Is it possible to 'vpn' into a neutron network?

asked 2014-05-12 15:19:26 -0500

don

I have a situation where I have one or more stacks in a server somewhere. I would like to be able to make something in it the next-hop route (over layer 3) of my desktop. My desktop is not running nova/neutron etc, just a random windows laptop.

Is it possible to run a vm on the windows laptop, have it participate in the neutron somehow and thus create a local ip that I can make the next-hop be?

Or has anyone tried this w/ a pptp or openvpn or something?

It's not to reach my virtual machines (that I can do w/ ssh); it's that I want the windows laptop's traffic (all of it) to flow through one of the virtual machines (which is an l2 bridge) and from there to the internet. E.g. I want a new public IP on my laptop that is in the cloud.

Suggestions for where to look?


1 answer


answered 2014-07-23 18:20:16 -0500

don

updated 2014-07-23 19:07:14 -0500

What I ended up doing was making a vm that ran an SSTP (softether). I bound it on one side to my bridge, and on the other side I gave it an address that didn't have a default route, but could be reached via a proxy or port forward.

So I vpn to this device, and I do DHCP, which broadcasts out it, out my bridge, and to the far side [which has an external network w/ DHCP on it].

So now my client has an address from the far side of my bridge, and all traffic goes. This works well.

I made a simple SSTP proxy that would allow selecting the specific vpn (e.g. the instance). So I can connect the vpn as sstp://server/tenant/instance.

If it will help, here is the proxy I wrote: which, if 'admin' is a member of your tenant, will let you vpn there.

The heat template info that makes the vpn is:

    vpn:   # resource name is not shown in the original; 'vpn' is assumed
      type: OS::Nova::Server
      properties:
        name: { str_replace: { params: { $stack_name: { get_param: 'OS::stack_name' } }, template: '$stack_name-vpn' } }
        key_name: { get_resource: key }
        image: "trusty"
        flavor: "m1.tiny"
        config_drive: "true"
        networks:
          - network: "public"
          - network: { get_resource: data_sub_net }
        user_data_format: RAW
        user_data: |
          #!/bin/sh
          touch /tmp/cloud-init-started
          iptables -F
          # replace any eth1 stanza with a promiscuous, addressless one for the bridge
          sed -i -e '/eth1/d' /etc/network/interfaces
          cat <<EOF >>/etc/network/interfaces
          auto eth1
          iface eth1 inet manual
            up ip link set eth1 up promisc on
            down ip link set eth1 down promisc off
          EOF
          ifup eth1

          cd /var/lib/softether
          stop softether
          rm -f vpn_server_config
          start softether
          # vpncmd script: hub bridged to eth1, SSTP enabled, one user;
          # the user name in UserPasswordSet must match the one in UserCreate
          cat <<EOF1 > vpn.cmd
          HubCreate vpn /PASSWORD:""
          hub vpn
          ServerCertRegenerate vk
          SstpEnable yes
          BridgeCreate vpn /DEVICE:eth1 /TAP:no
          UserCreate cloud /GROUP:none /REALNAME:none /NOTE:none
          UserPasswordSet cloud /PASSWORD:password
          EOF1
          vpncmd localhost /server /IN:vpn.cmd

and { data_sub_net } shares a network w/ one side of my bridge, 'public' is my internally reachable address (does not need floating or external ip). The sstp-proxy runs on the nova controller.

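As an added check (my own example, not code from the answer or from SoftEther): a small Python audit that parses the vpncmd block above and flags the credential problems a reviewer would want caught before the script is baked into user_data. The sample script is a constructed copy of the one in the template, with its mismatched user names and literal password.

```python
"""Audit a SoftEther vpncmd script for credential mistakes (added example)."""
import shlex

# Constructed sample: the vpncmd block from the answer's template. Defects: the
# user is created as 'cloud' but the password is set for 'user', and it is 'password'.
SAMPLE_SCRIPT = """\
HubCreate vpn /PASSWORD:""
hub vpn
ServerCertRegenerate vk
SstpEnable yes
BridgeCreate vpn /DEVICE:eth1 /TAP:no
UserCreate cloud /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet user /PASSWORD:password
"""
WEAK_PASSWORDS = {"", "password", "vpn", "admin", "123456"}  # tiny deny-list

def parse_vpncmd(script):
    """Yield (command, positional args, {OPTION: value}); options are /NAME:value tokens."""
    for raw in script.splitlines():
        tokens = shlex.split(raw, posix=True)  # shlex resolves the quoted "" value
        if not tokens:
            continue
        args, opts = [], {}
        for tok in tokens[1:]:
            if tok.startswith("/") and ":" in tok:
                key, _, value = tok[1:].partition(":")
                opts[key.upper()] = value
            else:
                args.append(tok)
        yield tokens[0].lower(), args, opts

def audit_vpncmd(script):
    """Return findings: weak hub/user passwords and UserCreate/UserPasswordSet name mismatches."""
    created, pw_set, findings = set(), {}, []
    for cmd, args, opts in parse_vpncmd(script):
        if cmd == "hubcreate" and opts.get("PASSWORD", "") in WEAK_PASSWORDS:
            findings.append(f"hub '{args[0]}': empty or weak admin password")
        elif cmd == "usercreate":
            created.add(args[0])
        elif cmd == "userpasswordset":
            pw_set[args[0]] = opts.get("PASSWORD", "")
    for user in sorted(created - pw_set.keys()):
        findings.append(f"user '{user}': created but never given a password")
    for user, pw in pw_set.items():
        if user not in created:
            findings.append(f"user '{user}': password set but user never created")
        if pw.lower() in WEAK_PASSWORDS or len(pw) < 12:
            findings.append(f"user '{user}': weak password")
    return findings
```

Running `audit_vpncmd(SAMPLE_SCRIPT)` reports the empty hub password, the orphaned 'cloud' user, and the weak password set for a user that was never created.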
