OpenVPN-Client Pod on K8s - Local network unreachable

12/29/2020

I'm currently trying to get an OpenVPN client running inside of a K8s Pod. The goal I'm trying to achieve is to be able to access the internet over the VPN connection while also being able to communicate with other containers in my namespace at the same time. The problem is that I'm unable to interact with the 10.42.0.0 and 10.43.0.0 networks (for pods and services) as soon as the VPN connection is established :(

Can somebody give me a hint on how to interact with the two mentioned networks while connected to the VPN?

My client config (might be very faulty):

client
dev tun
proto udp
remote some.vpnserver.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
# def1: install 0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead of replacing
# the default route; bypass-dns: keep a host route to the pre-VPN DNS server
redirect-gateway def1 bypass-dns
# client-side DNS hints; only honoured if something applies them to resolv.conf
dhcp-option DOMAIN-SEARCH cluster.local
dhcp-option DOMAIN-SEARCH svc.cluster.local
dhcp-option DOMAIN-SEARCH default.svc.cluster.local
dhcp-option DNS 10.43.0.10
# pull-filter ignore: drop these options if the server pushes them
pull-filter ignore block-outside-dns
pull-filter ignore redirect-gateway
pull-filter ignore explicit-exit-notify
pull-filter ignore "dhcp-option DNS"

verify-x509-name some.vpnserver.com name
auth-user-pass
# comp-lzo is deprecated in OpenVPN 2.5; compressing encrypted traffic is discouraged
comp-lzo
keepalive 10 60
verb 3
auth SHA256
# --cipher is deprecated in 2.5 in favour of --data-ciphers
cipher AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

I also added the following to my deployment YAML:

  capabilities:
    add:
      - NET_ADMIN
      - SYS_MODULE
  dnsConfig:
    nameservers:
      - 10.43.0.10 # K8s CoreDNS
    options:
      - name: ndots
        value: "2"
      - name: edns0

• Ping 8.8.8.8 works for me while connected. But inside of the K8s namespace I'm not able to reach anything at all.
• DNS does not work at all as soon as the VPN connection is established. The only way to make DNS work is to set the following in the deployment YAML:

    dnsConfig:
      nameservers:
        - 1.1.1.1

which still does not solve the issue of interacting with the local network or local DNS/Pods etc.

I'm working on

  • OpenVPN 2.5.0
  • K8s 1.19.4
  • CNI: Calico

Thanks in advance, I'm thankful for every hint, I've been working on this for days.

-- user14389292
kubernetes
openvpn

1 Answer

12/30/2020

As @anemyte wrote, remove route 10.42.0.0 255.255.0.0 and route 10.43.0.0 255.255.0.0. Those mean to use the VPN for those subnets; you want the opposite.
By default, local network traffic is not routed with redirect-gateway. Then try bringing the routes back, but this time add net_gateway to the end of each. This makes the route use the default gateway instead of the VPN. This should look like this: route 10.42.0.0 255.255.0.0 net_gateway.

Take a look: openvpnclient-pod, openvpn-kubernetes.

-- Malgorzata
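To make the routing argument in the answer concrete, here is an added example (not code from the question, the answer, or OpenVPN itself) that models what the three directives under discussion install in the pod's routing table and which interface the kernel then picks for cluster vs. internet destinations. It is a small longest-prefix-match model, not a parser for the full OpenVPN config syntax. The interface names and gateways (eth0 / 10.42.0.1 for the CNI side, tun0 / 10.8.0.1 for the tunnel) are hypothetical; in a real pod they come from `ip route` and from what the server pushes. The three config fragments are constructed to reflect the shapes the thread discusses: the config as posted (only `redirect-gateway def1`), the routes without `net_gateway`, and the fixed routes.

```python
"""Model how 'redirect-gateway def1' and 'route ... [net_gateway]' shape a
pod's routing table, and which device wins for a given destination.
Added example; the interfaces and gateways below are assumptions."""
import ipaddress

# Hypothetical values: CNI side and VPN tunnel side of the pod.
ETH_IF, ETH_GW = "eth0", "10.42.0.1"
TUN_IF, TUN_GW = "tun0", "10.8.0.1"


def routes_from_config(config_text):
    """Translate the routing-relevant client directives into
    (network, device, gateway) entries, mirroring what OpenVPN installs:
      - 'redirect-gateway def1' adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel
        (more specific than the CNI default route, so it wins without the
        default route being deleted);
      - 'route NET MASK' adds NET via the tunnel;
      - 'route NET MASK net_gateway' adds NET via the pre-existing default
        gateway, i.e. keeps that subnet off the VPN.
    The CNI default route is always present first."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), ETH_IF, ETH_GW)]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "redirect-gateway" and "def1" in parts[1:]:
            table.append((ipaddress.ip_network("0.0.0.0/1"), TUN_IF, TUN_GW))
            table.append((ipaddress.ip_network("128.0.0.0/1"), TUN_IF, TUN_GW))
        elif parts[0] == "route" and len(parts) >= 3:
            # ipaddress accepts dotted netmasks: "10.42.0.0/255.255.0.0"
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if len(parts) >= 4 and parts[3] == "net_gateway":
                table.append((net, ETH_IF, ETH_GW))
            else:
                table.append((net, TUN_IF, TUN_GW))
    return table


def lookup(table, dst):
    """Longest-prefix match, the same rule the kernel applies. Returns the
    egress device for dst."""
    addr = ipaddress.ip_address(dst)
    best = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1]


def egress_map(config_text, dsts):
    """Map each destination to the device it would leave the pod on."""
    table = routes_from_config(config_text)
    return {d: lookup(table, d) for d in dsts}


# Constructed fragments covering the shapes discussed in the thread.
AS_POSTED = """
redirect-gateway def1 bypass-dns
"""
BROKEN = """
redirect-gateway def1 bypass-dns
route 10.42.0.0 255.255.0.0
route 10.43.0.0 255.255.0.0
"""
FIXED = """
redirect-gateway def1 bypass-dns
route 10.42.0.0 255.255.0.0 net_gateway
route 10.43.0.0 255.255.0.0 net_gateway
"""

# 8.8.8.8 = internet, 10.43.0.10 = CoreDNS service, 10.42.1.7 = a pod IP
TARGETS = ["8.8.8.8", "10.43.0.10", "10.42.1.7"]

if __name__ == "__main__":
    for name, cfg in (("as_posted", AS_POSTED), ("broken", BROKEN), ("fixed", FIXED)):
        print(name, egress_map(cfg, TARGETS))
```

With the config as posted, every destination matches one of the two /1 routes and leaves via tun0, which is exactly the symptom in the question (internet works, cluster IPs and CoreDNS do not). Adding the `route` lines without `net_gateway` does not help, because those /16 routes also point at the tunnel. With `net_gateway`, the /16 entries are more specific than the /1 entries and point back at the CNI gateway, so cluster traffic and DNS to 10.43.0.10 stay inside the cluster while everything else still goes over the VPN. Inside a real pod, `ip route get 10.43.0.10` should then report `dev eth0` rather than `dev tun0`.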
Source: StackOverflow