All Products
Search
Document Center

VPN Gateway:Connect to a VPC using SSL-VPN

Last Updated:Jun 20, 2026

SSL-VPN connects a client (Windows, Linux, Android, or macOS) to a VPC's private network for secure access over the internet.

For iOS and iPadOS clients, see Connect an iPhone or iPad to a VPC by using an SSL-VPN connection.

Use case

Objective: Create an SSL-VPN-enabled VPN Gateway that enables a local client to securely access an ECS instance in a VPC by using its private IP address.

image

This scenario uses the following resources:

  • VPC

    • Name: vpc-demo

    • Region: China (Hangzhou)

    • CIDR block: 10.0.0.0/16

    • vSwitches: Two vSwitches named vsw1 and vsw2.

      • vsw1 is in zone J with the CIDR block 10.0.0.0/24.

      • vsw2 is in zone K with the CIDR block 10.0.1.0/24.

    • ECS: An ECS instance with the private IP address 10.0.0.1, running the Alibaba Cloud Linux 3.2104 LTS 64-bit operating system.

  • Client's on-premises network: 172.16.0.0/16

Step 1: Configure cloud VPN resources

Before connecting a client to the VPC, create and configure a VPN Gateway, an ssl server, and an ssl client on the Alibaba Cloud console.

1. Create a VPN Gateway

A VPN Gateway is the cloud-side entry and exit point for SSL-VPN connections.

  1. Go to the VPN Gateway page and click Create VPN Gateway.

  2. On the VPN Gateway page, configure the following parameters:

    • Instance Name: vpn-demo

    • Region: China (Hangzhou).

    • VPC: Select the VPC that you want the client to access.

    • vSwitch 1/vSwitch 2: Select vsw1 and vsw2 respectively.

      VPN Gateway instances use a dual-active architecture. To ensure cross-zone high availability in a region that supports multiple zones, your VPC must have at least two vSwitches in different zones. If this requirement is not met, create a vSwitch first.
    • Maximum Bandwidth: 10 Mbps

    • IPsec-VPN: Disabled (This option is available only after you enable SSL-VPN below.)

    • SSL-VPN: Enable.

    • SSL-VPN Connections: 5.

    • Service-linked Role: If a service-linked role does not exist, click Create Service-linked Role.

    For detailed parameter descriptions, see Create and manage a VPN Gateway instance.
  3. After completing the purchase, the VPN Gateway instance appears on the VPN Gateway page.

    A newly created VPN Gateway instance is in the Preparing state. The state changes to Normal in about 1 to 5 minutes. The instance is then ready for use.

2. Create an SSL server

An SSL server defines the cloud network that clients can access and configures the client IP address pool.

  1. Go to the SSL Servers page. In the top navigation bar, select the China (Hangzhou) region, and then click Create SSL Server.

  2. In the Create SSL Server panel, configure the following settings:

    • Name: Enter server-demo.

    • VPN Gateway: Select the VPN Gateway instance that you just created.

    • Local Network: Enter the VPC's CIDR block: 10.0.0.0/16.

      This CIDR block defines the cloud network that clients can access. This is typically the CIDR block of your VPC.

    Keep the other options at their default values. For detailed parameter descriptions, see Create and manage an ssl server.

3. Create an SSL client and download certificate

An SSL client manages client certificates. Each client that needs to connect must import a certificate for authentication and encryption.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients. In the top navigation bar, ensure that the China (Hangzhou) region is selected. On the SSL Client page, click Create SSL Client.

  2. In the Create SSL Client panel, enter client-demo for Name, select server-demo for SSL Server, and then click OK.

  3. On the SSL Client page, find the ssl client that you created and, in the Actions column, click Download Certificate.

Step 2: Configure the client

Follow the instructions for your client's operating system.

Windows client

  1. Download and install the OpenVPN client for your Windows version:

    If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.
  2. Unzip the downloaded SSL client certificate package and copy all extracted files to the OpenVPN configuration directory.

