Updated on 2024-11-07 GMT+08:00

Procedure

Prerequisites

  • Cloud side
    • A VPC has been created. For details about how to create a VPC, see Creating a VPC and Subnet.
    • Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see Security Group Rules.
  • Data center side
    • The VPN client software has been configured on a user terminal. For details, see Administrator Guide.

Limitations and Constraints

A maximum of 10 client CA certificates can be added.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. Configure a VPN gateway.

    1. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    2. Click the P2C VPN Gateways tab, and then click Buy P2C VPN Gateway.
    3. Set parameters as prompted and click Buy Now.

      Table 1 describes the VPN gateway parameters.

      Table 1 Description of VPN gateway parameters

      Parameter

      Description

      Example Value

      Region

      For low network latency and fast resource access, select the region nearest to your target users.

      Resources cannot be shared across regions.

      Set this parameter based on the actual condition.

      Name

      Enter the name of a VPN gateway.

      p2c-vpngw-001

      VPC

      Select a VPC.

      vpc-001(192.168.0.0/16)

      Interconnection Subnet

      This subnet is used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has three or more assignable IP addresses.

      192.168.66.0/24

      Specification

      Only Professional 1 is supported.

      • Maximum bandwidth: 300 Mbit/s
      • Maximum number of VPN connections: 500

      Professional 1

      AZ

      An availability zone (AZ) is a geographic location with independent power supply and network facilities in a region. AZs in the same VPC are interconnected through private networks and are physically isolated.

      • If two or more AZs are available, select two AZs.

        The VPN gateway deployed in two AZs has higher availability. You are advised to select the AZs where resources in the VPC are located.

      • If only one AZ is available, select this AZ.

      AZ1, AZ2

      Connections

      Ten VPN connections are included free of charge with the purchase of a VPN gateway. You can select or customize the number of required VPN connections.

      10

      EIP

      Set the EIP used by the VPN gateway to communicate with clients.

      • Create now: Buy a new EIP. The billing mode of a new EIP is pay-per-use.
      • Use existing: Use an existing EIP. Only EIPs with dedicated bandwidth are supported.
        NOTE:

        If an existing EIP is used, its billing mode can be pay-per-use or yearly/monthly.

      Create now

      EIP Type

      This parameter is available only when a new EIP is created.

      Dynamic BGP: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails.

      For more information about EIP types, see What Is an EIP?.

      Dynamic BGP

      Bandwidth (Mbit/s)

      This parameter is available only when a new EIP is created.

      Specify the bandwidth of the EIP.

      • All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP.

        If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth.

      • You can configure alarm rules on Cloud Eye to monitor the bandwidth.
      • You can customize the bandwidth within the allowed range.
      • Some regions support only 300 Mbit/s bandwidth by default. If higher bandwidth is required, select 300 Mbit/s bandwidth and then submit a service ticket for capacity expansion.

      20 Mbit/s

      Bandwidth Name

      This parameter is available only when a new EIP is created.

      Specify the name of the EIP bandwidth.

      p2c-vpngw-bandwidth1

  5. Configure a server.

    1. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    2. Click the P2C VPN Gateways tab. Then, click Configure Server in the Operation column of the target VPN gateway, or click the name of the target VPN gateway and click the Server tab.
    3. Set parameters as prompted and click OK.

      Table 2 describes the server parameters.

      Table 2 Server parameters

      Area

      Parameter

      Description

      Example Value

      Basic Information

      Local CIDR Block

      Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC.

      A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.

      • Select subnet

        Select subnets of the local VPC.

      • Enter CIDR block

        Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.

      NOTE:

      After the local CIDR block is modified, clients need to be reconnected.

      192.168.0.0/24

      Client CIDR Block

      CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC where the VPN gateway is located.

      The client CIDR block must be in the format of dotted decimal notation/mask. The mask ranges from 16 to 26. When assigning an IP address to a client, the system assigns a smaller CIDR block with the mask of 30 to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections.

      The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 3.

      NOTE:

      After the client CIDR block is modified, clients need to be reconnected.

      172.16.0.0/16

      Tunnel Type

      Secure Sockets Layer (SSL) is a transport layer protocol used to establish a secure channel between a client and a server.

      The value is fixed at OpenVPN (SSL).

      OpenVPN (SSL)

      Authentication Information

      Server Certificate

      SSL certificate of the server. Clients use this certificate to verify the server's identity.

      • To use an uploaded certificate, select it from the drop-down list box.
      • To upload a new certificate, choose Upload from the drop-down list box to go to the Cloud Certificate Manager (CCM) service page. Upload a server certificate as prompted. For details, see Uploading an External Certificate.
      • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
      NOTE:

      If you delete the referenced server certificate in CCM after configuring the server, the availability of the server certificate is not affected.

      Set this parameter based on the actual condition.

      Client Authentication Mode

      Select Certificate authentication.
      • Click Upload Client CA Certificate, open the CA certificate file in PEM format as a text file, and copy the certificate content to the Content text box in the Upload Client CA Certificate dialog box. A maximum of 10 client CA certificates can be added.

        It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates.

      • After a CA certificate is verified, you can view its basic information, including the name, serial number, signature algorithm, issuer, subject, and expiration time.
      NOTE:

      After the CA certificate is deleted, clients cannot connect to the server.

