OpenStack-Multa Part 4: setting up OpenVPN and accessing your VMs

In parts 1 – 3 of this blog series, I covered how to deploy VMs using nested virtualisation followed by OpenStack installation, all fully automated using Heat and Ansible. In this final instalment, I’ll explain how you can access the instances you’ve deployed on this installation of OpenStack.

The challenge is that whilst your deployment has a provider network, it’s using an RFC 1918 address space – concealed from the public cloud it’s running on – so there’s no direct path into the network, or the VMs connected to it.

The best solution is to use a VPN to tunnel into the provider networks, which is exactly how we deploy most of our OpenStack Private Cloud deployments. However, rather than leveraging enterprise-grade firewalls, I utilised OpenVPN, which is an open source solution.

Connect to the GW VM, then download and install the latest version of OpenVPN. At the time of writing, 2.5.2 was the latest version available for the Ubuntu platform.

Note: a full list of available packages is here: https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

wget http://swupdate.openvpn.org/as/openvpn-as-2.5.2-Ubuntu16.amd_64.deb

Then install it by running:

dpkg -i openvpn-as-2.5.2-Ubuntu16.amd_64.deb

Once installed, set a new password for the openvpn user:

passwd openvpn

Unfortunately, release 2.5.2 contains a bug which results in a very slow user interface (UI), so run the following commands before trying to access the UI:

cd /usr/local/openvpn_as/scripts
./sacli --key vpn.client.client_sockbuf --value 0 ConfigPut
./sacli --key vpn.server.server_sockbuf_tcp --value 0 ConfigPut
./sacli --key vpn.server.server_sockbuf_udp --value 0 ConfigPut
./sacli start

Now, connect to the public IP of the GW VM and use the UI to configure the VPN. Log in using openvpn as the username, and the password you configured in the previous step.

https://nn.nn.nn.nn/admin

The following settings should be changed:

  1. Configuration/VPN Settings/Routing > replace existing CIDRs with the Flat Network CIDR which is “172.29.252.0/22” unless you have changed it
  2. Configuration/VPN Settings/Routing > ‘Should client Internet traffic be routed through the VPN?’ > Set to ‘No’
  3. Configuration/VPN Settings/DNS Settings > ‘Do not alter clients DNS server settings’ > Set to ‘Yes’

You should now be able to access the VPN by installing the appropriate OpenVPN client and downloading the connection profile directly from the server. Whilst you could use the openvpn account, I opted to create a new ‘user’ which has a descriptive name for the environment I’m connecting to, which is useful if you have more than one deployment.

With the VPN connected you can access any VM which has a floating IP on the provider network – just remember to configure the appropriate security groups and allocate them to your VMs.
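To confirm from a client that routing settings 1 and 2 above took effect, the following added example (not part of the original post) checks `ip route show` output for split tunnelling: the flat network must go via the tunnel and public addresses must not. It assumes a Linux client whose VPN interface name starts with `tun`; the sample route tables, interface names, and probe addresses are constructed for illustration.

```python
import ipaddress
FLAT_NET = ipaddress.ip_network("172.29.252.0/22")  # Flat Network CIDR (setting 1)
# Constructed `ip route show` output from a Linux client after connecting.
# Interface names and all addresses outside FLAT_NET are assumptions.
SAMPLE_SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
172.27.224.0/20 dev tun0 proto kernel scope link src 172.27.224.5
172.29.252.0/22 via 172.27.224.1 dev tun0 metric 101
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
# Full tunnel: redirect-gateway def1 adds two /1 routes, leaving "default" as is.
SAMPLE_FULL = SAMPLE_SPLIT + """\
0.0.0.0/1 via 172.27.224.1 dev tun0
128.0.0.0/1 via 172.27.224.1 dev tun0
"""

def parse_routes(text):
    """Return [(network, device)] for every line that names a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a destination prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def device_for(routes, addr):
    """Longest-prefix match (metrics ignored); None when nothing matches."""
    ip = ipaddress.ip_address(str(addr))
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def check_split_tunnel(route_text, tun_prefix="tun"):
    """Return a list of problems; an empty list means split tunnelling works."""
    routes, problems = parse_routes(route_text), []
    for host in (FLAT_NET[1], FLAT_NET[-2]):      # must use the tunnel
        dev = device_for(routes, host)
        if not (dev or "").startswith(tun_prefix):
            problems.append(f"{host} is not routed via the VPN (dev={dev})")
    for host in ("1.1.1.1", "198.51.100.1"):      # one probe per /1 half
        dev = device_for(routes, host)
        if (dev or "").startswith(tun_prefix):
            problems.append(f"{host} is routed via the VPN ({dev})")
    return problems
```

Checking only the `default` line would miss the full-tunnel case, because the two `/1` routes override it by longest-prefix match; on a real client, pass the output of `ip route show` to `check_split_tunnel`.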
