In the case where
- two OpenStack tenants are available and resources should be split between them
- private networks (i.e. non public IPs) are involved
How can they be connected so that the Enough infrastructure be deployed? Let’s first assume an OpenStack tenant was deployed manually as follows:
user -> Manual VPN -> service in 10.100.0.0/24
And the other OpenStack tenant is deployed with Enough as follows:
user -> Enough VPN -> service in 10.200.0.0/24
The Manual VPN can be made to connect to the Enough VPN and allow it to access the 10.100.0.0/24 subnet. And the Enough VPN allows the Manual VPN to access the 10.200.0.0/24 subnet.
The hosts in the Manual VPN can then be accessed by (for instance) the icinga monitoring service from the Enough VPN.
The user connecting to the Manual VPN are pushed routes to both 10.100.0.0/24 and 10.200.0.0/24, which allows them to access services bound to private IPs and located in both OpenStack tenants.
To connect the user
Assuming the user connects to the Manual VPN, including the user running ansible,
/etc/openvpn/server.conf should contain:
push "route 10.100.0.0 255.255.255.0" push "route 10.200.0.0 255.255.255.0"
To connect Manual VPN to Enough VPN
A set of keys is created on the Enough VPN with the manual-vpn common name and the
/etc/openvpn/ccd/manual-vpn should inform the server that when the Manual VPN connects, it will route the 10.100.0.0/24 subnet:
iroute 10.100.0.0 255.255.255.0
But it is not enough to know that the route is available, the
/etc/openvpn/server.conf file needs instructions to modify the routing table of the host it is running on with:
route 10.100.0.0 255.255.255.0
The key is then copied over the the to the Manual VPN and renamed enough-vpn for clarity since we’re on the other side. It is then run with:
systemctl enable openvpn@enough-vpn systemctl start openvpn@enough-vpn
To connect Enough VPN to Manual VPN
The Enough VPN already provides a route to the 10.200.0.0/24 when a client connects to it. And since the Manual VPN has been configured to be a client to the Enough VPN, it has access to this subnet and there is nothing special to do about it.