This topic describes how to set up two-factor authentication to authenticate access
from Windows clients to Virtual Private Cloud (VPC).
Prerequisites
- An Identity as a Service (IDaaS) instance is purchased and the user information of
the IDaaS instance is updated on Alibaba Cloud. For more information, see Organizations and Accounts.
- A VPC network is created. For more information, see Create a VPC.
Background information
In this example, a company has created a VPC network in the China (Hangzhou) region
and the CIDR block is 192.168.1.0/24. Due to service requirements, a staff member
needs to access the VPC network from a Windows client.

As shown in the preceding figure, you can create a VPN Gateway instance on Alibaba
Cloud, configure the SSL Certificates Service server, and then enable two-factor authentication.
To access resources deployed in an SSL-VPN enabled VPC network, you must pass both
SSL authentication and two-factor authentication. This improves the security and manageability
of VPN connections.
Procedure
Step 1: Create a VPN Gateway instance
VPN Gateway is an Internet-based service that securely and reliably connects enterprise
data centers, office networks, or Internet-facing terminals to Alibaba Cloud VPC networks
through encrypted connections.
Note Make sure that the VPN Gateway instance was created after 00:00, March 5, 2020. Otherwise,
two-factor authentication is not supported.
- Log on to the VPN gateway console.
- In the left-side navigation pane, choose .
- On the VPN Gateways page, click Create VPN Gateway.
- On the buy page, set the following parameters and click Buy Now to complete the payment:
- Name: Enter a name for the VPN Gateway instance.
- Region: Select the region where the instance will be deployed. In this example, select China (Hangzhou).
Note The VPC network that you want to connect and the VPN Gateway instance must be located
in the same region.
- VPC: Select the VPC network that you want to connect.
- Peak Bandwidth: Select the maximum bandwidth of the VPN Gateway instance. This value is the upper
limit of public network bandwidth supported by the VPN Gateway instance. In this example,
select 5Mbps.
- IPsec-VPN: Enable or disable the IPsec-VPN feature. After you enable this feature, you can
establish connections between an on-premises data center and a VPC network or between
two VPC networks. In this example, select Disable.
- SSL-VPN: Enable or disable the SSL-VPN feature. After you enable this feature, you can
connect to the VPC network from a client in any region. In this example, select Enable.
- SSL connections: Select the maximum number of concurrent SSL Certificates Service connections. In
this example, select 5.
Note You can configure SSL Certificates Service connections only when SSL-VPN authentication
is enabled.
- Billing Cycle: Select a billing cycle for the VPN Gateway instance.
Step 2: Create an SSL Certificates Service server
SSL-VPN is based on the OpenVPN framework. You must use an SSL Certificates Service
server to specify the CIDR blocks that you want to connect to and the CIDR blocks
that the client uses, and enable two-factor authentication.
- In the left-side navigation pane, click .
- In the top navigation bar, select the region of the SSL Certificates Service server.
In this example, select China (Hangzhou).
- On the SSL Servers page, click Create SSL Server.
- On the Create SSL Server page, set the following parameters and click OK:
- Name: Enter a name for the SSL Certificates Service server.
- VPN Gateway: Select the VPN Gateway instance that is specified in step 1.
- Local Network: Enter the CIDR blocks that the client accesses through SSL-VPN. In
this example, enter 192.168.1.0/24.
- Client Subnet: Enter a CIDR block to be used by the client to connect to the server. In this example,
enter 10.10.10.0/24.
- Advanced Configuration: In advanced settings, set the following parameters:
- Protocol: Select the protocol of SSL Certificates Service connections. Supported protocols
include UDP and TCP. In this example, select the default protocol.
- Port: The port used in SSL Certificates Service connections. In this example, use the
default port.
- Encryption Algorithm: The encryption algorithm used in SSL Certificates Service connections. Supported
encryption algorithms include AES-128-CBC, AES-192-CBC, and AES-256-CBC. In this example,
select the default algorithm.
- Enable Compression: Select whether to compress the transmitted data. In this example, use the default
setting.
- Two-factor Authentication: Enable two-factor authentication and select an IDaaS instance.
Alibaba Cloud Identity as a Service (IDaaS) is a unified identity authentication service
that allows one account to access all services. After you create and select an IDaaS instance,
two-factor authentication is enforced for the SSL dialing client: in addition to certificate
and key authentication, the client must also supply a user name and password that the IDaaS
instance verifies. Only after both checks pass does the SSL client establish the dial-up
connection and gain access to the resources deployed in the cloud.
Note If this is your first time using two-factor authentication, you must grant the VPN
Gateway instance the permission to access the IDaaS instance before you create the
SSL Certificates Service server.

Step 3 (optional): Configure Active Directory (AD) authentication for cloud services
By default, the user name and password of the IDaaS instance are used for two-factor
authentication. If you configure AD authentication as described below, SSL-VPN also
accepts AD credentials. If you only use the user name and password of the IDaaS instance
for authentication, skip this step.
- Log on to the as an administrator.
- On the Instances page, find the IDaaS instance you want to manage and click Management in the Actions column.
- In the left-side navigation pane, choose and click Add Authentication Source.
- In the Add Authentication Source dialog box that appears, find LDAP and click Add Authentication Source in the Actions column.
- In the Add Authentication Source (LDAP) dialog box that appears, create an LDAP authentication source.
- On the Authentication Source page, find the authentication source that you want to manage, click
in the Status column, and then click OK in the dialog box that appears.
- In the left-side navigation pane, choose .
- On the Security Settings page, click the Cloud product AD certification tab.
- Select the AD authentication source that you have created, enable this feature, and
then click Save.
Step 4: Create and download an SSL Certificates Service client certificate
To create and download an SSL Certificates Service client certificate based on the
SSL Certificates Service server configuration, follow these instructions:
- In the left-side navigation pane, choose .
- On the top of the page, select the region of the SSL Certificates Service client.
In this example, select China (Hangzhou).
- On the SSL Clients page, click Create Client Certificate.
- On the Create Client Certificate page, configure the SSL Certificates Service client certificate based on the following
information and click OK:
- Name: Enter a name for the SSL Certificates Service client certificate.
- SSL Server: Select the SSL Certificates Service server that you have created in step 2.
- On the SSL Clients page, find the created SSL Certificates Service client certificate, and click Download in the Actions column.
The SSL Certificates Service client certificate is downloaded to your local device.
Step 5: Configure the Windows client
The following steps show how to configure a Windows client.
- Download and install the OpenVPN client.
- Extract the certificate from the package downloaded in step 4 and copy it to OpenVPN\config.
In this example, the certificate is copied to C:\Program Files\OpenVPN\config. You must copy the certificate to the actual installation directory.
- Start the OpenVPN client and enter the user name and password for authentication.
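Before starting the OpenVPN client it is worth confirming that the profile downloaded in step 4 actually matches the SSL server settings chosen in step 2 (protocol, port, encryption algorithm, compression) and that it contains the `auth-user-pass` directive, without which OpenVPN never prompts for the IDaaS user name and password and the two-factor step cannot happen. The following checker is an added example, not code from this page or from Alibaba Cloud. The sample profile is constructed, the server address 203.0.113.10 is a documentation placeholder, and the expected values assume the defaults from step 2 (UDP, port 1194, AES-128-CBC, compression disabled); adjust `EXPECTED` to whatever you selected.

```python
"""Check an OpenVPN (.ovpn) client profile against the SSL server settings.

Added example for the SSL-VPN two-factor set-up described above; not part of
the original page. Sample profile and EXPECTED values are constructed.
"""

# Encryption algorithms the SSL server offers (from the step 2 description).
ALLOWED_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}

# Assumed step 2 choices: default protocol/port, default cipher, no compression.
EXPECTED = {"proto": "udp", "port": 1194, "cipher": "AES-128-CBC", "compress": False}

# Constructed sample profile; 203.0.113.10 is a placeholder, not a real gateway.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
cipher AES-128-CBC
auth-user-pass
ca ca.crt
cert client.crt
key client.key
verb 3
"""


def parse_profile(text):
    """Map each directive to a list of its argument lists.

    Comments (# or ;) are skipped, as are inline <ca>...</ca> style blocks,
    whose body is PEM data rather than directives.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_profile(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the profile is as expected."""
    d = parse_profile(text)
    findings = []

    # Two-factor authentication: the client must prompt for user name/password.
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: client will not prompt for the IDaaS user name/password")
    # Certificate/key authentication material must be referenced.
    for directive in ("ca", "cert", "key"):
        if directive not in d:
            findings.append(f"{directive} missing: certificate authentication incomplete")

    # Protocol: normalise udp6/tcp4/tcp-client variants to udp/tcp.
    proto = d.get("proto", [["udp"]])[0][0].lower().split("-")[0].rstrip("46")
    if proto != expected["proto"]:
        findings.append(f"proto {proto} does not match server setting {expected['proto']}")

    # Port: OpenVPN defaults to 1194 when the remote line carries no port.
    remotes = d.get("remote", [])
    if not remotes:
        findings.append("remote missing: no server address")
    for r in remotes:
        port = int(r[1]) if len(r) > 1 else 1194
        if port != expected["port"]:
            findings.append(f"remote port {port} does not match server port {expected['port']}")

    # Cipher: must be one the server offers and the one actually selected.
    cipher = d.get("cipher", [[None]])[0][0]
    if cipher not in ALLOWED_CIPHERS:
        findings.append(f"cipher {cipher} is not one offered by the SSL server")
    elif cipher != expected["cipher"]:
        findings.append(f"cipher {cipher} differs from server choice {expected['cipher']}")

    # Compression: client and server must agree.
    compressed = "comp-lzo" in d or "compress" in d
    if compressed != expected["compress"]:
        findings.append("compression setting differs from server setting")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["profile matches expected settings"]:
        print(finding)
```

Run it against the real `.ovpn` file from the downloaded package by reading the file into `check_profile`; any finding other than an empty list means the client will not negotiate with the SSL server as configured, or will skip the user name and password prompt.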
Step 6: Test the connectivity
Complete the following steps to test the connectivity between the Windows client and
VPC network.
- Open the command prompt in the Windows client.
- Run the ping command against the IP address of the VPC-connected Elastic Compute Service (ECS) instance. This
command tests the connectivity between the Windows client and the VPC network.
If the ECS instance replies, the Windows client can access it through the SSL-VPN connection.
