Hosting split in two OpenStack tenants


In the case where

  • two OpenStack tenants are available and resources should be split between them
  • private networks (i.e. non public IPs) are involved

How can they be connected so that the Enough infrastructure can be deployed? Let’s first assume an OpenStack tenant was deployed manually as follows:

user -> Manual VPN -> service in

And the other OpenStack tenant is deployed with Enough as follows:

user -> Enough VPN -> service in

The Manual VPN can be made to connect to the Enough VPN and allow it to access the subnet. And the Enough VPN allows the Manual VPN to access the subnet.

The hosts in the Manual VPN can then be accessed by (for instance) the icinga monitoring service from the Enough VPN.

Technical details

Users connecting to the Manual VPN are pushed routes to both and, which allows them to access services bound to private IPs and located in both OpenStack tenants.

To connect the user

Assuming the user connects to the Manual VPN, including the user running ansible, /etc/openvpn/server.conf should contain:

push "route"
push "route"

To connect Manual VPN to Enough VPN

A set of keys is created on the Enough VPN with the manual-vpn common name, and the /etc/openvpn/ccd/manual-vpn file should inform the server that when the Manual VPN connects, it will route the subnet:


But it is not enough to know that the route is available; the /etc/openvpn/server.conf file needs instructions to modify the routing table of the host it is running on with:


The key is then copied over to the Manual VPN and renamed enough-vpn for clarity since we’re on the other side. It is then run with:

systemctl enable openvpn@enough-vpn
systemctl start openvpn@enough-vpn
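
A consistency check for the two files described above, as an added example that is not part of the Enough documentation: it reports every iroute subnet declared in a ccd file that has no covering route line in server.conf. The 10.30.0.0/24 subnet and the sample file contents are constructed placeholders, not the subnets of this deployment.

```python
import ipaddress

def directive_networks(text, directive):
    """Collect the IPv4 networks named by `directive` ("route" or "iroute") lines."""
    nets = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != directive:
            continue  # also skips push "route ...", which only informs clients
        # OpenVPN treats a missing or "default" netmask as a single host (/32).
        mask = fields[2] if len(fields) > 2 and fields[2] != "default" else "255.255.255.255"
        try:
            nets.add(ipaddress.ip_network(f"{fields[1]}/{mask}", strict=False))
        except ValueError:
            continue  # hostname or keyword instead of an address: not checked here
    return nets

def unrouted_iroutes(server_conf, ccd_files):
    """Map each ccd common name to its iroute subnets that no server `route` covers."""
    kernel_routes = directive_networks(server_conf, "route")
    missing = {}
    for common_name, text in ccd_files.items():
        gaps = sorted(
            net for net in directive_networks(text, "iroute")
            if not any(net.subnet_of(route) for route in kernel_routes)
        )
        if gaps:
            missing[common_name] = [str(net) for net in gaps]
    return missing

# Constructed sample files; 10.30.0.0/24 is a placeholder subnet.
CCD_FILES = {"manual-vpn": "iroute 10.30.0.0 255.255.255.0\n"}
SERVER_PUSH_ONLY = (
    "client-config-dir /etc/openvpn/ccd\n"
    'push "route 10.30.0.0 255.255.255.0"\n'
)
SERVER_WITH_ROUTE = SERVER_PUSH_ONLY + "route 10.30.0.0 255.255.255.0\n"

if __name__ == "__main__":
    print("push only: ", unrouted_iroutes(SERVER_PUSH_ONLY, CCD_FILES))
    print("with route:", unrouted_iroutes(SERVER_WITH_ROUTE, CCD_FILES))
```
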

To connect Enough VPN to Manual VPN

The Enough VPN already provides a route to the when a client connects to it. And since the Manual VPN has been configured to be a client to the Enough VPN, it has access to this subnet and there is nothing special to do about it.