WUYING Workspace:Use SSL-VPN to access cloud computers from a WUYING client over a private network

Last Updated:Dec 18, 2023

SSL-VPN is a virtual private network (VPN) that is created by using the Secure Sockets Layer (SSL) protocol based on OpenVPN. After you deploy the required resources, you only need to load the SSL client certificate on OpenVPN and initiate an SSL-VPN connection between OpenVPN and a virtual private cloud (VPC) to access applications and services that are deployed in the VPC from OpenVPN. This topic describes how to use SSL-VPN to connect an OpenVPN client to the secure office network (formerly called workspace) of a cloud computer in WUYING Workspace. This way, you can access the cloud computer from the OpenVPN client over a private network.

Preparations

Before you begin, read the Access a cloud computer over a private network topic and make sure that the following preparations are complete:

  • A Cloud Enterprise Network (CEN) instance is created. If you do not have a CEN instance, create a CEN instance before you proceed. For more information, see Create a CEN instance.

  • A virtual private cloud (VPC) is created. If you do not have a VPC, create a VPC and attach it to the CEN instance before you proceed. For more information, see Create a VPC and a vSwitch or Manage network instances.

  • An office network is created. If you do not have an office network, create a convenience office network or an Active Directory (AD) office network and attach the VPC of the office network to the CEN instance. For more information, see Create or delete a convenience office network or Create and configure an AD office network.

    Important
    • Before you create an office network, you must plan the IPv4 CIDR block of the office network that you want to create. This can prevent CIDR block conflicts between the office network and the CEN instance or between the office network and the on-premises data center. For more information, see Plan a CIDR block.

    • If you already have a convenience office network, you must attach the convenience office network to the CEN instance.

    • If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud. This way, WUYING Workspace can connect to your AD system. Before you configure an AD domain, you need to create an AD office network and connect the on-premises network to the cloud.

  • An end user and a cloud computer are created. The cloud computer is assigned to the end user.

    If no end user or cloud computer exists, create an end user and a cloud computer based on the type of the office network, and assign the cloud computer to the end user.

  • An on-premises device is prepared to install the OpenVPN client and the Alibaba Cloud Workspace client. Make sure that the clients are installed on the same device.

    Note
    • The SSL-VPN solution can be used on a Windows client or a macOS client of Alibaba Cloud Workspace.

    • An Alibaba Cloud Workspace client such as the Windows client, macOS client, or web client is installed on your on-premises device. You can log on to the installed client and check whether you can access your cloud computer over the VPC.

Step 1: Configure SSL-VPN

When you configure SSL-VPN, you must create a VPN gateway, create an SSL server, publish the CIDR block of the Alibaba Cloud Workspace client to Cloud Enterprise Network (CEN), and then create an SSL client certificate. This section describes how to configure SSL-VPN.

  1. Create a VPN gateway and enable SSL-VPN. For more information, see Create a VPN gateway.

    The following list describes the parameters that you set when you create a VPN gateway, together with the value used in this example.

    Instance Name
      Description: Enter a name for the VPN gateway.
      Example: test-vpn

    Region
      Description: Select the region where you want to deploy the VPN gateway. The VPN gateway must be deployed in the same region as the VPC that you want to associate with the VPN gateway.
      Example: China (Hangzhou)

    Network Type
      Description: Select the network type of the VPN gateway.
      • Public: The VPN gateway can be used to establish VPN connections over the Internet.
      • Private: The VPN gateway can be used to establish VPN connections over a private network.
      Example: Public

    VPC
      Description: Select the VPC with which you want to associate the VPN gateway.
      Example: test-vpc

    Specify VSwitch
      Description: Specify whether to associate the VPN gateway with a specified vSwitch.
      • No: The VPN gateway is associated with a random vSwitch of the VPC.
      • Yes: The VPN gateway is associated with the vSwitch of the VPC that you specify.
      Example: No

    Peak Bandwidth
      Description: Specify a peak bandwidth for the VPN gateway. Unit: Mbit/s.
      Example: 200 Mbit/s

    Traffic
      Description: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.
      Example: Pay-by-data-transfer

    IPsec-VPN
      Description: Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. You can use IPsec-VPN to establish a secure connection between a data center and a VPC or between VPCs.
      Example: Disable

    SSL-VPN
      Description: Specify whether to enable SSL-VPN for the VPN gateway. Default value: Disable. SSL-VPN allows you to establish secure connections between clients and servers without the need to configure customer gateways. For example, you can establish SSL-VPN connections between Linux clients and VPCs.
      Example: Enable

    SSL connections
      Description: Select the maximum number of concurrent SSL-VPN connections for the VPN gateway.
      Note: This parameter is valid only after you enable SSL-VPN.
      Example: 5

    Duration
      Description: Specify the billing cycle. Default value: By Hour.
      Example: 1 Month

    Service-linked Role
      Description: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create one.
      Example: /

  2. Create an SSL server. For more information, see Create an SSL server.

    The following list describes the parameters that you set when you create an SSL server, together with the value used in this example.

    Name
      Description: Enter a name for the SSL server. The name must be 2 to 128 characters in length, and can contain digits, hyphens (-), and underscores (_). The name must start with a letter.
      Example: test-ssl

    VPN Gateway
      Description: Select the VPN gateway that you want to associate with the SSL server. Make sure that SSL-VPN is enabled for the VPN gateway.
      Example: test-vpn

    Local Network
      Description: Enter the local CIDR block that a client needs to access by using the SSL-VPN connection. The local CIDR block can be the CIDR block of a VPC, a vSwitch, a cloud service, such as Object Storage Service (OSS) or ApsaraDB RDS, or a data center that is connected by using a VPC or an Express Connect circuit. Click Add Local Network to add more local CIDR blocks.
      Note: The subnet mask of a local CIDR block must be 8 to 32 bits in length.
      Example: You must add the following CIDR blocks:
      • CIDR block of the office network VPC: 172.16.111.0/24
      • CIDR block of the user VPC: 192.168.0.0/16
      • CIDR block of the DNS server in the VPC and of Alibaba Cloud OpenAPI: 100.64.0.0/10 (this value is fixed)

    Client CIDR Block
      Description: Enter the CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of a client. Do not enter the private CIDR block of the client. When the client accesses the destination network by using an SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client. Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections that the VPN gateway allows.
      Important
      • The subnet mask of the client CIDR block must be 16 to 29 bits in length.
      • Make sure that the local CIDR block and the client CIDR block do not overlap with each other.
      • We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must also specify that public CIDR block as the user CIDR block of the VPC. This way, the VPC can access the public CIDR block. For more information, see What is customer CIDR block? and the "How do I configure a user CIDR block?" section of the FAQ topic.
      Example: 10.10.111.0/24

    Advanced Configuration
      Description: In the Advanced Configuration section, you can configure advanced settings of the SSL server, including the protocol and encryption algorithm. Advanced settings are not covered in this example.
      Example: Use the default values.

  3. Publish the client CIDR block that you specified in the SSL-VPN server to CEN.

    1. In the left-side navigation pane, click Route Tables.

    2. On the Route Tables page, find the VPC to which you want to connect and click the ID of the route table instance that uses the VPC.

    3. On the page that appears, choose Route Entry List > Custom Route.

    4. Find the client CIDR block and click Publish.

      If Advertised is displayed in the Route Status in CEN column, the CIDR block is published.

  4. Create an SSL client certificate. For more information, see Create an SSL client certificate.

  5. On the SSL Clients page, find the SSL client certificate that you want to download and click Download in the Actions column.

    The SSL client certificate is downloaded to your local computer and is used when you configure the OpenVPN client in the following steps.
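The CIDR rules that Step 1 states for the SSL server (local prefix 8 to 32 bits, client prefix 16 to 29 bits, no overlap between client and local blocks, at least four client addresses per SSL-VPN connection, and a client block taken from a private range) are easy to get wrong when planning, and a wrong plan only shows up later as a timeout in Step 3. The following checker is an added example, not part of the original documentation or of any Alibaba Cloud tool; the function name, its messages, and the constructed test values are assumptions of this example, while the CIDR values themselves are the ones used on this page.

```python
import ipaddress

# Example values from the SSL server parameters above (constructed for this check).
LOCAL_NETWORKS = [
    "172.16.111.0/24",  # office network VPC
    "192.168.0.0/16",   # user VPC
    "100.64.0.0/10",    # VPC DNS server and Alibaba Cloud OpenAPI (fixed value)
]
CLIENT_CIDR = "10.10.111.0/24"
MAX_SSL_CONNECTIONS = 5  # the "SSL connections" value chosen for the VPN gateway

# Ranges the page recommends taking the client CIDR block from.
RECOMMENDED_CLIENT_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def check_ssl_server_cidrs(local_networks, client_cidr, max_connections):
    """Return the rule violations found (an empty list means the plan is consistent).
    Rules: local prefix 8-32 bits, client prefix 16-29 bits, client block
    disjoint from every local block, at least four client addresses per
    SSL-VPN connection, and client block inside a recommended private range.
    """
    try:
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:  # host bits set, or not a CIDR at all
        return [f"client block {client_cidr!r} is not a valid network: {exc}"]

    problems = []
    if not 16 <= client.prefixlen <= 29:
        problems.append(f"client block {client}: prefix must be 16-29 bits")
    needed = 4 * max_connections
    if client.num_addresses < needed:
        problems.append(f"client block {client}: {client.num_addresses} addresses, "
                        f"need at least {needed} for {max_connections} connections")
    if not any(client.subnet_of(rng) for rng in RECOMMENDED_CLIENT_RANGES):
        problems.append(f"client block {client}: outside 10/8, 172.16/12 and 192.168/16; "
                        "a public block must also be set as the VPC user CIDR block")

    for cidr in local_networks:
        try:
            local = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"local block {cidr!r} is not a valid network: {exc}")
            continue
        if not 8 <= local.prefixlen <= 32:
            problems.append(f"local block {local}: prefix must be 8-32 bits")
        if local.overlaps(client):
            problems.append(f"client block {client} overlaps local block {local}")
    return problems
```

Run the check before you fill in the console form; a client block such as 192.168.5.0/24 is rejected because it overlaps the user VPC block, and a /30 is rejected both for its prefix length and because it cannot serve five connections.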

Step 2: Configure OpenVPN on a local computer for private network connection

You must install OpenVPN on a local computer and log on to OpenVPN. After you configure DNS settings on your local computer, you can connect to a cloud computer from the OpenVPN client over a private network with a few clicks. The following section describes how to install OpenVPN, initiate the connection, and configure the DNS settings.

  1. Install OpenVPN on the local computer.

    We recommend that you use OpenVPN to connect to a VPC. The following section describes how to install OpenVPN on a local computer that runs Windows or macOS.

    • Windows

      1. Click OpenVPN to download OpenVPN.

      2. Install OpenVPN.

      3. Decompress the package of the SSL client certificate that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.

        Important

        Copy the certificate to the corresponding directory in which OpenVPN is installed. For example, if OpenVPN is installed in the C:\Program Files\OpenVPN directory, you must decompress the certificate package, and then copy the certificate to the C:\Program Files\OpenVPN\config directory.

    • macOS

      1. Run the following command to install OpenVPN. Homebrew must be installed before you run this command.

        brew install openvpn

      2. Decompress the package of the SSL client certificate and copy the certificate to the OpenVPN config directory. The connection command in the next step reads its configuration from /usr/local/etc/openvpn.

  2. Launch OpenVPN and initiate a connection.

    • Windows: Launch OpenVPN and initiate a connection.

    • macOS: Run the following command to initiate a connection:

      sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn

  3. Configure DNS settings on the local computer.

    Before you configure DNS settings, you can run the following command to test whether the domain name in the command can be resolved.

    nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

    If an IP address is returned, the domain name can be resolved as expected. Then, you can skip this step. If no IP address is returned, perform the following steps to configure DNS settings:

    1. Add 100.100.2.136 or 100.100.2.138 to the DNS server list.

      In this example, a local computer that runs Windows 10 is used.

      1. Go to Control Panel and open Network and Sharing Center.

      2. In the left-side navigation pane, click Change adapter settings.

      3. Right-click the network adapter that corresponds to OpenVPN and select Properties.

      4. In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).

      5. In the dialog box that appears, select Use the following DNS server addresses and specify the DNS servers that the OpenVPN adapter uses.

        You can set the Preferred DNS server parameter to 100.100.2.136 and the Alternative DNS server parameter to 100.100.2.138.

    2. Run the following command to check whether the DNS settings take effect.

      nslookup ecd-vpc.cn-hangzhou.aliyuncs.com

Step 3: Check whether you can access a cloud computer over a private network

The SSL-VPN solution can be used on a Windows client or a macOS client of Alibaba Cloud Workspace.

Note

In this example, a Windows client of Alibaba Cloud Workspace V5.2.0 is used to check whether the access to a cloud computer over a VPC is allowed. You can also use another client to access your cloud computer over a VPC based on your business requirements.

  1. Obtain the information that is required to log on to the Windows client, such as the office network ID, username, and password, from the email that you received.

    1. Double-click the WUYING Workspace client icon to open the Windows client.

    2. Follow the on-screen instructions to enter the username and password.

      Important

      If you log on to a client by using only an office network ID, select Alibaba Cloud VPC.

    3. Click Switch Connection Type, select Alibaba Cloud VPC, and then click OK.

    4. Click Next.

    5. Follow the on-screen instructions to enter the username and password. Then, click Next.

  2. Connect to the cloud computer.

    If the client logon is successful, your cloud computer is displayed as a card on your screen. You can click Connect Desktop on the card to connect to your cloud computer. If the connection is successful, you can view and use your cloud computer in a new window.

    Important

    If a network request timeout error is reported, the network is inaccessible. In this case, you need to check your parameter settings. After you confirm your parameter settings, you can log on to your client and connect to your cloud computer again.