SSL-VPN is a virtual private network (VPN) that is created by using the Secure Sockets Layer (SSL) protocol based on OpenVPN. After you deploy the required resources, you need to load the SSL client certificate into OpenVPN and initiate an SSL-VPN connection between OpenVPN and a virtual private cloud (VPC). Then, you can access applications and services that use the VPC from OpenVPN. This topic describes how to use SSL-VPN to connect to the secure office network of a cloud desktop in Elastic Desktop Service (EDS) by using OpenVPN on an on-premises device, so that you can then connect to the cloud desktop over a private network from an Alibaba Cloud Workspace client.
Preparations
Before you get started, read Access a cloud desktop over a private network and make sure that the following preparations are complete.
- A Cloud Enterprise Network (CEN) instance is available. If you do not have a CEN instance, create a CEN instance before you proceed. For more information about specific operations, see Create a CEN instance.
- A VPC is available. If you do not have an available VPC, you must create a VPC and attach it to a CEN instance. For more information about specific operations, see Create a VPC and a vSwitch or Manage network instances.
- A workspace is available. If you do not have a valid workspace, create a convenience or an Active Directory (AD) workspace and attach the workspace VPC to the CEN instance. For more information about specific operations, see Create or delete a convenience workspace or Create and configure an AD workspace.
  Important:
  - To prevent CIDR blocks from overlapping between a workspace and a CEN instance or a data center, plan the IPv4 CIDR block of the workspace before you create the workspace. For more information, see Create or delete a convenience workspace.
  - If you use a workspace of the convenience account type, you can attach the workspace VPC to the CEN instance on the Secure Office Network page in the Elastic Desktop Service (EDS) console.
  - If the AD system of an enterprise is deployed on an Elastic Compute Service (ECS) instance, you must attach the VPC that is used by the AD server to the CEN instance. If the AD system of an enterprise is deployed on an on-premises server, you must establish network connectivity between the on-premises and off-premises networks before EDS can connect to the AD system. After the networks are connected, you can create a workspace of the enterprise AD account type and configure an AD domain.
- A user is created, and a cloud desktop is assigned to the user.
  - For more information about how to create a user, see Create a convenience user or Create and configure an AD workspace.
  - For more information about how to create and assign a cloud desktop, see Create a cloud desktop or Assign cloud desktops to end users.
- A device on which to install OpenVPN and the Alibaba Cloud Workspace client in Elastic Desktop Service (EDS) is available. Make sure that both OpenVPN and the Alibaba Cloud Workspace client are installed on the same device.
  Note:
  - SSL-VPN is suitable for the Windows client or macOS client of Alibaba Cloud Workspace.
  - To check whether you can connect to a cloud desktop in EDS over a private network, you must log on to the client. You can log on to the Windows client, macOS client, iOS client, Android client, or Web client. Then, you can connect to the cloud desktop over the enterprise private network.
Step 1: Configure SSL-VPN
When you configure SSL-VPN, you must create a VPN gateway, create an SSL server, publish the CIDR block of the Alibaba Cloud Workspace client to CEN, and then create an SSL client certificate.
- Create a VPN gateway and enable SSL-VPN. For more information about specific operations, see Create a VPN gateway. The following table describes the related parameters.

| Parameter | Description | Example |
| --- | --- | --- |
| Name | Enter a name for the VPN gateway. | test-vpn |
| Region | Select the region where you want to deploy the VPN gateway. The VPN gateway must be deployed in the same region as the VPC that you want to associate with the VPN gateway. | China (Hangzhou) |
| Network Type | Select the network type of the VPN gateway. Public: the VPN gateway can be used to establish VPN connections over the Internet. Private: the VPN gateway can be used to establish VPN connections over private networks. | Internet |
| VPC | Select the VPC with which you want to associate the VPN gateway. | test-vpc |
| Specify VSwitch | Specify whether you want to associate the VPN gateway with a specified vSwitch. No: the VPN gateway is associated with a random vSwitch of the VPC. Yes: the VPN gateway is associated with the vSwitch of the VPC that you specify. | No |
| Maximum Bandwidth | Specify a maximum bandwidth for the VPN gateway. Unit: Mbit/s. | 200 Mbit/s |
| Traffic | Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer. | Pay-by-data-transfer |
| IPsec-VPN | Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. You can use IPsec-VPN to establish a secure connection between a data center and a VPC or between two VPCs. | Disable |
| SSL-VPN | Specify whether to enable SSL-VPN. Default value: Disable. SSL-VPN allows you to establish secure connections between clients and servers without the need to configure customer gateways. For example, you can establish SSL-VPN connections between Linux clients and VPCs. | Enable |
| SSL Connections | Select the maximum number of concurrent SSL-VPN connections for the VPN gateway. Note: this parameter is valid only after you enable SSL-VPN. | 5 |
| Duration | Specify the billing cycle. Default value: By Hour. | 1 Month |
| Service-linked roles | Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again. | N/A |

- Create an SSL server. For more information about specific operations, see Create an SSL server. The following table describes the related parameters.
| Parameter | Description | Example |
| --- | --- | --- |
| Name | Enter a name for the SSL server. The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter. | test-ssl |
| VPN Gateway | Select the VPN gateway that you want to associate with the SSL server. Make sure that SSL-VPN is enabled for the VPN gateway. | test-vpn |
| Local Network | Enter the local CIDR block that your client needs to access by using the SSL-VPN connection. The local CIDR block can be the CIDR block of a VPC, a vSwitch, a cloud service such as Object Storage Service (OSS) or a database service, or a data center that is connected by using a VPC and an Express Connect circuit. Click Add Local Network to add more local CIDR blocks. Note: the subnet mask of the specified local CIDR block must be 8 to 32 bits in length. | Add the following CIDR blocks: the CIDR block of the workspace VPC (172.16.111.0/24); the CIDR block of the user VPC (192.168.0.0/16); the CIDR block of the DNS network in the VPC and the CIDR block of the Alibaba Cloud OpenAPI that can be accessed from the internal network, both of which are fixed as 100.64.0.0/10. |
| Client Subnet | Enter the CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client. When the client accesses the destination network by using an SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client. Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway. Important: the subnet mask of the client CIDR block must be 16 to 29 bits in length; the local CIDR block and the client CIDR block must not overlap; we recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must also specify that public CIDR block as the user CIDR block of the VPC so that the VPC can access it. For more information about user CIDR blocks, see What is a user CIDR block? and How do I configure a user CIDR block?. | 10.10.111.0/24 |
| Advanced Configuration | In the Advanced Configuration section, you can configure advanced settings, such as protocols and encryption algorithms. You can use the default values. | |

- Publish the client CIDR block that is specified on the SSL-VPN server to CEN.
- Create an SSL client certificate. For more information about specific operations, see Create an SSL client certificate.
- On the SSL Clients page, find the SSL client certificate that you want to download and click Download in the Actions column. The SSL client certificate is downloaded to your local computer and is used when you configure the OpenVPN client in the following steps.
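As an added example that is not part of the original topic or of Alibaba Cloud's own tooling, the following Python script checks a planned SSL server configuration against the constraints stated in the tables above before you enter it in the console: local-network masks of 8 to 32 bits, a client-subnet mask of 16 to 29 bits, no overlap between the client subnet and any local network (or the client's own LAN), a private client subnet, and enough client addresses for four times the gateway's SSL Connections value. It uses the CIDR blocks and the SSL Connections example from the tables as its sample input; the function name `check_ssl_server_plan`, its parameters and the optional `on_premises_networks` list are this example's own.

```python
"""Pre-flight check for an SSL server plan (added example, not Alibaba Cloud code).

Encodes the constraints from the SSL server parameter table: local-network
masks of 8 to 32 bits, a client-subnet mask of 16 to 29 bits, no overlap
between the client subnet and any local network or the device's own LAN, a
private client subnet, and at least four client addresses per concurrent
SSL-VPN connection. Function and parameter names are this example's own.
"""
import ipaddress
from typing import List, Optional

# Private ranges the table recommends for the client subnet.
RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_ssl_server_plan(local_networks: List[str], client_subnet: str,
                          max_ssl_connections: int,
                          on_premises_networks: Optional[List[str]] = None) -> List[str]:
    """Return the list of problems found; an empty list means the plan passes."""
    problems: List[str] = []

    # Local networks: must parse as IPv4 CIDR blocks with 8- to 32-bit masks.
    locals_: List[ipaddress.IPv4Network] = []
    for cidr in local_networks:
        try:
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"local network {cidr!r} is not a valid IPv4 CIDR block: {exc}")
            continue
        if not 8 <= net.prefixlen <= 32:
            problems.append(f"local network {net}: mask must be 8 to 32 bits")
        locals_.append(net)

    # Client subnet: 16- to 29-bit mask, private, disjoint from every local network.
    try:
        client = ipaddress.IPv4Network(client_subnet, strict=True)
    except ValueError as exc:
        problems.append(f"client subnet {client_subnet!r} is not a valid IPv4 CIDR block: {exc}")
        return problems
    if not 16 <= client.prefixlen <= 29:
        problems.append(f"client subnet {client}: mask must be 16 to 29 bits")
    if not any(client.subnet_of(p) for p in RFC1918):
        problems.append(f"client subnet {client} is outside 10.0.0.0/8, 172.16.0.0/12 and "
                        "192.168.0.0/16; a public block must also be set as the VPC user CIDR block")
    for net in locals_:
        if client.overlaps(net):
            problems.append(f"client subnet {client} overlaps local network {net}")
    # The table says not to reuse the client's own private CIDR block (optional input).
    for cidr in on_premises_networks or []:
        try:
            lan = ipaddress.IPv4Network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"on-premises network {cidr!r} is not a valid IPv4 CIDR block: {exc}")
            continue
        if client.overlaps(lan):
            problems.append(f"client subnet {client} overlaps the client's own network {lan}")

    # Capacity: at least four addresses per concurrent SSL-VPN connection.
    needed = 4 * max_ssl_connections
    if client.num_addresses < needed:
        problems.append(f"client subnet {client} has {client.num_addresses} addresses; "
                        f"at least {needed} (four times {max_ssl_connections} connections) are required")
    return problems


if __name__ == "__main__":
    # Values from the parameter tables above; 5 is the SSL Connections example.
    plan = check_ssl_server_plan(
        ["172.16.111.0/24", "192.168.0.0/16", "100.64.0.0/10"], "10.10.111.0/24", 5)
    print("plan OK" if not plan else "\n".join(plan))
```

Run it before you click Create in the console; every returned line maps to one sentence of the Local Network or Client Subnet row, so the fix is always a change to that field.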
Step 2: Configure networks on your local computer for private network connection
You must install OpenVPN on a local computer and log on to OpenVPN. After you configure DNS server settings on your local computer, you can connect to your cloud desktop from the Alibaba Cloud Workspace client with a few clicks. The following section describes how to configure the DNS server settings.
- Install OpenVPN on your local computer. We recommend that you use OpenVPN to connect to a VPC. The following section describes how to install OpenVPN on a local computer that runs Windows or macOS.
  - Windows
    - Click Download OpenVPN.
    - Install OpenVPN.
    - Decompress the package of the SSL client certificate that you downloaded and copy the SSL client certificate to the OpenVPN\config directory. Important: copy the certificate to the config directory under the directory in which OpenVPN is installed. For example, if OpenVPN is installed in C:\Program Files\OpenVPN, decompress the certificate package and copy the certificate to C:\Program Files\OpenVPN\config.
  - macOS
    - Run the following command to install OpenVPN. You must install Homebrew before you run the command.
      brew install openvpn
    - Decompress the package of the SSL client certificate and copy the certificate to the config directory of OpenVPN.
- Launch OpenVPN on your local computer and initiate a connection.
  - Windows: Launch OpenVPN and initiate a connection.
  - macOS: Run the following command to initiate a connection:
    sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
- Configure DNS server settings on your local computer. Before you configure DNS server settings, run the following command to test whether the EDS domain name can be resolved:
  nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
  If an IP address is returned, the domain name can be resolved as expected and you can skip this step. If no IP address is returned, perform the following steps to configure DNS:
Step 3: Check whether a cloud desktop can be connected over a private network
SSL-VPN is suitable for the Windows client or macOS client of Alibaba Cloud Workspace.
- Obtain the information that you need to log on to the client, such as the workspace ID, account, and password, from the email that you received, and log on to the client to connect to a cloud desktop in Elastic Desktop Service (EDS).
- Connect to a cloud desktop. After you log on to the client, the cloud desktops that belong to the workspace in EDS are displayed as desktop cards. Find the desired cloud desktop and click Connect Desktop. After the cloud desktop is connected, you can view and use the cloud desktop.
  Important: If a network request timeout error occurs, the network is unavailable. Check whether the configurations are valid. Then, log on to the client again and connect to the cloud desktop.
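The nslookup test in Step 2 only tells you whether the EDS domain name resolves. As an added example that is not part of the original topic or of Alibaba Cloud's tooling, the Python script below goes one step further for the timeout case described above: it resolves the same domain name and checks that each returned address falls within one of the Local Network CIDR blocks configured in Step 1, on the assumption (taken from the Local Network description, which defines those blocks as the destinations the client reaches through the SSL-VPN connection) that an address outside them is reached over the Internet rather than through the tunnel. The names `resolve`, `classify` and `check_eds_path`, and the constructed sample addresses 100.65.0.10 and 203.0.113.7, are this example's own.

```python
"""Private-network path check for the EDS endpoint (added example, not Alibaba Cloud code).

Resolves the EDS domain name from Step 2 and reports whether every returned
address lies inside one of the Local Network CIDR blocks from Step 1. The
assumption, drawn from the Local Network description, is that only those
blocks are reached through the SSL-VPN tunnel. classify() is pure and is fed
constructed addresses in the demo; resolve() performs the live lookup.
"""
import ipaddress
import socket
from typing import List, Tuple

EDS_ENDPOINT = "ecd-vpc.cn-hangzhou.aliyuncs.com"   # domain name tested with nslookup in Step 2
LOCAL_NETWORKS = ["172.16.111.0/24", "192.168.0.0/16", "100.64.0.0/10"]  # Local Network values from Step 1


def resolve(hostname: str) -> List[str]:
    """Return the IPv4 addresses a name resolves to, or [] when resolution fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses: List[str], local_networks: List[str]) -> Tuple[str, str]:
    """Map resolved addresses to a status: no-resolution, outside-tunnel or ok."""
    if not addresses:
        return ("no-resolution",
                "no address returned: configure the DNS server settings as described in Step 2")
    nets = [ipaddress.IPv4Network(c) for c in local_networks]
    outside = [a for a in addresses
               if not any(ipaddress.IPv4Address(a) in n for n in nets)]
    if outside:
        return ("outside-tunnel",
                f"{', '.join(outside)} not covered by local networks {', '.join(local_networks)}: "
                "traffic would bypass the SSL-VPN tunnel; check the Local Network setting")
    return ("ok", f"{', '.join(addresses)} reachable through the tunnel")


def check_eds_path(hostname: str = EDS_ENDPOINT,
                   local_networks: List[str] = LOCAL_NETWORKS) -> Tuple[str, str]:
    """Live check: resolve the endpoint and classify the result."""
    return classify(resolve(hostname), local_networks)


if __name__ == "__main__":
    # Constructed addresses (not real lookups): one inside 100.64.0.0/10, one from TEST-NET-3.
    for sample in ([], ["100.65.0.10"], ["100.65.0.10", "203.0.113.7"]):
        print(sample, "->", classify(sample, LOCAL_NETWORKS))
    print("live:", check_eds_path())
```

Run the live check with the tunnel up: "no-resolution" points at the DNS server settings in Step 2, "outside-tunnel" points at the Local Network row of the SSL server table, and "ok" means a remaining timeout is not a name-resolution or routing problem on the client side.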