OpenStack VPNaaS with multiple subnets
LEFT (DEV env)
LEFT (DEV env)
Server
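# WireGuard server ("LEFT", DEV env): install, generate the key pair,
# write wg0.conf, open the firewall port and enable the service.
sudo apt install -y wireguard

# /etc/wireguard is root-only, so run this part as root (e.g. via sudo -i).
# umask 077 keeps the new key files readable by root only.
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# /etc/wireguard/wg0.conf
# PrivateKey is read from the file generated above instead of being pasted
# as a literal: a private key that ends up in notes or a shared config has
# to be treated as compromised and regenerated.
# PostUp/PostDown: wg-quick replaces %i with the interface name; traffic for
# the tunnel is forwarded and NATed out of 'ens3' — assumed to be this
# host's uplink interface, adjust if it differs.
# [Peer] AllowedIPs is a single /32, so only that one peer address is
# routed into (and accepted from) this tunnel.
cat > wg0.conf <<EOF
[Interface]
Address = 192.168.6.1/24
ListenPort = 1194
PrivateKey = $(cat privatekey)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28=
AllowedIPs = 192.168.6.2/32
EOF

# Firewall: the ufw rule must match ListenPort above (1194/udp).
sudo ufw allow 1194/udp
sudo ufw status

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0

# watch connections
watch -n1 wg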
Client
Create connection
# Create an OpenConnect (AnyConnect protocol) VPN profile in NetworkManager,
# authenticating with a client certificate and routing only VPN_ROUTES
# through the tunnel.
VPN_GATEWAY=vpn1.example.com
VPN_USER=foo
VPN_ROUTES=192.168.11.0/24

# connection.permissions restricts the profile to the current user;
# ipv4.ignore-auto-routes drops routes pushed by the gateway so only
# VPN_ROUTES goes through the tunnel.
# cacert/usercert/userkey are read from ~/vpn1/ at connect time.
# save_passwords=yes asks NM to persist the password — check where it lands
# (keyring vs. the system-connections keyfile) before sharing that file.
nmcli connection add \
  connection.id vpn1 \
  connection.type vpn \
  connection.permissions "user:${USER}" \
  ipv4.routes "${VPN_ROUTES}" \
  ipv4.ignore-auto-routes yes \
  vpn.service-type org.freedesktop.NetworkManager.openconnect \
  vpn.data "
    protocol = anyconnect,
    authtype = cert,
    gateway = ${VPN_GATEWAY},
    cacert = ${HOME}/vpn1/ca.pem,
    usercert = ${HOME}/vpn1/certificate.pem,
    userkey = ${HOME}/vpn1/priv.pem,
    cookie-flags = 2
  " \
  vpn.secrets "
    form:main:group_list=CLIENTGROUP,
    form:main:username=${VPN_USER},
    save_passwords=yes
  "
Start connection and enter password once
# Bring the profile up; NM prompts for the password once and, because the
# profile was created with save_passwords=yes, does not ask again.
nmcli connection up vpn1
Debug
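# Follow NetworkManager's log while the VPN connects.
#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702
journalctl -fxe -t NetworkManager

# The keyfile is root-only, so cat needs sudo. With save_passwords=yes it may
# contain the saved VPN secret — do not paste its contents into tickets or chat.
sudo cat /etc/NetworkManager/system-connections/vpn1.nmconnection

# Effective profile settings as NM sees them.
nmcli con show vpn1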
Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html
Create container
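# Create an LXD container for WireGuard from the ubuntu-minimal images.
CONTAINER=wireguard

# Add ubuntu-minimal repository (simplestreams image server)
lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/

# Create LXD container (pinned release; the ':lts' alias is kept as an alternative)
#lxc launch ubuntu-minimal:lts "${CONTAINER}"
lxc launch ubuntu-minimal:22.04 "${CONTAINER}"

# The host's http_proxy is passed with --env instead of being interpolated
# into the 'bash -c' string, so a proxy value containing quotes or spaces
# cannot alter the command line executed inside the container.
# update APT packages
lxc exec "${CONTAINER}" --env http_proxy="${http_proxy:-}" -- bash -c "apt update && apt -y dist-upgrade && apt -y autoremove"

# Install WireGuard (iptables presumably for the PostUp/PostDown rules, ping for tests)
lxc exec "${CONTAINER}" --env http_proxy="${http_proxy:-}" -- bash -c "apt install -y wireguard iptables iputils-ping"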
Configure UDP 4000 port forward to wireguard container
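# Forward UDP 51820 (the WireGuard default port) from the host into the
# container. NOTE(review): the heading above says "UDP 4000" and the wg0.conf
# shown earlier on this page listens on 1194 — confirm which port the
# container's wg0 actually uses and keep the proxy device, the heading and
# ListenPort in sync.
# listen=udp:0.0.0.0:... binds on every host address; use a specific address
# if not all host interfaces should expose the tunnel endpoint.
lxc config device add "${CONTAINER}" udp51820 proxy listen=udp:0.0.0.0:51820 connect=udp:127.0.0.1:51820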
Configure WireGuard
terraform.tfvars
# terraform.tfvars — values for the OpenStack VPN variables.
# psk is presumably the IPsec pre-shared key shared with the Fritz!Box;
# "pass1234" is a sample value — use a long random PSK and keep this file
# out of version control, since it holds a secret.
os_user = "foo"
psk = "pass1234"
fritzbox_wan_ip = "1.2.3.4"           # public address of the Fritz!Box (sample value)
fritzbox_cidr = "192.168.178.0/24"    # LAN behind the Fritz!Box
terraform.tf
Define variables for OpenStack VPN configuration
# Shell variables for the OpenStack VPN configuration (placeholders to fill in).
FRITZBOX_EXTERNAL_IP=x.x.x.x # public WAN address, e.g. from: curl ipinfo.io/ip
FRITZBOX_NETWORK=192.168.178.0/24 # Fritz!Box UI: Home Network > Network > Network Settings > IPv4 Settings (German UI: Heimnetz > Netzwerk > Netzwerkeinstellungen > IPv4-Einstellungen)
PASSWORD='xxxxxxxx' # presumably the IPsec PSK; generate a random one, e.g. apg -m 32, and replace the placeholder
# NOTE(review): both lookups return every subnet/router in the project; with
# more than one (this page is about multiple subnets) the variable holds
# several newline-separated IDs — filter the list (e.g. by name) before use.
OPENSTACK_SUBNET_ID=$(openstack subnet list -c ID -f value)
OPENSTACK_ROUTER_ID=$(openstack router list -c ID -f value)
Define variables
Find the VPN server and the relevant router UUID
# get VPN connection ID openstack vpn ipsec site connection list | grep foo openstack vpn ipsec site connection list --long | grep <project_id> VPN_CONNECTION_ID=142dc25f-13bb-4fda-b093-edf13df98ed8 openstack vpn ipsec site connection show ${VPN_CONNECTION_ID} VPN_SERVICE_ID=$(openstack vpn ipsec site connection show ${VPN_CONNECTION_ID} -c 'VPN Service' -f value) openstack vpn service show ${VPN_SERVICE_ID} # get router ID ROUTER_ID=$(openstack vpn service show ${VPN_SERVICE_ID} -c Router -f value) echo "ROUTER_ID=${ROUTER_ID}"
Find the control node where the active router is running
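# The router's gateway port is bound to the node hosting the active router
# (see heading above). The column is selected as 'ID', matching the other
# 'openstack ... -c ID' commands on this page; a lower-case 'id' may not be
# recognised depending on the CLI version.
ROUTER_PORT_ID=$(openstack port list --device-owner network:router_gateway --router "${ROUTER_ID}" -f value -c ID)
CONTROL_NODE=$(openstack port show "${ROUTER_PORT_ID}" -c binding_host_id -f value)
echo "CONTROL_NODE: ${CONTROL_NODE}"

# Print (not run) the command that inspects the router namespace on that node.
echo "ssh ${CONTROL_NODE} sudo ip netns exec qrouter-${ROUTER_ID} ip a s"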
Connect to that control node and "jump" into its neutron-l3-agent docker container
# List active NetworkManager connections and keep the VPN ones.
nmcli con show --active | grep -i vpn
Links
https://www.networkinghowtos.com/howto/common-vpn-ports-and-protocols/
Setup
# install
sudo apt-get install -y strongswan

# Topology used in the examples below (sample addresses):
# Left (Peer client, behind NAT)
#   Ubuntu Client IP: 212.8.9.10
#   Ubuntu net:       192.168.178.0/24
#   OpenStack VPN IP: 217.50.60.70
#   OpenStack Net:    10.0.1.0/24
Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpn-fritzbox
/etc/ipsec.conf
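# show VPN objects
openstack vpn ipsec site connection list
openstack vpn endpoint group list
openstack vpn service list
openstack vpn ipsec policy list
openstack vpn ike policy list

# show IP
openstack vpn service list --long
# -I {} replaces the deprecated GNU xargs -i spelling; one 'show' per service ID
openstack vpn service list -c ID -f value | xargs -I {} openstack vpn service show {}
# -L1: one 'show' per connection ID
openstack vpn ipsec site connection list -c ID -f value | xargs -L1 openstack vpn ipsec site connection show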
Restart VPN
# Restart the IPsec site connection by disabling and re-enabling it.
conn=vpn-conn1
openstack vpn ipsec site connection set --disable "${conn}"
openstack vpn ipsec site connection set --enable "${conn}"
Check VPN peer address