SSL-VPN is a virtual private network (VPN) that is built on the Secure Sockets Layer (SSL) protocol and uses OpenVPN. After you deploy the required resources, you only need to load the SSL client certificate into OpenVPN and initiate an SSL-VPN connection from OpenVPN to a virtual private cloud (VPC) to access the applications and services that are deployed in that VPC. This topic describes how to use SSL-VPN to connect an OpenVPN client to the secure office network (formerly called workspace) of a cloud computer in Elastic Desktop Service, so that you can access the cloud computer from the OpenVPN client over a private network.
Preparations
Before you begin, read the Access a cloud computer over a private network topic and make sure that the following preparations are complete:
A Cloud Enterprise Network (CEN) instance is created. If you do not have a CEN instance, create a CEN instance before you proceed. For more information, see Create a CEN instance.
A virtual private cloud (VPC) is created. If you do not have a VPC, create a VPC and attach it to the CEN instance before you proceed. For more information, see Create a VPC and a vSwitch or Manage network instances.
An office network is created. If you do not have an office network, create a convenience office network or an Active Directory (AD) office network and attach the VPC of the office network to the CEN instance. For more information, see Create and manage a convenience office network or Create and manage an enterprise AD office network.
Important: Before you create an office network, you must plan the IPv4 CIDR block of the office network that you want to create. This prevents CIDR block conflicts between the office network and the CEN instance or between the office network and the on-premises data center. For more information, see Plan a CIDR block.
If you already have a convenience office network, you must attach the convenience office network to the CEN instance.
If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud. This way, Elastic Desktop Service can connect to your AD system. Before you configure an AD domain, you need to create an AD office network and connect the on-premises network to the cloud.
An end user and a cloud computer are created. The cloud computer is assigned to the end user.
If no end user or cloud computer exists, create an end user and a cloud computer based on the type of the office network, and assign the cloud computer to the end user.
For information about how to create an end user, see Create a convenience account or Create and manage an enterprise AD office network.
For information about how to create and assign a cloud computer, see Create cloud computers or Assign cloud computers to users.
An on-premises device is prepared to install the OpenVPN client and the Alibaba Cloud Workspace client. Make sure that the clients are installed on the same device.
Note: The SSL-VPN solution can be used on a Windows client or a macOS client of Alibaba Cloud Workspace.
An Alibaba Cloud Workspace client such as the Windows client, macOS client, or web client is installed on your on-premises device. You can log on to the installed client and check whether you can access your cloud computer over the VPC.
Step 1: Configure SSL-VPN
When you configure SSL-VPN, you must create a VPN gateway, create an SSL server, publish the CIDR block of the Alibaba Cloud Workspace client to Cloud Enterprise Network (CEN), and then create an SSL client certificate. This section describes how to configure SSL-VPN.
Create a VPN gateway and enable SSL-VPN. For more information, see Create a VPN gateway.
The following parameters are required when you create a VPN gateway. For each parameter, the description and an example value are given.

Parameter: Instance Name
Description: Enter a name for the VPN gateway.
Example: test-vpn

Parameter: Region
Description: Select the region where you want to deploy the VPN gateway. The VPN gateway must be deployed in the same region as the VPC that you want to associate with the VPN gateway.
Example: China (Hangzhou)

Parameter: Network Type
Description: Select the network type of the VPN gateway. Public: the VPN gateway establishes VPN connections over the Internet. Private: the VPN gateway establishes VPN connections over a private network.
Example: Public

Parameter: VPC
Description: Select the VPC with which you want to associate the VPN gateway.
Example: test-vpc

Parameter: Specify VSwitch
Description: Specify whether to associate the VPN gateway with a specified vSwitch. No: the VPN gateway is associated with a random vSwitch of the VPC. Yes: the VPN gateway is associated with the vSwitch of the VPC that you specify.
Example: No

Parameter: Peak Bandwidth
Description: Specify the peak bandwidth of the VPN gateway. Unit: Mbit/s.
Example: 200 Mbit/s

Parameter: Traffic
Description: Select the metering method of the VPN gateway. Default value: Pay-by-data-transfer.
Example: Pay-by-data-transfer

Parameter: IPsec-VPN
Description: Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. You can use IPsec-VPN to establish a secure connection between a data center and a VPC or between VPCs.
Example: Disable

Parameter: SSL-VPN
Description: Specify whether to enable SSL-VPN for the VPN gateway. Default value: Disable. SSL-VPN allows you to establish secure connections between clients and servers without configuring customer gateways. For example, you can establish SSL-VPN connections between Linux clients and VPCs.
Example: Enable

Parameter: SSL connections
Description: Select the maximum number of concurrent SSL-VPN connections for the VPN gateway. Note: This parameter is valid only after you enable SSL-VPN.
Example: 5

Parameter: Duration
Description: Specify the billing cycle. Default value: By Hour.
Example: 1 Month

Parameter: Service-linked Role
Description: Click Create Service-linked Role. The system then automatically creates the service-linked role AliyunServiceRoleForVpn, which the VPN gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it.
Example: /
Create an SSL server. For more information, see Create and manage an SSL server.
The following parameters are required when you create an SSL server. For each parameter, the description and an example value are given.

Parameter: Name
Description: Enter a name for the SSL server. The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). The name must start with a letter.
Example: test-ssl

Parameter: VPN Gateway
Description: Select the VPN gateway that you want to associate with the SSL server. Make sure that SSL-VPN is enabled for the VPN gateway.
Example: test-vpn

Parameter: Local Network
Description: Enter the local CIDR block that the client needs to reach through the SSL-VPN connection. The local CIDR block can be the CIDR block of a VPC, a vSwitch, a cloud service such as Object Storage Service (OSS) or ApsaraDB RDS, or a data center that is connected by using a VPC or an Express Connect circuit. Click Add Local Network to add more local CIDR blocks. Note: The subnet mask of a local CIDR block must be 8 to 32 bits in length.
Example: You must add the following CIDR blocks: the CIDR block of the office network VPC (172.16.111.0/24), the CIDR block of the user VPC (192.168.0.0/16), and the CIDR block of the DNS server in the VPC and of Alibaba Cloud OpenAPI, which has the fixed value 100.64.0.0/10.

Parameter: Client CIDR Block
Description: Enter the CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of the client. Do not enter the private CIDR block of the client. When the client accesses the destination network through the SSL-VPN connection, the VPN gateway allocates an IP address from the client CIDR block to the client. Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections that the VPN gateway allows. Important: The subnet mask of the client CIDR block must be 16 to 29 bits in length. Make sure that the local CIDR blocks and the client CIDR block do not overlap. We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to use a public CIDR block as the client CIDR block, you must also specify that public CIDR block as the user CIDR block of the VPC so that the VPC can reach it. For more information, see What is customer CIDR block? and the "How do I configure a user CIDR block?" section of the FAQ topic.
Example: 10.10.111.0/24

Parameter: Advanced Configuration
Description: In the Advanced Configuration section, you can configure advanced settings of the SSL server, including the protocol and the encryption algorithm. This example does not describe the advanced settings.
Example: Use the default values.
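A quick way to check a planned SSL server configuration against the rules listed above (subnet mask lengths, no overlap between local and client CIDR blocks, at least four client addresses per allowed connection, and a private client range) before you create it in the console. This is an added example, not code from this page or from Alibaba Cloud; the values are the ones used in this topic, and the function name validate_ssl_server is an assumption.

```python
import ipaddress

# Values taken from the example configuration in this topic
LOCAL_NETWORKS = ["172.16.111.0/24", "192.168.0.0/16", "100.64.0.0/10"]
CLIENT_CIDR = "10.10.111.0/24"
MAX_SSL_CONNECTIONS = 5  # the "SSL connections" value chosen for the VPN gateway

# Private ranges recommended for the client CIDR block
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_ssl_server(local_networks, client_cidr, max_connections):
    """Check an SSL server plan against the rules in the parameter list.

    Returns a list of human-readable problems; an empty list means the plan
    satisfies every rule. (Hypothetical helper, not part of any product API.)
    """
    problems = []
    locals_ = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if not 8 <= net.prefixlen <= 32:
            problems.append(f"local network {cidr}: subnet mask must be 8 to 32 bits")
        locals_.append(net)

    client = ipaddress.ip_network(client_cidr, strict=False)
    if not 16 <= client.prefixlen <= 29:
        problems.append(f"client CIDR {client_cidr}: subnet mask must be 16 to 29 bits")

    # The gateway hands each session an address from this pool, and the rule
    # requires at least 4 addresses per allowed concurrent connection.
    if client.num_addresses < 4 * max_connections:
        problems.append(
            f"client CIDR {client_cidr} has {client.num_addresses} addresses, "
            f"need at least {4 * max_connections} for {max_connections} connections")

    # Overlapping blocks would produce conflicting routes on the gateway and in CEN.
    for net in locals_:
        if client.overlaps(net):
            problems.append(f"client CIDR {client_cidr} overlaps local network {net}")

    if not any(client.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(
            f"client CIDR {client_cidr} is not in a private range; it must also be "
            "configured as the user CIDR block of the VPC")
    return problems


if __name__ == "__main__":
    for line in validate_ssl_server(LOCAL_NETWORKS, CLIENT_CIDR, MAX_SSL_CONNECTIONS) or ["ok"]:
        print(line)
```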
Publish the client CIDR block that you specified for the SSL server to CEN.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, find the VPC to which you want to connect and click the ID of the route table that belongs to that VPC.
On the page that appears, choose Route Entry List > Custom Route.
Find the client CIDR block and click Publish.
If Advertised is displayed in the Route Status in CEN column, the CIDR block is published.
Create an SSL client certificate. For more information, see Create and manage an SSL client certificate.
On the SSL Clients page, find the SSL client certificate that you want to download and click Download in the Actions column.
The SSL client certificate is downloaded to your local computer and is used when you configure the OpenVPN client in the following steps.
Step 2: Configure OpenVPN on a local computer for private network connection
Install OpenVPN on a local computer and connect to the VPN gateway from it. After you configure the DNS settings on the local computer, you can access the cloud computer from the OpenVPN client over a private network. This section describes how to install OpenVPN, initiate the connection, and configure the DNS settings.
Install OpenVPN on the local computer.
We recommend that you use OpenVPN to connect to a VPC. The following section describes how to install OpenVPN on a local computer that runs Windows or macOS.
Windows
Download the OpenVPN client for Windows from the OpenVPN website.
Install OpenVPN.
Decompress the package of the SSL client certificate that you downloaded and copy the SSL client certificate to the config directory under the OpenVPN installation directory.
Important: Copy the certificate to the config directory of the OpenVPN installation that you use. For example, if OpenVPN is installed in C:\Program Files\OpenVPN, decompress the certificate package and copy the certificate to C:\Program Files\OpenVPN\config.
macOS
Install Homebrew if it is not already installed, and then run the following command to install OpenVPN:
brew install openvpn
Decompress the package of the SSL client certificate and copy the certificate to the config directory of OpenVPN. For the Homebrew installation, this is /usr/local/etc/openvpn, the directory from which the connection command in the next step reads the configuration file.
Launch OpenVPN and initiate a connection.
Windows: Launch OpenVPN and initiate a connection.
macOS: Run the following command to initiate a connection:
sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
Configure DNS settings on the local computer.
Before you configure DNS settings, you can run the following command to test whether the domain name in the command can be resolved.
nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
If an IP address is returned, the domain name can be resolved as expected. Then, you can skip this step. If no IP address is returned, perform the following steps to configure DNS settings:
Add 100.100.2.136 or 100.100.2.138 to the DNS server list.
In this example, a local computer that runs Windows 10 is used.
Go to Control Panel and open Network and Sharing Center.
In the left-side navigation pane, click Change adapter settings.
Right-click the network adapter that corresponds to OpenVPN and select Properties.
In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).
In the dialog box that appears, specify the DNS servers that the OpenVPN adapter uses: set Preferred DNS server to 100.100.2.136 and Alternative DNS server to 100.100.2.138.
Run the following command to check whether the DNS settings take effect.
nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
Step 3: Check whether you can access a cloud computer over a private network
The SSL-VPN solution can be used on a Windows client or a macOS client of Alibaba Cloud Workspace.
In this example, a Windows client of Alibaba Cloud Workspace V5.2.0 is used to check whether the access to a cloud computer over a VPC is allowed. You can also use another client to access your cloud computer over a VPC based on your business requirements.
Obtain the information that is required to log on to the Windows client, such as the office network ID, username, and password, from the email that the end user received.
Double-click the icon to open the Windows client.
Follow the on-screen instructions to enter the username and password.
Important: If you log on to the client by using only an office network ID, select Alibaba Cloud VPC.
Click Connection Type, select Alibaba Cloud VPC, and then click Confirm.
Click Next.
Follow the on-screen instructions to enter the username and password. Then, click Next.
Connect to the cloud computer.
If the client logon is successful, your cloud computer is displayed as a card on your screen. You can click Connect Cloud Computer on the card to connect to your cloud computer. If the connection is successful, you can view and use your cloud computer in a new window.
Important: If a network request timeout error is reported, the network is unreachable. In this case, check your parameter settings. After you have confirmed the settings, log on to the client and connect to the cloud computer again.