)]}'
{"specs/train/vpnaas-openvpn-driver.rst":[{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"aea24f7b1d2fef2eff9e0275dc5063e5edb3f83e","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Problem Description"},{"line_number":8,"context_line":"-------------------"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"The current IPSEC VPN driver allows connecting two separate networks via a "},{"line_number":11,"context_line":"VPN link. Policy based routing is used to direct traffic between the"},{"line_number":12,"context_line":"two networks."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_67cb0172","line":10,"range":{"start_line":10,"start_character":74,"end_line":10,"end_character":75},"updated":"2019-09-20 01:08:45.000000000","message":"Please remove this blank at EOL. You have several below","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"21d2b3bee4d70ad5020259048862cc2eadba7e12","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Problem Description"},{"line_number":8,"context_line":"-------------------"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"The current IPSEC VPN driver allows connecting two separate networks via a "},{"line_number":11,"context_line":"VPN link. 
Policy based routing is used to direct traffic between the"},{"line_number":12,"context_line":"two networks."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_ee33c912","line":10,"range":{"start_line":10,"start_character":74,"end_line":10,"end_character":75},"in_reply_to":"3fa7e38b_67cb0172","updated":"2019-09-27 09:14:16.000000000","message":"Done","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"dd348809dec84b14717de160269dde4b75ee109b","unresolved":false,"context_lines":[{"line_number":12,"context_line":"two networks."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This proposal introduces a VPN service that allows remote client logins to"},{"line_number":15,"context_line":"Neutron networks, placing the remote clients into the same L2 domain as"},{"line_number":16,"context_line":"the instances."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_e8eb36d9","line":15,"range":{"start_line":15,"start_character":18,"end_line":15,"end_character":68},"updated":"2019-09-20 15:10:22.000000000","message":"it\u0027s better to explain the use case which requires this effort.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"21d2b3bee4d70ad5020259048862cc2eadba7e12","unresolved":false,"context_lines":[{"line_number":12,"context_line":"two networks."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This proposal introduces a VPN service that allows remote client logins to"},{"line_number":15,"context_line":"Neutron networks, placing the remote clients into the same L2 domain 
as"},{"line_number":16,"context_line":"the instances."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_6e27d9cb","line":15,"range":{"start_line":15,"start_character":18,"end_line":15,"end_character":68},"in_reply_to":"3fa7e38b_e8eb36d9","updated":"2019-09-27 09:14:16.000000000","message":"Done","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"aea24f7b1d2fef2eff9e0275dc5063e5edb3f83e","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This proposal introduces a VPN service that allows remote client logins to"},{"line_number":15,"context_line":"Neutron networks, placing the remote clients into the same L2 domain as"},{"line_number":16,"context_line":"the instances."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Proposed Change"},{"line_number":19,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_27c5095c","line":16,"range":{"start_line":16,"start_character":4,"end_line":16,"end_character":13},"updated":"2019-09-20 01:08:45.000000000","message":"here you mean Nova instances ports, correct?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"b287bf694f254c7eb0b102d42ae1f7545c001b88","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This proposal introduces a VPN service that allows remote client logins to"},{"line_number":15,"context_line":"Neutron networks, placing the remote clients into the same L2 domain as"},{"line_number":16,"context_line":"the 
instances."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Proposed Change"},{"line_number":19,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_ed36ebe7","line":16,"range":{"start_line":16,"start_character":4,"end_line":16,"end_character":13},"in_reply_to":"3fa7e38b_27c5095c","updated":"2019-09-20 14:01:24.000000000","message":"Yes, correct.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"983bee8e3be2a8a92736619e54c881858b81d378","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"We use OpenVPN to provide VPN connectivity, using the option \"-dev tap\""},{"line_number":22,"context_line":"to provide L2 access (as opposed to \"-dev tun\")."},{"line_number":23,"context_line":"The OpenVPN server process runs in the namespace of a Router, and it listens"},{"line_number":24,"context_line":"on the Router\u0027s external IP address. 
OpenVPN client traffic flows through a"},{"line_number":25,"context_line":"tap device created by the VPN server."},{"line_number":26,"context_line":"We create a Linux bridge to connect this tap device to the Router\u0027s"},{"line_number":27,"context_line":"internal port (see diagram)."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_ad723348","line":24,"range":{"start_line":23,"start_character":0,"end_line":24,"end_character":35},"updated":"2019-09-20 12:40:11.000000000","message":"does this mean this server is also reachable from the internal network, 192.168.0.0/24 ?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"21d2b3bee4d70ad5020259048862cc2eadba7e12","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"We use OpenVPN to provide VPN connectivity, using the option \"-dev tap\""},{"line_number":22,"context_line":"to provide L2 access (as opposed to \"-dev tun\")."},{"line_number":23,"context_line":"The OpenVPN server process runs in the namespace of a Router, and it listens"},{"line_number":24,"context_line":"on the Router\u0027s external IP address. OpenVPN client traffic flows through a"},{"line_number":25,"context_line":"tap device created by the VPN server."},{"line_number":26,"context_line":"We create a Linux bridge to connect this tap device to the Router\u0027s"},{"line_number":27,"context_line":"internal port (see diagram)."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_2e2001f7","line":24,"range":{"start_line":23,"start_character":0,"end_line":24,"end_character":35},"in_reply_to":"3fa7e38b_08d0121f","updated":"2019-09-27 09:14:16.000000000","message":"The remote client can\u0027t reach it via the VPN. 
Even if all other client traffic is routed through the tunnel, the original route from the client to the VPN server has to remain, else the tunnel would collapse.\n\nNova instances on the internal network could reach the VPN server. I already use an OpenVPN hook to authenticate clients. It would be easy to refuse connections from the internal network, based on the client\u0027s IP.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"dd348809dec84b14717de160269dde4b75ee109b","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"We use OpenVPN to provide VPN connectivity, using the option \"-dev tap\""},{"line_number":22,"context_line":"to provide L2 access (as opposed to \"-dev tun\")."},{"line_number":23,"context_line":"The OpenVPN server process runs in the namespace of a Router, and it listens"},{"line_number":24,"context_line":"on the Router\u0027s external IP address. 
OpenVPN client traffic flows through a"},{"line_number":25,"context_line":"tap device created by the VPN server."},{"line_number":26,"context_line":"We create a Linux bridge to connect this tap device to the Router\u0027s"},{"line_number":27,"context_line":"internal port (see diagram)."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_08d0121f","line":24,"range":{"start_line":23,"start_character":0,"end_line":24,"end_character":35},"in_reply_to":"3fa7e38b_38a8bfd9","updated":"2019-09-20 15:10:22.000000000","message":"the complex network topology scared me a bit.\neven the remote client itself can reach this via the vpn, right?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"b287bf694f254c7eb0b102d42ae1f7545c001b88","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"We use OpenVPN to provide VPN connectivity, using the option \"-dev tap\""},{"line_number":22,"context_line":"to provide L2 access (as opposed to \"-dev tun\")."},{"line_number":23,"context_line":"The OpenVPN server process runs in the namespace of a Router, and it listens"},{"line_number":24,"context_line":"on the Router\u0027s external IP address. 
OpenVPN client traffic flows through a"},{"line_number":25,"context_line":"tap device created by the VPN server."},{"line_number":26,"context_line":"We create a Linux bridge to connect this tap device to the Router\u0027s"},{"line_number":27,"context_line":"internal port (see diagram)."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_38a8bfd9","line":24,"range":{"start_line":23,"start_character":0,"end_line":24,"end_character":35},"in_reply_to":"3fa7e38b_ad723348","updated":"2019-09-20 14:01:24.000000000","message":"Technically, yes, I think it is reachable (haven\u0027t actually tried it, though).\n\nOf course it does not make much sense for a client already on the internal network to connect to it. Do you think there should be measures to prevent connections from such clients?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"983bee8e3be2a8a92736619e54c881858b81d378","unresolved":false,"context_lines":[{"line_number":34,"context_line":"  .-----------------------.            
