
VPN Gateway: Establish SSL-VPN connections to access resources in classic networks

Last Updated:Nov 06, 2023

This topic describes how to establish SSL-VPN connections between Alibaba Cloud classic networks and clients that run Linux, macOS, or Windows. These clients can access resources in Alibaba Cloud classic networks over SSL-VPN connections.

Scenarios

The following figure shows the scenario that is used in this example. You must first establish SSL-VPN connections between the clients and a virtual private cloud (VPC). Then, use the ClassicLink feature of the VPC to connect a classic network to the VPC. This way, the clients are connected to the classic network over the VPC.

(Architecture diagram: Linux, macOS, and Windows clients connect to the VPN gateway in the VPC over SSL-VPN; ClassicLink connects the VPC to the ECS instances in the classic network.)

Procedure

(Flowchart: Step 1 Create a VPN gateway > Step 2 Create an SSL server > Step 3 Create an SSL client certificate > Step 4 Configure the client > Step 5 Establish a ClassicLink connection.)
Note

If SSL-VPN is already configured, you can connect the clients to the classic network by establishing ClassicLink connections between the VPC and Elastic Compute Service (ECS) instances in the classic network. For more information, see Step 5: Establish a ClassicLink connection.

Prerequisites

  • A VPC is created. For more information, see Create a VPC with an IPv4 CIDR block.
    The CIDR block of the VPC must meet the requirements described in the following table.

    VPC CIDR block    Limit
    172.16.0.0/12     The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
    10.0.0.0/8        • The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
                      • The CIDR block of the vSwitch that communicates with the ECS instances in the classic network must fall within 10.111.0.0/16.
    192.168.0.0/16    • The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
                      • Add a custom route entry to each ECS instance in the classic network. The destination CIDR block of the route entry is 192.168.0.0/16 and the next hop is the private network interface controller (NIC). You can add the route by running the provided script. Download routing script.
                        Note Read the readme.txt file before you run the script.
  • The client CIDR block that you specify for the SSL server (the address pool from which connected clients receive their IP addresses) must fall within the CIDR block of the VPC and must not overlap with the CIDR block of any vSwitch in the VPC. Otherwise, the clients and the VPC cannot communicate with each other.
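The CIDR rules above are easy to get wrong in the console and painful to fix after the VPN gateway is bought, so it is worth checking the plan offline first. The following is an added example, not code from the Alibaba Cloud page or from Alibaba Cloud: a POSIX sh script that applies the rules stated on this page (client CIDR block inside the VPC CIDR block and not overlapping the vSwitch; for a 10.0.0.0/8 VPC, the vSwitch inside 10.111.0.0/16). Two things in it are assumptions: the vSwitch CIDR block 172.16.0.0/24 used in the sample call, which the page does not give, and the check that a local network must not overlap the client CIDR block, which is the usual OpenVPN constraint that a routed network cannot collide with the tunnel address pool rather than a rule from this page.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: checks the CIDR planning
# rules from the prerequisites and the SSL server settings offline, before
# you create the VPC, SSL server, or ClassicLink connection. POSIX sh only.

# Dotted quad to 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the first and last address of a CIDR block (e.g. 10.1.0.0/16) as integers.
cidr_bounds() {
  addr=${1%/*}; plen=${1#*/}
  ip=$(ip2int "$addr")
  if [ "$plen" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - plen)) & 4294967295 )); fi
  echo $(( ip & mask )) $(( (ip & mask) | (4294967295 ^ mask) ))
}

# cidr_within INNER OUTER: succeeds if INNER lies entirely inside OUTER.
cidr_within() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# cidr_overlaps A B: succeeds if the two blocks share at least one address.
cidr_overlaps() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_ssl_vpn_plan VPC_CIDR VSWITCH_CIDR CLIENT_CIDR [LOCAL_NETWORK ...]
# Rules taken from this page:
#   - the client CIDR block must lie inside the VPC CIDR block and must not
#     overlap the vSwitch CIDR block;
#   - with a 10.0.0.0/8 VPC, the vSwitch that talks to the classic ECS
#     instances must lie inside 10.111.0.0/16.
# Assumed, not stated on the page: a local network (classic ECS private
# CIDR) must not overlap the client CIDR block, or the route pushed to the
# client would collide with the tunnel address pool.
# Prints every violation and returns the number found (0 = plan is fine).
check_ssl_vpn_plan() {
  vpc=$1; vsw=$2; client=$3; shift 3
  bad=0
  cidr_within "$client" "$vpc" ||
    { echo "client CIDR $client is not inside VPC $vpc"; bad=$((bad + 1)); }
  cidr_overlaps "$client" "$vsw" &&
    { echo "client CIDR $client overlaps vSwitch $vsw"; bad=$((bad + 1)); }
  if [ "$vpc" = "10.0.0.0/8" ] && ! cidr_within "$vsw" 10.111.0.0/16; then
    echo "vSwitch $vsw must be inside 10.111.0.0/16 when the VPC is 10.0.0.0/8"
    bad=$((bad + 1))
  fi
  for net in "$@"; do
    cidr_overlaps "$net" "$client" &&
      { echo "local network $net overlaps client CIDR $client"; bad=$((bad + 1)); }
  done
  return "$bad"
}

# The plan used in this topic; the vSwitch 172.16.0.0/24 is an assumption,
# the page does not state which vSwitch CIDR block it uses:
#   check_ssl_vpn_plan 172.16.0.0/12 172.16.0.0/24 172.16.10.0/24 10.1.0.0/16 10.2.0.0/16
```

Run `check_ssl_vpn_plan` with your real VPC, vSwitch, client, and local-network CIDR blocks; a non-zero exit code means at least one rule on this page is violated, and each violation is printed. The custom-route rule (no route entry to 10.0.0.0/8) cannot be checked offline and still has to be verified in the VPC route table.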

Step 1: Create a VPN gateway

Before you can use SSL-VPN, you must first create a VPN gateway. After you create a VPN gateway, a public IP address is assigned to the VPN gateway.

  1. Log on to the VPN Gateway console.

  2. On the VPN Gateways page, click Create VPN Gateway.

  3. On the VPN Gateway page, set the following parameters, click Buy Now, and then complete the payment:

    Name: Enter a name for the VPN gateway.
    Region: Select the region where you want to create the VPN gateway. Note: The VPN gateway and the VPC must belong to the same region.
    Gateway Type: Select a type for the VPN gateway. In this example, Standard is selected.
    Network Type: Select a network type for the VPN gateway. In this example, Public is selected.
    Tunnels: The tunnel modes that are supported in this region are displayed automatically.
    VPC: Select the VPC where you want to create the VPN gateway.
    VSwitch: Select a vSwitch from the selected VPC. If you select Single-tunnel, specify one vSwitch. If you select Dual-tunnel, specify two vSwitches. Note: The system selects a vSwitch by default; you can keep the default vSwitch or change it. After you create a VPN gateway, you cannot change the vSwitch associated with it. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
    vSwitch 2: Select another vSwitch from the selected VPC. Ignore this parameter if you select Single-tunnel.
    Maximum Bandwidth: Specify the maximum bandwidth of the VPN gateway. This bandwidth is used by the VPN gateway for data transfer over the Internet.
    Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
    IPsec-VPN: Specify whether to enable the IPsec-VPN feature. In this example, Disable is selected.
    SSL-VPN: Specify whether to enable the SSL-VPN feature. In this example, Enable is selected.
    SSL Connections: Select the maximum number of concurrent SSL connections that the VPN gateway supports.
    Duration: By default, the VPN gateway is billed on an hourly basis.
    Service-linked Role: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.

  4. Return to the VPN Gateways page to view the VPN gateway that you created.

    It takes about 1 to 5 minutes to create a VPN gateway. A newly created VPN gateway is in the Preparing state. After about 2 minutes, it enters the Normal state. The Normal state indicates that the VPN gateway is initialized and ready for use.

Step 2: Create an SSL server

After you create a VPN gateway, you must create an SSL server. The SSL server is the endpoint that clients connect to; it defines which local networks the clients can reach and the address pool from which connected clients receive their IP addresses.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.

  2. In the top navigation bar, select the region of the SSL server.

  3. On the SSL Server page, click Create SSL Server.

  4. In the Create SSL Server panel, set the following parameters and click OK.

    Name: Enter a name for the SSL server.
    VPN Gateway: Select the VPN gateway. In this example, the VPN gateway that is created in Step 1 is selected.
    Local Network: Enter the private CIDR block of the ECS instance in the classic network that the clients need to access. Click Add Local Network to add more CIDR blocks. In this example, 10.1.0.0/16 and 10.2.0.0/16 are entered. Note: If the IP address of an ECS instance does not fall within the specified CIDR blocks, the clients cannot reach that instance; add the CIDR block to which its IP address belongs.
    Client CIDR Block: Enter the CIDR block from which the SSL server assigns an IP address to each connected client. The client uses this IP address to access resources in the VPC. The client CIDR block must fall within the CIDR block of the VPC to which the VPN gateway belongs and must not overlap with the CIDR block of any vSwitch in the VPC (see Prerequisites). In this example, 172.16.10.0/24 is entered.
    Advanced Configuration: In this example, the default settings are used.

Step 3: Create an SSL client certificate

After you create an SSL server, you must create an SSL client certificate based on the configuration of the SSL server.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.

  2. On the SSL Client page, click Create SSL Client Certificate.

  3. In the Create SSL Client Certificate panel, enter a client certificate name, select an SSL server, and then click OK.

  4. On the SSL Client page, find the client certificate and click Download in the Actions column.

Step 4: Configure the client

After you download the SSL client certificate package, you must install it on the client. After the certificate is installed, the client can connect to the VPN gateway over an SSL-VPN connection. Treat the package as a credential: it contains the client's private key, and anyone who holds it can connect to the SSL server, so store it with restrictive file permissions and do not copy it between machines. The following section describes how to configure Linux, macOS, and Windows clients.

Configure a Linux client

  1. Run the following command to install OpenVPN:

    yum install -y openvpn
  2. Extract and copy the SSL client certificate to the /etc/openvpn/conf/ directory.

  3. Run the following command to start OpenVPN:

    openvpn --config /etc/openvpn/conf/config.ovpn --daemon

Configure a macOS client

  1. Open the CLI.

  2. If Homebrew is not installed on your client, run the following command to install Homebrew:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  3. Run the following command to install OpenVPN:

    brew install openvpn
  4. Copy the SSL client certificate package that you downloaded to the OpenVPN configuration directory and decompress the package. The following steps assume the default Homebrew prefix /usr/local; on Apple silicon Macs, Homebrew installs to /opt/homebrew, so adjust the paths accordingly.

    1. Back up all configuration files in the /usr/local/etc/openvpn folder.

    2. Run the following command to delete the configuration files of OpenVPN:

      rm /usr/local/etc/openvpn/*
    3. Run the following command to copy the SSL client certificate package to the /usr/local/etc/openvpn/ directory.

      cp cert_location /usr/local/etc/openvpn/

      In the preceding command, replace cert_location with the path of the downloaded certificate package, for example, /Users/example/Downloads/certs6.zip.

  5. Run the following commands to extract the certificate:

    cd /usr/local/etc/openvpn/
    unzip /usr/local/etc/openvpn/certs6.zip
  6. Run the following command to establish a VPN connection:

    sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn

Configure a Windows client

  1. Download and install the OpenVPN client.

  2. Extract and copy the SSL client certificate to the OpenVPN\config directory of OpenVPN.

  3. Start OpenVPN and click Connect to initiate a connection.
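On the Linux and macOS clients above, OpenVPN is started directly on whatever was unzipped into the configuration directory. The following is an added example, not code from the Alibaba Cloud page or from Alibaba Cloud: a POSIX sh helper that checks the extracted package before the tunnel is started. It verifies that every file config.ovpn references is present, optionally that the profile's remote is the public IP address of your own VPN gateway (so a mixed-up or tampered package cannot silently send the client elsewhere), and then makes the key material readable only by the owner, because the client key is the credential that authenticates this machine to the SSL server. It assumes the package uses standard OpenVPN ca, cert, and key directives with file names relative to the profile; the page itself only names config.ovpn.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: check an extracted SSL
# client certificate package and lock down its key before starting OpenVPN.
# Assumption (not stated on the page): config.ovpn references the CA
# certificate, client certificate and client key through standard OpenVPN
# "ca", "cert" and "key" directives, with file names relative to the profile.

# Print the file names referenced by the credential directives of a profile.
ovpn_referenced_files() {
  awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "tls-auth" || $1 == "tls-crypt" { print $2 }' "$1"
}

# Print "host port" from the first "remote" directive of a profile.
ovpn_remote() {
  awk '$1 == "remote" { print $2, $3; exit }' "$1"
}

# stage_ovpn_profile DIR [GATEWAY_IP]
# Checks that DIR/config.ovpn and every file it references exist and,
# if GATEWAY_IP is given, that the profile connects to that address.
# Then restricts the profile and all key files to the owner.
# Returns 1 on any problem so a wrapper can refuse to start openvpn.
stage_ovpn_profile() {
  dir=$1; expected=${2:-}
  profile="$dir/config.ovpn"
  [ -f "$profile" ] || { echo "missing $profile" >&2; return 1; }
  rc=0
  for f in $(ovpn_referenced_files "$profile"); do
    [ -f "$dir/$f" ] || { echo "$profile references $f, which is not in $dir" >&2; rc=1; }
  done
  if [ -n "$expected" ]; then
    host=$(ovpn_remote "$profile" | cut -d' ' -f1)
    [ "$host" = "$expected" ] || { echo "profile connects to '$host', expected $expected" >&2; rc=1; }
  fi
  [ "$rc" -eq 0 ] || return 1
  # The client key (and any tls-auth/tls-crypt key) authenticates this
  # machine to the SSL server; nobody else on the host needs to read it.
  # The profile is restricted too, in case the credentials are embedded inline.
  chmod 600 "$profile"
  for f in $(awk '$1 == "key" || $1 == "tls-auth" || $1 == "tls-crypt" { print $2 }' "$profile"); do
    chmod 600 "$dir/$f"
  done
}

# Linux usage after unzipping the package into /etc/openvpn/conf, where
# 203.0.113.10 stands for the public IP address of your VPN gateway from Step 1:
#   stage_ovpn_profile /etc/openvpn/conf 203.0.113.10 \
#     && openvpn --config /etc/openvpn/conf/config.ovpn --daemon
```

On macOS, point the same function at /usr/local/etc/openvpn (or /opt/homebrew/etc/openvpn on Apple silicon) and run openvpn with sudo as in the macOS steps. On Windows the OpenVPN GUI handles the profile, but the same rule applies: keep the extracted package in OpenVPN\config readable only by the account that runs the client.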

Step 5: Establish a ClassicLink connection

VPC provides the ClassicLink feature. This feature allows ECS instances in a classic network to communicate with cloud resources in a VPC.

  1. Enable ClassicLink.

    1. Log on to the VPC console.

    2. In the top navigation bar, select the region where the VPC is deployed.

    3. On the VPCs page, find the VPC that you want to view and click its ID.

    4. In the upper-right corner of the VPC details page, click Enable ClassicLink.

    5. In the Enable ClassicLink message, click OK.

      After ClassicLink is enabled, the status of ClassicLink in the VPC Details section changes to Enabled.

  2. Log on to the ECS console.

  3. In the left-side navigation pane, choose Instances & Images > Instances.

  4. Select the region where the ECS instance is deployed.

  5. Connect the ECS instance to the VPC.

    1. On the Instances page, find the ECS instance that you want to manage and choose More > Network and Security Group > Set classic link in the Actions column.

    2. In the Connect to VPC dialog box, select a VPC and click OK.

  6. Configure a security group rule for ClassicLink.

    1. Click Go to the instance security group list and add ClassicLink rules, and click Add ClassicLink Rule.

    2. In the Add ClassicLink Rule dialog box, set the following parameters and click OK.

      Classic Security Group: Displays the name of the security group of the ECS instance in the classic network.
      Select VPC Security Group: Select a security group in the VPC.
      Authorization Method: Select one of the following authorization methods:
      • Classic <=> VPC: allows the ECS instance in the classic network and cloud resources in the VPC to access each other (recommended).
      • Classic => VPC: allows the ECS instance in the classic network to access cloud resources in the VPC.
      • VPC => Classic: allows cloud resources in the VPC to access the ECS instance in the classic network.
      Protocol Type: Select the protocol that is used for communication.
      Port Range: The ports that are used for communication, specified in the xx/xx format. For example, to allow only port 80, enter 80/80.
      Priority: Specify the priority of the rule. A smaller value indicates a higher priority.
      Description: Enter a description for the rule.

  7. Go back to the ECS console, and click the Column Filters icon in the upper-right corner. In the dialog box that appears, select Link Status, and click OK to view the connection status of the ECS instance.

    Figure 1. Column Filters

    Figure 2. Connection Status (column filter option)

    Figure 3. Connection Status (Connected)

    After you complete the preceding configurations, your client can access the applications deployed on the ECS instance in the classic network. To verify, connect the client over SSL-VPN and access the application on the ECS instance over the protocol and port that you allowed in the ClassicLink rule.