    • Default path: C:\Program Files\OpenVPN\config

    • Note: If you changed the installation path, copy the files to the config folder in the installation directory.

    image

  3. Open the config.ovpn file with a text editor and add the following line to the end of the file: disable-dco.

    The Data Channel Offload (DCO) feature introduced in OpenVPN 2.6 is incompatible with some Windows systems, such as specific versions of Windows 10 and Windows 11. Disabling DCO resolves potential connection issues on these devices.
    client
    dev tun
    proto tcp
    remote 121.41.xxx
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert vsc-bp1xxx.crt
    key vsc-bp1xxx.key
    cipher AES-128-CBC
    ;comp-lzo
    verb 4
    disable-dco
  4. In the system tray, right-click the OpenVPN icon and then click Connect.

  5. The connection is successful when the status is "Connected" and an IP address is assigned.

Linux client

  1. Run the following commands to install the OpenVPN client and create the conf directory.

    CentOS
    yum install -y openvpn
    mkdir -p /etc/openvpn/conf
    Ubuntu
    apt-get update
    apt-get install -y openvpn
    mkdir -p /etc/openvpn/conf
  2. Unzip the downloaded SSL client certificate package and copy the extracted files to the /etc/openvpn/conf/ directory.

    image

  3. Change to the /etc/openvpn/conf/ directory and run the following command to establish the VPN connection.

    openvpn --config /etc/openvpn/conf/config.ovpn --daemon
  4. (Optional) Configure the OpenVPN process to start automatically on boot.

    1. Edit the /etc/rc.local file and add the following commands.

      # Open the /etc/rc.local file in edit mode.
      vi /etc/rc.local 
      # Press i to enter edit mode, then add the following commands to the /etc/rc.local file.
      cd /etc/openvpn/conf/
      openvpn --config /etc/openvpn/conf/config.ovpn --daemon
      # Press Esc to exit edit mode, then enter the following command to save and exit the file.
      :wq
    2. Grant execute permissions to the /etc/rc.local file.

      chmod +x /etc/rc.local

Android client

  1. Download and install the OpenVPN client for Android.If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.

    This example uses an Android 9.0 device with OpenVPN client v3.0.5 installed.

  2. Transfer the downloaded SSL client certificate package to your Android device and unzip the package.

    Note
    • If your Android device does not have an unzip utility, you can unzip the certificate package on a computer and then transfer the extracted files to your Android client.

    • Ensure that all extracted files are in the same folder, as shown in the following figure.

    文件保存位置

  3. Open the OpenVPN client, import the config.ovpn file, and add the VPN connection.

    导入config文件

    Step

    Description

    Select the OVPN Profile connection method.

    Find the config.ovpn file in the storage directory.

    Click IMPORT to import the config.ovpn file.

    The system automatically reads the information from the config.ovpn file and displays the public IP address of the VPN gateway. Click ADD to add the VPN connection.

  4. Tap the toggle button to enable the VPN connection.

    开启OpenVPN

macOS (GUI)

  1. Go to the Tunnelblick Releases page, find version Tunnelblick 4.0.1 (build 5971), and download the .dmg file from the Assets panel. If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.

    image

  2. Install the Tunnelblick software.

    image

    Step

    Description

    Double-click the downloaded Tunnelblick installer package.

    Double-click the Tunnelblick icon.

    Select I have configuration files.

    Click OK.

  3. Unzip the downloaded SSL client certificate package. Then, drag the extracted config.ovpn file to the Configurations panel.

image

Step

Description

From Launchpad, click the Tunnelblick icon.

Drag the extracted config.ovpn file to the Configurations panel.

Select Only Me.

Click Connect.

macOS (CLI)

  1. Open the Terminal app. If Homebrew is not installed on your Mac, run the following command to install it.

    Note

    The Homebrew installation script includes the sudo command and will prompt you for your administrator password. When "Press RETURN/ENTER to continue..." appears, press Enter to proceed.

