Updated on 2025-07-11 GMT+08:00

Overview

Supported Regions

The supported regions are subject to those available on the console.

Scenario

Enterprise employee A is on a business trip and needs to access a service website whose server is deployed on Huawei Cloud. Employee A wants to use a VPN client on a PC to access this website server.

Notes and Constraints

  • The client CIDR block cannot overlap with the destination CIDR block in the VPC to be accessed, and cannot contain reserved CIDR blocks such as 100.64.0.0/10, 100.64.0.0/12, and 214.0.0.0/8. The reserved CIDR blocks vary according to regions and are subject to those displayed on the console.

    If you need to use 100.64.0.0/10 or 100.64.0.0/12, submit a service ticket.

  • The client device can access the Internet.
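The CIDR constraints above can be checked before the server is configured. The following Python script is an added example, not part of the original page or of Huawei Cloud tooling. It validates the values from the Table 1 data plan, and it assumes that any overlap with a reserved block counts as a violation; `already_used` is a hypothetical input.

```python
import ipaddress

# Reserved blocks listed on this page; the console for your region is authoritative.
RESERVED_CIDRS = ("100.64.0.0/10", "100.64.0.0/12", "214.0.0.0/8")
MIN_INTERCONNECT_ADDRESSES = 3  # "three or more assignable IP addresses"


def usable_addresses(subnet, already_used=0):
    """Upper bound on assignable IPv4 addresses in a subnet.

    already_used is a hypothetical input: addresses consumed by existing
    resources or held back by the platform, which this script cannot see.
    """
    net = ipaddress.ip_network(subnet)
    hosts = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return max(hosts - already_used, 0)


def check_plan(client_cidr, destination_cidrs, interconnect_subnet,
               reserved=RESERVED_CIDRS, already_used=0):
    """Return a list of violations; an empty list means the plan passes."""
    client = ipaddress.ip_network(client_cidr)  # ValueError if host bits are set
    problems = []
    for dest in destination_cidrs:
        if client.overlaps(ipaddress.ip_network(dest)):
            problems.append(f"client {client} overlaps destination {dest}")
    for block in reserved:
        # Assumption: any overlap with a reserved block is treated as a violation.
        if client.overlaps(ipaddress.ip_network(block)):
            problems.append(f"client {client} overlaps reserved {block}")
    free = usable_addresses(interconnect_subnet, already_used)
    if free < MIN_INTERCONNECT_ADDRESSES:
        problems.append(f"{interconnect_subnet} has only {free} usable addresses")
    return problems


if __name__ == "__main__":
    # Values from Table 1 of this page: client CIDR, local CIDR and VPC subnet,
    # interconnection subnet.
    plan = check_plan("172.16.0.0/16", ["192.168.1.0/24", "192.168.0.0/16"],
                      "192.168.2.0/24")
    print("data plan OK" if not plan else "\n".join(plan))
    # Constructed bad plan: reserved client range and a /30 interconnection subnet.
    for problem in check_plan("100.64.0.0/16", ["192.168.1.0/24"], "192.168.2.0/30"):
        print("violation:", problem)
```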

Prerequisites

Data Plan

Table 1 Data plan

| Category | Item | Data |
|---|---|---|
| VPC | Subnet to be interconnected | 192.168.0.0/16 |
| VPN gateway | Interconnection subnet | Subnet used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has three or more assignable IP addresses. 192.168.2.0/24 |
| VPN gateway | Maximum number of connections | 10 |
| VPN gateway | EIP | An EIP is automatically generated when you buy it. In this example, the EIP 11.xx.xx.11 is generated. |
| Server | Local CIDR block | 192.168.1.0/24 |
| Server | Server certificate | cert-server (name of the server certificate hosted by the CCM) |
| Server | SSL parameters | Protocol: TCP; Port: 443; Encryption algorithm: AES-128-GCM; Authentication algorithm: SHA256; Compression: disabled |
| Client | Client CIDR block | 172.16.0.0/16 |
| Client | Client authentication mode | Default mode: password authentication (local). User group: Name: default. User: Name: Test_01; Password: Set it based on the site requirements; User group: default. Access policy: Name: default; User group: default; Destination CIDR block: 0.0.0.0/0 |

Operation Process

Figure 1 shows the process of configuring the VPN service to allow a client to remotely access a VPC.

Figure 1 Operation process

Table 2 Operation process description

| No. | Step | Description |
|---|---|---|
| 1 | Step 1: Creating a VPN Gateway | A VPN gateway needs to have an EIP bound. If you have purchased an EIP, you can directly bind it to the VPN gateway. If you have not purchased an EIP, you can create one and bind it to the VPN gateway. |
| 2 | Step 2: Configuring a Server | Specify the CIDR block used by the client (client CIDR block) to access a specified destination CIDR block (local CIDR block). Select the server certificate and client authentication mode used for identity authentication during VPN connection establishment. The server certificate can be a service self-signed certificate or an existing certificate. The client authentication mode can be set to Certificate authentication or Password authentication (local). Configure SSL parameters (such as the protocol, port, authentication algorithm, and encryption algorithm) for the VPN connection. |
| 3 | Step 3: Configuring a Client | Download the client configuration from the management console, modify the configuration file as required, and import it to the VPN client. |
| 4 | Step 4: Verifying Connectivity | Open the command-line interface (CLI) on the client device, and run the ping command to verify the connectivity. |