.-----------------------."},{"line_number":35,"context_line":"  | external port         |            | internal port         |"},{"line_number":36,"context_line":"  | qg-* (10.0.0.42/24)   |            | qr-* (192.168.0.1/24) |"},{"line_number":37,"context_line":"  \u0027-----------------------\u0027            \u0027-----------------------\u0027"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"With VPN:"},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_2dae4398","line":37,"updated":"2019-09-20 12:40:11.000000000","message":"openvpn clients live in the external network and connect to 10.0.0.42 ?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"b287bf694f254c7eb0b102d42ae1f7545c001b88","unresolved":false,"context_lines":[{"line_number":34,"context_line":"  .-----------------------.            
.-----------------------."},{"line_number":35,"context_line":"  | external port         |            | internal port         |"},{"line_number":36,"context_line":"  | qg-* (10.0.0.42/24)   |            | qr-* (192.168.0.1/24) |"},{"line_number":37,"context_line":"  \u0027-----------------------\u0027            \u0027-----------------------\u0027"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"With VPN:"},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_ad29d39b","line":37,"in_reply_to":"3fa7e38b_2dae4398","updated":"2019-09-20 14:01:24.000000000","message":"Yes.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"aea24f7b1d2fef2eff9e0275dc5063e5edb3f83e","unresolved":false,"context_lines":[{"line_number":54,"context_line":"            |                       ^"},{"line_number":55,"context_line":"            \u0027---client traffic -----\u0027"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Q: should we have the VPN server listen on the internal port? The current"},{"line_number":58,"context_line":"proposal runs into problems when we have multiple internal networks for which"},{"line_number":59,"context_line":"we want to configure VPN services."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"OpenVPN server configuration"},{"line_number":62,"context_line":"----------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_a7aed995","line":59,"range":{"start_line":57,"start_character":3,"end_line":59,"end_character":34},"updated":"2019-09-20 01:08:45.000000000","message":"what sort of problems are you running into? 
How would listening in the internal port fix that?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"b287bf694f254c7eb0b102d42ae1f7545c001b88","unresolved":false,"context_lines":[{"line_number":54,"context_line":"            |                       ^"},{"line_number":55,"context_line":"            \u0027---client traffic -----\u0027"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Q: should we have the VPN server listen on the internal port? The current"},{"line_number":58,"context_line":"proposal runs into problems when we have multiple internal networks for which"},{"line_number":59,"context_line":"we want to configure VPN services."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"OpenVPN server configuration"},{"line_number":62,"context_line":"----------------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_4de93f18","line":59,"range":{"start_line":57,"start_character":3,"end_line":59,"end_character":34},"in_reply_to":"3fa7e38b_a7aed995","updated":"2019-09-20 14:01:24.000000000","message":"Thinking about it, listening on the router\u0027s internal Port is also not a good solution.\nThe problem arises when the user sets up multiple vpn services in one router. The VPN servers need to listen somewhere. I see three options:\n- Don\u0027t allow multiple VPN services in one router. This way, the VPN server listens on the router\u0027s external IP, openvpn\u0027s default port 1194.\n- Have all VPN servers listen on the router\u0027s external IP, but on different ports. This would mean we need to explicitly configure the ports, and VPN clients need to be aware of this.\n- Have the VPN servers listen on the router\u0027s internal IPs, using the default port. This would mean the VPN clients must be able to reach the internal network, i.e. 
have a route set up.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"dd348809dec84b14717de160269dde4b75ee109b","unresolved":false,"context_lines":[{"line_number":114,"context_line":"Neutron, and is be obtained by the client through the Neutron DHCP service. "},{"line_number":115,"context_line":"The DHCP service of the OpenVPN server is disabled."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Does not need additional API objects or fields."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Alternative 3:"},{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. We configure an IP range"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_489fea02","line":117,"updated":"2019-09-20 15:10:22.000000000","message":"if you know the number of possible clients and it isn\u0027t huge, just having pre-created set of ports somehow associated to the vpn might be fine.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"21d2b3bee4d70ad5020259048862cc2eadba7e12","unresolved":false,"context_lines":[{"line_number":114,"context_line":"Neutron, and is be obtained by the client through the Neutron DHCP service. "},{"line_number":115,"context_line":"The DHCP service of the OpenVPN server is disabled."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Does not need additional API objects or fields."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Alternative 3:"},{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. 
We configure an IP range"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_9148342d","line":117,"in_reply_to":"3fa7e38b_489fea02","updated":"2019-09-27 09:14:16.000000000","message":"As discussed, we will favor Alternative 1. In this scenario, pre-created ports are also possible.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":4694,"name":"Miguel Lavalle","email":"miguel@mlavalle.com","username":"minsel"},"change_message_id":"aea24f7b1d2fef2eff9e0275dc5063e5edb3f83e","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Does not need additional API objects or fields."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Alternative 3:"},{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. We configure an IP range"},{"line_number":121,"context_line":"for remote clients that does not overlap with the addresses given out by "},{"line_number":122,"context_line":"Neutron\u0027s DHCP service. We enable the DHCP service of the OpenVPN server and "}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_e734d1fd","line":119,"updated":"2019-09-20 01:08:45.000000000","message":"Seems simpler to me","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"21d2b3bee4d70ad5020259048862cc2eadba7e12","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Does not need additional API objects or fields."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Alternative 3:"},{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. 
We configure an IP range"},{"line_number":121,"context_line":"for remote clients that does not overlap with the addresses given out by "},{"line_number":122,"context_line":"Neutron\u0027s DHCP service. We enable the DHCP service of the OpenVPN server and "}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_514e3c38","line":119,"in_reply_to":"3fa7e38b_e734d1fd","updated":"2019-09-27 09:14:16.000000000","message":"Abandoning this option in favor of Alternative 1.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"dd348809dec84b14717de160269dde4b75ee109b","unresolved":false,"context_lines":[{"line_number":117,"context_line":"Does not need additional API objects or fields."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Alternative 3:"},{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. We configure an IP range"},{"line_number":121,"context_line":"for remote clients that does not overlap with the addresses given out by "},{"line_number":122,"context_line":"Neutron\u0027s DHCP service. 
We enable the DHCP service of the OpenVPN server and "},{"line_number":123,"context_line":"have it allocate addresses from this new range."},{"line_number":124,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_8805e2c4","line":121,"range":{"start_line":120,"start_character":62,"end_line":121,"end_character":18},"updated":"2019-09-20 15:10:22.000000000","message":"a user likely needs to tweak SG rules to accept this range, right?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":6854,"name":"YAMAMOTO Takashi","email":"yamamoto@midokura.com","username":"yamamoto"},"change_message_id":"983bee8e3be2a8a92736619e54c881858b81d378","unresolved":false,"context_lines":[{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. We configure an IP range"},{"line_number":121,"context_line":"for remote clients that does not overlap with the addresses given out by "},{"line_number":122,"context_line":"Neutron\u0027s DHCP service. We enable the DHCP service of the OpenVPN server and "},{"line_number":123,"context_line":"have it allocate addresses from this new range."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"An additional API object/field is required, holding IP address range for"},{"line_number":126,"context_line":"the remote clients."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_cdf9af80","line":123,"updated":"2019-09-20 12:40:11.000000000","message":"is openvpn\u0027s dhcp service smart enough to avoid racing with neutron dhcp in the same l2 domain?","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"},{"author":{"_account_id":17021,"name":"Adriaan Schmidt","email":"adriaan.schmidt@siemens.com","username":"adriaan42"},"change_message_id":"b287bf694f254c7eb0b102d42ae1f7545c001b88","unresolved":false,"context_lines":[{"line_number":120,"context_line":"No Neutron Ports are created for remote clients. 
