Enable Neutron VPN as Service

Include the URL of your launchpad blueprint:

https://blueprints.launchpad.net/openstack-chef/+spec/neutron-vpnaas-enablement

Problem description

VPN service is a key feature provided by Neutron to enable Secured Private connection to OpenStack cloud. The reference VPN implementation in Neutron at this time is [IPSec] VPN, and the IPSec driver is [OPENSWAN].

Currently, there is no Chef cookbook support to configure and start Neutron VPN service.

Proposed change

Add a recipe, and related attribute/unit tests to cookbook-openstack-network to install, configure and start VPN service.

The packages need to be installed are:

  • Ubuntu: neutron-plugin-vpn-agent

  • RedHat: openstack-neutron

  • Suse: openstack-neutron-vpn-agent

The attributes need to be added includes:

  • A new attribute to decide if VPN agent or L3 agent should be started:

    ['openstack']['network']['enable_vpn']
    
  • New attributes for VPN configurations in /etc/neutron/vpn_agent.ini:

    ['openstack']['network']['vpn']['vpn_device_driver']
    ['openstack']['network']['vpn']['ipsec_status_check_interval']
    

The recipe will check if VPN service should be installed, configured and started, then uses the attribute value to configure VPN agent configuration file and start VPN service.

Alternatives

No alternatives at this time.

Data model impact

No Data model impact

REST API impact

No API change

Security impact

Right now only IKE with “PSK” (Pre-Shared Key) authentication mode is implemented in Neutron VPNaaS for simplicity. And the psk is a input of IPsec site connection establishment process.

For example, “secret” psk can be used in a new IPsec site connection:

neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn
--ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233
--peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret

Since the authentication and key exchange are not in the scope of starting and configuring VPN service, there should be no security impact of this Spec.

Notifications impact

No notification impact

Other end user impact

Performance Impact

Other deployer impact

Developer impact

Implementation

Assignee(s)

Primary assignee:

Work Items

  • Add a new attribute value to decide if VPN agent or L3 agent should be started, since these two services cannot be started at the same time.

  • Add new attributes for VPN configurations in /etc/neutron/vpn_agent.ini and a new vpn template.

  • Add a new recipe to install the VPN packages, configure the [VPN_TEMPLATE] and start VPN service

  • Enable VPN support in Horizon [VPN_HORIZON] Configure /opt/stack/horizon/openstack_dashboard/local/local_settings.py:

    OPENSTACK_NEUTRON_NETWORK = {
         'enable_vpn': True,
    }
    
  • Add validations to ensure VPN service is up and running correctly.

  • Add unit tests

  • ref to ask openstack on this topic [HOW_TO_SETUP_VPN]

Dependencies

Testing

  • Add unit tests for the new recipe.

  • For function tests and CI integration tests, at least one node with three NICs is recommanded. One NIC is used for external network connection, one NIC is used for data network and the other is used for management network.

Documentation Impact

  • Configure attribute [‘openstack’][‘network’][‘enable_vpn’] = ‘True’ to enable VPN service.

  • Configure VPN related attributes, for example:

    ['openstack']['network']['vpn']['vpn_device_driver'] =
    neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
    ['openstack']['network']['vpn']['ipsec_status_check_interval'] = 60