Netris VPN: create vpc gateway with specified IP (#63)

weizhouapache · nvazquez · commit 6504f81d9cbf · 2025-03-24T09:49:38.000-03:00
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vpn/CreateVpnGatewayCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vpn/CreateVpnGatewayCmd.java
@@ -28,6 +28,7 @@
 import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.IPAddressResponse;
 import org.apache.cloudstack.api.response.Site2SiteVpnGatewayResponse;
 import org.apache.cloudstack.api.response.VpcResponse;
 import org.apache.cloudstack.context.CallContext;
@@ -44,9 +45,15 @@ public class CreateVpnGatewayCmd extends BaseAsyncCreateCmd {
                type = CommandType.UUID,
                entityType = VpcResponse.class,
                required = true,
-               description = "public ip address id of the vpn gateway")
+               description = "id of the vpc")
     private Long vpcId;
 
+    @Parameter(name = ApiConstants.IP_ADDRESS_ID,
+            type = CommandType.UUID,
+            entityType = IPAddressResponse.class,
+            description = "the public IP address ID for which VPN gateway is being enabled. By default the source NAT IP or router IP will be used.")
+    private Long ipAddressId;
+
     @Parameter(name = ApiConstants.FOR_DISPLAY, type = CommandType.BOOLEAN, description = "an optional field, whether to the display the vpn to the end user or not", since = "4.4", authorized = {RoleType.Admin})
     private Boolean display;
 
@@ -58,6 +65,10 @@ public Long getVpcId() {
         return vpcId;
     }
 
+    public Long getIpAddressId() {
+        return ipAddressId;
+    }
+
     @Deprecated
     public Boolean getDisplay() {
         return display;
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -3799,6 +3799,9 @@ public IPAddressVO getIpAddressForVpcVr(Vpc vpc, IPAddressVO ipAddress, boolean
             }
             return ipAddressForVR;
         } else if (ipAddress != null) {
+            if (ipAddress.isSourceNat()) {
+                throw new InvalidParameterValueException("Vpn service can not be configured on the Source NAT IP of VPC id=" + ipAddress.getVpcId());
+            }
             return ipAddress;
         }
 
diff --git a/server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
@@ -226,16 +226,16 @@ public RemoteAccessVpn createRemoteAccessVpn(final long publicIpId, String ipRan
             Pair<String, Integer> cidr = null;
 
             if (networkId != null) {
+                Network network = _networkMgr.getNetwork(networkId);
                 long ipAddressOwner = ipAddr.getAccountId();
                 vpnVO = _remoteAccessVpnDao.findByAccountAndNetwork(ipAddressOwner, networkId);
                 if (vpnVO != null) {
                     if (vpnVO.getState() == RemoteAccessVpn.State.Added) {
                         return vpnVO;
                     }
 
-                    throw new InvalidParameterValueException(String.format("A remote access VPN already exists for the account [%s].", ipAddressOwner));
+                    throw new InvalidParameterValueException(String.format("A remote access VPN already exists for the network %s.", network));
                 }
-                Network network = _networkMgr.getNetwork(networkId);
                 if (!_networkMgr.areServicesSupportedInNetwork(network.getId(), Service.Vpn)) {
                     throw new InvalidParameterValueException("Vpn service is not supported in network id=" + ipAddr.getAssociatedWithNetworkId());
                 }
@@ -311,9 +311,6 @@ private void validateIpAddressForVpnServiceOnVpc(Vpc vpc, IPAddressVO ipAddress)
             if (isVpcVRSourceNat && !ipAddress.isSourceNat()) {
                 throw new InvalidParameterValueException("Vpn service can only be configured on the Source NAT IP of VPC id=" + ipAddress.getVpcId());
             }
-            if (!isVpcVRSourceNat && ipAddress.isSourceNat()) {
-                throw new InvalidParameterValueException("Vpn service can not be configured on the Source NAT IP of VPC id=" + ipAddress.getVpcId());
-            }
             if (!isVpcVRSourceNat) {
                 IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVr(vpc, ipAddress, true);
                 if (!vpcManager.configStaticNatForVpcVr(vpc, ipAddressForVpcVR)) {
diff --git a/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -149,7 +149,8 @@ public Site2SiteVpnGateway createVpnGateway(CreateVpnGatewayCmd cmd) {
             throw new InvalidParameterValueException(String.format("The VPN gateway of VPC %s already existed!", vpc));
         }
 
