VPN Gateway: Establish an SSL-VPN connection by using LDAP authentication

Last Updated: Oct 19, 2023

This topic describes how to establish an SSL-VPN connection by using the Lightweight Directory Access Protocol (LDAP) authentication feature of Identity as a Service (IDaaS).

Background information

A company has created a virtual private cloud (VPC) in the US (Silicon Valley) region. The CIDR block of the VPC is 192.168.0.0/16. Due to business requirements, staff on business trips need to access resources deployed in the VPC from remote clients.

(Figure: LDAP authentication architecture)

The company has built an Active Directory (AD) system. For security purposes, the company requires that staff must pass identity authentication provided by the AD system before the staff can access resources deployed in the VPC.

You can create a VPN gateway in the cloud, configure the SSL server, enable two-factor authentication, and specify an IDaaS instance to perform LDAP authentication. Before an employee can log on to the OpenVPN client and establish an SSL-VPN connection, the employee must pass the LDAP authentication provided by the IDaaS system. During LDAP authentication, IDaaS sends the username and password provided by the employee to the AD system and receives the result. Only after the employee passes the authentication does the VPN gateway establish an SSL-VPN connection that allows the employee to access resources in the VPC.

Preparations

Before you start, make sure that the following requirements are met:

  • A Standard Edition IDaaS instance is purchased.

    In this example, a Standard Edition IDaaS instance is purchased in the Singapore region.

    Important

    Two-factor authentication supports only IDaaS instances of earlier versions.

    If you do not have and cannot create IDaaS instances of earlier versions, you cannot enable two-factor authentication.

  • A VPC is created. For more information, see Create and manage a VPC.

    In this example, a VPC is created in the US (Silicon Valley) region and the CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the Elastic Compute Service (ECS) instance is 192.168.0.0/24.

  • The public IP address and service port of the server (LDAP server) where the AD system is deployed are obtained.

    In this example, the AD system is deployed in a server that runs the Windows Server 2019 operating system. The public IP address of the LDAP server is 47.XX.XX.8 and the service port is 389.

  • The Base DN of the LDAP server is obtained.

    In this example, the Base DN of the LDAP server is dc=zxtest,dc=com.

  • The DN, username, and password of the administrator of the LDAP server are obtained.

In this example, the administrator username is Administrator and the password is 1****2. The administrator DN is cn=Administrator,cn=Users,dc=zxtest,dc=com, as shown in the following figure.

    (Figure: administrator DN)

Procedure

(Figure: LDAP configuration steps)

Step 1: Enable LDAP authentication

Before you can establish an SSL-VPN connection, you must enable LDAP authentication in the IDaaS instance and synchronize Alibaba Cloud account data for further authentication.

  1. Add the LDAP authentication source.

    1. Log on to the IDaaS console .

    2. On the EIAM page, click the Legacy Version tab and find the instance ID.

    3. In the left-side navigation pane, click Authentication Sources.

    4. In the upper-right corner of the Authentication Sources page, click Add Authentication Source.

    5. On the Add Authentication Source page, find the LDAP icon and click Add Authentication Source in the Actions column.

    6. In the Add Authentication Source (LDAP) panel, set the following parameters and click Submit.

      • ID: This value is automatically generated by the system.

      • Name: Enter a custom name.

      • LDAP URL: Enter the URL of the LDAP server. The LDAP server refers to the server where the AD system is deployed. Format: ldap://127.0.0.1:389/. Example: ldap://47.XX.XX.8:389/.

        If the server uses an IPv6 address, set the value in the following format: ldap://[0000:0000:0000:0000:0000:0000:0001]:389/.

        Note

        IDaaS can be accessed only over the Internet. The LDAP server must provide a public IP address and open port 389. You can configure the security group of the LDAP server to allow only the public IP address of IDaaS to access the LDAP server. For more information about the public IP address of IDaaS, submit a ticket to the IDaaS team.

      • LDAP Base: Enter the Base DN of the LDAP server. dc=zxtest,dc=com is used in this example.

      • LDAP Account: Enter the administrator account DN of the LDAP server. cn=Administrator,cn=Users,dc=zxtest,dc=com is used in this example.

      • LDAP account password: Enter the password of the administrator of the LDAP server.

      • Filter Condition: Enter the filter condition used to query account names. (sAMAccountName=$username$) is used in this example.

        For more information about filter conditions, see LDAP Filters. $username$ is a fixed placeholder that IDaaS replaces with the username entered at logon.

    7. On the Authentication Sources page, find the authentication source and click Enable in the Status column. In the dialog box that appears, click OK to enable the LDAP authentication source.

  2. Configure LDAP account synchronization to import account data from the LDAP server to the IDaaS system.

    1. In the left-side navigation pane, click Organizations and Groups.

    2. In the upper-right corner of the Organizations and Groups page, click Configure LDAP. In the Configure LDAP panel, click Create.

    3. On the Server Connection tab of the Configure LDAP panel, set the following parameters and click Save.

      • AD/LDAP Name: Enter a custom name.

      • Server Address: Enter the public IP address of the LDAP server. 47.XX.XX.8 is used in this example.

      • Port Number: Enter the number of the port used by the LDAP server to provide services. 389 is used in this example.

      • Base DN: Enter the DN of the directory node whose accounts you want to synchronize. dc=zxtest,dc=com is used in this example.

        Note

        If Base DN is changed when IDaaS is synchronizing data with the LDAP or AD server, the system may fail to synchronize data due to unmatched organization directories. Therefore, do not modify Base DN after you set it. If you want to synchronize data with more than one directory, we recommend that you configure LDAP multiple times.

      • Administrator DN: Enter the administrator DN. cn=Administrator,cn=Users,dc=zxtest,dc=com is used in this example.

      • Password: Enter the password of the administrator.

      • Select Type: Select the type of your LDAP server. Windows AD is selected in this example.

      • Owned OU node: Select the IDaaS organization node to which account data is imported. If you leave this parameter empty, data is imported to the root organization unit (OU). This parameter is left empty in this example.

      • From LDAP to IDaaS: If you select Enable, you can manually synchronize data from the LDAP server to the IDaaS system. Enable is selected in this example.

      • Provision from IDaaS to LDAP: If you select Enable, data from the IDaaS system can be automatically synchronized to the LDAP server. Enable is selected in this example.

      After you set the preceding parameters, you can click Connection to test the connectivity. If the test fails, check the network connectivity and whether the parameters are correctly set.

    4. On the Field Matching Rules tab of the Configure LDAP panel, set the following parameters and click Save.

      Field matching rules are used to match the fields of the IDaaS system with the attributes of the LDAP server. For example, the cn field of the LDAP server corresponds to the username of the IDaaS system.

      • Username: cn is used in this example.

        Note

        If the cn attribute contains Chinese characters in the AD system, it cannot be matched to the IDaaS username. We recommend that you use the sAMAccountName attribute instead.

      • External ID: If the type of the LDAP server is Windows AD, enter objectGUID. If the type of the LDAP server is OpenLdap, enter uid. objectGUID is used in this example.

      • Password Attribute: If the type of the LDAP server is Windows AD, enter unicodePwd. If the type of the LDAP server is OpenLdap, enter userPassword. unicodePwd is used in this example.

      • User Unique Identifier: If the type of the LDAP server is Windows AD, enter DistinguishedName. If the type of the LDAP server is OpenLdap, enter EntryDN. DistinguishedName is used in this example.

      • Email: mail is used in this example.

    5. On the OUs and Groups page, choose Import > LDAP > OU.

    6. In the LDAP List panel, find the LDAP server and click Import. In the message that appears, click OK. In the OU Temporary Data panel, confirm the organization information and click Confirm Import.

    7. In the OUs section, select the organization. In the Details section, choose Import > LDAP > Account.

    8. In the LDAP List panel, find the LDAP server and click Import. In the message that appears, click OK. In the Account Temporary Data LDAP List panel, confirm the account information and click Confirm Import to synchronize the account information from the LDAP server to the IDaaS system.

  3. Enable LDAP authentication for cloud services.

    1. In the left-side navigation pane, choose Settings > Security Settings.

    2. On the Security Settings page, click the Cloud Product AD Authentication tab.

    3. Select the LDAP authentication source that you created, enable this feature, and then click Save.

      (Figure: authentication source)
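The Filter Condition in Step 1 tells IDaaS how to turn the name typed into the OpenVPN client into a directory search. The following Python is added here and is not part of the Alibaba Cloud documentation or of IDaaS itself: it renders that template with RFC 4515 escaping and evaluates the result against a small constructed directory, so you can see the property a reviewer would check (each logon name selects exactly one entry, and special characters in the name are matched literally). The evaluator, the sample entries and their DNs are assumptions.

```python
import re

# Template exactly as entered in the Filter Condition parameter in Step 1.
FILTER_TEMPLATE = "(sAMAccountName=$username$)"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value. Backslash goes first so the escapes we introduce are not escaped again.
_ESCAPE_ORDER = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                 (")", r"\29"), ("\0", r"\00"))


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in an LDAP filter."""
    for ch, esc in _ESCAPE_ORDER:
        value = value.replace(ch, esc)
    return value


def render_filter(template: str, username: str) -> str:
    """Replace the fixed $username$ placeholder with the escaped logon name."""
    return template.replace("$username$", escape_filter_value(username))


# Minimal evaluator for one simple equality/presence filter (an assumption; the
# AD server behind IDaaS does this itself). Enough to show the effect of escaping.
_SIMPLE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(filter_str: str, entry: dict) -> bool:
    m = _SIMPLE.match(filter_str)
    if m is None:
        raise ValueError(f"unsupported or malformed filter: {filter_str!r}")
    attr, raw = m.group("attr").lower(), m.group("value")
    present = {k.lower(): v for k, v in entry.items()}
    if raw == "*":                      # presence filter: any entry with the attribute
        return attr in present
    # AD compares sAMAccountName case-insensitively.
    return attr in present and present[attr].casefold() == _unescape(raw).casefold()


def lookup(template: str, username: str, directory: list) -> list:
    """Return the DNs the rendered filter selects; IDaaS expects exactly one."""
    f = render_filter(template, username)
    return [e["distinguishedName"] for e in directory if entry_matches(f, e)]


# Constructed sample entries under the Base DN used on this page (not real accounts).
DIRECTORY = [
    {"sAMAccountName": "alice", "cn": "Alice Liu",
     "distinguishedName": "cn=Alice Liu,cn=Users,dc=zxtest,dc=com"},
    {"sAMAccountName": "bob", "cn": "Bob Chen",
     "distinguishedName": "cn=Bob Chen,cn=Users,dc=zxtest,dc=com"},
]

if __name__ == "__main__":
    print(lookup(FILTER_TEMPLATE, "alice", DIRECTORY))  # one DN
    print(lookup(FILTER_TEMPLATE, "*", DIRECTORY))      # []: '*' is matched literally
```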

Step 2: Deploy SSL-VPN

After you enable LDAP authentication, you can deploy SSL-VPN, enable two-factor authentication for SSL-VPN, and associate the IDaaS instance. Then, you can establish an SSL-VPN connection after you pass the LDAP authentication.

  1. Create a VPN gateway.

    1. Log on to the VPN Gateway console.

    2. In the left-side navigation pane, choose VPN > VPN Gateways.

    3. On the VPN Gateways page, click Create VPN Gateway.

    4. On the buy page, set the following parameters and click Buy Now to complete the payment:

      • Name: Enter a name for the VPN gateway.

      • Region: Select the region where you want to deploy the VPN gateway. US (Silicon Valley) is selected in this example.

        Note

        Make sure that the VPN gateway and the VPC are deployed in the same region.

      • Gateway Type: Select the type of VPN gateway that you want to create. In this example, Standard is selected.

      • Network Type: Select the network type of the VPN gateway. Public is selected in this example.

      • Tunnels: The system displays the mode supported by the IPsec-VPN connection in the region.

      • VPC: Select the VPC where you want to deploy the VPN gateway.

      • vSwitch: Select a vSwitch from the VPC.

      • vSwitch 2: Select another vSwitch from the VPC.

        Ignore this parameter if you select Single-tunnel.

      • Maximum Bandwidth: Specify the maximum bandwidth for the VPN gateway. The bandwidth is used for data transfer over the Internet. 10 Mbit/s is selected in this example.

      • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.

      • IPsec-VPN: You can enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between a data center and a VPC or between two VPCs. In this example, Disable is selected.

      • SSL-VPN: You can enable or disable the SSL-VPN feature. After you enable this feature, you can connect to the VPC from a client regardless of the location. In this example, Enable is selected.

      • SSL Connections: Select the maximum number of concurrent SSL connections that the VPN gateway supports. 5 is selected in this example.

        Note

        This parameter is available only if you enable SSL-VPN.

      • Duration: By default, the VPN gateway is billed on an hourly basis.

      • Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.

        The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is created and you do not need to create it again.

  2. Create an SSL server.

    1. In the left-side navigation pane, choose VPN > SSL Servers.

    2. In the top navigation bar, select the region where you want to create the SSL server.

      US (Silicon Valley) is selected in this example.

    3. On the SSL Servers page, click Create SSL Server.

    4. In the Create SSL Server panel, set the following parameters for the SSL server, and click OK.

      • Name: Enter a name for the SSL server.

        The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

      • VPN Gateway: Select the VPN gateway that you created.

      • Local Network: Enter the CIDR block to be accessed by the client over the SSL-VPN connection. 192.168.0.0/24 is used in this example.

      • Client CIDR Block: Enter the CIDR block that the client uses to connect to the SSL server. 10.0.0.0/24 is used in this example.

      • Advanced Configuration: Enable advanced configurations and set the following parameters.

        • Protocol: Select the protocol for the SSL-VPN connection. Valid values: UDP and TCP. The default value TCP is used in this example.

        • Port: Specify the port used by the SSL-VPN connection. The default value 1194 is used in this example.

        • Encryption Algorithm: The encryption algorithm used in the SSL-VPN connection. Supported encryption algorithms include AES-128-CBC, AES-192-CBC, and AES-256-CBC. The default algorithm AES-128-CBC is used in this example.

        • Compressed: Specify whether to compress the data that is transmitted over the SSL-VPN connection. The default setting No is used in this example.

        • Two-factor Authentication: Enable two-factor authentication and select an IDaaS instance.

          • IDaaS Instance Region: Select the region where the IDaaS instance resides. Singapore is selected in this example.

          • IDaaS Instance: Select an IDaaS instance.

          Note

          If this is your first time using two-factor authentication, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.

  3. Create and download an SSL client certificate.

    1. In the left-side navigation pane, choose VPN > SSL Clients.

    2. In the top navigation bar, select the region where the SSL client is deployed.

      US (Silicon Valley) is selected in this example.

    3. On the SSL Clients page, click Create SSL Client Certificate.

    4. In the Create SSL Client Certificate panel, set the following parameters and click OK.

      • Name: Enter a name for the SSL client certificate.

        The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

      • SSL Server: Select the SSL server that you created.

    5. On the SSL Clients page, find the SSL client certificate that you created and click Download in the Actions column.

      The SSL client certificate is downloaded to your on-premises device.

Step 3: Configure the client

  • If you use a Windows client, perform the following steps:

    1. Download and install OpenVPN.

      Download OpenVPN.

    2. Decompress the downloaded SSL client certificate package and copy the SSL client certificate to the OpenVPN\config directory. In this example, the certificate is copied to C:\Program Files\OpenVPN\config. You must copy the certificate to the directory where OpenVPN is installed.

    3. Start the OpenVPN client and enter the username and password for authentication.

      (Figure: LDAP client authentication)

  • If you use a Linux client, perform the following steps:

    1. Run the following command to install the OpenVPN client:

      yum install -y openvpn

    2. Extract and copy the downloaded SSL client certificate to the /etc/openvpn/conf/ directory.

    3. Run the following command to start the OpenVPN client and enter the username and password for authentication.

      openvpn --config /etc/openvpn/conf/config.ovpn --daemon

      (Figure: starting OpenVPN)

  • If you use a Mac client, perform the following steps:

    1. Run the following command to install the OpenVPN client:

      brew install openvpn

      Note

      If Homebrew is not installed, install Homebrew first.

    2. Run the following command to delete the default configuration file:

      rm /usr/local/etc/openvpn/*

    3. Run the following command to copy the file to the configuration directory:

      cp cert_location /usr/local/etc/openvpn/

      In the preceding command, replace cert_location with the directory where the SSL client certificate is downloaded. For example, /Users/example/Downloads/certs.zip.

    4. Run the following command to decompress the downloaded certificate and copy it to the configuration directory.

      cd /usr/local/etc/openvpn
      unzip /usr/local/etc/openvpn/certs.zip

    5. Run the following command to establish a connection and enter the username and password for authentication.

      sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn

      (Figure: two-factor authentication on the Mac client)

Step 4: Test the network connectivity

After you complete the preceding steps, you can run the ping command to test the connectivity between the client and VPC. A Windows client is used in the following example to describe how to test the connectivity between the client and the VPC.

  1. Open the CLI on the Windows client.

  2. Run the ping command to ping the IP address of an ECS instance deployed in the VPC. This command is used to test the connectivity between the Windows client and the VPC.

    Note

    Make sure that the security group rules of the ECS instance allow remote access from the Windows client. For more information, see Security groups for different use cases.

    The test result shows that the Windows client can access the ECS instance.

    (Figure: connectivity test)