Establishment and use of SSL VPN (OpenVPN)
2022-06-23 17:59:00 【Rokas. Yang】
I. Create a Tencent Cloud SSL VPN gateway
Select SSL as the protocol type and choose the cloud VPC network to connect to, as shown in the figure:
II. Create the SSL server
Tencent Cloud SSL VPN currently supports only UDP; TCP is not supported for now. Fill in the local network segment (the VPC segment to connect to) and the peer network segment (the client's intranet segment), then fill in the port, authentication algorithm, encryption algorithm and other information:
III. Create the SSL client
Select the server created in the previous step, fill in the remarks and click OK:
IV. Add the VPC route
When traffic goes from the cloud to the off-cloud side, the VPC routing table decides where it is sent. A rule for the off-cloud client network segment therefore has to be added to the corresponding VPC routing table, with the next hop pointing to the SSL VPN gateway.
In the VPC (private network) console, open the routing tables and select the corresponding VPC and its routing table:
After entering the routing table, select the option to add a new routing policy:
At this point all operations on the cloud SSL VPN side are complete.
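Why the return route in this step matters, as an added example that is not part of the original post: a longest-prefix route lookup over a constructed routing table. The segments 10.0.0.0/16 (VPC) and 192.168.100.0/24 (client), the labels Local, nat-gateway and sslvpn-gateway, and the presence of a default route are assumptions made for illustration, as is longest-prefix-match route selection.

```shell
#!/usr/bin/env bash
# ip2int A.B.C.D: dotted quad to 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# in_cidr IP CIDR: succeed if IP lies inside CIDR
in_cidr() {
    local net=${2%/*} len=${2#*/} mask
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# next_hop TABLE IP: next hop of the most specific matching route, or "none"
next_hop() {
    local dest hop best=-1 result=none
    while read -r dest hop; do
        case "$dest" in ''|'#'*) continue ;; esac
        if in_cidr "$2" "$dest" && [ "${dest#*/}" -gt "$best" ]; then
            best=${dest#*/}; result=$hop
        fi
    done < "$1"
    echo "$result"
}

# Constructed route tables: VPC 10.0.0.0/16, client segment 192.168.100.0/24.
before=$(mktemp); after=$(mktemp)
printf '%s\n' '10.0.0.0/16 Local' '0.0.0.0/0 nat-gateway' > "$before"
{ cat "$before"; echo '192.168.100.0/24 sslvpn-gateway'; } > "$after"

# Without the rule, replies to a VPN client follow the default route.
echo "reply to client, no rule:   $(next_hop "$before" 192.168.100.10)"
echo "reply to client, with rule: $(next_hop "$after" 192.168.100.10)"
```

Without the client-segment rule the reply leaves through the default route instead of the tunnel, which is the symptom to look for when the client connects but cannot reach VPC hosts.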
V. Download the SSL configuration file
OpenVPN is an open-source pioneer on Linux. It offers good performance and a user-friendly GUI, and it is also the officially recommended SSL VPN client. The following sections show how to configure the OpenVPN client on Windows, Debian and CentOS. The client configuration file is generated after the SSL client is created and can be downloaded from the SSL client page:
VI. Configure the OpenVPN client on Windows
1. Download and install
First, go to the official OpenVPN download page and download OpenVPN Connect (note that Connect is only the OpenVPN client; do not pick the server):
Choose the Windows column and click Download. If the download page is blocked and cannot be opened, it can be downloaded from this link.
2. Configure and import
After installation, choose Import Profile to import the configuration file:
Unzip the configuration file and drag and drop the file ending in .ovpn:
3. Verify connectivity
After importing, click Connect and verify connectivity:
The route print command shows that once OpenVPN is running normally, routes to the peer gateway are pushed automatically. Pinging the peer VPC network segment works and there is inbound and outbound traffic, which indicates that the tunnel is up. If you cannot ping the cloud VPC machine, make sure the machine does not block ping and that the security group and ACL allow the client's intranet segment.
Capturing packets with Wireshark at this point shows that traffic to the peer intranet is actually exchanged with the peer VPN gateway, so it also depends on the quality of the public network at both ends:
VII. Configure the OpenVPN client on Debian/CentOS
1. Debian: install the software source, repository key and OpenVPN client
Make sure Debian supports HTTPS transport:
apt install apt-transport-https
Install the official OpenVPN repository key:
curl -fsSL https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/openvpn-repo-pkg-keyring.gpg
Install the software source that matches the system's release code name:
curl -fsSL https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list >/etc/apt/sources.list.d/openvpn3.list
apt-get update
Officially supported release code names:
| Distribution | Release | Code name ($DISTRO) | Architecture |
|---|---|---|---|
| Debian | 9 | stretch | amd64 |
| Debian | 10 | buster | amd64, arm64* |
| Debian | 11 | bullseye | amd64, arm64* |
| Ubuntu | 18.04 | bionic | amd64, arm64* |
| Ubuntu | 20.04 | focal | amd64, arm64* |
| Ubuntu | 21.04 | hirsute | amd64, arm64* |
Debian 9 (stretch) is used here as a demonstration; the same applies to other distributions. The software source installation is therefore:
curl -fsSL https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-stretch.list >/etc/apt/sources.list.d/openvpn3.list
apt-get update
Because of the GFW, machines in mainland China may be unable to reach the software sources above, or may be limited in speed; you can refer to this article to set up a proxy server. Then install the client:
apt install openvpn3
2. CentOS: install the OpenVPN client
Releases supported for the CentOS / Red Hat family:
| Distribution | Release | Architecture |
|---|---|---|
| Fedora | 33, 34, Rawhide (*2) | aarch64, s390x, x86_64 |
| Red Hat Enterprise Linux / CentOS | 7 | x86_64 |
| Red Hat Enterprise Linux / CentOS | 8 | aarch64, x86_64 |
Install the yum copr plugin:
yum install yum-plugin-copr
Enable the Copr repository:
yum copr enable dsommers/openvpn3
Install the OpenVPN client:
yum install openvpn3-client
3. Import the configuration file and run
Upload the configuration exported from the Tencent Cloud SSL client console to Debian, unzip it, and run the following commands:
openvpn3 config-import --config ${MY_CONFIGURATION_FILE} # Import the profile so that later sessions can reuse it
openvpn3 session-start --config ${MY_CONFIGURATION_FILE} # Start a session
Replace the file name (sslvpnclient.ovpn) with the correct .ovpn configuration file; the configuration file from the Tencent Cloud console should be named SSLVpnClientConfiguration.ovpn. Seeing "connected" means the connection is established.
At this point OpenVPN is running normally; open another tty to test connectivity:
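A check worth running on the downloaded profile before `openvpn3 config-import`, as an added example that is not part of the original post or of the OpenVPN tooling: it reads the protocol, cipher and digest that were chosen on the SSL server, checks for server-certificate verification, and checks the file mode when a private key is embedded. The function names and the sample profile are constructed for illustration; a real Tencent Cloud export may contain different directives.

```shell
#!/usr/bin/env bash
# directive NAME FILE: print the arguments of the last NAME line, skipping
# comments and inline <ca>/<cert>/<key> blocks; non-zero status if absent.
directive() {
    awk -v d="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF profiles
        /^[ \t]*<\//           { inblk = 0; next }
        /^[ \t]*</             { inblk = 1; next }
        inblk || /^[ \t]*[#;]/ { next }
        $1 == d { $1 = ""; sub(/^ +/, ""); val = $0; found = 1 }
        END { if (found) print val; exit !found }
    ' "$2"
}

# audit_ovpn FILE: print one FINDING line per problem; status 0 only if clean.
audit_ovpn() {
    local f="$1" findings=0 proto cipher auth
    warn() { echo "FINDING: $*"; findings=$((findings + 1)); }
    proto=$(directive proto "$f" || true)
    case "${proto:-udp}" in                 # OpenVPN defaults to UDP when unset
        udp*) ;;
        *) warn "proto '$proto' does not match a UDP-only gateway" ;;
    esac
    cipher=$(directive cipher "$f" | tr 'a-z' 'A-Z' || true)
    case "$cipher" in                       # null or 64-bit-block ciphers
        NONE|BF-*|DES-*|RC2-*|CAST5-*) warn "weak cipher: $cipher" ;;
    esac
    auth=$(directive auth "$f" | tr 'a-z' 'A-Z' || true)
    case "$auth" in
        NONE|MD5) warn "weak HMAC digest: $auth" ;;
    esac
    if [ "$(directive remote-cert-tls "$f" || true)" != server ] &&
       ! directive verify-x509-name "$f" >/dev/null; then
        warn "no remote-cert-tls server / verify-x509-name check"
    fi
    if grep -q '^[[:space:]]*<key>' "$f" &&
       [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        warn "embedded private key is readable by group/others (chmod 600)"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample profile, not a real Tencent Cloud export.
sample=$(mktemp)
printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194' \
    'cipher BF-CBC' 'auth SHA1' '<key>' '(key material)' '</key>' > "$sample"
chmod 644 "$sample"
audit_ovpn "$sample" || echo "review the profile before importing it"
```

A profile without `remote-cert-tls server` or `verify-x509-name` accepts any certificate issued by the same CA as the server, so that finding deserves attention even when the cipher and digest are strong.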
4. OpenVPN session management
OpenVPN allows multiple profiles and sessions to run simultaneously. Sessions can be managed with the following commands:
openvpn3 sessions-list # View the list of currently running sessions
Restart the session:
openvpn3 session-manage --config ${CONFIGURATION_PROFILE_NAME} --restart
Disconnect the session:
openvpn3 session-manage --session-path /net/openvpn/v3/sessions/..... --disconnect
After the session is disconnected, its traffic usage statistics are printed.
View session status :
openvpn3 session-stats --config ${CONFIGURATION_PROFILE_NAME}
openvpn3 session-stats --session-path /net/openvpn/v3/sessions/...
View the session log:
openvpn3 log --config ${CONFIGURATION_PROFILE_NAME}