Connect a client to a VPC by using SSL-VPN - VPN Gateway

This topic describes how to use SSL-VPN to connect a client that runs Linux, macOS, Windows, or Android to a virtual private cloud (VPC). This way, the client can access resources in the VPC.

Background information

The following figure provides an example on how to use SSL-VPN to connect a client that runs Linux, macOS, Windows, or Android to a VPC. 客户端远程接入VPC

Prerequisites

An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create an Alibaba Cloud account.
The private CIDR block of the client does not overlap with the private CIDR block of the VPC.
The client can access the Internet.
You have learned about the security group rules that apply to the Elastic Compute Service (ECS) instances in the VPC. Make sure that the security group rules allow the client to access the ECS instances. For more information, see View security group rules and Add a security group rule.

Procedure

客户端连接VPC流程图

Step 1: Create a VPN gateway

Log on to the VPN gateway console.
On the VPN Gateways page, click Create VPN Gateway.

On the VPN Gateway page, set the following parameters, click Buy Now, and then complete the payment.

Parameter	Description
Instance Name	The name of the VPN gateway.
Resource Group	The resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. You can manage resources in a resource group in the Resource Management console. For more information, see What is Resource Management?
Region and Zone	The region in which you want to create the VPN gateway. Note Make sure that the VPN gateway and the VPC reside in the same region.
Gateway Type	The type of the VPN gateway. In this example, Standard is selected.
Network Type	The network type of the VPN gateway. In this example, Public is selected.
Tunnels	The tunnel mode of the VPN gateway. The system displays the tunnel modes that are supported in this region.
VPC	The VPC to be connected.
vSwitch	The vSwitch with which you want to associate the VPN gateway in the associated VPC. If you select Single-tunnel, you need to specify only one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. Note By default, the system selects a vSwitch. You can change or use the default vSwitch. After you create a VPN gateway, you cannot change the vSwitch that is associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
vSwitch 2	The second vSwitch with which you want to associate the VPN gateway in the associated VPC. Ignore this parameter if you select Single-tunnel for the Tunnels parameter.
Peak Bandwidth	The maximum bandwidth of the VPN gateway. Unit: Mbit/s.
Traffic	By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
IPsec-VPN	Specifies whether to enable the IPsec-VPN feature for the VPN gateway. In this example, Disable is selected.
SSL-VPN	Specifies whether to enable the SSL-VPN feature for the VPN gateway. In this example, Enable is selected.
SSL Connections	The number of clients to be connected. Note The SSL Connections parameter is available only after you enable the SSL-VPN feature.
Subscription Duration	By default, the VPN gateway is billed on an hourly basis.
Service-linked Role	The service-linked role of VPN Gateway. Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is created and you do not need to create it again.

Return to the VPN Gateways page to view the VPN gateway that you created.
The VPN gateway that you create in the previous step is in the Preparing state. After about 1 to 5 minutes, the VPN gateway enters the Normal state. The Normal state indicates that the VPN gateway is ready for use.

Step 2: Create an SSL server

In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.
In the top navigation bar, select the region in which you want to create an SSL server.
Note
Make sure that the SSL server and the VPN gateway that you created reside in the same region.
On the SSL Server page, click Create SSL Server.
In the Create SSL Server panel, set the following parameters for the SSL server, and click OK.
- Name: The name of the SSL server.
- Resource Group: The resource group to which the VPN gateway belongs. By default, the resource group to which the SSL server belongs is the same as the resource group to which the VPN gateway belongs.
- VPN Gateway: The VPN gateway that you want to associate with the SSL server.
- Local Network: The CIDR block of the VPC to which you want to connect.
  You can click Add Local Network to add more CIDR blocks. You can add the CIDR block of a VPC, a vSwitch, or an on-premises network.
- Client CIDR Block: The CIDR block that your client uses to connect to the SSL server.
  Important
  The subnet mask of the client CIDR block must be 16 to 29 bits in length.
  Make sure that the local CIDR block and the client CIDR block do not overlap with each other.
  We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. This way, the VPC can access the public CIDR block. For more information, see the What is a user CIDR block? and How do I configure a user CIDR block? sections of the "FAQ" topic.
  After you create an SSL server, the system automatically adds routes that point to the client CIDR block to the VPC route table. Do not add routes that point to the client CIDR block to the VPC route table again. Otherwise, SSL-VPN connections cannot work as expected.
- Advanced Configuration: The default settings are used in this example.
For more information, see Create and manage an SSL server.

Step 3: Create and download an SSL client certificate

In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.
On the SSL Client page, click Create SSL Client.
In the Create SSL Client panel, enter the name of the SSL client certificate, select the resource group to which the SSL server belongs and the SSL server with which you want to associate the SSL client certificate, and then click OK.
On the SSL Client page, find the SSL client certificate that you create and click Download in the Actions column.

Step 4: Configure the client

The following section describes how to configure a client that runs Linux, Windows, macOS, or Android.

Configure a client that runs Linux

Open the CLI.

Run the following command to install OpenVPN:

# Run the following command to install OpenVPN on CentOS:
yum install -y openvpn
# Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. 
cd /etc/openvpn # Go to the openvpn/ directory.
ls              # Check whether the conf/ directory is created in the openvpn/ directory.
mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory. 

# Run the following command to install OpenVPN on Ubuntu:
apt-get update
apt-get install -y openvpn
# Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. 
cd /etc/openvpn # Go to the openvpn/ directory.
ls              # Check whether the conf/ directory is created in the openvpn/ directory.
mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory.

