OpenVPN accesses the K8S cluster: it can access the pods of the host where the server is located, but cannot access the pods of other hosts in the cluster

8/27/2021

I deployed the OpenVPN server in the K8S cluster and deployed the OpenVPN client on a host outside the cluster. However, when I access through the client, I can only reach the pods on the host where the OpenVPN server is located, and cannot reach the pods on other hosts in the cluster. The network used by the cluster is Calico. I also added the following iptables rules to the OpenVPN server host in the cluster:

When I captured packets on tun0 on the server, I found that no reply packets came back.

-- yong.zhang
kubernetes
openvpn

2 Answers

8/27/2021

Not sure how you set up iptables inside the server pod, as iptables/netfilter was not accessible on most kube clusters I have seen.

If you want to have full access to cluster networking over that OpenVPN server, you probably want to use hostNetwork: true on your VPN server. The problem is that you still need a proper MASQ/SNAT rule to get the response across to your client.

You should investigate the traffic going out of the server pod to see if it has a properly rewritten source address; otherwise the nodes in the cluster will have no knowledge of how to route the response.

You probably have a common gateway for your nodes. Depending on your kube implementation, you might get around this issue by setting the route back to your VPN, but that will likely require some scripting around the VPN server itself to make sure the route is updated each time the server pod is rescheduled.

-- Radek 'Goblin' Pieczonka
Source: StackOverflow

8/30/2021

When the server is deployed with hostNetwork, a FORWARD rule was missing in iptables.

-- yong.zhang
Source: StackOverflow
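The two answers above point at the same pair of netfilter requirements for an OpenVPN server running with hostNetwork: true: a POSTROUTING MASQUERADE (SNAT) rule so that pods on other nodes see the node's address rather than the VPN client's, and a FORWARD rule so that traffic from tun0 is allowed through at all. The script below is an added example, not code from either poster or from the OpenVPN or Calico projects. It audits an `iptables-save` dump for both rules and prints the commands that would add whatever is absent; the VPN subnet, pod CIDR and node interface are assumed placeholder values, and the dump is a constructed sample that reproduces the second answer's situation (MASQUERADE present, FORWARD missing).

```shell
#!/bin/sh
# Added example: check an iptables-save dump for the two rules an OpenVPN
# server on hostNetwork needs so that pods on other nodes can answer clients.
# VPN_NET, POD_NET and OUT_IF are assumed placeholder values; adjust them.
VPN_NET="10.8.0.0/24"      # assumed OpenVPN client subnet
POD_NET="192.168.0.0/16"   # assumed Calico pod CIDR
OUT_IF="eth0"              # assumed node interface facing the cluster

# Constructed sample of `iptables-save` output from a node that has the
# MASQUERADE rule but whose FORWARD chain drops everything (no accept rule).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# has_masq DUMP: succeeds if a POSTROUTING MASQUERADE rule for VPN_NET exists.
has_masq() {
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING -s $VPN_NET .*-j MASQUERADE"
}

# has_forward DUMP: succeeds if FORWARD accepts traffic arriving on tun0,
# or if the chain's default policy is already ACCEPT.
has_forward() {
    printf '%s\n' "$1" | grep -q -E -- '^-A FORWARD -i tun0 .*-j ACCEPT|^:FORWARD ACCEPT'
}

# missing_rules DUMP: prints the iptables commands that would add what is absent.
# Nothing is executed here; the output is for review before applying on the node.
missing_rules() {
    dump="$1"
    has_masq "$dump" || printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j MASQUERADE\n' "$VPN_NET" "$POD_NET" "$OUT_IF"
    if ! has_forward "$dump"; then
        printf 'iptables -A FORWARD -i tun0 -o %s -s %s -d %s -j ACCEPT\n' "$OUT_IF" "$VPN_NET" "$POD_NET"
        printf 'iptables -A FORWARD -i %s -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$OUT_IF"
    fi
}

# missing_count DUMP: number of rule categories (0, 1 or 2) that are absent.
missing_count() {
    n=0
    has_masq "$1" || n=$((n + 1))
    has_forward "$1" || n=$((n + 1))
    echo "$n"
}

# On a real node replace SAMPLE_DUMP with "$(iptables-save)".
missing_rules "$SAMPLE_DUMP"
```

Run it on the node as root with `missing_rules "$(iptables-save)"` in place of the sample; if it prints nothing, both rules are present and the next thing to check is what `tcpdump -ni tun0` and `tcpdump -ni eth0` show for the source address of packets leaving the node, which is the check the first answer recommends. The FORWARD check also accepts a chain policy of ACCEPT, since on such a node no explicit rule is needed.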