Configuring a Server

Scenario

A server provides configuration management and connection authentication capabilities. After a P2C VPN gateway is created, you need to complete the server configuration for it.

Prerequisites

The VPN gateway where a server is to be deployed has been created.

Limitations and Constraints

You can configure a server only when the VPN gateway is in Normal state.
A VPN gateway can have only one server associated.

Procedure

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
Click the P2C VPN Gateways tab. Then, click Configure Server in the Operation column of the target VPN gateway, or click the name of the target VPN gateway and click the Server tab.

Set parameters as prompted and click OK.

Table 1 describes the server parameters.

**Table 1** Server parameters
Area	Parameter	Description	Example Value
Basic Information	Local CIDR Block	Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC. A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8. Select subnet Select subnets of the local VPC. Enter CIDR block Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC. NOTE: After the local CIDR block is modified, clients need to be reconnected.	192.168.0.0/24
	Client CIDR Block	CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC to which the VPN gateway is located. The client CIDR block must be in the format of dotted decimal notation/mask. The mask ranges from 16 to 26. When assigning an IP address to a client, the system assigns a smaller CIDR block with the mask of 30 to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections. The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 2. NOTE: After the client CIDR block is modified, clients need to be reconnected.	172.16.0.0/16
	Tunnel Type	Secure Sockets Layer (SSL) is a transport layer protocol used to establish a secure channel between a client and a server. The value is fixed at OpenVPN (SSL).	OpenVPN (SSL)
Authentication Information	Server Certificate	SSL certificate of the server. Clients use this certificate to verify the server's identity. To use an uploaded certificate, select a certificate from the drop-down list box. To upload a new certificate, choose Upload from the drop-down list box to go to the Cloud Certificate Manager (CCM) service page. Upload a server certificate as prompted. For details, see Uploading an External Certificate. It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. NOTE: If you delete the referenced server certificate in CCM after configuring the server, the availability of the server certificate is not affected.	Set this parameter based on the actual condition.
Authentication Information	Client Authentication Mode	Mode in which the server verifies the client identity. The options include Certificate authentication and Password authentication (local). Select Certificate authentication. Click Upload Client CA Certificate, open the CA certificate file in .pem format as a text file, and copy the certificate content to the Content text box in the Upload Client CA Certificate dialog box. A maximum of 10 client CA certificates can be added. It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates. After a CA certificate is verified, you can view its basic information, including the name, serial number, signature algorithm, issuer, subject, and expiration time. Select Password authentication (local). Click the User Management and User Groups tabs in sequence, and click Create User Group. Click the User Management tab. On the Users tab page, click Create User. Click the Access Policies tab, and click Create Policy.	Set this parameter based on the actual condition.
Advanced Settings	Protocol	Protocol used by P2C VPN connections. TCP (default)	TCP
	Port	Port used by P2C VPN connections. 443 (default) 1194	443
	Encryption Algorithm	Encryption algorithm used by P2C VPN connections. AES-128-GCM (default) AES-256-GCM	AES-128-GCM
	Authentication Algorithm	Authentication algorithm used by P2C VPN connections. When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256. When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.	SHA256
	Compression	Whether to compress the transmitted data. By default, this function is disabled and cannot be modified.	Disabled

**Table 2** Recommended client CIDR blocks
Number of VPN Connections	Recommended Client CIDR Block
10	CIDR blocks with the mask less than or equal to 26 Example: 10.0.0.0/26 and 10.0.0.0/25
20	CIDR blocks with the mask less than or equal to 25 Example: 10.0.0.0/25 and 10.0.0.0/24
50	CIDR blocks with the mask less than or equal to 24 Example: 10.0.0.0/24 and 10.0.0.0/23
100	CIDR blocks with the mask less than or equal to 23 Example: 10.0.0.0/23 and 10.0.0.0/22
200	CIDR blocks with the mask less than or equal to 22 Example: 10.0.0.0/22 and 10.0.0.0/21
500	CIDR blocks with the mask less than or equal to 21 Example: 10.0.0.0/21 and 10.0.0.0/20