# Parameters of the remote (Fritz!Box) side
FRITZBOX_WAN_IP=111.1.2.3
FRITZBOX_CIDR=192.168.178.0/24
PSK=PASS1234

# Phase 1 (IKE) policy
openstack vpn ike policy create ikepolicy \
    --encryption-algorithm aes-256 \
    --auth-algorithm sha512 \
    --pfs group2

# Phase 2 (IPsec) policy
openstack vpn ipsec policy create ipsecpolicy \
    --encryption-algorithm aes-256 \
    --auth-algorithm sha512 \
    --pfs group2

# VPN service bound to the project router
ROUTER_ID=$(openstack router list -c ID -f value)
openstack vpn service create vpn \
    --router ${ROUTER_ID}

# Local endpoint group: the OpenStack subnet behind the router
SUBNET_ID=$(openstack subnet list -c ID -f value)
openstack vpn endpoint group create ep_subnet \
    --type subnet \
    --value ${SUBNET_ID}

# Peer endpoint group: the Fritz!Box LAN
openstack vpn endpoint group create ep_cidr \
    --type cidr \
    --value ${FRITZBOX_CIDR}

# Site-to-site connection; peer-id must equal the ID the Fritz!Box presents
openstack vpn ipsec site connection create conn \
    --vpnservice vpn \
    --ikepolicy ikepolicy \
    --ipsecpolicy ipsecpolicy \
    --peer-address ${FRITZBOX_WAN_IP} \
    --peer-id ${FRITZBOX_WAN_IP} \
    --psk ${PSK} \
    --local-endpoint-group ep_subnet \
    --peer-endpoint-group ep_cidr
Add ingress SSH security group rule
openstack security group rule create default \
    --protocol tcp \
    --dst-port 22 \
    --remote-ip 192.168.178.0/24
Create S2S VPN connection on Fritz!Box
In the Fritz!Box admin UI: Internet > Permit Access > VPN > Add VPN Connection
Choose "Connect your home network with another FRITZ!Box network (LAN-LAN linking)"
VPN password (pre-shared key): <psk>
Internet address: the IPv4 address of the OpenStack VPN service
Optional: AVM VPN import
vpncfg {
  connections {
    enabled = yes;
    conn_type = conntype_lan;
    name = "88.3.4.5";
    always_renew = yes;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 88.3.4.5;
    remote_virtualip = 0.0.0.0;
    localid {
      ipaddr = 111.1.2.3;
    }
    remoteid {
      ipaddr = 88.3.4.5;
    }
    mode = phase1_mode_aggressive;
    phase1ss = "all/all/all";
    keytype = connkeytype_pre_shared;
    key = "PASS1234";
    cert_do_server_auth = no;
    use_nat_t = yes;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
      ipnet {
        ipaddr = 192.168.178.0;
        mask = 255.255.255.0;
      }
    }
    phase2remoteid {
      ipnet {
        ipaddr = 10.0.1.0;
        mask = 255.255.255.0;
      }
    }
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    accesslist = "permit ip any 10.0.1.0 255.255.255.0";
  }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
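The values in the vpncfg above must mirror the OpenStack side exactly (Fritz!Box WAN IP as `localid` and OpenStack `--peer-id`, the two CIDRs as `phase2localid`/`phase2remoteid` and `ep_cidr`/`ep_subnet`, the same PSK), and a mismatch is the usual reason IKE never completes. The following added example, not part of the original walkthrough or of AVM's or OpenStack's tooling, renders the import file from the same parameters used for the `openstack` commands, converting prefix lengths to the dotted masks AVM expects and rejecting a CIDR with host bits set; the addresses are the page's example values.

```python
import ipaddress

# Constructed values taken from the walkthrough above; 88.3.4.5 is the
# page's example for the public IPv4 address of the OpenStack VPN service.
FRITZBOX_WAN_IP = "111.1.2.3"
FRITZBOX_CIDR = "192.168.178.0/24"
OPENSTACK_VPN_IP = "88.3.4.5"
OPENSTACK_CIDR = "10.0.1.0/24"
PSK = "PASS1234"


def ipnet_block(label, net):
    """Render an AVM 'ipnet' traffic selector (dotted mask, not a prefix)."""
    return (f"{label} {{ ipnet {{ ipaddr = {net.network_address}; "
            f"mask = {net.netmask}; }} }}")


def render_avm_vpncfg(fritz_wan_ip, fritz_cidr, os_vpn_ip, os_cidr, psk):
    """Build the Fritz!Box vpncfg import from the parameters already used for
    the OpenStack side, so IDs, selectors and PSK agree on both ends.
    strict=True raises ValueError for a CIDR whose host bits are set."""
    fritz_net = ipaddress.ip_network(fritz_cidr, strict=True)
    os_net = ipaddress.ip_network(os_cidr, strict=True)
    peer = str(ipaddress.ip_address(os_vpn_ip))    # OpenStack VPN public IP
    local = str(ipaddress.ip_address(fritz_wan_ip))  # == openstack --peer-id
    lines = [
        "vpncfg {", "  connections {",
        "    enabled = yes;", "    conn_type = conntype_lan;",
        f'    name = "{peer}";', "    always_renew = yes;",
        "    reject_not_encrypted = no;", "    dont_filter_netbios = yes;",
        "    localip = 0.0.0.0;", "    local_virtualip = 0.0.0.0;",
        f"    remoteip = {peer};", "    remote_virtualip = 0.0.0.0;",
        f"    localid {{ ipaddr = {local}; }}",
        f"    remoteid {{ ipaddr = {peer}; }}",
        "    mode = phase1_mode_aggressive;", '    phase1ss = "all/all/all";',
        "    keytype = connkeytype_pre_shared;", f'    key = "{psk}";',
        "    cert_do_server_auth = no;", "    use_nat_t = yes;",
        "    use_xauth = no;", "    use_cfgmode = no;",
        "    " + ipnet_block("phase2localid", fritz_net),  # == ep_cidr
        "    " + ipnet_block("phase2remoteid", os_net),    # == ep_subnet
        '    phase2ss = "esp-all-all/ah-none/comp-all/pfs";',
        f'    accesslist = "permit ip any {os_net.network_address} {os_net.netmask}";',
        "  }",
        '  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", '
        '"udp 0.0.0.0:4500 0.0.0.0:4500";',
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_avm_vpncfg(FRITZBOX_WAN_IP, FRITZBOX_CIDR,
                            OPENSTACK_VPN_IP, OPENSTACK_CIDR, PSK))
```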
Links
https://docs.openstack.org/neutron/rocky/admin/vpnaas-scenario.html
https://mlohr.com/fritzbox-lan-2-lan-vpn-with-pfsense/