Use SSL-VPN to access cloud desktops from an Alibaba Cloud Workspace client over a private network - Elastic Desktop Service

SSL-VPN is a virtual private network (VPN) that is created by using the Secure Sockets Layer (SSL) protocol based on OpenVPN. After you deploy the required resources, you need to load the SSL client certificate on OpenVPN and initiate an SSL-VPN connection between OpenVPN and a virtual private cloud (VPC). Then, you can access applications and services that use the VPC from OpenVPN. This topic describes how to use SSL-VPN to connect to the secure office network of a cloud desktop in Elastic Desktop Service (EDS) by using OpenVPN on an on-premises device. In this case, you can connect to the cloud desktop over a private network from an Alibaba Cloud Workspace client.

Preparations

Before you get started, read Access a cloud desktop over a private network and make sure that the following preparations are complete.

A Cloud Enterprise Network (CEN) instance is available. If you do not have a CEN instance, create a CEN instance before you proceed. For more information about specific operations, see Create a CEN instance.
A VPC is available. If you do not have an available VPC, you must create a VPC and attach it to a CEN instance. For more information about specific operations, see Create a VPC and a vSwitch or Manage network instances.
A workspace is available. If you do not have a valid workspace, create a convenience or an Active Directory (AD) workspace and attach the workspace VPC to the CEN instance. For more information about specific operations, see Create or delete a convenience workspace or Create and configure an AD workspace.
Important
- To prevent CIDR blocks from overlapping between a workspace and a CEN instance or a data center, plan the IPv4 CIDR block of the workspace before you create the workspace. For more information, see Create or delete a convenience workspace.
- If you use a workspace of the convenience account type, you can attach the workspace VPC to the CEN instance on the Secure Office Network page in the Elastic Desktop Service (EDS) console.
- If the AD system of an enterprise is deployed on an Elastic Compute Service (ECS) instance, you must attach the VPC that is used by the AD server to the CEN instance. If the AD system of an enterprise is deployed on an on-premises server, you must establish network connectivity between on-premises and off-premises networks before EDS can connect to the AD system of the enterprise. You can create a workspace of the enterprise AD account type and configure an AD domain after the on-premises and off-premises networks are connected.
A user is created, and a cloud desktop is assigned to the user.
- For more information about how to create a user, see Create a convenience user or Create and configure an AD workspace.
- For more information about how to create and assign a cloud desktop, see Create a cloud desktop or Assign cloud desktops to end users.
A device to install OpenVPN and an Alibaba Cloud Workspace client in Elastic Desktop Service (EDS) is available. Make sure that both OpenVPN and the Alibaba Cloud Workspace client in Elastic Desktop Service (EDS) are installed on the same device.
Note
- SSL-VPN is suitable for the Windows client or macOS client of Alibaba Cloud Workspace.
- To check whether you can connect to a cloud desktop in Elastic Desktop Service (EDS) over private networks, you must log on to the client. You can log on to the following clients: Windows client, macOS client, iOS client, Android client, or Web client. Then, you can connect to the cloud desktop in Elastic Desktop Service (EDS) over the enterprise private network.

Step 1: Configure SSL-VPN

When you configure SSL-VPN, you must create a VPN gateway, create an SSL server, publish the CIDR block of the Alibaba Cloud Workspace client to CEN, and then create an SSL client certificate.

Create a VPN gateway and enable SSL-VPN. For more information about specific operations, see Create a VPN gateway.

The following table describes the related parameters.


Parameter	Description	Example
Name	Enter a name for the VPN gateway.	test-vpn
Region	Select the region where you want to deploy the VPN gateway. The VPN gateway must be deployed in the same region as the VPC that you want to associate with the VPN gateway.	China (Hangzhou)
Network Type	Select the network type of the VPN gateway. Public: The VPN gateway can be used to establish VPN connections over the Internet. Private: The VPN gateway can be used to establish VPN connections over private networks.	Internet
VPC	Select the VPC with which you want to associate the VPN gateway.	test-vpc
Specify VSwitch	Specify whether you want to associate the VPN gateway with a specified vSwitch. No: does not associate the VPN gateway with a specified vSwitch. If you select No, the VPN gateway is associated with a random vSwitch of the VPC. Yes: associates the VPN gateway with a specified vSwitch. If you select Yes, the VPN gateway is associated with the specified vSwitch of the VPC.	No
Maximum Bandwidth	Specify a maximum bandwidth for the VPN gateway. Unit: Mbit/s.	200 Mbit/s
Traffic	Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.	Pay-by-data-transfer
IPsec-VPN	Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. You can use IPsec-VPN to establish a secure connection between a data center and a VPC or between two VPCs.	Disable
SSL-VPN	Specify whether to enable SSL-VPN. Default value: Disable. SSL-VPN allows you to establish secure connections between clients and servers without the need to configure customer gateways. For example, you can establish SSL-VPN connections between Linux clients and VPCs.	Enable
SSL Connections	Select the maximum number of concurrent SSL-VPN connections for the VPN gateway. Note This parameter is valid only after you enable SSL-VPN.	5
Duration	Specify the billing cycle. Default value: By Hour.	1 Month
Service-linked roles	Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, it indicates that the service-linked role is created, and you do not need to create it again.	N/A

Creates an SSL server. For more information about specific operations, see Create an SSL server.

The following table describes the related parameters.


