This topic describes how to create an SSL server. To use the SSL-VPN to establish point-to-site connections, you must create an SSL server.


You have created a VPN gateway and have SSL-VPN enabled. For more information, see Create a VPN gateway.


  1. Log on to the VPC console.
  2. In the left-side navigation pane, click VPN > SSL Servers.
  3. On the top of the page, select the region of the SSL server.
  4. On the SSL Servers page, click Create SSL Server.
  5. In the Create SSL Server dialog box that appears, configure the SSL server according to the following information, and then click OK.
    Parameter Description
    Name Enter a name for the SSL server.

    The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter or a Chinese character.

    VPN Gateway Select a VPN gateway that you want to associate with the SSL server.

    Ensure that SSL-VPN is enabled.

    Local Network Enter the CIDR blocks used in the connections by the client through SSL-VPN. This value can be the CIDR blocks of a VPC network, a VSwitch, an on-premises data center connected to a VPC through a leased line, or a cloud service such as ApsaraDB for RDS or Object Storage Service (OSS).

    Click +Add Local Network to add more local networks.

    Note The subnet mask of the local network must be 8-32 bits.
    Client Subnet The CIDR blocks from which an IP address will be allocated to the virtual network interface of the client. This value is not the existing internal CIDR blocks of the client. When the client accesses the local end, the client uses the IP address allocated from the client subnet by the VPN Gateway to access the local network.
    Note The client and the local end cannot use the same CIDR block.
    Advanced Configuration
    Protocol The protocol used by the SSL connection. Valid values: UDP or TCP.
    Port The port used by the SSL connection. Default value: 1194.
    Encryption Algorithm The encryption algorithm used by the SSL connection. Valid values: AES-128-CBC, AES-192-CBC and AES-256-CB
    Enable Compression Enable or disable compression.
    Two-factor Authentication Enable or disable two-factor authentication You must select an IDaaS instance after you enable two-factor authentication.

    By default, you can use the username and password of IDaaS for two-factor authentication. You can configure AD authentication. After you configure AD authentication, SSL-VPN can process the AD authentication feature.

    • The VPN gateways that support two-factor authentication must be created at a time later than 00:00 on March 5, 2020.
    • When you use the two-factor authentication for the first time, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.