An SSL server defines the networks and resources that clients can access over SSL-VPN. Create an SSL server before using SSL-VPN.
Prerequisites
A VPN Gateway instance with SSL-VPN enabled. Create and manage a VPN Gateway instance.
If SSL-VPN was not enabled during gateway creation, you can Enable the SSL-VPN feature later.
Create an SSL server
-
Log on to the VPN Gateway console.
-
In the left-side navigation pane, choose Network Interconnection > VPN > SSL Servers.
-
In the top navigation bar, select the region where you want to create the SSL server.
The SSL server must be in the same region as the associated VPN Gateway instance.
-
On the SSL Servers page, click Create SSL Server.
-
In the Create SSL Server panel, configure the following parameters and click OK.
Parameter
Description
Name
Enter a name for the SSL server.
Resource Group
Select the resource group of the VPN Gateway instance.
The SSL server is added to the same resource group as the gateway.
VPN Gateway
Select the VPN Gateway instance.
The selected instance must have SSL-VPN enabled.
Local Network
The CIDR blocks that clients can access through the SSL-VPN connection.
A local network can be the CIDR block of a VPC, a vSwitch, an on-premises data center connected to a VPC through Express Connect, or a cloud service such as Object Storage Service (OSS) or ApsaraDB RDS.
Click Add Local CIDR Block to add multiple CIDR blocks. You can add up to five local networks. The following IP address ranges are not supported:
-
127.0.0.0 to 127.255.255.255
-
169.254.0.0 to 169.254.255.255
-
224.0.0.0 to 239.255.255.255
-
255.0.0.0 to 255.255.255.255
NoteThe subnet mask of a local network must be 8 to 32 bits in length.
Client CIDR Block
The IP address pool from which the VPN Gateway assigns addresses to clients. Not the private CIDR block of the client.
The client CIDR block must provide at least four times the number of IP addresses as the maximum concurrent SSL connections supported by the VPN Gateway instance.
Important-
The subnet mask of the client CIDR block must be 16 to 29 bits in length.
-
The client CIDR block must not overlap with the Local Network, the VPC CIDR block, or any CIDR blocks routed on the client.
-
Use private CIDR blocks such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or their subnets. To use a public IP range, configure it as a user-defined CIDR block in the VPC for proper routing. VPC FAQ and VPC FAQ.
-
After you create the SSL server, the system adds a route for the client CIDR block to the VPC route table. Do not manually add this route, as it may disrupt SSL-VPN traffic.
Advanced Configuration
Protocol
The protocol for the SSL-VPN connection. Valid values:
-
UDP
-
TCP (default)
Port
The port used by the SSL server. Valid values: 1 to 65535. Default value: 1194.
NoteThe following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, and 4500.
Encryption Algorithm
The encryption algorithm for the SSL-VPN connection.
-
If the client runs Tunnelblick or OpenVPN 2.4.0 or later, the server and client dynamically negotiate the encryption algorithm, prioritizing the most secure mutually supported option. The algorithm specified here does not take effect.
-
If the client runs OpenVPN earlier than 2.4.0, the specified algorithm is used. Supported algorithms:
-
AES-128-CBC (default)
-
AES-192-CBC
-
AES-256-CBC
-
none
Disables encryption.
-
Compressed
Whether to compress SSL-VPN traffic. Valid values:
-
Yes
-
No (default)
Two-factor Authentication
Whether to enable two-factor authentication. Disabled by default.
Two-factor authentication requires clients to pass both SSL certificate verification and username/password authentication against an IDaaS EIAM instance. SSL-VPN two-factor authentication.
When enabled, select an IDaaS EIAM instance and application ID for authentication.
Note-
For first-time use, grant the required permissions through Authorization.
-
When creating an SSL server in the UAE (Dubai) region, bind an IDaaS EIAM 2.0 instance in the Singapore region to reduce cross-region latency.
-
IDaaS EIAM 1.0 instances are no longer available for purchase. If one exists in your account, you can still bind it after enabling two-factor authentication.
If no IDaaS EIAM 1.0 instance exists in your account, only IDaaS EIAM 2.0 instances can be bound.
-
Binding an IDaaS EIAM 2.0 instance may require a VPN Gateway upgrade. [Change Notice] SSL-VPN two-factor authentication supports IDaaS EIAM 2.0.
Custom Client DNS
Configure DNS settings for all clients centrally. Available in some regions only. Configure DNS settings for clients.
-
Next steps
After creating the SSL server, create and download an SSL client certificate to authenticate and encrypt client connections. Create and manage an SSL client certificate.
Modify an SSL server
You can modify an SSL server after creation. Some changes require downloading a new SSL client certificate or re-establishing connections.
-
If you modify the settings in the Advanced Configuration section of an SSL server for Protocol, Compressed, or Two-factor Authentication, the SSL client certificates associated with the SSL server are invalidated. You must create a new SSL client certificate, install the new certificate on the client, and then re-initiate the SSL-VPN connection.
-
Modifying the Local Network or Client CIDR Block terminates all active SSL-VPN connections on the SSL server. Clients must re-establish their connections.
-
Log on to the VPN Gateway console.
-
In the left-side navigation pane, choose Network Interconnection > VPN > SSL Servers.
-
In the top navigation bar, select the region of the SSL server.
-
On the SSL Servers page, find the SSL server to modify and click Edit in the Actions column.
-
In the Modify SSL Server panel, change the name, local network, client CIDR block, or Advanced configuration settings, and then click OK.
Delete an SSL server
Deleting an SSL server also deletes all associated SSL client certificates and immediately terminates all active client connections.
-
Log on to the VPN Gateway console.
-
In the left-side navigation pane, choose Network Interconnection > VPN > SSL Servers.
-
In the top navigation bar, select the region of the SSL server.
-
On the SSL Servers page, find the SSL server to delete and click Delete in the Actions column.
-
In the confirmation dialog box, review the information and click Delete.
Manage SSL servers by using API operations
Manage SSL servers programmatically with Alibaba Cloud SDK (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS). API operations: