When deploying a VPN service to connect from a branch office to your local OpenStack networking, it is necessary to adjust the OpenStack network configuration using the allowed address pairs option, so that a remote VPN network can connect to an OpenStack network range.
"Allowed address pairs feature allows one port to add additional IP/MAC address pairs on that port to allow traffic that matches those specified values."
Access to the OpenStack CLI tools is mandatory for adjusting the OpenStack network configuration.
The example below shows a VPN setup using a public network interface and a second network interface connected to your private network range within the OpenStack environment.
- Public IP for the VPN server : 188.8.131.52
- Private network range: 192.168.0.0/24
- VPN network range: 192.168.1.0/24
When connecting to the VPN server, a remote workstation gets an IP address assigned from the network range 192.168.1.0/24 and uses it to connect to a system within the OpenStack environment in the IP range 192.168.0.0/24. The problem is that the IP range 192.168.1.0/24 is not allowed by the OpenStack networking environment. To solve this, a few adjustments are needed from the OpenStack Command Line Interface (CLI): creating an "Allowed Address Pair".
192.168.0.1 in this example is linked to the private interface on the VPN instance.
openstack port list | grep 192.168.0.1 | cut -d \| -f 2
After running the command, the result is a UUID: 6b832dfe-f271-443c-abad-629961414a73
Execute the following two commands, replacing <PORT_UUID> with that UUID, to allow the remote VPN network range on the local OpenStack network.
openstack port set --no-allowed-address <PORT_UUID>
openstack port set --allowed-address ip-address=192.168.0.0/24 --allowed-address ip-address=192.168.1.0/24 <PORT_UUID>
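The following is an added example, not part of the original article or of OpenStack itself. It is a simplified Python model of the source-address check on the VPN instance's port, showing why a VPN client address is dropped before the change and accepted after it, and how to check that a required range is covered. Assumptions: the port data is a constructed sample shaped like `openstack port show -f json` output, the MAC address is made up, and MAC matching is ignored.

```python
import ipaddress
import json

# Constructed sample (assumed field layout of `openstack port show -f json`);
# the MAC address is made up, the IP ranges are the ones used in this article.
PORT_BEFORE = json.loads("""
{"id": "<PORT_UUID>",
 "mac_address": "fa:16:3e:00:00:01",
 "fixed_ips": [{"ip_address": "192.168.0.1", "subnet_id": "<SUBNET_UUID>"}],
 "allowed_address_pairs": []}
""")
# Same port after the two `openstack port set` commands above.
PORT_AFTER = dict(PORT_BEFORE, allowed_address_pairs=[
    {"ip_address": "192.168.0.0/24", "mac_address": "fa:16:3e:00:00:01"},
    {"ip_address": "192.168.1.0/24", "mac_address": "fa:16:3e:00:00:01"},
])


def permitted_sources(port):
    """Networks the port may send from: its fixed IPs plus allowed address pairs."""
    entries = [f["ip_address"] for f in port["fixed_ips"]]
    entries += [p["ip_address"] for p in port["allowed_address_pairs"]]
    # A bare address such as 192.168.0.1 becomes a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def egress_allowed(port, src_ip):
    """Simplified decision for a packet leaving the instance with source src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in permitted_sources(port))


def uncovered(port, required_cidrs):
    """Return the required ranges that no fixed IP or allowed pair fully covers."""
    nets = permitted_sources(port)
    missing = []
    for cidr in required_cidrs:
        req = ipaddress.ip_network(cidr)
        if not any(n.version == req.version and req.subnet_of(n) for n in nets):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    for label, port in (("before", PORT_BEFORE), ("after", PORT_AFTER)):
        print(label, "| 192.168.1.10 passes:", egress_allowed(port, "192.168.1.10"),
              "| uncovered:", uncovered(port, ["192.168.1.0/24"]))
```

Every range added as an allowed address pair is also a range the instance can use as a source address, so keep the pairs limited to the VPN ranges that are actually needed.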