          Best Practices for Building AccessVPN

          Demand Scenario

          A dial-in VPN gives terminals on external networks a secure connection to internal resources on Baidu AI Cloud, so users can reach AI Cloud remotely and securely from any location.

          Demand scenario 1: Enterprise IT personnel (better management and maintenance of resources on the cloud)
          It simplifies the operation and maintenance of resources on the cloud and removes the differences between operating resources on and off the cloud.

          Demand scenario 2: Ordinary enterprise employees (a mobile office solution for the hybrid cloud)
          It accelerates the digital transformation of enterprise IT infrastructure and makes a true mobile office possible. Company employees can access the enterprise IT systems from anywhere and at any time, as if they were on the company intranet.

          Scheme Overview

          As shown in the figure below, the user builds an Access VPN server on a BCC cloud server. It acts as the VPN gateway in front of the resources on AI Cloud, and clients connect to it remotely. Baidu AI Cloud provides a service integration image with the open source OpenVPN Access Server pre-installed. When creating the BCC, the user can select this image to build the Access VPN service quickly.

          Once the service is built, a PC with a VPN client installed can connect to the VPN and reach the cloud server resources on the remote intranet (cloud server A and cloud server B in the figure below).

          Configuration Steps

          Configuration preparation

          • Client: A PC or laptop that can connect to the Internet.
          • Server: One BCC with a public network IP bound, used as the Access VPN gateway.
          • Recommended server configuration: Use the bcc.g3.c4m16 model (Intel Xeon (Skylake) Gold 6148, quad-core CPU) to bear a load of 500 concurrent user connections. If only a few operation and maintenance personnel log in, a lower-specification server (such as bcc.g3.c1m4) can be used.
          • Note: The EIP bandwidth can be adjusted flexibly according to actual usage.

          Steps and examples for creation and configuration of server (Access VPN gateway)

          1. Baidu AI Cloud provides a service image with the open source OpenVPN Access Server pre-installed to help users build the VPN gateway quickly. Purchase a BCC in the Baidu AI Cloud console and, for the image, select "Service Integration Image > Access VPN CentOS 6.5 (64-bit) edition".

          Note: The user can also select a suitable public image, download the VPN server package, and build the VPN gateway on it.

          2. On the purchase page, also select "Purchase an Elastic Public Network IP" and choose a charging mode and bandwidth peak value that suit your requirements.

          3. After the server is created, copy the public network IP of the AccessVPN server created in the first step from the instance list page, 180.76.159.65 as shown in the figure below.

          4. Log in to the AccessVPN server over SSH and set the server's public network IP in the fourth line of the /root/client.ovpn file.
          Taking the public network IP 187.76.159.65 as an example, you can use the command sed -ri "s/remote\s+\S+\s+1194/remote 187.76.159.65 1194/g" /root/client.ovpn. The command is for reference only. Other methods can also be used to make the change.

          The modified client.ovpn file is as shown in the figure below:

          5. Take the client.ovpn file from the AccessVPN server, and copy it to the machine where the client is located.

          6. If you need to push route and DNS settings to clients, log in to the AccessVPN server, add the push configuration items to /etc/openvpn/server.conf, and then restart the VPN service with service openvpn restart.
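
The edits from steps 4 and 6 as shell helpers, added here as an example and not part of the Baidu image or its documentation: the address is validated before it is written, the profile must contain exactly one remote line on port 1194, a backup is kept, and a push item is appended only once. The helper names, the sample profile contents and the 192.168.64.0 255.255.255.0 route are assumptions.

```shell
#!/bin/sh
# Added example: helper names and sample file contents are constructed,
# not taken from the Baidu image.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || length($i) > 3 || $i > 255) exit 1 }'
}

# set_remote FILE IP: point the single "remote <host> 1194" line at IP.
# Returns 2 for a bad address, 3 unless exactly one such line exists.
set_remote() {
    file=$1 ip=$2
    pat='^remote[[:space:]]+[^[:space:]]+[[:space:]]+1194[[:space:]]*$'
    valid_ipv4 "$ip" || return 2
    [ "$(grep -Ec "$pat" "$file")" -eq 1 ] || return 3
    cp -p "$file" "$file.bak" || return 1      # keep the original for rollback
    sed -E "s/$pat/remote $ip 1194/" "$file.bak" > "$file"
}

# add_push CONF ITEM: append push "ITEM" to the server config only once.
add_push() {
    line="push \"$2\""
    grep -Fxq -- "$line" "$1" || printf '%s\n' "$line" >> "$1"
}

# Demo on constructed files in a scratch directory: sh vpn_edit.sh demo
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' > "$d/client.ovpn"
    : > "$d/server.conf"
    # The route below assumes the intranet is 192.168.64.0/24.
    set_remote "$d/client.ovpn" 180.76.159.65 &&
        add_push "$d/server.conf" 'route 192.168.64.0 255.255.255.0' &&
        cat "$d/client.ovpn" "$d/server.conf"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the gateway the targets would be /root/client.ovpn and /etc/openvpn/server.conf, followed by the service openvpn restart from step 6.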

          Configuration example of client (OpenVPN Client)

          1. For Windows, Linux, or macOS, go to the official OpenVPN website, then download and install the client for your operating system.

          2. Load the configuration file client.ovpn copied from the server into the client.

          3. Start the OpenVPN Client, select the loaded configuration file, and connect. The login should succeed.

          Test Verification

          On the PC or laptop of user A, with all configuration completed, ping the intranet IPs of the Baidu Cloud Compute (BCC) instances (the intranet IP address of cloud server A is 192.168.64.5, and the intranet IP address of cloud server B is 192.168.64.6). If the pings succeed, the VPN has been built successfully.

          At this point, user A has successfully connected to the internal BCC resources on Baidu AI Cloud through Access VPN.