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

    image

  2. Run the following command to install the OpenVPN client.

    brew install openvpn

    image

  3. Unzip the downloaded SSL client certificate package and copy the files to the configuration directory.

    1. Back up the /opt/homebrew/etc/openvpn directory.

      cp -r  /opt/homebrew/etc/openvpn /opt/homebrew/etc/openvpn_bak
    2. Run the following command to delete the current OpenVPN configuration files.

      rm /opt/homebrew/etc/openvpn/*
    3. Run the following command to copy the downloaded SSL client certificate package to the configuration directory.

      cp /path/to/certs.zip /opt/homebrew/etc/openvpn/
      Note

      /path/to/certs.zip is the path to your downloaded SSL client certificate package. It is typically in the current user's Downloads directory, for example, /Users/example/Downloads/certs.zip.

  4. Run the following commands to unzip the package.

    cd /opt/homebrew/etc/openvpn/
    unzip /opt/homebrew/etc/openvpn/certs.zip
  5. Grant execute permissions to the /etc/rc.local file.

    chmod +x /etc/rc.local

Android client

  1. This topic uses an Android 9.0 client with OpenVPN client 3.0.5 installed.

  2. Transfer the downloaded SSL client certificate to your Android device and unzip the certificate.

    Note
    • If your Android device does not have software to unzip files, unzip the certificate on your computer. Then, transfer the unzipped files to the Android client.

    File save location

  3. Open the OpenVPN client, import the config.ovpn file, and add a VPN connection.

    Import config file

    Number

    Description

    Select the OVPN Profile connection method.

    Find the config.ovpn file in the storage directory.

    Click IMPORT to import the config.ovpn file.

    The system reads the config.ovpn file and displays the public IP address of the VPN gateway. Click ADD to add the VPN connection.

  4. Click the toggle button to enable the VPN connection.

    Enable OpenVPN

Mac client (GUI, recommended for M-series chips)

  1. Go to the Tunnelblick Releases page, find version Tunnelblick 4.0.1 (build 5971), and download the .dmg file from the Assets panel.If you cannot open the download link, contact your account manager or an Alibaba Cloud engineer.

    image

  2. Install the Tunnelblick software.

    image

    No.

    Description

    Double-click the downloaded Tunnelblick installation package.

    Double-click the Tunnelblick icon.

    Select I have configuration files.

    Click OK.

  3. Unzip the downloaded SSL client certificate. Drag the unzipped config.ovpn file to the Configurations panel to create the VPN connection.

image

No.

Description

In Launchpad, click the Tunnelblick icon to open the Tunnelblick software.

Drag the unzipped config.ovpn file to the Configurations panel.

Select Only Me.

Click Connect.

Mac client (command line)

  1. Open the Terminal window. If Homebrew is not installed, run the following command to install it.

    Note

    The Homebrew installation script includes the sudo command. You will be prompted to enter your administrator password. When prompted with "Press RETURN/ENTER to continue...", press Enter to continue.

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

    image

  2. Run the following command to install the OpenVPN client.

    brew install openvpn

    image

  3. Copy the downloaded SSL client certificate to the configuration directory.

    1. Back up the /opt/homebrew/etc/openvpn directory.

      cp -r  /opt/homebrew/etc/openvpn /opt/homebrew/etc/openvpn_bak
    2. Run the following command to delete the current OpenVPN configuration files.

      rm /opt/homebrew/etc/openvpn/*
    3. Run the following command to copy the downloaded SSL client certificate to the configuration directory.

      cp /path/to/certs.zip /opt/homebrew/etc/openvpn/
      Note

      /path/to/certs.zip is the path to the downloaded SSL client certificate. This is typically in the user's Downloads directory, such as /Users/example/Downloads/certs.zip.

  4. Run the following commands to unzip the certificate.

    cd /opt/homebrew/etc/openvpn/
    unzip /opt/homebrew/etc/openvpn/certs.zip
  5. Choose how to run the client.

    Run in the foreground

    Run the following command to start the client process and establish a VPN connection:

    sudo /opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/config.ovpn

    After you run this command, it continues to run in the foreground. To disconnect, press Ctrl+C to stop the command.

