Use Limits

Release Notes

Jul. 29, 2021 -  Authentication Upgrade for VPN-related APIs

Apr. 6, 2022 - SSL VPN Commercialized

Release Notes and Announcements

Overview

Components

Application Scenarios

Related products

Product Introduction

Billing Overview

Purchase Methods

Expiration Notifications

Purchase Guide 

Establishing a Connection Between VPC and IDC (SPD policy)

Connecting VPC to IDC (Destination route)

Connecting VPC to IDC (Dynamic BGP)

 IPSec VPN

Connecting the Mobile Client to VPC

SSL VPN

Getting Started

IPSec VPN Gateway

SSL VPN Gateway

VPN Gateway

Creating a VPN Tunnel

Viewing VPN Tunnels

Configuring Health Checks

Generate Peer End Configuration

Viewing Tunnel Logs

Modifying VPN Tunnel

Deleting VPN Tunnel

VPN Tunnel

Creating Customer Gateways

Viewing Customer Gateways

Modifying Customer Gateways

Deleting Customer Gateways

Customer Gateway

Creating the SSL VPN Server

Viewing the SSL VPN Server

Deleting the SSL VPN Server

Export SSL server list

SSO Authentication

Enabling Access Control

Disabling Access Control

Configuring Access Control Policy

SSL VPN Server

Creating SSL VPN Client

Viewing SSL VPN Client

Deleting SSL VPN Client

Downloading SSL VPN Client Configuration

Managing SSL VPN Client Certificate

SSL VPN Client

Binding an Anti-DDoS Instance

Setting Alarms

Viewing Monitoring Data

Alarming and Monitoring

SSL VPN Configuration Guide

IPSec VPN Configuration Guidelines

IPSec VPN Configuration Guide

Operations Overview

Operation Guide 

Connect via Direct Connect or VPN Connection to Interconnect  the Primary and Replica Links for Redundant Communication (Auto-Switch)

Hybrid Cloud Primary/Secondary Communication (DC and VPN)

Connecting IDC to CCN

Local Gateway Configurations

Connecting IDC to a Single Tencent Cloud VPC for Primary/Secondary Disaster Recovery

Dedicated Private Network Traffic Encrypted Via a Private Network VPN Gateway

Establishing a VPN Connection between Tencent Cloud and Azure China

Establishing Connection Between IDC and Cloud Resources (Dynamic BGP)

IPsec VPN

Connecting Client to VPC

SSL VPN Access Control Guide（okta）

Practical Tutorial

API Documentation

Concepts

Scenarios

Generic class

Billing

About IPsec gateways

About SSL

FAQs

VPN Tunnel Unconnected

VPN Tunnel Connected Yet Private Network Unconnected

IPSec VPN Error Description for Negotiation Failure

Troubleshooting

Service Level Agreement

Service Agreement

Contact Us

Glossary

VPN Connections

Note the following when using a VPN connection:

After configuring VPN parameters, you need to add routing policies for your VPN gateway in the route table associated with the subnet, so that network requests from CVMs in the subnet to access the peer IP range can reach the customer gateway through the VPN tunnel.

For a VPN gateway v1.0, after configuring the route table, you need to ping an IP address in the peer IP range from a CVM in the VPC to activate the VPN tunnel.

The stability of the VPN connection depends on the ISP's public network.

The VPN connection only supports the PSK authentication method rather than CA authentication.

SPD or route IP ranges of the VPN connection cannot be specified as the following IP ranges:

Multicast addresses that are all 0, all 225, or start with 224.

VPN Connections is a region-level service, but you can also connect to your VPN gateway in any region over the internet.

You cannot specify a public IP or the ISP of the public IP for the VPN gateway. IPv6 and anycast IP addresses are also not supported.

The bandwidth allocated by Tencent Cloud for inbound and outbound traffic is equivalent to the bandwidth purchased by the user.

Currently, only VPN 4.0 gateways with specifications of 200 Mbps, 500 Mbps, 1,000 Mbps and 3,000 Mbps support the dynamic BGP feature.

Routing priority: Static routing > dynamic BGP routing.

Private VPN: Only VPC type IPSec VPN 4.0 version is supported. If you need to use a private VPN, 

You must specify the IP address of the customer gateway. The public IP of the customer gateway cannot be the following IP addresses:

IP Addresses with host bits being all 0 or all 1, for example:

Class-A IP addresses that start with 1-126, such as 

Class-B IP addresses that start with 128-191, such as 

Class-C IP addresses that start with 192-223, such as 

If you use an IPsec VPN connection to interconnect resources in two VPCs, the VPCs are each other's customer gateway, and their IP ranges cannot overlap.

The server supports only UDP but not TCP.

To modify information such as port, authentication method, and encryption algorithm, you need to download the client configuration again.

The client and local IP ranges cannot overlap.

Identity verification relies on an EIAM application and cannot be directly interconnected with other identity providers (IdPs) for verification. You can use EIAM to interconnect with the verification source of your enterprise. You can also select a verification method supported by EIAM, such as SMS, WeCom, and AD. Currently, identity verification is in beta test. To try it out, 

https://console.tencentcloud.com/workorder/category

You can use CAM if identity verification is enabled.

You need to prepare the client on your own. An SSL VPN connection supports the open-source OpenVPN client or other compatible commercial clients.

Each client can use only one SSL client configuration certificate. You cannot use the same certificate for multiple clients.

Identity verification is supported only by OpenVPN 3.x or other compatible clients.

In a Windows environment, should your client's OpenVPN be version 3.4.0 or higher, it becomes imperative to configure both encryption and authentication algorithms for the SSL server setup. It is noteworthy that the authentication algorithm exclusively supports SHA1.

In a single operation, up to 100 SSL clients can be created in bulk.

The private VPN gateway currently does not support dynamic BGP routing.

tencent cloud