Updated on 2025-11-13 GMT+08:00

Procedure

Prerequisites

  • Cloud side
    • A VPC has been created. For details, see Creating a VPC and Subnet.
    • Security group rules have been configured for the VPC, and ECSs can communicate with other devices on the cloud. For details about how to configure security group rules, see Security Group Rules.
  • Data center side

    The VPN client software has been configured on a user terminal. For details, see Administrator Guide.

Precautions

Changing the client authentication mode will interrupt existing VPN connections. Exercise caution when performing this operation.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Management & Governance > Identity and Access Management.
  4. Create a user group, grant permission to the user group, and create an IAM user.

    1. Create a user group.
      1. Choose User Groups from the navigation pane.
      2. On the User Groups page, click Create User Group.
      3. Configure user group information, such as the user group name.
      4. Click OK. The user group is created.

        You can view the created user group in the user group list.

    2. Grant permission to the user group.
      1. Click Authorize in the Operation column of the created user group.
      2. In the search box in the upper right corner, search for VPN SSOAccessPolicy and select it.
      3. Click Next and select the authorization scope as required.
      4. Click OK. The permission is granted to the user group.
    3. Create an IAM user.
      1. Choose Users from the navigation pane.
      2. On the Users page, click Create User.
      3. Configure user information as prompted.

        For details about how to configure user information, see Creating an IAM User.

      4. Click Next.
      5. (Optional) Select the user group to which the user is to be added.

        After being added to a user group, a user inherits the permission granted to the user group.

  5. Click in the upper left corner, and choose Networking > Virtual Private Network.
  6. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  7. Click the P2C VPN Gateways tab. The P2C VPN gateway list is displayed.
  8. Configure a VPN gateway.

    1. On the P2C VPN Gateways page, click Buy P2C VPN Gateway.
    2. Set parameters as prompted and click Buy Now.

      Table 1 describes the VPN gateway parameters.

      Table 1 Description of VPN gateway parameters

      Region
        Description: For low network latency and fast resource access, select the region nearest to your target users. Resources cannot be shared across regions.
        Example value: Set this parameter based on the actual condition.

      Name
        Description: Enter the name of a VPN gateway.
        Example value: p2c-vpngw-001

      VPC
        Description: Select a VPC.
        Example value: vpc-001(192.168.0.0/16)

      Interconnection Subnet
        Description: This subnet is used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has three or more assignable IP addresses.
        Example value: 192.168.66.0/24

      Specification
        Description: Two options are available: Professional 1 and Professional 2. For details about the differences between specifications, see Specifications Introduction.
        Example value: Professional 1

      AZ
        Description: An AZ is a geographic location with independent power supply and network facilities in a region. AZs in the same VPC are interconnected through private networks and are physically isolated.
          • If two or more AZs are available, select two AZs. A VPN gateway deployed in two AZs has higher availability. You are advised to select the AZs where resources in the VPC are located.
          • If only one AZ is available, select this AZ.
        Example value: AZ1, AZ2

      Connections
        Description: Ten VPN connections are included free of charge with the purchase of a VPN gateway. You can select or customize the number of required VPN connections.
        Example value: 10

      EIP
        Description: Set the EIP used by the VPN gateway to communicate with clients.
          • Create now: Buy a new EIP. The billing mode of a new EIP is pay-per-use.
          • Use existing: Use an existing EIP. Only EIPs with dedicated bandwidth are supported.
            NOTE: If an existing EIP is used, its billing mode can be pay-per-use or yearly/monthly.
        Example value: Create now

      EIP Type
        Description: This parameter is available only when a new EIP is created. Dynamic BGP: Dynamic BGP provides automatic failover and chooses the optimal path when a network connection fails. For more information about EIP types, see What Is Elastic IP?.
        Example value: Dynamic BGP

      Bandwidth (Mbit/s)
        Description: This parameter is available only when a new EIP is created. Specify the bandwidth of the EIP.
          • All VPN connections created using the EIP share the bandwidth of the EIP. The total bandwidth consumed by all the VPN connections cannot exceed the bandwidth of the EIP. If network traffic exceeds the bandwidth of the EIP, network congestion may occur and VPN connections may be interrupted. As such, ensure that you configure enough bandwidth.
          • You can configure alarm rules on Cloud Eye to monitor the bandwidth.
          • You can customize the bandwidth within the allowed range.
          • Some regions support only 300 Mbit/s bandwidth by default. If higher bandwidth is required, select 300 Mbit/s bandwidth and then submit a service ticket for capacity expansion.
        Example value: 20 Mbit/s

      Bandwidth Name
        Description: This parameter is available only when a new EIP is created. Specify the name of the EIP bandwidth.
        Example value: p2c-vpngw-bandwidth1

  9. Configure a server.

    1. On the P2C VPN Gateways page, click Configure Server in the Operation column of the target VPN gateway. Alternatively, click the name of the target VPN gateway and then click the Server tab.
    2. Set parameters as prompted and click OK.

      Table 2 describes the server parameters.

      Table 2 Server parameters

      Area: Basic Information

      Local CIDR Block
        Description: Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC. A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.
          • Select subnet: select subnets of the local VPC.
          • Enter CIDR block: enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.
          NOTE: After the local CIDR block is modified, clients need to be reconnected.
        Example value: 192.168.0.0/24

      Client CIDR Block
        Description: CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC where the VPN gateway is located. The client CIDR block must be in the format of dotted decimal notation/mask. The mask ranges from 16 to 26. When assigning an IP address to a client, the system assigns a smaller CIDR block with the mask of 30 to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections. The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 3.
          NOTE: After the client CIDR block is modified, clients need to be reconnected.
        Example value: 172.16.0.0/16

      Tunnel Type
        Description: SSL is a transport layer protocol used to establish a secure channel between a client and a server. The value is fixed at OpenVPN (SSL).
        Example value: OpenVPN (SSL)

      Area: Authentication Information

      Server Certificate
        Description: Select Service self-signed certificate.
        Example value: Service self-signed certificate

      Client Authentication Mode
        Description: Select IAM authentication.
        Example value: IAM authentication

      Area: Advanced Settings

      Protocol
        Description: Protocol used by P2C VPN connections. Option: TCP (default).
        Example value: TCP

      Port
        Description: Port used by P2C VPN connections. Options: 443 (default) and 1194.
        Example value: 443

      Encryption Algorithm
        Description: Encryption algorithm used by P2C VPN connections. Options: AES-128-GCM (default) and AES-256-GCM.
        Example value: AES-128-GCM

      Authentication Algorithm
        Description: Authentication algorithm used by P2C VPN connections. When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256. When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.
        Example value: SHA256

      Compression
        Description: Whether to compress the transmitted data. By default, this function is disabled and cannot be modified.
        Example value: Disabled

      Table 3 Recommended client CIDR blocks

      • 10 VPN connections: CIDR blocks with the mask less than or equal to 26 (example: 10.0.0.0/26 and 10.0.0.0/25)
      • 20 VPN connections: CIDR blocks with the mask less than or equal to 25 (example: 10.0.0.0/25 and 10.0.0.0/24)
      • 50 VPN connections: CIDR blocks with the mask less than or equal to 24 (example: 10.0.0.0/24 and 10.0.0.0/23)
      • 100 VPN connections: CIDR blocks with the mask less than or equal to 23 (example: 10.0.0.0/23 and 10.0.0.0/22)
      • 200 VPN connections: CIDR blocks with the mask less than or equal to 22 (example: 10.0.0.0/22 and 10.0.0.0/21)
      • 500 VPN connections: CIDR blocks with the mask less than or equal to 21 (example: 10.0.0.0/21 and 10.0.0.0/20)

    3. Click OK.

  10. Download the client configuration.

    1. On the P2C VPN Gateways page, click Download Client Configuration in the Operation column of the target VPN gateway.
    2. Decompress the package to obtain the client_config.conf, client_config.ovpn, and README.md files.
      • The client_config.conf file applies to the Linux operating system.
      • The client_config.ovpn file applies to the Windows, macOS, and Android operating systems.

  11. Configure a client.

    This example describes how to configure a client on the Windows operating system. The configuration process varies according to the type and version of the VPN client software.

    • Operating system: Windows 10
    • Client software: OpenVPN Connect 3.4.2 (3160)

      Only clients running 3.4.0 and later versions support IAM authentication.

    For more client configuration cases, see Configuring a Client.

    1. Download OpenVPN Connect from the OpenVPN official website, and install it as prompted.
    2. Start the OpenVPN Connect client, click BROWSE on the FILE tab page, and upload the client configuration file.
      Figure 1 Uploading a configuration file
    3. Click CONNECT to establish a VPN connection. If information similar to the following is displayed, the connection is successfully established.
      Figure 2 Connection established
    4. Use the IAM username and password to log in to the web client.
      • If the login page displays a message indicating that the authentication is successful, the VPN connection has been established successfully.
      • If the login page displays a message indicating that the authentication fails, you can modify the configuration based on the error information. For details about the error information, see Troubleshooting.
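The Local CIDR Block and Client CIDR Block rules from step 9 (Table 2 and Table 3) are the parameters most often entered wrongly, and a mistake only shows up after clients fail to reach the ECSs. The following Python script is an added example, not Huawei Cloud code, that checks a planned configuration offline before it is entered in the console: the 20-block limit, the 0.0.0.0 and special-block restrictions, the /16 to /26 client mask range, overlap with local blocks and VPC routes, and the one-/30-per-client capacity rule (which also reproduces the recommended masks in Table 3). The sample values at the bottom are constructed and mirror the example values in Table 2; the VPC route entry is a hypothetical one.

```python
"""Pre-check for the Local CIDR Block and Client CIDR Block parameters.

Added example, not Huawei Cloud code. It encodes the rules stated in Table 2:
at most 20 local blocks, none set to 0.0.0.0, none overlapping the special
blocks 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4 and 127.0.0.0/8; a client block
with a mask from /16 to /26, disjoint from the local blocks and VPC routes,
with one /30 (four addresses) per planned connection.
"""
import ipaddress
from typing import Iterable, List

SPECIAL_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]
MAX_LOCAL_BLOCKS = 20
CLIENT_MASK_MIN, CLIENT_MASK_MAX = 16, 26
ADDRESSES_PER_CLIENT = 4  # each client is assigned a /30


def check_local_cidrs(local_cidrs: Iterable[str]) -> List[str]:
    """Return the problems found with the local CIDR blocks (empty list = OK)."""
    problems, nets = [], []
    for cidr in local_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"{cidr}: not a valid CIDR block")
            continue
        if net.network_address == ipaddress.ip_address("0.0.0.0"):
            problems.append(f"{cidr}: the local CIDR block cannot be set to 0.0.0.0")
        for special in SPECIAL_BLOCKS:
            if net.overlaps(special):
                problems.append(f"{cidr}: overlaps special block {special}")
        nets.append(net)
    if len(nets) > MAX_LOCAL_BLOCKS:
        problems.append(f"{len(nets)} local CIDR blocks exceed the maximum of {MAX_LOCAL_BLOCKS}")
    return problems


def max_connections(client_cidr: str) -> int:
    """Connections a client block can serve when each client gets a /30."""
    return ipaddress.ip_network(client_cidr, strict=False).num_addresses // ADDRESSES_PER_CLIENT


def recommended_max_mask(connections: int) -> int:
    """Largest mask whose block still holds one /30 per connection (reproduces Table 3)."""
    mask = CLIENT_MASK_MAX
    while mask >= CLIENT_MASK_MIN and (2 ** (32 - mask)) // ADDRESSES_PER_CLIENT < connections:
        mask -= 1
    if mask < CLIENT_MASK_MIN:
        raise ValueError(f"a /{CLIENT_MASK_MIN} client block cannot serve {connections} connections")
    return mask


def check_client_cidr(client_cidr: str, connections: int,
                      local_cidrs: Iterable[str], vpc_routes: Iterable[str] = ()) -> List[str]:
    """Return the problems found with the client CIDR block (empty list = OK)."""
    try:
        net = ipaddress.ip_network(client_cidr, strict=False)
    except ValueError:
        return [f"{client_cidr}: not a valid CIDR block"]
    problems = []
    if not CLIENT_MASK_MIN <= net.prefixlen <= CLIENT_MASK_MAX:
        problems.append(f"{client_cidr}: mask must be between /{CLIENT_MASK_MIN} and /{CLIENT_MASK_MAX}")
    # The client block must be disjoint from the local blocks and from the VPC route table.
    for other in (*local_cidrs, *vpc_routes):
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{client_cidr}: overlaps {other}")
    capacity = max_connections(client_cidr)
    if capacity < connections:
        problems.append(f"{client_cidr}: room for {capacity} clients, {connections} connections planned")
    return problems


if __name__ == "__main__":
    # Constructed sample input mirroring the example values in Table 2.
    local = ["192.168.0.0/24"]
    routes = ["192.168.0.0/16"]  # hypothetical entry from the VPC route table
    for client, n in (("172.16.0.0/16", 10), ("192.168.10.0/26", 10), ("10.0.0.0/26", 20)):
        issues = check_local_cidrs(local) + check_client_cidr(client, n, local, routes)
        print(f"{client} for {n} connections:", "OK" if not issues else issues)
    print("recommended mask for 50 connections: /%d" % recommended_max_mask(50))
```

Run it with the planned values before buying the gateway; the second and third sample inputs are deliberately wrong (the client block falls inside the VPC route, and a /26 only holds 16 clients) to show what a failing check reports. Remember that, as Table 2 notes, changing either CIDR block later forces all clients to reconnect.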

Verification

  1. Press Win+R and enter cmd to open the CLI of the client device.
  2. Run the following command to verify the connectivity:

    ping 192.168.1.10

    192.168.1.10 is the IP address of an ECS. Replace it with the actual IP address.

  3. If information similar to the following is displayed, the client can communicate with the ECS:
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=28ms TTL=245
    Reply from xx.xx.xx.xx: bytes=32 time=27ms TTL=245