
Site to Site VPN in OpenContrail

numansiddique edited this page Sep 2, 2014 · 28 revisions

This article describes how to establish a Site to Site VPN connection between an office/private network on one end and a private network in the cloud on the other end. It targets the OpenStack/OpenContrail environment.

Before reading further, please have a look at the article OpenVPN in VM in OpenContrail.

Let's assume the subnet of the office/private network is 10.0.0.0/24 and the subnet of the cloud private network is 172.168.0.0/24. The goal is to establish a Site to Site VPN connection between these two networks.

Requirements

  1. We need a VM running an OpenVPN server in the cloud private network.
  2. We need a host/VM running an OpenVPN client in the office/private network.
  3. The VM running the OpenVPN server should have a floating IP associated with it.

Configuration changes in OpenContrail

The apply_subnet_host_routes feature has recently been added to OpenContrail. Enable it by adding the line below to the default section of /etc/contrail/api_server.conf (or /etc/contrail/contrail-api.conf):

apply_subnet_host_routes=True

Configuring the cloud network subnet

Create a private network and subnet

$ neutron net-create private
$ neutron subnet-create private 172.168.0.0/24 --host-route destination=10.0.0.0/24,nexthop=172.168.0.2
or
$ neutron subnet-create private 172.168.0.0/24 --host_routes type=dict list=true  destination=10.0.0.0/24,nexthop=172.168.0.2

If you have already created a private network and subnet, you can update the subnet with the host route instead:

$ neutron subnet-update <SUBNET_ID> --host-route destination=10.0.0.0/24,nexthop=172.168.0.2

or

$ neutron subnet-update <SUBNET_ID> --host_routes type=dict list=true destination=10.0.0.0/24,nexthop=172.168.0.2

Setting up a VM with OpenVPN server

The VM running the OpenVPN server must have the IP address given as the nexthop when the subnet was created/updated (172.168.0.2 in our example). The OpenStack APIs offer three ways to achieve this:

  1. Create a port with the nexthop IP through the Neutron API:
     neutron port-create <NETWORK_ID> --fixed-ip subnet_id=<SUBNET_ID>,ip_address=172.168.0.2
     and then boot the VM with the --nic port-id=<PORT_ID> option of the nova boot command.
  2. Specify the desired IP when creating the VM through the Nova API, with the option --nic net-id=<NETWORK_ID>,v4-fixed-ip=172.168.0.2.
  3. Boot the VM with the OpenVPN server first, note the IP it was given, and then update the subnet with a host-route whose nexthop is that IP.

Below are the steps in brief to set up OpenVPN on the VM. For more details please refer to the article OpenVPN in VM in OpenContrail.

  1. Create a VM in the cloud private network and associate a floating IP with it.
  2. Install the OpenVPN packages and set up the OpenVPN keys. Refer to https://openvpn.net/index.php/open-source/documentation/howto.html to set up the server and client keys.
  3. Edit the OpenVPN server configuration file and add the lines below:
    push "route 172.168.0.0 255.255.255.0"
    client-config-dir /etc/openvpn/ccd
    route 10.0.0.0 255.255.255.0
  4. Create a ccd file for the client. Suppose you have configured the client name (the common name of its certificate) as 'client1'; then create a file called /etc/openvpn/ccd/client1 containing the line below:
    iroute 10.0.0.0 255.255.255.0
  5. Start the OpenVPN server.
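The subnet host route, the server configuration lines and the ccd file above all have to agree with each other, and the most common mistake is a server `route` without a matching `iroute` in a ccd file (the server then pushes office-bound packets into the tunnel but OpenVPN has no client to hand them to). The script below is an added example, not code from the OpenContrail wiki or the OpenVPN project: it builds all three pieces from the addresses used on this page (office 10.0.0.0/24, cloud 172.168.0.0/24, server VM 172.168.0.2, client name 'client1'), rejects address combinations that cannot work, and cross-checks the generated `route` and `iroute` lines. The function names and the use of the `ipaddress` module are my own choices.

```python
"""Build and cross-check the routing pieces of the site-to-site setup.

Added example; the addresses are the ones assumed on this page and the
function names are my own.
"""
import ipaddress
import re


def plan_site_to_site(office_cidr, cloud_cidr, server_ip, client_cn="client1"):
    """Return (neutron host route, server.conf lines, ccd files) for the setup.

    Raises ValueError when the addresses cannot work together.
    """
    office = ipaddress.ip_network(office_cidr, strict=True)
    cloud = ipaddress.ip_network(cloud_cidr, strict=True)
    server = ipaddress.ip_address(server_ip)

    # The host route's nexthop must be inside the cloud subnet, otherwise
    # the cloud VMs have no way to reach the OpenVPN server VM.
    if server not in cloud:
        raise ValueError(f"nexthop {server} is not inside {cloud}")
    # Overlapping subnets make the pushed routes ambiguous on every host.
    if office.overlaps(cloud):
        raise ValueError(f"{office} overlaps {cloud}")

    # Same content as `--host-route destination=...,nexthop=...` on the CLI.
    host_route = {"destination": str(office), "nexthop": str(server)}

    # OpenVPN directives take "network netmask", not CIDR notation.
    office_nm = f"{office.network_address} {office.netmask}"
    cloud_nm = f"{cloud.network_address} {cloud.netmask}"

    server_conf = [
        f'push "route {cloud_nm}"',        # client learns how to reach the cloud subnet
        "client-config-dir /etc/openvpn/ccd",
        f"route {office_nm}",              # server VM kernel sends office traffic into tun
    ]
    # iroute tells the OpenVPN daemon which connected client owns the office subnet.
    ccd = {f"/etc/openvpn/ccd/{client_cn}": [f"iroute {office_nm}"]}
    return host_route, server_conf, ccd


def neutron_host_route_arg(host_route):
    """Render the host route as the value passed to `--host-route`."""
    return f"destination={host_route['destination']},nexthop={host_route['nexthop']}"


_ROUTE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)")
_IROUTE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)")


def missing_iroutes(server_conf, ccd):
    """Return server `route` networks that no ccd file claims with `iroute`."""
    routes = set()
    for line in server_conf:
        m = _ROUTE.match(line)          # does not match `push "route ..."` or `iroute`
        if m:
            routes.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    claimed = set()
    for lines in ccd.values():
        for line in lines:
            m = _IROUTE.match(line)
            if m:
                claimed.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return sorted(str(n) for n in routes - claimed)


if __name__ == "__main__":
    hr, conf, ccd = plan_site_to_site("10.0.0.0/24", "172.168.0.0/24", "172.168.0.2")
    print("neutron ... --host-route", neutron_host_route_arg(hr))
    print("\n".join(conf))
    for path, lines in ccd.items():
        print(f"{path}: {lines[0]}")
    print("routes without iroute:", missing_iroutes(conf, ccd))
    print("routes without iroute if the ccd file is forgotten:", missing_iroutes(conf, {}))
```

Run it before touching the VM: if `missing_iroutes` reports the office subnet, the ccd file is missing or its `iroute` line does not match the server's `route` line, and return traffic from the cloud VMs will be dropped by OpenVPN even though the tunnel itself comes up.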

Setting up OpenVPN client in the office/private network

You can set up the OpenVPN client either on a physical machine or on a virtual machine. Below are the steps in brief.

  1. Install OpenVPN on the client machine.
  2. Copy all the required OpenVPN keys to the client machine.
  3. Edit the OpenVPN client configuration file and add the IP address of the OpenVPN server (the floating IP of the server VM).
  4. Start the OpenVPN client.
  5. Configure your private network so that all traffic to the cloud private network (172.168.0.0/24) is routed to the OpenVPN client machine.

Testing the setup

You should now be able to ping and/or ssh to your VMs (or to the host machines in the office/private network) directly using their internal IPs. Check that the security group applied to the cloud private network ports allows ICMP (and any other protocol you test with) from the office/private subnet.