
VPN Gateway:Enable two-factor authentication for Linux clients

Last Updated:Dec 15, 2023

This topic describes how to enable two-factor authentication for Linux clients to access virtual private clouds (VPCs).

Prerequisites

Before you start, make sure that the following requirements are met:

  • An Identity as a Service (IDaaS) instance is purchased, and the accounts that employees will use to log on are created in the IDaaS instance. For more information, see Create Account or Organization.

    Important

    Two-factor authentication supports only IDaaS instances of earlier versions.

    If you do not have and cannot create IDaaS instances of earlier versions, you cannot enable two-factor authentication.

  • A VPC is created. For more information, see Create and manage a VPC.

Background information

In this example, a company has created a VPC in the China (Hangzhou) region and the CIDR block of the VPC is 192.168.1.0/24. To meet business requirements, employees on business trips need to access resources that are deployed in the VPC from Linux clients.

(Figure: two-factor authentication)

As shown in the preceding figure, you create a VPN gateway on Alibaba Cloud, configure an SSL server, and enable two-factor authentication on the SSL server. A Linux client that connects to the VPC over an SSL-VPN connection must then pass two checks: SSL client certificate authentication (the first factor) and authentication with the username and password of an IDaaS account (the second factor). Requiring both improves the security and manageability of SSL-VPN connections, because a leaked client certificate alone is no longer sufficient to connect.

Procedure

(Figure: two-factor authentication)

Step 1: Create a VPN gateway

VPN Gateway is an Internet-based service that connects enterprise data centers, office networks, or Internet-facing terminals to Alibaba Cloud VPCs over encrypted connections.

Important

Skip this step if you have created a VPN gateway and you want to use the created VPN gateway in this example. Make sure that your VPN gateway meets the following requirements:

  • Your VPN gateway supports two-factor authentication:

    • If your VPN gateway was created before 00:00 on March 5, 2020 and has not been upgraded, you must upgrade it before you can use the two-factor authentication feature. For more information, see Upgrade a VPN gateway.

    • If your VPN gateway was created before 00:00 on March 5, 2020 and has been upgraded, or was created after 00:00 on March 5, 2020, you can use the two-factor authentication feature directly.

  • SSL-VPN is enabled for your VPN gateway. For more information, see the Enable SSL-VPN section of the "Enable IPsec-VPN and SSL-VPN" topic.

  1. Log on to the VPN gateway console.
  2. In the top navigation bar, select the region in which the VPC to be accessed is deployed.

    In this example, China (Hangzhou) is selected.

    Note

    Make sure that the VPN gateway and the VPC are deployed in the same region.

  3. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.

  4. On the VPN Gateways page, click Create VPN Gateway.

  5. On the buy page, configure the parameters that are described in the following table and click Buy Now to complete the payment.

    Parameter

    Description

    Name

    Enter a name for the VPN gateway.

    Region

    Select the region in which you want to create the VPN gateway. In this example, China (Hangzhou) is selected.

    Gateway Type

    Select a gateway type.

    Network Type

    Select a network type. In this example, Public is selected.

    Tunnels

    The tunnel mode supported by IPsec-VPN connections in the region is displayed.

    VPC

    Select the VPC in which you want to create the VPN gateway.

    VSwitch

    Select a vSwitch from the selected VPC.

    • If you select Single-tunnel, you need to specify one vSwitch.
    • If you select Dual-tunnel, you need to specify two vSwitches.
    Note
    • The system selects a vSwitch by default. You can change or use the default vSwitch.
    • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    vSwitch 2

    Select another vSwitch from the selected VPC.

    Ignore this parameter if you select Single-tunnel.

    Maximum Bandwidth

    Select a maximum public bandwidth for the VPN gateway.

    Unit: Mbit/s.

    Traffic

    Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.

    For more information, see Billing rules. In this example, the default value is used.

    IPsec-VPN

    You can enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between a data center and a VPC or between two VPCs. In this example, Disable is selected.

    SSL-VPN

    You can enable or disable the SSL-VPN feature. After you enable this feature, you can connect to VPCs from clients over SSL-VPN connections. In this example, Enable is selected.

    SSL Connections

    Select the maximum number of concurrent SSL-VPN connections that the VPN gateway supports. In this example, 5 is selected.

    Note

    This parameter is displayed only if you enable SSL-VPN.

    Duration

    Select a billing cycle for the VPN gateway. Default value: By Hour.

    Service-linked Role

    Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn.

    The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

    If Created is displayed, the service-linked role is created and you do not need to create it again.

Step 2: Create an SSL server

SSL-VPN is based on the OpenVPN framework. The SSL server specifies the CIDR block that clients are allowed to access (Local Network), the CIDR block from which clients are assigned addresses (Client CIDR Block), and whether two-factor authentication is required.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.

  3. In the top navigation bar, select the region in which you want to create the SSL server.

    In this example, China (Hangzhou) is selected.

  4. On the SSL Servers page, click Create SSL Server.

  5. In the Create SSL Server panel, configure the following parameters for the SSL server and click OK:

    • Name: Enter a name for the SSL server.

    • VPN Gateway: Select the VPN gateway that you created in Step 1 from the drop-down list.

    • Local Network: Enter the CIDR block to be accessed by your client over an SSL-VPN connection. In this example, 192.168.1.0/24 is used.

    • Client CIDR Block: Enter the CIDR block that your client uses to connect to the SSL server. In this example, 10.0.0.0/24 is used.

    • Advanced Configuration: Configure the following parameters for advanced configurations:

      • Protocol: Select the protocol used by an SSL-VPN connection. Valid values: UDP and TCP. In this example, the default value is used.

      • Port: Specify the port used by an SSL-VPN connection. In this example, the default value is used.

      • Encryption Algorithm: Select the encryption algorithm used by an SSL-VPN connection. Supported encryption algorithms include AES-128-CBC, AES-192-CBC, and AES-256-CBC. In this example, the default value is used.

      • Compressed: Specify whether to compress the data that is transmitted over an SSL-VPN connection. In this example, the default value is used.

      • Two-factor Authentication: Enable two-factor authentication and select an IDaaS instance.

        Note
        • If you use the two-factor authentication feature for the first time, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.

        • After two-factor authentication is enabled, the VPN gateway authenticates a client in two stages when an SSL-VPN connection is established. First, the client is authenticated with its SSL client certificate. Only after the certificate check succeeds is the client prompted for the username and password of an account in the specified IDaaS instance. The SSL-VPN connection is established only after both checks pass. Two-factor authentication does not support the Short Message Service (SMS) authentication feature of IDaaS.

Step 3: (Optional) Configure AD authentication for cloud services

By default, two-factor authentication uses the username and password of an IDaaS account. If your users are managed in Active Directory (AD), you can instead let the IDaaS instance validate their credentials against AD through an LDAP authentication source, so that SSL-VPN users log on with their AD username and password. Skip this step if you use only IDaaS accounts for authentication.

  1. Log on to the IDaaS console.

  2. On the EIAM page, find the IDaaS instance that you want to manage and click Manage in the Actions column.

  3. In the left-side navigation pane, choose Authentication > Authentication Sources. On the Authentication Sources page, click Add Authentication Source.

  4. On the Add Authentication Source page, find LDAP and click Add Authentication Source in the Actions column.

  5. In the Add Authentication Source (LDAP) panel, create an LDAP authentication source.

    After authentication sources are created, you can view them on the Authentication Sources page.

  6. On the Authentication Sources page, find the authentication source that you want to manage and click the Enable icon in the Status column. In the message that appears, click OK.

  7. In the left-side navigation pane, choose Settings > Security Settings.

  8. On the Security Settings page, click the Cloud Product AD Authentication tab.

  9. Select the AD authentication source that you created from the drop-down list, enable this feature, and then click Save.


Step 4: Create and download an SSL client certificate

Create and download an SSL client certificate based on the configurations of the SSL server.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.

  3. In the top navigation bar, select the region in which your client is deployed.

    In this example, China (Hangzhou) is selected.

  4. On the SSL Clients page, click Create SSL Client Certificate.

  5. In the Create SSL Client Certificate panel, configure the following parameters and click OK:

    • Name: Enter a name for the SSL client certificate.

    • SSL Server: Select the SSL server that you created in Step 2.

  6. On the SSL Clients page, find the SSL client certificate that you created and click Download in the Actions column.

    The SSL client certificate is downloaded to your on-premises machine.

Step 5: Configure the Linux client

Perform the following steps to configure the Linux client:

  1. Run the following command on the Linux client to install OpenVPN. The command is for yum-based distributions such as CentOS or Alibaba Cloud Linux; on other distributions, install the openvpn package with your distribution's package manager.

    yum install -y openvpn
  2. Extract the certificate package that you downloaded in Step 4 into the /etc/openvpn/conf/ directory. The package contains the client private key, so keep the directory accessible only to root.

    1. Run the following commands to create the configuration directory and copy the certificate package into it:

      mkdir -p /etc/openvpn/conf/
      cp cert_location /etc/openvpn/conf/

      In the preceding command, replace cert_location with the path of the certificate package downloaded in Step 4. Example: /home/example/Downloads/certs6.zip.

    2. Run the following command to extract the certificate package into the configuration directory:

      unzip /etc/openvpn/conf/certs6.zip -d /etc/openvpn/conf/
  3. Run the following command to start OpenVPN. Run it from the /etc/openvpn/conf/ directory so that certificate files that config.ovpn references by relative path are found. When prompted, enter the username and password of the IDaaS account. Because --daemon is used, OpenVPN writes its messages to syslog; check there if the connection fails.

    openvpn --config /etc/openvpn/conf/config.ovpn --daemon
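
The following script performs the staging and start-up of Step 5 with the checks a practitioner would want before handing the client to a user. It is added here as an example and is not part of the Alibaba Cloud topic or of the OpenVPN project. It assumes that the downloaded bundle is a zip containing config.ovpn plus the CA, client certificate and client key that config.ovpn references by relative path, that config.ovpn carries the auth-user-pass directive when two-factor authentication is enabled on the SSL server, and that the configuration directory is /etc/openvpn/conf. The address 203.0.113.10 in the usage comments is a documentation address, not a real gateway.

```sh
#!/bin/sh
# Added example (not Alibaba Cloud's or OpenVPN's own tooling): stage the SSL
# client bundle from Step 4 under /etc/openvpn/conf and sanity-check config.ovpn
# before starting OpenVPN. Assumptions: the bundle is a zip that contains
# config.ovpn plus the CA, client certificate and client key it references by
# relative path, and config.ovpn carries `auth-user-pass` when two-factor
# authentication is enabled on the SSL server.

CONF_DIR=${CONF_DIR:-/etc/openvpn/conf}

# stage_bundle ZIP [DIR]: unpack the bundle into DIR with owner-only permissions.
# The bundle holds the client private key, so nothing in it may be world-readable.
stage_bundle() {
  zip=$1; dir=${2:-$CONF_DIR}
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  unzip -o -q "$zip" -d "$dir" || return 1
  find "$dir" -type f -exec chmod 600 {} +
}

# config_problems CONFIG: print one line per problem in an .ovpn file; return
# non-zero if any were found. Checks:
#   - `client` and `remote` must be present (it has to be a client config);
#   - `auth-user-pass` must be present, otherwise OpenVPN never prompts for the
#     IDaaS username and password that the second factor requires;
#   - every `ca`, `cert` and `key` file reference must resolve relative to the
#     config's directory, which is where OpenVPN is pointed with --cd below.
config_problems() {
  cfg=$1; dir=$(dirname "$cfg"); rc=0
  for directive in client remote auth-user-pass; do
    grep -Eq "^[[:space:]]*$directive([[:space:]]|\$)" "$cfg" \
      || { echo "missing directive: $directive"; rc=1; }
  done
  # Inline <ca>...</ca> style blocks have no file to check and are skipped.
  grep -E '^[[:space:]]*(ca|cert|key)[[:space:]]+' "$cfg" \
    | while read -r d f _; do
        [ -f "$dir/$f" ] || echo "$d file not found: $dir/$f"
      done | grep . && rc=1
  return $rc
}

# start_vpn [CONFIG]: refuse to start on a broken config; otherwise run OpenVPN
# from the config directory (--cd) so relative certificate paths resolve, and
# log to a file so an AUTH_FAILED from the IDaaS check is easy to find.
# OpenVPN prompts for the IDaaS username and password before daemonizing.
start_vpn() {
  cfg=${1:-$CONF_DIR/config.ovpn}
  config_problems "$cfg" || { echo "fix the problems above before connecting" >&2; return 1; }
  openvpn --cd "$(dirname "$cfg")" --config "$cfg" \
          --log "$(dirname "$cfg")/openvpn.log" --daemon
}

# Usage, as root on the Linux client (constructed example path):
#   RUN_VPN_SETUP=1 sh vpn-client.sh /home/example/Downloads/certs6.zip
if [ -n "${RUN_VPN_SETUP:-}" ]; then
  stage_bundle "$1" "$CONF_DIR" && start_vpn "$CONF_DIR/config.ovpn"
fi
```

The file-permission step matters because the bundle is the first factor: anyone who can read client.key can present the certificate and only has the IDaaS password left to obtain. The --cd option is what makes the page's command work from any directory; without it OpenVPN resolves `ca ca.crt` against the current directory and fails with a file-not-found error that is easy to mistake for a certificate problem.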

Step 6: Test the connectivity

Perform the following steps to test the connectivity between the Linux client and the VPC:

  1. Log on to the Linux client.

  2. Run the ping command against the private IP address of an Elastic Compute Service (ECS) instance that is deployed in the VPC (an address in 192.168.1.0/24 in this example).

    Note

    Make sure that the security group rules of the ECS instance allow ICMP requests from the SSL-VPN clients, that is, from the Client CIDR Block that you specified in Step 2 (10.0.0.0/24 in this example). For more information, see Configure security groups in different scenarios.

    If the ECS instance replies, the Linux client can access the VPC over the SSL-VPN connection.
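
A ping timeout in Step 6 can have several causes: the target is outside the SSL server's Local Network, authentication failed so the tunnel never received an address, the route to the target does not point at the tunnel, or the ECS security group drops ICMP. The following script, added here as an example rather than part of the Alibaba Cloud topic, checks those conditions in order and reports the first one that fails. It uses the Local Network and Client CIDR Block values from Step 2; the tun0 device name, the ECS address 192.168.1.77 in the usage line and the `ip route get` output quoted in the comments are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not part of the Alibaba Cloud topic): report which part of the
# SSL-VPN path is broken instead of a bare ping timeout. LOCAL_NET and
# CLIENT_CIDR are the SSL server values from Step 2; TUN_DEV, the ECS address
# and the sample `ip route get` line in route_dev's comment are assumptions.
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}     # SSL server "Local Network"
CLIENT_CIDR=${CLIENT_CIDR:-10.0.0.0/24}    # SSL server "Client CIDR Block"
TUN_DEV=${TUN_DEV:-tun0}

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the block
in_cidr() {
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# route_dev: read `ip route get <target>` output on stdin and print the
# outgoing device, e.g. "192.168.1.77 via 10.0.0.5 dev tun0 src 10.0.0.6" -> tun0
# (constructed sample line). Prints nothing when there is no "dev" field, as in
# "RTNETLINK answers: Network is unreachable".
route_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# tun_address: the IPv4 address OpenVPN assigned to the tunnel device, or nothing
tun_address() {
  ip -4 -o addr show dev "$TUN_DEV" 2>/dev/null | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# check_connectivity ECS_IP: walk the path and stop at the first failing hop
check_connectivity() {
  target=$1
  in_cidr "$target" "$LOCAL_NET" \
    || { echo "FAIL: $target is outside Local Network $LOCAL_NET; fix the SSL server, not the client"; return 1; }
  addr=$(tun_address)
  [ -n "$addr" ] \
    || { echo "FAIL: no address on $TUN_DEV; authentication did not complete, check the OpenVPN log for AUTH_FAILED"; return 1; }
  in_cidr "$addr" "$CLIENT_CIDR" \
    || { echo "FAIL: $addr on $TUN_DEV is not from Client CIDR Block $CLIENT_CIDR"; return 1; }
  dev=$(ip route get "$target" 2>/dev/null | route_dev)
  [ "$dev" = "$TUN_DEV" ] \
    || { echo "FAIL: $target routes via ${dev:-nothing}, not $TUN_DEV"; return 1; }
  ping -c 3 -W 2 "$target" >/dev/null \
    || { echo "FAIL: tunnel is up and routed but $target does not answer; check the ECS security group"; return 1; }
  echo "OK: $target reachable over $TUN_DEV from $addr"
}

# Usage on the connected Linux client (192.168.1.77 is an assumed ECS address):
#   RUN_VPN_CHECK=1 sh vpn-check.sh 192.168.1.77
if [ -n "${RUN_VPN_CHECK:-}" ]; then
  check_connectivity "$1"
fi
```

The order of the checks follows the order in which the pieces are configured: the Local Network and Client CIDR Block are SSL server settings, the tunnel address proves that both authentication factors were accepted, the route is pushed by the VPN gateway, and only the last check depends on the ECS security group from the Note above.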