Decompress the SSL client certificate package that you download and copy the SSL client certificate to the /etc/openvpn/conf/ directory.
Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection:
```
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
```

Configure a client that runs Windows

Download and install the OpenVPN client for Windows.
Decompress the SSL client certificate package that you download and copy the SSL client certificate to the OpenVPN\config directory.
In this example, the certificate is copied to the C:\Program Files\OpenVPN\config directory. You must copy the certificate to the directory in which the OpenVPN client is installed.
Start the OpenVPN client and click Connect to establish a connection.

Use Tunnelblick to configure a client that runs macOS

The following section describes how to use Tunnelblick to establish an SSL-VPN connection between a client that runs macOS and a VPN gateway.

Download Tunnelblick.
You can download a version of Tunnelblick based on your business requirements. We recommend that you use an official version, such as 3.8.8b, 3.8.8a, or 3.8.6a. We recommend that you download Tunnelblick in DMG format, which can be directly installed and used.
In this example, Tunnelblick 3.8.6a is used.
Install Tunnelblick.
No.
Operation
1
Double-click the installation package that you download.
2
Double-click the Tunnelblick icon.
3
Select I have configuration files.
4
Click OK.
Decompress the SSL client certificate package that you download in Step 3.
Upload the config.ovpn file to Tunnelblick to establish an SSL-VPN connection.
No.
Operation
1
Double-click the Tunnelblick icon to open Tunnelblick.
2
Drag the config.ovpn file to the Configurations folder.
3
Select Only Me.
4
Click Connect.

Use OpenVPN to configure a client that runs macOS

The following section describes how to use OpenVPN to establish an SSL-VPN connection between a client that runs macOS and a VPN gateway.

Open the CLI.

If Homebrew is not installed on your client, run the following command to install Homebrew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Run the following command to install OpenVPN:
```
brew install openvpn
```
Copy the SSL client certificate package that you download in Step 3 to the configuration directory of the OpenVPN client and decompress the package.
1. Back up all configuration files in the /usr/local/etc/openvpn folder.
2. Run the following command to delete the configuration files of OpenVPN:
```
rm /usr/local/etc/openvpn/*
```
3. Run the following command to copy the download SSL client certificate package to the configuration directory of OpenVPN:
```
cp cert_location /usr/local/etc/openvpn/
```
  In the preceding command, replace cert_location with the directory to which the SSL client certificate package is downloaded in Step 3. Example: /Users/example/Downloads/certs6.zip.

Run the following commands to extract the certificate:

cd  /usr/local/etc/openvpn/
unzip /usr/local/etc/openvpn/certs6.zip

Run the following command to establish a VPN connection:

sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn

Configure a client that runs Android

Download and install the OpenVPN client for Android.
In this example, a client that runs Android 9.0 and an OpenVPN client of version 3.0.5 are used.
Transfer the SSL client certificate package that you download in Step 3 to the client that runs Android and decompress the package.
Note
- If your client that runs Android does not have an application to decompress the package, you can decompress the certificate on your computer and then transfer the decompressed files to the client.
- Make sure that the decompressed files belong to the same folder. The following figure provides an example.

Open the OpenVPN client, import the config.ovpn file, and then add an SSL-VPN connection.

导入config文件

No.	Operation
1	Select OVPN Profile.
2	Find the `config.ovpn` file in the storage directory.
3	Click IMPORT to import the `config.ovpn` file.
4	The system reads information from the `config.ovpn` file and displays the public IP address of the VPN gateway to be connected. Click ADD to add an SSL-VPN connection.

Turn on the switch to establish an SSL-VPN connection.

Step 5: Test network connectivity

To test the network connectivity, attempt to access an ECS instance in the VPC from a client.

FAQ

How do I close an SSL-VPN connection after I use OpenVPN to establish the connection on a client that runs macOS?

Open the CLI on the client that runs macOS.
Run the following command to search for the OpenVPN process and record the process ID:
```
ps aux | grep openvpn
```
Run the following command to stop the OpenVPN process:
```
kill -9 <Process number>
```

How do I use OpenVPN to establish an SSL-VPN connection on a client that runs macOS with M1 chip?

If you use a client that runs macOS with M1 chip, we recommend that you use Tunnelblick to establish an SSL-VPN connection. For more information, see the Use Tunnelblick to configure a client that runs macOS section of this topic.

How do I enable the OpenVPN process to automatically start on a client that runs Linux when the client starts after I use OpenVPN to establish an SSL-VPN connection on the client?

After you use OpenVPN to establish an SSL-VPN connection on the client that runs Linux, perform the following operations to enable the OpenVPN process to automatically start when the client starts:

Edit the /etc/rc.local file and add commands to the file.

# Open the /etc/rc.local file.
vim /etc/rc.local 
# Press the I key to enter the insert mode, and add the following commands to the /etc/rc.local file:
cd /etc/openvpn/conf/
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
# Press the ESC key to exit the insert mode, and run the following command to save and exit the file:
:wq

Grant execution permissions on the /etc/rc.local file.
```
chmod +x /etc/rc.local
```

No.	Operation
1	Double-click the installation package that you download.
2	Double-click the Tunnelblick icon.
3	Select I have configuration files.
4	Click OK.

No.	Operation
1	Double-click the Tunnelblick icon to open Tunnelblick.
2	Drag the `config.ovpn` file to the Configurations folder.
3	Select Only Me.
4	Click Connect.