[Openstack] VPNaaS

Oleg Lodygensky oleg.lodygensky at lal.in2p3.fr
Mon Apr 11 11:14:49 UTC 2016


dear all,
I am trying to compare OpenVPN and VPNaaS usage in OpenStack.


I want to be able to create a VPN between VMs deployed in a single Openstack cloud to ensure communication privacy and security.
I also want to be able to connect with my PC to the VPN.


To use OpenVPN, post-install scripts work well:
-A- I can see 2 interfaces on each VM: the public one and the one associated with the VPN
-B- my own PC can easily join



I want to do the same using VPNaaS (the script is below)
But:
-1- VPN is created but its status is « DOWN »
-2- I don’t see any VPN interface inside VMs
-3- I don’t understand how my PC could join the VPN



Any help welcome,
Oleg Lodygensky







usage() {
	# Prints the command synopsis (script name, verb, config name) and
	# terminates the script with status 1.
	printf '%s\n' "Usage: $0 [start | stop | status] <configName>"
	exit 1
}

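writeVariable() {
	#######################################
	# Appends one line to the config file. Callers pass a "KEY=VALUE"
	# string; stop() later sources that file, so each line is executed as a
	# shell assignment.
	# Arguments: $* - the text to append (joined by single spaces)
	# Globals:   CONFIG_FILE (read) - path of the config file
	# Outputs:   appends one line to CONFIG_FILE
	#######################################
	# "$*" and printf keep the text literal: the original unquoted echo $*
	# would glob-expand a value such as "*" and mangle backslashes.
	printf '%s\n' "$*" >> "${CONFIG_FILE}"
}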

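start() {
	#######################################
	# Builds the demo topology and records every created name in the config
	# file so stop() can tear it down: two networks (each with a subnet and
	# a router attached to "public"), one VM per network with a floating
	# IP, an IKE policy, an IPsec policy and one VPN service on
	# router1/subnet1.
	# Arguments: $1 - verb (unused here)
	#            $2 - config name; also used as the config file path
	# Globals:   CONFIG_NAME, CONFIG_FILE (written; writeVariable appends
	#            to CONFIG_FILE)
	#            VPNAAS_KEY_NAME, VPNAAS_FLAVOR, VPNAAS_IMAGE (read, optional
	#            overrides of the nova boot parameters)
	# Returns:   exits 1 if the config file already exists; otherwise 0
	#######################################
	local net1 subnet1 router1 net2 subnet2 router2
	local private_net1 private_net2 vm1 vm2 floatingip1 floatingip2
	local ikepolicy ipsecpolicy vpnservice connection
	local key_name flavor image

	CONFIG_NAME=$2
	CONFIG_FILE=$2
	if [ -f "${CONFIG_FILE}" ] ; then
		echo "VPNAAS error : config already exist. Cowardingly refusing to overwrite it"
		exit 1
	fi

	touch "${CONFIG_FILE}"

	# nova boot parameters; overridable from the environment, the defaults
	# are the values the script originally hard-coded.
	key_name=${VPNAAS_KEY_NAME:-os-77345-demo}
	flavor=${VPNAAS_FLAVOR:-2}
	image=${VPNAAS_IMAGE:-ubuntu14}

	# Each resource is recorded in the config file only if its create
	# command succeeded, so stop() only deletes what actually exists.
	net1="${CONFIG_NAME}_net1"
	neutron net-create "${net1}" && writeVariable "NET1=${net1}"
	subnet1="${CONFIG_NAME}_subnet1"
	neutron subnet-create --name "${subnet1}" "${net1}" 10.100.0.0/24 --gateway 10.100.0.1 && writeVariable "SUBNET1=${subnet1}"
	router1="${CONFIG_NAME}_router1"
	neutron router-create "${router1}" && writeVariable "ROUTER1=${router1}"
	neutron router-interface-add "${router1}" "${subnet1}"
	neutron router-gateway-set "${router1}" public

	net2="${CONFIG_NAME}_net2"
	neutron net-create "${net2}" && writeVariable "NET2=${net2}"
	subnet2="${CONFIG_NAME}_subnet2"
	neutron subnet-create --name "${subnet2}" "${net2}" 20.200.0.0/24 --gateway 20.200.0.2 && writeVariable "SUBNET2=${subnet2}"
	router2="${CONFIG_NAME}_router2"
	neutron router-create "${router2}" && writeVariable "ROUTER2=${router2}"
	neutron router-interface-add "${router2}" "${subnet2}"
	neutron router-gateway-set "${router2}" public

	# The network id is taken from the net-list row containing the name.
	# -F keeps the name literal (it is user-supplied), but this is still a
	# substring match: CONFIG_NAME must not be a prefix of another network
	# name in the tenant.
	private_net1=$(neutron net-list | grep -F -- "${net1}" | cut -f 2 -d' ')
	vm1="${CONFIG_NAME}_vm1"
	nova boot --key-name "${key_name}" --flavor "${flavor}" --image "${image}" --nic "net-id=${private_net1}" "${vm1}" && writeVariable "VM1=${vm1}"
	# Fourth column of the floating-ip-create table, header rows skipped.
	floatingip1=$(nova floating-ip-create | grep -vE 'Pool|--' | cut -d ' ' -f 4)
	nova add-floating-ip "${vm1}" "${floatingip1}" && writeVariable "FLOATINGIP1=${floatingip1}"

	private_net2=$(neutron net-list | grep -F -- "${net2}" | cut -f 2 -d' ')
	vm2="${CONFIG_NAME}_vm2"
	nova boot --key-name "${key_name}" --flavor "${flavor}" --image "${image}" --nic "net-id=${private_net2}" "${vm2}" && writeVariable "VM2=${vm2}"
	floatingip2=$(nova floating-ip-create | grep -vE 'Pool|--' | cut -d ' ' -f 4)
	nova add-floating-ip "${vm2}" "${floatingip2}" && writeVariable "FLOATINGIP2=${floatingip2}"

	# Create VPN connections
	ikepolicy="${CONFIG_NAME}_ikepolicy"
	neutron vpn-ikepolicy-create "${ikepolicy}" && writeVariable "IKEPOLICY=${ikepolicy}"
	ipsecpolicy="${CONFIG_NAME}_ipsecpolicy"
	neutron vpn-ipsecpolicy-create "${ipsecpolicy}" && writeVariable "IPSECPOLICY=${ipsecpolicy}"
	vpnservice="${CONFIG_NAME}_vpnservice"
	# Only one VPN service is created, on router1/subnet1; nothing is
	# created on router2 and the site connection below is commented out,
	# so the service has no peer to negotiate with. That is consistent
	# with it staying DOWN — TODO confirm against the neutron agent logs.
	neutron vpn-service-create --name "${vpnservice}" --description "Mon service VPN1" "${router1}" "${subnet1}" && writeVariable "VPNSERVICE=${vpnservice}"

	# shellcheck disable=SC2034 — referenced by the commented command below
	connection="${CONFIG_NAME}_connection"
	# NOTE(review): in the commented command --peer-cidr equals this
	# service's own subnet (10.100.0.0/24); for a tunnel towards router2 it
	# presumably should be the remote side's range. The pre-shared key is
	# also a literal on the command line, where it lands in the shell
	# history and the process list; read it from the environment or a
	# file instead when this is enabled.
#	neutron ipsec-site-connection-create --name ${connection} --vpnservice-id ${vpnservice} \
#	   --ikepolicy-id ${ikepolicy} --ipsecpolicy-id ${ipsecpolicy} --peer-address 172.24.4.227 \
#	   --peer-id 172.24.4.227 --peer-cidr 10.100.0.0/24 --psk secret && writeVariable "CONNECTION=${connection}"

	# Drop the config file again if nothing was recorded. Written as an
	# if so that a non-empty file (the success case) no longer makes this
	# function — and therefore the script — return status 1.
	if [ ! -s "${CONFIG_FILE}" ] ; then
		rm -f "${CONFIG_FILE}"
	fi
}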

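stop() {
	#######################################
	# Tears down everything start() recorded in the config file, then
	# removes the file.
	# Arguments: $1 - verb (unused here)
	#            $2 - config name / config file path
	# Globals:   CONFIG_FILE (written); VM1, VM2, FLOATINGIP1, FLOATINGIP2,
	#            CONNECTION, VPNSERVICE, IPSECPOLICY, IKEPOLICY, ROUTER1,
	#            ROUTER2, SUBNET1, SUBNET2, NET1, NET2 are loaded by sourcing
	#            the config file
	# Returns:   exits 1 if the config file does not exist
	#######################################
	local port

	CONFIG_FILE=$2
	if [ ! -f "${CONFIG_FILE}" ] ; then
		echo "VPNAAS \"${CONFIG_FILE}\" error : config not found"
		exit 1
	fi

	# The config file is executed as shell code. For a bare name (no
	# slash) `.` searches PATH before the working directory, so anchor it
	# to ./ to be sure the file checked above is the one sourced.
	case "${CONFIG_FILE}" in
		*/*) . "${CONFIG_FILE}" ;;
		*)   . "./${CONFIG_FILE}" ;;
	esac

	nova delete "${VM1}"
	nova delete "${VM2}"

	nova floating-ip-delete "${FLOATINGIP1}"
	nova floating-ip-delete "${FLOATINGIP2}"

	# CONNECTION is only written by start() if the (currently commented
	# out) site-connection create is enabled, so skip the delete when the
	# config file did not set it.
	if [ -n "${CONNECTION}" ] ; then
		neutron ipsec-site-connection-delete "${CONNECTION}"
	fi
	neutron vpn-service-delete "${VPNSERVICE}"

	neutron vpn-ipsecpolicy-delete "${IPSECPOLICY}"
	neutron vpn-ikepolicy-delete "${IKEPOLICY}"

	# NOTE(review): this removes every port `neutron port-list` returns for
	# the tenant, not only the ports on NET1/NET2 — confirm that is
	# intended before running it in a shared project.
	for port in $(neutron port-list | grep -vE 'fixed_ips|--' | cut -f 2 -d' ') ; do
		neutron port-delete "${port}"
	done

	neutron router-interface-delete "${ROUTER2}" "${SUBNET2}"
	neutron router-delete "${ROUTER2}"
	neutron net-delete "${NET2}"

	neutron router-interface-delete "${ROUTER1}" "${SUBNET1}"
	neutron router-delete "${ROUTER1}"
	neutron net-delete "${NET1}"

	rm -f "${CONFIG_FILE}"
}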

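status() {
	#######################################
	# Reports a config as started and prints its recorded resources.
	# Arguments: $1 - verb (unused here)
	#            $2 - config name / config file path
	# Globals:   CONFIG_FILE (written)
	# Outputs:   a "started" line followed by the config file contents
	# Returns:   exits 1 if the config file does not exist
	#######################################
	CONFIG_FILE=$2
	if [ ! -f "${CONFIG_FILE}" ] ; then
		echo "VPNAAS \"${CONFIG_FILE}\" error : config not found"
		exit 1
	fi

	# "started" only means the config file exists; no API call is made to
	# check the resources themselves.
	echo "VNPAAS \"${CONFIG_FILE}\": started"
	cat -- "${CONFIG_FILE}"
}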

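# Entry point: exactly two arguments are required (verb and config name).
# The whole argument list is forwarded so each action reads the config
# name from $2.
[ $# -ne 2 ] && usage

case "$1" in
	"start" )
		start "$@"
		;;
	"stop" )
		stop "$@"
		;;
	"status" )
		status "$@"
		;;
	* )
		# An unknown verb used to fall through silently with status 0.
		usage
		;;
esac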

