Yes, the idea is to have the VPN clients in the same L2 domain.
Currently this is done by creating a Linux bridge in the qrouter namespace that connects the qr-* port with the tap device created by the VPN server. This is possibly another point we should discuss in more detail.
Technically, I can bypass Neutron IPAM. I can have the OpenVPN server assign IP addresses from a range that is not part of a Neutron allocation pool, and Neutron will never know about these clients. But it's probably not a good idea to do this.
One difficulty I faced: the VPN server calls a hook script on client connect/disconnect events. This does not run in the agent/driver context, so I'm not sure if I can make RPC calls from there (to allocate IPs, create Ports, ...).