However, since we first released v14.0, the Debian OpenVPN package had a security update which changed the default package config a bit. That broke some of our initial config helper scripts in v14.1 (which we've fixed in v14.2).

I'm almost certain, that your issue is related to the v14.1 bug that we fixed in v14.2. If you are open to re-configuring your AWSMP server (just the initial TurnKey OpenVPN initialisation, not the whole setup from scratch), then you could try working around this by downloading the updated config script and redoing the initial TurnKey OpenVPN config. If you log into your AWSMP server via SSH, then this should do the trick:

SCRIPT=/usr/lib/inithooks/bin/openvpn-server-init.sh
URL=https://raw.githubusercontent.com/turnkeylinux-apps/openvpn/master/overlay${SCRIPT}
sudo wget $URL -O $SCRIPT
sudo /usr/lib/inithooks/bin/openvpn.py

Note, the sudo prefix for the last 2 commands is only needed/wanted on the AWSMP server. All other builds default to using the root account and don't even have sudo installed.

If you test out my workaround and it works as expected, please let me know. Regardless, I've opened a bug on our tracker, to ensure that your issue doesn't get forgotten.

Either way, I'll get the AWSMP AMI updated as soon as possible and if the issue still exists, we'll look into it further.

Also, thanks again for reporting the issue! It's one of the best things that users can do to make TurnKey better for everyone!

Sorry on the radio silence. I only just realised that I hadn't replied to your latest message. :(

Unfortunately, I do not understand why that would be occurring. The only thought I have is, whilst your firewall rules may be explicitly set up the way you want, have you enabled the firewall?

I know that may sound like a dumb suggestion (and you are possibly already all over it) but whilst TurnKey ships with pre-configured firewall rules, it's disabled by default.

For AWS servers, if you use the default/suggested security group (provided by us), then the AWS security group should more-or-less mirror our default firewall rules, however iptables (the Linux firewall) will still be disabled by default.

If you are already all over that (or you've now enabled it on both ends) and you're still having issues, then I'm not sure. I'd need to try to recreate your issue and see if I can match your experience. If we can reproduce a bug, we can fix it; or at least develop a work around.

I'm pretty under the pump at the moment trying to finalise the v14.2 release and start work on the v15.0 release (I'm currently blocking all our app dev guys from starting work on v15.0 release of appliances). And perhaps updating the AWSMP server to v14.2 may even address this issue (I may be reaching here as no one else has reported this)? So I'm not sure when I'll be able to do that. But the more info you can share about how you've configured things, the easier it will be for me to match your settings and hopefully reproduce your issue.