
VPN Gateway:Create and manage an SSL server

Last Updated:Apr 01, 2026

An SSL server defines the networks and resources that clients can access. Before you use the SSL-VPN feature, you must create an SSL server.

Prerequisites

You have created a VPN Gateway instance and enabled the SSL-VPN feature for the instance. For more information, see Create and manage a VPN Gateway instance.

If you did not enable the SSL-VPN feature when you created the VPN Gateway instance, you can enable it at any time. For more information, see Enable the SSL-VPN feature.

Create an SSL server

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Network Interconnection > VPN > SSL Servers.

  3. In the top navigation bar, select the region where you want to create the SSL server.

    The SSL server must be in the same region as the associated VPN Gateway instance.

  4. On the SSL Servers page, click Create SSL Server.

  5. In the Create SSL Server panel, configure the parameters and click OK.

    Parameter

    Description

    Name

    Enter a name for the SSL server.

    Resource Group

    Select the resource group to which the VPN Gateway instance belongs.

    The system automatically adds the SSL server to the same resource group as the VPN Gateway instance.

    VPN Gateway

    Select the VPN Gateway instance to associate with the SSL server.

    Make sure that the SSL-VPN feature is enabled for the selected VPN Gateway instance.

    Local Network

    The destination CIDR blocks that clients can access through the SSL-VPN connection.

    The local network can be the CIDR block of a Virtual Private Cloud (VPC), a vSwitch, a data center connected to the VPC over an Express Connect circuit, or a cloud service such as Object Storage Service (OSS) or ApsaraDB RDS.

    Click Add Local CIDR Block to add multiple CIDR blocks. You can add up to five local networks. The following IP address ranges cannot be used for a local network:

    • 127.0.0.0 to 127.255.255.255

    • 169.254.0.0 to 169.254.255.255

    • 224.0.0.0 to 239.255.255.255

    • 255.0.0.0 to 255.255.255.255

    Note

    The prefix length of the local network must be 8 to 32 bits.

    Client CIDR Block

    The IP address pool from which the VPN Gateway instance assigns IP addresses to client virtual network interfaces. This pool is separate from the client's private network. When a client connects, the VPN Gateway instance assigns it an IP address from this pool for accessing cloud resources.

    Ensure that the client CIDR block provides at least four times as many IP addresses as the maximum number of concurrent SSL connections supported by the VPN Gateway instance.

    • Why each connection consumes four IP addresses:

      For example, if you specify 192.168.0.0/24 as the client CIDR block, the system carves out a /30 subnet, such as 192.168.0.4/30, to handle a connection. One IP address from this subnet is assigned to the client, while the other three are reserved by the system for network communication. Therefore, each client connection consumes four IP addresses from the pool. To ensure that all clients can connect, the total number of available IP addresses in your client CIDR block must be at least four times the maximum number of SSL connections for the VPN Gateway instance.

    • Unsupported CIDR blocks:

      • 100.64.0.0 to 100.127.255.255

      • 127.0.0.0 to 127.255.255.255

      • 169.254.0.0 to 169.254.255.255

      • 224.0.0.0 to 239.255.255.255

      • 255.0.0.0 to 255.255.255.255

    • Recommended client CIDR blocks for different numbers of SSL connections:

      • For 5 SSL connections, the recommended prefix length is 27 or less. Example: 10.0.0.0/27 or 10.0.0.0/26.

      • For 10 SSL connections, the recommended prefix length is 26 or less. Example: 10.0.0.0/26 or 10.0.0.0/25.

      • For 20 SSL connections, the recommended prefix length is 25 or less. Example: 10.0.0.0/25 or 10.0.0.0/24.

      • For 50 SSL connections, the recommended prefix length is 24 or less. Example: 10.0.0.0/24 or 10.0.0.0/23.

      • For 100 SSL connections, the recommended prefix length is 23 or less. Example: 10.0.0.0/23 or 10.0.0.0/22.

      • For 200 SSL connections, the recommended prefix length is 22 or less. Example: 10.0.0.0/22 or 10.0.0.0/21.

      • For 500 SSL connections, the recommended prefix length is 21 or less. Example: 10.0.0.0/21 or 10.0.0.0/20.

      • For 1,000 SSL connections, the recommended prefix length is 20 or less. Example: 10.0.0.0/20 or 10.0.0.0/19.

    Important
    • The prefix length of the client CIDR block must be 16 to 29 bits.

    • Ensure that the client CIDR block does not overlap with the Local Network, the VPC CIDR block, or any route CIDR blocks associated with the client.

    • Use private CIDR blocks such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or their subnets. If you must use a public IP address range, you must configure it as a user-defined CIDR block for the VPC to ensure proper routing. For more information, see VPC FAQ.

    • After you create the SSL server, the system automatically adds a route for the client CIDR block to the VPC's route table. Do not manually add this route, as it can cause disruptions to SSL-VPN traffic.
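    The local-network and client CIDR rules above, applied in code. This is an added example, not code from the page or from the VPN Gateway product: it uses only the Python standard library, encodes the excluded ranges, prefix-length limits and the four-addresses-per-connection rule quoted on this page, and generalizes the recommended-prefix table to any number of connections. The VPC, local networks and pool sizes in the `__main__` block are constructed sample inputs.

```python
import ipaddress
import math
from typing import List

ADDRESSES_PER_CONNECTION = 4  # the gateway carves one /30 out of the pool per client session

# Ranges this page lists as unusable for a client CIDR block.
UNSUPPORTED_CLIENT_RANGES = [
    ipaddress.ip_network("100.64.0.0/10"),   # 100.64.0.0 - 100.127.255.255
    ipaddress.ip_network("127.0.0.0/8"),     # 127.0.0.0 - 127.255.255.255
    ipaddress.ip_network("169.254.0.0/16"),  # 169.254.0.0 - 169.254.255.255
    ipaddress.ip_network("224.0.0.0/4"),     # 224.0.0.0 - 239.255.255.255
    ipaddress.ip_network("255.0.0.0/8"),     # 255.0.0.0 - 255.255.255.255
]
# The local-network exclusion list is the same minus 100.64.0.0/10.
UNSUPPORTED_LOCAL_RANGES = UNSUPPORTED_CLIENT_RANGES[1:]
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def max_connections(client_cidr: str) -> int:
    """Concurrent SSL connections a client CIDR block can serve (one /30 each)."""
    return ipaddress.ip_network(client_cidr).num_addresses // ADDRESSES_PER_CONNECTION


def min_prefix_length(connections: int) -> int:
    """Longest prefix (smallest pool) that still holds `connections` /30 subnets,
    clamped to the 16..29-bit range the console accepts. Reproduces the page's table."""
    if connections < 1:
        raise ValueError("connections must be >= 1")
    prefix = 32 - math.ceil(math.log2(connections * ADDRESSES_PER_CONNECTION))
    if prefix < 16:
        raise ValueError(f"{connections} connections need more than a /16 pool")
    return min(prefix, 29)


def validate_local_networks(local_networks: List[str]) -> List[str]:
    """Local-network rules: at most five blocks, /8 to /32, none in an excluded range."""
    problems = []
    if len(local_networks) > 5:
        problems.append(f"{len(local_networks)} local networks; the maximum is 5")
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if not 8 <= net.prefixlen <= 32:
            problems.append(f"{cidr}: prefix length must be 8 to 32")
        for bad in UNSUPPORTED_LOCAL_RANGES:
            if net.overlaps(bad):
                problems.append(f"{cidr}: overlaps unsupported range {bad}")
    return problems


def validate_client_cidr(client_cidr: str, local_networks: List[str],
                         vpc_cidr: str, required_connections: int) -> List[str]:
    """Client CIDR rules from this page; an empty list means the block is acceptable."""
    problems = []
    try:
        net = ipaddress.ip_network(client_cidr, strict=True)  # host bits must be zero
    except ValueError as exc:
        return [f"{client_cidr}: {exc}"]
    if not 16 <= net.prefixlen <= 29:
        problems.append(f"{client_cidr}: prefix length must be 16 to 29")
    for bad in UNSUPPORTED_CLIENT_RANGES:
        if net.overlaps(bad):
            problems.append(f"{client_cidr}: overlaps unsupported range {bad}")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{client_cidr}: not a private block; a public range needs a "
                        "user-defined VPC CIDR block for routing")
    for other in [vpc_cidr, *local_networks]:  # must not overlap the VPC or any local network
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{client_cidr}: overlaps {other}")
    capacity = max_connections(client_cidr)
    if capacity < required_connections:
        try:
            hint = f"; use /{min_prefix_length(required_connections)} or shorter"
        except ValueError:
            hint = "; exceeds what a /16 pool can serve"
        problems.append(f"{client_cidr}: fits {capacity} connections, "
                        f"{required_connections} required{hint}")
    return problems


if __name__ == "__main__":
    # Constructed sample: VPC 10.0.0.0/16, two local networks, 50 expected concurrent users.
    local_nets = ["10.0.0.0/16", "172.16.0.0/24"]
    print(validate_local_networks(local_nets))                                 # []
    print(validate_client_cidr("192.168.0.0/24", local_nets, "10.0.0.0/16", 50))  # []
    print(validate_client_cidr("10.0.1.0/24", local_nets, "10.0.0.0/16", 50))     # overlaps
    print(validate_client_cidr("192.168.0.0/27", local_nets, "10.0.0.0/16", 50))  # too small
```

Run the validator before clicking OK in the console: the overlap and capacity problems it reports are exactly the ones that otherwise surface only as a rejected panel or, worse, as clients that fail to connect once the pool is exhausted.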

    Advanced Configuration

    Protocol

    The protocol for the SSL-VPN connection. Valid values:

    • UDP

    • TCP (Default)

    Port

    The port used by the SSL server. The value must be an integer from 1 to 65535. The default value is 1194.

    Note

    The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, and 4500.

    Encryption Algorithm

    The encryption algorithm for the SSL-VPN connection.

    • If the client uses Tunnelblick or an OpenVPN client of version 2.4.0 or later, the encryption algorithm is dynamically negotiated. The negotiation prioritizes the most secure algorithm supported by both the server and client. The algorithm specified for the SSL server does not take effect.

    • If the client uses an OpenVPN client earlier than version 2.4.0, the client uses the algorithm specified for the SSL server. Supported algorithms include:

      • AES-128-CBC (Default)

      • AES-192-CBC

      • AES-256-CBC

      • none

        This option disables encryption: traffic inside the tunnel is sent in cleartext. Do not use it for production connections; it is only appropriate for testing on links where confidentiality is not required.

    Compressed

    Enable or disable data compression for the SSL-VPN connection. Valid values:

    • Yes

    • No (Default)

    Two-factor Authentication

    Enable or disable two-factor authentication. This feature is disabled by default.

    Two-factor authentication adds a second layer of security to SSL-VPN connections. It requires clients to pass two separate authentication checks: the default SSL client certificate authentication and a username/password authentication against an IDaaS EIAM instance. A client gains access only after it passes both checks, so a leaked or stolen client certificate alone is not enough to connect. This protects against unauthorized connections to the resources in your VPC. For a tutorial, see SSL-VPN two-factor authentication.

    After you enable this feature, you must select an IDaaS EIAM instance and an IDaaS application ID for authentication.

    The two-factor authentication process:

    1. The client initiates an SSL-VPN connection request.

    2. The VPN Gateway instance receives the request and performs SSL client certificate authentication. After verifying the certificate, the gateway prompts the client for a username and password.

    3. After you enter the username and password on the client, the VPN software sends the credentials to the VPN Gateway instance.

    4. The VPN Gateway instance receives the credentials and forwards them to IDaaS for authentication.

    5. IDaaS authenticates the username and password and returns the result to the VPN Gateway instance.

    6. Based on the result from IDaaS, the VPN Gateway instance either allows or denies the SSL-VPN connection.

    Note
    • When using the two-factor authentication feature for the first time, you must first grant the required permissions. For more information, see Authorization.

    • When you create an SSL server in the UAE (Dubai) region, bind it to an IDaaS EIAM 2.0 instance in the Singapore region to reduce cross-region latency.

    • IDaaS EIAM 1.0 instances are no longer available for purchase. If your Alibaba Cloud account has an IDaaS EIAM 1.0 instance, you can still bind it after you enable two-factor authentication.

      If your Alibaba Cloud account does not have an IDaaS EIAM 1.0 instance, you can bind only IDaaS EIAM 2.0 instances.

    • When you bind an IDaaS EIAM 2.0 instance, you may be required to upgrade your VPN Gateway instance. For more information, see [Notice] IDaaS EIAM 2.0 is now supported for SSL-VPN two-factor authentication.
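    The six-step flow above written out as the gateway's decision logic. This is an added example, not the VPN Gateway's code, and it does not talk to a real IDaaS instance: the IDaaS backend is a stand-in (a PBKDF2 password store with a constant-time comparison), the certificate check is a fingerprint allowlist of issued certificates, and the certificate bytes, user and password are constructed. It demonstrates the properties the page describes: the gateway prompts for credentials only after the certificate check passes, and an issued certificate without the matching password is refused.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


class MockIdaas:
    """Stand-in for the IDaaS EIAM instance (constructed for this example)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            self._derive(password, os.urandom(16))  # same cost whether or not the user exists
            return False
        salt, expected = record
        return hmac.compare_digest(self._derive(password, salt), expected)


@dataclass
class SslServer:
    """Gateway-side decision logic for one SSL-VPN connection attempt."""
    issued_fingerprints: Set[str]          # SHA-256 of every client certificate it issued
    idaas: Optional[MockIdaas] = None      # None: two-factor authentication disabled
    events: List[str] = field(default_factory=list)

    def connect(self, client_cert: bytes,
                credentials: Callable[[], Tuple[str, str]]) -> bool:
        fp = hashlib.sha256(client_cert).hexdigest()
        self.events.append("cert_check")                              # step 2
        if fp not in self.issued_fingerprints:
            self.events.append("deny:certificate")                    # never prompts
            return False
        if self.idaas is None:
            self.events.append("allow:certificate_only")
            return True
        self.events.append("prompt_credentials")                      # step 2
        username, password = credentials()                            # step 3
        self.events.append("forward_to_idaas")                        # step 4
        ok = self.idaas.authenticate(username, password)              # step 5
        self.events.append("allow:two_factor" if ok else "deny:idaas")  # step 6
        return ok


# Constructed stand-ins; a real gateway hashes the DER bytes of the issued certificate.
ISSUED_CERT = b"constructed stand-in for a client certificate issued by this SSL server"
FORGED_CERT = b"constructed stand-in for a certificate this SSL server never issued"
PASSWORD = "correct horse battery staple"


def run_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Four attempts that exercise every branch; returns (decision, event log) for each."""
    idaas = MockIdaas()
    idaas.add_user("alice", PASSWORD)
    issued = {hashlib.sha256(ISSUED_CERT).hexdigest()}
    cases = {
        "issued_cert_valid_password": (issued, idaas, ISSUED_CERT, ("alice", PASSWORD)),
        "issued_cert_wrong_password": (issued, idaas, ISSUED_CERT, ("alice", "hunter2")),
        "forged_cert":                (issued, idaas, FORGED_CERT, ("alice", PASSWORD)),
        "issued_cert_2fa_disabled":   (issued, None, ISSUED_CERT, ("alice", PASSWORD)),
    }
    results = {}
    for name, (fps, backend, cert, creds) in cases.items():
        server = SslServer(fps, backend)
        results[name] = (server.connect(cert, lambda c=creds: c), server.events)
    return results


if __name__ == "__main__":
    for name, (allowed, log) in run_scenarios().items():
        print(f"{name:28} allowed={allowed!s:5} {' -> '.join(log)}")
```

The event log is the part worth keeping in a real deployment: a `deny:certificate` before any `prompt_credentials` is what a forged or revoked certificate looks like, while repeated `deny:idaas` entries for one issued certificate point at a stolen certificate being used for password guessing.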

What to do next

After you create the SSL server, you must create and download an SSL client certificate. You then install this certificate on the client device to authenticate the client and encrypt data. For more information, see Create and manage an SSL client certificate.

Modify an SSL server

You can modify the configuration of an SSL server after its creation. Depending on the changes, you may need to download a new client certificate or re-establish the SSL-VPN connection.

Important
  • Modifying the Protocol, Compressed, or Two-factor Authentication settings in the Advanced Configuration section invalidates all associated SSL client certificates. You must create new client certificates, install them on your clients, and reconnect.

  • Modifying the Local Network or Client CIDR Block terminates all active SSL-VPN connections. Clients must re-establish their connections.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Network Interconnection > VPN > SSL Servers.

  3. In the top navigation bar, select the region of the SSL server.

  4. On the SSL Servers page, find the SSL server that you want to modify and click Edit in the Actions column.

  5. In the Modify SSL Server panel, change the settings as needed and click OK.

Delete an SSL server

You can delete an SSL server that you no longer need. Deleting an SSL server also deletes all associated SSL client certificates and immediately terminates any active client connections.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Network Interconnection > VPN > SSL Servers.

  3. In the top navigation bar, select the region of the SSL server.

  4. On the SSL Servers page, find the SSL server that you want to delete and click Delete in the Actions column.

  5. In the confirmation dialog box, read the information and click Delete.

Manage SSL servers with APIs

You can create, query, modify, and delete SSL servers by calling API operations using tools such as Alibaba Cloud SDK (recommended), Alibaba Cloud Command Line Interface (Alibaba Cloud CLI), Terraform, and Resource Orchestration Service (ROS). For more information, see the following API documentation: