
VPN access to internal tenant network

asked 2015-02-05 15:17:43 -0500

FMM

updated 2015-02-05 15:18:39 -0500

Hi,

after creating instances they're placed into internal subnet which is not reachable from outside. The only way to connect to VM is assigning a floating IP. Is there a way to access internal instances network without floating IP? I guess using VPN? Which is the best method?

Regards


Comments

One solution would be to assign a floating ip to a single instance, and then from there you can connect to any other instances on the tenant private network.

larsks ( 2015-02-05 18:07:08 -0500 )

2 answers

1

answered 2015-02-05 18:15:14 -0500

Tobias

updated 2015-02-06 11:52:09 -0500

Hi,

you can use VPNaaS. It works, but there are some showstopper bugs, like restart of all VPN if a tenant changes vpn settings.

For site to site VPN you have to install packages neutron-vpn-agent and openswan on network node and change config files:

/etc/neutron/neutron.conf on network node and controller node:

#add vpnaas to service_plugins like this:
[DEFAULT]
service_plugins = router,vpnaas,lbaas,metering

[service_providers]
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

cat /etc/neutron/vpn_agent.ini on network node:

[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also

# Settings from L3 Agent
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
external_network_bridge = br-ex
#debug = True
#verbose = True

[vpnagent]
# vpn device drivers which vpn agent will use
# If we want to use multiple drivers,  we need to define this option multiple times.
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
# vpn_device_driver=another_driver

[ipsec]
# Status check interval
ipsec_status_check_interval=60

/etc/openstack-dashboard/local_settings.py on controller node

# set enable_vpn to true
OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': True,
    'enable_quotas': True,
    'enable_ipv6': True,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': True,
    'enable_firewall': True,
    'enable_vpn': True,
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
    # Set which provider network types are supported. Only the network types
    # in this list will be available to choose from when creating a network.
    # Network types include local, flat, vlan, gre, and vxlan.
    'supported_provider_types': ['*'],
}

Good luck :-)


Comments

Why not update this answer here with the setup details? That would be useful to everybody. Thanks!

larsks ( 2015-02-06 10:05:22 -0500 )

Whilst I have successfully tested VPNaaS (running Kilo) it's fair to say -as pointed out in the answer below- that it wasn't very suitable for site-to-client conns. Sadly it's deprecated as of Ocata. Hope this will be revisited!

sxc731 ( 2017-06-02 02:38:29 -0500 )
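A small preflight check for the neutron.conf and vpn_agent.ini settings from the answer above, added here as an example and not part of the original answer or of Neutron itself; the function name vpnaas_config_issues and the embedded sample files are my own constructions based on the quoted fragments.

```python
import configparser

# Constructed sample of the neutron.conf fragment quoted in the answer above.
NEUTRON_CONF_OK = """
[DEFAULT]
service_plugins = router,vpnaas,lbaas,metering

[service_providers]
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
"""

# Constructed sample of the vpn_agent.ini fragment quoted in the answer above.
VPN_AGENT_INI = """
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
external_network_bridge = br-ex

[vpnagent]
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver

[ipsec]
ipsec_status_check_interval=60
"""

def _parse(text):
    # strict=False tolerates repeated keys (e.g. several service_provider lines).
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def vpnaas_config_issues(neutron_conf, vpn_agent_ini):
    """Return the problems that would stop VPNaaS from loading (empty list if OK)."""
    issues = []
    nc = _parse(neutron_conf)
    plugins = [p.strip() for p in nc.get("DEFAULT", "service_plugins", fallback="").split(",")]
    if "vpnaas" not in plugins:
        issues.append("neutron.conf: 'vpnaas' missing from [DEFAULT] service_plugins")
    fields = nc.get("service_providers", "service_provider", fallback="").split(":")
    if len(fields) != 4 or fields[0] != "VPN" or fields[3] != "default":
        issues.append("neutron.conf: no VPN:<name>:<driver>:default entry in [service_providers]")
    va = _parse(vpn_agent_ini)
    if not va.get("vpnagent", "vpn_device_driver", fallback=""):
        issues.append("vpn_agent.ini: [vpnagent] vpn_device_driver not set")
    if va.getint("ipsec", "ipsec_status_check_interval", fallback=0) <= 0:
        issues.append("vpn_agent.ini: [ipsec] ipsec_status_check_interval must be a positive integer")
    return issues
```

Run it against the real files (read them from disk instead of the embedded strings) before restarting neutron-server and the VPN agent, so a missing plugin entry is caught before a restart takes down every tenant's VPN.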
1

answered 2015-02-06 05:36:23 -0500

FMM

Hi, VPNaaS seems to be more elegant than jumping into the public instance.

I read the docs and It is not clear if I can configure VPNaaS like an OpenVPN server, instead of a Site-to-Site IPSEC which I see is the most common scenario.

I would like to connect to Openstack VPNaaS from clients (i.e. remote PC on the Internet with Openvpn client) in a client-server scenario.


Comments

1

Client-to-Site is not possible atm. There is a blue print and some code exists, too, but the implementation is frozen due to missing secure storage for PSK/passwords.

If you want to access from client, you have to use an instance serving a VPN service.

Tobias ( 2015-02-06 09:52:37 -0500 )

What is the URL for the work that's going on there? I'd like to track it. For now, I suppose it's necessary to set up OpenVPN.

colan ( 2017-06-01 21:58:23 -0500 )