We configure an IP range"},{"line_number":121,"context_line":"for remote clients that does not overlap with the addresses given out by "},{"line_number":122,"context_line":"Neutron\u0027s DHCP service. We enable the DHCP service of the OpenVPN server and "},{"line_number":123,"context_line":"have it allocate addresses from this new range."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"An additional API object/field is required, holding IP address range for"},{"line_number":126,"context_line":"the remote clients."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_ed1fcb6d","line":123,"in_reply_to":"3fa7e38b_cdf9af80","updated":"2019-09-20 14:01:24.000000000","message":"Good point. My expectation is a structure like this:\n\nVPNClient \u003c--\u003e OpenVPN \u003c--\u003e tapdevice \u003c--\u003e internal network\n\nI expect that openvpn\u0027s dhcp will only serve its clients, and their DHCP requests don\u0027t reach the internal network, and it would ignore DHCP requests from the internal network.\n\nBut I will have to check to confirm this.","commit_id":"4e0c36d77a19907fa5ecf598a9c465161f330571"}],"specs/ussuri/vpnaas-openvpn-driver.rst":[{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"829dd0887eb6dfad051ce5e6aca706a9044b78ba","unresolved":false,"context_lines":[{"line_number":76,"context_line":"  * Listen on the external IP, but make the port configurable. Configuration"},{"line_number":77,"context_line":"    of the port would need to be done by the user. We would need an API"},{"line_number":78,"context_line":"    field to store the port. VPN clients would have to be aware they need"},{"line_number":79,"context_line":"    to connect to a non-standard port."},{"line_number":80,"context_line":"  * Listen on the router\u0027s internal IP. 
This would mean clients need"},{"line_number":81,"context_line":"    to have a route configured to reach the internal network."},{"line_number":82,"context_line":"  * Listen on a different IP in the external network. Can we create a Neutron"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1fa4df85_3fa145f9","line":79,"updated":"2020-03-20 09:59:38.000000000","message":"IMO this option is the best and most \u0027natural\u0027 one. And also even if there is one VPN, I can imagine use case where user wants to use custom port for it :)\nThe only thing which we need to remember is to add some db level unique constraint for router-vpn_port pair.","commit_id":"bd9d11535a1ea36a35637738af0270a395fb79c7"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"829dd0887eb6dfad051ce5e6aca706a9044b78ba","unresolved":false,"context_lines":[{"line_number":137,"context_line":""},{"line_number":138,"context_line":"To identify Ports managed by the OpenVPN driver (also across agent restarts),"},{"line_number":139,"context_line":"information about the VPN client is stored in the Port object."},{"line_number":140,"context_line":"(Q: is the `binding:profile` field a good place for this?)"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"References"},{"line_number":143,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1fa4df85_bfc3f588","line":140,"updated":"2020-03-20 09:59:38.000000000","message":"IMHO it would be good place","commit_id":"bd9d11535a1ea36a35637738af0270a395fb79c7"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"829dd0887eb6dfad051ce5e6aca706a9044b78ba","unresolved":false,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"https://bugs.launchpad.net/neutron/+bug/1799656 (agent/linux/bridge_lib: 
Not"},{"line_number":149,"context_line":"all methods of BridgeDevice respect namespaces): This affects the"},{"line_number":150,"context_line":"implementation, as it creates a Linux bridge inside the router namespace."},{"line_number":151,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"1fa4df85_1f06c9cf","line":150,"updated":"2020-03-20 09:59:38.000000000","message":"So we will need to change implementation of those methods in bridge_lib when needed :)","commit_id":"bd9d11535a1ea36a35637738af0270a395fb79c7"}]}
