new VPC's resolvers. Confirm completion by checking that /opt/0x4447/.done exists.

    3. Restore onto the new gateway

    scp backup.tar.gz to the new instance (/home/ec2-user/), SSH in, and run:

    sudo ov_restore backup.tar.gz

    ov_restore runs three pre-flight checks (whitelist, presence, CA-cert sanity) before touching the filesystem. On success it stops the service, extracts the archive, re-asserts permissions on every secret file, re-applies the saved split-DNS rules, restarts the service, and prints a restore summary. If any pre-flight fails, nothing is written and the tool aborts with a specific error.

    Delete the archive once you are done: rm -f backup.tar.gz.
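
    The whitelist and presence checks described for ov_restore can also be run by hand on an archive before it is copied to the new gateway. The sketch below is an added example, not the vendor's ov_restore code: the whitelist is taken from the tar command in step 1, while the REQUIRED set, the function names and the sample archive are assumptions, and the CA-cert sanity check is not covered.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Whitelist taken from the tar command in step 1 (paths relative to /).
ALLOWED_FILES = {
    "opt/0x4447/db/users.db",
    "opt/0x4447/configs/dns.conf", "opt/0x4447/configs/email.conf",
    "opt/0x4447/configs/mutt_ses.conf",
    "opt/0x4447/templates/vpn_profile_email.txt",
}
ALLOWED_DIRS = ("usr/share/easy-rsa/pki", "etc/openvpn/server")
# Assumption: members treated as mandatory (ca.crt follows the Easy-RSA 3 layout).
REQUIRED = {"opt/0x4447/db/users.db", "usr/share/easy-rsa/pki/ca.crt",
            "etc/openvpn/server/crl.pem"}

def allowed(name):
    return name in ALLOWED_FILES or any(
        name == d or name.startswith(d + "/") for d in ALLOWED_DIRS)

def preflight(fileobj):
    """Inspect a backup archive without extracting it; return a list of problems."""
    problems, seen = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            path = PurePosixPath(member.name)
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"unsafe path: {member.name}")
            elif not (member.isfile() or member.isdir()):
                # Step 1 uses -h, so symlinks are stored as the files they point to.
                problems.append(f"unexpected member type: {member.name}")
            elif not allowed(str(path)):
                problems.append(f"not on whitelist: {member.name}")
            else:
                seen.add(str(path))
    problems += [f"missing: {name}" for name in sorted(REQUIRED - seen)]
    return problems

def build_sample(names):
    """Constructed sample archive with dummy contents, for exercising preflight()."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"test"))
    buf.seek(0)
    return buf
```

    For a real archive, call preflight(open("backup.tar.gz", "rb")) and proceed only when the returned list is empty.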

    4. Move the IP

    Reassign the Elastic IP from the old gateway to the new one before users reconnect. Existing .ovpn profiles bake in the public IP at issue time - same IP means every existing profile keeps working with no client-side change. Different IP means every profile must be reissued with ov_user_add.

    5. Verify

    sudo ov_user_list

    The user list must match the old gateway. Then verify the CRL survived the restore:

    sudo openssl crl -in /etc/openvpn/server/crl.pem -text -noout | grep -c 'Serial Number'

    The count must match the number of users you have revoked over the lifetime of the old gateway. A zero or low count means revoked users will reconnect - investigate before moving on.

    Finally, connect a test client using an .ovpn profile issued by the old gateway and confirm it authenticates. If you have a revoked profile on hand, confirm it is rejected.

    Once everything checks out, stop and terminate the old instance.

    Additional details

    Usage instructions

    Valdras Gate - Usage

    Full and up-to-date documentation lives at:

    https://products.0x4447.com/product/gate/documentation/1.0.x/ 

    That page covers initial setup, the ov_user_* commands for issuing and revoking client profiles, the ov_backup / ov_restore migration flow, split-DNS configuration, and troubleshooting. It is the canonical reference and is updated independently of the AMI.

    Quick start

    1. Launch the AMI in your VPC. Default username is ec2-user.
    2. Open UDP port 1194 to your client networks in the instance's security group.
    3. Wait for first boot to complete - confirm /opt/0x4447/.done exists before issuing the first profile.
    4. SSH in and run sudo ov_user_add <name> <email> to issue the first VPN profile. The signed .ovpn file is emailed to the recipient via SES (configure /opt/0x4447/configs/email.conf first if you have not already).

    Resources

    Vendor resources

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    No customer reviews yet