This topic describes how to connect a client to a virtual private cloud (VPC) by using SSL-VPN.

Prerequisites

  • You have an Alibaba Cloud account. If you do not have one, create an Alibaba Cloud account.
  • The private CIDR block of the client and the private CIDR block of the VPC do not overlap. Otherwise, the client and the VPC cannot communicate with each other.
  • The client can access the Internet.
  • You have read and understood the security group rules that apply to the ECS instances in the VPC, and the rules allow traffic from the client CIDR block that you assign to SSL clients in Step 2. For more information, see Query security group rules.

Background information

The scenario in the following figure is used as an example to describe how Linux, Windows, and Mac clients connect to a VPC by using SSL-VPN.

Figure: Connect a client to a VPC

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the buy page, set the parameters of the VPN gateway, click Buy Now, and then complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPC and the VPN gateway are deployed in the same region.
    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify VSwitch: Specify whether to create the VPN gateway in a vSwitch of the VPC. No is selected in this example.

      If you select Yes, you must specify a vSwitch.

    • Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s. The bandwidth is used for data transfer over the Internet.
    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer billing method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway. In this example, Disable is selected.
    • SSL-VPN: Specify whether to enable SSL-VPN for the VPN gateway. In this example, Enable is selected.
    • SSL connections: Specify the maximum number of concurrent SSL-VPN connections that the VPN gateway supports.
      Note This parameter is available only after you enable the SSL-VPN feature.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  4. Return to the VPN Gateways page to view the VPN gateway that you created.

    The newly created VPN gateway is in the Preparing state. The VPN gateway changes to the Normal state after about 1 to 5 minutes. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.

Step 2: Create an SSL server

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  2. In the top navigation bar, select the region where you want to create the SSL server.
    Note Make sure that the SSL server and the VPN gateway that you created are deployed in the same region.
  3. On the SSL Server page, click Create SSL Server.
  4. In the Create SSL Server panel, set the following parameters and click OK.
    • Name: Enter a name for the SSL server.
    • VPN Gateway: Select the VPN gateway that you created.
    • Local Network: Enter the CIDR block of the network to which you want to connect. Click Add Local Network to add more CIDR blocks. You can add the CIDR block of a VPC, a vSwitch, or an on-premises network.
    • Client Subnet: Enter the CIDR block that the client uses to connect to the SSL server.
      Notice
      • Make sure that the CIDR block of the destination network and the client CIDR block do not overlap with each other.
      • Make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

        For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from 192.168.0.0/24. 192.168.0.4/30, which provides up to four IP addresses, is used as the subnet CIDR block in this example. Then, the system allocates an IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to your client, you must make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

    • Advanced Configuration: Use default advanced configurations.
    For more information, see Create an SSL server.
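    The following is an added example, not part of this topic or of Alibaba Cloud's own tooling. It checks the two constraints stated above before you click OK: the client CIDR block must not overlap the Local Network CIDR blocks (or, per the prerequisites, the client's own private CIDR block), and it must provide at least four IP addresses per SSL-VPN connection. It also lists the /30 subnets that a client CIDR block is divided into, which makes the 192.168.0.4/30 example concrete. The CIDR blocks in the test values are constructed for this example; the function and parameter names are assumptions, not console or API names.

```python
"""Pre-flight check for the Local Network and Client Subnet parameters of an SSL server.

Added example; not Alibaba Cloud code. Function names and the rule of four
addresses per connection follow the Notice in this topic.
"""
import ipaddress

# Each SSL-VPN connection consumes one /30, that is, four IP addresses.
ADDRESSES_PER_CLIENT = 4


def client_subnets(client_cidr: str) -> list:
    """Return the /30 blocks that a client CIDR block is divided into, in order."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    return [str(sub) for sub in net.subnets(new_prefix=30)]


def max_ssl_connections(client_cidr: str) -> int:
    """Number of SSL-VPN connections a client CIDR block can carry (one /30 each)."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    return net.num_addresses // ADDRESSES_PER_CLIENT


def check_ssl_server_plan(local_networks, client_cidr, ssl_connections, client_lans=()):
    """Validate the SSL server parameters.

    local_networks:  Local Network CIDR blocks (VPC, vSwitch or on-premises).
    client_cidr:     Client Subnet CIDR block.
    ssl_connections: the SSL connections value chosen for the VPN gateway.
    client_lans:     private CIDR blocks of the client's own network (prerequisite check).
    Returns a list of problems; an empty list means the parameters are consistent.
    """
    problems = []
    client = ipaddress.ip_network(client_cidr, strict=True)
    locals_ = [ipaddress.ip_network(c, strict=True) for c in local_networks]

    # Rule 1: the client subnet must not overlap any destination (Local Network) block.
    for net in locals_:
        if net.overlaps(client):
            problems.append(f"client subnet {client} overlaps local network {net}")

    # Rule 2 (prerequisite): the client's own LAN must not overlap the destination blocks,
    # otherwise the client cannot route to the VPC.
    for lan_cidr in client_lans:
        lan = ipaddress.ip_network(lan_cidr, strict=True)
        for net in locals_:
            if net.overlaps(lan):
                problems.append(f"client LAN {lan} overlaps local network {net}")

    # Rule 3: at least four addresses per SSL-VPN connection.
    capacity = max_ssl_connections(client_cidr)
    if capacity < ssl_connections:
        problems.append(
            f"client subnet {client} supports at most {capacity} connections, "
            f"but {ssl_connections} SSL connections were configured"
        )
    return problems


if __name__ == "__main__":
    # Constructed values matching the scenario in this topic.
    print(client_subnets("192.168.0.0/24")[:3])
    for problem in check_ssl_server_plan(["10.0.0.0/16"], "192.168.0.0/28", 5):
        print("problem:", problem)
```

Run it with your own CIDR blocks before creating the SSL server; any line printed as a problem means the console parameters need to change, because the overlap is not detected by the client once the tunnel is up.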

Step 3: Create and download an SSL client certificate

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.
  2. On the SSL Client page, click Create Client Certificate.
  3. In the Create Client Certificate panel, enter a name for the SSL client certificate, select an SSL server, and then click OK.
  4. On the SSL Client page, find the SSL client certificate that you created and click Download in the Actions column.

    The SSL client certificate is downloaded to your on-premises device.

Step 4: Configure the client

The following section describes how to configure Linux, Mac, and Windows clients.

  • Linux client
    1. Run the following command to install OpenVPN:
      yum install -y openvpn
    2. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to /etc/openvpn/conf/. The package contains the private key of the client certificate, so restrict the directory so that only root can read it.
    3. Go to the /etc/openvpn/conf/ directory and run the following command to start the OpenVPN client:
      openvpn --config /etc/openvpn/conf/config.ovpn --daemon
  • Windows client
    1. Download and install the OpenVPN client (Download OpenVPN).

    2. Decompress the downloaded SSL client certificate package and copy the SSL client certificate to the OpenVPN\config directory.

      In this example, the certificate is copied to the C:\Program Files\OpenVPN\config directory. You must copy the certificate to the directory where the OpenVPN client is installed.

    3. Start the OpenVPN client and click Connect to initiate a connection.
  • Mac client
    1. Run the following command to install OpenVPN:
      brew install openvpn
      Note Make sure that Homebrew is installed before you install OpenVPN.
    2. Copy the SSL client certificate package that you downloaded in Step 3 to the configuration directory of the OpenVPN client and decompress the package. Then, initiate an SSL-VPN connection.
      1. Back up all configuration files in the /usr/local/etc/openvpn folder.
      2. Run the following command to delete the configuration files of the OpenVPN client:
        rm /usr/local/etc/openvpn/*
      3. Run the following command to copy the downloaded SSL client certificate package to the configuration directory of the OpenVPN client:
        cp cert_location /usr/local/etc/openvpn/

        In the preceding command, replace cert_location with the directory to which the SSL client certificate package is downloaded in Step 3. For example: /Users/example/Downloads/certs6.zip.

      4. Run the following command to decompress the SSL client certificate package:
        cd /usr/local/etc/openvpn/
        unzip /usr/local/etc/openvpn/certs6.zip
      5. Run the following command to initiate a connection:
        sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn

Step 5: Test the connectivity

  1. Open the CLI on the client.
  2. Run the ping command against the private IP address of an Elastic Compute Service (ECS) instance in the VPC. The ping succeeds only if the security group of the ECS instance allows ICMP traffic from the client CIDR block that you specified in Step 2.