Configuring a Server
Scenario
A server provides configuration management and connection authentication capabilities. After a P2C VPN gateway is created, you need to complete the server configuration for it.
Prerequisites
The VPN gateway where a server is to be deployed has been created.
Limitations and Constraints
- You can configure a server only when the VPN gateway is in Normal state.
- A VPN gateway can have only one server associated.
Procedure
- Log in to the management console.
- Click
in the upper left corner and select the desired region and project.
- Click
in the upper left corner, and choose .
- In the navigation pane on the left, choose .
- Click the P2C VPN Gateways tab. The P2C VPN gateway list is displayed.
- Click Configure Server in the Operation column of the target VPN gateway. Alternatively, click the target VPN gateway name, and then click the Server tab.
- Set parameters as prompted.
Table 1 describes the server parameters.
Table 1 Server parameters Area
Parameter
Description
Example Value
Basic Information
Local CIDR Block
Destination CIDR block that clients need to access through the P2C VPN gateway. The CIDR block can be within or connected to a Huawei Cloud VPC.
A maximum of 20 local CIDR blocks can be specified. The local CIDR block cannot be set to 0.0.0.0. The local CIDR block cannot overlap or conflict with the following special CIDR blocks: 0.0.0.0/8, 224.0.0.0/4, 240.0.0.0/4, and 127.0.0.0/8.
- Select subnet
- Enter CIDR block
Enter subnets of the local VPC or subnets of the VPC that establishes a peering connection with the local VPC.
NOTE:After the local CIDR block is modified, clients need to be reconnected.
192.168.0.0/24
Client CIDR Block
CIDR block for assigning IP addresses to virtual NICs of clients. It cannot overlap with the local CIDR block or the CIDR blocks in the route table of the VPC where the VPN gateway is located.
The client CIDR block must be in the format of dotted decimal notation/mask. The mask length ranges from 16 bits to 26 bits. When assigning an IP address to a client, the system assigns a smaller CIDR block with the mask of 30 to ensure proper network communication. As such, ensure that the number of available IP addresses in the specified client CIDR block is at least four times the number of VPN connections.
The recommended client CIDR blocks vary according to the number of VPN connections. For details, see Table 2.
NOTE:- The client CIDR block cannot contain reserved CIDR blocks, such as 100.64.0.0/10, 100.64.0.0/12, and 214.0.0.0/8. The reserved CIDR blocks vary according to regions and are subject to those displayed on the console.
If you need to use 100.64.0.0/10 or 100.64.0.0/12, submit a service ticket.
- After the client CIDR block is modified, clients need to be reconnected.
172.16.0.0/16
Tunnel Type
Secure Sockets Layer (SSL) is a transport layer protocol used to establish a secure channel between a client and a server.
The value is fixed at OpenVPN (SSL).
OpenVPN (SSL)
Authentication Information
Server Certificate
SSL certificate of the server. Clients use this certificate to verify the server's identity.
- Service self-signed certificate
- Existing certificate
- To upload a new certificate, choose Upload from the drop-down list box to go to the Cloud Certificate Manager (CCM) service page. Upload a server certificate as prompted. For details, see Uploading an External Certificate to SCM.
- It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
NOTE:If you delete the referenced server certificate in CCM after configuring the server, the availability of the server certificate is not affected.
Set this parameter based on the actual condition.
Client Authentication Mode
Mode in which the server verifies the client identity. The options include Certificate authentication and Password authentication (local).
- Select Certificate authentication.
Click Upload CA Certificate, open the CA certificate file in PEM format as a text file, and copy the certificate content to the Content text box in the Upload CA Certificate dialog box. A maximum of 10 client CA certificates can be added.
It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates.
After a CA certificate is verified, you can view its basic information, including the name, serial number, signature algorithm, issuer, subject, and expiration time.
- Select Password authentication (local).
When the client authentication mode is password authentication, you need to create a user.
A created user can access all resources on the cloud by default. If you need to customize the scope of accessible resources, create a user group and create an access policy.
NOTE:The access policy default applies to all users in the user group default. You can delete the access policy default and create a custom access policy.
Set this parameter based on the actual condition.
Advanced Settings
Protocol
Protocol used by P2C VPN connections.
TCP (default)
TCP
Port
Port used by P2C VPN connections.
- 443 (default)
- 1194
443
Encryption Algorithm
Encryption algorithm used by P2C VPN connections.
- AES-128-GCM (default)
- AES-256-GCM
AES-128-GCM
Authentication Algorithm
Authentication algorithm used by P2C VPN connections.
- When the encryption algorithm is AES-128-GCM, the authentication algorithm is SHA256.
- When the encryption algorithm is AES-256-GCM, the authentication algorithm is SHA384.
SHA256
Compression
Specify whether to compress the transmitted data.
By default, this function is disabled and cannot be modified.
Disabled
Domain Name Access
Specify whether to enable domain name access.
- Enabled
Configure a DNS server address so that the client can access the cloud network using a domain name. For details about how to deploy a DNS server, see Domain Name Service.
Configure a valid DNS server address, which must meet the following requirements:- Not 0.0.0.0
- Non-loopback address. The loopback address range is 127.0.0.0 to 127.255.255.255.
- Non-multicast address. The broadcast address range is 224.0.0.0 to 239.255.255.255.
- Address not starting or ending with 0
- Non-duplicate DNS server address
- Not 255.255.255.255
- Disabled
Enabled
Set this parameter to the actual DNS server address.
Table 2 Recommended client CIDR blocks Number of VPN Connections
Recommended Client CIDR Block
10
CIDR blocks with the mask less than or equal to 26
Example: 10.0.0.0/26 and 10.0.0.0/25
20
CIDR blocks with the mask less than or equal to 25
Example: 10.0.0.0/25 and 10.0.0.0/24
50
CIDR blocks with the mask less than or equal to 24
Example: 10.0.0.0/24 and 10.0.0.0/23
100
CIDR blocks with the mask less than or equal to 23
Example: 10.0.0.0/23 and 10.0.0.0/22
200
CIDR blocks with the mask less than or equal to 22
Example: 10.0.0.0/22 and 10.0.0.0/21
500
CIDR blocks with the mask less than or equal to 21
Example: 10.0.0.0/21 and 10.0.0.0/20
- Click OK.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot