apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

Support the setting "remote.access.vpn.client.iprange" per VPC/Single Isolated Network #9707

Open kiranchavala opened 2 months ago

kiranchavala commented 2 months ago

ISSUE TYPE

Enhancement/Improvement request

COMPONENT NAME

Component: VPC

CLOUDSTACK VERSION

CloudStack version 4.19.1.1

SUMMARY

Support the (global) setting "remote.access.vpn.client.iprange" at the per-VPC level, and also per simple/single Isolated network (which also supports remote VPN).

Currently we support the setting "remote.access.vpn.client.iprange" at

  1. Global settings
  2. Account level

There are limitations in this case.

Limitation 1

  1. Have multiple VPCs in an account (VPC 1 and VPC 2)

     VPC 1 CIDR >>> 10.0.0.0/8
     VPC 2 CIDR >>> 172.16.0.0/16

  2. Default account-level setting of the parameter "remote.access.vpn.client.iprange" >> "10.1.2.1-10.1.2.8"

  3. Enable site-to-site VPN between the two VPCs or have a customer gateway.

  4. Enable the VPN service in VPC 1.

  5. Connect an end user to the VPN service of VPC 1.

The end user will get successfully connected to the VPN network but the routing will not work.

The user cannot reach the VMs associated with VPC 1, since the

As per this rule, if the VR sees a packet matching src 10.0.0.0/8 dst 172.16.0.0/16 it will apply the IPsec policy routing for the S2S VPN.

As a workaround the admin user has to change the value of the parameter "remote.access.vpn.client.iprange" and disable and enable the VPN.

Since this is at account level it could affect other VPCs present in the account.

Limitation 2

  1. Have multiple VPCs in an account (VPC 1 and VPC 2)

  2. Enable the VPN service in both VPCs

  3. The end user who connects to the VPC 1 VPN service will be assigned an IP from remote.access.vpn.client.iprange

  4. The end user who connects to the VPC 2 VPN service will also be assigned an IP from remote.access.vpn.client.iprange

If the setting is at VPC level, it will be easy for the admin/account user to identify the problematic VPC and troubleshoot the issue.


Expected behaviour

It would be beneficial for the end user if CloudStack can provide an option of specifying the VPN client address range at VPC creation time.

Also, CloudStack should not allow the value to be changed during the lifetime of the VPC.

Hyperscalers such as AWS and Azure support it at VPC level:

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool
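The following script is an added example, not part of the issue text and not CloudStack's own code. It encodes the pre-flight check the two limitations above call for, so an operator can validate a proposed client range before enabling the VPN: it parses the "first-last" format used by remote.access.vpn.client.iprange, flags a range that overlaps the VPC's own CIDR (the src selector of the S2S IPsec policy in Limitation 1) or any S2S peer CIDR, and reports pairs of VPCs whose client pools overlap (Limitation 2). Function names and the sample inputs are assumptions constructed for illustration; the CIDRs mirror the scenario in the issue.

```python
"""Added example (not CloudStack code): sanity-check a remote-access VPN
client IP range against the CIDRs it must stay disjoint from.

The value format follows remote.access.vpn.client.iprange ("first-last",
e.g. "10.1.2.1-10.1.2.8"). Function names are assumed for illustration.
"""
import ipaddress
from ipaddress import IPv4Network, IPv6Network
from itertools import combinations
from typing import Dict, List, Tuple, Union

IPNetwork = Union[IPv4Network, IPv6Network]


def parse_client_range(client_range: str) -> List[IPNetwork]:
    """Turn "a.b.c.d-w.x.y.z" into the minimal list of CIDR blocks covering it."""
    try:
        first, last = (ipaddress.ip_address(p.strip()) for p in client_range.split("-"))
    except ValueError as exc:
        raise ValueError(f"bad client range {client_range!r}: {exc}") from exc
    if last < first:
        raise ValueError(f"client range {client_range!r} ends before it starts")
    return list(ipaddress.summarize_address_range(first, last))


def _overlaps(a: List[IPNetwork], b: List[IPNetwork]) -> bool:
    return any(x.overlaps(y) for x in a for y in b)


def check_vpn_client_range(client_range: str, vpc_cidr: str,
                           s2s_peer_cidrs: List[str]) -> List[str]:
    """Return findings for one VPC's VPN pool; an empty list means no conflict.

    Limitation 1: a pool inside the VPC CIDR is also inside the src selector
    of the VR's S2S IPsec policy, so client traffic is subject to that policy
    routing. A pool overlapping a peer CIDR makes routing to clients ambiguous
    with the tunnel route to the remote site.
    """
    clients = parse_client_range(client_range)
    vpc = ipaddress.ip_network(vpc_cidr)
    findings: List[str] = []
    if _overlaps(clients, [vpc]):
        findings.append(
            f"client range {client_range} lies inside VPC CIDR {vpc}: VPN client "
            f"traffic matches the src selector of the S2S IPsec policy")
    for peer in s2s_peer_cidrs:
        peer_net = ipaddress.ip_network(peer)
        if _overlaps(clients, [peer_net]):
            findings.append(
                f"client range {client_range} overlaps S2S peer CIDR {peer_net}: "
                f"routes to VPN clients and to the remote site are ambiguous")
    return findings


def find_shared_client_pools(vpc_ranges: Dict[str, str]) -> List[Tuple[str, str]]:
    """Limitation 2: pairs of VPCs whose client pools overlap, so a client IP
    alone does not identify which VPC's VPN a user is connected to."""
    parsed = {name: parse_client_range(rng) for name, rng in vpc_ranges.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if _overlaps(parsed[a], parsed[b])]


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's scenario.
    for finding in check_vpn_client_range("10.1.2.1-10.1.2.8", "10.0.0.0/8",
                                          ["172.16.0.0/16"]):
        print("CONFLICT:", finding)
    print("shared pools:", find_shared_client_pools({
        "vpc1": "10.1.2.1-10.1.2.8",
        "vpc2": "10.1.2.1-10.1.2.8",
        "vpc3": "192.168.100.1-192.168.100.8",
    }))
```

With the issue's values the first check reports that 10.1.2.1-10.1.2.8 lies inside 10.0.0.0/8; moving the pool to a range disjoint from every VPC CIDR and every S2S peer CIDR (for example 192.168.100.1-192.168.100.8) returns no findings. The same check would apply per VPC once the setting exists at that level.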

weizhouapache commented 2 months ago

I remember there was some work in the past to support network settings and VPC settings. However, I was not able to find the PR.

DaanHoogland commented 2 months ago

There are network_details and vpc_details tables, so network and VPC level settings can be defined. The setting needs adding and the logic implementing.