Configuring VPNaaS for DevStack

Multinode vs All-In-One

DevStack typically runs in single-node or “All-In-One” (AIO) mode, but it can also be deployed across multiple nodes. For VPNaaS, an AIO setup is simple because everything happens on the same node. A multinode deployment, however, requires the following:

  1. Each controller node requires database migrations in support of running VPNaaS.
  2. Each network node that would run the L3 agent needs to run the Neutron VPNaaS agent in its place.

Therefore, the DevStack plugin script needs some extra logic.

How to Configure

To configure VPNaaS, it is only necessary to enable the neutron-vpnaas DevStack plugin by adding the following line to the [[local|localrc]] section of DevStack’s local.conf file::

    enable_plugin neutron-vpnaas <GITURL> [BRANCH]

<GITURL> is the URL of a neutron-vpnaas repository
[BRANCH] is an optional git ref (branch/ref/tag).  The default is master.

For example::

    enable_plugin neutron-vpnaas https://git.openstack.org/openstack/neutron-vpnaas stable/kilo

The default IPsec package under DevStack is ‘openswan’. However, depending upon the Linux distribution, you may need to override this value. Select ‘libreswan’ for Fedora/RHEL/CentOS or ‘strongswan’ for Ubuntu 14.04+.

For example, install libreswan for CentOS/RHEL 7::

    IPSEC_PACKAGE=libreswan

The VPNaaS DevStack plugin code will then:

  1. Install the common VPNaaS configuration and code,
  2. Apply database migrations on nodes that are running the controller (as determined by enabling the q-svc service),
  3. Run the VPNaaS agent on nodes that would normally be running the L3 agent (as determined by enabling the q-l3 service).
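
The per-node decision in the list above can be checked before running DevStack. The following is an added example, not code from the neutron-vpnaas plugin: it reads a local.conf, reports which of the three steps apply to the node, and warns about the plugin line and ``IPSEC_PACKAGE``. The function names, the step labels (``install``, ``db-migrate``, ``vpn-agent``), and the https and BRANCH warnings are assumptions of this example, and it only recognises services enabled through ``enable_service`` or ``ENABLED_SERVICES``.

```bash
#!/usr/bin/env bash
# Added example (not part of the plugin): preflight check of a local.conf.
# Assumption: services are enabled with "enable_service" lines or
# ENABLED_SERVICES assignments; disable_service is not handled.

# Print "<GITURL> [BRANCH]" from the neutron-vpnaas enable_plugin line.
vpnaas_plugin_args() {
    awk '$1 == "enable_plugin" && $2 == "neutron-vpnaas" { print $3, $4; exit }' "$1"
}

# Succeed if service $2 is enabled in local.conf $1.
service_enabled_in() {
    grep -E '^[[:space:]]*(enable_service[[:space:]]|ENABLED_SERVICES\+?=)' "$1" |
        tr ' \t,="' '\n\n\n\n\n' | grep -qx -- "$2"
}

# Print the plugin steps that apply to this node (labels are hypothetical).
vpnaas_node_actions() {
    local actions="install"
    service_enabled_in "$1" q-svc && actions+=" db-migrate"
    service_enabled_in "$1" q-l3 && actions+=" vpn-agent"
    echo "$actions"
}

# Print warnings about the plugin line and IPSEC_PACKAGE; return 1 if any.
vpnaas_lint() {
    local url branch pkg rc=0
    read -r url branch <<<"$(vpnaas_plugin_args "$1")"
    [ -n "$url" ] || { echo "WARN: neutron-vpnaas plugin not enabled"; return 1; }
    case $url in
        https://*) ;;
        *) echo "WARN: GITURL is not fetched over https: $url"; rc=1 ;;
    esac
    [ -n "$branch" ] || { echo "WARN: no BRANCH given, tracks master"; rc=1; }
    pkg=$(sed -n 's/^[[:space:]]*IPSEC_PACKAGE=//p' "$1" | tail -n 1 | tr -d "\"'")
    case ${pkg:-openswan} in
        openswan|libreswan|strongswan) ;;
        *) echo "WARN: unexpected IPSEC_PACKAGE: $pkg"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a network node (q-l3 enabled, no q-svc).
sample=$(mktemp)
printf '%s\n' '[[local|localrc]]' \
    'enable_plugin neutron-vpnaas https://git.openstack.org/openstack/neutron-vpnaas stable/kilo' \
    'IPSEC_PACKAGE=libreswan' 'enable_service q-agt q-l3 q-meta' >"$sample"
vpnaas_node_actions "$sample"            # install vpn-agent
vpnaas_lint "$sample" && echo "lint: ok"
rm -f "$sample"
```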