Updated on 2024-07-25 GMT+08:00

Procedure

Prerequisites

  • Cloud side
    • A VPC has been created. For details about how to create a VPC, see Creating a VPC and Subnet.
    • Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see Security Group Rules.
  • Data center side
    • The VPN client software has been configured on a user terminal. For details, see Administrator Guide.

Limitations and Constraints

A maximum of 10 client CA certificates can be added.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. Configure a VPN gateway.

    1. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    2. Click the P2C VPN Gateways tab, and then click Buy P2C VPN Gateway.
    3. Set parameters as prompted and click Buy Now.

      Table 1 describes the VPN gateway parameters.

      Table 1 Description of VPN gateway parameters

      Region
        Description: For low network latency and fast resource access, select the region nearest to your target users. Resources cannot be shared across regions.
        Example value: Set this parameter based on the actual condition.

      Name
        Description: Enter the name of the VPN gateway.
        Example value: p2c-vpngw-001

      VPC
        Description: Select a VPC.
        Example value: vpc-001(192.168.0.0/16)

      Interconnection Subnet
        Description: This subnet is used for communication between the VPN gateway and the VPC. Ensure that the selected interconnection subnet has three or more assignable IP addresses.
        Example value: 192.168.66.0/24

      Specification
        Description: Only Professional 1 is supported.
          • Maximum bandwidth: 300 Mbit/s
          • Maximum number of VPN connections: 500
        Example value: Professional 1

      AZ
        Description: An availability zone (AZ) is a geographic location with independent power supply and network facilities in a region. AZs in the same VPC are interconnected through private networks and are physically isolated.
          • If two or more AZs are available, select two AZs. A VPN gateway deployed in two AZs has higher availability. You are advised to select the AZs where the resources in the VPC are located.
          • If only one AZ is available, select this AZ.
        Example value: AZ1, AZ2

      Connections
        Description: Ten VPN connections are included free of charge with the purchase of a VPN gateway. You can select or customize the number of required VPN connections.
        Example value: 10

      EIP
        Description: Set the EIP used by the VPN gateway to communicate with clients.
          • Create now: Buy a new EIP. The billing mode of a new EIP is pay-per-use.
          • Use existing: Use an existing EIP. Only EIPs with dedicated bandwidth are supported.
          NOTE: If an existing EIP is used, its billing mode can be pay-per-use or yearly/monthly.
        Example value: Create now

      EIP Type
        Description: This parameter is available only when a new EIP is created. Dynamic BGP: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails. For more information about EIP types, see What Is an EIP?.
        Example value: Dynamic BGP

      Bandwidth (Mbit/s)
        Description: This parameter is available only when a new EIP is created. Specify the bandwidth of the EIP.
          • All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP. If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted, so configure enough bandwidth.
          • You can configure alarm rules on Cloud Eye to monitor the bandwidth.
          • You can customize the bandwidth within the allowed range.
          • Some regions support only 300 Mbit/s bandwidth by default. If higher bandwidth is required, select 300 Mbit/s bandwidth and then submit a service ticket for capacity expansion.
        Example value: 20 Mbit/s

      Bandwidth Name
        Description: This parameter is available only when a new EIP is created. Specify the name of the EIP bandwidth.
        Example value: p2c-vpngw-bandwidth1

  5. Configure a server.

    1. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    2. Click the P2C VPN Gateways tab. Then, click Configure Server in the Operation column of the target VPN gateway, or click the name of the target VPN gateway and click the Server tab.
    3. Set parameters as prompted and click OK.

      Table 2 describes the server parameters.

      Table 2 Server parameters

      Area: Basic Information

      Local CIDR Block
        Description: Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC.
          A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0 and cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.
          • Select subnet: Select subnets of the local VPC.
          • Enter CIDR block: Enter subnets of the local VPC or subnets of a VPC that has a peering connection with the local VPC.
          NOTE: After the local CIDR block is modified, clients need to reconnect.
        Example value: 192.168.0.0/24

      Client CIDR Block
        Description: CIDR block from which IP addresses are assigned to the virtual NICs of clients. It cannot overlap with the local CIDR block or with the CIDR blocks in the route table of the VPC where the VPN gateway is located.
          The client CIDR block must be in dotted decimal notation with a mask from 16 to 26. When assigning an IP address to a client, the system carves out a smaller block with a mask of 30 to ensure proper network communication, so the number of available IP addresses in the client CIDR block must be at least four times the number of VPN connections.
          The recommended client CIDR blocks vary with the number of VPN connections. For details, see Table 3.
          NOTE: After the client CIDR block is modified, clients need to reconnect.
        Example value: 172.16.0.0/16

      Tunnel Type
        Description: Secure Sockets Layer (SSL) is a transport layer protocol used to establish a secure channel between a client and a server. The value is fixed at OpenVPN (SSL).
        Example value: OpenVPN (SSL)

      Area: Authentication Information

      Server Certificate
        Description: SSL certificate of the server. Clients use this certificate to verify the server's identity.
          • To use an uploaded certificate, select it from the drop-down list box.
          • To upload a new certificate, choose Upload from the drop-down list box to go to the Cloud Certificate Manager (CCM) service page, and upload a server certificate as prompted. For details, see Uploading an External Certificate.
          • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
          NOTE: If you delete the referenced server certificate in CCM after configuring the server, the availability of the server certificate is not affected.
        Example value: Set this parameter based on the actual condition.

      Client Authentication Mode
        Description: Select Certificate authentication.
          • Click Upload Client CA Certificate, open the CA certificate file (.pem) as a text file, and copy the certificate content to the Content text box in the Upload Client CA Certificate dialog box. A maximum of 10 client CA certificates can be added. It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using RSA-2048 carry risks; exercise caution when using them.
          • After a CA certificate is verified, you can view its basic information, including the name, serial number, signature algorithm, issuer, subject, and expiration time.
          NOTE: After the CA certificate is deleted, clients cannot connect to the server.
        Example value: Certificate authentication

      Area: Advanced Settings

      Protocol
        Description: Protocol used by P2C VPN connections.
          • TCP (default)
        Example value: TCP

      Port
        Description: Port used by P2C VPN connections.
          • 443 (default)
          • 1194
        Example value: 443

      Encryption Algorithm
        Description: Encryption algorithm used by P2C VPN connections.
          • AES-128-GCM (default)
          • AES-256-GCM
        Example value: AES-128-GCM

      Authentication Algorithm
        Description: Authentication algorithm used by P2C VPN connections. It is determined by the encryption algorithm.
          • When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256.
          • When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.
        Example value: SHA256

      Compression
        Description: Whether to compress the transmitted data. By default, this function is disabled and cannot be modified.
        Example value: Disabled

      Table 3 Recommended client CIDR blocks

      Number of VPN Connections   Recommended Client CIDR Block
      10                          Mask less than or equal to 26 (for example, 10.0.0.0/26 or 10.0.0.0/25)
      20                          Mask less than or equal to 25 (for example, 10.0.0.0/25 or 10.0.0.0/24)
      50                          Mask less than or equal to 24 (for example, 10.0.0.0/24 or 10.0.0.0/23)
      100                         Mask less than or equal to 23 (for example, 10.0.0.0/23 or 10.0.0.0/22)
      200                         Mask less than or equal to 22 (for example, 10.0.0.0/22 or 10.0.0.0/21)
      500                         Mask less than or equal to 21 (for example, 10.0.0.0/21 or 10.0.0.0/20)
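The CIDR rules above (reserved blocks for the local CIDR block, a 16 to 26 mask for the client CIDR block, no overlap with local or VPC-route CIDR blocks, and four addresses per connection because each client receives a /30) can be checked before the values are entered in the console. The following script is an added example and not Huawei Cloud code; it uses the page's example values plus constructed bad inputs, and its `min_client_prefix` reproduces the mask column of Table 3 for any connection count.

```python
"""Size and validate P2C VPN CIDR blocks (added example, not Huawei Cloud code)."""
import ipaddress
import math

# Special blocks the local CIDR block must not overlap (from the page).
RESERVED = [ipaddress.ip_network(c)
            for c in ("0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]
MAX_LOCAL_CIDRS = 20
MAX_CONNECTIONS = 500
ADDRESSES_PER_CLIENT = 4  # the server hands each client a /30


def _parse(cidr):
    """Strict parse: '192.168.0.1/24' (host bits set) is rejected, not silently masked."""
    return ipaddress.IPv4Network(cidr)


def check_local_cidrs(cidrs):
    """Return the problems found with the local CIDR blocks (empty list means OK)."""
    problems = []
    if len(cidrs) > MAX_LOCAL_CIDRS:
        problems.append(f"{len(cidrs)} local CIDR blocks, maximum is {MAX_LOCAL_CIDRS}")
    for cidr in cidrs:
        try:
            net = _parse(cidr)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        # 0.0.0.0/x is rejected here as well, because it overlaps 0.0.0.0/8.
        for reserved in RESERVED:
            if net.overlaps(reserved):
                problems.append(f"{cidr}: overlaps reserved block {reserved}")
    return problems


def min_client_prefix(connections):
    """Longest mask that still holds four addresses per connection, capped at /26
    (the longest mask the server accepts). Reproduces Table 3."""
    if not 1 <= connections <= MAX_CONNECTIONS:
        raise ValueError(f"connections must be 1..{MAX_CONNECTIONS}")
    needed = ADDRESSES_PER_CLIENT * connections
    return min(32 - math.ceil(math.log2(needed)), 26)


def check_client_cidr(client_cidr, connections, local_cidrs, vpc_routes=()):
    """Return the problems found with the client CIDR block (empty list means OK)."""
    try:
        net = _parse(client_cidr)
    except ValueError as exc:
        return [f"{client_cidr}: {exc}"]
    problems = []
    if not 16 <= net.prefixlen <= 26:
        problems.append(f"{client_cidr}: mask must be between 16 and 26")
    needed = ADDRESSES_PER_CLIENT * connections
    if net.num_addresses < needed:
        problems.append(
            f"{client_cidr}: {net.num_addresses} addresses for {connections} connections, "
            f"need at least {needed} (a /{min_client_prefix(connections)} or shorter mask)")
    # Must not overlap the local CIDR blocks or anything in the VPC route table.
    for other in list(local_cidrs) + list(vpc_routes):
        if net.overlaps(ipaddress.IPv4Network(other, strict=False)):
            problems.append(f"{client_cidr}: overlaps {other}")
    return problems


if __name__ == "__main__":
    # Page example values: local 192.168.0.0/24, client 172.16.0.0/16, 10 connections.
    print(check_local_cidrs(["192.168.0.0/24"]))                       # []
    print(check_client_cidr("172.16.0.0/16", 10, ["192.168.0.0/24"]))  # []
    # Constructed bad inputs: too small for 10 clients, and overlapping a VPC route.
    print(check_client_cidr("10.0.0.0/27", 10, ["192.168.0.0/24"]))
    print(check_client_cidr("192.168.10.0/24", 10, ["192.168.0.0/24"],
                            vpc_routes=["192.168.0.0/16"]))
    for n in (10, 20, 50, 100, 200, 500):
        print(n, f"/{min_client_prefix(n)}")
```

Run it with the CIDR blocks you intend to enter; an empty list from both checks means the values satisfy the constraints stated in Table 2, and the mask printed for your connection count is the longest one Table 3 recommends.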

    4. Upload a server certificate.
      1. On the Server tab page, click Upload in the Server Certificate drop-down list box. The Cloud Certificate Manager page is displayed.
      2. On the SSL Certificate Manager page, click the Hosted Certificates tab, click Upload Certificate, and enter related information as prompted.
        Table 4 describes the parameters for uploading a certificate.

        Table 4 Parameters for uploading an international standard certificate

        Certificate standard
          Description: Select International.

        Certificate Name
          Description: User-defined name of the certificate.

        Enterprise Project
          Description: Select the enterprise project to which the SSL certificate is to be added.

        Certificate File
          Description: Open the .pem file of the certificate to be uploaded as a text file, and copy its content to this text box. Upload a combined certificate file that contains both the server certificate and the CA certificate, with the CA certificate content pasted below the server certificate content. For the format of the certificate file content to be uploaded, see Figure 1.

        Private Key
          Description: Open the .key file of the certificate to be uploaded as a text file, and copy the private key to this text box. Only the private key of the server certificate needs to be uploaded. For the format of the private key content to be uploaded, see Figure 1.

        Figure 1 Format of the certificate content to be uploaded

        The common name (CN) of a server certificate must be in the domain name format.

      3. Click Submit. The certificate is uploaded.
      4. In the certificate list, verify that the certificate status is Hosted.
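The upload has a fixed layout: the Certificate File box takes the server certificate with the CA certificate below it, the Private Key box takes only the server certificate's key, and the CN must be a domain name. The script below is an added example and not Huawei Cloud or CCM code; it assembles the combined file in that order and rejects the common mix-ups (a key pasted into the certificate box, a CA file that also carries a key). The PEM strings are constructed placeholders, and `cn_is_domain_name` takes the CN as a string, for instance as printed by `openssl x509 -noout -subject`.

```python
"""Assemble and check the files for the CCM server-certificate upload.

Added example, not Huawei Cloud code. PEM contents below are constructed
placeholders, not real certificates or keys.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
# Domain-name format for the CN: labels of 1..63 chars, a letter-only TLD,
# optional leading wildcard, 253 chars overall.
DOMAIN_NAME = re.compile(
    r"^(?=.{1,253}$)(\*\.)?(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)

# Constructed placeholders standing in for files issued by your CA.
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTEDSERVER\n-----END CERTIFICATE-----"
CA_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTEDCA\n-----END CERTIFICATE-----"
SERVER_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTEDKEY\n-----END PRIVATE KEY-----"


def pem_blocks(text):
    """Return (label, block) for each PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_certificate_file(server_cert_pem, ca_pem):
    """Content for the Certificate File box: server certificate, then CA certificate(s)."""
    server = pem_blocks(server_cert_pem)
    chain = pem_blocks(ca_pem)
    if [label for label, _ in server] != ["CERTIFICATE"]:
        raise ValueError("server certificate file must hold exactly one CERTIFICATE block")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("CA file must hold one or more CERTIFICATE blocks and nothing else")
    # Server certificate first; CA content pasted below it, as the upload requires.
    return "\n".join(block for _, block in server + chain) + "\n"


def check_private_key_file(key_pem):
    """Content for the Private Key box: one private key, no certificate. Returns its label."""
    labels = [label for label, _ in pem_blocks(key_pem)]
    if len(labels) != 1 or not labels[0].endswith("PRIVATE KEY"):
        raise ValueError("private key file must hold exactly one PRIVATE KEY block")
    return labels[0]


def cn_is_domain_name(cn):
    """True when the server certificate CN is in domain name format (not an IP address)."""
    return bool(DOMAIN_NAME.match(cn))


if __name__ == "__main__":
    print(build_certificate_file(SERVER_CERT, CA_CERT))
    print(check_private_key_file(SERVER_KEY))        # PRIVATE KEY
    print(cn_is_domain_name("vpn.example.com"))       # True
    print(cn_is_domain_name("192.168.1.10"))          # False
```

The output of `build_certificate_file` is what goes into the Certificate File box; the key file is pasted separately only after `check_private_key_file` accepts it. The checks are structural (block labels, counts and order), so a certificate that is well-formed but signed by the wrong CA still has to be verified with your CA tooling.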
    5. Upload a client CA certificate.
      1. On the Server tab page, choose Certificate authentication from the Client Authentication Mode drop-down list box, and click Upload Client CA Certificate.
      2. Set parameters as prompted.
        Table 5 Parameters for uploading a CA certificate

        Name
          Description: This parameter can be modified.
          Example value: ca-cert-xxxx

        Content
          Description: Open the CA (signing) certificate file (.pem) as a text file, and copy its content to this text box.
            NOTE:
            • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
            • Certificates using RSA-2048 carry risks. Exercise caution when using such certificates.
          Example value:
            -----BEGIN CERTIFICATE-----
            Certificate content
            -----END CERTIFICATE-----

      3. Click OK.

        A maximum of 10 client CA certificates can be added.

  6. Download the client configuration.

    1. Log in to the management console.
    2. Click in the upper left corner and select the desired region and project.
    3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
    4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    5. Click the P2C VPN Gateways tab. In the VPN gateway list, locate the target VPN gateway, and click Download Client Configuration in the Operation column.

      Decompress the package to obtain the client_config.conf, client_config.ovpn, and README.md files.

      • The client_config.conf file applies to the Linux operating system.
      • The client_config.ovpn file applies to the Windows, macOS, and Android operating systems.

  7. Add certificate information.

    1. Open the client_config.ovpn file as a text file.
    2. Paste the client certificate content and the corresponding private key between the <cert></cert> and <key></key> tags, respectively.
      <cert>
      Client certificate content
      </cert>
      <key>
      Private key of the client certificate
      </key>
    3. Save the file and exit.
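Filling the <cert></cert> and <key></key> tags by hand is where the wrong block (the key in the cert tag, or a cert file that still carries its key) tends to slip in. The script below is an added example and not part of the downloaded package: `TEMPLATE` is a constructed stand-in for client_config.ovpn that assumes only that the file carries those two tags (its other directives are assumptions and may differ from the real file), and the PEM strings are constructed placeholders, not real key material. `inline_sections` shows what each inline section holds, so the result can be checked before it is imported into the client.

```python
"""Insert the client certificate and key into client_config.ovpn and check the result.

Added example, not Huawei Cloud code. TEMPLATE and the PEM strings are constructed.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
INLINE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)

# Constructed stand-in for the downloaded client_config.ovpn (assumption; the
# real file's directives may differ). Only the empty <cert> and <key> tags matter here.
TEMPLATE = """client
dev tun
proto tcp
remote 203.0.113.10 443
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSERVERCA
-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
</key>
"""

# Constructed placeholders for the client certificate and its private key.
CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTEDCLIENTCERT\n-----END CERTIFICATE-----"
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTEDCLIENTKEY\n-----END PRIVATE KEY-----"


def pem_labels(text):
    """Labels of the PEM blocks in text, in order, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def fill_client_config(template, cert_pem, key_pem):
    """Return the template with <cert> and <key> filled in; raise on a mixed-up input."""
    if pem_labels(cert_pem) != ["CERTIFICATE"]:
        raise ValueError("certificate file must hold exactly one CERTIFICATE block")
    key_labels = pem_labels(key_pem)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("key file must hold exactly one PRIVATE KEY block")
    for tag in ("cert", "key"):
        if template.count(f"<{tag}>") != 1 or template.count(f"</{tag}>") != 1:
            raise ValueError(f"template needs exactly one <{tag}></{tag}> pair")
    body = {"cert": cert_pem.strip(), "key": key_pem.strip()}
    # Replace whatever sits between the tags (empty in the fresh download).
    return re.sub(r"<(cert|key)>.*?</\1>",
                  lambda m: f"<{m.group(1)}>\n{body[m.group(1)]}\n</{m.group(1)}>",
                  template, flags=re.S)


def inline_sections(ovpn):
    """Map each inline section (ca, cert, key) to the PEM labels it contains."""
    return {m.group(1): pem_labels(m.group(2)) for m in INLINE.finditer(ovpn)}


if __name__ == "__main__":
    filled = fill_client_config(TEMPLATE, CLIENT_CERT, CLIENT_KEY)
    print(filled)
    print(inline_sections(filled))
    # {'ca': ['CERTIFICATE'], 'cert': ['CERTIFICATE'], 'key': ['PRIVATE KEY']}
```

A correctly filled file reports a CERTIFICATE in both ca and cert and a PRIVATE KEY in key; anything else means the wrong file was pasted. Keep the filled .ovpn as restricted as the key file itself, since it now contains the client's private key.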

  8. Configure a client.

    This example describes how to configure a client on the Windows operating system. The configuration process varies according to the type and version of the VPN client software.

    • Operating system: Windows 10
    • Client software: OpenVPN Connect 3.4.2 (3160)
    1. Download OpenVPN Connect from the OpenVPN official website, and install it as prompted.
    2. Start the OpenVPN Connect client, click BROWSE on the FILE tab page, and upload the client configuration file.
      Figure 2 Uploading a configuration file
    3. Click CONNECT to establish a VPN connection. If information similar to the following is displayed, the connection is successfully established.
      Figure 3 Connection established

Verification

  1. Open the CLI on the client device.
  2. Run the ping 192.168.1.10 command to test connectivity.

    192.168.1.10 is the IP address of an ECS. Replace it with the actual IP address.

  3. If information similar to the following is displayed, the client can communicate with the ECS:
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=27ms TTL=245