      Certificate authentication

      Advanced Settings

      Protocol

      Protocol used by P2C VPN connections.

      • TCP (default)

      TCP

      Port

      Port used by P2C VPN connections.

      • 443 (default)
      • 1194

      443

      Encryption Algorithm

      Encryption algorithm used by P2C VPN connections.

      • AES-128-GCM (default)
      • AES-256-GCM

      AES-128-GCM

      Authentication Algorithm

      Authentication algorithm used by P2C VPN connections.

      • When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256.
      • When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.

      SHA256

      Compression

      Whether to compress the transmitted data.

      By default, this function is disabled and cannot be modified.

      Disabled

      Table 3 Recommended client CIDR blocks

      Number of VPN Connections

      Recommended Client CIDR Block

      10

      CIDR blocks with the mask less than or equal to 26

      Example: 10.0.0.0/26 and 10.0.0.0/25

      20

      CIDR blocks with the mask less than or equal to 25

      Example: 10.0.0.0/25 and 10.0.0.0/24

      50

      CIDR blocks with the mask less than or equal to 24

      Example: 10.0.0.0/24 and 10.0.0.0/23

      100

      CIDR blocks with the mask less than or equal to 23

      Example: 10.0.0.0/23 and 10.0.0.0/22

      200

      CIDR blocks with the mask less than or equal to 22

      Example: 10.0.0.0/22 and 10.0.0.0/21

      500

      CIDR blocks with the mask less than or equal to 21

      Example: 10.0.0.0/21 and 10.0.0.0/20

    4. Upload a server certificate.
      1. On the Server tab page, click Upload in the Server Certificate drop-down list box. The Cloud Certificate Manager page is displayed.
      2. On the SSL Certificate Manager page, click the Hosted Certificates tab, click Upload Certificate, and enter related information as prompted.
        Table 4 describes the parameters for uploading a certificate.
        Table 4 Parameters for uploading an international standard certificate

        Parameter

        Description

        Certificate standard

        Select International.

        Certificate Name

        User-defined name of a certificate.

        Enterprise Project

        Select the enterprise project to which the SSL certificate is to be added.

        Certificate File

        Use a text editor (for example, Notepad++) to open the certificate file in PEM format to be uploaded, and copy the certificate content to this text box.

        You need to upload a combined certificate file that contains both the server certificate content and CA certificate content. The CA certificate content must be pasted below the server certificate content.

        For the format of the certificate file content to be uploaded, see Figure 1.

        Private Key

        Use a text editor (for example, Notepad++) to open the certificate file in KEY format to be uploaded, and copy the private key content to this text box.

        You only need to upload the private key of the server certificate.

        For the format of the private key content to be uploaded, see Figure 1.

        Figure 1 Format of the certificate content to be uploaded

        The common name (CN) of a server certificate must be in the domain name format.

      3. Click Submit. The certificate is uploaded.
      4. In the certificate list, verify that the certificate status is Hosted.
    5. Upload a client CA certificate.
      1. On the Server tab page, choose Certificate authentication from the Client Authentication Mode drop-down list box, and click Upload Client CA Certificate.
      2. Set parameters as prompted.
        Table 5 Parameters for uploading a CA certificate

        Parameter

        Description

        Example Value

        Name

        This parameter can be modified.

        ca-cert-xxxx

        Content

        Use a text editor (for example, Notepad++) to open the signature certificate file in PEM format, and copy the certificate content to this text box.

        NOTE:
        • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
        • Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates.

        -----BEGIN CERTIFICATE-----

        Certificate content

        -----END CERTIFICATE-----

      3. Click OK.

        A maximum of 10 client CA certificates can be added.

  6. Download the client configuration.

    1. Log in to the management console.
    2. Click in the upper left corner and select the desired region and project.
    3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
    4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    5. Click the P2C VPN Gateways tab. In the VPN gateway list, locate the target VPN gateway, and click Download Client Configuration in the Operation column.

      Decompress the package to obtain the client_config.conf, client_config.ovpn, and README.md files.

      • The client_config.conf file applies to the Linux operating system.
      • The client_config.ovpn file applies to the Windows, macOS, and Android operating systems.

  7. Add certificate information.

    1. Use a text editor (for example, Notepad++) to open the client_config.ovpn file.
    2. Enter the client certificate content and the corresponding private key in between <cert></cert> and <key></key> tags, respectively.
      <cert>
      Client certificate content
      </cert>
      <key>
      Private key of the client certificate
      </key>
    3. Save the file and exit.

  8. Configure a client.

    This example describes how to configure a client on the Windows operating system. The configuration process varies according to the type and version of the VPN client software.

    • Operating system: Windows 10
    • Client software: OpenVPN Connect 3.4.2 (3160)
    1. Download OpenVPN Connect from the OpenVPN official website, and install it as prompted.
    2. Start the OpenVPN Connect client, click BROWSE on the FILE tab page, and upload the client configuration file.
      Figure 2 Uploading a configuration file
    3. Click CONNECT to establish a VPN connection. If information similar to the following is displayed, the connection is successfully established.
      Figure 3 Connection established

Verification

  1. Open the CLI on the client device.
  2. Run the ping 192.168.1.10 command to test connectivity.

    192.168.1.10 is the IP address of an ECS. Replace it with the actual IP address.

  3. If information similar to the following is displayed, the client can communicate with the ECS:
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=27ms TTL=245