This topic describes how to enable two-factor (username and password) authentication to authenticate SSL-VPN requests from Linux clients to virtual private clouds (VPCs).

Prerequisites

Before you start, make sure that the following requirements are met:
  • An Identity as a Service (IDaaS) instance is purchased and the user information of the IDaaS instance is updated on Alibaba Cloud. For more information, see Organizations and Accounts.
    Note IDaaS is a unified identity authentication service that allows one account to access all services. After you enable two-factor authentication and select an IDaaS instance, OpenVPN SSL-VPN connections must pass both certificate key authentication and two-factor authentication before cloud resources can be accessed. This prevents unauthorized access and reinforces security.
  • A VPC is created. For more information, see Create and manage a VPC.

Scenario

In this example, a company has created a VPC in the China (Hangzhou) region and the CIDR block of the VPC is 192.168.1.0/24. Due to business requirements, employees on business trips need to access resources deployed in the VPC from Linux clients.
You can create a VPN gateway on Alibaba Cloud as shown in the preceding figure, configure an SSL-VPN server, and then enable two-factor authentication. To access resources in the VPC from Linux clients over SSL-VPN connections, you must first pass certificate key authentication and two-factor authentication. This reinforces security and facilitates management of VPN connections.

Procedure

Step 1: Create a VPN gateway

VPN Gateway is an Internet-based service that connects enterprise data centers, office networks, or Internet-facing terminals to Alibaba Cloud VPCs over encrypted connections.
Notice Make sure that the VPN gateway was created after 00:00, March 5, 2020. Otherwise, two-factor authentication is not supported.
  1. Log on to the VPN gateway console.
  2. In the top navigation bar, select the region where the VPC is deployed.
    In this example, the China (Hangzhou) region is selected.
    Note Make sure that the VPN gateway and the VPC are deployed in the same region.
  3. In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
  4. On the VPN Gateways page, click Create VPN Gateway.
  5. On the buy page, set the following parameters and click Buy Now to complete the payment.
    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to create the VPN gateway. In this example, the China (Hangzhou) region is selected.
    • VPC: Select the VPC where you want to create the VPN gateway.
    • Specify VSwitch: Specify whether to deploy the VPN gateway in a vSwitch of the VPC. In this example, No is selected.
    • Peak Bandwidth: Select a maximum bandwidth value for the VPN gateway. Unit: Mbit/s.
    • Traffic: Default value: Pay By Traffic.
    • IPsec-VPN: You can enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between a data center and a VPC or between two VPCs. In this example, No is selected.
    • SSL-VPN: You can enable or disable the SSL-VPN feature. After you enable this feature, you can connect to VPCs from clients over SSL-VPN connections. In this example, No is selected.
    • SSL connections: Select the maximum number of concurrent SSL connections that the VPN gateway supports. 5 is selected in this example.
      Note This parameter is available only if you choose to enable SSL-VPN.
    • Duration: Select a subscription duration. You can select only By Hour.

Step 2: Create an SSL server

SSL-VPN is based on the OpenVPN framework. You must use an SSL server to specify the CIDR blocks that you want to connect to and the CIDR blocks that clients use, and enable two-factor authentication.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
  3. In the top navigation bar, select the region where you want to create the SSL server.
    In this example, the China (Hangzhou) region is selected.
  4. On the SSL Servers page, click Create SSL Server.
  5. In the Create SSL Server panel, set the following parameters and click OK.
    • Name: Enter a name for the SSL server.
    • VPN Gateway: Select the VPN gateway that you created in Step 1.
    • Local Network: Enter the CIDR block to be accessed by the client over the SSL-VPN connection. 192.168.0.0/24 is used in this example.
    • Client Subnet: Enter a CIDR block that the client uses when the client is connected to the SSL server. 10.0.0.0/24 is used in this example.
    • Advanced Configuration: Enable advanced configurations and set the following parameters.
      • Protocol: Select the protocol for the SSL-VPN connection. Valid values: UDP and TCP. In this example, the default setting is used.
      • Port: Enter the port number used in the SSL-VPN connection. In this example, the default setting is used.
      • Encryption Algorithm: The encryption algorithm used in the SSL-VPN connection. Supported encryption algorithms include AES-128-CBC, AES-192-CBC, and AES-256-CBC. In this example, the default setting is used.
      • Enable Compression: Specify whether to compress the transmitted data. In this example, the default setting is used.
      • Two-factor Authentication: Enable two-factor authentication and select an IDaaS instance.
        Note If this is your first time using two-factor authentication, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.

Step 3 (optional): Configure Active Directory (AD) authentication for cloud services

By default, two-factor authentication uses the username and password of the IDaaS instance. You can also configure Active Directory (AD) authentication so that SSL-VPN accepts AD credentials. If you use only the username and password of the IDaaS instance for authentication, skip this step.

  1. Log on to the IDaaS console.
  2. On the Instances page, find the IDaaS instance you want to manage and click Management in the Actions column.
  3. In the left-side navigation pane, choose Authentication > Authentication Source and click Add Authentication Source.
  4. On the Add Authentication Source page, find LDAP and click Add Authentication Source in the Actions column.
  5. In the Add Authentication Source (LDAP) dialog box, create an LDAP authentication source.
    For more information, see LDAP as Authentication Source.
    After you create the authentication source, it appears on the Authentication Source page.
  6. On the Authentication Source page, find the authentication source that you want to manage, click Enable in the Status column, and then click OK in the dialog box that appears.
  7. In the left-side navigation pane, choose Settings > Security Settings.
  8. On the Security Settings page, click the Cloud Product AD Authentication tab.
  9. Select the AD authentication source that you have created, enable this feature, and then click Save.

Step 4: Create and download an SSL client certificate

Create and download an SSL client certificate based on the configurations of the SSL server.

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.
  3. In the top navigation bar, select the region where the SSL client is deployed.
    In this example, the China (Hangzhou) region is selected.
  4. On the SSL Clients page, click Create Client Certificate.
  5. In the Create Client Certificate panel, set the following parameters and click OK.
    • Name: Enter a name for the SSL client certificate.
    • SSL Server: Select the SSL server created in Step 2.
  6. On the SSL Clients page, find the SSL client certificate and click Download in the Actions column.
    The SSL client certificate is downloaded to your on-premises machine.

Step 5: Configure the client

Perform the following steps to configure the Linux client:

  1. Run the following command on the Linux client to install OpenVPN:
    yum install -y openvpn
  2. Extract and copy the certificate downloaded in Step 4 to the /etc/openvpn/conf/ directory.
    1. Run the following command to create the configuration directory and copy the downloaded file into it:
      mkdir -p /etc/openvpn/conf/ && cp cert_location /etc/openvpn/conf/
    2. Run the following command to extract the certificate into the same directory:
      unzip /etc/openvpn/conf/certs6.zip -d /etc/openvpn/conf/
  3. Run the following command to start OpenVPN, and enter the username and password for authentication when prompted:
    openvpn --config /etc/openvpn/conf/config.ovpn --daemon
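
Before starting OpenVPN, it is worth confirming that the extracted bundle really carries both factors. The following added example (not from the original page) checks a config.ovpn for an inline or referenced client certificate and key, for a private key that is not group/world readable, and for the auth-user-pass directive that makes OpenVPN prompt for the IDaaS username and password; the sample bundles it builds are constructed, and all file names other than config.ovpn are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Alibaba Cloud page: sanity-check an extracted
# SSL-VPN client bundle before starting OpenVPN. With two-factor authentication
# the config must carry the client certificate and key (factor 1) AND an
# auth-user-pass directive so OpenVPN prompts for the IDaaS username and
# password (factor 2). File names other than config.ovpn are assumptions.

# check_ovpn_2fa <path/to/config.ovpn>; returns 0 when both factors are present.
check_ovpn_2fa() {
  cfg="$1"; dir=$(dirname "$cfg"); rc=0
  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
  # Factor 1: certificate and key, either inline (<cert>/<key>) or referenced.
  if grep -q '^<cert>' "$cfg" && grep -q '^<key>' "$cfg"; then
    :
  elif grep -Eq '^(cert|key)[[:space:]]' "$cfg"; then
    for f in $(awk '$1=="cert"||$1=="key"{print $2}' "$cfg"); do
      case "$f" in /*) p="$f" ;; *) p="$dir/$f" ;; esac
      [ -r "$p" ] || { echo "referenced file missing: $p" >&2; rc=1; }
    done
    # The private key must not be readable by group or others (ls columns 5-10).
    k=$(awk '$1=="key"{print $2; exit}' "$cfg")
    case "$k" in /*) ;; *) k="$dir/$k" ;; esac
    if [ -f "$k" ]; then
      case "$(ls -l "$k" | cut -c5-10)" in
        *r*) echo "private key $k is group/world readable; run chmod 600 on it" >&2; rc=1 ;;
      esac
    fi
  else
    echo "no client certificate/key in $cfg" >&2; rc=1
  fi
  # Factor 2: without auth-user-pass OpenVPN never asks for the IDaaS credentials.
  grep -q '^auth-user-pass' "$cfg" || { echo "auth-user-pass missing in $cfg" >&2; rc=1; }
  return $rc
}

# Constructed sample bundles (placeholder PEM bodies, not real certificates).
make_samples() {
  d=$(mktemp -d)
  printf 'client\nremote vpn.example.invalid 1194 udp\n<cert>\nMIIC...\n</cert>\n<key>\nMIIE...\n</key>\nauth-user-pass\n' > "$d/good.ovpn"
  printf 'client\nremote vpn.example.invalid 1194 udp\n<cert>\nMIIC...\n</cert>\n<key>\nMIIE...\n</key>\n' > "$d/no2fa.ovpn"
  printf 'client\nremote vpn.example.invalid 1194 udp\ncert client.crt\nkey client.key\nauth-user-pass\n' > "$d/weakkey.ovpn"
  : > "$d/client.crt"; : > "$d/client.key"; chmod 644 "$d/client.key"
  echo "$d"
}

SAMPLES=$(make_samples)
check_ovpn_2fa "$SAMPLES/good.ovpn" && echo "good.ovpn: ready for two-factor logon"
check_ovpn_2fa "$SAMPLES/no2fa.ovpn" || echo "no2fa.ovpn: rejected (second factor missing)"
check_ovpn_2fa "$SAMPLES/weakkey.ovpn" || echo "weakkey.ovpn: rejected (key permissions)"
```

Run it against the real bundle with `check_ovpn_2fa /etc/openvpn/conf/config.ovpn` before the `openvpn --config ... --daemon` command; a non-zero exit explains on stderr which factor is missing.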

Step 6: Test the connectivity

Perform the following steps to test the connectivity between the Linux client and the VPC:

  1. Log on to the Linux client.
  2. Run the ping command to ping the IP address of an Elastic Compute Service (ECS) instance in the VPC to test the connectivity.
    Note Make sure that the security group rules of the ECS instance allow remote access from Linux clients. For more information, see Use cases of ECS security groups.

    The test result shows that the Linux client can access the ECS instance.