    Run in the background

    Run the following commands to run the VPN client as a background service that starts automatically on boot:

    cp config.ovpn openvpn.conf
    sudo brew services start openvpn

    To stop the service, run the following command:

    sudo brew services stop  openvpn

Step 3: Test connectivity

  1. Configure security group rules

    To ensure that clients can access resources in the VPC, add an inbound rule to the security group associated with the ECS instance, allowing traffic from the Client CIDR Block (10.200.200.0/24).

    • For connectivity testing: Allow the ICMP protocol so that the ping command can work properly.

    • For service access: Allow specific ports required by your services, such as TCP 22 (SSH), TCP 3389 (RDP), and TCP 80/443 (web services).

  2. Ping test

    On your client, use the ping command to test connectivity to the ECS instance. A successful response indicates a private connection to the ECS instance:

    ping 10.0.0.1

    image

  3. Service port test

    To verify service access, access a service running on the ECS instance. For example, install and start a web service, such as Nginx, on the ECS instance:

    # Run on the ECS instance (example for Alibaba Cloud Linux 3):
    yum install -y nginx
    systemctl start nginx.service

    After you confirm that the security group associated with the ECS instance allows traffic from the client CIDR block on TCP port 80, access http://10.0.0.1 in the client browser.

    If the Nginx welcome page appears, your services are accessible.

    image

FAQ

Username and password authentication

You can enable two-factor authentication. This requires clients to authenticate using both a certificate and a username/password to establish an SSL-VPN connection.

Disconnect the VPN on Linux or macOS

  1. To find the OpenVPN process, open a command line and run the following command. Note the process ID.

    ps aux | grep openvpn
  2. To terminate the OpenVPN process, run the following command.

    kill -9 <process ID>

Troubleshoot connection issues

Symptom

Cause and resolution

Connection fails. For example, the client logs show AUTH_FAILED or TLS Handshake failed.

1. Network issue: Verify that your client device can access the internet. Ensure that your local network firewall or security software is not blocking the OpenVPN client from accessing the public IP address and port (default: TCP/1194) of the VPN Gateway.

2. Certificate issue: Verify that the imported config.ovpn file and its related certificate files are complete and unmodified. Try downloading the certificate from the console and importing it again.

Connection is successful, but you cannot ping an ECS instance in the VPC.

1. Security group rules: This is the most common cause. Log on to the ECS console and check the security group for the target instance. Ensure that it has an inbound rule that allows the ICMP protocol, with the source set to your Client CIDR Block (for example, 10.200.200.0/24).

2. Operating system firewall: Check whether the operating system firewall on the ECS instance (such as firewalld or iptables) is blocking ICMP requests.

Connection is successful and ping works, but you cannot access services (such as a website or SSH) on the ECS instance.

1. Security group rules: Check the security group for the ECS instance and ensure that it allows traffic from your Client CIDR Block on the required service ports (for example, TCP 80 and TCP 22).

2. Service listening status: Log on to the ECS instance and verify that the service is listening on the correct port. For example, on a Linux system, you can run the netstat -nltp command.

3. Operating system firewall: Log on to the ECS instance and verify that the operating system firewall allows traffic on the required port.

After you connect to the VPN, you cannot access your local network (for example, a printer) or the internet.

Routing conflict: This issue occurs if the Client CIDR Block that you configured on the SSL server conflicts with the CIDR block of your local network. Return to Step 1, change the Client CIDR Block on the SSL server to a less common range (such as 10.240.240.0/24), and then download the certificate and configure the client again.

The ECS instance cannot initiate a ping to the client.

This is expected behavior. For security reasons, the firewall on a client's operating system typically blocks unsolicited inbound requests from external sources, including the VPN endpoint. This does not affect the client's ability to access cloud resources. To allow inbound connections from cloud resources, you must configure the client's firewall to permit the necessary traffic (for example, ICMP for ping requests).

For more information, see the SSL-VPN connection FAQ.