-        IPAddressVO ipAddress = getIpAddressIdForVpn(vpcId, vpc.getVpcOfferingId());
+        IPAddressVO requestedIp = _ipAddressDao.findById(cmd.getIpAddressId());
+        IPAddressVO ipAddress = getIpAddressIdForVpn(vpcId, vpc.getVpcOfferingId(), requestedIp);
         Site2SiteVpnGatewayVO gw = new Site2SiteVpnGatewayVO(owner.getAccountId(), owner.getDomainId(), ipAddress.getId(), vpcId);
 
         if (cmd.getDisplay() != null) {
@@ -160,15 +161,15 @@ public Site2SiteVpnGateway createVpnGateway(CreateVpnGatewayCmd cmd) {
         return gw;
     }
 
-    private IPAddressVO getIpAddressIdForVpn(Long vpcId, Long vpcOferingId) {
+    private IPAddressVO getIpAddressIdForVpn(Long vpcId, Long vpcOferingId, IPAddressVO requestedIp) {
         VpcOfferingServiceMapVO mapForSourceNat = vpcOfferingServiceMapDao.findByServiceProviderAndOfferingId(Network.Service.SourceNat.getName(), Network.Provider.VPCVirtualRouter.getName(), vpcOferingId);
         VpcOfferingServiceMapVO mapForVpn = vpcOfferingServiceMapDao.findByServiceProviderAndOfferingId(Network.Service.Vpn.getName(), Network.Provider.VPCVirtualRouter.getName(), vpcOferingId);
         if (mapForSourceNat == null && mapForVpn != null) {
             // Use Static NAT IP of VPC VR
             logger.debug(String.format("The VPC VR provides %s Service, however it does not provide %s service, trying to configure using IP of VPC VR", Network.Service.Vpn.getName(), Network.Service.SourceNat.getName()));
 
             Vpc vpc = _vpcDao.findById(vpcId);
-            IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVr(vpc, null, true);
+            IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVr(vpc, requestedIp, true);
             if (!vpcManager.configStaticNatForVpcVr(vpc, ipAddressForVpcVR)) {
                 throw new CloudRuntimeException("Failed to enable static nat for VPC VR as part of vpn gateway");
             }
@@ -179,6 +180,9 @@ private IPAddressVO getIpAddressIdForVpn(Long vpcId, Long vpcOferingId) {
             if (ips.size() != 1) {
                 throw new CloudRuntimeException("Cannot found source nat ip of vpc " + vpcId);
             }
+            if (requestedIp != null && requestedIp.getId() != ips.get(0).getId()) {
+                throw new CloudRuntimeException(String.format("Cannot use requested IP %s as it is not the Source NAT IP", requestedIp.getAddress().addr()));
+            }
             return ips.get(0);
         }
     }
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
@@ -3011,6 +3011,7 @@
 "message.delete.vpn.connection": "Please confirm that you want to delete VPN connection.",
 "message.delete.vpn.customer.gateway": "Please confirm that you want to delete this VPN customer gateway.",
 "message.delete.vpn.gateway": "Please confirm that you want to delete this VPN Gateway.",
+"message.delete.vpn.gateway.failed": "Failed to delete VPN Gateway.",
 "message.delete.webhook": "Please confirm that you want to delete this Webhook.",
 "message.delete.webhook.delivery": "Please confirm that you want to delete this Webhook delivery.",
 "message.deleting.firewall.policy": "Deleting Firewall Policy",
@@ -3573,6 +3574,7 @@
 "message.success.delete.tungsten.router.table": "Successfully removed Router Table",
 "message.success.delete.tungsten.tag": "Successfully removed Tag",
 "message.success.delete.vm": "Successfully deleted Instance",
+"message.success.delete.vpn.gateway": "Successfully deleted VPN gateway",
 "message.success.disable.saml.auth": "Successfully disabled SAML authorization",
 "message.success.disable.vpn": "Successfully disabled VPN",
 "message.success.edit.acl": "Successfully edited ACL rule",
diff --git a/ui/src/views/network/VpnDetails.vue b/ui/src/views/network/VpnDetails.vue
@@ -21,7 +21,6 @@
       <p>{{ $t('message.enabled.vpn') }} <strong>{{ remoteAccessVpn.publicip }}</strong></p>
       <p>{{ $t('message.enabled.vpn.ip.sec') }} <strong>{{ remoteAccessVpn.presharedkey }}</strong></p>
       <a-divider/>
-      <a-button><router-link :to="{ path: '/vpnuser'}">{{ $t('label.manage.vpn.user') }}</router-link></a-button>
       <a-button
         style="margin-left: 10px"
         type="primary"
@@ -30,6 +29,7 @@
         :disabled="!('deleteRemoteAccessVpn' in $store.getters.apis)">
         {{ $t('label.disable.vpn') }}
       </a-button>
+      <a-button><router-link :to="{ path: '/vpnuser'}">{{ $t('label.manage.vpn.user') }}</router-link></a-button>
     </div>
 
