Configuring VPNaaS for DevStack¶
Multinode vs All-In-One¶
Devstack typically runs in single or “All-In-One” (AIO) mode. However, it can also be deployed to run on multiple nodes. For VPNaaS, running on an AIO setup is simple, as everything happens on the same node. However, to deploy to a multinode setup requires the following things to happen:
Each controller node requires database migrations in support of running VPNaaS.
Each network node that would run VPNaaS L3 agent extension.
Therefore, the devstack plugin script needs some extra logic.
How to Configure¶
To configure VPNaaS, it is only necessary to enable the neutron-vpnaas
devstack plugin by adding the following line to the
section of devstack’s local.conf file:
enable_plugin neutron-vpnaas <GITURL> [BRANCH]
<GITURL> is the URL of a neutron-vpnaas repository
[BRANCH] is an optional git ref (branch/ref/tag). The default is master.
enable_plugin neutron-vpnaas https://opendev.org/openstack/neutron-vpnaas stable/kilo
The default implementation for IPSEC package under DevStack is ‘strongswan’. However, depending upon the Linux distribution, you may need to override this value. Select ‘libreswan’ for Fedora/RHEL/CentOS.
For example, install libreswan for CentOS/RHEL 7:
This VPNaaS devstack plugin code will then
Install the common VPNaaS configuration and code,
Apply database migrations on nodes that are running the controller (as determined by enabling the q-svc service),