This topic describes how to connect a macOS client to a virtual private cloud (VPC) through SSL-VPN connections.

Prerequisites

Before you start, make sure that the following requirements are met:

  • A VPC is created.
  • The CIDR block of the VPC must be different from that of the on-premises device.
  • Your client can access the Internet.

Step 1: Create a VPN gateway

Perform the following operations to create a VPN gateway:

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, set the following parameters, click Buy Now, and complete the payment.
    • Name: Enter a name for the VPN gateway.

      The name must be 2 to 128 characters in length, and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPN gateway and the VPC are deployed in the same region.
    • VPC: Select the VPC to be associated with the VPN gateway.
    • Specify vSwitch: Specify whether to create the VPN gateway in a vSwitch of the VPC. No is selected in this example.

      If you select Yes, you must also specify a vSwitch.

    • Peak Bandwidth: Specify a maximum bandwidth value for the VPN gateway. The bandwidth is used for data transfer over the Internet.
    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway. After IPsec-VPN is enabled, you can establish IPsec-VPN connections between a data center and a VPC, or between different VPCs.
    • SSL-VPN: Specify whether to enable SSL-VPN for the VPN gateway. The SSL-VPN feature allows you to connect to a VPC from a client regardless of the location.
    • SSL Connections: Specify the maximum number of concurrent SSL-VPN connections that the VPN gateway supports.
      Note You can set this parameter only after SSL-VPN is enabled.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  5. Return to the VPN Gateways page to view the VPN gateway.
    The newly created VPN gateway is in the Preparing state. Its state changes to Normal after about 2 minutes. If the state of the VPN gateway is Normal, it indicates that the VPN gateway is initialized and ready for use.
    Note It takes about 1 to 5 minutes to create a VPN gateway.

Step 2: Create an SSL server

Perform the following steps to create an SSL server:

  1. In the left navigation pane, choose VPN > SSL Servers.
  2. In the top navigation bar, select the region where you want to create the SSL server.
  3. On the SSL Servers page, click Create SSL Server.
  4. In the Create SSL Server panel, set the following parameters for the SSL server, and click OK.
    • Name: Enter a name for the SSL server.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • VPN Gateway: Select a VPN gateway from the drop-down list.
    • Local Network: Enter the CIDR block of the network to which you want to connect. Click Add Local Network to add more CIDR blocks. You can add the CIDR block of a VPC, a vSwitch, and an on-premises network.
    • Client Subnet: Enter the CIDR block of the client. The client connects to the SSL server from the specified CIDR block.
      Notice
      • Make sure that the server CIDR block and the client CIDR block do not overlap with each other.
      • Make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

        For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a /30 subnet out of 192.168.0.0/24; in this example that subnet is 192.168.0.4/30, which provides four IP addresses. The system allocates one of those addresses to the client and uses the other three to maintain network communication, so each client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to every client, the client CIDR block must provide at least four times as many IP addresses as there are SSL-VPN connections.

    • Advanced Configuration: Use default advanced configurations.
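As an added worked example (not part of the original topic), the following Python script applies the two Notice rules for the Client Subnet parameter: it checks that the client CIDR block does not overlap any local network, checks that it provides at least four addresses per SSL-VPN connection, and reports the smallest block that would. The per-connection /30 split follows the description above; the function names and the sample CIDR blocks are this example's own.

```python
import ipaddress

# Each SSL-VPN connection is carved out of the client CIDR block as a /30 (four
# addresses), of which the client receives one; this is the "four times" rule.
ADDRESSES_PER_CONNECTION = 4


def per_client_blocks(client_subnet):
    """The /30 blocks the client CIDR block can be divided into, as strings."""
    net = ipaddress.ip_network(client_subnet, strict=False)
    if net.prefixlen > 30:  # a /31 or /32 cannot hold even one /30
        return []
    return [str(block) for block in net.subnets(new_prefix=30)]


def max_connections(client_subnet):
    """Largest number of concurrent connections the client CIDR block can serve."""
    net = ipaddress.ip_network(client_subnet, strict=False)
    return net.num_addresses // ADDRESSES_PER_CONNECTION


def smallest_prefix_for(ssl_connections):
    """Longest prefix length (smallest block) that still provides 4 * ssl_connections addresses."""
    if ssl_connections < 1:
        raise ValueError("at least one SSL-VPN connection is required")
    needed = ADDRESSES_PER_CONNECTION * ssl_connections
    return 32 - (needed - 1).bit_length()


def check_client_subnet(client_subnet, local_networks, ssl_connections):
    """Return a list of problems; an empty list means the SSL server parameters are consistent."""
    problems = []
    client = ipaddress.ip_network(client_subnet, strict=False)
    # Rule 1: the client CIDR block must not overlap any local network (VPC, vSwitch, on-premises).
    for cidr in local_networks:
        local = ipaddress.ip_network(cidr, strict=False)
        if client.overlaps(local):
            problems.append(f"client subnet {client} overlaps local network {local}")
    # Rule 2: four addresses per connection.
    capacity = max_connections(client_subnet)
    if capacity < ssl_connections:
        problems.append(
            f"client subnet {client} serves at most {capacity} connections, "
            f"{ssl_connections} requested; use a /{smallest_prefix_for(ssl_connections)} or larger"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: a VPC of 172.16.0.0/16, a client block of 192.168.0.0/24, 64 connections.
    sample_locals = ["172.16.0.0/16"]
    for subnet, count in (("192.168.0.0/24", 64), ("192.168.0.0/24", 100), ("172.16.8.0/24", 10)):
        result = check_client_subnet(subnet, sample_locals, count)
        print(subnet, count, "OK" if not result else result)
```

Run it with no arguments to see the three constructed cases; a /24 serves exactly 64 connections, 100 connections need at least a /23, and a client block inside the VPC range is rejected as an overlap.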

Step 3: Create and download an SSL client certificate

  1. In the left navigation pane, choose VPN > SSL Clients.
  2. In the top navigation bar, select the region where the SSL client is deployed.
  3. On the SSL Clients page, click Create Client Certificate.
  4. In the Create Client Certificate panel, enter a name for the SSL client certificate, select an SSL server, and then click OK.
  5. On the SSL Clients page, find the SSL client certificate and click Download in the Actions column.

    The SSL client certificate is downloaded to your on-premises device.

Step 4: Configure the client

Perform the following steps to configure the macOS client:

  1. Run the following command to install the OpenVPN client:
    brew install openvpn
    Note Make sure that Homebrew is installed before you install OpenVPN.
  2. Extract the certificate that you downloaded in Step 3 and copy it to the directory where the OpenVPN client is installed. Then, initiate an SSL-VPN connection.
    1. Back up the default configuration file.
    2. Run the following command to delete the default configuration file:
      rm /usr/local/etc/openvpn/*
    3. Run the following command to copy the file to the configuration directory:
      cp cert_location /usr/local/etc/openvpn/

      In the preceding command, replace cert_location with the path of the certificate package that you downloaded in Step 3. For example: /Users/example/Downloads/certs6.zip.

    4. Run the following command to decompress the SSL client certificate package:
      cd /usr/local/etc/openvpn/
      unzip /usr/local/etc/openvpn/certs6.zip
    5. Run the following command to initiate a connection:
      sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
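The sub-steps above as one script, added here as an example and not taken from the page or from OpenVPN: it backs up and empties the configuration directory, unpacks the certificate package while refusing archive entries that would land outside that directory, checks that config.ovpn and the files it references are present, tightens the permissions of the client key, and prints the openvpn command to run. The paths are the Homebrew paths from the page; the list of file-referencing directives and the sample bundle produced by build_sample_bundle are assumptions of this example.

```python
import datetime
import shutil
import zipfile
from pathlib import Path

# Paths from the page's Homebrew layout; adjust them if OpenVPN is installed elsewhere.
CONFIG_DIR = Path("/usr/local/etc/openvpn")
OPENVPN_BIN = Path("/usr/local/opt/openvpn/sbin/openvpn")
# OpenVPN directives whose single argument names a file expected beside config.ovpn
# (assumed here; a bundle may instead inline the material in <ca>/<cert>/<key> blocks).
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def backup_and_clear(config_dir):
    """Sub-steps 1 and 2: copy the directory to a timestamped sibling, then empty it."""
    config_dir.mkdir(parents=True, exist_ok=True)
    if not any(config_dir.iterdir()):
        return None
    stamp = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
    backup = config_dir.with_name(f"{config_dir.name}.bak-{stamp}")
    shutil.copytree(config_dir, backup)
    for entry in config_dir.iterdir():
        shutil.rmtree(entry) if entry.is_dir() else entry.unlink()
    return backup


def safe_extract(bundle_zip, config_dir):
    """Sub-steps 3 and 4: unpack the bundle, refusing entries that would land outside config_dir."""
    root = Path(config_dir).resolve()
    with zipfile.ZipFile(bundle_zip) as zf:
        names = zf.namelist()
        for name in names:
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"zip entry escapes {root}: {name!r}")
        zf.extractall(root)
    return names


def file_directives(ovpn):
    """(directive, filename) pairs from config.ovpn whose argument should be a local file."""
    pairs = []
    for line in Path(ovpn).read_text().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FILE_DIRECTIVES:
            pairs.append((parts[0], parts[1]))
    return pairs


def stage_client_bundle(bundle_zip, config_dir=CONFIG_DIR):
    """Run sub-steps 1 to 4 and return the path of config.ovpn; raise if the bundle is unusable."""
    bundle_zip, config_dir = Path(bundle_zip), Path(config_dir)
    backup_and_clear(config_dir)
    safe_extract(bundle_zip, config_dir)
    ovpn = config_dir / "config.ovpn"
    if not ovpn.is_file():
        raise FileNotFoundError(f"{bundle_zip} does not contain config.ovpn")
    missing = [name for _, name in file_directives(ovpn) if not (config_dir / name).is_file()]
    if missing:
        raise FileNotFoundError(f"config.ovpn references files missing from the bundle: {missing}")
    # The client private key should not be readable by other local users.
    for directive, name in file_directives(ovpn):
        if directive == "key":
            (config_dir / name).chmod(0o600)
    return ovpn


def connect_command(ovpn):
    """argv for sub-step 5; run it with subprocess.run(connect_command(ovpn), check=True)."""
    return ["sudo", str(OPENVPN_BIN), "--config", str(ovpn)]


def build_sample_bundle(path):
    """Constructed stand-in for certs6.zip so the script can be exercised without a real download."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("config.ovpn",
                    "client\nremote vpn.example.invalid 1194\nca ca.crt\ncert client.crt\nkey client.key\n")
        for name in ("ca.crt", "client.crt", "client.key"):
            zf.writestr(name, f"constructed placeholder for {name}\n")
    return Path(path)


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:  # real use: python stage.py ~/Downloads/certs6.zip
        ovpn_path = stage_client_bundle(sys.argv[1])
    else:  # demo: stage a constructed bundle inside a temporary directory
        work = Path(tempfile.mkdtemp())
        ovpn_path = stage_client_bundle(build_sample_bundle(work / "certs6.zip"), work / "openvpn")
    print(" ".join(connect_command(ovpn_path)))
```

Without arguments the script stages the constructed bundle in a temporary directory and prints the command; with the path of the downloaded certs6.zip it performs the real sub-steps 1 to 4 under /usr/local/etc/openvpn, after which the printed sudo command is sub-step 5.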

Step 5: Test the connectivity

Run the ping command to test the connectivity between the client and an Elastic Compute Service (ECS) instance in the VPC.
Note Make sure that the security group rules of the ECS instance allow remote access from Linux clients. For more information, see Scenarios for security groups and Configuration guide for ECS security groups.