VPN Gateway:Create and manage an SSL server

Last Updated:Jun 28, 2024

This topic describes how to create and manage an SSL server. An SSL server defines which local networks and resources SSL clients are allowed to reach, the address pool from which connecting clients are assigned tunnel IP addresses, and the protocol, port, cipher, and authentication settings of the connection. Before you can use the SSL-VPN feature, you must create an SSL server.

Prerequisites

A VPN gateway is created, and the SSL-VPN feature is enabled for the VPN gateway. For more information, see Create and manage a VPN gateway.

If you disabled the SSL-VPN feature when you created the VPN gateway, you can enable it afterward. For more information, see Enable SSL-VPN.

Create an SSL server

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.

  3. In the top navigation bar, select the region in which the SSL server resides.

  4. On the SSL Servers page, click Create SSL Server.

  5. In the Create SSL Server panel, configure the parameters that are described in the following table and click OK.

    Parameter

    Description

    Name

    The name of the SSL server.

    Resource Group

    The resource group to which the VPN gateway belongs.

    The resource group to which the SSL server belongs must be the same as the resource group to which the VPN gateway belongs.

    VPN Gateway

    The VPN gateway that you want to associate with the SSL server.

    Make sure that the SSL-VPN feature is enabled for the VPN gateway.

    Local Network

    The local CIDR block that your client needs to access by using the SSL-VPN connection.

    The CIDR block can be the CIDR block of a virtual private cloud (VPC), a vSwitch, a cloud service such as Object Storage Service (OSS) or ApsaraDB RDS, or a data center that is connected to a VPC over an Express Connect circuit.

    You can click Add Local Network to add up to five local CIDR blocks. You cannot specify the following CIDR blocks as the local CIDR blocks:

    • 100.64.0.0~100.127.255.255 (100.64.0.0/10)

    • 127.0.0.0~127.255.255.255 (127.0.0.0/8)

    • 169.254.0.0~169.254.255.255 (169.254.0.0/16)

    • 224.0.0.0~239.255.255.255 (224.0.0.0/4)

    • 255.0.0.0~255.255.255.255 (255.0.0.0/8)

    Note

    The subnet mask of the specified local CIDR block must be 8 to 32 bits in length.

    Client CIDR Block

    The CIDR block from which an IP address is assigned to the virtual network interface controller (NIC) of the client. Do not enter the CIDR block of the network that the client is already on. When a client connects to the SSL server over an SSL-VPN connection, the VPN gateway assigns it an IP address from the specified client CIDR block, and the client uses that address to access cloud resources.

    Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway.

    • Reason

      For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a subnet with a 30-bit mask, such as 192.168.0.4/30, out of 192.168.0.0/24. A /30 contains four IP addresses: one is assigned to the client and the other three are used to maintain the point-to-point link. Each connected client therefore consumes four IP addresses. To ensure that every client can be assigned an address, the number of IP addresses in the client CIDR block must be at least four times the maximum number of SSL-VPN connections supported by the VPN gateway with which the SSL server is associated.

    • Unsupported CIDR blocks

      • 100.64.0.0~100.127.255.255 (100.64.0.0/10)

      • 127.0.0.0~127.255.255.255 (127.0.0.0/8)

      • 169.254.0.0~169.254.255.255 (169.254.0.0/16)

      • 224.0.0.0~239.255.255.255 (224.0.0.0/4)

      • 255.0.0.0~255.255.255.255 (255.0.0.0/8)

    • Recommended client CIDR blocks for different numbers of SSL-VPN connections (the mask is the longest that still provides four addresses per connection; a shorter mask, that is, a larger block, is always acceptable)

      • 5 connections: mask of at most 27 bits. Examples: 10.0.0.0/27 and 10.0.0.0/26.

      • 10 connections: mask of at most 26 bits. Examples: 10.0.0.0/26 and 10.0.0.0/25.

      • 20 connections: mask of at most 25 bits. Examples: 10.0.0.0/25 and 10.0.0.0/24.

      • 50 connections: mask of at most 24 bits. Examples: 10.0.0.0/24 and 10.0.0.0/23.

      • 100 connections: mask of at most 23 bits. Examples: 10.0.0.0/23 and 10.0.0.0/22.

      • 200 connections: mask of at most 22 bits. Examples: 10.0.0.0/22 and 10.0.0.0/21.

      • 500 connections: mask of at most 21 bits. Examples: 10.0.0.0/21 and 10.0.0.0/20.

      • 1,000 connections: mask of at most 20 bits. Examples: 10.0.0.0/20 and 10.0.0.0/19.

    Important
    • The subnet mask of the client CIDR block must be 16 to 29 bits in length.

    • Make sure that the local CIDR block and the client CIDR block do not overlap with each other.

    • We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. This way, the VPC can access the public CIDR block. For more information, see the What is a user CIDR block? and How do I configure a user CIDR block? sections of the "FAQ" topic.

    • After you create an SSL server, the system automatically adds routes that point to the client CIDR block to the VPC route table. Do not add routes that point to the client CIDR block to the VPC route table again. Otherwise, SSL-VPN connections cannot work as expected.

    Advanced Configuration

    Protocol

    The protocol that is used by the SSL-VPN connection. Default value: TCP(Recommended). Valid values:

    • UDP

    • TCP(Recommended)

    Port

    The port that is used by the SSL server. Valid values are in the range of 1 to 65535. Default value: 1194.

    Note

    The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, and 4500.

    Encryption Algorithm

    The encryption algorithm (cipher) that protects data sent over the SSL-VPN connection. Default value: AES-128-CBC.

    • If the client uses Tunnelblick or OpenVPN 2.4.0 or later, the SSL server negotiates the cipher with the client and uses the most secure one that both sides support (cipher negotiation was introduced in OpenVPN 2.4). In this case the encryption algorithm that you specify for the SSL server does not take effect.

    • If the client uses an OpenVPN version earlier than 2.4.0, the SSL server and the client use the encryption algorithm that you specify for the SSL server. You can specify one of the following encryption algorithms:

      • AES-128-CBC

      • AES-192-CBC

      • AES-256-CBC

      • none

        A value of none means that data sent through the tunnel is not encrypted. Use it only for testing, never for production traffic.

    Compressed

    Specifies whether to compress the data that is transmitted over the SSL-VPN connection. Default value: No. Compressing data before it is encrypted can let an attacker who can inject traffic into the tunnel infer parts of the plaintext from the compressed size, which is why the OpenVPN project has deprecated compression. Leave this set to No unless you have a specific need for it. Valid values:

    • Yes

    • No

    Two-factor Authentication

    Specifies whether to enable two-factor authentication for SSL-VPN connections to the VPN gateway. By default, two-factor authentication is disabled.

    If you enable two-factor authentication, you must specify an Identity as a Service (IDaaS) instance and an IDaaS application. The system then authenticates each client twice when it establishes an SSL-VPN connection to the VPN gateway. The first factor is the SSL client certificate. After the client passes certificate authentication, the second factor is a username and password checked against the specified IDaaS instance. The second factor does not support the Short Message Service (SMS) authentication feature of IDaaS. The SSL-VPN connection is established only after both factors succeed, so a stolen client certificate alone is not enough to connect. For more information, see Two-factor authentication.

      Note
      • If you use the two-factor authentication feature for the first time, you must first authorize VPN to access cloud resources.

      • You can no longer purchase IDaaS EIAM 1.0 instances. If your Alibaba Cloud account has an IDaaS EIAM 1.0 instance, you can still specify the IDaaS EIAM 1.0 instance after you enable the two-factor authentication feature.

        If your Alibaba Cloud account has no IDaaS EIAM 1.0 instance, you can specify only an IDaaS EIAM 2.0 instance after you enable the two-factor authentication feature.

      • You may need to update the VPN gateway to associate it with an IDaaS EIAM 2.0 instance. For more information, see Announcement on the change of supporting IDaaS EIAM 2.0 instances for two-factor authentication of SSL-VPN connections.
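To make the client CIDR sizing rule and the other limits in the table above concrete, the following Python script plans a client CIDR block for a given connection limit and checks a proposed SSL server configuration against the constraints stated on this page (reserved ranges, mask lengths, the four-addresses-per-connection rule, blocked ports, cipher values, and overlap between the local and client blocks). It is an added example, not code from this page or from Alibaba Cloud. The key names in the returned parameter dictionary (VpnGatewayId, Name, LocalSubnet, ClientIpPool, Proto, Port, Cipher, Compress) are assumed to match the CreateSslVpnServer API parameters and should be checked against the API reference; the gateway ID and networks used in the usage call are made up.

```python
"""Plan and sanity-check an SSL server configuration before creating it.

Added example; the limits are the ones stated on the page. The parameter
names in the result are assumed to match CreateSslVpnServer (verify).
"""
import ipaddress
from math import ceil, log2

# Ranges that may not be used as Local Network or Client CIDR Block
# (the page lists them as start~end ranges; written here in CIDR form).
RESERVED = [ipaddress.ip_network(c) for c in (
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.0.0.0/8")]

# Ports the SSL server may not listen on.
BLOCKED_PORTS = {22, 2222, 22222, 9000, 9001, 9002, 7505,
                 80, 443, 53, 68, 123, 4510, 4560, 500, 4500}
CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC", "none"}
ADDRESSES_PER_CLIENT = 4            # each connection is carved a /30
CLIENT_PREFIX_MIN, CLIENT_PREFIX_MAX = 16, 29
LOCAL_PREFIX_MIN, LOCAL_PREFIX_MAX = 8, 32


def min_client_prefix(max_connections: int) -> int:
    """Longest prefix whose address count is >= 4 * max_connections."""
    if max_connections < 1:
        raise ValueError("max_connections must be positive")
    needed = ADDRESSES_PER_CLIENT * max_connections
    prefix = 32 - ceil(log2(needed))
    if prefix < CLIENT_PREFIX_MIN:
        raise ValueError(f"{max_connections} connections need more than a /16")
    return min(prefix, CLIENT_PREFIX_MAX)


def _overlaps_reserved(net: ipaddress.IPv4Network) -> bool:
    return any(net.overlaps(r) for r in RESERVED)


def pick_client_pool(prefix, local_nets, base="10.0.0.0/8"):
    """First subnet of `base` with the given prefix that overlaps no local network."""
    for cand in ipaddress.ip_network(base).subnets(new_prefix=prefix):
        if not any(cand.overlaps(local) for local in local_nets):
            return cand
    raise ValueError(f"no free /{prefix} in {base}")


def plan_ssl_server(name, vpn_gateway_id, local_subnets, max_connections,
                    client_pool=None, proto="TCP", port=1194,
                    cipher="AES-128-CBC", compress=False):
    """Return {'params': ..., 'errors': [...], 'warnings': [...]}.

    'params' is only safe to submit when 'errors' is empty."""
    errors, warnings = [], []

    local_nets = []
    for s in local_subnets:
        net = ipaddress.ip_network(s, strict=False)
        if not LOCAL_PREFIX_MIN <= net.prefixlen <= LOCAL_PREFIX_MAX:
            errors.append(f"local {net}: mask must be /8 to /32")
        if _overlaps_reserved(net):
            errors.append(f"local {net}: overlaps a reserved range")
        local_nets.append(net)
    if len(local_nets) > 5:
        errors.append("at most five local CIDR blocks are allowed")

    prefix = min_client_prefix(max_connections)
    pool = (ipaddress.ip_network(client_pool) if client_pool
            else pick_client_pool(prefix, local_nets))
    if not CLIENT_PREFIX_MIN <= pool.prefixlen <= CLIENT_PREFIX_MAX:
        errors.append(f"client pool {pool}: mask must be /16 to /29")
    if pool.num_addresses < ADDRESSES_PER_CLIENT * max_connections:
        errors.append(f"client pool {pool}: holds {pool.num_addresses // ADDRESSES_PER_CLIENT} "
                      f"connections, need {max_connections} (use /{prefix} or larger)")
    if _overlaps_reserved(pool):
        errors.append(f"client pool {pool}: overlaps a reserved range")
    for net in local_nets:
        if pool.overlaps(net):
            errors.append(f"client pool {pool} overlaps local network {net}")
    if not pool.is_private:
        warnings.append(f"client pool {pool} is public: it must also be set as the VPC user CIDR block")

    if not 1 <= port <= 65535 or port in BLOCKED_PORTS:
        errors.append(f"port {port} is not allowed")
    if proto not in ("TCP", "UDP"):
        errors.append(f"proto {proto!r} must be TCP or UDP")
    if cipher not in CIPHERS:
        errors.append(f"unknown cipher {cipher!r}")
    elif cipher == "none":
        warnings.append("cipher 'none': tunnel data is unencrypted for pre-2.4.0 clients")
    if compress:
        warnings.append("compression enabled: compressing before encryption can leak plaintext")

    params = {"VpnGatewayId": vpn_gateway_id, "Name": name,
              "LocalSubnet": ",".join(str(n) for n in local_nets),
              "ClientIpPool": str(pool), "Proto": proto, "Port": port,
              "Cipher": cipher, "Compress": compress}
    return {"params": params, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed input: a hypothetical gateway with two VPC subnets and 50 connections.
    plan = plan_ssl_server("corp-ssl", "vpn-example", ["192.168.0.0/24", "192.168.1.0/24"], 50)
    print(plan)
```

For 50 connections the script picks 10.0.0.0/24, the same block the table recommends, and it moves to the next free /24 when 10.0.0.0/24 is itself a local network. Errors (an overlap, a blocked port, a reserved range) are collected rather than raised so that one run reports every problem in a proposed configuration.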

What to do next

After the SSL server is created, you need to create an SSL client certificate based on the SSL server and install the SSL client certificate on the client for identity authentication and data encryption. For more information, see Create and manage an SSL client certificate.

Modify an SSL server

After an SSL server is created, you can modify the configurations of the SSL server. After you modify the configurations of the SSL server, you may need to download and install the SSL client certificate again or reinitiate an SSL-VPN connection.

Important
  • If you change the value of the Protocol, Compressed, or Two-factor Authentication parameter in the Advanced Configuration section for an SSL server, the SSL client certificate that is associated with the SSL server becomes invalid. In this case, you need to create a new SSL client certificate, install the certificate on the client, and then reinitiate an SSL-VPN connection.

  • If you change the value of the Local Network or Client CIDR Block parameter for an SSL server, all SSL-VPN connections to the SSL server are interrupted. In this case, you need to reinitiate an SSL-VPN connection from the client.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.

  3. In the top navigation bar, select the region in which the SSL server resides.

  4. On the SSL Servers page, find the SSL server that you want to modify and click Edit in the Actions column.

  5. In the Modify SSL Server panel, modify the name, local CIDR block, client CIDR block, or advanced settings of the SSL server, and click OK.

Delete an SSL server

You can delete an SSL server that you no longer need. After an SSL server is deleted, the system automatically deletes all SSL client certificates that are associated with the SSL server. In this case, the SSL-VPN connections of the clients on which the SSL client certificates are installed are automatically disconnected.

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.

  3. In the top navigation bar, select the region in which the SSL server resides.

  4. On the SSL Servers page, find the SSL server that you want to delete and click Delete in the Actions column.

  5. In the message that appears, confirm the information and click Delete.

Create and manage an SSL server by calling API operations

You can call API operations to create, query, modify, or delete an SSL server by using Alibaba Cloud SDKs, Alibaba Cloud CLI, Terraform, or Resource Orchestration Service (ROS). We recommend that you call API operations by using Alibaba Cloud SDKs. For more information about the related API operations, see the following topics: