Installing VPNaaS in OpenStack Queens

OpenStack has built-in VPN tooling called VPN as a Service (VPNaaS). With it we can build site-to-site IPsec tunnels between an OpenStack private network and another site. This tutorial creates a site-to-site IPsec tunnel between two private networks in OpenStack that sit behind different routers.


OpenStack SONA Tutorial

This tutorial is an extended version of the official SONA documentation. I use Ubuntu 18.04 for all nodes and DevStack to build OpenStack and SONA, on the Pike release.


Separate Neutron Services onto Separate Nodes in OpenStack

OpenStack is designed to scale out. For example, the Neutron services can be moved off the controller node onto a dedicated network node.


AIO Tungsten Fabric & OpenStack Queens

Tungsten Fabric is a Software Defined Networking controller


Manual Installation of Octavia on OpenStack Queens

I am using Packstack to build the OpenStack environment and then install Octavia by hand with the steps below. I am using CentOS 7.5 and OpenStack Queens. Let's follow the steps:

Create Octavia Credentials File

The commands marked "(Using Octavia user)" below run as the octavia user that is created in the next step. Put its credentials in an openrc-style file, for example /root/octaviarc, and load it with source /root/octaviarc before running those commands:

export OS_USERNAME=octavia
export OS_PASSWORD='octavia'
export OS_AUTH_URL=http://KEYSTONE_IP:5000/v3
export PS1='[\u@\h \W(octavia_admin)]\$ '
export OS_PROJECT_NAME=services
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default

Create Octavia User & Service (using admin user)

The project is named services in Packstack deployments; in other installs it is often named service. The octavia user is given the admin role on that project because the controller worker creates ports, security groups and VMs on behalf of tenants. The endpoints below are plain HTTP, which is fine for a lab; terminate TLS in front of the API before exposing it further.

openstack user create octavia --domain default --password octavia
openstack role add --user octavia --project services admin
openstack service create --name octavia --description "OpenStack Octavia" load-balancer
openstack endpoint create --region RegionOne octavia public http://Octavia_IP:9876
openstack endpoint create --region RegionOne octavia internal http://Octavia_IP:9876
openstack endpoint create --region RegionOne octavia admin http://Octavia_IP:9876

Create Amphora Security Group (Using Octavia user)

You need a security group for the amphora management port; Octavia uses it to reach the amphora VM. TCP 9443 is the amphora agent's REST API (authenticated with the client certificate generated below), 22 is only needed for SSH debugging of an amphora, and ICMP helps troubleshooting. Heartbeats go the other way, from the amphora to the health manager over UDP 5555, so the TCP 5555 and 80 rules below are not used by the management path. These rules have no --remote-ip and therefore accept any source; restrict them to the controller's lb-mgmt-net address once it is known.

openstack security group create lb-mgmt-sec-grp
openstack security group rule create --protocol icmp lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 5555 lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 80 lb-mgmt-sec-grp

Create Amphora Images

yum -y install qemu curl kpartx git jq python-pip
pip install argparse 'Babel>=1.3' dib-utils PyYAML diskimage-builder
cd /tmp
git clone
git clone
cd octavia/diskimage-create
./ -i centos -s 3

Add Images into OpenStack (Using Octavia user)

openstack image create amphora-x64-haproxy --public --container-format bare --disk-format qcow2 --file amphora-x64-haproxy.qcow2
openstack image set amphora-x64-haproxy --tag amphora

Octavia selects the amphora image by this tag. Also set amp_image_owner_id in [controller_worker] to the ID of the project that owns the image (services here), so that only images owned by that project can match the tag.

Create Amphora Flavor (Using Octavia user)

openstack flavor create --id 200 --vcpus 2 --ram 1024 --disk 10 "m1.amphora" --public

Create Amphora Certificates

The script takes the output directory and an openssl config, and generates the CA, the controller's client certificate and the server CA used by the amphora agent. It protects the CA key with the passphrase foobar; that is the value ca_private_key_passphrase refers to, so re-encrypt cakey.pem with a passphrase of your own (openssl rsa -aes256 -passin/-passout) and use that in the configuration. Do not chmod -R 755 the directory: that leaves the CA private key readable by every local user. Keep it owner-only, and once the packages in the next step have created the octavia system user, run chown -R octavia:octavia /etc/octavia/certs so the services can read it.

source /tmp/octavia/bin/ /etc/octavia/certs /tmp/octavia/etc/certificates/openssl.cnf
chmod -R u=rwX,go= /etc/octavia/certs

Install Octavia

openstack-octavia-amphora-agent is the agent that runs inside the amphora image, so it is not needed on the controller (installing it does no harm). The httpd and memcached restart is for the Horizon panel from openstack-octavia-ui.

yum -y install python-octavia openstack-octavia-common openstack-octavia-diskimage-create \
    openstack-octavia-housekeeping openstack-octavia-api openstack-octavia-health-manager \
    openstack-octavia-worker openstack-octavia-amphora-agent openstack-octavia-ui \
    python2-octaviaclient
systemctl restart httpd memcached

Create Octavia Database

Create the database before granting on it; octavia-db-manage only creates the tables. The user name and password must match the connection string in octavia.conf.

mysql -u root -p
CREATE DATABASE octavia;
CREATE USER 'octavia' IDENTIFIED BY 'Password123';
GRANT ALL PRIVILEGES ON octavia.* TO 'octavia';

Create Management Network for Amphora (Using Octavia user)

Octavia uses this network to push configuration to the amphora VMs (TCP 9443 to the amphora agent) and to receive their heartbeats (UDP 5555 at the health manager). Create the network and subnet, then a Neutron port for the health manager, and plug that port into br-int as the interface o-hm0 so the controller itself is reachable on lb-mgmt-net.

Set OCTAVIA_MGMT_SUBNET, OCTAVIA_MGMT_SUBNET_START, OCTAVIA_MGMT_SUBNET_END and CONTROLLER_HOSTNAME before running the commands. The subnet is created with a default gateway and a DNS option, so running dhclient on o-hm0 would install a default route and rewrite /etc/resolv.conf on the controller: either remove the gateway and DNS from the subnet first, or create it without them (neutron subnet-create --no-gateway). Keep OCTAVIA_AMP_NETWORK_ID and the ID of lb-mgmt-sec-grp; they are the NETWORK_ID and SECURITY_GROUP_ID used in octavia.conf.

OCTAVIA_AMP_NETWORK_ID=$(neutron net-create lb-mgmt-net | awk '/ id / {print $4}')
neutron subnet-create --name lb-mgmt-subnet --allocation-pool start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END lb-mgmt-net $OCTAVIA_MGMT_SUBNET

neutron port-create --name octavia-health-manager-listen-port --binding:host_id=$CONTROLLER_HOSTNAME lb-mgmt-net
MGMT_PORT_ID=$(neutron port-show octavia-health-manager-listen-port | awk '/ id / {print $4}')
MGMT_PORT_MAC=$(neutron port-show octavia-health-manager-listen-port | awk '/ mac_address / {print $4}')

sudo ovs-vsctl -- --may-exist add-port br-int o-hm0 -- set Interface o-hm0 type=internal -- set Interface o-hm0 external-ids:iface-status=active -- set Interface o-hm0 external-ids:attached-mac=$MGMT_PORT_MAC -- set Interface o-hm0 external-ids:iface-id=$MGMT_PORT_ID
sudo ip link set dev o-hm0 address $MGMT_PORT_MAC
sudo dhclient -v o-hm0
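The management-network step as one script, added here as an example; it is not code from the original post or from Octavia's own tooling. It assumes a 172.16.0.0/24 range for lb-mgmt-net (override the OCTAVIA_MGMT_* variables), the openstack client with the octavia credentials sourced, and Open vSwitch with br-int on the controller as in the Packstack setup above. Two things are additions to the original commands: a separate security group for the health-manager port (UDP 5555 in, from the management subnet only), and a static address for o-hm0 taken from its Neutron port instead of dhclient, so the subnet's gateway and DNS options never reach the controller's routing table or resolv.conf. Nothing is changed until the script is run with the argument apply.

```shell
#!/bin/sh
# Added example (not from the original post or from Octavia): the management-network step as
# one script. Assumed values: the 172.16.0.0/24 range (override via environment), the openstack
# CLI with the octavia credentials sourced, and Open vSwitch with br-int on the controller.
# The controller side gets a static address from its Neutron port instead of dhclient, so the
# subnet's gateway and DNS options never reach the controller's routing table or resolv.conf.
set -eu

OCTAVIA_MGMT_SUBNET=${OCTAVIA_MGMT_SUBNET:-172.16.0.0/24}
OCTAVIA_MGMT_SUBNET_START=${OCTAVIA_MGMT_SUBNET_START:-172.16.0.2}
OCTAVIA_MGMT_SUBNET_END=${OCTAVIA_MGMT_SUBNET_END:-172.16.0.200}
CONTROLLER_HOSTNAME=${CONTROLLER_HOSTNAME:-$(hostname)}

# Extract the IPv4 address from "port show -c fixed_ips" output. Handles both
# openstackclient's ip_address='10.0.0.5', subnet_id='...' and neutronclient's
# {"subnet_id": "...", "ip_address": "10.0.0.5"} forms; prints nothing if there is none.
port_ipv4() {
    printf '%s\n' "$1" | sed -n "s/.*ip_address[\"']*[:=] *[\"']*\([0-9.]*\).*/\1/p"
}

# 172.16.0.0/24 -> 24
prefix_len() {
    printf '%s\n' "$1" | sed 's|.*/||'
}

create_mgmt_network() {
    openstack network create lb-mgmt-net
    # --gateway none: no default route is offered on this network. No --dns-nameserver:
    # amphorae need no resolver on the management side.
    openstack subnet create --network lb-mgmt-net --subnet-range "$OCTAVIA_MGMT_SUBNET" \
        --allocation-pool "start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END" \
        --gateway none lb-mgmt-subnet

    # Heartbeats arrive at the health manager over UDP 5555, so the controller-side port gets
    # its own group; the amphora group (lb-mgmt-sec-grp) stays on the amphora side only.
    openstack security group create lb-health-mgr-sec-grp
    openstack security group rule create --protocol udp --dst-port 5555 \
        --remote-ip "$OCTAVIA_MGMT_SUBNET" lb-health-mgr-sec-grp

    openstack port create --network lb-mgmt-net --host "$CONTROLLER_HOSTNAME" \
        --security-group lb-health-mgr-sec-grp --device-owner Octavia:health-mgr \
        octavia-health-manager-listen-port
}

plug_o_hm0() {
    port_id=$(openstack port show -f value -c id octavia-health-manager-listen-port)
    port_mac=$(openstack port show -f value -c mac_address octavia-health-manager-listen-port)
    port_ip=$(port_ipv4 "$(openstack port show -f value -c fixed_ips octavia-health-manager-listen-port)")

    ovs-vsctl -- --may-exist add-port br-int o-hm0 -- set Interface o-hm0 type=internal \
        -- set Interface o-hm0 external-ids:iface-status=active \
        -- set Interface o-hm0 external-ids:attached-mac="$port_mac" \
        -- set Interface o-hm0 external-ids:iface-id="$port_id"
    ip link set dev o-hm0 address "$port_mac"
    ip addr replace "$port_ip/$(prefix_len "$OCTAVIA_MGMT_SUBNET")" dev o-hm0
    ip link set dev o-hm0 up
    echo "o-hm0 is $port_ip: use it for bind_ip and controller_ip_port_list ($port_ip:5555)"
}

# The cloud is only touched when the script is run with the argument "apply"; without it the
# file just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    create_mgmt_network
    plug_o_hm0
fi
```

The o-hm0 address set with ip addr replace does not survive a reboot (neither does the dhclient lease in the original commands), so put the plug_o_hm0 steps in a systemd unit or network script that runs after openvswitch. The network ID for amp_boot_network_list is printed by openstack network show -f value -c id lb-mgmt-net.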

Add Octavia Configuration (/etc/octavia/octavia.conf)

Adjust the configuration to your environment. Each block below belongs under the section header shown; keys placed outside their section are ignored by Octavia, and bind_port appears in three different sections with three different meanings. The empty values (bind_host, bind_ip, controller_ip_port_list, and the hosts in the database and RabbitMQ URLs) are your own controller addresses: bind_ip and controller_ip_port_list take the o-hm0 address from the previous step, the latter as IP:5555. Replace heartbeat_key = insecure with a long random value; it is the HMAC key that authenticates amphora heartbeats, and any host on lb-mgmt-net that knows it can forge them. ca_private_key_passphrase must be the passphrase cakey.pem is actually encrypted with (foobar is the script default, so change both).

[api_settings]
bind_host =
bind_port = 9876

[database]
connection = mysql+pymysql://OCTAVIA_DB_USER:OCTAVIA_DB_PASSWORD@

[health_manager]
event_streamer_driver = noop_event_streamer
heartbeat_key = insecure
controller_ip_port_list =
bind_ip =
bind_port = 5555

[keystone_authtoken]
www_authenticate_uri = http://KEYSTONE_IP:5000/v3
auth_url = http://KEYSTONE_IP:35357/v3
username = OCTAVIA_USER
password = OCTAVIA_PASSWORD
project_name = services
project_domain_name = Default
user_domain_name = Default
auth_type = password

[certificates]
ca_certificate = /etc/octavia/certs/ca_01.pem
ca_private_key = /etc/octavia/certs/private/cakey.pem
ca_private_key_passphrase = foobar

[haproxy_amphora]
bind_host =
bind_port = 9443
client_cert = /etc/octavia/certs/client.pem
server_ca = /etc/octavia/certs/ca_01.pem
base_path = /var/lib/octavia
base_cert_dir = /var/lib/octavia/certs
connection_max_retries = 1500
connection_retry_interval = 1
rest_request_conn_timeout = 10
rest_request_read_timeout = 120

[controller_worker]
amp_image_tag = amphora
amp_secgroup_list = SECURITY_GROUP_ID
amp_boot_network_list = NETWORK_ID
amp_flavor_id = 200
network_driver = allowed_address_pairs_driver
compute_driver = compute_nova_driver
amphora_driver = amphora_haproxy_rest_driver
loadbalancer_topology = SINGLE

[oslo_messaging]
rpc_thread_pool_size = 2
topic = octavia_prov
event_stream_transport_url = rabbit://RABBIT_DB_USER:RABBIT_DB_PASSWORD@

[service_auth]
project_domain_name = Default
project_name = services
user_domain_name = Default
username = OCTAVIA_USER
password = OCTAVIA_PASSWORD
auth_type = password
auth_url = http://KEYSTONE_IP:35357/v3
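Two weak defaults survive the certificate step and the configuration above if they are copied as-is: a recursive chmod 755 on /etc/octavia/certs leaves the CA private key readable by every local user, and heartbeat_key = insecure together with ca_private_key_passphrase = foobar are the DevStack and create_certificates.sh defaults. The script below is an added example, not part of the original post or of Octavia; it checks for both problems and shows the fix, working only on constructed sample files in a temporary directory. Point check_cert_perms and check_octavia_conf at /etc/octavia/certs and /etc/octavia/octavia.conf to audit a real controller.

```shell
#!/bin/sh
# Added example (not from the original post or from Octavia): check for, and fix, the two
# weak defaults left by the certificate and configuration steps above. Everything below
# works on constructed sample files in a temporary directory; run the two check functions
# against /etc/octavia/certs and /etc/octavia/octavia.conf to audit a real controller.
set -eu

# Fail (exit 1) and list offenders if any regular file under $1 is readable, writable or
# executable by group or other. Parses ls -l so it needs no GNU-only find options.
check_cert_perms() {
    find "$1" -type f -exec ls -ld {} \; | awk '
        substr($1, 5, 6) ~ /[rwx]/ { print "group/other can access " $NF " (" $1 ")"; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Fail (exit 1) and explain if octavia.conf still carries a default secret. Keys are matched
# inside their section, so the three different bind_port values are never confused.
check_octavia_conf() {
    awk -F '=' '
        /^[ \t]*\[/             { section = $0; gsub(/[][ \t]/, "", section); next }
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "health_manager" && key == "heartbeat_key" && val == "insecure") {
                print "[health_manager] heartbeat_key is the devstack default; any host on lb-mgmt-net can forge amphora heartbeats"
                bad = 1
            }
            if (section == "certificates" && key == "ca_private_key_passphrase" && val == "foobar") {
                print "[certificates] ca_private_key_passphrase is the create_certificates.sh default"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# 32 random bytes as 64 hex characters: a heartbeat_key, or a CA passphrase for a freshly
# generated CA (changing only the config value does not re-encrypt an existing cakey.pem).
random_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Copy $1 to $2 with KEY set to VALUE inside [SECTION]. The original is left untouched so the
# new file can be diffed before it is moved into /etc/octavia.
set_conf_value() {  # in out section key value
    awk -v sec="$3" -v key="$4" -v val="$5" '
        /^[ \t]*\[/ { s = $0; gsub(/[][ \t]/, "", s) }
        s == sec && $1 == key { print key " = " val; next }
        { print }' "$1" > "$2"
}

# --- constructed sample data (stand-ins for the real files) -----------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
DEMO_CERTS="$DEMO/certs"
DEMO_CONF="$DEMO/octavia.conf"
DEMO_CONF_FIXED="$DEMO/octavia.conf.new"

mkdir -p "$DEMO_CERTS/private"
printf 'not a real key\n'  > "$DEMO_CERTS/private/cakey.pem"
printf 'not a real cert\n' > "$DEMO_CERTS/ca_01.pem"
chmod -R 755 "$DEMO_CERTS"            # what a recursive chmod 755 leaves behind

cat > "$DEMO_CONF" <<'EOF'
[health_manager]
heartbeat_key = insecure
bind_port = 5555

[certificates]
ca_certificate = /etc/octavia/certs/ca_01.pem
ca_private_key_passphrase = foobar
EOF

echo "== before"
check_cert_perms "$DEMO_CERTS" || true
check_octavia_conf "$DEMO_CONF" || true

# --- hardening ----------------------------------------------------------------------------
chmod -R u=rwX,go= "$DEMO_CERTS"      # on the controller also: chown -R octavia:octavia
set_conf_value "$DEMO_CONF" "$DEMO/step1.conf" health_manager heartbeat_key "$(random_secret)"
set_conf_value "$DEMO/step1.conf" "$DEMO_CONF_FIXED" certificates ca_private_key_passphrase "$(random_secret)"

echo "== after"
check_cert_perms "$DEMO_CERTS" && echo "certs: only the owner can read them"
check_octavia_conf "$DEMO_CONF_FIXED" && echo "conf: no default secrets left (regenerate the CA with the new passphrase)"
```

The new heartbeat_key only has to match on the controller side; amphorae receive it in their agent configuration when they boot. The new CA passphrase is different: the config value is only correct once cakey.pem is actually encrypted with it, so either regenerate the CA before the first amphora is built or re-encrypt the existing key with openssl.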


Populate Database

octavia-db-manage upgrade head

Enable and Activate Octavia

systemctl start octavia-api.service octavia-health-manager.service octavia-housekeeping.service octavia-worker.service
systemctl enable octavia-api.service octavia-health-manager.service octavia-housekeeping.service octavia-worker.service
systemctl status octavia-api.service octavia-health-manager.service octavia-housekeeping.service octavia-worker.service