Parameter	Description	Example
Name	Enter a name for the SSL server. The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.	test-ssl
VPN Gateway	Select the VPN gateway that you want to associate with the SSL server. Make sure that SSL-VPN is enabled for the VPN gateway.	test-vpn
Local Network	Enter the local CIDR block that your client needs to access by using the SSL-VPN connection. The local CIDR block can be the CIDR block of a VPC, a vSwitch, a cloud service, such as Object Storage Service (OSS), a database service, or a data center that is connected by using a VPC and an Express Connect circuit. Click Add Local Network to add more local CIDR blocks. Note The subnet mask of the specified local CIDR block must be 8 to 32 bits in length.	You need to add the following CIDR blocks: CIDR block of the workspace VPC: 172.16.111.0/24 CIDR block of the user VPC: 192.168.0.0/16 The CIDR block of the DNS network in the VPC and the CIDR block of the Alibaba Cloud OpenAPI that can be accessed from the internal network. Both of the CIDR blocks are fixed as 100.64.0.0/10.
Client Subnet	Enter the CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client. When the client accesses the destination network by using an SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client. Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway. Important The subnet mask of the client CIDR block must be 16 to 29 bits in length. Make sure that the local CIDR block and the client CIDR block do not overlap with each other. We recommend that you use the 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. This way, the VPC can access the public CIDR block. For more information about user CIDR blocks, see What is a user CIDR block? and How do I configure a user CIDR block?.	10.10.111.0/24
Advanced Configuration	In the Advanced Configuration section, you can configure advanced settings, such as protocols and encryption algorithms.	You can use default values.

Publish the client CIDR block that is specified on the SSL-VPN server to CEN.
1. In the left-side navigation pane, click Route Tables.
2. On the Route Tables page, find the VPC to which you want to connect and click the ID of the route table instance that uses the VPC.
3. On the Route Entry List tab, click the Custom Route tab.
4. Find the client CIDR block that is configured in the SSL-VPN server settings and click Publish.
  If Published is displayed in the CEN Status column, the CIDR block is advertised.
Creates an SSL client certificate. For more information about specific operations, see Create an SSL client certificate.
On the SSL Clients page, find the SSL client certificate that you want to download and click Download in the Actions column.
The SSL client certificate is downloaded to your local computer and is used when you configure the OpenVPN client in the following steps.

Step 2: Configure networks on your local computer for private network connection

You must install OpenVPN on a local computer and log on to OpenVPN. After you configure DNS server settings on your local computer, you can connect to your cloud desktop from the Alibaba Cloud Workspace client with a few clicks. The following section describes how to configure the DNS server settings.

Install OpenVPN on your local computer.
We recommend that you use OpenVPN to connect to a VPC. The following section describes how to install OpenVPN on a local computer that runs Windows or macOS.
- Windows
  1. Click Download OpenVPN.
  2. Install OpenVPN.
  3. Decompress the package of the SSL client certificate that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.
    Important Copy the certificate to the corresponding directory in which OpenVPN is installed. For example, if OpenVPN is installed in the C:\Program Files\OpenVPN directory, you must decompress the certificate package, and then copy the certificate to the C:\Program Files\OpenVPN\config directory.
- macOS
  1. Run the following command to install OpenVPN:
    brew install openvpn
    You must install Homebrew before you perform the following operations.
  2. Decompress the package of the SSL client certificate and copy the certificate to the \config directory of OpenVPN.
Launch OpenVPN on your local computer and initiate a connection.
- Windows: Launch OpenVPN and initiate a connection.
- macOS: Run the following command to initiate a connection:
```
sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
```
Configure DNS server settings on your local computer.
Before you configure DNS server settings, you can run the following command to test whether the EDS domain name can be resolved.
```
nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
```
If an IP address is returned, the domain name can be resolved as expected and you can skip this step. If no IP address is returned, perform the following steps to configure DNS:
1. Specify 100.100.2.136 or 100.100.2.138 as the IP address of the DNS server.
  In this example, a computer that runs Windows 10 is used.
  1. Go to Control Panel and open Network and Sharing Center.
  2. In the left-side navigation pane, click Change adapter settings.
  3. Right-click the network adapter that corresponds to OpenVPN and select Properties.
  4. In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).
  5. In the dialog box that appears, specify a DNS server that you want to manage.
    You can set the Preferred DNS server parameter to 100.100.2.136 and the Alternative DNS server parameter to 100.100.2.138.
2. Run the following command to check whether the DNS server settings take effect.
```
nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
```

Step 3: Check whether a cloud desktop can be connected over a private network

SSL-VPN is suitable for the Windows client or macOS client of Alibaba Cloud Workspace.

Note The following section describes how to verify the desktop connection over a private network. In this example, a Windows client of Alibaba Cloud Workspace V5.2.0 is used as an example to connect a cloud desktop. Select an appropriate type of client and connect to a cloud desktop based on your business requirements.

Obtain the required information, such as the workspace ID, account, and password, to log on to the client based on the email to connect to a cloud desktop in Elastic Desktop Service (EDS).
1. Double-click the Alibaba Cloud Workspace client before you connect to a cloud desktop in Elastic Desktop Service (EDS).
2. Enter the workspace ID as prompted.
  Important If you log on to the client by using the ID of a workspace, you can select Alibaba Cloud VPC.
3. Click Connection Type, select Alibaba Cloud VPC, and then click Confirm.
4. Click Next.
5. Enter the account and password as prompted, and then click Next.
Connect to a cloud desktop.
After you log on to the client, the cloud desktops that belong to the workspace in Elastic Desktop Service (EDS) are displayed as desktop cards. Find the desired cloud desktop and click Connect Desktop. After the cloud desktop is connected, you can view and use the cloud desktop.
Important If a network request timeout error occurs, the network is unavailable. Check whether the configurations are valid. Then, log on to the client again and connect to the cloud desktop.