This topic describes how to use SSL-VPN to connect a client that runs Linux, macOS, Windows, or Android to a virtual private cloud (VPC).

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create an Alibaba Cloud account.
  • The private CIDR block of the client does not overlap with the private CIDR block of the VPC.
  • The client can access the Internet.
  • You have read and understand the security group rules that apply to the ECS instances in the VPC, and the security group rules allow the client to access cloud resources. For more information, see Query security group rules and Add security group rules.

Background information

The scenario in the following figure is used as an example to describe how to use SSL-VPN to connect a client that runs Linux, macOS, Windows, or Android to a VPC.

Figure: Connect a client to a VPC

Procedure

Step 1: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.
  3. On the VPN Gateway page, set the following parameters and click Buy Now to complete the payment:
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.
      Note Make sure that the VPN gateway and the VPC are deployed in the same region.
    • VPC: Select the VPC to be connected.
    • Specify VSwitch: Select whether to specify a vSwitch for the VPN gateway. In this example, No is selected.
    • Maximum Bandwidth: Select a maximum bandwidth value for the VPN gateway.

      The bandwidth is used to limit the data transfer rate over the Internet.

    • Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Pay-as-you-go.
    • IPsec-VPN: Specify whether to enable the IPsec-VPN feature. In this example, Disable is selected.
    • SSL-VPN: Specify whether to enable the SSL-VPN feature. In this example, Enable is selected.
    • SSL Connections: Specify the number of clients that you want to connect to the VPN gateway.
      Note The SSL Connections parameter is available only after you enable the SSL-VPN feature.
    • Duration: By default, the VPN gateway is billed on an hourly basis.
  4. Return to the VPN Gateways page to view the VPN gateway that you created.

    The VPN gateway that you created is in the Preparing state. The VPN gateway changes to the Normal state after about 1 to 5 minutes. After the VPN gateway changes to the Normal state, the VPN gateway is ready for use.

Step 2: Create an SSL server

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  2. In the top navigation bar, select the region where you want to create an SSL server.
    Note Make sure that the SSL server and the VPN gateway that you created are deployed in the same region.
  3. On the SSL Server page, click Create SSL Server.
  4. In the Create SSL Server panel, set the following parameters and click OK:
    • Name: Enter a name for the SSL server.
    • VPN Gateway: Select the VPN gateway that you created.
    • Local Network: Enter the CIDR block of the network to which you want to connect.

      Click Add Local Network to add more CIDR blocks. You can add the CIDR block of a VPC, a vSwitch, or an on-premises network.

    • Client Subnet: Enter the CIDR block that the client uses to connect to the SSL server.
      Notice
      • Make sure that the CIDR block of the destination network and the client CIDR block do not overlap with each other.
      • Make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

        For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from 192.168.0.0/24. 192.168.0.4/30, which provides up to four IP addresses, is used as the subnet CIDR block in this example. Then, the system allocates an IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address can be allocated to your client, you must make sure that the number of IP addresses that the client CIDR block provides is at least four times the number of SSL-VPN connections.

    • Advanced Configuration: The default settings are used in this example.
    For more information, see Create an SSL server.
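The two constraints on the Client Subnet parameter (no overlap with the Local Network blocks, and at least four addresses per connection) can be verified before the SSL server is created. The following POSIX shell script is an added example and is not part of the Alibaba Cloud documentation or console; the CIDR blocks and the connection count in it are constructed values, and it applies the rule stated above that each SSL-VPN connection consumes one /30 from the client CIDR block.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: checks the Local Network and
# Client Subnet values of an SSL server. It applies the page's rule that every
# SSL-VPN connection takes a /30 (four addresses) from the client CIDR block.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask of a prefix length as a 32-bit integer (24 -> 255.255.255.0).
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address (integer) of a CIDR block such as 192.168.0.0/24.
cidr_network() {
    echo $(( $(ip_to_int "${1%/*}") & $(prefix_mask "${1#*/}") ))
}

# Number of SSL-VPN connections a client CIDR block can serve: addresses / 4.
max_clients() {
    echo $(( (1 << (32 - ${1#*/})) / 4 ))
}

# Return 0 (true) when two CIDR blocks overlap: the address of the more specific
# block, masked with the less specific block's prefix, equals that block's network.
cidr_overlap() {
    if [ "${1#*/}" -le "${2#*/}" ]; then short=$1; long=$2; else short=$2; long=$1; fi
    [ $(( $(ip_to_int "${long%/*}") & $(prefix_mask "${short#*/}") )) -eq "$(cidr_network "$short")" ]
}

# Usage: check_ssl_server CLIENT_CIDR CONNECTIONS LOCAL_CIDR...
# Prints one line per problem and returns 1 if any check fails.
check_ssl_server() {
    client=$1; connections=$2; shift 2
    rc=0
    cap=$(max_clients "$client")
    if [ "$cap" -lt "$connections" ]; then
        echo "client subnet $client serves at most $cap connections, $connections requested"
        rc=1
    fi
    for net in "$@"; do
        if cidr_overlap "$net" "$client"; then
            echo "local network $net overlaps client subnet $client"
            rc=1
        fi
    done
    return $rc
}

# Constructed values: a VPC block and a vSwitch block as Local Network entries,
# a /24 client subnet (64 connections at most) and 5 planned connections.
check_ssl_server 192.168.0.0/24 5 172.16.0.0/12 172.16.1.0/24 && echo "SSL server plan looks consistent"
```

Run it with `sh` and replace the last line's values with your own Local Network blocks, client subnet and the SSL Connections value you bought in Step 1; a non-zero exit status means at least one of the two constraints is violated.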

Step 3: Create and download an SSL client certificate

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.
  2. On the SSL Client page, click Create Client Certificate.
  3. In the Create Client Certificate panel, enter a name for the SSL client certificate, select an SSL server, and then click OK.
  4. On the SSL Client page, find the SSL client certificate that you created and click Download in the Actions column.

Step 4: Configure the client

The following section describes how to configure a client that runs Linux, Windows, macOS, or Android.

Configure a client that runs Linux

  1. Open the command-line interface (CLI).
  2. Run the following command to install the OpenVPN client:
    yum install -y openvpn
  3. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the /etc/openvpn/conf/ directory.
  4. Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection:
    openvpn --config /etc/openvpn/conf/config.ovpn --daemon

Configure a client that runs Windows

  1. Download and install the OpenVPN client for Windows.
  2. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.
    In this example, the certificate is copied to C:\Program Files\OpenVPN\config. You must copy the certificate to the directory where the OpenVPN client is installed.
  3. Start the OpenVPN client and click Connect to establish a connection.

Use Tunnelblick to connect a client that runs macOS

The following section describes how to use Tunnelblick to establish an SSL-VPN connection between a client that runs macOS and a VPN gateway.

  1. Download Tunnelblick.
    In this example, Tunnelblick of version 3.8.6a is used.
  2. Install Tunnelblick.
    1. Double-click the installation package that you downloaded.
    2. Double-click the Tunnelblick icon.
    3. Select I have configuration files.
    4. Click OK.
  3. Decompress the SSL client certificate package that you downloaded in Step 3.
  4. Upload the config.ovpn file to Tunnelblick to establish an SSL-VPN connection.
    1. Double-click the Tunnelblick icon to open Tunnelblick.
    2. Drag the config.ovpn file to the Configurations folder.
    3. Select Only Me.
    4. Click Connect.

Use OpenVPN to connect a client that runs macOS

The following section describes how to use OpenVPN to establish an SSL-VPN connection between a client that runs macOS and a VPN gateway.

  1. Open the CLI.
  2. If Homebrew is not installed on your client, run the following command to install Homebrew:
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  3. Run the following command to install the OpenVPN client:
    brew install openvpn
  4. Copy the SSL client certificate package that you downloaded in Step 3 to the configuration directory of the OpenVPN client and decompress the package.
    1. Back up all configuration files in the /usr/local/etc/openvpn folder.
    2. Run the following command to delete the configuration files of the OpenVPN client:
      rm /usr/local/etc/openvpn/*
    3. Run the following command to copy the SSL client certificate package that you downloaded to the configuration directory of OpenVPN:
      cp cert_location /usr/local/etc/openvpn/

      In the preceding command, replace cert_location with the directory to which the SSL client certificate package is downloaded in Step 3. For example: /Users/example/Downloads/certs6.zip.

  5. Run the following command to decompress the package:
    cd /usr/local/etc/openvpn/
    unzip /usr/local/etc/openvpn/certs6.zip
  6. Run the following command to establish an SSL-VPN connection:
    sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
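On both Linux (/etc/openvpn/conf/) and macOS (/usr/local/etc/openvpn/) the decompressed package is handed to openvpn with --config. The script below is an added example, not part of the Alibaba Cloud documentation or of the OpenVPN project: it confirms that config.ovpn and every file it references are present in the directory, and it restricts the client private key, which is the credential that authenticates you to the VPN gateway, to its owner. It assumes that config.ovpn names its files with plain `ca`, `cert` and `key` directives (inline `<ca>`...`</ca>` blocks are not handled), and the bundle it builds for the demonstration consists of constructed placeholder files, not real certificates.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page or the OpenVPN project: checks
# an unpacked SSL client certificate bundle before openvpn is started, and
# locks down the client private key. Assumes config.ovpn names its files with
# plain "ca", "cert" and "key" directives (inline <ca>...</ca> blocks are not
# handled); the bundle contents below are constructed placeholders.

# Print the file named by a directive ("key client.key" -> client.key).
profile_file() {   # $1 = profile directory, $2 = directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1/config.ovpn"
}

# Return 0 when config.ovpn exists and every referenced file is present;
# otherwise print one reason per line and return 1.
check_profile() {
    dir=$1; rc=0
    [ -f "$dir/config.ovpn" ] || { echo "config.ovpn missing in $dir"; return 1; }
    for d in ca cert key; do
        f=$(profile_file "$dir" "$d")
        if [ -z "$f" ]; then
            echo "config.ovpn has no '$d' directive"; rc=1
        elif [ ! -f "$dir/$f" ]; then
            echo "$d file $dir/$f not found"; rc=1
        fi
    done
    return $rc
}

# True when a file is readable and writable by its owner only (mode 0600).
key_is_private() {
    [ -n "$(find "$1" -perm 0600 -print 2>/dev/null)" ]
}

# The client key is the credential that authenticates to the VPN gateway:
# archive extraction often leaves it world-readable, so restrict it to the owner.
lock_key() {
    dir=$1
    f=$(profile_file "$dir" key)
    [ -n "$f" ] && [ -f "$dir/$f" ] || return 1
    chmod 600 "$dir/$f" && key_is_private "$dir/$f"
}

# Build a constructed bundle in a temporary directory (placeholder contents,
# not real certificates) so the checks can be exercised offline.
make_sample_bundle() {
    dir=$(mktemp -d)
    printf 'client\ndev tun\nproto udp\nca ca.crt\ncert client.crt\nkey client.key\n' > "$dir/config.ovpn"
    echo 'constructed placeholder, not a certificate' > "$dir/ca.crt"
    echo 'constructed placeholder, not a certificate' > "$dir/client.crt"
    echo 'constructed placeholder, not a private key' > "$dir/client.key"
    chmod 644 "$dir/client.key"   # the loose mode an archive extraction commonly leaves
    echo "$dir"
}

# Demonstration on the constructed bundle; point check_profile and lock_key
# at /etc/openvpn/conf or /usr/local/etc/openvpn for a real one.
bundle=$(make_sample_bundle)
check_profile "$bundle" && lock_key "$bundle" && echo "bundle in $bundle is ready for openvpn --config"
rm -rf "$bundle"
```

For a real bundle, run `check_profile` and `lock_key` against the directory you copied the package into, before the `openvpn --config` command; on Linux and when openvpn is started with sudo on macOS, the key must still be readable by the user openvpn runs as (root), which mode 600 owned by root satisfies.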

Configure a client that runs Android

  1. Download and install the OpenVPN client for Android.
    In this example, a client that runs Android 9.0 and an OpenVPN client of version 3.0.5 are used.
  2. Transfer the SSL client certificate package that you downloaded in Step 3 to the client that runs Android and decompress the package.
    Note
    • If your client that runs Android does not have an application to decompress the package, you can decompress the certificate on your computer and then transfer the decompressed files to the client.
    • Make sure that the decompressed files belong to the same folder. The following figure shows an example.
    Figure: The folder where the decompressed files are stored
  3. Open the OpenVPN client, import the config.ovpn file, and add an SSL-VPN connection.
    Figure: Import the config.ovpn file
    1. Select OVPN Profile.
    2. Find the config.ovpn file.
    3. Click IMPORT to import the config.ovpn file.
    4. The system reads information from the config.ovpn file and displays the public IP address of the VPN gateway to be connected. Click ADD to add an SSL-VPN connection.
  4. Turn on the switch to establish an SSL-VPN connection.
    Figure: Establish a connection by using OpenVPN

Step 5: Test the network connectivity

To test the network connectivity, connect to an Elastic Compute Service (ECS) instance in the VPC.

FAQ

After I use OpenVPN to establish an SSL-VPN connection on a client that runs macOS, how do I close the connection?

  1. Open the CLI on the client that runs macOS.
  2. Run the following command to search for the OpenVPN process and record the process number:
    ps aux | grep openvpn
  3. Run the following command to close the OpenVPN process:
    kill -9 <Process number>
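The same shutdown can be scripted so that openvpn is first asked to exit with SIGTERM, which lets it close the tunnel and run its down scripts, and SIGKILL is sent only if it does not exit in time. The following POSIX shell script is an added example and is not part of the Alibaba Cloud documentation; it uses `pgrep -x openvpn` to find the process (unlike `ps aux | grep openvpn`, pgrep does not list itself), and because openvpn started with sudo runs as root, the script must be run with sudo as well.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: stops the OpenVPN client
# cleanly. SIGTERM lets openvpn close the tunnel and run its down scripts;
# SIGKILL (kill -9) skips that cleanup, so it is used only as a last resort.
# openvpn started with sudo runs as root, so run this script with sudo too.

# True while a process exists and has not already exited (zombie state).
alive() {
    st=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    case "$st" in
        "")  kill -0 "$1" 2>/dev/null ;;   # ps unavailable or no such process
        Z*)  return 1 ;;                   # exited but not yet reaped
        *)   return 0 ;;
    esac
}

# stop_pid PID [TIMEOUT]: SIGTERM, wait up to TIMEOUT seconds (default 10),
# then SIGKILL. Returns 0 once the process is gone.
stop_pid() {
    pid=$1; timeout=${2:-10}; waited=0
    alive "$pid" || return 0
    kill -TERM "$pid" 2>/dev/null || true
    while alive "$pid"; do
        waited=$((waited + 1))
        if [ "$waited" -ge "$timeout" ]; then
            echo "pid $pid ignored SIGTERM for ${timeout}s, sending SIGKILL"
            kill -KILL "$pid" 2>/dev/null || true
            sleep 1
            break
        fi
        sleep 1
    done
    ! alive "$pid"
}

# Find openvpn by exact process name and stop each instance.
stop_openvpn() {
    pids=$(pgrep -x openvpn) || { echo "no openvpn process is running"; return 0; }
    for p in $pids; do
        echo "stopping openvpn pid $p"
        stop_pid "$p" 10 || return 1
    done
}

stop_openvpn
```

Save it as a file and run it with `sudo sh`; if openvpn is not running, the script says so and exits successfully.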

How do I use OpenVPN to establish an SSL-VPN connection on a client that runs macOS and uses an M1 chip?

If you use a client that runs macOS and uses an M1 chip, we recommend that you use Tunnelblick to establish an SSL-VPN connection. For more information, see Use Tunnelblick to connect a client that runs macOS.