SSL-VPN connects a client (Windows, Linux, Android, or macOS) to a VPC's private network for secure access over the internet.
For iOS and iPadOS clients, see Connect an iPhone or iPad to a VPC by using an SSL-VPN connection.
Use case
Objective: Create an SSL-VPN-enabled VPN Gateway that enables a local client to securely access an ECS instance in a VPC by using its private IP address.
This scenario uses the following resources:
- VPC
  - Name: vpc-demo
  - Region: China (Hangzhou)
  - CIDR block: 10.0.0.0/16
  - vSwitches: Two vSwitches named vsw1 and vsw2.
    - vsw1 is in zone J with the CIDR block 10.0.0.0/24.
    - vsw2 is in zone K with the CIDR block 10.0.1.0/24.
- ECS: An ECS instance with the private IP address 10.0.0.1, running the Alibaba Cloud Linux 3.2104 LTS 64-bit operating system.
- Client's on-premises network: 172.16.0.0/16
Step 1: Configure cloud VPN resources
Before connecting a client to the VPC, create and configure a VPN Gateway, an SSL server, and an SSL client in the Alibaba Cloud console.
1. Create a VPN Gateway
A VPN Gateway is the cloud-side entry and exit point for SSL-VPN connections.
- Go to the VPN Gateway page and click Create VPN Gateway.
- On the VPN Gateway page, configure the following parameters:
  - Instance Name: vpn-demo
  - Region: China (Hangzhou).
  - VPC: Select the VPC that you want the client to access.
  - vSwitch 1/vSwitch 2: Select vsw1 and vsw2 respectively. VPN Gateway instances use a dual-active architecture. To ensure cross-zone high availability in a region that supports multiple zones, your VPC must have at least two vSwitches in different zones. If this requirement is not met, create a vSwitch first.
  - Maximum Bandwidth: 10 Mbps
  - IPsec-VPN: Disabled (This option is available only after you enable SSL-VPN below.)
  - SSL-VPN: Enable.
  - SSL-VPN Connections: 5.
  - Service-linked Role: If a service-linked role does not exist, click Create Service-linked Role.
  For detailed parameter descriptions, see Create and manage a VPN Gateway instance.
- After completing the purchase, the VPN Gateway instance appears on the VPN Gateway page. A newly created VPN Gateway instance is in the Preparing state. The state changes to Normal in about 1 to 5 minutes. The instance is then ready for use.
2. Create an SSL server
An SSL server defines the cloud network that clients can access and configures the client IP address pool.
- Go to the SSL Servers page. In the top navigation bar, select the China (Hangzhou) region, and then click Create SSL Server.
- In the Create SSL Server panel, configure the following settings:
  - Name: Enter server-demo.
  - VPN Gateway: Select the VPN Gateway instance that you just created.
  - Local Network: Enter the VPC's CIDR block: 10.0.0.0/16. This CIDR block defines the cloud network that clients can access. This is typically the CIDR block of your VPC.
  Keep the other options at their default values. For detailed parameter descriptions, see Create and manage an SSL server.
3. Create an SSL client and download the certificate
An SSL client manages client certificates. Each client that needs to connect must import a certificate for authentication and encryption.
- In the left-side navigation pane, choose Interconnections > VPN > SSL Clients. In the top navigation bar, ensure that the China (Hangzhou) region is selected. On the SSL Client page, click Create SSL Client.
- In the Create SSL Client panel, enter client-demo for Name, select server-demo for SSL Server, and then click OK.
- On the SSL Client page, find the SSL client that you created and, in the Actions column, click Download Certificate.
Step 2: Configure the client
Follow the instructions for your client's operating system.
Windows client
- Download and install the OpenVPN client for your Windows version:
  - Windows 64-bit (Intel/AMD): OpenVPN client (Windows 64-bit).
  - Windows ARM64: OpenVPN client (Windows ARM64).
  If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.
- Unzip the downloaded SSL client certificate package and copy all extracted files to the OpenVPN configuration directory.
  - Default path: C:\Program Files\OpenVPN\config
  - Note: If you changed the installation path, copy the files to the config folder in the installation directory.
- Open the config.ovpn file with a text editor and add the following line to the end of the file: disable-dco. The Data Channel Offload (DCO) feature introduced in OpenVPN 2.6 is incompatible with some Windows systems, such as specific versions of Windows 10 and Windows 11. Disabling DCO resolves potential connection issues on these devices.
  ```
  client
  dev tun
  proto tcp
  remote 121.41.xxx
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert vsc-bp1xxx.crt
  key vsc-bp1xxx.key
  cipher AES-128-CBC
  ;comp-lzo
  verb 4
  disable-dco
  ```
- In the system tray, right-click the OpenVPN icon and then click Connect.
- The connection is successful when the status is "Connected" and an IP address is assigned.
Linux client
- Run the following commands to install the OpenVPN client and create the conf directory.
  CentOS:
  ```
  yum install -y openvpn
  mkdir -p /etc/openvpn/conf
  ```
  Ubuntu:
  ```
  apt-get update
  apt-get install -y openvpn
  mkdir -p /etc/openvpn/conf
  ```
- Unzip the downloaded SSL client certificate package and copy the extracted files to the /etc/openvpn/conf/ directory.
- Change to the /etc/openvpn/conf/ directory and run the following command to establish the VPN connection.
  ```
  openvpn --config /etc/openvpn/conf/config.ovpn --daemon
  ```
- (Optional) Configure the OpenVPN process to start automatically on boot.
  - Edit the /etc/rc.local file and add the following commands.
    ```
    # Open the /etc/rc.local file in edit mode.
    vi /etc/rc.local
    # Press i to enter edit mode, then add the following commands to the /etc/rc.local file.
    cd /etc/openvpn/conf/
    openvpn --config /etc/openvpn/conf/config.ovpn --daemon
    # Press Esc to exit edit mode, then enter the following command to save and exit the file.
    :wq
    ```
  - Grant execute permissions to the /etc/rc.local file.
    ```
    chmod +x /etc/rc.local
    ```
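Before starting openvpn with the extracted package, it is worth confirming that config.ovpn actually references files that are present and that the client key is not readable by other users. The pre-flight check below is an added example (not code from the page or from Alibaba Cloud); it assumes the layout shown above (config.ovpn plus the ca.crt, vsc-*.crt and vsc-*.key files it names, all in one directory) and builds a constructed placeholder profile to run against.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: pre-flight check of an extracted SSL
# client certificate package before running openvpn --config config.ovpn.
# Assumes the page's layout: config.ovpn plus the ca.crt, vsc-*.crt and vsc-*.key files
# it references, all in one directory.

check_ovpn_profile() {
    # check_ovpn_profile DIR -> exit status = number of problems found (0 = ready).
    dir=$1; cfg=$dir/config.ovpn; problems=0
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    # 'ca', 'cert' and 'key' each name a file relative to the profile directory;
    # openvpn refuses to start if any of them is absent.
    for directive in ca cert key; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$cfg" | tr -d '\r')
        if [ -z "$file" ]; then
            echo "config.ovpn has no '$directive' line" >&2; problems=$((problems + 1))
        elif [ ! -f "$dir/$file" ]; then
            echo "'$directive $file' names a file that is not in $dir" >&2
            problems=$((problems + 1))
        fi
    done
    # The key is this client's credential: it should be readable only by its owner.
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$cfg" | tr -d '\r')
    if [ -n "$keyfile" ] && [ -f "$dir/$keyfile" ]; then
        mode=$(stat -c %a "$dir/$keyfile" 2>/dev/null || stat -f %Lp "$dir/$keyfile")
        case $mode in
            600|400) ;;
            *) echo "$keyfile has mode $mode; expected 600" >&2; problems=$((problems + 1)) ;;
        esac
    fi
    # The page tells Windows users to append this line; flag its absence but do not fail.
    grep -q '^disable-dco[[:space:]]*$' "$cfg" || echo "note: disable-dco not set in $cfg" >&2
    return $problems
}

make_demo_profile() {
    # Constructed sample profile: placeholder file contents, not real certificates.
    d=$(mktemp -d)
    printf 'client\ndev tun\nproto tcp\nca ca.crt\ncert vsc-demo.crt\nkey vsc-demo.key\n' > "$d/config.ovpn"
    : > "$d/ca.crt"; : > "$d/vsc-demo.crt"; : > "$d/vsc-demo.key"
    chmod 600 "$d/vsc-demo.key"
    echo "$d"
}

demo=$(make_demo_profile)
check_ovpn_profile "$demo" && echo "$demo: profile looks ready"
rm -rf "$demo"
```

Run it as `check_ovpn_profile /etc/openvpn/conf` on a real extracted package; a non-zero exit status lists each problem on stderr.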
Android client
- Download and install the OpenVPN client for Android. If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.
  This example uses an Android 9.0 device with OpenVPN client v3.0.5 installed.
- Transfer the downloaded SSL client certificate package to your Android device and unzip the package.
  Note: If your Android device does not have an unzip utility, you can unzip the certificate package on a computer and then transfer the extracted files to your Android client.
  Ensure that all extracted files are in the same folder, as shown in the following figure.
- Open the OpenVPN client, import the config.ovpn file, and add the VPN connection.
  | Step | Description |
  | --- | --- |
  | ① | Select the OVPN Profile connection method. |
  | ② | Find the config.ovpn file in the storage directory. |
  | ③ | Click IMPORT to import the config.ovpn file. |
  | ④ | The system automatically reads the information from the config.ovpn file and displays the public IP address of the VPN gateway. Click ADD to add the VPN connection. |
- Tap the toggle button to enable the VPN connection.
macOS (GUI)
- Go to the Tunnelblick Releases page, find version Tunnelblick 4.0.1 (build 5971), and download the .dmg file from the Assets panel. If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.
- Install the Tunnelblick software.
  | Step | Description |
  | --- | --- |
  | ① | Double-click the downloaded Tunnelblick installer package. |
  | ② | Double-click the Tunnelblick icon. |
  | ③ | Select I have configuration files. |
  | ④ | Click OK. |
- Unzip the downloaded SSL client certificate package. Then, drag the extracted config.ovpn file to the Configurations panel.
  | Step | Description |
  | --- | --- |
  | ① | From Launchpad, click the Tunnelblick icon. |
  | ② | Drag the extracted config.ovpn file to the Configurations panel. |
  | ③ | Select Only Me. |
  | ④ | Click Connect. |
macOS (CLI)
- Open the Terminal window. If Homebrew is not installed, run the following command to install it.
  Note: The Homebrew installation script includes the sudo command. You will be prompted to enter your administrator password. When prompted with "Press RETURN/ENTER to continue...", press Enter to continue.
  ```
  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  ```
- Run the following command to install the OpenVPN client.
  ```
  brew install openvpn
  ```
- Copy the downloaded SSL client certificate to the configuration directory.
  - Back up the /opt/homebrew/etc/openvpn directory.
    ```
    cp -r /opt/homebrew/etc/openvpn /opt/homebrew/etc/openvpn_bak
    ```
  - Run the following command to delete the current OpenVPN configuration files.
    ```
    rm /opt/homebrew/etc/openvpn/*
    ```
  - Run the following command to copy the downloaded SSL client certificate to the configuration directory.
    ```
    cp /path/to/certs.zip /opt/homebrew/etc/openvpn/
    ```
    Note: /path/to/certs.zip is the path to the downloaded SSL client certificate. This is typically in the user's Downloads directory, such as /Users/example/Downloads/certs.zip.
  - Run the following commands to unzip the certificate.
    ```
    cd /opt/homebrew/etc/openvpn/
    unzip /opt/homebrew/etc/openvpn/certs.zip
    ```
- Choose how to run the client.
  - Run in the foreground. Run the following command to start the client process and establish a VPN connection:
    ```
    sudo /opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/config.ovpn
    ```
    After you run this command, it continues to run in the foreground. To disconnect, press Ctrl+C to stop the command.
  - Run in the background. Run the following commands to run the VPN client as a background service that starts automatically on boot:
    ```
    cp config.ovpn openvpn.conf
    sudo brew services start openvpn
    ```
    To stop the service, run the following command:
    ```
    sudo brew services stop openvpn
    ```
Step 3: Test connectivity
- Configure security group rules
  To ensure that clients can access resources in the VPC, add an inbound rule to the security group associated with the ECS instance, allowing traffic from the Client CIDR Block (10.200.200.0/24).
  - For connectivity testing: Allow the ICMP protocol so that the ping command can work properly.
  - For service access: Allow specific ports required by your services, such as TCP 22 (SSH), TCP 3389 (RDP), and TCP 80/443 (web services).
- Ping test
  On your client, use the ping command to test connectivity to the ECS instance. A successful response indicates a private connection to the ECS instance:
  ```
  ping 10.0.0.1
  ```
- Service port test
  To verify service access, access a service running on the ECS instance. For example, install and start a web service, such as Nginx, on the ECS instance:
  ```
  # Run on the ECS instance (example for Alibaba Cloud Linux 3):
  yum install -y nginx
  systemctl start nginx.service
  ```
  After you confirm that the security group associated with the ECS instance allows traffic from the client CIDR block on TCP port 80, access http://10.0.0.1 in the client browser. If the Nginx welcome page appears, your services are accessible.
FAQ
Username and password authentication
You can enable two-factor authentication. This requires clients to authenticate using both a certificate and a username/password to establish an SSL-VPN connection.
Disconnect the VPN on Linux or macOS
- To find the OpenVPN process, open a command line and run the following command. Note the process ID.
  ```
  ps aux | grep openvpn
  ```
- To terminate the OpenVPN process, run the following command.
  ```
  kill -9 <process ID>
  ```
Troubleshoot connection issues
| Symptom | Cause and resolution |
| --- | --- |
| Connection fails. For example, the client logs show | 1. Network issue: Verify that your client device can access the internet. Ensure that your local network firewall or security software is not blocking the OpenVPN client from accessing the public IP address and port (default: TCP/1194) of the VPN Gateway. 2. Certificate issue: Verify that the imported |
| Connection is successful, but you cannot | 1. Security group rules: This is the most common cause. Log on to the ECS console and check the security group for the target instance. Ensure that it has an inbound rule that allows the 2. Operating system firewall: Check whether the operating system firewall on the ECS instance (such as firewalld or iptables) is blocking ICMP requests. |
| Connection is successful and | 1. Security group rules: Check the security group for the ECS instance and ensure that it allows traffic from your Client CIDR Block on the required service ports (for example, TCP 80 and TCP 22). 2. Service listening status: Log on to the ECS instance and verify that the service is listening on the correct port. For example, on a Linux system, you can run the 3. Operating system firewall: Log on to the ECS instance and verify that the operating system firewall allows traffic on the required port. |
| After you connect to the VPN, you cannot access your local network (for example, a printer) or the internet. | Routing conflict: This issue occurs if the Client CIDR Block that you configured on the SSL server conflicts with the CIDR block of your local network. Return to Step 1, change the Client CIDR Block on the SSL server to a less common range (such as |
| The ECS instance cannot initiate a | This is expected behavior. For security reasons, the firewall on a client's operating system typically blocks unsolicited inbound requests from external sources, including the VPN endpoint. This does not affect the client's ability to access cloud resources. To allow inbound connections from cloud resources, you must configure the client's firewall to permit the necessary traffic (for example, ICMP for ping requests). |
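The routing-conflict row asks you to confirm that the Client CIDR Block does not collide with your local network; it is also worth checking it against the VPC CIDR you entered as Local Network. The script below is an added example (not from the page or from Alibaba Cloud) that performs that overlap test in POSIX sh on the page's own values (10.200.200.0/24, 10.0.0.0/16 and 172.16.0.0/16); it assumes well-formed IPv4 CIDRs and a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: detect the routing conflict described
# in the troubleshooting table by checking whether the SSL server's Client CIDR Block
# overlaps another IPv4 range. Assumes well-formed IPv4 CIDRs (no input validation).

ip_to_int() {
    # "10.200.200.0" -> unsigned 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_to_mask() {
    # 24 -> 0xffffff00; the 64-bit shift result is masked back down to 32 bits
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

cidr_overlap() {
    # cidr_overlap A/n B/m -> exit 0 if the two ranges share at least one address.
    # Two ranges overlap exactly when they agree on the shorter of the two prefixes.
    net_a=${1%/*}; len_a=${1#*/}
    net_b=${2%/*}; len_b=${2#*/}
    shortest=$(( len_a < len_b ? len_a : len_b ))
    mask=$(prefix_to_mask "$shortest")
    [ $(( $(ip_to_int "$net_a") & mask )) -eq $(( $(ip_to_int "$net_b") & mask )) ]
}

check_client_cidr() {
    # check_client_cidr CLIENT_CIDR NET... -> exit 0 if CLIENT_CIDR is disjoint from
    # every NET, 1 otherwise. Each conflict is reported on stderr.
    client=$1; shift; rc=0
    for net in "$@"; do
        if cidr_overlap "$client" "$net"; then
            echo "conflict: Client CIDR Block $client overlaps $net" >&2
            rc=1
        fi
    done
    return $rc
}

# Values from this page: default Client CIDR Block, VPC CIDR, on-premises network.
check_client_cidr 10.200.200.0/24 10.0.0.0/16 172.16.0.0/16 \
    && echo "10.200.200.0/24 is disjoint from the VPC and the on-premises network"
```

If your office network happens to be 10.200.0.0/16, the same call reports a conflict, which is the situation the table's "less common range" advice addresses.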
For more information, see the SSL-VPN connection FAQ.