VPN as a Service

VPN setup

VPNaaS is a Neutron extension for provisioning IPsec VPN servers in your OpenStack environment. A VPN server requires a router.

For the purpose of this tutorial we will set up the following environment:

  • private network (we use 10.1.1.0/24 in this tutorial)
  • router with external network connectivity

First of all we need to create an IKEv2 policy with AES-256 encryption:

OpenStack VPNaaS Policy IKE

In the next step we will create an IPsec policy with the same encryption settings:

OpenStack VPNaaS Policy IPSec

The next step is to create a VPN service on our router:

OpenStack VPNaaS Service

And finally we will create a VPN server:

OpenStack VPNaaS VPN Site

Fill in the public IP address of the remote side (client) in the fields Peer gateway public IPv4/IPv6 Address or FQDN and Peer router identity for authentication (Peer ID). Fill in the remote side's subnet or subnets to be routed in the field Remote peer subnet(s).

Client setup

This guide is written for Debian 8, but with minor modifications it should work on other Linux distributions as well.

Install the strongSwan VPN client:

apt-get install strongswan libcharon-extra-plugins libstrongswan-standard-plugins libstrongswan-extra-plugins

Configure it by editing the file /etc/ipsec.conf:

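config setup

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  authby=psk
  mobike=yes
  # aggressive applies to IKEv1 only; it has no effect on the IKEv2 connection below
  aggressive=yes

conn openstack
  keyexchange=ikev2
  # left side = this client; left and leftid have no value on the original page.
  # They correspond to the peer gateway address and Peer ID entered on the OpenStack side.
  left=
  leftsubnet=__client_private_subnet_ip_with_netmask__
  leftid=
  leftfirewall=yes
  # right side = the OpenStack router and the private network behind it
  # (10.1.1.0/24 in this tutorial)
  right=__openstack_router_ip__
  rightsubnet=__openstack_private_subnet_ip_with_netmask__
  rightid=__openstack_router_ip__
  auto=start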

Set the PSK (pre-shared key) in the file /etc/ipsec.secrets:

__openstack_router_ip__ : PSK "__password__"

And launch the client:

ipsec start
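
A pre-flight check for the client configuration above, as an added example (not part of the original tutorial or of strongSwan): it merges conn %default into each conn and flags unfilled __placeholder__ or empty values, overlapping leftsubnet/rightsubnet, and aggressive=yes on an IKEv2 connection. The function names, the checks chosen and the sample addresses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample in the layout of the client config above; the addresses are
# documentation ranges chosen for this example, not values from the original page.
SAMPLE = """\
conn %default
  authby=psk
  aggressive=yes

conn openstack
  keyexchange=ikev2
  left=198.51.100.7
  leftsubnet=192.168.50.0/24
  leftid=
  right=203.0.113.10
  rightsubnet=192.168.50.0/24
  rightid=__openstack_router_ip__
"""

def parse_conns(text):
    """Return {conn name: options}, with conn %default merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line:
            continue
        if not line[0].isspace():  # section header, e.g. "conn openstack"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def lint(conn):
    """Return findings for one effective conn section (hypothetical checks)."""
    findings = [f"{k}: empty or unfilled placeholder" for k, v in conn.items()
                if not v or re.fullmatch(r"__\w+__", v)]
    try:
        left, right = (ipaddress.ip_network(conn[k]) for k in ("leftsubnet", "rightsubnet"))
        if left.overlaps(right):
            findings.append("leftsubnet and rightsubnet overlap")
    except (KeyError, ValueError):
        pass  # subnet missing, unfilled, or not a single CIDR: overlap check skipped
    if conn.get("aggressive") == "yes" and conn.get("keyexchange") == "ikev2":
        findings.append("aggressive=yes is IKEv1-only and has no effect with ikev2")
    return findings
```

Calling lint(parse_conns(text)["openstack"]) on the contents of /etc/ipsec.conf returns an empty list when none of these conditions is present.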
