If your workloads are deployed in the cloud and you want to access resources in VPCs over encrypted connections, you can use SSL-VPN. In office automation scenarios, you can use a client to access internal office systems or file servers through SSL-VPN connections. This topic shows how to use a client to access an ECS instance through SSL-VPN.
This topic introduces how to configure Windows, Linux, Android, and macOS clients. If you use an iPhone as a client, refer to Connect an iOS device to a VPN gateway by using the built-in VPN software.
Scenarios
In the following figure, an ECS instance is deployed in a VPC. You want to connect a local client to the ECS instance through the VPC. To do this, you deploy a VPN gateway in the VPC of the ECS instance and connect the client to it over an SSL-VPN tunnel.
Before you start, you must complete subnetting. This example uses the following subnetting plan:
VPC:
Region: China (Hangzhou)
CIDR block: 10.0.0.0/16
vSwitch 1 in Zone J. CIDR block: 10.0.0.0/24
vSwitch 2 in Zone K. CIDR block: 10.0.1.0/24
ECS instance: 10.0.0.1. OS: Alibaba Cloud Linux 3.2104 LTS 64-bit
Client CIDR block: 192.168.0.0/16
After a connection is created, the VPN gateway assigns an IP address from the client CIDR block to the virtual NIC of the client.
Before you deploy the resources, make sure that the following conditions are met:
To ensure cross-zone high availability, the VPC must have vSwitches in at least two zones. If this condition is not met, create vSwitches.
The client CIDR block must not overlap with the CIDR blocks of the vSwitches (or any other network that clients need to reach) or with any route already installed on the local client device. An overlap leaves one side unreachable because the client cannot tell local traffic from tunnel traffic.
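The overlap rule above is easy to get wrong when the client device sits on a corporate LAN that already uses part of 192.168.0.0/16. The following script is an added example, not part of the original page or of Alibaba Cloud's tooling: it checks a planned client CIDR block against the VPC and vSwitch blocks from the plan above and against the IPv4 routes already installed on the client device (read with iproute2 on Linux or netstat on macOS). It assumes only that bash and awk are available; the CIDR values in the usage line are the ones from this topic.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check that a planned SSL-VPN
# client CIDR block overlaps neither the VPC and vSwitch blocks nor any route
# already installed on the local client device.
set -u

# ip2int 10.0.0.1 -> 167772161. Missing trailing octets (macOS netstat prints
# "192.168.1/24") count as zero.
ip2int() {
    local IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( (${1:-0} << 24) | (${2:-0} << 16) | (${3:-0} << 8) | ${4:-0} ))
}

# netmask 24 -> 4294967040 (0xFFFFFF00)
netmask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# cidr_overlap A B: succeed (exit 0) when the two blocks share at least one
# address. Two blocks overlap exactly when they agree on the shorter prefix.
# A bare address without "/len" is treated as a /32 host route.
cidr_overlap() {
    local a="${1%/*}" la="${1#*/}" b="${2%/*}" lb="${2#*/}" shorter mask
    [ "$la" = "$1" ] && la=32
    [ "$lb" = "$2" ] && lb=32
    shorter=$(( la < lb ? la : lb ))
    mask=$(netmask "$shorter")
    [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# check_plan CLIENT_CIDR BLOCK...: print a verdict per block and return the
# number of overlapping blocks (0 means the plan is usable).
check_plan() {
    local client="$1" block overlaps=0
    shift
    for block in "$@"; do
        if cidr_overlap "$client" "$block"; then
            echo "OVERLAP  $client  <->  $block"
            overlaps=$(( overlaps + 1 ))
        else
            echo "ok       $client  vs   $block"
        fi
    done
    return "$overlaps"
}

# local_routes: prefixes of the IPv4 routes on this device (Linux iproute2 or
# macOS netstat). The default route is skipped; every other prefix must not
# clash with the client CIDR block.
local_routes() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 route show | awk '$1 ~ /^[0-9.]+\// { print $1 }'
    else
        netstat -rn -f inet | awk '$1 ~ /^[0-9.]+\// { print $1 }'
    fi
}

# Usage: check_cidr.sh 192.168.0.0/16 10.0.0.0/16 10.0.0.0/24 10.0.1.0/24
# Exit status is the number of overlaps found. With no arguments only the
# functions are defined.
if [ "$#" -gt 0 ]; then
    check_plan "$@" && check_plan "$1" $(local_routes)
fi
```

Run it on the client device before you buy the gateway; a nonzero exit status means the client CIDR block must be changed (for example to a /24 that nothing on the LAN uses) or the clashing local route removed.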
Step 1: Configure a VPN gateway
Before you connect the client to the VPC, you must deploy the VPN gateway in the VPC.
Create a VPN gateway
Log on to the VPN Gateway console. On the VPN Gateways page, click Create VPN Gateway.
On the VPN Gateway page, configure the following parameters, keep the default settings for the others, then click Buy Now and complete the payment.
Name: Enter a name for the VPN gateway. In this example, VPN gateway 1 is entered.
Region: Select China (Hangzhou).
Gateway Type: Standard.
VPC: Select the VPC to which the client connects.
vSwitch 1: Select vSwitch 1.
vSwitch 2: Select vSwitch 2.
Maximum Bandwidth: Select 5 Mbit/s.
Traffic: By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
IPsec-VPN: Select Disable.
SSL-VPN: Select Enable.
SSL Connections: Select 5.
Duration: By default, the VPN gateway is billed on an hourly basis.
Service-linked Role: Click Create Service-linked Role. If Created is displayed, the service-linked role is created and you do not need to create it again.
Return to the VPN Gateway console. You can find that the VPN gateway is created.
The VPN gateway that you create in the previous step is in the Preparing state. After about 1 to 5 minutes, the VPN gateway enters the Normal state. The Normal state indicates that the VPN gateway is ready for use.
Create an SSL server
An SSL server defines which networks and resources clients may reach through the tunnel and the address pool from which connecting clients are assigned addresses.
In the left-side navigation pane, go to the SSL Server page. In the top navigation bar, select the China (Hangzhou) region. On the SSL Server page, click Create SSL Server. In the Create SSL Server panel, configure the following parameters, keep the default settings for the others, and click OK.
Name: Enter SSL Server 1.
VPN Gateway: Select VPN Gateway 1 that you created in the preceding step.
Local Network: Enter 10.0.0.0/16, which is the CIDR block of the VPC.
Client CIDR Block: Enter 192.168.0.0/16.
Note:
Local Network: the CIDR block that the client needs to access through SSL-VPN.
Client CIDR Block: the CIDR block from which the virtual NIC of the client is assigned an address. It is different from the private CIDR block of the client device and must not overlap with the Local Network.
Create an SSL client and download a certificate
SSL clients are used to manage client certificates. Each SSL client corresponds to one certificate, which is used to authenticate the client to the VPN gateway and to encrypt the tunnel. You first download the certificate package and then load it into the client software. The package contains the client's private key, so anyone who obtains it can connect as that client: transfer and store it securely, and create a separate SSL client for each user or device so that a single certificate can be removed without affecting the others.
In the left-side navigation pane, go to the SSL Client page. In the top navigation bar, select the China (Hangzhou) region. On the SSL Client page, click Create SSL Client. In the Create SSL Client panel, enter SSL Client 1 as the name, set SSL Server to SSL Server 1, and click OK.
On the SSL Client page, find the SSL client that you created and click Download Certificate in the Actions column.
Step 2: Configure the client
The configuration method varies based on the OS of the client.
Windows client
Download and install the OpenVPN client for Windows. If you fail to access the page, contact your account manager or Alibaba Cloud engineer.
Decompress the SSL client certificate package that you downloaded and copy all extracted files (config.ovpn and the certificate files that accompany it) to the OpenVPN\config directory. In this example, the files are copied to C:\Program Files\OpenVPN\config; use the config directory under the path where you installed the client.
Double-click the OpenVPN GUI icon on your desktop to launch the client. The VPN icon is displayed in the system tray in the lower-right corner. Right-click the VPN icon in the system tray and click Connect to create an SSL-VPN connection.
If State displays Connected and IP address is allocated, the connection is created.
Linux client
Run the following commands as root (or with sudo) to install OpenVPN and create the conf directory. On CentOS, the openvpn package is provided by the EPEL repository; enable EPEL first if yum cannot find the package.
CentOS
yum install -y openvpn
mkdir -p /etc/openvpn/conf
Ubuntu
apt-get update
apt-get install -y openvpn
mkdir -p /etc/openvpn/conf
Decompress the SSL client certificate package that you downloaded and copy all extracted files (config.ovpn and the certificate files that accompany it) to the /etc/openvpn/conf/ directory.
Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection in the background:
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
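Before launching OpenVPN (this applies equally to the macOS CLI steps later in this topic), it is worth checking the unzipped package: the config must name a remote gateway, every file it references must be present next to it, the private key must not be readable by other local users (it is the client's identity), and the client certificate must not have expired. The preflight script below is an added example, not from the original page or from Alibaba Cloud. It assumes the usual OpenVPN layout, a config.ovpn that references ca, cert and key files by relative path (inline <ca>...</ca> blocks are simply skipped), uses openssl for the expiry check only if it is installed, and should be run as the user who will start OpenVPN.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): preflight an unzipped SSL client
# certificate package before running "openvpn --config config.ovpn".
set -u

# referenced_files CONFIG: print "<directive> <file>" for every directive that
# loads a file from disk. Inline <ca>...</ca> style blocks reference no file
# and are skipped. CRLF endings (package edited on Windows) and quoted file
# names are tolerated.
referenced_files() {
    awk '{ sub(/\r$/, "") }
         $1 ~ /^(ca|cert|key|tls-auth|tls-crypt|tls-crypt-v2)$/ && NF >= 2 {
             gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# file_mode PATH -> octal permission bits; GNU stat (Linux) or BSD stat (macOS)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ovpn_preflight DIR [CONFIG]: print each problem found, return their count
# (0 means the package is ready to use).
ovpn_preflight() {
    local dir="$1" cfg="${2:-config.ovpn}" problems=0 directive f path
    if [ ! -r "$dir/$cfg" ]; then
        echo "missing or unreadable: $dir/$cfg"
        return 1
    fi
    # Without a gateway endpoint there is nothing to connect to.
    if ! grep -Eq '^remote[[:space:]]+[^[:space:]]+' "$dir/$cfg"; then
        echo "no 'remote' directive in $cfg"
        problems=$(( problems + 1 ))
    fi
    while read -r directive f; do
        [ -n "$f" ] || continue
        case "$f" in /*) path="$f" ;; *) path="$dir/$f" ;; esac
        if [ ! -r "$path" ]; then
            echo "missing: $path (referenced by '$directive')"
            problems=$(( problems + 1 ))
            continue
        fi
        case "$directive" in
            key|tls-auth|tls-crypt|tls-crypt-v2)
                # Secret material: only the owner may read it.
                case "$(file_mode "$path")" in
                    600|400) ;;
                    *) echo "insecure permissions on $path: $(file_mode "$path") (expected 600)"
                       problems=$(( problems + 1 )) ;;
                esac ;;
            cert)
                # An expired client certificate fails the TLS handshake; check
                # it now rather than in the OpenVPN log (only when openssl exists).
                if command -v openssl >/dev/null 2>&1 && \
                   ! openssl x509 -in "$path" -noout -checkend 0 >/dev/null 2>&1; then
                    echo "certificate expired or unparsable: $path"
                    problems=$(( problems + 1 ))
                fi ;;
        esac
    done <<EOF
$(referenced_files "$dir/$cfg")
EOF
    return "$problems"
}

# Usage: ovpn_preflight.sh /etc/openvpn/conf     (exit status = number of problems)
# With no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
    ovpn_preflight "$@"
fi
```

A clean run prints nothing and exits 0; otherwise each line names a file to copy or a permission to fix (chmod 600 on the key file) before you start the client.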
Android client
Download and install the OpenVPN client for Android. If you fail to access the page, contact your account manager or Alibaba Cloud engineer.
In this example, a client that runs Android 9.0 and an OpenVPN client of version 3.0.5 are used.
Transfer the SSL client certificate package to the Android client and decompress the package.
Note: If your Android client does not have an application to decompress the package, you can decompress the certificate package on your computer and then transfer the decompressed files to the client.
Make sure that the decompressed files belong to the same folder. The following figure provides an example.
Open the OpenVPN client, import the config.ovpn file, and then add an SSL-VPN connection:
1. Select OVPN Profile.
2. Find the config.ovpn file in the directory to which you extracted the package.
3. Tap IMPORT to import the config.ovpn file.
4. The app reads the config.ovpn file and displays the public IP address of the VPN gateway to connect to. Tap ADD to add the SSL-VPN connection.
Turn on the switch to establish the SSL-VPN connection.
macOS client (GUI)
Go to the Tunnelblick Releases page, find Tunnelblick 4.0.1 (build 5971), and download the .dmg file from the Assets panel. If you fail to access the page, contact your account manager or Alibaba Cloud engineer.
Install Tunnelblick:
1. Double-click the Tunnelblick installation package that you downloaded.
2. Double-click the Tunnelblick icon.
3. Select I have configuration files.
4. Click OK.
Decompress the SSL client certificate package, then drag and drop the config.ovpn file to the Configurations panel to create an SSL-VPN connection:
1. Double-click the Tunnelblick icon to open Tunnelblick.
2. Drag and drop the extracted config.ovpn file to the Configurations panel.
3. Select Only Me.
4. Click Connect.
macOS client (CLI)
Open Terminal. If Homebrew is not installed on your client, run the following command to install it:
Note: The Homebrew installation script contains sudo commands, so the system prompts you for the administrator password. When "Press RETURN/ENTER to continue..." is displayed, press Enter. The script is downloaded from GitHub and executed with your privileges; review it before you run it.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install OpenVPN.
brew install openvpn
Copy the SSL client certificate package that you downloaded to the configuration directory of the OpenVPN client. The paths below use /opt/homebrew, the Homebrew prefix on Apple silicon Macs; on Intel Macs the prefix is /usr/local, so adjust the paths accordingly.
Back up the /opt/homebrew/etc/openvpn directory:
cp -r /opt/homebrew/etc/openvpn /opt/homebrew/etc/openvpn_bak
Run the following command to delete the current configuration files of OpenVPN:
rm /opt/homebrew/etc/openvpn/*
Run the following command to copy the downloaded SSL client certificate package to the configuration directory of OpenVPN:
cp /path/to/certs.zip /opt/homebrew/etc/openvpn/
Note: /path/to/certs.zip is the path of the SSL client certificate package that you downloaded when you created the SSL client. In most cases, the package is located in your Downloads directory, for example /Users/example/Downloads/certs.zip.
Run the following commands to decompress the certificate package:
cd /opt/homebrew/etc/openvpn/
unzip /opt/homebrew/etc/openvpn/certs.zip
Select a mode.
Run in the foreground
Run the following command to launch a client process to create an SSL-VPN connection.
sudo /opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/config.ovpn
The command runs in the foreground. To close the connection, press Ctrl + C to terminate the command.
Run in the background
Run the following commands to run the VPN client process as a service in the background and start it automatically at boot. The Homebrew service reads /opt/homebrew/etc/openvpn/openvpn.conf, which is why config.ovpn is copied under that name first (run them in the /opt/homebrew/etc/openvpn/ directory).
cp config.ovpn openvpn.conf
sudo brew services start openvpn
To stop the process, run the following command.
sudo brew services stop openvpn
Step 3: Verify the connectivity
Before you start, make sure that the security group rules of the ECS instance allow ICMP messages. For more information, see View security group rules and Add a security group rule.
Ping the IP address of the ECS instance from the client.
ping 10.0.0.1
If the ping succeeds, the client is connected to the ECS instance.
FAQ
This section lists answers to some frequently asked questions. For more information, see FAQ about SSL-VPN connections.
Why does the client fail to create an SSL-VPN connection?
Make sure that the client is connected to the Internet.
Make sure that the certificate is loaded.
What do I do if the client is connected to the ECS instance but ping packets cannot reach the ECS instance?
Make sure that the security group of the ECS instance allows ICMP packets. For more information, see Query security group rules and Add security group rules.
What do I do if ping packets from the client can reach the ECS instance but the client cannot access the ECS port?
Make sure that a process on the ECS instance is listening on the service port, for example port 80.
Make sure that the OS firewall of the ECS instance allows the port. The following iptables rule allows inbound TCP traffic to port 80 (the -p option takes a protocol, so the port must be given with --dport):
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Make sure that the security group of the ECS instance opens the port. For more information, see Query security group rules and Add security group rules.
What do I do if ping packets from the client can reach the ECS instance but ping from the ECS instance to the client fails?
In most cases, the OS firewall of the client blocks ping packets. Set the firewall to allow ping packets.
How does a Linux or macOS client close an SSL-VPN connection?
Open the CLI and run the following command to find the OpenVPN process and note its process ID (the grep command itself also appears in the output and can be ignored):
ps aux | grep openvpn
Run the following command to stop the OpenVPN process. A plain kill sends SIGTERM, which lets OpenVPN remove the routes and the tun device it created; use kill -9 only if the process does not exit:
kill <PID>
How do I use OpenVPN to establish an SSL-VPN connection on a macOS client with M1 chip?
We recommend that you use the macOS client (GUI) method to create the connection.
How do I make OpenVPN start automatically when a Linux client boots?
Edit the /etc/rc.local file and add the startup commands to it. On systemd-based distributions, /etc/rc.local is only executed if the file exists, is executable, and starts with a shebang line such as #!/bin/sh; create the file with that first line if it does not exist.
# Open the /etc/rc.local file.
vim /etc/rc.local
# Press the I key to enter insert mode, and add the following commands to the file:
cd /etc/openvpn/conf/
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
# Press the Esc key to exit insert mode, then save and exit the file:
:wq
Grant execute permissions on the /etc/rc.local file:
chmod +x /etc/rc.local
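The rc.local approach works, but nothing restarts OpenVPN if it exits and its log goes nowhere useful. OpenVPN 2.4 and later packages on CentOS (EPEL) and Ubuntu ship a templated systemd unit, openvpn-client@.service, that runs /etc/openvpn/client/<name>.conf from that directory as its working directory, so relative ca/cert/key references in the config keep resolving. The script below is an added example, not from the original page or from Alibaba Cloud: it assumes the certificate package was unzipped to /etc/openvpn/conf as in the Linux steps above, chooses the instance name alicloud-sslvpn for this example, and uses the ECS instance 10.0.0.1 from this topic for the final connectivity check (its security group must allow ICMP, as Step 3 notes). Run it as root.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): run the SSL-VPN client under
# systemd's openvpn-client@.service instead of /etc/rc.local, so it is
# supervised, restarted on failure, and logged in the journal.
set -eu

SRC_DIR="${SRC_DIR:-/etc/openvpn/conf}"       # where the certificate package was unzipped
DEST_DIR="${DEST_DIR:-/etc/openvpn/client}"   # what openvpn-client@.service reads from
INSTANCE="${INSTANCE:-alicloud-sslvpn}"       # instance name chosen for this example

unit_name() {
    echo "openvpn-client@$INSTANCE.service"
}

# install_client_config: copy the unpacked package into DEST_DIR, renaming
# config.ovpn to <INSTANCE>.conf as the unit expects. Everything is made
# readable by root only, since the package carries the client's private key.
install_client_config() {
    local f
    install -d -m 0750 "$DEST_DIR"
    for f in "$SRC_DIR"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            config.ovpn) install -m 0600 "$f" "$DEST_DIR/$INSTANCE.conf" ;;
            *)           install -m 0600 "$f" "$DEST_DIR/" ;;
        esac
    done
}

# enable_service: start the tunnel now and on every boot. No --daemon is
# needed; systemd keeps the process in the foreground and journals its output.
enable_service() {
    systemctl enable --now "$(unit_name)"
    systemctl --no-pager status "$(unit_name)"
}

# verify_vpn [TARGET]: the unit is active, a tun device received an address
# from the client CIDR block, and the ECS instance answers ping.
verify_vpn() {
    local target="${1:-10.0.0.1}"
    systemctl is-active --quiet "$(unit_name)" || { echo "$(unit_name) is not active"; return 1; }
    ip -4 -o addr show | awk '$2 ~ /^tun/ { print "tunnel", $2, $4 }' | grep . \
        || { echo "no tun device has an address yet"; return 1; }
    ping -c 3 -W 2 "$target"
}

# Usage: sslvpn-service.sh install        (copy config, enable and start the unit)
#        sslvpn-service.sh verify [ip]    (check the tunnel and ping the ECS instance)
# With no arguments only the functions are defined.
case "${1:-}" in
    install) install_client_config && enable_service ;;
    verify)  verify_vpn "${2:-10.0.0.1}" ;;
    "")      ;;
    *)       echo "usage: $0 {install|verify [ip]}" >&2; exit 2 ;;
esac
```

After `install`, `journalctl -u openvpn-client@alicloud-sslvpn -f` shows the handshake and the address assignment, which is where to look when the FAQ's "client fails to create an SSL-VPN connection" case occurs; `systemctl disable --now openvpn-client@alicloud-sslvpn` removes the autostart again.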