OpenStack-Multa Part 4: setting up OpenVPN and accessing your VMs
In parts 1 - 3 of this blog series, I covered how to deploy VMs using nested virtualisation followed by OpenStack installation, all fully automated using Heat and Ansible. In this final instalment, I’ll explain how you can access the instances you’ve deployed on this installation of OpenStack.
The challenge is that whilst your deployment has a provider network, it’s using an RFC 1918 address space - concealed from the public cloud it’s running on - so there’s no direct path into the network, or the VMs connected to it.
The best solution is to use a VPN to tunnel into the provider networks, which is exactly how we deploy most of our OpenStack Private Cloud deployments. However, rather than leveraging enterprise-grade firewalls, I utilised OpenVPN, which is an open source solution.
Connect to the GW VM and then download and install the latest version of OpenVPN – at the time of writing 2.5.2 was the latest version available for servers running the Ubuntu operating system.
Note: a full list of packages is available here: https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
Then install it by running:
dpkg -i openvpn-as-2.5.2-Ubuntu16.amd_64.deb
Once installed, set a new password for the openvpn user:
Unfortunately, release 2.5.2 contains a bug which results in a very slow user interface (UI), so run the following commands before trying to access the UI:
./sacli --key vpn.client.client_sockbuf --value 0 ConfigPut
./sacli --key vpn.server.server_sockbuf_tcp --value 0 ConfigPut
./sacli --key vpn.server.server_sockbuf_udp --value 0 ConfigPut
./sacli start
Now, connect to the public IP of the GW VM and use the UI to configure the VPN. Log in using openvpn as the username, and the password you configured in the previous step.
The following settings should be changed:
- Configuration/VPN Settings/Routing > replace existing CIDRs with the Flat Network CIDR which is "172.29.252.0/22" unless you have changed it
- Configuration/VPN Settings/Routing > 'Should client Internet traffic be routed through the VPN?' > Set to ‘No’
- Configuration/VPN Settings/DNS Settings > 'Do not alter clients DNS server settings' > Set to ‘Yes’
You should now be able to access the VPN by installing the appropriate openvpn client, and by downloading the connection profile directly from the server. Whilst you could use the openvpn account, I opted to create a new 'user' which has a descriptive name for the environment I’m connecting to, useful if you have more than one deployment.
With the VPN connected you can access any VM which has a floating IP on the provider network - just remember to configure the appropriate security groups and allocate them to your VMs.
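With split tunnelling configured as above, only the Flat Network CIDR is routed through the VPN, so a floating IP outside it, or a client LAN that overlaps it, will not behave as expected. The following check is an added example, not part of the original post; the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Flat Network CIDR from the routing settings above (change if yours differs).
FLAT_NETWORK = "172.29.252.0/22"


def classify_targets(targets, routed_cidrs=(FLAT_NETWORK,), local_cidrs=()):
    """Return {ip: verdict} for each floating IP under split tunnelling.

    "via-vpn"        - inside a pushed route, no clash with a local network
    "local-conflict" - inside a pushed route, but a local network on the
                       client also contains it, so routing is ambiguous
    "not-routed"     - outside every pushed route; traffic uses the client's
                       normal default gateway instead of the tunnel
    """
    routed = [ipaddress.ip_network(c, strict=True) for c in routed_cidrs]
    local = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    verdicts = {}
    for target in targets:
        addr = ipaddress.ip_address(target)
        if not any(addr in net for net in routed):
            verdicts[target] = "not-routed"
        elif any(addr in net for net in local):
            verdicts[target] = "local-conflict"
        else:
            verdicts[target] = "via-vpn"
    return verdicts


def overlapping_local_networks(routed_cidrs=(FLAT_NETWORK,), local_cidrs=()):
    """List (routed, local) pairs that overlap, even if no target is hit yet."""
    pairs = []
    for routed in routed_cidrs:
        rnet = ipaddress.ip_network(routed, strict=True)
        for local in local_cidrs:
            lnet = ipaddress.ip_network(local, strict=False)
            if rnet.overlaps(lnet):
                pairs.append((str(rnet), str(lnet)))
    return pairs


if __name__ == "__main__":
    # Constructed sample data: two floating IPs and a laptop on two networks.
    floating_ips = ["172.29.252.10", "172.29.248.5"]
    laptop_networks = ["192.168.1.0/24", "172.29.252.0/24"]
    print(classify_targets(floating_ips, local_cidrs=laptop_networks))
    print(overlapping_local_networks(local_cidrs=laptop_networks))
```

Pass the networks your client is directly attached to as `local_cidrs`; any result other than "via-vpn" means the VM will not be reached through the tunnel as configured.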