This topic describes how to establish SSL-VPN connections between Alibaba Cloud classic
networks and clients that run Linux, macOS, or Windows. These clients can access resources
in Alibaba Cloud classic networks over SSL-VPN connections.
Scenarios
The following scenario is used as an example. You must first establish SSL-VPN connections
between the clients and a virtual private cloud (VPC). Then, use the ClassicLink feature
of the VPC to connect a classic network to the VPC. This way, the clients are connected
to the classic network over the VPC.
Procedure

Note If SSL-VPN is already configured, you can connect the clients to the classic network
by establishing ClassicLink connections between the VPC and Elastic Compute Service
(ECS) instances in the classic network. For more information, see
Step 5: Establish a ClassicLink connection.
Prerequisites
- A VPC is created. For more information, see Create an IPv4 VPC.
The CIDR block of the VPC must meet the requirements described in the following table.
VPC CIDR block | Limit
172.16.0.0/12 | The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8.
10.0.0.0/8 | (1) The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8. (2) The CIDR block of the vSwitch that communicates with the ECS instances in the classic network must fall within 10.111.0.0/16.
192.168.0.0/16 | (1) The VPC does not contain a custom route entry whose destination CIDR block is 10.0.0.0/8. (2) Add a custom route entry to the ECS instance that is deployed in the classic network: the destination CIDR block of the route entry is 192.168.0.0/16 and the next hop is the private network interface controller (NIC). You can add the route by using the provided script (Download routing script). Before you run the script, read the readme.txt file.
- The private CIDR block of the data center that needs to communicate with the classic
network must fall within the CIDR block of the VPC and cannot conflict with the CIDR
blocks of vSwitches in the VPC. Otherwise, the data center and the VPC cannot communicate
with each other.
Step 1: Create a VPN gateway
Before you can use SSL-VPN, you must first create a VPN gateway. After you create
a VPN gateway, a public IP address is assigned to the VPN gateway.
- Log on to the VPN Gateway console.
- On the VPN Gateways page, click Create VPN Gateway.
- On the VPN Gateway page, set the following parameters, click Buy Now, and then complete the payment.
Parameter | Description
Name | Enter a name for the VPN gateway.
Region | The region where you want to create the VPN gateway. Note The VPN gateway and the VPC must belong to the same region.
Gateway Type | Select a type for the VPN gateway. In this example, Standard is selected.
Network Type | Select a network type for the VPN gateway. In this example, Public is selected.
VPC | Select the VPC where you want to create the VPN gateway.
Specify VSwitch | Specify whether to select a vSwitch for the VPN gateway. In this example, No is selected.
Maximum Bandwidth | Specify a maximum bandwidth value for the VPN gateway. The bandwidth is used to limit the data transfer rate over the Internet.
Traffic | By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
IPsec-VPN | Specify whether to enable the IPsec-VPN feature. In this example, Disable is selected.
SSL-VPN | Specify whether to enable the SSL-VPN feature. In this example, Enable is selected.
SSL Connections | Select the maximum number of concurrent SSL connections that the VPN gateway supports.
Duration | By default, the VPN gateway is billed on an hourly basis.
Service-linked Role | Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn. For more information about how a VPN gateway assumes the role to access other cloud resources, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
- Return to the VPN Gateways page to view the VPN gateway that you created.
It takes about 1 to 5 minutes to create a VPN gateway. A newly created VPN gateway
is in the Preparing state. After about 2 minutes, it enters the Normal state. The
Normal state indicates that the VPN gateway is initialized and ready for use.
Step 2: Create an SSL server
After you create a VPN gateway, you must create an SSL server. The SSL server is used
to establish an SSL-VPN connection.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region of the SSL server.
- On the SSL Server page, click Create SSL Server.
- In the Create SSL Server panel, set the following parameters and click OK.
Parameter | Description
Name | Enter a name for the SSL server.
VPN Gateway | In this example, the VPN gateway that is created in Step 1 is selected.
Local Network | Enter the private CIDR block of the ECS instance that is deployed in the classic network that you want to access. Click Add Local Network to add more CIDR blocks. In this example, 10.1.0.0/16 and 10.2.0.0/16 are entered. Note If the IP address of an ECS instance does not fall within the specified private CIDR blocks, you must add the private CIDR block to which the IP address of the ECS instance belongs.
Client Subnet | Enter the CIDR block that is used by the client to connect to the SSL server. The system assigns an IP address from the CIDR block to the client. The client uses the IP address to access resources in the VPC. The client CIDR block must fall within the CIDR block of the VPC to which the VPN gateway belongs. In this example, 172.16.10.0/24 is entered.
Advanced Configuration | In this example, the default settings are used.
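The addressing rules spread across the prerequisites table and the Local Network and Client Subnet parameters above are easy to get wrong by hand, and a mistake only shows up as a connection that comes up but cannot reach the classic ECS instances. The following Python script is an added example, not part of the Alibaba Cloud documentation and not an Alibaba tool: it checks a planned layout against exactly those rules before anything is created. The function name check_plan, the parameter names and the sample values are assumptions; the route that the 192.168.0.0/16 row requires on the classic ECS instance itself cannot be verified from outside the instance and is only noted.

```python
"""Pre-flight check of an SSL-VPN + ClassicLink addressing plan.

Added example, not part of the Alibaba Cloud documentation. It encodes the
rules stated on the page; every function name and sample value is an assumption.
Requires Python 3.7+ (ipaddress.subnet_of).
"""
from ipaddress import IPv4Network, ip_address, ip_network

# The three VPC CIDR blocks listed in the prerequisites table.
VPC_BLOCKS = (IPv4Network("172.16.0.0/12"), IPv4Network("10.0.0.0/8"),
              IPv4Network("192.168.0.0/16"))
# For a 10.0.0.0/8 VPC, the vSwitch that talks to classic-network ECS
# instances must lie within this block.
CLASSIC_VSWITCH_RANGE = {IPv4Network("10.0.0.0/8"): IPv4Network("10.111.0.0/16")}
# No row of the table permits a custom route entry to this destination.
FORBIDDEN_CUSTOM_ROUTE = IPv4Network("10.0.0.0/8")


def check_plan(vpc_cidr, vswitch_cidrs, custom_route_dests, client_subnet,
               local_networks, classic_ecs_ips, classic_facing_vswitch=None):
    """Return human-readable problems; an empty list means every rule passes.

    vpc_cidr               CIDR block of the VPC the VPN gateway belongs to
    vswitch_cidrs          CIDR blocks of all vSwitches in that VPC
    custom_route_dests     destination CIDR blocks of the VPC's custom route entries
    client_subnet          the SSL server's Client Subnet
    local_networks         the SSL server's Local Network blocks
    classic_ecs_ips        private IPs of the classic-network ECS instances to reach
    classic_facing_vswitch vSwitch that will carry ClassicLink traffic (10.0.0.0/8 VPCs)
    The 192.168.0.0/16 row also requires a route on the classic ECS instance
    itself; that cannot be verified from here.
    """
    problems = []
    vpc = ip_network(vpc_cidr)
    client = ip_network(client_subnet)
    vswitches = [ip_network(c) for c in vswitch_cidrs]
    local_nets = [ip_network(c) for c in local_networks]

    # Row selection: the VPC must use one of the three supported blocks.
    parent = next((b for b in VPC_BLOCKS if vpc.subnet_of(b)), None)
    if parent is None:
        problems.append(f"VPC {vpc} is not within any supported block "
                        f"({', '.join(map(str, VPC_BLOCKS))})")

    # All rows: no custom route entry whose destination is 10.0.0.0/8.
    if any(ip_network(d) == FORBIDDEN_CUSTOM_ROUTE for d in custom_route_dests):
        problems.append("VPC has a custom route entry with destination 10.0.0.0/8")

    # 10.0.0.0/8 row: the classic-facing vSwitch must be inside 10.111.0.0/16.
    if parent in CLASSIC_VSWITCH_RANGE:
        required = CLASSIC_VSWITCH_RANGE[parent]
        if (classic_facing_vswitch is None
                or not ip_network(classic_facing_vswitch).subnet_of(required)):
            problems.append(f"vSwitch facing the classic network must be within {required}")

    # Step 2, Client Subnet: inside the VPC CIDR and disjoint from every vSwitch.
    if not client.subnet_of(vpc):
        problems.append(f"client subnet {client} is not within VPC {vpc}")
    for vsw in vswitches:
        if client.overlaps(vsw):
            problems.append(f"client subnet {client} overlaps vSwitch {vsw}")

    # Step 2, Local Network note: every ECS IP must be covered by some block.
    for ip in classic_ecs_ips:
        addr = ip_address(ip)
        if not any(addr in net for net in local_nets):
            problems.append(f"ECS {addr} is not covered by any Local Network block; "
                            f"add its private CIDR block")
    return problems


if __name__ == "__main__":
    # Constructed sample using the page's example values plus one ECS instance
    # (10.3.0.5) that no Local Network block covers.
    for issue in check_plan(
        vpc_cidr="172.16.0.0/12",
        vswitch_cidrs=["172.16.0.0/24", "172.16.1.0/24"],
        custom_route_dests=[],
        client_subnet="172.16.10.0/24",
        local_networks=["10.1.0.0/16", "10.2.0.0/16"],
        classic_ecs_ips=["10.1.3.4", "10.2.9.9", "10.3.0.5"],
    ) or ["plan is consistent with the page's constraints"]:
        print(issue)
```

Run the check once with the values you intend to enter in the console; with the page's example values and only the two covered ECS instances it reports nothing, and the uncovered 10.3.0.5 in the sample produces the same "add the private CIDR block" advice the Local Network note gives.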
Step 3: Create an SSL client certificate
After you create an SSL server, you must create an SSL client certificate based on
the configuration of the SSL server.
- In the left-side navigation pane, choose .
- On the SSL Client page, click Create Client Certificate.
- In the Create Client Certificate panel, enter a name for the SSL client certificate, select an SSL server, and then
click OK.
- On the SSL Client page, find the client certificate that you created and click Download in the Actions column to download the client certificate.
Step 4: Configure the clients
After you download the SSL client certificate, you must install the client certificate
on the client. After you install the certificate, the client can connect to the VPN
gateway over an SSL-VPN connection. The following section describes how to configure
Linux, macOS, and Windows clients.
Configure a Linux client
- Run the following command to install OpenVPN:
- Extract and copy the SSL client certificate to the /etc/openvpn/conf/ directory.
- Run the following command to start OpenVPN:
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
Configure a macOS client
- Open the command-line interface (CLI).
- If Homebrew is not installed on your client, run the following command to install
Homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Run the following command to install OpenVPN:
- Copy the SSL client certificate package that you downloaded to the configuration directory
of OpenVPN and decompress the package.
- Back up all configuration files in the /usr/local/etc/openvpn folder.
- Run the following command to delete the configuration files of OpenVPN:
rm /usr/local/etc/openvpn/*
- Run the following command to copy the SSL client certificate package to the /usr/local/etc/openvpn/ directory.
cp cert_location /usr/local/etc/openvpn/
In the preceding command, replace cert_location with the path of the downloaded SSL client certificate package, for example, /Users/example/Downloads/certs6.zip.
- Run the following command to decompress the package:
cd /usr/local/etc/openvpn/
unzip /usr/local/etc/openvpn/certs6.zip
- Run the following command to establish an SSL-VPN connection:
sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
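The Linux and macOS steps above both come down to unpacking the downloaded package into OpenVPN's configuration directory and starting openvpn with config.ovpn. The following Python script is an added example, not part of the Alibaba Cloud documentation and not an Alibaba tool: it unpacks the package, checks the profile before anything is started, and then runs the start command the page gives for the platform. It assumes the package contains a config.ovpn whose CA, certificate and key are either separate files next to it or inline blocks (both are standard OpenVPN profile syntax); the package layout, the *.key file name pattern and all function names are assumptions.

```python
"""Pre-flight check of a downloaded SSL-VPN client package before OpenVPN starts.

Added example; it is not part of the Alibaba Cloud documentation and not an
Alibaba tool. It assumes the package unpacks to a config.ovpn that carries its
CA/certificate/key either as separate files next to it or as inline
<ca>/<cert>/<key> blocks (standard OpenVPN profile syntax); the actual layout
of the package, and all function names here, are assumptions.
"""
import os
import platform
import re
import shlex
import subprocess
import sys
import zipfile

REQUIRED = ("client", "remote", "dev")       # minimum for a client profile
CRED_DIRECTIVES = ("ca", "cert", "key")      # may be files or inline blocks


def parse_ovpn(text):
    """Parse an .ovpn profile into ({directive: [args, ...]}, {inline tags})."""
    directives, inline, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:                                  # <ca> ... </ca> and friends
            current = None if tag.group(1) else tag.group(2)
            if current:
                inline.add(current)
            continue
        if current:                              # PEM body, not a directive
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def preflight(config_text, present_files):
    """Return problems found in the profile given the set of file names that
    sit in its directory; an empty list means it is safe to start OpenVPN."""
    problems = []
    directives, inline = parse_ovpn(config_text)
    for d in REQUIRED:
        if d not in directives:
            problems.append(f"missing '{d}' directive")
    for d in CRED_DIRECTIVES:
        if d in inline:
            continue
        args = directives.get(d, [[]])[0]
        if not args:
            problems.append(f"no '{d}' file and no inline <{d}> block")
        elif args[0] not in present_files:
            problems.append(f"'{d}' references {args[0]}, which is not in the config directory")
    # Without this directive the client accepts any certificate issued by the
    # CA as the gateway, including another client's; with it, the peer must
    # present a certificate marked for server use.
    if ["server"] not in directives.get("remote-cert-tls", []):
        problems.append("profile lacks 'remote-cert-tls server'")
    return problems


def openvpn_command(system, config_path):
    """The start command the page gives per platform: the Homebrew binary under
    sudo on macOS, a daemonised openvpn on Linux."""
    if system == "Darwin":
        return ["sudo", "/usr/local/opt/openvpn/sbin/openvpn", "--config", config_path]
    return ["openvpn", "--config", config_path, "--daemon"]


def install_package(zip_path, config_dir):
    """Unpack the package, refusing entries that would land outside config_dir,
    and make any *.key file readable by its owner only (file name assumed)."""
    root = os.path.realpath(config_dir)
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if not os.path.realpath(os.path.join(root, name)).startswith(root + os.sep):
                raise ValueError(f"refusing to extract {name!r} outside {root}")
        zf.extractall(root)
    for name in os.listdir(root):
        if name.endswith(".key"):
            os.chmod(os.path.join(root, name), 0o600)


if __name__ == "__main__":
    # usage: python ssl_vpn_client.py /path/to/certs6.zip /etc/openvpn/conf
    zip_path, config_dir = sys.argv[1], sys.argv[2]
    install_package(zip_path, config_dir)
    config_path = os.path.join(config_dir, "config.ovpn")
    with open(config_path) as fh:
        issues = preflight(fh.read(), set(os.listdir(config_dir)))
    if issues:
        sys.exit("not starting OpenVPN:\n  " + "\n  ".join(issues))
    subprocess.run(openvpn_command(platform.system(), config_path), check=True)
```

On macOS the config directory is the /usr/local/etc/openvpn/ directory from the steps above, on Linux /etc/openvpn/conf/. The profile check is the part worth keeping even if you launch OpenVPN by hand: a package that is missing its key file fails at connection time with a less obvious error, and a profile without remote-cert-tls server connects happily to anything holding a certificate from the same CA.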
Configure a Windows client
- Download and install OpenVPN.
- Extract and copy the SSL client certificate to the OpenVPN\config directory of OpenVPN.
- Start OpenVPN and click Connect to initiate a connection.
Step 5: Establish a ClassicLink connection
VPC provides the ClassicLink feature. This feature allows ECS instances in a classic
network to communicate with cloud resources in a VPC.
- Enable ClassicLink.
- Log on to the VPC console.
- In the top navigation bar, select the region where the VPC is deployed.
- On the VPCs page, find the VPC that you want to manage and click its ID.
- In the upper-right corner of the VPC details page, click Enable ClassicLink.
- In the Enable ClassicLink message, click OK.
After ClassicLink is enabled, the status of ClassicLink in the VPC Details section changes to Enabled.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Select the region where the ECS instance that you want to manage is deployed.
- Connect the ECS instance to the VPC.
- On the Instances page, find the ECS instance that you want to manage and choose in the Actions column.
- In the Connect to VPC dialog box, select a VPC and click OK.
- Configure a security group rule for ClassicLink.
- Click Go to the instance security group list and add ClassicLink rules, and click Add ClassicLink Rule.
- In the Add ClassicLink Rule dialog box, set the following parameters and click OK.
Parameter | Description
Classic Security Group | Displays the name of the security group of the classic network.
Select VPC Security Group | Select a security group of the VPC.
Authorization Method | Select one of the following authorization methods: Classic <=> VPC allows the ECS instance in the classic network and cloud resources in the VPC to access each other (this method is recommended); Classic => VPC allows the ECS instance in the classic network to access cloud resources in the VPC; VPC => Classic allows the cloud resources in the VPC to access the ECS instance in the classic network.
Protocol Type | Select the protocol for communication.
Port Range | Specify the ports that are used for communication, in the xx/xx format. For example, to specify port 80, enter 80/80.
Priority | Specify a priority for the rule. A smaller value specifies a higher priority.
Description | Enter a description for the security group rule.
- Go back to the ECS console, and click the Column Filters icon in the upper-right corner.
In the dialog box that appears, select Link Status, and click OK to view the connection status of the ECS instance.