     <a-modal
@@ -53,7 +53,11 @@
 
   </div>
   <div v-else>
-    <a-button :disabled="!('createRemoteAccessVpn' in $store.getters.apis)" type="primary" @click="enableVpn = true">
+    <a-button
+      :disabled="!('createRemoteAccessVpn' in $store.getters.apis)"
+      type="primary"
+      style="margin-left: 10px"
+      @click="enableVpn = true">
       {{ $t('label.enable.vpn') }}
     </a-button>
 
@@ -77,6 +81,62 @@
     </a-modal>
 
   </div>
+
+  <br>
+  <div v-if="vpnGateway">
+    <div>
+      <a-button
+        :disabled="!('deleteVpnGateway' in $store.getters.apis)"
+        style="margin-left: 10px"
+        danger
+        type="primary"
+        @click="deleteVpnGateway = true">
+        {{ $t('label.delete.vpn.gateway') }}
+      </a-button>
+    </div>
+    <a-modal
+      :visible="deleteVpnGateway"
+      :footer="null"
+      :title="$t('label.enable.vpn')"
+      :maskClosable="false"
+      :closable="true"
+      @cancel="deleteVpnGateway = false">
+      <div v-ctrl-enter="handleDeleteVpnGateway">
+        <p>{{ $t('message.delete.vpn.gateway') }}</p>
+        <div :span="24" class="action-button">
+          <a-button @click="deleteVpnGateway = false">{{ $t('label.cancel') }}</a-button>
+          <a-button :loading="loading" type="primary" @click="handleDeleteVpnGateway" ref="submit">{{ $t('label.ok') }}</a-button>
+        </div>
+      </div>
+    </a-modal>
+  </div>
+  <div v-else-if="vpnGatewayEnabled">
+    <div>
+      <a-button
+        :disabled="!('createVpnGateway' in $store.getters.apis)"
+        style="margin-left: 10px"
+        type="primary"
+        @click="createVpnGateway = true">
+        {{ $t('label.add.vpn.gateway') }}
+      </a-button>
+    </div>
+    <a-modal
+      :visible="createVpnGateway"
+      :footer="null"
+      :title="$t('label.add.vpn.gateway')"
+      :maskClosable="false"
+      :closable="true"
+      @cancel="createVpnGateway = false">
+      <div v-ctrl-enter="handleCreateVpnGateway">
+        <p>{{ $t('message.add.vpn.gateway') }}</p>
+        <div :span="24" class="action-button">
+          <a-button @click="createVpnGateway = false">{{ $t('label.cancel') }}</a-button>
+          <a-button :loading="loading" type="primary" @click="handleCreateVpnGateway" ref="submit">{{ $t('label.ok') }}</a-button>
+        </div>
+      </div>
+    </a-modal>
+  </div>
+
 </template>
 
