Neutron networking in OpenStack does not support cloudpipe anymore and no alternative is available. In the OpenStack setup we use, we do not have enough routable IP addresses available to give every virtual machine an IP that is accessible from outside OpenStack.
I solved this by running a virtual machine inside OpenStack with a public (floating) IP. This virtual machine runs an OpenVPN server with password-based authentication that is passed through to Keystone, so the credentials for OpenVPN and OpenStack are the same.
OpenVPN can use a script to verify user credentials. The auth.py script tries to authenticate to Keystone with the user's credentials, scoped to the openvpn tenant. Because the login is scoped to that tenant, the administrator can limit OpenVPN access. Change the address on line 29 to the address of your Keystone server.
In the OpenVPN config add this line:
auth-user-pass-verify /etc/openvpn/auth.py via-file
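A sketch of what such a verify script can look like, added here as an example and not the auth.py referred to above. It assumes the Keystone v3 Identity API (where a tenant is called a project), a project named "openvpn" in the "Default" domain, and a placeholder Keystone URL; it denies access on any error.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify (via-file) helper that checks Keystone."""
import json
import sys
import urllib.error
import urllib.request

# Assumptions: placeholder Keystone v3 endpoint; project named "openvpn".
KEYSTONE_URL = "https://keystone.example.org:5000/v3/auth/tokens"
PROJECT = "openvpn"
DOMAIN = "Default"


def read_credentials(path):
    """via-file: OpenVPN writes the username on line 1, the password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("credential file is incomplete")
    return lines[0], lines[1]


def build_auth_request(username, password):
    """Password auth scoped to PROJECT, so only its members get a token."""
    user = {"name": username, "domain": {"name": DOMAIN}, "password": password}
    scope = {"project": {"name": PROJECT, "domain": {"name": DOMAIN}}}
    identity = {"methods": ["password"], "password": {"user": user}}
    return {"auth": {"identity": identity, "scope": scope}}


def authenticate(username, password, opener=urllib.request.urlopen):
    """Return True only if Keystone issues a project-scoped token (HTTP 201)."""
    body = json.dumps(build_auth_request(username, password)).encode()
    req = urllib.request.Request(
        KEYSTONE_URL, data=body, headers={"Content-Type": "application/json"})
    try:
        with opener(req, timeout=10) as resp:
            return resp.status == 201
    except (urllib.error.URLError, OSError, ValueError):
        return False  # fail closed: 401, timeout, TLS error all deny access


if __name__ == "__main__":
    try:
        ok = authenticate(*read_credentials(sys.argv[1]))
    except (IndexError, OSError, ValueError):
        ok = False
    sys.exit(0 if ok else 1)  # OpenVPN accepts the login only on exit code 0
```

OpenVPN only runs external scripts such as this one when the server config also sets script-security 2. Keeping the Keystone URL on https means the password leaves the VPN host over a verified TLS connection.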