Configure the VPN Gateway and Client on Alibaba Cloud

VPN Gateway

VPN Gateway is an Internet-based service that securely and reliably connects enterprise data centers, office networks, and Internet terminals to Alibaba Cloud VPCs through encrypted channels. VPN Gateway supports both IPsec-VPN connection and SSL-VPN connection.

Note Alibaba Cloud VPN Gateway provides services according to national policies and laws and does not provide the function of accessing the Internet.

Connect a remote client to a VPC

You can connect a client to a VPC through an SSL-VPN tunnel to meet the needs of remote working. With SSL-VPN connections, you can securely access a VPC through the Internet anytime, anywhere.

SSL-VPN connections support remote access from clients running the Windows, Linux, macOS, iOS, or Android operating system.

For more information, see Linux client remote connection, Windows client remote connection, and Mac client remote connection.

Note The IP address ranges of the clients cannot conflict with the IP address range of the VSwitch in the VPC.

Limits

The following table describes the maximum limits of different functions of VPN Gateway.

Item                                                               Limit                                  Can I adjust the limit?
The number of VPN Gateways per account                             30                                     Yes (open a ticket)
The number of SSL client certificates per account                  50                                     Yes (open a ticket)
The number of customer gateways in a region                        100                                    No
The number of IPsec-VPN connections per VPN Gateway                10                                     Yes (open a ticket)
The number of policy-based routes per VPN Gateway                  20                                     Yes (open a ticket)
The number of destination-based routes per VPN Gateway             20                                     Yes (open a ticket)
The number of SSL servers that can be associated with a VPN Gateway 1                                     No
SSL server ports                                                   The following ports are not allowed:   No
                                                                   22, 2222, 22222, 9000, 9001, 9002,
                                                                   7505, 80, 443, 53, 68, 123, 4510,
                                                                   4560, 500, 4500
The validity period of an SSL client certificate                   3 years                                No

Prerequisites

The following conditions must be met before you deploy a VPN Gateway:

  • The client and the VPC are not using the same private CIDR block.
  • The client is able to access the Internet.

Procedure

The following figure illustrates the workflow for connecting a client to a VPC by using the SSL-VPN function.
  1. Create a VPN Gateway

    Create a VPN Gateway and enable the SSL-VPN function.

  2. Create an SSL server

    Specify the IP address range of the SSL server and the IP address range used by the client.

  3. Create a client certificate

    Create the client certificate according to server configurations, and then download the client certificate and configurations.

  4. Configure the client

    Download and install client VPN software in the client, load the client certificate and configurations, and initiate the connection.

  5. Configure security groups

    Make sure that the security group rules of ECS instances in the VPC allow remote access.

Configure remote access from a Windows client

Prerequisites

Before deploying the VPN Gateway, make sure that the following conditions are met:

  • The IP address ranges of the VPC and the remote computer are not in conflict.
  • The client can access the Internet.

Step 1: Create a VPN Gateway

To create a VPN Gateway, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose VPN > VPN Gateways.
  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the purchase page, configure the VPN Gateway according to the following information and click Buy Now.
  5. Go back to the VPN Gateways page and select the Singapore region to view the created VPN Gateway. The initial status of a VPN Gateway is Preparing. It changes to Normal in about 2 minutes. When the status is Normal, the VPN Gateway is ready to use.

    Note It usually takes 1-5 minutes to create a VPN Gateway.

Step 2: Create an SSL server

Follow these steps to create an SSL server:

  1. In the left-side navigation pane, click VPN > SSL Servers.
  2. Select the target region.
  3. On the SSL Servers page, click Create SSL Server.
  4. On the Create SSL Server page, configure the SSL server according to the following information and click OK.
  • Name: Enter a name for the SSL server.
  • VPN Gateway: Select the created VPN Gateway.
  • Local Network: Enter the CIDR block of the network to be connected. Click Add Local Network to add multiple local networks. The local network can be the CIDR block of any VPC or VSwitch, or the CIDR block of the local network.
  • Client Subnet: Enter the IP addresses used by the client to connect to the server, in the form of a CIDR block.
  • Advanced Configuration: Use the default advanced configuration.
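Added example (not code from the Alibaba Cloud documentation) that checks a planned SSL server configuration against the two rules this page states: the client subnet must not conflict with any local network (the VPC or VSwitch CIDR block), and the server port must not be one of the ports the Limits table disallows. The function name and the sample CIDR blocks are assumptions constructed for illustration.

```python
import ipaddress

# Ports that the Limits table on this page says an SSL server may not use.
DISALLOWED_SSL_PORTS = {
    22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123,
    4510, 4560, 500, 4500,
}


def check_ssl_server_config(local_networks, client_subnet, port):
    """Return a list of problems found; an empty list means the plan is consistent.

    local_networks: CIDR strings for the VPC/VSwitch ranges the server exposes.
    client_subnet:  CIDR string handed out to SSL-VPN clients.
    port:           SSL server port.
    (Hypothetical helper, not part of the console or its API.)
    """
    problems = []
    try:
        # strict=True rejects values with host bits set, e.g. 192.168.1.5/24.
        client = ipaddress.ip_network(client_subnet, strict=True)
    except ValueError as exc:
        return [f"client subnet {client_subnet!r} is not a valid CIDR block: {exc}"]

    for cidr in local_networks:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"local network {cidr!r} is not a valid CIDR block: {exc}")
            continue
        # The client range must not overlap the VPC/VSwitch range (see the Note above).
        if net.overlaps(client):
            problems.append(f"client subnet {client} overlaps local network {net}")

    if not 1 <= port <= 65535:
        problems.append(f"port {port} is outside 1-65535")
    elif port in DISALLOWED_SSL_PORTS:
        problems.append(f"port {port} is reserved and cannot be used for the SSL server")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    plan = check_ssl_server_config(["192.168.0.0/16", "10.0.0.0/8"], "192.168.100.0/24", 443)
    for issue in plan:
        print("-", issue)
```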

Step 3: Create and download an SSL client certificate

  1. In the left-side navigation pane, click VPN > SSL Clients.
  2. Select the target region.
  3. On the SSL Clients page, click Create Client Certificate.
  4. On the Create Client Certificate page, enter a name, and then select the corresponding SSL server. Click OK.
  5. On the SSL Clients page, find the created SSL client certificate, and then click Download in the Actions column.

Step 4: Configure the Windows client

To configure a Windows client, follow these steps:

Notice You need to run the client as an administrator.

  1. Download and install the OpenVPN client.
  2. Click Import Config and import the downloaded client certificate and configuration.
  3. After the configuration is imported, click Connect.
  4. The client reports that the connection is established.

Step 5: Verify the connection

On the client, ping the private IP address of an ECS instance in the connected VPC network to verify the connection.