Configuring a VPN Tunnel to an Instance

Your organization may need VPN services for designated networks in your cloud infrastructure. For example, you may need a Metacloud instance to communicate directly and securely with your data center.  

To set up a VPN using IP security (IPsec) protocol for traffic to and from an instance, take the following steps.

Create an IPsec Configuration File

Create an ipsec.conf file on the host of the instance to define the IPsec VPN traffic attributes. The instructions for this action are beyond the scope of this article, which covers the OpenStack configuration actions required to make the VPN connectivity work. Available resources include http://www.ipsec-howto.org/t1.html.

Create a Security Group for the IPsec Instance to Accept VPN Traffic

Security groups are sets of rules that define networking access for all instances in a project. To create the security group: 

  1. Create a group with a name and description that indicate that it is for VPN traffic:
    openstack security group create VPN_traffic \
    --description "For permitting VPN traffic"
  2. On all ports, enable ingress for protocol numbers 50 and 51, the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols respectively, which IPsec uses to carry the protected data:
    openstack security group rule create VPN_traffic \
    --ingress --protocol 50 --dst-port -1:-1
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 65535             |
    | port_range_min    | 1                 |
    | project_id        | <ID>              |
    | protocol          | 50                |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+
    openstack security group rule create VPN_traffic \
    --ingress --protocol 51 --dst-port -1:-1
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 65535             |
    | port_range_min    | 1                 |
    | project_id        | <ID>              |
    | protocol          | 51                |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+
  3. Enable ingress on UDP port 500 for the Internet Security Association and Key Management Protocol (ISAKMP), which IKE uses for peer authentication and key exchange:
    openstack security group rule create VPN_traffic \
    --ingress --protocol UDP --dst-port 500:500

    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 500               |
    | port_range_min    | 500               |
    | project_id        | <ID>              |
    | protocol          | udp               |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+
  4. Enable ingress on UDP port 4500 for IPsec NAT traversal (NAT-T), which encapsulates ESP in UDP when a NAT device sits between the peers:
    openstack security group rule create VPN_traffic \
    --ingress --protocol UDP --dst-port 4500:4500

    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 4500              |
    | port_range_min    | 4500              |
    | project_id        | <ID>              |
    | protocol          | udp               |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 0.0.0.0/0         |
    | security_group_id | <ID>              |
    +-------------------+-------------------+
  5. Add the security group to the instance that will terminate the VPN tunnel:

    openstack server add security group \
     <INSTANCE_NAME> VPN_traffic
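The five steps above as one script. This is an added example, not part of the original article or of the Metacloud tooling: it runs the same openstack commands, but restricts every rule to the remote IPsec peer's address with --remote-ip instead of leaving remote_ip_prefix at 0.0.0.0/0, and it omits --dst-port for ESP and AH because those protocols carry no port numbers. Commands are printed rather than executed unless DRY_RUN=0 is set. The peer address 203.0.113.10/32 and the instance name vpn-gateway are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): build the IPsec security group with
# rules scoped to the remote peer. DRY_RUN=1 (the default) prints commands;
# DRY_RUN=0 executes them against the cloud.

run() {
  # Print the command in dry-run mode; otherwise execute it verbatim.
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_vpn_sg GROUP PEER_CIDR INSTANCE
create_vpn_sg() {
  group=$1; peer=$2; instance=$3
  run openstack security group create "$group" \
      --description "For permitting IPsec VPN traffic from $peer"
  # ESP (50) and AH (51) have no ports, so no --dst-port is given.
  for proto in 50 51; do
    run openstack security group rule create "$group" \
        --ingress --protocol "$proto" --remote-ip "$peer"
  done
  # ISAKMP/IKE on UDP 500 and NAT-T on UDP 4500, again only from the peer.
  for port in 500 4500; do
    run openstack security group rule create "$group" \
        --ingress --protocol udp --dst-port "$port:$port" --remote-ip "$peer"
  done
  run openstack server add security group "$instance" "$group"
}

# Constructed values: 203.0.113.10/32 is the peer, vpn-gateway the instance.
create_vpn_sg VPN_traffic 203.0.113.10/32 vpn-gateway
```

Scoping the rules to the peer means an arbitrary Internet host cannot reach the IKE responder on UDP 500/4500 at all, which removes the endpoint from scanner view and limits exposure of the IKE implementation; if the peer's address changes, only the --remote-ip value needs updating.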

For more information on working with security groups, see Configuring Access and Security for Instances with CLI.

Allow the IPsec VPN Instance to Source Packets from the Remote Network

Specify the allowed address pair of the remote network on the IPsec VPN instance, so that it will accept traffic from that network.

NOTES: You must have Metacloud administrative permissions and use the neutron client to run this command. Also, the allowed-address-pairs attribute is not additive, so you must list all networks with every update. Use the entire command when adding networks.

  1. Locate the UUID of the neutron (network) port for your IPsec VPN instance. In the Networks tab of the Dashboard, click the name of the tenant network. Scroll down to the PORTS area and find the network port by its fixed IP. Click the hyperlinked port name to view its UUID.

  2. Update the port with the allowed networks:
    neutron port-update <NEUTRON_PORT_UUID> \
    --allowed-address-pairs type=dict \
    list=true ip_address=172.16.0.0/24
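Because allowed-address-pairs replaces the whole list on every update, a partial command silently drops networks that were added earlier. The following added example (not from the article) wraps the neutron command in a function that takes the complete set of remote networks, validates that each one is an IPv4 CIDR, and emits a single port-update carrying all of them. The port UUID placeholder and the second network 10.20.0.0/16 are constructed; 172.16.0.0/24 is the article's remote network. Commands are printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the article): set the full allowed-address-pairs
# list on a port in one command, refusing malformed CIDRs before anything
# is sent to neutron.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# is_ipv4_cidr A.B.C.D/N  -> 0 if well-formed (IPv4 only, by assumption)
is_ipv4_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  addr=${1%/*}; len=${1#*/}
  oldifs=$IFS; IFS=.
  set -- $addr
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ]
}

# set_allowed_pairs PORT_UUID CIDR [CIDR...]
# Every network that should be allowed must be listed, since the attribute
# is not additive; the function fails (exit 2) on an empty or invalid list.
set_allowed_pairs() {
  port=$1; shift
  [ $# -ge 1 ] || { echo "set_allowed_pairs: no networks given" >&2; return 2; }
  pairs=""
  for cidr in "$@"; do
    is_ipv4_cidr "$cidr" || { echo "set_allowed_pairs: invalid CIDR: $cidr" >&2; return 2; }
    pairs="$pairs ip_address=$cidr"
  done
  # $pairs is intentionally unquoted so each ip_address=... becomes its own argument.
  run neutron port-update "$port" --allowed-address-pairs type=dict list=true $pairs
}

# Constructed placeholder UUID and networks.
set_allowed_pairs NEUTRON_PORT_UUID_PLACEHOLDER 172.16.0.0/24 10.20.0.0/16
```

Keep the authoritative list of remote networks in version control or a variable file and always call the function with the whole list; that makes the non-additive behaviour of the attribute harmless rather than a source of silent connectivity loss.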
      

Create Security Groups for VMs on Each Side of the VPN Tunnel

VMs in the tenant network must be able to reference VMs in the remote network and vice versa. Configure a security group for tenant VMs to reference VMs in the remote network. Then configure a security group for remote VMs to reference VMs in the tenant network.

In the following example, the security group will simply allow ingress on all ports, but you can include more granular rules as your security needs dictate. 

  1. Create a group with a name and description that indicate that it is for permitting remote network ingress:
    openstack security group create remote_ingress \
    --description "For permitting remote network ingress"
  2. On all ports, enable ingress from all hosts in the remote network:
    openstack security group rule create remote_ingress \
    --ingress --dst-port -1:-1 --remote-ip 172.16.0.0/24
    +-------------------+-------------------+
    | Field             | Value             |
    +-------------------+-------------------+
    | direction         | ingress           |
    | ethertype         | IPv4              |
    | headers           |                   |
    | id                | <ID>              |
    | port_range_max    | 65535             |
    | port_range_min    | 1                 |
    | project_id        | <ID>              |
    | protocol          | tcp               |
    | remote_group_id   | None              |
    | remote_ip_prefix  | 172.16.0.0/24     |
    | security_group_id | <ID>              |
    +-------------------+-------------------+
  3. Add the security group to each instance in the tenant network:
    openstack server add security group \
    <INSTANCE_NAME> remote_ingress
  4. Perform the preceding steps for VMs in the remote network, this time allowing ingress for the tenant network.
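Note in the output of step 2 that the rule was created with protocol tcp: when --protocol is omitted, the openstack client defaults to TCP, so "all ports" covers TCP only and UDP or ICMP traffic from the remote network is still dropped. The following added example (not from the article) creates one explicit rule per protocol and, for step 4, calls the same function a second time for the remote side with the networks swapped. 172.16.0.0/24 is the article's remote network; 10.0.0.0/24 is a constructed tenant network, and tenant_ingress a constructed group name. Commands are printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the article): per-protocol ingress rules from a
# peer network, applied symmetrically on both sides of the tunnel.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_remote_ingress_sg GROUP REMOTE_CIDR
create_remote_ingress_sg() {
  group=$1; remote=$2
  run openstack security group create "$group" \
      --description "For permitting ingress from $remote over the VPN"
  # Omitting --dst-port gives the full port range for tcp and udp; icmp has
  # no ports. Each protocol needs its own rule because the default is TCP.
  for proto in tcp udp icmp; do
    run openstack security group rule create "$group" \
        --ingress --protocol "$proto" --remote-ip "$remote"
  done
}

# attach_to_instances GROUP INSTANCE [INSTANCE...]
attach_to_instances() {
  group=$1; shift
  for instance in "$@"; do
    run openstack server add security group "$instance" "$group"
  done
}

# Tenant side admits the remote network (article's 172.16.0.0/24);
# remote side admits the constructed tenant network 10.0.0.0/24.
create_remote_ingress_sg remote_ingress 172.16.0.0/24
attach_to_instances remote_ingress tenant-vm-1 tenant-vm-2
create_remote_ingress_sg tenant_ingress 10.0.0.0/24
attach_to_instances tenant_ingress remote-vm-1
```

In practice, replace the udp and tcp rules with the specific ports the remote applications actually use; the function shows the broad form the article describes, and narrowing the loop body is the only change needed.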

NOTE: Because the IPsec endpoint is not the source IP address of the hosts that originate the communication, you must reference the remote network directly in your access rules by its IP address and range, just as you would for any external resource.
