
VM VPN Connection

Haydar Qarawlus edited this page Nov 22, 2019 · 5 revisions

VPN Connection Parameters

31.10.2019 - V1: Initial documentation

To work around the lack of public IPs, to allow inter-connectivity between the VMs, and to make OpenStack's floating IPs reachable from the other VMs, I deployed an OpenVPN server to handle this task.

  • Main VPN Server: fgcn-backflip2.cs.upb.de
  • Client 1: fgcn-backflip3.cs.upb.de (OSM)
  • Client 2: fgcn-backflip9.cs.upb.de (OpenStack)

Installation Process:

I followed a tutorial online (https://blog.boyeau.com/cheat-sheet-establishing-a-vpn-tunnel-between-2-linux-servers/) as a base guide. This allowed me to create a VPN connection between the VMs.

The next step was to make the floating IPs, which form a LAN behind the OpenStack VM, reachable through the VPN connection. For this I applied the OpenVPN routed-LAN concept (https://community.openvpn.net/openvpn/wiki/RoutedLans): the OpenStack VM connects to the VPN server with a dedicated certificate, so the server can identify it by its certificate common name. Combined with a per-client ('ccd') configuration on the server, this lets the server route the LAN behind the OpenStack VM to that client and push the route to the other nodes. With IP forwarding enabled in Linux, the floating IPs then become reachable from all VMs connected to the VPN.

Routed LAN example

root@fgcn-backflip2:/etc/openvpn/ccd# cat backflip9
iroute 172.16.0.0 255.240.0.0
root@fgcn-backflip2:/etc/openvpn/ccd#

The server.conf file also needs to be updated in the following section:

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 172.16.0.0 255.255.0.0"
;push "route 10.8.0.0 255.255.255.0"


# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir ccd
route 172.16.0.0 255.255.0.0
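A routed-LAN setup only works when three places agree: the kernel `route` in server.conf (sends the LAN to the tun interface), the `push "route ..."` (tells the other clients about it) and the `iroute` in the ccd file (tells the OpenVPN daemon which client, identified by certificate CN, owns that LAN). Note that on this page the ccd file uses the mask 255.240.0.0 (a /12) while server.conf routes and pushes 255.255.0.0 (a /16); the /12 still covers the /16, so it works, but the prefixes should match so that no other 172.16.0.0/12 address is silently attributed to the OpenStack client. The following checker is an added example, not part of the wiki or the project's tooling; it parses a server.conf and a ccd directory, reports such inconsistencies, and verifies ip_forward. The sample config embedded in it is constructed to mirror the fragments above (the `server 10.8.0.0 255.255.255.0` line is assumed from the pool mentioned in the comments), and the function names are my own.

```python
"""Consistency check for an OpenVPN routed-LAN setup (added example, not the
project's own code).  It reads a server.conf plus the ccd/ directory and
verifies that the kernel `route`, the `push "route ..."` and the per-client
`iroute` agree, and that no client LAN overlaps the VPN address pool.
"""
import ipaddress
import os
import shlex

# Constructed sample mirroring the wiki fragments; the `server` line is assumed.
SAMPLE_SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 172.16.0.0 255.255.0.0"
;push "route 10.8.0.0 255.255.255.0"
client-config-dir ccd
route 172.16.0.0 255.255.0.0
"""
# ccd/<common-name> -> file body, as on the wiki page (mask is a /12 here)
SAMPLE_CCD = {"backflip9": "iroute 172.16.0.0 255.240.0.0\n"}


def parse_directives(text):
    """Yield (directive, args) for each active line; '#' and ';' start comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps the quoted push "route ..." argument whole
        yield parts[0], parts[1:]


def to_network(args):
    """Turn ['172.16.0.0', '255.255.0.0'] into an ip_network (dotted masks are accepted)."""
    if len(args) < 2:
        raise ValueError(f"expected 'network netmask', got {args}")
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def load_config_from_text(conf_text, ccd_texts):
    """Collect kernel routes, pushed routes, the VPN pool and per-client iroutes."""
    cfg = {"routes": [], "pushed": [], "pool": None, "iroutes": {}}
    for name, args in parse_directives(conf_text):
        if name == "route":
            cfg["routes"].append(to_network(args))
        elif name == "server":
            cfg["pool"] = to_network(args)
        elif name == "push" and args and args[0].startswith("route "):
            cfg["pushed"].append(to_network(args[0].split()[1:]))
    for cn, body in ccd_texts.items():
        for name, args in parse_directives(body):
            if name == "iroute":
                cfg["iroutes"].setdefault(cn, []).append(to_network(args))
    return cfg


def load_config(conf_path, ccd_dir):
    """File-based variant: every file name in ccd/ is a client certificate CN."""
    with open(conf_path) as fh:
        conf_text = fh.read()
    ccd_texts = {}
    for cn in sorted(os.listdir(ccd_dir)):
        with open(os.path.join(ccd_dir, cn)) as fh:
            ccd_texts[cn] = fh.read()
    return load_config_from_text(conf_text, ccd_texts)


def check_routed_lan(cfg):
    """Return a list of findings; an empty list means the three views agree."""
    findings = []
    all_iroutes = [(cn, n) for cn, nets in cfg["iroutes"].items() for n in nets]
    for net in cfg["routes"]:
        owners = [(cn, ir) for cn, ir in all_iroutes if net.subnet_of(ir)]
        if not owners:
            findings.append(f"route {net}: no iroute in any ccd file, the daemon cannot pick a client")
        for cn, ir in owners:
            if ir != net:
                findings.append(f"ccd/{cn}: iroute {ir} is wider than route {net}; use the same prefix")
    for net in cfg["pushed"]:
        if net not in cfg["routes"]:
            findings.append(f"pushed route {net} has no matching server-side route")
    if cfg["pool"] is not None:
        for cn, ir in all_iroutes:
            if ir.overlaps(cfg["pool"]):
                findings.append(f"ccd/{cn}: iroute {ir} overlaps the VPN pool {cfg['pool']}")
    return findings


def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True if the kernel forwards IPv4, False if not, None if the sysctl file is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def run_sample():
    """Check the constructed sample; expect exactly one 'wider than' finding."""
    return check_routed_lan(load_config_from_text(SAMPLE_SERVER_CONF, SAMPLE_CCD))


if __name__ == "__main__":
    for finding in run_sample():
        print("WARN:", finding)
    print("ip_forward enabled:", ip_forward_enabled())
```

Run it on a real server with `check_routed_lan(load_config("/etc/openvpn/server.conf", "/etc/openvpn/ccd"))`. Because the ccd file name is the certificate CN, the check is only meaningful if each client has its own certificate and `duplicate-cn` is not set; otherwise any client presenting that CN would be allowed to source the 172.16.0.0 range.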