Help Center/ Virtual Private Network/ User Guide/ P2C VPN/ P2C VPN Server Management/ Configuring a Server
Updated on 2024-12-04 GMT+08:00
View PDF
Share

Configuring a Server

Scenario

A server provides configuration management and connection authentication capabilities. After a P2C VPN gateway is created, you need to complete the server configuration for it.

Prerequisites

The VPN gateway where a server is to be deployed has been created.

Limitations and Constraints

  • You can configure a server only when the VPN gateway is in Normal state.
  • A VPN gateway can have only one server associated.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the P2C VPN Gateways tab. Then, click Configure Server in the Operation column of the target VPN gateway, or click the name of the target VPN gateway and click the Server tab.
  6. Set parameters as prompted and click OK.

    Table 1 describes the server parameters.

    Table 1 Server parameters

    Area

    Parameter

    Description

    Example Value

    Basic Information

    Local CIDR Block

    Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC.

    A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.

    • Select subnet

      Select subnets of the local VPC.

    • Enter CIDR block

      Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.

    NOTE:

    After the local CIDR block is modified, clients need to be reconnected.

    192.168.0.0/24

    Client CIDR Block

    CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC where the VPN gateway is located.

    The client CIDR block must be in the format of dotted decimal notation/mask. The mask ranges from 16 to 26. When assigning an IP address to a client, the system assigns a smaller CIDR block with the mask of 30 to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections.

    The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 2.

    NOTE:

    After the client CIDR block is modified, clients need to be reconnected.

    172.16.0.0/16

    Tunnel Type

    Secure Sockets Layer (SSL) is a transport layer protocol used to establish a secure channel between a client and a server.

    The value is fixed at OpenVPN (SSL).

    OpenVPN (SSL)

    Authentication Information

    Server Certificate

    SSL certificate of the server. Clients use this certificate to verify the server's identity.

    • To use an uploaded certificate, select it from the drop-down list box.
    • To upload a new certificate, choose Upload from the drop-down list box to go to the Cloud Certificate Manager (CCM) service page. Upload a server certificate as prompted. For details, see Uploading an External Certificate.
    • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
    NOTE:

    If you delete the referenced server certificate in CCM after configuring the server, the availability of the server certificate is not affected.

    Set this parameter based on the actual condition.

    Client Authentication Mode

    Mode in which the server verifies the client identity. The options include Certificate authentication and Password authentication (local).

    • Select Certificate authentication.
      • Click Upload Client CA Certificate, open the CA certificate file in PEM format as a text file, and copy the certificate content to the Content text box in the Upload Client CA Certificate dialog box. A maximum of 10 client CA certificates can be added.

        It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates.

      • After a CA certificate is verified, you can view its basic information, including the name, serial number, signature algorithm, issuer, subject, and expiration time.
    • Select Password authentication (local).
      • Click the User Management and User Groups tabs in sequence, and click Create User Group.
      • Click the User Management tab. On the Users tab page, click Create User.
      • Click the Access Policies tab, and click Create Policy.

    Set this parameter based on the actual condition.

    Advanced Settings

    Protocol

    Protocol used by P2C VPN connections.

    • TCP (default)

    TCP

    Port

    Port used by P2C VPN connections.

    • 443 (default)
    • 1194

    443

    Encryption Algorithm

    Encryption algorithm used by P2C VPN connections.

    • AES-128-GCM (default)
    • AES-256-GCM

    AES-128-GCM

    Authentication Algorithm

    Authentication algorithm used by P2C VPN connections.

    • When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256.
    • When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.

    SHA256

    Compression

    Whether to compress the transmitted data.

    By default, this function is disabled and cannot be modified.

    Disabled

    Domain Name Access
    Whether to enable domain name access.
    • Valid DNS server address:
      • Not 0.0.0.0
      • Non-loopback address. The loopback address range is 127.0.0.0 to 127.255.255.255.
      • Non-multicast address. The broadcast address range is 224.0.0.0 to 239.255.255.255.
      • Address not starting or ending with 0
      • Non-duplicate DNS server address

    Enabled
    Table 2 Recommended client CIDR blocks

    Number of VPN Connections

    Recommended Client CIDR Block

    10

    CIDR blocks with the mask less than or equal to 26

    Example: 10.0.0.0/26 and 10.0.0.0/25

    20

    CIDR blocks with the mask less than or equal to 25

    Example: 10.0.0.0/25 and 10.0.0.0/24

    50

    CIDR blocks with the mask less than or equal to 24

    Example: 10.0.0.0/24 and 10.0.0.0/23

    100

    CIDR blocks with the mask less than or equal to 23

    Example: 10.0.0.0/23 and 10.0.0.0/22

    200

    CIDR blocks with the mask less than or equal to 22

    Example: 10.0.0.0/22 and 10.0.0.0/21

    500

    CIDR blocks with the mask less than or equal to 21

    Example: 10.0.0.0/21 and 10.0.0.0/20