This article talks about establishing a Site to Site VPN connection with one end being any office/private network and the other end being a private network in the cloud. This article targets the OpenStack/OpenContrail environment.
Before reading further, please have a look at the article OpenVPN in VM in OpenContrail.
Let's assume the subnet of the office/private network is 10.0.0.0/24 and the subnet of the cloud private network is 192.168.0.0/24. The goal is to establish a Site to Site VPN connection between these two networks.
- We need a VM running OpenVPN server in the cloud private network
- We need a host/VM running OpenVPN client in the office/private network
- The VM running the OpenVPN server should have a floating IP associated with it.
The apply_subnet_host_routes feature was recently added to OpenContrail. Enable it by adding the line below to the DEFAULTS section of /etc/contrail/api_server.conf (or /etc/contrail/contrail-api.conf):
Create a private network and subnet
$ neutron net-create private
$ neutron subnet-create private 192.168.0.0/24 --host_routes type=dict list=true destination=0.0.0.0/0,nexthop=192.168.0.1 destination=10.0.0.0/24,nexthop=192.168.0.2
If you have already created a private network and subnet, you can update the subnet with the host routes instead:
$ neutron subnet-update <SUBNET_ID> --host_routes type=dict list=true destination=0.0.0.0/0,nexthop=192.168.0.1 destination=10.0.0.0/24,nexthop=192.168.0.2
Remark: we re-declared the default route (gateway) in the host route list because OpenContrail no longer provides the default router option (DHCP option 3) once a classless static route option (DHCP option 121) is defined. Without the 0.0.0.0/0 entry, the VMs on the subnet would lose their gateway.
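As an added example (not from the original article), the following POSIX shell helper assembles the --host_routes argument used above from destination,nexthop pairs, rejects malformed CIDRs and addresses, and refuses to emit a list that omits the 0.0.0.0/0 route, which is exactly the mistake the remark above warns about. The function names and the sample pairs are this example's own; the addresses are the article's example networks.

```shell
#!/bin/sh
# Added example, not part of the original article: assemble and sanity-check
# the --host_routes argument for "neutron subnet-create" / "neutron subnet-update".
# Because a classless static route option (DHCP option 121) suppresses the
# default router option (option 3), a host route list that forgets 0.0.0.0/0
# leaves every VM on the subnet without a gateway; the builder refuses that.

# Return 0 when $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Return 0 when $1 is a.b.c.d/n with 0 <= n <= 32.
is_cidr() {
    prefix="${1#*/}"
    [ "$prefix" != "$1" ] || return 1          # no "/" at all
    is_ipv4 "${1%/*}" || return 1
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]+$' && [ "$prefix" -le 32 ]
}

# Print the complete --host_routes argument for the given dest,nexthop pairs.
# Usage: host_routes_arg 0.0.0.0/0,192.168.0.1 10.0.0.0/24,192.168.0.2
host_routes_arg() {
    out="--host_routes type=dict list=true"
    have_default=no
    for pair in "$@"; do
        dest="${pair%,*}"
        nexthop="${pair#*,}"
        [ "$dest" != "$pair" ] || { echo "expected dest,nexthop but got: $pair" >&2; return 1; }
        is_cidr "$dest" || { echo "bad destination: $dest" >&2; return 1; }
        is_ipv4 "$nexthop" || { echo "bad nexthop: $nexthop" >&2; return 1; }
        [ "$dest" = "0.0.0.0/0" ] && have_default=yes
        out="$out destination=$dest,nexthop=$nexthop"
    done
    if [ "$have_default" != yes ]; then
        echo "refusing: no 0.0.0.0/0 entry; option 121 would hide the gateway from the VMs" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Constructed call using the article's example networks.
host_routes_arg 0.0.0.0/0,192.168.0.1 10.0.0.0/24,192.168.0.2
```

The printed string can be pasted directly after `neutron subnet-create private 192.168.0.0/24` or `neutron subnet-update <SUBNET_ID>`; the gateway check is the part worth keeping in any automation that manages these subnets.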
The VM running the OpenVPN server must get the IP address used as the nexthop in the subnet create/update (192.168.0.2 in our example). The OpenStack APIs offer three different ways to do that:
- Create a port with a fixed IP on the subnet:
$ neutron port-create <NETWORK_ID> --fixed-ip subnet_id=<SUBNET_ID>,ip_address=192.168.0.2
and then create the VM with the --nic port-id=<PORT_ID> option of the nova boot CLI command:
$ nova boot ... --nic port-id=<PORT_ID> ... VM_NAME
- Ask Nova for the fixed IP directly with --nic net-id=<NETWORK_ID>,v4-fixed-ip=192.168.0.2 in our example:
$ nova boot ... --nic net-id=<NETWORK_ID>,v4-fixed-ip=192.168.0.2 ... VM_NAME
- Boot the VM first, note the IP address it was given, and update the subnet's host routes so that the nexthop is that address:
$ neutron subnet-update <SUBNET_ID> --host_routes type=dict list=true destination=0.0.0.0/0,nexthop=192.168.0.1 destination=10.0.0.0/24,nexthop=192.168.0.2
Below are the steps in brief to set up OpenVPN on the VM. For more details please refer to the article OpenVPN in VM in OpenContrail.
In the OpenVPN server configuration, add:
push "route 192.168.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.0.0.0 255.255.255.0
Then create the client configuration file /etc/openvpn/ccd/client1 and add the line below:
iroute 10.0.0.0 255.255.255.0
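As an added example (not the article's or OpenVPN's own tooling), this POSIX shell script checks that the server-side route directives and the client-config-dir iroute directives agree, which is the usual way a site-to-site setup silently breaks: a route without an iroute sends the office subnet into the tunnel with no client to own it, and an iroute without a route never receives any traffic. The sample configuration files are constructed in a temporary directory; the tunnel subnet 10.8.0.0/24 and the client2 entry are this example's assumptions, not part of the article.

```shell
#!/bin/sh
# Added example, not from the original article: verify that every "route" in
# the OpenVPN server configuration has a matching "iroute" in some
# client-config-dir file, and vice versa. A route with no iroute makes the
# server kernel send the office subnet into the tun device while OpenVPN has
# no client to forward it to; an iroute with no route never sees any traffic.

# Print "dest mask" for each line whose first word is directive $1 in files $2...
# ("push \"route ...\"" lines start with "push", so they are not counted).
extract_routes() {
    directive="$1"; shift
    awk -v d="$directive" '$1 == d && NF >= 3 { print $2, $3 }' "$@" 2>/dev/null || true
}

# Print one line per mismatch ("missing-iroute: ..." / "missing-route: ...");
# print nothing when server.conf and the ccd directory are consistent.
check_site_routes() {
    server_conf="$1"; ccd_dir="$2"
    routes=$(extract_routes route "$server_conf")
    iroutes=$(extract_routes iroute "$ccd_dir"/*)
    printf '%s\n' "$routes" | while read -r dest mask; do
        [ -n "$dest" ] || continue
        printf '%s\n' "$iroutes" | grep -qxF "$dest $mask" \
            || echo "missing-iroute: $dest $mask"
    done
    printf '%s\n' "$iroutes" | while read -r dest mask; do
        [ -n "$dest" ] || continue
        printf '%s\n' "$routes" | grep -qxF "$dest $mask" \
            || echo "missing-route: $dest $mask"
    done
}

# Constructed sample: the article's server directives (tunnel subnet assumed)
# plus a second client, client2, whose iroute has no matching route.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.0.0.0 255.255.255.0
EOF
    echo 'iroute 10.0.0.0 255.255.255.0' > "$dir/ccd/client1"
    echo 'iroute 10.0.1.0 255.255.255.0' > "$dir/ccd/client2"
    printf '%s\n' "$dir"
}

SAMPLE=$(make_sample)
check_site_routes "$SAMPLE/server.conf" "$SAMPLE/ccd"
rm -rf "$SAMPLE"
```

Run it against the real paths (`check_site_routes /etc/openvpn/server.conf /etc/openvpn/ccd`) after editing either file; an empty result means the kernel route table and OpenVPN's internal client routing table describe the same subnets.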
You can set up the OpenVPN client either on a physical machine or on a virtual machine. Below are the steps in brief.
You should now be able to ping and/or SSH to your VMs (or to host machines in the office/private network) directly using their internal IPs (check that you allowed ICMP from the office/private subnet in the security group applied to the cloud private network ports).