Neutron/VPNaaS/HowToInstall
Installation
- apt-get install strongswan
- Replace binary neutron-l3-agent with neutron-vpn-agent
Note: you can use the work-in-progress DevStack support for VPNaaS. The DevStack review is here -> https://review.openstack.org/#/c/32174/ (WIP)
git clone https://github.com/openstack-dev/devstack.git
cd devstack
git review -d 32174
Set localrc (note that the q-vpn service is added):
DEST=/opt/stack
disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron
enable_service tempest
enable_service q-vpn
API_RATE_LIMIT=False
VOLUME_BACKING_FILE_SIZE=4G
FIXED_RANGE=10.1.0.0/24
FIXED_NETWORK_SIZE=256
VIRT_DRIVER=libvirt
SWIFT_REPLICAS=1
export OS_NO_CACHE=True
SCREEN_LOGDIR=/opt/stack/screen-logs
SYSLOG=True
SKIP_EXERCISES=boot_from_volume,client-env
ROOTSLEEP=0
ACTIVE_TIMEOUT=60
Q_USE_SECGROUP=True
BOOT_TIMEOUT=90
ASSOCIATE_TIMEOUT=60
ADMIN_PASSWORD=openstack
MYSQL_PASSWORD=openstack
RABBIT_PASSWORD=openstack
SERVICE_PASSWORD=openstack
SERVICE_TOKEN=tokentoken
Q_PLUGIN=openvswitch
Q_USE_DEBUG_COMMAND=True
NETWORK_GATEWAY=10.1.0.1
- Checkout Test branches
Neutron : https://review.openstack.org/#/c/33148/
Neutron client : https://review.openstack.org/#/c/29811/
- Run Devstack
./stack.sh
- Install the neutron client code from source (DevStack installs the packaged version of the clients)
cd /opt/stack/python-neutronclient
sudo python setup.py develop
Using Two DevStack Nodes for Testing
You can use two DevStack nodes connected by a common "public" network to test VPNaaS. The second node can be set up with the same public network as the first node, except it will use a different gateway IP (and hence router IP). In this example, we'll assume we have two DevStack nodes (East and West), each running on hardware (you can do the same thing with multiple VM guests, if desired).
Example Topology
A dedicated physical port can be used for the "public" network connection (e.g. eth2) interconnected by a physical switch. You'll need to add the port to the OVS bridge on each DevStack node (e.g. sudo ovs-vsctl add-port br-ex eth2).
(10.1.0.0/24 - DevStack East)
        |
        | 10.1.0.1
 [Quantum Router]
        | 172.24.4.226
        |
        | 172.24.4.225
  [Internet GW]
        |
        |
  [Internet GW]
        | 172.24.4.232
        |
        | 172.24.4.233
 [Quantum Router]
        | 10.2.0.1
        |
(10.2.0.0/24 - DevStack West)
DevStack Configuration
For East you can use a stock localrc configuration, which will give you a private net of 10.1.0.0/24 and public network of 172.24.4.0/24. Just to make configuration easier, you can name the subnets with:
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
For West you can add these lines to localrc to use a different local network and a different public gateway (and implicitly router) IP:
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
PUBLIC_NETWORK_GATEWAY=172.24.4.232
VPNaaS Configuration
With DevStack running on East and West and connectivity confirmed (make sure you can ping one router/GW from the other), you can perform these VPNaaS CLI commands.
On East
neutron vpn-ikepolicy-create --name ikepolicy1
neutron vpn-ipsecpolicy-create --name ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
neutron vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.233 --peer_id 172.24.4.233 --peer_cidrs list=true 10.2.0.0/24 --psk secret
On West
neutron vpn-ikepolicy-create --name ikepolicy1
neutron vpn-ipsecpolicy-create --name ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" --subnet-id mysubnet --router_id router1
neutron vpn-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer_address 172.24.4.226 --peer_id 172.24.4.226 --peer_cidrs list=true 10.1.0.0/24 --psk secret
Verification
You can spin up VMs on each node, and then from the VM ping the far end router's public IP. With tcpdump running on one of the nodes, you can see that pings appear as encrypted packets (ESP). Note that BOOTP, IGMP, and the keepalive packets between the two nodes are not encrypted (nor are pings between the two external IP addresses).
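To make the tcpdump check above repeatable, here is an added example (not part of the original wiki page) that classifies tcpdump text output captured on the "public" interface: it counts ESP packets exchanged between the two router public IPs and flags any packet carrying a tenant-subnet address (10.1.0.x or 10.2.0.x) in the clear, which would mean traffic is bypassing the tunnel. The peer IPs and subnet prefixes are taken from the topology on this page; the capture lines are constructed samples of the tcpdump format, not real captures, and the script name vpn_check.sh is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a tcpdump capture from the public interface of a
# VPNaaS node. Values below match the topology on this page (assumed, adjust
# to your own deployment).
EAST_PUB=172.24.4.226   # East Quantum router public IP
WEST_PUB=172.24.4.233   # West Quantum router public IP

# Constructed sample lines in `tcpdump -n -i eth2` text format (not real traffic).
# Expected healthy view: ESP between the peers, IKE on UDP/500, and the
# plaintext ping between the two external IPs that the page says is normal.
SAMPLE_CAPTURE_OK='12:00:01.000001 IP 172.24.4.226 > 172.24.4.233: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.000900 IP 172.24.4.233 > 172.24.4.226: ESP(spi=0x0d3c2b1a,seq=0x1), length 132
12:00:02.000001 IP 172.24.4.226.500 > 172.24.4.233.500: isakmp: phase 2/others ? #6[E]: [|v2I]
12:00:03.000001 IP 172.24.4.226 > 172.24.4.233: ICMP echo request, id 7, seq 1, length 64'

# Same capture plus one packet that exposes tenant addresses on the public wire.
SAMPLE_CAPTURE_LEAK="$SAMPLE_CAPTURE_OK
12:00:04.000001 IP 10.1.0.3 > 10.2.0.5: ICMP echo request, id 9, seq 1, length 64"

# count_esp CAPTURE -> number of ESP packets between the two router public IPs.
# tcpdump field layout: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:", $6 protocol.
count_esp() {
    printf '%s\n' "$1" | awk -v a="$EAST_PUB" -v b="$WEST_PUB" '
        $2 == "IP" && $6 ~ /^ESP\(/ {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if ((src == a && dst == b) || (src == b && dst == a)) n++
        }
        END { print n + 0 }'
}

# count_tenant_cleartext CAPTURE -> number of packets whose source or
# destination is a tenant address (10.1.0.x / 10.2.0.x). On the public
# interface such packets should only ever appear inside ESP, never in the clear.
count_tenant_cleartext() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (src ~ /^10\.[12]\.0\./ || dst ~ /^10\.[12]\.0\./) n++
        }
        END { print n + 0 }'
}

# tunnel_check CAPTURE -> exit 0 when ESP is flowing and no tenant address
# was seen in the clear, exit 1 otherwise.
tunnel_check() {
    esp=$(count_esp "$1")
    leak=$(count_tenant_cleartext "$1")
    if [ "$esp" -gt 0 ] && [ "$leak" -eq 0 ]; then
        echo "OK: $esp ESP packets between peers, no tenant addresses in the clear"
        return 0
    fi
    echo "FAIL: esp=$esp cleartext_tenant_packets=$leak"
    return 1
}

# Usage on a node: sudo tcpdump -n -i eth2 -c 200 > capture.txt; sh vpn_check.sh capture.txt
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    tunnel_check "$(cat "$1")"
fi
```

Run it against a capture taken while a VM on one side pings the other side; a FAIL with cleartext tenant packets usually means the peer_cidrs on one end do not cover the subnet being pinged, or the connection never reached ACTIVE, so the router forwarded the traffic unprotected.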
Horizon Support
- Checkout Test branch
Horizon: https://review.openstack.org/#/c/34882/
- Enable VPN section in Horizon
NOTE: Currently this code is not working because of the renaming to neutron. Please use the CLI for testing.
Open /opt/stack/horizon/openstack_dashboard/local/local_settings.py
and replace
OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': False,
}
with
OPENSTACK_QUANTUM_NETWORK = {
    'enable_vpn': True,
}
- Restart Apache to start using the VPN section
- Test user scenarios