This topic describes how to use SSL-VPN to connect a client that runs Linux, macOS, Windows, or Android to a virtual private cloud (VPC).
Background information
The scenario in the following figure is used as an example to describe how to use SSL-VPN to connect a client that runs Linux, macOS, Windows, or Android to a VPC.
Prerequisites
- An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create an Alibaba Cloud account.
- The private CIDR block of the client does not overlap with the private CIDR block of the VPC.
- The client can access the Internet.
- You have learned about the security group rules that apply to the Elastic Compute Service (ECS) instances in the VPC. Make sure that the security group rules allow the client to access the ECS instances. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Create a VPN gateway
- Log on to the VPN gateway console.
- On the VPN Gateways page, click Create VPN Gateway.
- On the VPN Gateway page, set the following parameters, click Buy Now, and then complete the payment:
Name: Enter a name for the VPN gateway.
Region: Select the region where you want to create the VPN gateway.
Note: Make sure that the VPN gateway and the VPC are deployed in the same region.
Gateway Type: Select a type for the VPN gateway. In this example, Standard is selected.
Network Type: Select the network type of the VPN gateway. In this example, Public is selected.
Tunnels: The supported tunnel modes are automatically displayed.
VPC: Select the VPC to be connected.
VSwitch: Select a vSwitch from the selected VPC.
- If you select Single-tunnel, you need to specify one vSwitch.
- If you select Dual-tunnel, you need to specify two vSwitches.
Note:
- The system selects a vSwitch by default. You can keep the default vSwitch or select a different one.
- After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
vSwitch 2: Select another vSwitch from the selected VPC. Ignore this parameter if you select Single-tunnel.
Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
IPsec-VPN: Specify whether to enable the IPsec-VPN feature. In this example, Disable is selected.
SSL-VPN: Specify whether to enable the SSL-VPN feature for the VPN gateway. In this example, Enable is selected.
SSL Connections: Select the number of clients to be connected.
Note: The SSL Connections parameter is available only after you enable the SSL-VPN feature.
Duration: By default, the VPN gateway is billed on an hourly basis.
Service-linked Role: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
- Return to the VPN Gateways page to view the VPN gateway that you created.
A newly created VPN gateway is in the Preparing state. After about 1 to 5 minutes, it enters the Normal state, at which point it is ready for use.
Step 2: Create an SSL server
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create an SSL server.
Note: Make sure that the SSL server and the VPN gateway that you created are deployed in the same region.
On the SSL Server page, click Create SSL Server.
In the Create SSL Server panel, set the following parameters for the SSL server, and click OK.
Name: Enter a name for the SSL server.
VPN Gateway: Select the VPN gateway that you created.
Local Network: Enter the CIDR block of the VPC to which you want to connect.
Click Add Local Network to add more CIDR blocks. You can add the CIDR block of a VPC, a vSwitch, or an on-premises network.
Client Subnet: Enter the CIDR block that the client uses to connect to the SSL server.
Important: The subnet mask of the client CIDR block must be 16 to 29 bits in length.
Make sure that the local CIDR block and the client CIDR block do not overlap with each other.
We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. This way, the VPC can access the public CIDR block. For more information, see the What is a user CIDR block? and How do I configure a user CIDR block? sections of the "FAQ" topic.
After you create an SSL server, the system automatically adds routes that point to the client CIDR block to the VPC route table; these routes are not displayed in the console by default. Do not add routes that point to the client CIDR block to the VPC route table yourself. Otherwise, SSL-VPN connections cannot work as expected.
Advanced Configuration: The default settings are used in this example.
For more information, see Create and manage an SSL server.
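The Local Network and Client Subnet rules above (client prefix length of 16 to 29 bits, no overlap with the local CIDR blocks, and the extra user CIDR block step when the client subnet is public) are easy to get wrong when typed by hand. The following script is an added example, not part of this topic or of Alibaba Cloud's tooling: it checks a planned SSL server layout offline with Python's standard ipaddress module before you enter the values in the console. The sample CIDR blocks are constructed, and the check assumes IPv4 blocks, which is all the procedure above uses.

```python
import ipaddress

# Private ranges the topic recommends for the client CIDR block.
RECOMMENDED_CLIENT_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def validate_ssl_server(local_networks, client_subnet):
    """Check an SSL server's Local Network / Client Subnet layout.

    Returns (errors, warnings). Errors mean the layout will be rejected or will
    not route; warnings mean it needs additional configuration.
    Rules taken from the SSL server section of the topic:
      - the client CIDR prefix length must be 16 to 29 bits;
      - the client CIDR block must not overlap any local network;
      - a client CIDR block outside the recommended private ranges must also be
        configured as the VPC's user CIDR block (reported as a warning).
    Assumption: only IPv4 blocks are checked, as in the procedure.
    """
    errors, warnings = [], []

    # strict=True rejects host addresses such as 10.8.0.1/24 instead of
    # silently masking them to the network address.
    try:
        client = ipaddress.ip_network(client_subnet, strict=True)
    except ValueError as exc:
        return [f"client subnet {client_subnet!r} is not a valid CIDR block: {exc}"], warnings
    if client.version != 4:
        return [f"client subnet {client} is not IPv4; this check covers IPv4 only"], warnings

    if not 16 <= client.prefixlen <= 29:
        errors.append(
            f"client subnet prefix length {client.prefixlen} is outside the allowed 16-29 bits"
        )

    for cidr in local_networks:
        try:
            local = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"local network {cidr!r} is not a valid CIDR block: {exc}")
            continue
        if local.overlaps(client):
            errors.append(f"client subnet {client} overlaps local network {local}")

    if not any(client.subnet_of(rng) for rng in RECOMMENDED_CLIENT_RANGES):
        warnings.append(
            f"client subnet {client} is outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; "
            "it must also be configured as the VPC user CIDR block"
        )
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample values: the VPC's CIDR block and several candidate client subnets.
    sample_local = ["192.168.0.0/16"]
    candidates = ("10.8.0.0/24", "192.168.10.0/24", "10.8.0.0/30", "10.8.0.1/24", "203.0.113.0/24")
    for candidate in candidates:
        errs, warns = validate_ssl_server(sample_local, candidate)
        status = "ok" if not errs else "rejected"
        print(f"{candidate:>16}: {status}", *errs, *warns, sep="\n    ")
```

Run the script to see one accepted layout, an overlap, a prefix that is too long, a host address typed in place of a network, and a public client subnet that needs the user CIDR block step. The same checks apply to the prerequisite that the client's own private CIDR block must not overlap the VPC: pass that block as an additional entry in the local network list.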
Step 3: Create and download an SSL client certificate
In the left-side navigation pane, choose .
On the SSL Client page, click Create SSL Client Certificate.
In the Create Client Certificate panel, enter a name for the SSL client certificate, select an SSL server, and then click OK.
On the SSL Client page, find the SSL client certificate that you created and click Download in the Actions column.
Step 4: Configure the client
The following section describes how to configure a client that runs Linux, Windows, macOS, or Android.
Configure a client that runs Linux
Open the command-line interface (CLI).
Run the following command to install OpenVPN:
yum install -y openvpn
Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the /etc/openvpn/conf/ directory.
Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection:
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
Configure a client that runs Windows
Download and install the OpenVPN client for Windows.
Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.
In this example, the certificate is copied to C:\Program Files\OpenVPN\config. You must copy the certificate to the directory where the OpenVPN client is installed.
Start the OpenVPN client and click Connect to establish a connection.
Use Tunnelblick to connect a client that runs macOS
The following section describes how to use Tunnelblick to establish an SSL-VPN connection between a client that runs macOS and a VPN gateway.
Download Tunnelblick.
We recommend that you use an official version, such as 3.8.8b, 3.8.8a, or 3.8.6a. We recommend that you download Tunnelblick in DMG format, which can be directly installed and used.
In this example, Tunnelblick of version 3.8.6a is used.
Install Tunnelblick.
① Double-click the installation package that you downloaded.
② Double-click the Tunnelblick icon.
③ Select I have configuration files.
④ In the message that appears, click OK.
Decompress the SSL client certificate package that you downloaded in Step 3.
Upload the config.ovpn file to Tunnelblick to establish an SSL-VPN connection.
① Double-click the Tunnelblick icon to open Tunnelblick.
② Drag the config.ovpn file to the Configurations folder.
③ Select Only Me.
④ Click Connect.
Use OpenVPN to connect a client that runs macOS
The following section describes how to use OpenVPN to establish an SSL-VPN connection between a client that runs macOS and a VPN gateway.
Open the command-line interface (CLI).
If Homebrew is not installed on your client, run the following command to install Homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Run the following command to install OpenVPN:
brew install openvpn
Copy the SSL client certificate package that you downloaded in Step 3 to the configuration directory of the OpenVPN client and decompress the package.
Back up all configuration files in the /usr/local/etc/openvpn folder.
Run the following command to delete the configuration files of OpenVPN:
rm /usr/local/etc/openvpn/*
Run the following command to copy the downloaded SSL client certificate package to the configuration directory of OpenVPN:
cp cert_location /usr/local/etc/openvpn/
In the preceding command, replace cert_location with the path of the SSL client certificate package that you downloaded in Step 3. For example: /Users/example/Downloads/certs6.zip.
Run the following commands to extract the certificate:
cd /usr/local/etc/openvpn/
unzip /usr/local/etc/openvpn/certs6.zip
Run the following command to establish a VPN connection:
sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
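Both the Linux procedure (decompress the package into /etc/openvpn/conf/) and the macOS OpenVPN procedure above (copy and unzip the package into /usr/local/etc/openvpn/) unpack a zip that contains the client's private key. The following script is an added example, not part of this topic or of the OpenVPN project: it performs that unpacking step while refusing zip entries that would write outside the configuration directory, restricting the extracted files to the owner (mode 0600), and confirming that the files config.ovpn points to are actually present. Only config.ovpn is named on the page; the file names ca.crt, client.crt and client.key used by the demo package are assumptions, and their contents are constructed placeholders.

```python
import os
import zipfile
from pathlib import Path

# OpenVPN directives whose argument is a file name. OpenVPN resolves them
# relative to its working directory, which is why the page says to cd into the
# configuration directory before running openvpn.
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt"}


def install_client_package(package, config_dir):
    """Extract the downloaded certificate package into config_dir.

    - Rejects zip entries whose path would land outside config_dir (zip path
      traversal, e.g. an entry named ../evil.conf) instead of writing them.
    - Makes config_dir 0700 and every extracted file 0600: the package holds
      the client's private key, which no other local user should be able to read.
    - Requires config.ovpn to be present, as the connection commands expect.
    Returns the list of extracted file paths.
    """
    config_dir = Path(config_dir).resolve()
    config_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(config_dir, 0o700)

    extracted = []
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            target = (config_dir / info.filename).resolve()
            if target != config_dir and config_dir not in target.parents:
                raise ValueError(f"refusing to extract {info.filename!r}: path escapes {config_dir}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            os.chmod(target, 0o600)
            extracted.append(target)

    if not (config_dir / "config.ovpn").is_file():
        raise FileNotFoundError(f"config.ovpn was not found in {package}")
    return extracted


def missing_referenced_files(ovpn_path):
    """Return file names that config.ovpn references (ca/cert/key/...) but that
    do not exist next to it. Inline <ca>...</ca> blocks need no files and are
    skipped because their lines do not start with a directive name."""
    ovpn_path = Path(ovpn_path)
    missing = []
    for line in ovpn_path.read_text().splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] in FILE_DIRECTIVES:
            ref = parts[1].strip("\"'")
            if not (ovpn_path.parent / ref).is_file():
                missing.append(ref)
    return missing


def build_demo_package(path):
    """Write a constructed zip that mimics the downloaded package. Only
    config.ovpn is named on the page; ca.crt, client.crt and client.key are
    assumed names and their contents are placeholders, not real credentials."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("config.ovpn", "client\ndev tun\nproto udp\nremote vpn.example.com 1194\n"
                    "ca ca.crt\ncert client.crt\nkey client.key\n")
        for name in ("ca.crt", "client.crt", "client.key"):
            zf.writestr(name, f"-----BEGIN PLACEHOLDER-----\n{name} (constructed)\n-----END PLACEHOLDER-----\n")
    return Path(path)


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    pkg = build_demo_package(work / "certs.zip")
    # On a real client, config_dir would be /etc/openvpn/conf/ (Linux) or
    # /usr/local/etc/openvpn/ (macOS); a temporary directory keeps the demo offline.
    files = install_client_package(pkg, work / "openvpn")
    for f in files:
        print(f"{oct(f.stat().st_mode & 0o777)} {f}")
    print("missing referenced files:", missing_referenced_files(work / "openvpn" / "config.ovpn"))
```

To use it for a real client, call install_client_package with the downloaded package and the configuration directory from the relevant procedure, running as root where that directory requires it. Note that the macOS procedure first backs up and deletes the existing contents of /usr/local/etc/openvpn; this function does not delete anything, so do that step by hand before calling it.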
Configure a client that runs Android
Download and install the OpenVPN client for Android.
In this example, a client that runs Android 9.0 and an OpenVPN client of version 3.0.5 are used.
Transfer the SSL client certificate package that you downloaded in Step 3 to the client that runs Android and decompress the package.
Note: If your client that runs Android does not have an application to decompress the package, you can decompress the certificate on your computer and then transfer the decompressed files to the client.
Make sure that the decompressed files belong to the same folder. The following figure shows an example.
Open the OpenVPN client, import the config.ovpn file, and add an SSL-VPN connection.
① Select OVPN Profile.
② Find the config.ovpn file.
③ Click IMPORT to import the config.ovpn file.
④ The system reads information from the config.ovpn file and displays the public IP address of the VPN gateway to be connected. Click ADD to add an SSL-VPN connection.
Turn on the switch to establish an SSL-VPN connection.
Step 5: Test the network connectivity
To test the network connectivity, attempt to access an ECS instance in the VPC from a client.
FAQ
After I use OpenVPN to establish an SSL-VPN connection on a client that runs macOS, how do I close the connection?
Open the CLI on the client that runs macOS.
Run the following command to search for the OpenVPN process and record its process number (PID):
ps aux | grep openvpn
Run the following command to close the OpenVPN process:
kill -9 <Process number>
How do I use OpenVPN to establish an SSL-VPN connection on a client that runs macOS and uses an M1 chip?
If you use a client that runs macOS and uses an M1 chip, we recommend that you use Tunnelblick to establish an SSL-VPN connection. For more information, see Use Tunnelblick to connect a client that runs macOS.