 <script>
@@ -94,6 +154,10 @@ export default {
       remoteAccessVpn: null,
       enableVpn: false,
       disableVpn: false,
+      vpnGateway: null,
+      vpnGatewayEnabled: false,
+      createVpnGateway: false,
+      deleteVpnGateway: false,
       isSubmitted: false
     }
   },
@@ -124,6 +188,23 @@ export default {
         console.log(error)
         this.$notifyError(error)
       })
+      if (this.resource.vpcid) {
+        this.vpnGatewayEnabled = true
+        api('listVpnGateways', {
+          vpcid: this.resource.vpcid,
+          listAll: true
+        }).then(response => {
+          const vpnGateways = response.listvpngatewaysresponse.vpngateway || []
+          for (const vpnGateway of vpnGateways) {
+            if (vpnGateway.publicip === this.resource.ipaddress) {
+              this.vpnGateway = vpnGateway
+            }
+          }
+        }).catch(error => {
+          console.log(error)
+          this.$notifyError(error)
+        })
+      }
     },
     handleCreateVpn () {
       if (this.isSubmitted) return
@@ -211,6 +292,85 @@ export default {
         this.parentToggleLoading()
         this.isSubmitted = false
       })
+    },
+    handleCreateVpnGateway () {
+      if (this.isSubmitted) return
+      this.isSubmitted = true
+      this.parentToggleLoading()
+      this.createVpnGateway = false
+      const params = {
+        vpcid: this.resource.vpcid,
+        ipaddressid: this.resource.id
+      }
+      api('createVpnGateway', params).then(response => {
+        this.$pollJob({
+          jobId: response.createvpngatewayresponse.jobid,
+          successMessage: this.$t('message.success.add.vpn.gateway'),
+          successMethod: result => {
+            this.fetchData()
+            this.parentToggleLoading()
+            this.isSubmitted = false
+          },
+          errorMessage: this.$t('message.add.vpn.gateway.failed'),
+          errorMethod: () => {
+            this.fetchData()
+            this.parentToggleLoading()
+            this.isSubmitted = false
+          },
+          loadingMessage: this.$t('message.add.vpn.gateway.processing'),
+          catchMessage: this.$t('error.fetching.async.job.result'),
+          catchMethod: () => {
+            this.fetchData()
+            this.parentFetchData()
+            this.parentToggleLoading()
+            this.isSubmitted = false
+          }
+        })
+      }).catch(error => {
+        this.$notifyError(error)
+        this.fetchData()
+        this.parentFetchData()
+        this.parentToggleLoading()
+        this.isSubmitted = false
+      })
+    },
+    handleDeleteVpnGateway () {
+      if (this.isSubmitted) return
+      this.isSubmitted = true
+      this.parentToggleLoading()
+      this.deleteVpnGateway = false
+      api('deleteVpnGateway', {
+        id: this.vpnGateway.id
+      }).then(response => {
+        this.$pollJob({
+          jobId: response.deletevpngatewayresponse.jobid,
+          successMessage: this.$t('message.success.delete.vpn.gateway'),
+          successMethod: () => {
+            this.fetchData()
+            this.parentToggleLoading()
+            this.isSubmitted = false
+          },
+          errorMessage: this.$t('message.delete.vpn.gateway.failed'),
+          errorMethod: () => {
+            this.fetchData()
+            this.parentToggleLoading()
+            this.isSubmitted = false
+          },
+          catchMessage: this.$t('error.fetching.async.job.result'),
+          catchMethod: () => {
+            this.fetchData()
+            this.parentFetchData()
+            this.parentToggleLoading()
