Updated on 2025-08-19 GMT+08:00

Configuring a Server

Scenario

A server provides configuration management and connection authentication capabilities. After a P2C VPN gateway is created, you need to complete the server configuration for it.

Prerequisites

The VPN gateway where a server is to be deployed has been created.

Limitations and Constraints

  • You can configure a server only when the VPN gateway is in Normal state.
  • A VPN gateway can have only one server associated.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the P2C VPN Gateways tab. The P2C VPN gateway list is displayed.
  6. Click Configure Server in the Operation column of the target VPN gateway. Alternatively, click the target VPN gateway name, and then click the Server tab.
  7. Set parameters as prompted.

    Table 1 describes the server parameters.

    Table 1 Server parameters

    Area

    Parameter

    Description

    Example Value

    Basic Information

    Local CIDR Block

    Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC.

    A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.

    • Select subnet

      Select subnets of the local VPC.

    • Enter CIDR block

      Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.

    NOTE:

    After the local CIDR block is modified, clients need to be reconnected.

    192.168.0.0/24

    Client CIDR Block

    CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC where the VPN gateway is located.

    The client CIDR block must be in the format of dotted decimal notation/mask. The mask length ranges from 16 bits to 26 bits. When assigning an IP address to a client, the system assigns a smaller CIDR block with the mask of 30 to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections.

    The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 2.

    NOTE:
    • The client CIDR block cannot contain reserved CIDR blocks, such as 100.64.0.0/10, 100.64.0.0/12, and 214.0.0.0/8. The reserved CIDR blocks vary according to regions and are subject to those displayed on the console.

      If you need to use 100.64.0.0/10 or 100.64.0.0/12, submit a service ticket.

    • After the client CIDR block is modified, clients need to be reconnected.

    172.16.0.0/16

    Tunnel Type

    Secure Sockets Layer (SSL) is a transport layer protocol used to establish a secure channel between a client and a server.

    The value is fixed at OpenVPN (SSL).

    OpenVPN (SSL)

    Authentication Information

    Server Certificate

    SSL certificate of the server. Clients use this certificate to verify the server's identity.

    • Service self-signed certificate
    • Existing certificate
      • To upload a new certificate, choose Upload from the drop-down list box to go to the Cloud Certificate Manager (CCM) service page. Upload a server certificate as prompted. For details, see Uploading an External Certificate to SCM.
      • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
    NOTE:

    If you delete the referenced server certificate in CCM after configuring the server, the availability of the server certificate is not affected.

    Set this parameter based on the actual condition.

    Client Authentication Mode

    Mode in which the server verifies the client identity. The options include Certificate authentication and Password authentication (local).

    • Select Certificate authentication.

      Click Upload CA Certificate, open the CA certificate file in PEM format as a text file, and copy the certificate content to the Content text box in the Upload CA Certificate dialog box. A maximum of 10 client CA certificates can be added.

      It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates.

      After a CA certificate is verified, you can view its basic information, including the name, serial number, signature algorithm, issuer, subject, and expiration time.

    • Select Password authentication (local).

      When the client authentication mode is password authentication, you need to create a user.

      A created user can access all resources on the cloud by default. If you need to customize the scope of accessible resources, create a user group and create an access policy.

      NOTE:

      The access policy default applies to all users in the user group default. You can delete the access policy default and create a custom access policy.

    Set this parameter based on the actual condition.

    Advanced Settings

    Protocol

    Protocol used by P2C VPN connections.

    TCP (default)

    TCP

    Port

    Port used by P2C VPN connections.

    • 443 (default)
    • 1194

    443

    Encryption Algorithm

    Encryption algorithm used by P2C VPN connections.

    • AES-128-GCM (default)
    • AES-256-GCM

    AES-128-GCM

    Authentication Algorithm

    Authentication algorithm used by P2C VPN connections.

    • When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256.
    • When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.

    SHA256

    Compression

    Specify whether to compress the transmitted data.

    By default, this function is disabled and cannot be modified.

    Disabled

    Domain Name Access

    Specify whether to enable domain name access.

    • Enabled

      Configure a DNS server address so that the client can access the cloud network using a domain name. For details about how to deploy a DNS server, see Domain Name Service.

      Configure a valid DNS server address, which must meet the following requirements:
      • Not 0.0.0.0
      • Non-loopback address. The loopback address range is 127.0.0.0 to 127.255.255.255.
      • Non-multicast address. The broadcast address range is 224.0.0.0 to 239.255.255.255.
      • Address not starting or ending with 0
      • Non-duplicate DNS server address
      • Not 255.255.255.255
    • Disabled

    Enabled

    Set this parameter to the actual DNS server address.

    Table 2 Recommended client CIDR blocks

    Number of VPN Connections

    Recommended Client CIDR Block

    10

    CIDR blocks with the mask less than or equal to 26

    Example: 10.0.0.0/26 and 10.0.0.0/25

    20

    CIDR blocks with the mask less than or equal to 25

    Example: 10.0.0.0/25 and 10.0.0.0/24

    50

    CIDR blocks with the mask less than or equal to 24

    Example: 10.0.0.0/24 and 10.0.0.0/23

    100

    CIDR blocks with the mask less than or equal to 23

    Example: 10.0.0.0/23 and 10.0.0.0/22

    200

    CIDR blocks with the mask less than or equal to 22

    Example: 10.0.0.0/22 and 10.0.0.0/21

    500

    CIDR blocks with the mask less than or equal to 21

    Example: 10.0.0.0/21 and 10.0.0.0/20

  8. Click OK.