SSL-VPN is a virtual private network (VPN) that is created by using the Secure Sockets Layer (SSL) protocol based on OpenVPN. After you deploy the required resources, you can load the SSL client certificate on your client and initiate an SSL-VPN connection between the client and a virtual private cloud (VPC). This way, your client can access applications and services that reside in the VPC. This topic describes how to use SSL-VPN to connect an Elastic Desktop Service (EDS) client to the secure office network of a cloud desktop. This enables you to access the cloud desktop over private networks from the EDS client.

Background information

You can choose to connect to a cloud desktop from an EDS client over the Internet or private networks. The properties of the workspace to which the cloud desktop belongs determine the available network connection methods. You can use the following connection methods to access the cloud desktop from the client:
  • If you set Connection Method to Internet, the client can access the cloud desktop only over the Internet.
  • If you set Connection Method to VPC, the client can access the cloud desktop only over a VPC.
  • If you set Connection Method to Internet and VPC, the client can access the cloud desktop over the Internet or a VPC.
Alibaba Cloud PrivateLink is used to establish private connections between VPCs and Alibaba Cloud services. This simplifies network architectures and ensures the security of data transmission.
Note You can use PrivateLink for free. If you set Connection Method to VPC or Internet and VPC, PrivateLink is automatically activated.

To use the VPC connection method, you must enable network connectivity between the on-premises network to which the client belongs and the secure office network of the cloud desktop. Alibaba Cloud provides Express Connect, Smart Access Gateway (SAG), and VPN Gateway to enable network connectivity between on-premises and off-premises networks. VPN Gateway supports IPsec-VPN and SSL-VPN. In this topic, SSL-VPN is used to access cloud desktops from the client over private networks.

Note Cloud desktops support multiple types of clients such as the software client on computers, the browser client, the hardware client, and the mobile client. Before you use SSL-VPN, you must install OpenVPN. The SSL-VPN solution is applicable only to software clients on Windows and macOS computers.

Network architecture

SSL-VPN enables network connectivity between on-premises and off-premises networks. The following figure shows how the client on your computer uses SSL-VPN to access cloud desktops over private networks.
Note When you use VPN Gateway to connect on-premises and off-premises networks, make sure that the client on your computer can access the Internet.
Figure: SSL-VPN network architecture
The following information describes the networks in the preceding figure:
  • VPCs are logically isolated private networks in the cloud. The network architecture of EDS consists of management VPCs, desktop service VPCs, and workspace VPCs. Alibaba Cloud maintains all of these VPCs. You can use the management VPCs and desktop service VPCs to deploy management components and desktop resources. The system creates a workspace VPC based on the CIDR block that you specify when you create the workspace. If you use the SSL-VPN solution to connect to a VPC, you must create a VPC as the user VPC.
  • Cloud Enterprise Network (CEN) can build private communication channels between VPCs. Alibaba Cloud maintains the management CEN instances. You must create user CEN instances to implement network connectivity between user VPCs and workspace VPCs.
  • Each cloud desktop has two network interface controllers (NICs): eth0 and eth1. eth0 is the internal NIC that is used to control traffic between clients and cloud desktops. The IP addresses of eth0 are assigned by EDS. eth1 is the common NIC used to access resources in a VPC or the Internet. The IP addresses of eth1 are assigned by the system from the CIDR blocks of the workspace VPC.
  • The VPC connection method depends on PrivateLink, which provides secure and stable private networks to connect the workspace VPC (endpoint) and the desktop service VPC (service endpoint).
Before you perform the following operations, make sure that the CIDR block of the user VPC and the CIDR block of the workspace VPC do not overlap with each other. In this example, the following CIDR blocks are used:
  • Workspace VPC: 172.16.111.0/24
  • User VPC: 192.168.0.0/16

Preparations

In EDS, workspaces are classified by account type into workspaces of the convenience account type and workspaces of the enterprise AD account type. You need to perform the following operations before you attach a VPC to a CEN instance:
  • Workspace of the convenience account type
    1. Create a CEN instance. For more information, see Create a CEN instance.
    2. Create a user VPC and attach the user VPC to the CEN instance. For more information, see Create a VPC and Attach a network instance.
    3. Create a workspace of the convenience account type and attach the workspace VPC to the CEN instance. For more information, see Create a workspace of the convenience account type.

      If you have a workspace of the convenience account type, you can attach the workspace VPC to the CEN instance on the Secure office network page in the EDS console.

  • Workspace of the enterprise AD account type
    1. Create a CEN instance. For more information, see Create a CEN instance.
    2. Create a user VPC and attach the user VPC to the CEN instance. For more information, see Create a VPC and Attach a network instance.

      If an Active Directory (AD) system is deployed on an Elastic Compute Service (ECS) instance, the VPC to which the AD belongs is the user VPC. You need only to attach the VPC to the CEN instance.

    3. Create a workspace of the enterprise AD account type and attach the workspace VPC to the CEN instance. For more information, see Create a workspace of the enterprise AD account type.
      Note If an AD system is deployed on an on-premises server, you must enable network connectivity between on-premises and off-premises networks before you can connect the AD system to an AD workspace. You can create an AD workspace and configure the AD domain after on-premises and off-premises networks are connected.

Step 1: Configure SSL-VPN

To configure SSL-VPN, you must create a VPN gateway, create an SSL server, publish the CIDR block of the EDS client, and then create a certificate for the SSL client. To configure SSL-VPN, perform the following operations:

  1. Log on to the VPN Gateway console.
  2. Create a VPN gateway.
    1. On the VPN Gateways page, click Create VPN Gateway.
    2. On the buy page, configure the VPN gateway.
      The following parameters must be configured to create a VPN gateway. For more information, see Create a VPN gateway.
      • Name: Enter a custom name for the VPN gateway. See the on-screen instructions for information about the naming conventions. Example: test-vpn
      • Region: Select the region where the workspace resides. Example: China (Hangzhou)
      • VPC: Select the CIDR block of the VPC that you want to connect to. Example: test-vpc
      • Specify VSwitch: Select whether to specify a vSwitch within the VPC for the VPN gateway. In this example, No is selected. Example: No
      • Peak Bandwidth: Select a peak bandwidth value for the VPN gateway. The peak bandwidth value is used for data transfer over the Internet. Example: 10 Mbps
      • IPsec-VPN: Specify whether to enable the IPsec-VPN feature. In this example, Disable is selected. Example: Disable
      • SSL-VPN: Specify whether to enable the SSL-VPN feature. In this example, Enable is selected. Example: Enable
      • SSL connections: Select the maximum number of concurrent SSL connections that the VPN gateway supports. Example: 5
    3. Click Buy Now and complete the payment.
  3. Create an SSL server.
    1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
    2. On the SSL Servers page, click Create SSL Server.
    3. In the Create SSL Server panel, configure the SSL server.
      The following parameters must be configured. For more information, see Create an SSL server.
      • Name: Enter a custom name for the SSL server. See the on-screen instructions for information about the naming conventions. Example: test-ssl
      • VPN Gateway: The VPN gateway that you created in Step 2. Example: test-vpn
      • Local Network: The CIDR blocks of the on-premises network. You need to specify the following CIDR blocks:
        • The CIDR block of the workspace VPC. Example: 172.16.111.0/24
        • The CIDR block of the user VPC to which you want to connect. Example: 192.168.0.0/16
        • The CIDR block of the DNS network in the VPC and the CIDR block of the Alibaba Cloud OpenAPI that can be accessed from the internal network. Both CIDR blocks are fixed as 100.64.0.0/10. Example: 100.64.0.0/10
      • Client Subnet: The CIDR block that the client uses. You can specify a custom CIDR block. Make sure that the CIDR block of the destination network and the client CIDR block do not overlap with each other. Example: 10.10.111.0/24
        Notice Do not enter the private CIDR block of the client. When the client accesses the destination network by using an SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client.
      • Advanced Configuration: In the Advanced Configuration section, you can configure advanced settings, such as protocols and encryption algorithms. In this example, this parameter is skipped. By default, this parameter is not configured.
    4. Click OK.
  4. Add the client CIDR block that is specified on the SSL-VPN server to the CEN instance.
    1. In the left-side navigation pane, click Route tables.
    2. On the Route Tables page, find the route table of the VPC that you want to connect to and click its ID.
    3. On the Route Entry List tab, click the Custom tab.
    4. Find the client CIDR block that is specified on the SSL-VPN server and click Publish.
  5. Create a certificate for an SSL client.
    1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.
    2. On the SSL Clients page, click Create Client Certificate.
    3. In the Create Client Certificate panel, enter a name for the SSL client certificate and select the SSL server for which you want to create the certificate, and then click OK.
    4. On the SSL Clients page, find the SSL client certificate that you created, and click Download in the Actions column.
      The SSL client certificate is downloaded to your computer and is used when you configure the client in the following steps.
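As an added example (not Alibaba Cloud code), the following Python script checks the CIDR plan from the Network architecture section together with the Local Network and Client Subnet parameters above: it builds the Local Network list, flags any overlapping blocks, and confirms that the DNS server addresses used in Step 2 (100.100.2.136 and 100.100.2.138) fall inside the published 100.64.0.0/10 block. The CIDR values are the ones this page uses, embedded as constructed input.

```python
import ipaddress
from itertools import combinations

# CIDR blocks taken from this page (constructed sample input for this example).
WORKSPACE_VPC = "172.16.111.0/24"
USER_VPC = "192.168.0.0/16"
CLIENT_SUBNET = "10.10.111.0/24"
FIXED_DNS_OPENAPI = "100.64.0.0/10"   # fixed block for VPC DNS and OpenAPI


def local_networks(workspace_vpc, user_vpc):
    """Return the Local Network list for the SSL server: workspace VPC,
    user VPC and the fixed 100.64.0.0/10 block. strict=True rejects a
    value whose host bits are set (for example 192.168.1.5/16)."""
    return [str(ipaddress.ip_network(workspace_vpc, strict=True)),
            str(ipaddress.ip_network(user_vpc, strict=True)),
            FIXED_DNS_OPENAPI]


def overlapping_pairs(cidrs):
    """Return every pair of blocks that overlap; an empty list means the
    plan meets the page's non-overlap requirements."""
    nets = {c: ipaddress.ip_network(c, strict=True) for c in cidrs}
    return [(a, b) for a, b in combinations(cidrs, 2)
            if nets[a].overlaps(nets[b])]


def reachable_via_vpn(local_nets, ip):
    """True if ip lies in a published Local Network block, which is what
    makes the VPN route it into the VPC instead of the local network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in local_nets)


def check_plan(workspace_vpc, user_vpc, client_subnet):
    """Validate the whole plan: destination blocks must not overlap each
    other, and the client subnet must not overlap any destination block."""
    dest = local_networks(workspace_vpc, user_vpc)
    overlaps = overlapping_pairs(dest + [client_subnet])
    return {"local_networks": dest, "client_subnet": client_subnet,
            "overlaps": overlaps, "ok": not overlaps}


if __name__ == "__main__":
    plan = check_plan(WORKSPACE_VPC, USER_VPC, CLIENT_SUBNET)
    print("plan ok:", plan["ok"], plan["local_networks"])
    # The DNS servers from Step 2 resolve over the VPN only because
    # 100.64.0.0/10 is in the Local Network list.
    for dns in ("100.100.2.136", "100.100.2.138"):
        print(dns, "via VPN:", reachable_via_vpn(plan["local_networks"], dns))
```

A client subnet carved out of the user VPC (for example 192.168.50.0/24) is reported in the overlaps list and the plan is marked not ok.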

Step 2: Connect the client on your computer to a VPC

On your computer, you must install OpenVPN and initiate a connection from it. After you configure DNS, you can connect to the VPC with a few clicks. To connect the client on your computer to a VPC, perform the following operations:

  1. Install OpenVPN on your computer.
    We recommend that you use OpenVPN to connect to a VPC. Download OpenVPN based on the OS type of the computer on which the EDS client runs.
    • Windows
      1. Download OpenVPN.
      2. Install OpenVPN.
      3. Decompress the package of the SSL client certificate that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.

        Copy the certificate to the config directory under the directory where OpenVPN is actually installed. For example, if OpenVPN is installed in the C:\Program Files\OpenVPN directory, decompress the certificate package, and then copy the certificate to the C:\Program Files\OpenVPN\config directory.

    • macOS
      1. Run the following command to install OpenVPN:
        brew install openvpn
        If Homebrew is not installed, install Homebrew first.
      2. Decompress the package of the SSL client certificate and copy the certificate to the OpenVPN configuration directory. In this example, the directory is /usr/local/etc/openvpn, which is the path that the connection command in the next step uses.
  2. Launch OpenVPN on your computer and initiate a connection.
    • Windows: Launch OpenVPN and initiate a connection.
    • macOS: Run the following command to initiate a connection:
      sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
  3. Configure DNS on your computer.
    1. Add 100.100.2.136 or 100.100.2.138 to the list of DNS servers.
      To configure DNS, perform the following operations. In this example, Windows 10 is used.
      1. Open Network and Sharing Center in Control Panel.
      2. In the left-side navigation pane, click Change adapter settings.
      3. Right-click the network adapter that corresponds to OpenVPN and select Properties.
      4. In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).
      5. In the dialog box that appears, specify the DNS server.

        You can set the IP address of your preferred DNS server to 100.100.2.136 and the IP address of your alternative DNS server to 100.100.2.138.

    2. Run the following command to check whether the DNS server works as expected:
      nslookup ecd-vpc.cn-beijing.aliyuncs.com

Step 3: Check whether the EDS client can access a cloud desktop over private networks

Before you perform the check, create regular users based on the workspace type and create and assign cloud desktops for the regular users.

The SSL-VPN solution is applicable only to computers that run Windows or macOS. The following information uses a Windows client as an example. Perform the following operations to check the connectivity:

  1. Install and launch the EDS client.
  2. On the Configuration page, enter the workspace ID, select Use VPC tunnel as Network Access Mode, and then click Next.
    If a request timeout error is reported, the network is inaccessible. Check whether the network configurations are valid.
  3. In the dialog box that appears, enter the username and password, and click Next.
  4. In the desktop card, select the cloud desktop in the Running state, and click Connect.
    If you can log on to the client and connect to the cloud desktop, the network configurations take effect.