VPN Gateway: Connect a client to a VPC by using SSL-VPN

Last Updated: Jan 14, 2025

If your business is deployed on the cloud and you want to access resources in VPCs over encrypted connections, you can use SSL-VPN. In office automation scenarios, for example, a client can access internal office automation systems or file servers over SSL-VPN connections. This topic describes how to use a client to access an ECS instance through SSL-VPN.

Note

This topic introduces how to configure Windows, Linux, Android, and macOS clients. If you use an iPhone as a client, refer to Connect an iOS device to a VPN gateway by using the built-in VPN software.

Scenarios

In the following figure, an ECS instance is deployed. You want to connect a local client to the ECS instance over the VPC. To do this, you can deploy a VPN gateway in the VPC of the ECS instance.


Before you start, you must complete subnetting. This example uses the following subnetting plan:

  • VPC:

    • Region: China (Hangzhou)

    • CIDR block: 10.0.0.0/16

    • vSwitch 1 in Zone J. CIDR block: 10.0.0.0/24

    • vSwitch 2 in Zone K. CIDR block: 10.0.1.0/24

    • ECS instance: 10.0.0.1. OS: Alibaba Cloud Linux 3.2104 LTS 64-bit

  • Client CIDR block: 192.168.0.0/16

    After a connection is created, the VPN gateway assigns an IP address from the client CIDR block to the virtual NIC of the client.

Important

To deploy resources on demand, make sure that the following conditions are met:

  • To ensure cross-zone high availability, the VPC must have vSwitches residing in at least two zones. If this condition is not met, create vSwitches.

  • The client CIDR block must not overlap with the vSwitch CIDR block or routes associated with the local client device.
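As an added check that is not part of this topic, the following Python script validates the subnetting plan above against these conditions: each vSwitch CIDR block lies inside the Local Network, and the client CIDR block overlaps neither the Local Network nor any route already configured on the client device. The VPC, vSwitch and client CIDR blocks are the ones used in this topic; the local routes are constructed sample values.

```python
import ipaddress

# CIDR blocks from the subnetting plan in this topic.
LOCAL_NETWORK = "10.0.0.0/16"                   # VPC CIDR block (SSL server Local Network)
VSWITCH_CIDRS = ["10.0.0.0/24", "10.0.1.0/24"]  # vSwitch 1 (Zone J), vSwitch 2 (Zone K)
CLIENT_CIDR = "192.168.0.0/16"                  # SSL server Client CIDR Block

# Constructed sample: routes already present on the local client device
# (what `ip route` or `route print` would list). 192.168.1.0/24 is a
# typical home or office LAN and deliberately collides with the client CIDR.
SAMPLE_LOCAL_ROUTES = ["192.168.1.0/24", "172.16.0.0/12"]


def check_plan(client_cidr, local_network, vswitch_cidrs, local_routes):
    """Return a list of conflicts; an empty list means the plan is valid."""
    client = ipaddress.ip_network(client_cidr, strict=False)
    local = ipaddress.ip_network(local_network, strict=False)
    problems = []
    # Each vSwitch must lie inside the Local Network advertised to clients.
    for vs in vswitch_cidrs:
        vs_net = ipaddress.ip_network(vs, strict=False)
        if not vs_net.subnet_of(local):
            problems.append(f"vSwitch {vs_net} is not inside Local Network {local}")
    # The client CIDR must not overlap the Local Network (and thus no vSwitch).
    if client.overlaps(local):
        problems.append(f"Client CIDR {client} overlaps Local Network {local}")
    # ... nor any route already configured on the client device.
    for route in local_routes:
        route_net = ipaddress.ip_network(route, strict=False)
        if client.overlaps(route_net):
            problems.append(f"Client CIDR {client} overlaps local route {route_net}")
    return problems


if __name__ == "__main__":
    for routes in ([], SAMPLE_LOCAL_ROUTES):
        result = check_plan(CLIENT_CIDR, LOCAL_NETWORK, VSWITCH_CIDRS, routes)
        print("local routes:", routes, "->", result or "OK")
```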

Step 1: Configure a VPN gateway

Before you connect the client to the VPC, you must deploy the VPN gateway in the VPC.

Create a VPN gateway

  1. Log on to the VPN Gateway console. On the VPN Gateways page, click Create VPN Gateway.


  2. On the VPN Gateway page, configure the following parameters, keep the default settings for the other parameters, click Buy Now, and complete the payment.

    Name: Enter a name for the VPN gateway. In this example, VPN gateway 1 is entered.

    Region: Select China (Hangzhou).

    Gateway Type: Standard.

    VPC: Select the VPC to which the client connects.

    vSwitch 1: Select vSwitch 1.

    vSwitch 2: Select vSwitch 2.

    Maximum Bandwidth: Select 5 Mbit/s.

    Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.

    IPsec-VPN: Select Disable.

    SSL-VPN: Select Enable.

    SSL Connections: Select 5.

    Duration: By default, the VPN gateway is billed on an hourly basis.

    Service-linked Role: Click Create Service-linked Role. If Created is displayed, the service-linked role is created and you do not need to create it again.

  3. Return to the VPN Gateway console. The new VPN gateway is displayed in the list.

    The VPN gateway that you created in the previous step is in the Preparing state. After about 1 to 5 minutes, it enters the Normal state, which indicates that the VPN gateway is ready for use.

Create an SSL server

An SSL server specifies which networks and resources clients are allowed to access.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers. In the top navigation bar, select the China (Hangzhou) region. On the SSL Server page, click Create SSL Server.

  2. In the Create SSL Server panel, configure the following parameters and keep the default settings for other parameters, and click OK.

    Name: Enter SSL Server 1.

    VPN Gateway: Select VPN Gateway 1 that you created in the preceding step.

    Local Network: Enter 10.0.0.0/16, which is the CIDR block of the VPC.

    Client CIDR Block: Enter 192.168.0.0/16.

    Note

    Local Network: the CIDR block that the client needs to access through SSL-VPN.

    Client CIDR Block: the CIDR block assigned to the virtual NIC of the client. It differs from the private CIDR block of the client. It must not overlap with the local CIDR block.


Create an SSL client and download a certificate

SSL clients are used to manage client certificates. Each client corresponds to one certificate. The certificates are used to verify the identities of clients and encrypt data. You need to first download a certificate and load the certificate to the client.

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients. In the top navigation bar, select the China (Hangzhou) region. On the SSL Client page, click Create SSL Client.


  2. In the Create SSL Client panel, enter SSL Client 1 as the name, set SSL Server to SSL Server 1, and click OK.


  3. On the SSL Client page, find the SSL client that you created and click Download Certificate in the Actions column.


Step 2: Configure the client

The configuration method varies based on the OS of the client.

Windows client

  1. Download and install the OpenVPN client for Windows. If you cannot access the download page, contact your account manager or Alibaba Cloud engineer.

  2. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.

    In this example, the certificate is copied to C:\Program Files\OpenVPN\config. You must copy the certificate to the directory where the client is installed.

  3. Double-click the OpenVPN GUI icon on your desktop to launch the client. The VPN icon is displayed in the lower-right system tray. Right-click the VPN icon in the system tray and click Connect to create an SSL-VPN connection.

  4. If State shows Connected and an IP address has been assigned, the connection is established.

Linux client

  1. Run the following command to install OpenVPN and create the conf directory.

    CentOS:

    yum install -y openvpn
    mkdir -p /etc/openvpn/conf

    Ubuntu:

    apt-get update
    apt-get install -y openvpn
    mkdir -p /etc/openvpn/conf

  2. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the /etc/openvpn/conf/ directory.

  3. Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection:

    openvpn --config /etc/openvpn/conf/config.ovpn --daemon

Android client

  1. Download and install the OpenVPN client for Android. If you cannot access the download page, contact your account manager or Alibaba Cloud engineer.

    In this example, a client that runs Android 9.0 and an OpenVPN client of version 3.0.5 are used.

  2. Transfer the SSL client certificate package to the Android client and decompress the package.

    Note
    • If your Android client does not have an application to decompress the package, you can decompress the certificate on your computer and then transfer the decompressed files to the client.

    • Make sure that the decompressed files belong to the same folder. The following figure provides an example.

    Figure: File save location

  3. Open the OpenVPN client, import the config.ovpn file, and then add an SSL-VPN connection.

    Figure: Import the config file

    1. Select OVPN Profile.

    2. Find the config.ovpn file in the directory.

    3. Click IMPORT to import the config.ovpn file.

    4. The system reads information from the config.ovpn file and displays the public IP address of the VPN gateway to be connected. Click ADD to add an SSL-VPN connection.

  4. Turn on the switch to establish an SSL-VPN connection.

    Figure: Turn on OpenVPN

macOS client (GUI)

  1. Go to the Tunnelblick Releases page, find Tunnelblick 4.0.1 (build 5971), and download the .dmg file in the Assets panel. If you cannot access the page, contact your account manager or Alibaba Cloud engineer.

  2. Install Tunnelblick.

    1. Double-click the Tunnelblick installation package that you downloaded.

    2. Double-click the Tunnelblick icon.

    3. Select I have configuration files.

    4. Click OK.

  3. Decompress the SSL client certificate package. Drag and drop the config.ovpn file to the Configurations panel to create an SSL-VPN connection.

    1. Double-click the Tunnelblick icon to open Tunnelblick.

    2. Drag and drop the extracted config.ovpn file to the Configurations panel.

    3. Select Only Me.

    4. Click Connect.

macOS client (CLI)

  1. Open the Terminal prompt. If Homebrew is not installed on your client, run the following command to install Homebrew:

    Note

    The Homebrew installation script contains sudo commands, so the system prompts you for the administrator password. When the prompt "Press RETURN/ENTER to continue..." appears, press Enter.

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

  2. Install OpenVPN.

    brew install openvpn

  3. Copy the SSL client certificate package that you downloaded to the configuration directory of the OpenVPN client.

    1. Back up the /opt/homebrew/etc/openvpn directory.

      cp -r /opt/homebrew/etc/openvpn /opt/homebrew/etc/openvpn_bak
    2. Run the following command to delete the current configuration files of OpenVPN:

      rm /opt/homebrew/etc/openvpn/*
    3. Run the following command to copy the downloaded SSL client certificate package to the configuration directory of OpenVPN:

      cp /path/to/certs.zip /opt/homebrew/etc/openvpn/
      Note

      /path/to/certs.zip is the path of the SSL client certificate package that you downloaded when you created the SSL client. In most cases, the package is located in the user's Downloads directory, such as /Users/example/Downloads/certs.zip.

  4. Run the following commands to decompress the certificate package:

    cd /opt/homebrew/etc/openvpn/
    unzip /opt/homebrew/etc/openvpn/certs.zip
  5. Select a mode.

    Run in the foreground

    Run the following command to launch a client process to create an SSL-VPN connection.

    sudo /opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/config.ovpn

    The command runs in the foreground. To close the connection, press Ctrl + C to terminate the command.

    Run in the background

    Run the following commands to run the VPN client process as a service in the background and start it automatically at system startup.

    cp config.ovpn openvpn.conf
    sudo brew services start openvpn

    To stop the process, run the following command.

    sudo brew services stop openvpn

Step 3: Verify the connectivity

Important

Before you start, make sure that the security group rules of the ECS instance allow ICMP messages. For more information, see View security group rules and Add a security group rule.

Ping the IP address of the ECS instance from the client.

ping 10.0.0.1

If the ping succeeds, the client is connected to the ECS instance.

If the client runs Android, perform the following steps to verify the connectivity:

  1. Install NGINX on the ECS instance. In this example, Alibaba Cloud Linux 3.2104 LTS 64-bit is installed.

    yum install -y nginx
    systemctl start nginx.service
  2. Open TCP port 80 in the security group of the ECS instance. For more information, see View security group rules and Add a security group rule.

  3. Access the private IP address 10.0.0.1 of the ECS instance from a browser. If the access is successful, the client is connected to the ECS instance.


FAQ

This section lists answers to some frequently asked questions. For more information, see FAQ about SSL-VPN connections.

Why does the client fail to create an SSL-VPN connection?

  1. Make sure that the client is connected to the Internet.

  2. Make sure that the certificate is loaded.
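Added example (not Alibaba Cloud's code): a Python check that confirms, before you connect, that config.ovpn names a remote gateway and that the CA certificate, client certificate and client key are present, either inline in the profile or as files next to it. The sample package and the gateway address 203.0.113.10 are constructed; the layout of the real certificate package may differ.

```python
import os
import re
import tempfile

REQUIRED = ("ca", "cert", "key")  # CA cert, client cert, client private key
INLINE_RE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)


def check_profile(path):
    """Inspect an OpenVPN profile. Returns a dict with 'remote' (the VPN
    gateway address or None) and, for ca/cert/key, 'inline' when the PEM is
    embedded, 'file' when a referenced file exists beside the profile, or
    None when the material is missing."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    base = os.path.dirname(os.path.abspath(path))
    result = {"remote": None, **{name: None for name in REQUIRED}}
    for m in INLINE_RE.finditer(text):
        if m.group(2).strip():
            result[m.group(1)] = "inline"
    # Parse plain directives with the inline blocks removed so that PEM
    # lines are never mistaken for directives.
    for line in INLINE_RE.sub("", text).splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "remote" and len(parts) >= 2:
            result["remote"] = parts[1]
        elif parts[0] in REQUIRED and len(parts) >= 2 and result[parts[0]] is None:
            # The decompressed package must stay in one folder, so the
            # referenced file is looked up next to config.ovpn.
            if os.path.isfile(os.path.join(base, parts[1])):
                result[parts[0]] = "file"
    return result


def missing(result):
    """Names of the certificate items the client could not load."""
    return [name for name in REQUIRED if result[name] is None]


def demo():
    """Constructed package: config.ovpn plus ca.crt and client.crt, with
    client.key deliberately left out to show how the check reports it."""
    folder = tempfile.mkdtemp()
    for name in ("ca.crt", "client.crt"):
        with open(os.path.join(folder, name), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n")
    profile = os.path.join(folder, "config.ovpn")
    with open(profile, "w") as fh:
        fh.write("client\nremote 203.0.113.10 1194\n"  # constructed gateway address
                 "ca ca.crt\ncert client.crt\nkey client.key\n")
    return check_profile(profile)
```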

What do I do if the client is connected to the ECS instance but ping packets cannot reach the ECS instance?

Make sure that the security group of the ECS instance allows ICMP packets. For more information, see Query security group rules and Add security group rules.

What do I do if ping packets from the client can reach the ECS instance but the client cannot access the ECS port?

  1. Make sure that a service is listening on the ECS service port. Take port 80 in Linux as an example.

  2. Make sure that the OS firewall of the ECS instance allows traffic on the port. Take TCP port 80 in iptables as an example (-p specifies the protocol and --dport the destination port):

    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  3. Make sure that the security group of the ECS instance opens the port. For more information, see Query security group rules and Add security group rules.

What do I do if ping packets from the client can reach the ECS instance but ping from the ECS instance to the client fails?

In most cases, the OS firewall of the client blocks ping packets. Set the firewall to allow ping packets.

How does a Linux or macOS client close an SSL-VPN connection?

  1. Open the CLI and run the following command to search for the OpenVPN process and record the process ID:

    ps aux | grep openvpn
  2. Run the following command to stop the OpenVPN process:

    kill -9 <process ID>

How do I use OpenVPN to establish an SSL-VPN connection on a macOS client with M1 chip?

We recommend that you use the macOS client (GUI) method to create the connection.

How do I make the OpenVPN process start automatically when a Linux client starts, after I have used OpenVPN to establish an SSL-VPN connection on the client?

  1. Edit the /etc/rc.local file and add commands to the file.

    # Open the /etc/rc.local file.
    vim /etc/rc.local
    # Press the i key to enter insert mode and add the following commands to the file:
    cd /etc/openvpn/conf/
    openvpn --config /etc/openvpn/conf/config.ovpn --daemon
    # Press the Esc key to exit insert mode, then run the following command to save the file and quit:
    :wq
  2. Grant execution permissions on the /etc/rc.local file.

    chmod +x /etc/rc.local