Recently had to deal with an OpenStack SPICE connectivity issue. Had to figure out how to connect to the virtual machine consoles when the controller node API network is behind a firewall. The controller node API network is only accessible via a jump host.

[Image: spice connection]

Gaining access to the Horizon Dashboard

In this example, the Horizon dashboard is hosted on the Controller node at

Set up an SSH tunnel. Specify an unused TCP port on your local machine, then provide the local port, remote IP address and remote port number of the Horizon dashboard portal.

ssh -L 9999: -p 16333


After logging in, open https://localhost:9999 in your browser.

[Image: horizon dashboard]

Gain access to the VM Console through an SSH tunnel.

The following configuration on the compute nodes provides access to the VM Console through the firewall.

/etc/nova/nova.conf (compute node)

[spice]
agent_enabled = True
enabled = True
keymap = en-us
# Console URL and binds
html5proxy_base_url = http://localhost:6082/spice_auto.html
server_listen =
server_proxyclient_address =

[vnc]
# VNC console disabled; SPICE is used instead
enabled = False

# * is the compute node host IP

Update the SSH port forwarding command used to gain access to the Horizon dashboard. The added -L option creates a second SSH tunnel for VM console traffic.

ssh -L 9999: -L 6082: -p 16333

On the Horizon dashboard, the user is presented with a console connection link that looks something like this:

https://localhost:6082/spice_auto.html?token=_(token string)_

[Image: spice console screen]

Solution Summary

  • html5proxy_base_url determines the base URL presented to the user on the Horizon dashboard. In this case it starts with http://localhost:6082

  • The localhost:6082 address maps to an SSH tunnel endpoint. On the other side of the SSH tunnel it connects to

  • At the controller, there is a spice server proxy running on

  • When the spice proxy server receives a connection request, it identifies the target based on the token in the URL, for example a Virtual Machine Spice console on the compute node.
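
The pieces in the summary above only work when they line up, so here is a small check of that, added as an example and not part of the original post: it parses the [spice] and [vnc] sections of nova.conf plus the ssh -L specs, confirms the console base URL points at a local tunnel end that is actually forwarded, and flags any forward bound to a non-loopback address (which would expose the console proxy beyond your machine). The addresses and the Horizon port 443 are constructed placeholders, and the function names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample input: 192.0.2.10 is a documentation address (RFC 5737)
# and 443 an assumed Horizon port; neither comes from the original post.
SAMPLE_NOVA_CONF = """
[spice]
enabled = True
html5proxy_base_url = http://localhost:6082/spice_auto.html
[vnc]
enabled = False
"""
SAMPLE_FORWARDS = ["9999:192.0.2.10:443", "6082:192.0.2.10:6082"]

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_forward(spec):
    """Split an ssh -L spec '[bind:]port:host:hostport' (no IPv6 literals)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "localhost")  # ssh binds -L to loopback by default
    if len(parts) != 4:
        raise ValueError(f"unsupported -L spec: {spec!r}")
    bind, port, host, hostport = parts
    return bind, int(port), host, int(hostport)


def check_console_tunnel(nova_conf_text, forwards):
    """Return a list of findings; an empty list means the pieces line up."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(nova_conf_text)
    findings = []
    if not cfg.getboolean("spice", "enabled", fallback=False):
        findings.append("[spice] enabled is not True")
    if cfg.getboolean("vnc", "enabled", fallback=True):
        findings.append("[vnc] enabled is not False")
    url = urlsplit(cfg.get("spice", "html5proxy_base_url", fallback=""))
    if url.hostname not in LOOPBACK:
        findings.append(f"base URL host {url.hostname!r} is not the local tunnel end")
    parsed = [parse_forward(f) for f in forwards]
    if not any(p[1] == url.port for p in parsed):
        findings.append(f"no -L forward listens on base URL port {url.port}")
    for bind, port, _, _ in parsed:
        if bind not in LOOPBACK:
            findings.append(f"forward on port {port} binds {bind!r}, not loopback")
    return findings
```
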

The reference docs are not super clear on this topic, especially if you are not a proxy or firewall expert. Through trial and error, it became clear how the VM console proxy works.


Official OpenStack Remote Access Console Guide