This topic describes how to establish SSL-VPN connections between Alibaba Cloud classic networks and clients that run Linux, macOS, or Windows. These clients can access resources in Alibaba Cloud classic networks over SSL-VPN connections.

Scenarios

The following scenario is used as an example. You must first establish SSL-VPN connections between the clients and a virtual private cloud (VPC). Then, use the ClassicLink feature of the VPC to connect a classic network to the VPC. This way, the clients are connected to the classic network over the VPC.


Procedure

Note If SSL-VPN is already configured, you can connect the clients to the classic network by establishing ClassicLink connections between the VPC and Elastic Compute Service (ECS) instances in the classic network. For more information, see Step 5: Establish a ClassicLink connection.

Prerequisites

  • A VPC is created. For more information, see Create an IPv4 VPC.
    The CIDR block of the VPC must meet the following requirements, which depend on which CIDR block the VPC uses.
    • 172.16.0.0/12: The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
    • 10.0.0.0/8:
      • The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
      • Make sure that the CIDR block of the vSwitch that communicates with the ECS instances in the classic network is within 10.111.0.0/16.
    • 192.168.0.0/16:
      • The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
      • Add a custom route entry on the ECS instance that is deployed in the classic network. The destination CIDR block of the route entry is 192.168.0.0/16 and the next hop is the private network interface controller (NIC). You can add the route by using the provided script. Download routing script.
        Note Before you run the script, read the readme.txt file.
  • The private CIDR block of the data center that needs to communicate with the classic network must fall within the CIDR block of the VPC and cannot conflict with the CIDR blocks of vSwitches in the VPC. Otherwise, the data center and the VPC cannot communicate with each other.

Step 1: Create a VPN gateway

Before you can use SSL-VPN, you must first create a VPN gateway. After you create a VPN gateway, a public IP address is assigned to the VPN gateway.

  1. Log on to the VPN Gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the VPN Gateway page, set the following parameters, click Buy Now, and then complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: The region where you want to create the VPN gateway.
      Note The VPN gateway and the VPC must belong to the same region.
    • Gateway Type: Select a type for the VPN gateway. In this example, Standard is selected.
    • Network Type: Select a network type for the VPN gateway. In this example, Public is selected.
    • VPC: Select the VPC where you want to create the VPN gateway.
    • Specify VSwitch: Specify whether to select a vSwitch for the VPN gateway. In this example, No is selected.
    • Maximum Bandwidth: Specify a maximum bandwidth value for the VPN gateway. The bandwidth is used to limit the data transfer rate over the Internet.
    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable the IPsec-VPN feature. In this example, Disable is selected.
    • SSL-VPN: Specify whether to enable the SSL-VPN feature. In this example, Enable is selected.
    • SSL Connections: Select the maximum number of concurrent SSL connections that the VPN gateway supports.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
    • Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.
      For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn.
      If Created is displayed, the service-linked role is created and you do not need to create it again.

  4. Return to the VPN Gateways page to view the VPN gateway that you created.
    It takes about 1 to 5 minutes to create a VPN gateway. A newly created VPN gateway is in the Preparing state. After about 2 minutes, it enters the Normal state. The Normal state indicates that the VPN gateway is initialized and ready for use.

Step 2: Create an SSL server

After you create a VPN gateway, you must create an SSL server. The SSL server is used to establish an SSL-VPN connection.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  2. In the top navigation bar, select the region of the SSL server.
  3. On the SSL Server page, click Create SSL Server.
  4. In the Create SSL Server panel, set the following parameters and click OK.
    • Name: Enter a name for the SSL server.
    • VPN Gateway: In this example, the VPN gateway that is created in Step 1 is selected.
    • Local Network: Enter the private CIDR block of the ECS instance that is deployed in the classic network that you want to access. Click Add Local Network to add more CIDR blocks.
      In this example, 10.1.0.0/16 and 10.2.0.0/16 are entered.
      Note If the IP address of an ECS instance does not fall within the specified private CIDR blocks, you must add the private CIDR block to which the IP address of the ECS instance belongs.
    • Client Subnet: Enter the CIDR block that is used by the client to connect to the SSL server. The system assigns an IP address from the CIDR block to the client. The client uses the IP address to access resources in the VPC. The client CIDR block must fall within the CIDR block of the VPC to which the VPN gateway belongs.
      In this example, 172.16.10.0/24 is entered.
    • Advanced Configuration: In this example, the default settings are used.
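The CIDR limits in the prerequisites and the Client Subnet rule above are easy to get wrong by hand. The following check is an added example (not Alibaba Cloud's own code) that applies those rules with the standard library: it looks up which prerequisites row the VPC falls under, rejects a custom route to 10.0.0.0/8, enforces the 10.111.0.0/16 vSwitch limit for the 10.0.0.0/8 row, and confirms the client subnet is inside the VPC without colliding with a vSwitch. The VPC and vSwitch values in the sample call are constructed; only 172.16.10.0/24 comes from this page.

```python
from ipaddress import ip_network

# Rows of the prerequisites table: the VPC CIDR blocks this page covers.
VPC_BLOCKS = [ip_network(c) for c in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]
FORBIDDEN_ROUTE = ip_network("10.0.0.0/8")          # no custom route entry to this block
CLASSIC_VSWITCH_RANGE = ip_network("10.111.0.0/16")  # applies to the 10.0.0.0/8 row only

def check_plan(vpc_cidr, vswitch_cidrs, custom_route_dsts, client_subnet):
    """Return a list of problems; an empty list means the plan satisfies the page's limits.

    vswitch_cidrs: vSwitches that must reach the classic-network ECS instances.
    custom_route_dsts: destination CIDR blocks of custom route entries in the VPC.
    client_subnet: the Client Subnet entered when creating the SSL server.
    """
    vpc = ip_network(vpc_cidr)
    vswitches = [ip_network(c) for c in vswitch_cidrs]
    routes = [ip_network(d) for d in custom_route_dsts]
    client = ip_network(client_subnet)
    problems = []

    row = next((b for b in VPC_BLOCKS if vpc.subnet_of(b)), None)
    if row is None:
        problems.append(f"VPC {vpc} is not inside any CIDR block listed in the prerequisites")
    if FORBIDDEN_ROUTE in routes:
        problems.append(f"custom route entry to {FORBIDDEN_ROUTE} is not allowed")
    if row == ip_network("10.0.0.0/8"):
        for sw in vswitches:
            if not sw.subnet_of(CLASSIC_VSWITCH_RANGE):
                problems.append(f"vSwitch {sw} must be within {CLASSIC_VSWITCH_RANGE}")
    # The 192.168.0.0/16 row additionally needs the route on the classic ECS
    # instance itself (the routing script); that cannot be checked from here.

    # Client subnet: inside the VPC, but not colliding with any vSwitch.
    if not client.subnet_of(vpc):
        problems.append(f"client subnet {client} is outside VPC {vpc}")
    for sw in vswitches:
        if client.overlaps(sw):
            problems.append(f"client subnet {client} overlaps vSwitch {sw}")
    return problems

if __name__ == "__main__":
    # Constructed VPC and vSwitch around the page's example client subnet.
    for p in check_plan("172.16.0.0/12", ["172.16.1.0/24"], [], "172.16.10.0/24"):
        print(p)
```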

Step 3: Create an SSL client certificate

After you create an SSL server, you must create an SSL client certificate based on the configuration of the SSL server.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.
  2. On the SSL Client page, click Create Client Certificate.
  3. In the Create Client Certificate panel, enter a name for the SSL client certificate, select an SSL server, and then click OK.
  4. On the SSL Client page, find the client certificate that you created and click Download in the Actions column to download the client certificate.

Step 4: Configure the clients

After you download the SSL client certificate, you must install the client certificate on the client. After you install the certificate, the client can connect to the VPN gateway over an SSL-VPN connection. The following section describes how to configure Linux, macOS, and Windows clients.

Configure a Linux client

  1. Run the following command to install OpenVPN:
    yum install -y openvpn
  2. Extract and copy the SSL client certificate to the /etc/openvpn/conf/ directory.
  3. Run the following command to start OpenVPN:
    openvpn --config /etc/openvpn/conf/config.ovpn --daemon

Configure a macOS client

  1. Open the command-line interface (CLI).
  2. If Homebrew is not installed on your client, run the following command to install Homebrew:
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  3. Run the following command to install OpenVPN:
    brew install openvpn
  4. Copy the SSL client certificate package that you downloaded to the configuration directory of OpenVPN and decompress the package.
    1. Back up all configuration files in the /usr/local/etc/openvpn folder.
    2. Run the following command to delete the configuration files of OpenVPN:
      rm /usr/local/etc/openvpn/*
    3. Run the following command to copy the SSL client certificate package to the /usr/local/etc/openvpn/ directory.
      cp cert_location /usr/local/etc/openvpn/

      In the preceding command, replace cert_location with the directory of the SSL client certificate, for example, /Users/example/Downloads/certs6.zip.

  5. Run the following command to decompress the package:
    cd /usr/local/etc/openvpn/
    unzip /usr/local/etc/openvpn/certs6.zip
  6. Run the following command to establish an SSL-VPN connection:
    sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
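The downloaded package contains the client's private key, so it is worth checking the extracted directory (/etc/openvpn/conf/ on Linux, /usr/local/etc/openvpn/ on macOS) before starting the daemon. The following pre-flight check is an added example, not part of this page or of OpenVPN: it reads config.ovpn for the remote line and the ca/cert/key file directives, confirms each referenced file is present, and flags a key file that other users can read. The bundle contents, file names and the 203.0.113.10 address in the sample are constructed placeholders; the real names come from the downloaded certificate package.

```python
import tempfile
from pathlib import Path
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt")  # files named in config.ovpn
SECRET_DIRECTIVES = ("key", "tls-auth", "tls-crypt")              # must not be group/world readable

def parse_ovpn(text):
    """Map each interesting directive to its first argument (first occurrence wins)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] in FILE_DIRECTIVES + ("remote",) and len(parts) > 1:
            found.setdefault(parts[0], parts[1])
    return found

def preflight(conf_dir, config_name="config.ovpn"):
    """Return problems found in an extracted bundle; [] means ready for openvpn --config."""
    conf_dir = Path(conf_dir)
    config_path = conf_dir / config_name
    if not config_path.is_file():
        return [f"{config_path} not found; extract the downloaded bundle into {conf_dir}"]
    directives = parse_ovpn(config_path.read_text())
    problems = []
    if "remote" not in directives:
        problems.append("no remote line: the VPN gateway address is missing")
    for name in FILE_DIRECTIVES:
        if name not in directives:
            continue
        # Relative names are resolved against conf_dir (the macOS steps cd there first).
        path = conf_dir / directives[name]
        if not path.is_file():
            problems.append(f"{name} file {path} is missing")
        elif name in SECRET_DIRECTIVES and path.stat().st_mode & 0o077:
            problems.append(f"{path} is readable by group/others; chmod 600 it")
    return problems
# Constructed sample bundle; 203.0.113.10 is a placeholder, not a real gateway.
SAMPLE_CONFIG = "client\ndev tun\nremote 203.0.113.10 1194\nca ca.crt\ncert client.crt\nkey client.key\n"
SAMPLE_FILES = {"config.ovpn": SAMPLE_CONFIG, "ca.crt": "x", "client.crt": "x", "client.key": "x"}
def make_sample_bundle(key_mode=0o600, drop=None):
    """Write the constructed bundle to a temp dir, omitting the file named by `drop`."""
    d = Path(tempfile.mkdtemp())
    for name, body in SAMPLE_FILES.items():
        if name != drop:
            (d / name).write_text(body)
    if drop != "client.key":
        (d / "client.key").chmod(key_mode)
    return d
```

Run preflight("/etc/openvpn/conf") (or the macOS directory) and fix anything it reports before the openvpn --config command above.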

Configure a Windows client

  1. Download and install OpenVPN.
  2. Extract the SSL client certificate package and copy its contents to the OpenVPN\config directory.
  3. Start OpenVPN and click Connect to initiate a connection.

Step 5: Establish a ClassicLink connection

VPC provides the ClassicLink feature. This feature allows ECS instances in a classic network to communicate with cloud resources in a VPC.

  1. Enable ClassicLink.
    1. Log on to the VPC console.
    2. In the top navigation bar, select the region where the VPC is deployed.
    3. On the VPCs page, find the VPC that you want to manage and click its ID.
    4. In the upper-right corner of the VPC details page, click Enable ClassicLink.
    5. In the Enable ClassicLink message, click OK.
      After ClassicLink is enabled, the status of ClassicLink in the VPC Details section changes to Enabled.
  2. Log on to the ECS console.
  3. In the left-side navigation pane, choose Instances & Images > Instances.
  4. Select the region where the ECS instance that you want to manage is deployed.
  5. Connect the ECS instance to the VPC.
    1. On the Instances page, find the ECS instance that you want to manage and choose More > Network and Security Group > Set classic link in the Actions column.
    2. In the Connect to VPC dialog box, select a VPC and click OK.
  6. Configure a security group rule for ClassicLink.
    1. Click Go to the instance security group list and add ClassicLink rules, and click Add ClassicLink Rule.
    2. In the Add ClassicLink Rule dialog box, set the following parameters and click OK.
      • Classic Security Group: Displays the name of the security group of the classic network.
      • Select VPC Security Group: Select a security group of the VPC.
      • Authorization Method: Select one of the following authorization methods:
        • Classic <=> VPC: allows the ECS instance in the classic network and cloud resources in the VPC to access each other. This method is recommended.
        • Classic => VPC: allows the ECS instance in the classic network to access cloud resources in the VPC.
        • VPC => Classic: allows the cloud resources in the VPC to access the ECS instance in the classic network.
      • Protocol Type: Select the protocol for communication.
      • Port Range: Specify the ports that are used for communication. Specify the ports in the xx/xx format. For example, to specify port 80, enter 80/80.
      • Priority: Specify a priority for the rule. A smaller value specifies a higher priority.
      • Description: Enter a description for the security group.
  7. Go back to the ECS console, and click the Column Filters icon in the upper-right corner. In the dialog box that appears, select Link Status, and click OK to view the connection status of the ECS instance.
    Figure 1. Column Filters
    Figure 2. Connection Status
    Figure 3. Connection Status
    After you complete the preceding configurations, your client can access the applications deployed on the ECS instance in the classic network.