
Preparing a Local Windows Environment (VPN Connection Mode)

If client tools run on Windows, you can use VPN on the local Windows host to connect to a CloudTable cluster through a Linux ECS.

Apply for a Linux ECS and bind it to an EIP. Install the IPSec VPN service on the Linux ECS so that it can be used as a VPN server. Use the local Windows environment as a client host and set up a VPN connection to connect to the VPN server (Linux ECS). After the connection is successful, you can connect to CloudTable clusters using the intranet link in the local environment. Before connecting to CloudTable, you need to install the JDK and client tools in the local Windows environment.

Advantages of the VPN connection mode:

  1. IPSec is a mature VPN protocol, and this setup authenticates at two layers: the IPsec pre-shared key (PSK) protects the tunnel, and the L2TP username and password identify the user. Treat the PSK as a shared secret; anyone who holds it together with a valid account can reach the cluster subnet.
  2. The function is stable. After the connection is successful, the private IP addresses of the ECSs in the CloudTable cluster can be accessed from the local PC as if it were inside the subnet.

Preparing a Linux ECS and Installing and Configuring the VPN

  1. Create and log in to a Linux ECS. The Linux ECS functions as a VPN server for installing the IPSec VPN service.

    For details, see Preparing an ECS. When creating an ECS, you need to bind an EIP. The ECS must have the same region, AZ, VPC, and subnet as the CloudTable cluster.

  2. On the Linux ECS, download the installation script of the IPSec VPN service to a directory of your choice.

    For CentOS, run the following command to download the script:

    wget https://git.io/vpnsetup-centos -O vpnsetup.sh

    For Red Hat and SUSE, run the following command to download the script:

    wget https://git.io/vpnsetup -O vpnsetup.sh

    Step 5 runs this script as root, so read through it before you continue, and confirm that the short link still resolves to the installer you expect.

  3. Set the pre-shared key (PSK), username, and password for the VPN service.

    Run the vi command to open the vpnsetup.sh script, locate the parameters shown in the following figure, and modify their values as required.

    Figure 1 Configuring VPN parameters

    You can also leave these parameters blank. The default username is vpnuser, and the password and PSK are generated randomly. After the installation is complete, a prompt is displayed, as shown in the following figure.

    Figure 2 Prompt

  4. Configure iptables firewall rules.

    In the vpnsetup.sh script, locate the iptables parameters shown in the following figure and set the network segment in each of them to the subnet of the Linux ECS.

    Figure 3 Configuring iptables rules

    The ECS subnet can be obtained from the NIC information in the ECS details.

    Figure 4 NIC information

  5. Run the vpnsetup.sh script to install the IPSec VPN service and wait until the installation is complete.

    sudo sh vpnsetup.sh

    When the installation is complete, the Server IP, IPsec PSK, Username, and Password information is displayed. Record the information because you will use it when you set up a VPN connection.

    After the installation is successful, you can run the service ipsec status command to check the service status. If the status is active (running), the service is running properly.
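    The following script is an added example for the server-side procedure above; it is not part of the CloudTable guide or of the VPN installer. It generates a PSK and password from the kernel CSPRNG instead of typing them into the script, passes them to the installer, and then verifies that the service is up and that the two UDP ports the security group opens (500 for IKE, 4500 for NAT traversal) are actually bound. It assumes, which the page does not state, that vpnsetup.sh has already been downloaded and reviewed in the current directory, that the installer honours the VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD environment variables (if your copy does not, paste the generated values into the variables from step 3 instead), and that ss from iproute2 is installed.

```shell
#!/bin/sh
# Added example for the server-side procedure above; it is not part of the
# CloudTable guide or of the VPN installer. Assumptions not stated on the
# page: vpnsetup.sh has already been downloaded and reviewed in the current
# directory, the installer reads VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD from
# its environment (if your copy does not, paste the generated values into the
# variables from step 3 instead), and `ss` from iproute2 is installed.
set -eu

# 2*N random hex characters (default 32) from the kernel CSPRNG. Hex avoids
# characters that some L2TP/IPsec clients mishandle in a PSK field.
gen_secret() {
  head -c "${1:-16}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Accept a PSK or password only if it is at least 20 characters and not one of
# the values an attacker would try first. Returns 1 otherwise.
secret_is_strong() {
  s="$1"
  [ "${#s}" -ge 20 ] || return 1
  case "$s" in
    password*|vpnuser*|12345678*|changeme*) return 1 ;;
  esac
  return 0
}

# Given the text of `ss -lun` and a list of UDP ports, return 0 only if every
# port is bound. IKE uses udp/500; NAT-T uses udp/4500 and is required here
# because the ECS itself sits behind the EIP's NAT.
udp_ports_listening() {
  ss_out="$1"; shift
  for port in "$@"; do
    # The local-address column reads 0.0.0.0:500, [::]:500 or *:500, then a space.
    printf '%s\n' "$ss_out" | grep -Eq "[:*]${port}[[:space:]]" || return 1
  done
  return 0
}

main() {
  psk=$(gen_secret)
  pass=$(gen_secret)
  user="${VPN_USER:-vpnuser}"
  if ! secret_is_strong "$psk" || ! secret_is_strong "$pass"; then
    echo "generated secrets failed the strength check; aborting" >&2
    exit 1
  fi

  # Step 5 of the guide, with the secrets supplied through the environment
  # instead of being edited into the script and left on disk.
  sudo VPN_IPSEC_PSK="$psk" VPN_USER="$user" VPN_PASSWORD="$pass" sh vpnsetup.sh

  # Verification: service state, then the two UDP ports the security group opens.
  sudo service ipsec status
  if udp_ports_listening "$(ss -lun)" 500 4500; then
    echo "IKE (udp/500) and NAT-T (udp/4500) are listening"
  else
    echo "VPN ports are not bound; check the installer output" >&2
    exit 1
  fi

  echo "Record these for the Windows client; this script does not store them:"
  printf 'IPsec PSK: %s\nUsername:  %s\nPassword:  %s\n' "$psk" "$user" "$pass"
}

# The install runs only when asked for explicitly, so the checks above can be
# sourced and reused on their own.
if [ "${1:-}" = "install" ]; then
  main
fi
```

    Run it as sh vpn_server_setup.sh install on the ECS. Because the secrets are printed once and never written by the script, copy them into the Windows VPN connection immediately (the installer also prints them, as step 5 notes); if the port check fails after a successful install, the usual cause is a host firewall or a security group that does not cover the ECS.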

Setting Up a VPN Connection in the Local Windows Environment

The Windows 7 system is used as an example in the following operations.

  1. In the local Windows environment, you need to install the Java JDK first.

    Visit the official website of Java to download the JDK 1.8.0 or a later version that matches the local Windows OS, and then install the JDK.

  2. Configure security group rules that allow the local PC to reach the VPN server.

    Log in to the CloudTable management console and choose Cluster Mode. Locate the required cluster in the cluster list, and click the cluster name to access the basic information page. In the Network Configuration area, click the security group name. On the displayed security group setting page, add the following two inbound rules. The rules must apply to the security group that the Linux ECS (the VPN server) belongs to; if the ECS uses a different security group from the cluster, add them there as well.

    Table 1 Security group inbound rules

    Direction   Protocol   Port/Range   Source/Security Group   Usage
    Inbound     UDP        500          0.0.0.0/0               IKE. Allows the local PC to connect to the VPN server when accessing a CloudTable cluster.
    Inbound     UDP        4500         0.0.0.0/0               IPsec NAT traversal. Allows the local PC to connect to the VPN server when accessing a CloudTable cluster.

    If the local PC has a stable public IP address, enter it as the source instead of 0.0.0.0/0. The VPN server still checks the PSK and the user account, but a narrower source keeps the IKE service off the open Internet.

  3. In the local Windows environment, choose Control Panel > Network & Internet > Network and Sharing Center and click Set up a new connection or network.

    Figure 5 Network and Sharing Center page

  4. In the displayed dialog box, select Connect to a workplace, click Next, and then select Use my Internet connection (VPN).

    Figure 6 Setting up a connection or network

  5. Enter the EIP of the Linux ECS in the Internet address text box, select Don't connect now; just set it up so I can connect later, and click Next.

    Figure 7 Setting a VPN connection

  6. Enter the VPN username and password set in step 3 of Preparing a Linux ECS and Installing and Configuring the VPN, and click Create. After the creation is successful, click Close to complete the creation of the VPN connection.

    Figure 8 Setting the VPN username and password.

  7. Choose Control Panel > Network & Internet > Connect to a network. Right-click VPN Connection displayed in the lower right corner and choose Properties from the shortcut menu.

    On the Security tab page of the VPN Connection Properties dialog box, set Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
    Figure 9 VPN connection properties

    Click Advanced settings. In the Advanced Properties dialog box shown in the following figure, select the first option (Use preshared key for authentication) and enter the IPsec pre-shared key (PSK) from step 3.

    Figure 10 Advanced properties

  8. Log in to the local Windows OS as an administrator and click Start. Enter cmd in the search box and press Enter to open the command prompt window. Then, run the following statements to modify the registry. The first value (AssumeUDPEncapsulationContextOnSendRule = 2) lets the Windows IPsec client negotiate with a server that is itself behind NAT, which is the case here because the ECS has a private address and the EIP is mapped to it. The second (ProhibitIpSec = 0) keeps IPsec enabled for the L2TP connection; a value of 1 would disable it and send L2TP in the clear. After the modification, restart the computer for the values to take effect.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
    
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f

  9. Click the Internet access icon in the lower right corner of the system, select the created VPN connection, and click Connect to connect to VPN. Wait until the VPN is successfully connected.

Setting a Mapping Between the Intranet Domain Name and IP Address of CloudTable

The domain names in the cluster links, for example the ZK link, are HUAWEI CLOUD intranet domain names, which the local PC cannot resolve even after the VPN is connected. Therefore, you need to submit a service ticket to obtain the mapping between each domain name and its IP address, and configure it in the local hosts file.

  1. Log in to the CloudTable management console, and choose More > Service Tickets > Create Service Ticket in the upper right corner. Request the mapping between the intranet domain names in the CloudTable links and their IP addresses.
  2. Add the mapping obtained in 1 to the local hosts file and save the file.

    The following is an example of the mapping between the ZK link and the IP address of a CloudTable cluster. In the local Windows environment, open the C:\Windows\System32\drivers\etc\hosts file and add the following information:

    192.168.0.239 cloudtable-demo-hmaster-2-1-Ie8OM83R.cloudtable.com
    192.168.0.175 cloudtable-demo-regionserver-1-1-ZMD2WAGl.cloudtable.com
    192.168.0.135 cloudtable-demo-regionserver-2-1-PRmohdbB.cloudtable.com
    192.168.0.220 cloudtable-demo-hmaster-1-1-PJ0Qo8E0.cloudtable.com
    192.168.0.147 cloudtable-demo-zk1-PJ0Qo8E0.cloudtable.com
    192.168.0.231 cloudtable-demo-zk2-Ie8OM83R.cloudtable.com
    192.168.0.232 cloudtable-demo-zk3-ZMD2WAGl.cloudtable.com

  3. Click Start and enter cmd to open the CLI. Run the ping command against one of the mapped CloudTable host names. A reply shows that the hosts entry resolves and that the node is reachable over the VPN; ping does not exercise the service port itself, so connecting with the client tools is the final check.