+            this.isSubmitted = false
+          }
+        })
+      }).catch(error => {
+        this.$notifyError(error)
+        this.fetchData()
+        this.parentFetchData()
+        this.parentToggleLoading()
+        this.isSubmitted = false
+      })
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -3799,6 +3799,9 @@ public IPAddressVO getIpAddressForVpcVr(Vpc vpc, IPAddressVO ipAddress, boolean`
`3799`	`3799`	`}`
`3800`	`3800`	`return ipAddressForVR;`
`3801`	`3801`	`} else if (ipAddress != null) {`
	`3802`	`+ if (ipAddress.isSourceNat()) {`
	`3803`	`+ throw new InvalidParameterValueException("Vpn service can not be configured on the Source NAT IP of VPC id=" + ipAddress.getVpcId());`
	`3804`	`+ }`
`3802`	`3805`	`return ipAddress;`
`3803`	`3806`	`}`
`3804`	`3807`
Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,8 @@ public Site2SiteVpnGateway createVpnGateway(CreateVpnGatewayCmd cmd) {`
`149`	`149`	`throw new InvalidParameterValueException(String.format("The VPN gateway of VPC %s already existed!", vpc));`
`150`	`150`	`}`
`151`	`151`
`152`		`- IPAddressVO ipAddress = getIpAddressIdForVpn(vpcId, vpc.getVpcOfferingId());`
	`152`	`+ IPAddressVO requestedIp = _ipAddressDao.findById(cmd.getIpAddressId());`
	`153`	`+ IPAddressVO ipAddress = getIpAddressIdForVpn(vpcId, vpc.getVpcOfferingId(), requestedIp);`
`153`	`154`	`Site2SiteVpnGatewayVO gw = new Site2SiteVpnGatewayVO(owner.getAccountId(), owner.getDomainId(), ipAddress.getId(), vpcId);`
`154`	`155`
`155`	`156`	`if (cmd.getDisplay() != null) {`
`@@ -160,15 +161,15 @@ public Site2SiteVpnGateway createVpnGateway(CreateVpnGatewayCmd cmd) {`
`160`	`161`	`return gw;`
`161`	`162`	`}`
`162`	`163`
`163`		`- private IPAddressVO getIpAddressIdForVpn(Long vpcId, Long vpcOferingId) {`
	`164`	`+ private IPAddressVO getIpAddressIdForVpn(Long vpcId, Long vpcOferingId, IPAddressVO requestedIp) {`
`164`	`165`	`VpcOfferingServiceMapVO mapForSourceNat = vpcOfferingServiceMapDao.findByServiceProviderAndOfferingId(Network.Service.SourceNat.getName(), Network.Provider.VPCVirtualRouter.getName(), vpcOferingId);`
`165`	`166`	`VpcOfferingServiceMapVO mapForVpn = vpcOfferingServiceMapDao.findByServiceProviderAndOfferingId(Network.Service.Vpn.getName(), Network.Provider.VPCVirtualRouter.getName(), vpcOferingId);`
`166`	`167`	`if (mapForSourceNat == null && mapForVpn != null) {`
`167`	`168`	`// Use Static NAT IP of VPC VR`
`168`	`169`	`logger.debug(String.format("The VPC VR provides %s Service, however it does not provide %s service, trying to configure using IP of VPC VR", Network.Service.Vpn.getName(), Network.Service.SourceNat.getName()));`
`169`	`170`
`170`	`171`	`Vpc vpc = _vpcDao.findById(vpcId);`
`171`		`- IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVr(vpc, null, true);`
	`172`	`+ IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVr(vpc, requestedIp, true);`
`172`	`173`	`if (!vpcManager.configStaticNatForVpcVr(vpc, ipAddressForVpcVR)) {`
`173`	`174`	`throw new CloudRuntimeException("Failed to enable static nat for VPC VR as part of vpn gateway");`
`174`	`175`	`}`
`@@ -179,6 +180,9 @@ private IPAddressVO getIpAddressIdForVpn(Long vpcId, Long vpcOferingId) {`
`179`	`180`	`if (ips.size() != 1) {`
`180`	`181`	`throw new CloudRuntimeException("Cannot found source nat ip of vpc " + vpcId);`
`181`	`182`	`}`
	`183`	`+ if (requestedIp != null && requestedIp.getId() != ips.get(0).getId()) {`
	`184`	`+ throw new CloudRuntimeException(String.format("Cannot use requested IP %s as it is not the Source NAT IP", requestedIp.getAddress().addr()));`
	`185`	`+ }`
`182`	`186`	`return ips.get(0);`
`183`	`187`	`}`
`184`	`188`	`}`