Openvpn – Kubernetes custom routes

kubernetesopenvpnroute

I started OpenVPN on my k8s cluster and now clients can directly connect to the ClusterIP services but i need masquerade for it because pods (except OpenVPN pod) do not know route to clients.

Is there possibility to add custom route to Kubernetes pods and direct traffic for specific IP range to OpenVPN service – ClusterIP?

Best Answer

Due to the fact that you have already connected OpenVPN Node to the Kubernetes cluster using ClusterIP services, which are managed by kube-proxy, it is recommended to route network packets via iptables. Now it's time to configure kube-proxy for transferring all requests to internal CNI network via OpenVPN Node:

kube-proxy — kubeconfig=./kube-config/config.yaml — bind-address=xx.xx.xx.xx — cluster-cidr=yy.yy.yy.yy/cc — proxy-mode=iptables — masquerade-all

xx.xx.xx.xx - your OpenVPN node IP address

yy.yy.yy.0/cc - Cluster CIDR

Ensure that OpenVPN Pod is configured to connect the Kubernetes network:

push “route yy.yy.0.0 255.255.0.0”

To create routes from your Node services to the OpenVPN gateway, consider using Site-to-site routing via OpenVPN explained in this Article.

Related Solutions

Openvpn – Running OpenVPN within k8s container

Had the same problem and made this solution:

Try it and let me know if it works for you.

Instructions:

docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 \
-v $PWD:/etc/openvpn:z -ti ptlange/openvpn ovpn_initpki
docker run --user=$(id -u) -e EASYRSA_CRL_DAYS=180 \
-v $PWD:/etc/openvpn:z -ti ptlange/openvpn easyrsa gen-crl

get the service ID

$ ./kube/deploy.sh
Usage: ./kube/deploy.sh <namespace> <OpenVPN URL> <service cidr> <pod cidr>

$ ./kube/deploy.sh default tcp://vpn.my.fqdn:1194 10.3.0.0/24 10.2.0.0/16
secret "openvpn-pki" created
configmap "openvpn-settings" created
configmap "openvpn-ccd" created
deployment "openvpn" created
You have exposed your service on an external port on all nodes in your
cluster.  If you want to expose this service to the external internet, you may
need to set up firewall rules for the service port(s) (tcp:30xxx) to serve traffic.

See http://releases.k8s.io/release-1.3/docs/user-guide/services-firewalls.md for
more details. service "openvpn-ingress" created

Routing traffic through OpenVPN on Kubernetes with Calico

Calico has an annotation where you can specifying the IP address for Pod:

annotations:
        "cni.projectcalico.org/ipAddrs": "[\"192.168.0.1\"]"

You can specify address for your OpenVPN pod in the annotation and then create the static rout for OpenVPN clients.

Best Answer

Related Solutions

Openvpn – Running OpenVPN within k8s container

Routing traffic through OpenVPN on Kubernetes with Calico

Related Topic