Procedure
Prerequisites
- Cloud side
  - A VPC has been created. For details, see Creating a VPC and Subnet.
  - Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see Security Group Rules.
- Data center side
  - The VPN client software has been configured on a user terminal. For details, see Administrator Guide.
  - An identity provider has been configured. Currently, only identity providers for virtual user SSO via SAML are supported. For details about how to configure an identity provider for virtual user SSO, see Virtual User SSO via SAML.
    - One or more identity conversion rules must have been configured for the identity provider. When configuring identity conversion rules, select the user group with the VPN SSOAccessPolicy permission. For details about how to create a user group, see Creating a User Group and Granting Permission.
    - When you configure or modify an identity conversion rule by editing a JSON file, the username cannot contain only spaces.
Precautions
Changing the client authentication mode or identity provider will interrupt existing VPN connections. Exercise caution when performing this operation.
Procedure
- Log in to the management console.
- Click the icon in the upper left corner and select the desired region and project.
- Click the icon in the upper left corner and choose the target service.
- Click the icon in the upper left corner of the page and choose the target menu item.
- Create a user group and grant permission to it.
  - Create a user group.
    - Choose User Groups from the navigation pane.
    - On the User Groups page, click Create User Group.
    - Configure user group information, such as the user group name.
    - Click OK. The user group is created. You can view the created user group in the user group list.
  - Grant permission to the user group.
    - Click Authorize in the Operation column of the created user group.
    - In the search box in the upper right corner, search for VPN SSOAccessPolicy and select it.
    - Click Next and select the authorization scope as required.
    - Click OK. The permission is granted to the user group.
- Click the icon in the upper left corner and choose the target service.
- In the navigation pane on the left, choose the target menu item.
- Click the P2C VPN Gateways tab. The P2C VPN gateway list is displayed.
- Configure a VPN gateway.
- On the P2C VPN Gateways page, click Buy P2C VPN Gateway.
- Set parameters as prompted and click Buy Now.
Table 1 describes the VPN gateway parameters.
Table 1 Description of VPN gateway parameters
- Region
  - Description: For low network latency and fast resource access, select the region nearest to your target users. Resources cannot be shared across regions.
  - Example value: Set this parameter based on the actual condition.
- Name
  - Description: Enter the name of a VPN gateway.
  - Example value: p2c-vpngw-001
- VPC
  - Description: Select a VPC.
  - Example value: vpc-001(192.168.0.0/16)
- Interconnection Subnet
  - Description: This subnet is used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has three or more assignable IP addresses.
  - Example value: 192.168.66.0/24
- Specification
  - Description: Two options are available: Professional 1 and Professional 2. For details about the differences between specifications, see Specifications Introduction.
  - Example value: Professional 1
- AZ
  - Description: An AZ is a geographic location with independent power supply and network facilities in a region. AZs in the same VPC are interconnected through private networks and are physically isolated.
  - Example value: AZ1, AZ2
- Connections
  - Description: Ten VPN connections are included free of charge with the purchase of a VPN gateway. You can select or customize the number of required VPN connections.
  - Example value: 10
- EIP
  - Description: Set the EIP used by the VPN gateway to communicate with clients.
    - Create now: Buy a new EIP. The billing mode of a new EIP is pay-per-use.
    - Use existing: Use an existing EIP. Only EIPs with dedicated bandwidth are supported.
    - NOTE: If an existing EIP is used, its billing mode can be pay-per-use or yearly/monthly.
  - Example value: Create now
- EIP Type
  - Description: This parameter is available only when a new EIP is created. Dynamic BGP: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails. For more information about EIP types, see What Is Elastic IP?.
  - Example value: Dynamic BGP
- Bandwidth (Mbit/s)
  - Description: This parameter is available only when a new EIP is created. Specify the bandwidth of the EIP.
    - All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP. If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth.
    - You can configure alarm rules on Cloud Eye to monitor the bandwidth.
    - You can customize the bandwidth within the allowed range.
    - Some regions support only 300 Mbit/s bandwidth by default. If higher bandwidth is required, select 300 Mbit/s bandwidth and then submit a service ticket for capacity expansion.
  - Example value: 20 Mbit/s
- Bandwidth Name
  - Description: This parameter is available only when a new EIP is created. Specify the name of the EIP bandwidth.
  - Example value: p2c-vpngw-bandwidth1
- Configure a server.
- On the P2C VPN Gateways page, click Configure Server in the Operation column of the target VPN gateway. Alternatively, click the name of the target VPN gateway and then click the Server tab.
- Set parameters as prompted and click OK.
Table 2 describes the server parameters.
Table 2 Server parameters
- Basic Information
  - Local CIDR Block
    - Description: Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC. A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.
      - Select subnet
      - Enter CIDR block
      Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.
      - NOTE: After the local CIDR block is modified, clients need to be reconnected.
    - Example value: 192.168.0.0/24
  - Client CIDR Block
    - Description: CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC where the VPN gateway is located. The client CIDR block must be in the format of dotted decimal notation/mask. The mask ranges from 16 to 26. When assigning an IP address to a client, the system carves out a smaller block with a /30 mask for that client to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections. The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 3.
      - NOTE: After the client CIDR block is modified, clients need to be reconnected.
    - Example value: 172.16.0.0/16
  - Tunnel Type
    - Description: SSL is a transport layer protocol used to establish a secure channel between a client and a server. The value is fixed at OpenVPN (SSL).
    - Example value: OpenVPN (SSL)
- Authentication Information
  - Server Certificate
    - Description: Select Service self-signed certificate.
    - Example value: Service self-signed certificate
  - Client Authentication Mode
    - Description: Select Federated authentication.
    - Example value: Federated authentication
  - Identity Provider
    - Description: Select an existing identity provider. If no identity provider is available, you can click Create Identity Provider in the drop-down list to create one on the IAM console. For details about how to create an identity provider, see Creating an IdP Entity.
    - Example value: Set this parameter based on the actual condition.
- Advanced Settings
  - Protocol
    - Description: Protocol used by P2C VPN connections. Options: TCP (default).
    - Example value: TCP
  - Port
    - Description: Port used by P2C VPN connections. Options: 443 (default) and 1194.
    - Example value: 443
  - Encryption Algorithm
    - Description: Encryption algorithm used by P2C VPN connections. Options: AES-128-GCM (default) and AES-256-GCM.
    - Example value: AES-128-GCM
  - Authentication Algorithm
    - Description: Authentication algorithm used by P2C VPN connections. When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256. When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.
    - Example value: SHA256
  - Compression
    - Description: Whether to compress the transmitted data. By default, this function is disabled and cannot be modified.
    - Example value: Disabled
Table 3 Recommended client CIDR blocks

| Number of VPN Connections | Recommended Client CIDR Block |
| --- | --- |
| 10 | CIDR blocks with a mask less than or equal to 26 (for example, 10.0.0.0/26 and 10.0.0.0/25) |
| 20 | CIDR blocks with a mask less than or equal to 25 (for example, 10.0.0.0/25 and 10.0.0.0/24) |
| 50 | CIDR blocks with a mask less than or equal to 24 (for example, 10.0.0.0/24 and 10.0.0.0/23) |
| 100 | CIDR blocks with a mask less than or equal to 23 (for example, 10.0.0.0/23 and 10.0.0.0/22) |
| 200 | CIDR blocks with a mask less than or equal to 22 (for example, 10.0.0.0/22 and 10.0.0.0/21) |
| 500 | CIDR blocks with a mask less than or equal to 21 (for example, 10.0.0.0/21 and 10.0.0.0/20) |
- Click OK.
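The address-planning rules for the Local CIDR Block and Client CIDR Block parameters in Table 2 (at most 20 local blocks, no 0.0.0.0, no overlap with the special blocks, a client mask between /16 and /26, one /30 per connected client, and no overlap with the local blocks or the VPC route table) are easy to get wrong in a console form and only surface as clients failing to connect. The following Python script is an added example, not code from Huawei Cloud or from the documentation; it encodes those rules so a plan can be checked before the server is configured. It assumes the caller passes the CIDR blocks currently present in the VPC route table, and all sample values in it are constructed.

```python
# Added example (not part of the Huawei Cloud documentation): pre-checks for the
# local and client CIDR blocks of a P2C VPN server, following the rules stated
# in Table 2 and Table 3. All sample values below are constructed.
import ipaddress

# Special blocks the local CIDR block must not overlap or conflict with
SPECIAL_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]
MAX_LOCAL_CIDRS = 20
CLIENT_MASK_MIN, CLIENT_MASK_MAX = 16, 26
ADDRESSES_PER_CLIENT = 4  # each connected client is assigned a /30 (4 addresses)


def check_local_cidrs(local_cidrs):
    """Return a list of rule violations for the local CIDR blocks ([] if all pass)."""
    problems = []
    if len(local_cidrs) > MAX_LOCAL_CIDRS:
        problems.append(f"{len(local_cidrs)} local CIDR blocks exceed the maximum of {MAX_LOCAL_CIDRS}")
    for cidr in local_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.network_address == ipaddress.ip_address("0.0.0.0"):
            problems.append(f"{cidr}: local CIDR block cannot be 0.0.0.0")
            continue
        for special in SPECIAL_BLOCKS:
            if net.overlaps(special):
                problems.append(f"{cidr}: overlaps special block {special}")
    return problems


def max_connections(client_cidr):
    """Number of clients a client CIDR block can serve when each client consumes a /30."""
    return ipaddress.ip_network(client_cidr, strict=False).num_addresses // ADDRESSES_PER_CLIENT


def check_client_cidr(client_cidr, local_cidrs, vpc_route_cidrs, connections):
    """Return a list of rule violations for the client CIDR block ([] if it passes).

    vpc_route_cidrs: CIDR blocks present in the route table of the VPC where the
    gateway sits (assumed to be supplied by the caller).
    """
    problems = []
    net = ipaddress.ip_network(client_cidr, strict=False)
    if not CLIENT_MASK_MIN <= net.prefixlen <= CLIENT_MASK_MAX:
        problems.append(f"{client_cidr}: mask /{net.prefixlen} is outside "
                        f"/{CLIENT_MASK_MIN} to /{CLIENT_MASK_MAX}")
    for cidr in list(local_cidrs) + list(vpc_route_cidrs):
        if net.overlaps(ipaddress.ip_network(cidr, strict=False)):
            problems.append(f"{client_cidr}: overlaps {cidr}")
    # Available addresses must be at least four times the number of connections
    capacity = max_connections(client_cidr)
    if capacity < connections:
        problems.append(f"{client_cidr}: serves at most {capacity} clients, "
                        f"fewer than the {connections} planned connections")
    return problems


if __name__ == "__main__":
    # Constructed plan using the Table 2 example values; the VPC route table is
    # assumed to contain only the VPC CIDR block.
    local = ["192.168.0.0/24"]
    vpc_routes = ["192.168.0.0/16"]
    print(check_local_cidrs(local))                                   # []
    print(check_client_cidr("172.16.0.0/16", local, vpc_routes, 10))  # []
    print(check_client_cidr("10.0.0.0/26", local, vpc_routes, 20))    # capacity violation
```

Run against Table 3, `max_connections` returns 16 for /26, 32 for /25, 64 for /24, 128 for /23, 256 for /22 and 512 for /21, which is why each recommended mask is the largest one that still leaves four addresses per planned connection. The route-table overlap check is the one most often skipped by hand: a client block that collides with a peered VPC's subnet is accepted by the form only if you forgot to list that route.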
- Download the client configuration.
- On the P2C VPN Gateways page, click Download Client Configuration in the Operation column of the target VPN gateway.
- Decompress the package to obtain the client_config.conf, client_config.ovpn, and README.md files.
- The client_config.conf file applies to the Linux operating system.
- The client_config.ovpn file applies to the Windows, macOS, and Android operating systems.
- Configure a client.
This example describes how to configure a client on the Windows operating system. The configuration process varies according to the type and version of the VPN client software.
- Operating system: Windows 10
- Client software: OpenVPN Connect 3.4.2 (3160)
Only clients running 3.4.0 and later versions support federated authentication.
For more client configuration cases, see Configuring a Client.
- Download OpenVPN Connect from the OpenVPN official website, and install it as prompted.
- Start the OpenVPN Connect client, click BROWSE on the FILE tab page, and upload the client configuration file.
Figure 1 Uploading a configuration file
- Click CONNECT to establish a VPN connection. If information similar to the following is displayed, the connection is successfully established.
Figure 2 Connection established
- Log in to the web client using the federated username and password.
- If the login page displays a message indicating that the authentication is successful, the VPN connection has been established successfully.
- If the login page displays a message indicating that the authentication fails, you can modify the configuration based on the error information. For details about the error information, see Troubleshooting.
Verification
- Open the CLI on the client device.
- Run the following command to verify the connectivity, where 192.168.1.10 is the IP address of an ECS (replace it with the actual IP address):
  ping 192.168.1.10
- If information similar to the following is displayed, the client can communicate with the ECS:
  Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
  Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
  Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
  Reply from xx.xx.xx.xx: bytes=32 time=27ms TTL=245