OpenContrail now permits site-to-site VPN connections, and we have already described How to configure a Site to Site VPN in OpenContrail.
We now provide a HEAT template that configures a site-to-site OpenVPN server.
We will not explain how to spawn a VM: if you are reading this, we assume you have already gone through our Getting started documentation and already have an OpenStack virtual network with some VMs running.
Download the OpenVPN server heat template:
List your images and note the ID of the Ubuntu 14.04 image as [image_id]:
Show the Ubuntu 14.04 image's details and note its “minDisk”, “minRam” and “OS-EXT-IMG-SIZE:size”:
glance image-show [image_id]
Warning: the command above reports “OS-EXT-IMG-SIZE:size” in bytes, “minDisk” in gigabytes and “minRam” in megabytes, so convert before comparing.
List the available flavors and note as [flavor_id] one that meets the Ubuntu 14.04 image's requirements:
you need a flavor whose disk is at least as large as both “minDisk” and “OS-EXT-IMG-SIZE:size” (rounded up to whole gigabytes), and whose RAM is at least “minRam”.
List your SSH key pairs and note yours as [key_name]:
List your neutron networks and note the private and public network IDs as [private_net_id] and [public_net_id] respectively, and the private subnet ID as [private_subnet_id]:
View the private subnet and note the [cidr], [gateway_ip] and [host_routes]:
neutron subnet-show [private_subnet_id]
Also note your [remote_net_cidr], the CIDR of your own LAN (e.g. 10.0.216.0/24).
Launch the OpenVPN Heat Stack:
heat stack-create -f openvpn_site2site.heat -P "key_name=[key_name];instance_type=[flavor_id];image_id=[image_id];public_net_id=[public_net_id];private_net_id=[private_net_id];vpn_cidr=10.8.0.0/24;remote_net_cidr=[remote_net_cidr]" openvpn
For [vpn_cidr] you must choose a network CIDR that overlaps neither the private subnet's [cidr] nor your [remote_net_cidr]; an overlapping range would make the routes added below ambiguous.
We used 10.8.0.0/24, OpenVPN's default, in the example above, but you can pick any other RFC 1918 range that satisfies this condition.
Once the stack is up, note the internal IP assigned to your OpenVPN instance as [openvpn_internal_ip] and its external floating IP as [openvpn_floating_ip]:
Then add the routes to the private subnet:
neutron subnet-update [private_subnet_id] --host_routes type=dict list=true destination=0.0.0.0/0,nexthop=[gateway_ip] destination=[remote_net_cidr],nexthop=[openvpn_internal_ip] destination=10.8.0.0/24,nexthop=[openvpn_internal_ip]
The last entry, “destination=10.8.0.0/24,nexthop=[openvpn_internal_ip]”, is only needed if you want the VPN client itself to reach (and be reachable from) the remote end; use your own [vpn_cidr] here if you did not keep 10.8.0.0/24.
Note that this command replaces the subnet's whole host route list, so add back any [host_routes] you noted earlier. Host routes are delivered to the VMs through DHCP, so instances that are already running only pick them up when they renew their lease or reboot.
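As an added example (not part of the original post or of the Heat template), the checks from the steps above as a POSIX shell script: it verifies that the chosen flavor satisfies the image's “minDisk”, “minRam” and “OS-EXT-IMG-SIZE:size” with the units converted, that [vpn_cidr] overlaps neither the private subnet nor the remote LAN, and then prints the stack-create and subnet-update commands with the values filled in. Every value at the top of the script is a constructed placeholder; substitute the ones you noted with glance, nova and neutron, and run the subnet-update only once the stack is up and [openvpn_internal_ip] is known.

```shell
#!/bin/sh
# Pre-flight checks for the OpenVPN site-to-site stack (added example, not
# code from the original post or from the Heat template).
# Every value in this block is a constructed placeholder: replace it with what
# glance image-show, nova flavor-show and neutron subnet-show reported.
set -e

# --- values noted in the steps above (constructed sample data) -------------
IMAGE_ID=11111111-1111-1111-1111-111111111111
IMAGE_MIN_DISK_GB=8              # "minDisk" from glance image-show (GB)
IMAGE_MIN_RAM_MB=512             # "minRam" (MB)
IMAGE_SIZE_BYTES=263192576       # "OS-EXT-IMG-SIZE:size" (bytes)
FLAVOR_ID=2
FLAVOR_DISK_GB=20                # "disk" from nova flavor-show (GB)
FLAVOR_RAM_MB=2048               # "ram" (MB)
KEY_NAME=mykey
PUBLIC_NET_ID=22222222-2222-2222-2222-222222222222
PRIVATE_NET_ID=33333333-3333-3333-3333-333333333333
PRIVATE_SUBNET_ID=44444444-4444-4444-4444-444444444444
PRIVATE_CIDR=192.168.0.0/24      # [cidr] from neutron subnet-show
GATEWAY_IP=192.168.0.1           # [gateway_ip]
REMOTE_NET_CIDR=10.0.216.0/24    # [remote_net_cidr], your own LAN
VPN_CIDR=10.8.0.0/24             # [vpn_cidr], OpenVPN's default
OPENVPN_INTERNAL_IP=192.168.0.5  # [openvpn_internal_ip], known once the stack is up

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/n" -> "first last" addresses of the block, as integers.
cidr_range() {
    _base=$(ip2int "${1%/*}")
    _mask=$(( (0xffffffff << (32 - ${1#*/})) & 0xffffffff ))
    echo "$(( _base & _mask )) $(( (_base & _mask) | (~_mask & 0xffffffff) ))"
}

# Exit 0 when the two CIDRs share at least one address.
cidrs_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then return 0; fi
    return 1
}

# [vpn_cidr] is usable only if it overlaps neither the private subnet nor the remote LAN.
# Args: vpn_cidr private_cidr remote_net_cidr
vpn_cidr_ok() {
    if cidrs_overlap "$1" "$2" || cidrs_overlap "$1" "$3"; then return 1; fi
    return 0
}

# Flavor disk (GB) must cover minDisk (GB) and the image size (bytes, rounded
# up to whole GB); flavor RAM (MB) must cover minRam (MB).
# Args: min_disk_gb min_ram_mb size_bytes flavor_disk_gb flavor_ram_mb
flavor_fits() {
    _size_gb=$(( ($3 + 1073741823) / 1073741824 ))
    if [ "$4" -ge "$1" ] && [ "$4" -ge "$_size_gb" ] && [ "$5" -ge "$2" ]; then return 0; fi
    return 1
}

# The --host_routes list for neutron subnet-update: default route via the
# subnet gateway, remote LAN and VPN range via the OpenVPN instance.
# Args: gateway_ip remote_net_cidr vpn_cidr openvpn_internal_ip
host_routes() {
    printf 'destination=0.0.0.0/0,nexthop=%s destination=%s,nexthop=%s destination=%s,nexthop=%s\n' \
        "$1" "$2" "$4" "$3" "$4"
}

# --- checks, then the two commands with the values filled in ---------------
flavor_fits "$IMAGE_MIN_DISK_GB" "$IMAGE_MIN_RAM_MB" "$IMAGE_SIZE_BYTES" "$FLAVOR_DISK_GB" "$FLAVOR_RAM_MB" \
    || { echo "flavor $FLAVOR_ID is too small for image $IMAGE_ID" >&2; exit 1; }
vpn_cidr_ok "$VPN_CIDR" "$PRIVATE_CIDR" "$REMOTE_NET_CIDR" \
    || { echo "vpn_cidr $VPN_CIDR overlaps $PRIVATE_CIDR or $REMOTE_NET_CIDR" >&2; exit 1; }

echo "heat stack-create -f openvpn_site2site.heat -P \"key_name=$KEY_NAME;instance_type=$FLAVOR_ID;image_id=$IMAGE_ID;public_net_id=$PUBLIC_NET_ID;private_net_id=$PRIVATE_NET_ID;vpn_cidr=$VPN_CIDR;remote_net_cidr=$REMOTE_NET_CIDR\" openvpn"
echo "neutron subnet-update $PRIVATE_SUBNET_ID --host_routes type=dict list=true $(host_routes "$GATEWAY_IP" "$REMOTE_NET_CIDR" "$VPN_CIDR" "$OPENVPN_INTERNAL_IP")"
```

The script stops before printing anything if the flavor is too small or the VPN range collides, which is exactly the state you do not want to discover after the stack has booted and the routes are already pushed to every VM on the subnet.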
Wait several minutes for the VPN instance to become functional (the PKI generation takes several minutes). The instance is freshly booted, so before copying anything check its SSH host key fingerprint against the one printed in its console log (nova console-log): the archive you are about to fetch carries the client configuration and key material produced by that PKI, and it ends up as root-owned files under /etc/openvpn. Then run the following on your VPN client:
scp cloud@[openvpn_floating_ip]:~/vpnaccess.tar.bz2 .
sudo cp vpnaccess.tar.bz2 /etc/openvpn
sudo su -
cd /etc/openvpn
tar -xvjpf vpnaccess.tar.bz2
service openvpn start
Your VPN is up and running.