VPNaaS custom script - Provisioning VPN as a Service based on Firezone
This Python script provisions VPN as a Service (VPNaaS) based on Firezone on OpenStack through Waldur. It uses Flatcar Linux and a Butane binary that the user needs to provide inside the Docker container used for running Waldur custom scripts.
An additional requirement is an OpenID Connect provider for end-user authentication in Firezone. Default VPN port: UDP/51820.
System requirements
- Keycloak with admin access for OpenID Connect client creation
- Butane for converting the Flatcar Linux YAML config into JSON
- OpenStack Nova for running the Firezone VM
- OpenStack Designate for generating the VM FQDN. Firezone will use that FQDN for HTTPS certificate generation.
The Firezone VM needs an Internet connection for Let's Encrypt certificate generation and GitHub access for script download.
Setup guide
- Prepare the Waldur custom script runner container so that it has Butane and the required Python packages
- Paste create.py into the creation script and terminate.py into the termination script
- Populate the environment variables
- Add a user input field with internal name "tenant" and type "Select OpenStack tenant", and make it a required field
Environment Variables
The following environment variables need to be provided in the Waldur custom script:
- WALDUR_API_URL: API URL of the Waldur instance that holds the OpenStack tenant
- WALDUR_API_TOKEN: Waldur API token
- KEYCLOAK_URL: Keycloak address for creating OpenID Connect clients
- KEYCLOAK_USERNAME: Keycloak admin username
- KEYCLOAK_PASSWORD: Keycloak admin password
- KEYCLOAK_REALM: Keycloak realm
- CREATOR_EMAIL: Email of the user that created the VPN instance
- IMAGE: OpenStack image
- FLAVOR: OpenStack flavor
- SYSTEM_VOLUME_SIZE: Size of the system volume for the OpenStack VM
- RUN_BUTANE_IN_DOCKER: When set to True, run Butane in a Docker container instead of the plain binary
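The two pieces of the setup guide that are easiest to get wrong are checking the environment variables before anything is created and invoking Butane in the mode RUN_BUTANE_IN_DOCKER selects. The following is an added example written for this README; it is not the project's create.py and does not reproduce it. The Butane Docker image name (quay.io/coreos/butane:release) and the sample Butane config are assumptions; the variable names are the ones listed above. Secrets are validated by presence only and never printed, so a failed run does not leak the API token or the Keycloak admin password into the Waldur job output.

```python
"""Helpers for a Waldur custom script: validate required configuration and
render a Flatcar Butane config to Ignition JSON with Butane, either the
binary or a Docker container. Added example, not part of the project."""
import os
import subprocess

# Variable names from the README. Only presence is checked; values are
# never echoed, so tokens and passwords stay out of logs.
REQUIRED_ENV = (
    "WALDUR_API_URL", "WALDUR_API_TOKEN",
    "KEYCLOAK_URL", "KEYCLOAK_USERNAME", "KEYCLOAK_PASSWORD", "KEYCLOAK_REALM",
    "CREATOR_EMAIL", "IMAGE", "FLAVOR", "SYSTEM_VOLUME_SIZE",
)

# Assumed image for the Docker mode; pin a digest in a real deployment.
BUTANE_IMAGE = "quay.io/coreos/butane:release"


def missing_env(env=None):
    """Return the names of required variables that are unset or empty."""
    env = os.environ if env is None else env
    return [name for name in REQUIRED_ENV if not env.get(name)]


def parse_bool(value):
    """Interpret RUN_BUTANE_IN_DOCKER the way the README phrases it ("True")."""
    return str(value).strip().lower() in {"1", "true", "yes"}


def butane_command(run_in_docker, image=BUTANE_IMAGE):
    """Command that reads Butane YAML on stdin and writes Ignition JSON on stdout.
    --strict turns warnings (unknown or unused keys) into errors, so a typo in
    the config cannot silently drop a directive."""
    flags = ["--pretty", "--strict"]
    if run_in_docker:
        # --rm -i: throwaway container fed from our stdin, no volume mounts.
        return ["docker", "run", "--rm", "-i", image] + flags
    return ["butane"] + flags


def render_ignition(butane_yaml, run_in_docker):
    """Run Butane and return the Ignition JSON. Raises CalledProcessError
    (with Butane's diagnostics in .stderr) if the YAML is invalid."""
    proc = subprocess.run(
        butane_command(run_in_docker),
        input=butane_yaml, text=True, capture_output=True, check=True,
    )
    return proc.stdout


# Constructed minimal Flatcar Butane config used as sample input.
SAMPLE_BUTANE = """\
variant: flatcar
version: 1.0.0
storage:
  files:
    - path: /etc/firezone/README
      mode: 0644
      contents:
        inline: provisioned by the Waldur custom script (sample)
"""


def main():
    missing = missing_env()
    if missing:
        raise SystemExit("missing required environment variables: " + ", ".join(missing))
    in_docker = parse_bool(os.environ.get("RUN_BUTANE_IN_DOCKER", "False"))
    print(render_ignition(SAMPLE_BUTANE, in_docker))


if __name__ == "__main__":
    main()
```

Running the module with the variables from the list above exported (and Butane or Docker available in the runner container) prints the Ignition JSON for the sample config; with a variable missing it exits before touching Waldur, Keycloak or OpenStack and names only the variable, not its value.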