Configure VPN for cloud applications
TechPreview
This tutorial walks you through configuring a Virtual Private Network (VPN) for your cloud applications using the VPNaaS extension for the MOSK Networking service (OpenStack Neutron).
Overview
The VPN extension to the Networking service (OpenStack Neutron) lets you extend your OpenStack private networks securely over the internet to remote sites or devices. Encrypted tunnels, such as IPsec, and VPN policies are managed from the Networking service (OpenStack Neutron) API/CLI, so you get secure connectivity without deploying or operating dedicated VPN virtual machines (VMs). Typical use cases include connecting branch offices to cloud workloads, linking on-premises data centers to the cloud (hybrid cloud), and giving remote users or applications secure access to private networks.
The VPNaaS extension for the Networking service is not enabled by default. Contact the operator of your MOSK cloud to enable it. See Reference Architecture: VPNaaS for details.
Example application topology
As a reference, this tutorial uses an example application deployed in the following topology:
The example includes four VMs, each on its own network. Two networks (left A and left B) attach to the left_router router; the other two (right A and right B) attach to the right_router router. The networks use non-overlapping address pools, and left_router and right_router reach each other over the public network. The left and right sites can be located in different OpenStack clouds or in the same cloud.
VM1 has a floating IP for public access, so you can manage it remotely over SSH.
Set up the example application
Before running the commands below, ensure that your OpenStack project has a test_key keypair available. If you do not have one, create it.
Execute the following commands to set up the example application:
openstack network create left_net_A
openstack network create left_net_B
openstack network create right_net_A
openstack network create right_net_B
openstack subnet create left_subnet_A --network left_net_A --subnet-range 10.0.10.0/24 --allocation-pool start=10.0.10.2,end=10.0.10.20
openstack subnet create left_subnet_B --network left_net_B --subnet-range 192.168.10.0/24 --allocation-pool start=192.168.10.2,end=192.168.10.20
openstack subnet create right_subnet_A --network right_net_A --subnet-range 192.168.1.0/24 --allocation-pool start=192.168.1.2,end=192.168.1.20
openstack subnet create right_subnet_B --network right_net_B --subnet-range 10.0.20.0/24 --allocation-pool start=10.0.20.2,end=10.0.20.20
openstack router create left_router --external-gateway public
openstack router create right_router --external-gateway public
openstack router add subnet left_router left_subnet_A
openstack router add subnet left_router left_subnet_B
openstack router add subnet right_router right_subnet_A
openstack router add subnet right_router right_subnet_B
openstack security group create test_sg
openstack security group rule create test_sg --remote-ip 0.0.0.0/0
openstack port create --network left_net_A --fixed-ip subnet=left_subnet_A,ip-address=10.0.10.22 --security-group test_sg vm_port_1
openstack port create --network left_net_B --fixed-ip subnet=left_subnet_B,ip-address=192.168.10.22 --security-group test_sg vm_port_2
openstack port create --network right_net_A --fixed-ip subnet=right_subnet_A,ip-address=192.168.1.22 --security-group test_sg vm_port_3
openstack port create --network right_net_B --fixed-ip subnet=right_subnet_B,ip-address=10.0.20.22 --security-group test_sg vm_port_4
openstack floating ip create --port vm_port_1 public
for i in {1..4}; do \
openstack server create --image Cirros-6.0 --flavor m1.tiny --key-name test_key --port vm_port_${i} vm${i}; \
done
At this point, VM1 can reach VM2 over the private network but cannot reach VM3 or VM4. You can verify this by connecting to VM1 over SSH using its floating IP and pinging the other VMs.
Configure VPN connection
Now, let’s create the VPN connection between the left and right sites. First, configure the left site:
Create an IKE policy. Mirantis recommends creating an IKEv2 policy:
openstack vpn ike policy create --ike-version v2 ikepolicy
Example of a positive system response:
+-------------------------------+--------------------------------------+
| Field                         | Value                                |
+-------------------------------+--------------------------------------+
| Authentication Algorithm      | sha1                                 |
| Description                   |                                      |
| Encryption Algorithm          | aes-128                              |
| ID                            | 73149df6-6456-488d-9dfa-f436e5b978f9 |
| IKE Version                   | v2                                   |
| Lifetime                      | {'units': 'seconds', 'value': 3600}  |
| Name                          | ikepolicy                            |
| Perfect Forward Secrecy (PFS) | group5                               |
| Phase1 Negotiation Mode       | main                                 |
| Project                       | 04bdc8666b4a4defad6455a28f548ebd     |
+-------------------------------+--------------------------------------+
Create an IPsec policy:
openstack vpn ipsec policy create ipsecpolicy
Example of a positive system response:
+-------------------------------+--------------------------------------+
| Field                         | Value                                |
+-------------------------------+--------------------------------------+
| Authentication Algorithm      | sha1                                 |
| Description                   |                                      |
| Encapsulation Mode            | tunnel                               |
| Encryption Algorithm          | aes-128                              |
| ID                            | 92057a07-d011-4fe5-bd71-a62d619aca58 |
| Lifetime                      | {'units': 'seconds', 'value': 3600}  |
| Name                          | ipsecpolicy                          |
| Perfect Forward Secrecy (PFS) | group5                               |
| Project                       | 04bdc8666b4a4defad6455a28f548ebd     |
| Transform Protocol            | esp                                  |
+-------------------------------+--------------------------------------+
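The two policies above were created without any algorithm flags, so they negotiate what the CLI defaults to: SHA-1 integrity, AES-128 and PFS group5. The following Python script is an added example, not part of the MOSK documentation or of the OpenStack client. It reads the JSON form of the policy (what `openstack vpn ike policy show ikepolicy -f json` prints; here a constructed sample copied from the tables above), reports every parameter below a baseline that is an assumption of this example, and builds the `openstack vpn ike policy create` / `openstack vpn ipsec policy create` command that recreates the policy with stronger values through the `--auth-algorithm`, `--encryption-algorithm` and `--pfs` flags.

```python
"""Audit IKE/IPsec policy parameters from `openstack vpn ... policy show -f json`.

Added example for this tutorial; not part of the MOSK documentation or the
OpenStack client. BASELINE and RECOMMENDED are assumptions of this example.
"""
import json
import shlex

# Assumption of this example: values accepted without a finding.
BASELINE = {
    "Authentication Algorithm": ("sha256", "sha384", "sha512"),
    "Encryption Algorithm": ("aes-256",),
    "Perfect Forward Secrecy (PFS)": ("group14",),
}

# Flag of `openstack vpn {ike,ipsec} policy create` for each audited field, and
# the value substituted when the field is below BASELINE.
RECOMMENDED = {
    "Authentication Algorithm": ("--auth-algorithm", "sha256"),
    "Encryption Algorithm": ("--encryption-algorithm", "aes-256"),
    "Perfect Forward Secrecy (PFS)": ("--pfs", "group14"),
}

# Constructed samples: the two default policies created above, in the shape
# `-f json` prints them (values copied from the tables in this tutorial).
IKE_POLICY_JSON = json.dumps({
    "Authentication Algorithm": "sha1",
    "Description": "",
    "Encryption Algorithm": "aes-128",
    "ID": "73149df6-6456-488d-9dfa-f436e5b978f9",
    "IKE Version": "v2",
    "Lifetime": {"units": "seconds", "value": 3600},
    "Name": "ikepolicy",
    "Perfect Forward Secrecy (PFS)": "group5",
    "Phase1 Negotiation Mode": "main",
})
IPSEC_POLICY_JSON = json.dumps({
    "Authentication Algorithm": "sha1",
    "Description": "",
    "Encapsulation Mode": "tunnel",
    "Encryption Algorithm": "aes-128",
    "ID": "92057a07-d011-4fe5-bd71-a62d619aca58",
    "Lifetime": {"units": "seconds", "value": 3600},
    "Name": "ipsecpolicy",
    "Perfect Forward Secrecy (PFS)": "group5",
    "Transform Protocol": "esp",
})


def audit_policy(policy_json):
    """Return {field: current value} for every audited field below BASELINE."""
    policy = json.loads(policy_json)
    return {
        field: policy.get(field)
        for field, accepted in BASELINE.items()
        if policy.get(field) not in accepted
    }


def suggest_create_command(kind, policy_json, new_name):
    """Build the `openstack vpn <kind> policy create` command that recreates the
    policy with every below-baseline field replaced by its RECOMMENDED value.

    kind is "ike" or "ipsec". Fields already at baseline keep their value, and
    an IKE policy keeps its IKE version (v2 in this tutorial). The caller then
    creates the new policy and references it from the site connection.
    """
    if kind not in ("ike", "ipsec"):
        raise ValueError("kind must be 'ike' or 'ipsec'")
    policy = json.loads(policy_json)
    findings = audit_policy(policy_json)
    args = ["openstack", "vpn", kind, "policy", "create"]
    for field, (flag, strong) in RECOMMENDED.items():
        args += [flag, strong if field in findings else policy[field]]
    if kind == "ike":
        args += ["--ike-version", policy.get("IKE Version", "v2")]
    args.append(new_name)
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for kind, sample in (("ike", IKE_POLICY_JSON), ("ipsec", IPSEC_POLICY_JSON)):
        findings = audit_policy(sample)
        for field, value in findings.items():
            print(f"{kind}: {field} = {value} is below baseline")
        if findings:
            print("  suggested:", suggest_create_command(kind, sample, f"{kind}policy_strong"))
```

Run it against real output by piping `openstack vpn ike policy show ikepolicy -f json` into `json.loads` in place of the constructed sample; the generated command is printed, not executed, so you can review it before creating the policy.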
Create a VPN service:
openstack vpn service create left_vpn --router left_router
Example of a positive system response:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| Description |                                      |
| Ext v4 IP   | 10.11.12.123                         |
| Ext v6 IP   | 1001:db8:0:2::168                    |
| Flavor      | None                                 |
| ID          | 85b42ff5-5b7a-4ec6-835b-f2bc2f75e999 |
| Name        | left_vpn                             |
| Project     | 04bdc8666b4a4defad6455a28f548ebd     |
| Router      | 3ff8886c-ecde-48b6-8771-890efa22c741 |
| State       | True                                 |
| Status      | PENDING_CREATE                       |
| Subnet      | None                                 |
+-------------+--------------------------------------+
Create a local endpoint group:
openstack vpn endpoint group create --type subnet --value left_subnet_A --value left_subnet_B left_ep_subnet
Example of a positive system response:
+-------------+----------------------------------------------------------------------------------+
| Field       | Value                                                                            |
+-------------+----------------------------------------------------------------------------------+
| Description |                                                                                  |
| Endpoints   | ['37acd5b8-9c27-4308-96f4-45fd67213abf', 'b40e62b6-3486-4865-a756-8db58c5b8b86'] |
| ID          | 22981be4-b35b-4ebf-9e17-ed88db2f3524                                             |
| Name        | left_ep_subnet                                                                   |
| Project     | 04bdc8666b4a4defad6455a28f548ebd                                                 |
| Type        | subnet                                                                           |
+-------------+----------------------------------------------------------------------------------+
Create a peer endpoint group:
openstack vpn endpoint group create --type cidr --value 192.168.1.0/24 --value 10.0.20.0/24 left_ep_cidr
Example of a positive system response:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| Description |                                      |
| Endpoints   | ['10.0.20.0/24', '192.168.1.0/24']   |
| ID          | 1050a48b-2f1d-426c-b1c7-e99cfcf7f3cd |
| Name        | left_ep_cidr                         |
| Project     | 04bdc8666b4a4defad6455a28f548ebd     |
| Type        | cidr                                 |
+-------------+--------------------------------------+
Repeat steps 1-5 for the right site. If you are configuring VPN between networks residing in a single OpenStack cloud, you can skip the IKE and IPsec policy steps (steps 1 and 2) because both sites share the policies created above:
openstack vpn service create right_vpn --router right_router
openstack vpn endpoint group create --type subnet --value right_subnet_A --value right_subnet_B right_ep_subnet
openstack vpn endpoint group create --type cidr --value 192.168.10.0/24 --value 10.0.10.0/24 right_ep_cidr
Create a passphrase for the VPN site connections. In our example, we are using a simple word, mysecret, but in production it should be a strong passphrase.
Obtain the external IPv4 address of the right_vpn service. It is needed to configure the VPN connection in the left site:
openstack vpn service show right_vpn -c "Ext v4 IP" -f value
Example of a positive system response:
10.11.12.185
Create an IPsec site connection to the right router:
openstack vpn ipsec site connection create left_connection \
  --vpnservice left_vpn \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address 10.11.12.185 \
  --peer-id 10.11.12.185 \
  --psk mysecret \
  --local-endpoint-group left_ep_subnet \
  --peer-endpoint-group left_ep_cidr
Example of a positive system response:
+--------------------------+----------------------------------------------------+
| Field                    | Value                                              |
+--------------------------+----------------------------------------------------+
| Authentication Algorithm | psk                                                |
| DPD                      | {'action': 'hold', 'interval': 30, 'timeout': 120} |
| Description              |                                                    |
| ID                       | 6d5a801c-42b6-4b37-8c1a-391d2b2609c4               |
| IKE Policy               | 73149df6-6456-488d-9dfa-f436e5b978f9               |
| IPSec Policy             | 92057a07-d011-4fe5-bd71-a62d619aca58               |
| Initiator                | bi-directional                                     |
| Local Endpoint Group ID  | 22981be4-b35b-4ebf-9e17-ed88db2f3524               |
| Local ID                 |                                                    |
| MTU                      | 1500                                               |
| Name                     | left_connection                                    |
| Peer Address             | 10.11.12.185                                       |
| Peer CIDRs               |                                                    |
| Peer Endpoint Group ID   | 1050a48b-2f1d-426c-b1c7-e99cfcf7f3cd               |
| Peer ID                  | 10.11.12.185                                       |
| Pre-shared Key           | mysecret                                           |
| Project                  | 04bdc8666b4a4defad6455a28f548ebd                   |
| Route Mode               | static                                             |
| State                    | True                                               |
| Status                   | PENDING_CREATE                                     |
| VPN Service              | 85b42ff5-5b7a-4ec6-835b-f2bc2f75e999               |
+--------------------------+----------------------------------------------------+
Repeat steps 8 and 9 in the right site:
openstack vpn service show left_vpn -c "Ext v4 IP" -f value
openstack vpn ipsec site connection create right_connection \
  --vpnservice right_vpn \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address 10.11.12.123 \
  --peer-id 10.11.12.123 \
  --psk mysecret \
  --local-endpoint-group right_ep_subnet \
  --peer-endpoint-group right_ep_cidr
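A common reason for a site connection that never leaves PENDING_CREATE or goes DOWN is that the two sides disagree on traffic selectors: each side's peer endpoint group must list exactly the prefixes the other side declares as its local subnets, and, because the design above does no NAT, the two sites' local prefixes must not overlap. The following Python script is an added example, not part of the MOSK documentation or of the OpenStack client. It checks both properties on constructed samples of the four endpoint groups and subnet CIDRs from this tutorial, shaped like the `-f json` output of `openstack vpn endpoint group show` and `openstack subnet show` (with subnet names standing in for subnet IDs for readability).

```python
"""Check that the left and right IPsec site connections mirror each other.

Added example for this tutorial; not part of the MOSK documentation or the
OpenStack client. The dictionaries below are constructed samples; subnet-type
endpoint groups list subnet names here instead of subnet IDs.
"""
import ipaddress

# Constructed sample: subnet name -> CIDR, as created earlier in this tutorial.
SUBNETS = {
    "left_subnet_A": "10.0.10.0/24",
    "left_subnet_B": "192.168.10.0/24",
    "right_subnet_A": "192.168.1.0/24",
    "right_subnet_B": "10.0.20.0/24",
}

# Constructed samples of the four endpoint groups from this tutorial.
LEFT_LOCAL = {"Name": "left_ep_subnet", "Type": "subnet",
              "Endpoints": ["left_subnet_A", "left_subnet_B"]}
LEFT_PEER = {"Name": "left_ep_cidr", "Type": "cidr",
             "Endpoints": ["192.168.1.0/24", "10.0.20.0/24"]}
RIGHT_LOCAL = {"Name": "right_ep_subnet", "Type": "subnet",
               "Endpoints": ["right_subnet_A", "right_subnet_B"]}
RIGHT_PEER = {"Name": "right_ep_cidr", "Type": "cidr",
              "Endpoints": ["192.168.10.0/24", "10.0.10.0/24"]}


def group_cidrs(group, subnets):
    """Resolve an endpoint group to a set of ip_network objects."""
    if group["Type"] == "subnet":
        values = [subnets[name] for name in group["Endpoints"]]
    elif group["Type"] == "cidr":
        values = group["Endpoints"]
    else:
        raise ValueError(f"unsupported endpoint group type {group['Type']!r}")
    # strict=True rejects prefixes with host bits set (e.g. 10.0.10.1/24),
    # which would make a selector ambiguous.
    return {ipaddress.ip_network(v, strict=True) for v in values}


def check_site_pair(local_a, peer_a, local_b, peer_b, subnets=SUBNETS):
    """Return a list of problems for the connection pair (A, B).

    An empty list means the two connections are consistent with each other.
    """
    a_local, a_peer = group_cidrs(local_a, subnets), group_cidrs(peer_a, subnets)
    b_local, b_peer = group_cidrs(local_b, subnets), group_cidrs(peer_b, subnets)
    problems = []

    def fmt(nets):
        return sorted(str(n) for n in nets)

    # 1. Each side's peer group must equal the other side's local subnets;
    #    otherwise the child SA selectors are rejected, or traffic for the
    #    missing prefix is simply not sent through the tunnel.
    if a_peer != b_local:
        problems.append(f"{peer_a['Name']} {fmt(a_peer)} != local subnets of "
                        f"{local_b['Name']} {fmt(b_local)}")
    if b_peer != a_local:
        problems.append(f"{peer_b['Name']} {fmt(b_peer)} != local subnets of "
                        f"{local_a['Name']} {fmt(a_local)}")

    # 2. Local prefixes of the two sites must not overlap: there is no NAT in
    #    this design, so an overlap makes routing across the tunnel ambiguous.
    for left in sorted(a_local):
        for right in sorted(b_local):
            if left.overlaps(right):
                problems.append(f"{left} ({local_a['Name']}) overlaps "
                                f"{right} ({local_b['Name']})")
    return problems


if __name__ == "__main__":
    for problem in check_site_pair(LEFT_LOCAL, LEFT_PEER, RIGHT_LOCAL, RIGHT_PEER):
        print("PROBLEM:", problem)
    else:
        print("left_connection and right_connection are consistent")
```

To use it against a live cloud, build SUBNETS from `openstack subnet list -f json` and the four group dictionaries from `openstack vpn endpoint group show <name> -f json`, mapping the subnet IDs in "Endpoints" to their CIDRs.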
Verify the VPN service status:
openstack vpn service list
Example of a positive system response:
+--------------------------------------+-----------+--------------------------------------+--------+--------+-------+--------+
| ID                                   | Name      | Router                               | Subnet | Flavor | State | Status |
+--------------------------------------+-----------+--------------------------------------+--------+--------+-------+--------+
| 85b42ff5-5b7a-4ec6-835b-f2bc2f75e999 | left_vpn  | 3ff8886c-ecde-48b6-8771-890efa22c741 | None   | None   | True  | ACTIVE |
| d9bed5f5-40b2-4f81-8b2b-dbdeea776c9e | right_vpn | 8ca1cf58-43d7-47d9-96d1-590cc3756acb | None   | None   | True  | ACTIVE |
+--------------------------------------+-----------+--------------------------------------+--------+--------+-------+--------+
Verify the VPN site connection status:
openstack vpn ipsec site connection list
Example of a positive system response:
+--------------------------------------+------------------+--------------+--------------------------+--------+
| ID                                   | Name             | Peer Address | Authentication Algorithm | Status |
+--------------------------------------+------------------+--------------+--------------------------+--------+
| 004e9cab-59e2-4913-b117-6f0efe34033d | right_connection | 10.11.12.123 | psk                      | ACTIVE |
| 6d5a801c-42b6-4b37-8c1a-391d2b2609c4 | left_connection  | 10.11.12.185 | psk                      | ACTIVE |
+--------------------------------------+------------------+--------------+--------------------------+--------+
Connect to VM1 over SSH using its floating IP and verify that it can reach all other VMs by their private IP addresses:
ssh -i test_key -l cirros <VM1_floating_IP>
ping 192.168.10.22 -c 3
ping 192.168.1.22 -c 3
ping 10.0.20.22 -c 3
Example of a positive system response:
$ ping 192.168.10.22 -c 3
PING 192.168.10.22 (192.168.10.22) 56(84) bytes of data.
64 bytes from 192.168.10.22: icmp_seq=1 ttl=63 time=6.45 ms
64 bytes from 192.168.10.22: icmp_seq=2 ttl=63 time=2.66 ms
64 bytes from 192.168.10.22: icmp_seq=3 ttl=63 time=2.99 ms

--- 192.168.10.22 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.660/4.036/6.454/1.715 ms

$ ping 192.168.1.22 -c 3
PING 192.168.1.22 (192.168.1.22) 56(84) bytes of data.
64 bytes from 192.168.1.22: icmp_seq=1 ttl=62 time=8.99 ms
64 bytes from 192.168.1.22: icmp_seq=2 ttl=62 time=5.08 ms
64 bytes from 192.168.1.22: icmp_seq=3 ttl=62 time=3.45 ms

--- 192.168.1.22 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.447/5.838/8.990/2.325 ms

$ ping 10.0.20.22 -c 3
PING 10.0.20.22 (10.0.20.22) 56(84) bytes of data.
64 bytes from 10.0.20.22: icmp_seq=1 ttl=62 time=9.70 ms
64 bytes from 10.0.20.22: icmp_seq=2 ttl=62 time=6.39 ms
64 bytes from 10.0.20.22: icmp_seq=3 ttl=62 time=3.63 ms

--- 10.0.20.22 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.625/6.573/9.704/2.485 ms
Now, you have configured a site-to-site VPN for the example cloud application. VM1 and VM2 can now reach VM3 and VM4 over the private network using their private IP addresses, with traffic secured across the public network. You can adjust the example to suit your needs, for example, to connect your cloud application to a remote branch office or on-premises services.
For more options and advanced VPNaaS configuration, see the official OpenStack Neutron VPNaaS documentation.