Updated on 2024-12-03 GMT+08:00

Overview

Supported Regions

The supported regions are subject to those available on the console.

Scenario

Enterprise employee A, who is on a business trip, needs to access a service website whose server is deployed on Huawei Cloud. Employee A wants to use a VPN client on a PC to access this website server.

To meet business development requirements, enterprise A also needs to enable communication between its on-premises data center and its VPC. In this case, enterprise A can use the VPN service to create connections between the on-premises data center and the VPC.

Limitations and Constraints

  • The client CIDR block cannot overlap with the destination CIDR block in the VPC to be accessed, and cannot contain special CIDR blocks such as 100.64.0.0/10 and 214.0.0.0/8.
  • The client device must be able to access the Internet.

Prerequisites

Data Plan

Table 1 Data plan (category, item, and data)

  • VPC
    • Subnet to be interconnected: 192.168.0.0/16
  • VPN gateway
    • Interconnection subnet: 192.168.2.0/24
      This is the subnet used for communication between the VPN gateway and the VPC. Ensure that the selected interconnection subnet has three or more assignable IP addresses.
    • Maximum number of connections: 10
    • EIP: an EIP is automatically assigned when you buy one. In this example, the EIP 11.xx.xx.11 is assigned.
  • Server
    • Local CIDR block: 192.168.1.0/24
    • Server certificate: cert-server (name of the server certificate hosted by the CCM, Cloud Certificate Manager)
    • SSL parameters
      • Protocol: TCP
      • Port: 443
      • Encryption algorithm: AES-128-GCM
      • Authentication algorithm: SHA256
      • Compression: disabled
  • Client
    • Client CIDR block: 172.16.0.0/16
    • Client authentication mode: password authentication (local), which is the default mode
      • User group
        • Name: Testgroup_01
      • User
        • Name: Test_01
        • Password: Set it based on the site requirements.
        • User group: Testgroup_01
      • Access policy
        • Name: Policy_01
        • Destination CIDR block: 192.168.1.0/24
        • User group: Testgroup_01
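The data plan above has to satisfy the constraints stated earlier on this page (the client CIDR block must not overlap the destination CIDR block and must not contain blocks such as 100.64.0.0/10 or 214.0.0.0/8; the interconnection subnet needs at least three assignable addresses). The following script is an added example, not part of the Huawei Cloud documentation or console, that checks a plan before anything is created. It reads the page's values, and it also applies two checks the page only implies: that the access policy's destination CIDR block lies inside the server's local CIDR block, and that the policy's user group actually exists among the configured users. The `USERS` and `POLICIES` structures are this example's own representation, and `reserved` (addresses the VPC keeps back in a subnet) is an assumed parameter, not a value from the page.

```python
from ipaddress import IPv4Network

# Values from Table 1 on the page.
VPC_SUBNET = IPv4Network("192.168.0.0/16")
INTERCONNECTION_SUBNET = IPv4Network("192.168.2.0/24")
LOCAL_CIDR = IPv4Network("192.168.1.0/24")          # destination the client accesses
CLIENT_CIDR = IPv4Network("172.16.0.0/16")

# Special blocks the client CIDR block must not contain (from the Limitations section).
SPECIAL_BLOCKS = (IPv4Network("100.64.0.0/10"), IPv4Network("214.0.0.0/8"))

# Assumed representation of the user / user-group / access-policy data (not a Huawei API).
USERS = {"Test_01": "Testgroup_01"}                 # user name -> user group
POLICIES = (
    {"name": "Policy_01", "destination": "192.168.1.0/24", "group": "Testgroup_01"},
)


def check_data_plan(vpc, interconnect, local, client,
                    policies=POLICIES, users=USERS,
                    special=SPECIAL_BLOCKS, reserved=2):
    """Return a list of problems; an empty list means the plan passes every check.

    `reserved` is an assumption: the number of addresses in the interconnection
    subnet that cannot be assigned (network and broadcast here). The real count
    also depends on what the VPC reserves and what is already in use, so the
    "three or more assignable addresses" check is an upper-bound sanity check.
    """
    problems = []

    # Constraint 1: client CIDR block must not overlap the destination CIDR block.
    if client.overlaps(local):
        problems.append(f"client CIDR block {client} overlaps the destination CIDR block {local}")
    elif client.overlaps(vpc):
        # Stricter than the page's wording: any overlap with the VPC breaks routing too.
        problems.append(f"client CIDR block {client} overlaps the VPC subnet {vpc}")

    # Constraint 2: client CIDR block must not contain (i.e. overlap) the special blocks.
    for blk in special:
        if client.overlaps(blk):
            problems.append(f"client CIDR block {client} overlaps special block {blk}")

    # Interconnection subnet must be a subnet of the VPC and leave >= 3 assignable addresses.
    if not interconnect.subnet_of(vpc):
        problems.append(f"interconnection subnet {interconnect} is not inside the VPC {vpc}")
    assignable = interconnect.num_addresses - reserved
    if assignable < 3:
        problems.append(f"interconnection subnet {interconnect} has only {assignable} assignable addresses")

    # Access policy sanity checks (this example's own, implied by the data plan).
    groups = set(users.values())
    for pol in policies:
        dest = IPv4Network(pol["destination"])
        if not dest.subnet_of(local):
            problems.append(f"policy {pol['name']} destination {dest} is outside the local CIDR block {local}")
        if pol["group"] not in groups:
            problems.append(f"policy {pol['name']} references unknown user group {pol['group']}")

    return problems


if __name__ == "__main__":
    issues = check_data_plan(VPC_SUBNET, INTERCONNECTION_SUBNET, LOCAL_CIDR, CLIENT_CIDR)
    print("data plan OK" if not issues else "\n".join(issues))
```

Run it before buying the gateway; the page's plan passes, while a client CIDR block such as 192.168.0.0/16 (overlapping the VPC) or 100.64.0.0/16 (inside a special block) is reported.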

Operation Process

Figure 1 shows the process of configuring the VPN service to allow a client to remotely access a VPC.

Figure 1 Operation process
Table 2 Operation process description

  1. Step 1: Creating a VPN Gateway
     A VPN gateway must have an EIP bound to it. If you have already purchased an EIP, you can bind it directly to the VPN gateway.
  2. Step 2: Configuring a Server
     • Specify the CIDR block used by the client (client CIDR block) to access a specified destination CIDR block (local CIDR block).
     • Select the server certificate and client authentication mode used for identity authentication during VPN connection establishment.
       The client authentication mode can be set to Certificate authentication or Password authentication (local).
     • Configure SSL parameters (such as the protocol, port, authentication algorithm, and encryption algorithm) for the VPN connection.
  3. Step 3: Configuring a Client
     Download the client configuration from the management console, modify the configuration file as required, and import it into the VPN client.
  4. Step 4: Verifying Connectivity
     Open the command-line interface (CLI) on the client device and run the ping command to verify connectivity.
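Step 3 tells you to modify the downloaded client configuration "as required", and Step 4 only proves that packets flow. Neither step confirms that the profile the client will import still matches the SSL parameters chosen in Step 2 (TCP, port 443, AES-128-GCM, SHA256, compression disabled). The check below is an added example, not code from the Huawei Cloud documentation or console. It assumes the client configuration is an OpenVPN-style profile (`proto`, `remote`, `cipher`, `auth`, and the `comp-lzo`/`compress` directives are real OpenVPN directives; that the console's file uses this format is this example's assumption), and the sample profile text is constructed here, with the page's masked EIP 11.xx.xx.11 kept as a placeholder.

```python
# Planned SSL parameters from Table 1 on the page.
EXPECTED = {
    "proto": "tcp",
    "port": "443",
    "cipher": "AES-128-GCM",
    "auth": "SHA256",
    "remote_host": "11.xx.xx.11",   # the page's masked EIP, used as a placeholder
}

# Constructed sample profile (assumed OpenVPN-style format; not the console's real file).
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote 11.xx.xx.11 443
cipher AES-128-GCM
auth SHA256
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder==
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Map each directive name to the list of argument lists it appears with.

    Inline blocks such as <ca>...</ca> are skipped, and '#' / ';' comments are stripped.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_client_profile(text, expected=EXPECTED):
    """Return a list of deviations from the planned parameters (empty list = OK)."""
    d = parse_profile(text)
    problems = []

    proto = d.get("proto", [[None]])[0][0]
    if proto != expected["proto"]:
        problems.append(f"proto is {proto}, expected {expected['proto']}")

    # The port may appear as the second argument of 'remote' or as a separate 'port' directive.
    remote = d.get("remote", [[None, None]])[0]
    host = remote[0]
    port = remote[1] if len(remote) > 1 else d.get("port", [[None]])[0][0]
    if host != expected["remote_host"]:
        problems.append(f"remote host is {host}, expected {expected['remote_host']}")
    if port != expected["port"]:
        problems.append(f"port is {port}, expected {expected['port']}")

    for key in ("cipher", "auth"):
        value = d.get(key, [[None]])[0][0]
        if value != expected[key]:
            problems.append(f"{key} is {value}, expected {expected[key]}")

    # Compression is disabled in the plan: any compression directive is a deviation.
    for comp in ("comp-lzo", "compress"):
        if comp in d and d[comp][0] != ["no"]:
            problems.append(f"compression enabled via '{comp}'")

    return problems


if __name__ == "__main__":
    issues = check_client_profile(SAMPLE_PROFILE)
    print("profile matches the plan" if not issues else "\n".join(issues))
```

Run this over the edited profile before importing it; a profile that has been changed to UDP, a different port, a weaker cipher, or has had compression switched on is reported line by line, which is a cheaper check than discovering the mismatch through a failed connection in Step 4.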