K
Q

OpenVPN Client in Kubernetes Pod

11/24/2021

I am looking at how to make OpenVPN client work on a pod's container, I explain what I do, but you can skip all my explanation and offer your solution directly, I don't care replacing all the below with your steps if it works, I want to make my container to use a VPN (ExpressVPN for example) in a way that both external and internal networking works.

I have a docker image that is an OpenVPN Client, it works find with the command:

docker run --rm -it --cap-add=NET_ADMIN --device=/dev/net/tun my-app /bin/bash

The docker image had an entry point bash script:

curl https://vpnvendor/configurations.zip -o /app/configurations.zip
mkdir -p /app/open_vpn/ip_vanish/config
unzip /app/configurations.zip -d /app/open_vpn/config
printf "username\npassword\n" > /app/open_vpn/vpn-auth.conf
cd /app/open_vpn/config
openvpn --config ./config.ovpn --auth-user-pass /app/open_vpn/vpn-auth.conf

It works fine, but when I deploy it as a container in a K8S Pod, it breaks, it is understandable, K8S clusters need internal network communication between the nodes, so the VPN breaks it ... how do I make it work? the Google search was frustrating, none of the solutions worked and there were just a few, there is one with similar issue: https://stackoverflow.com/questions/65494743/openvpn-client-pod-on-k8s-local-network-unreachable/65504666 But did not understand it very well, please help.

Since IPVanish is well known, let's take their ovpn example, I use other vendor but had access to an IPVanish account and it does not work either:

client
dev tun
proto udp
remote lon-a52.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name lon-a52.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

I accept responses in Golang or YAML it does not matter, although I use go-client, my code for pod creation is:

podObj := &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "mypod",
			Namespace: "default",
		},
		Spec: v1.PodSpec{
			Containers: []v1.Container{
				{
					Name:            "worker1",
					Image:           "192.168.1.138:5000/myimage",
					ImagePullPolicy: v1.PullAlways,
					Stdin: true,
					TTY:   true,
					/* Trying to simulate --device=/dev/net/tun I copied the below, but it does not work
// https://garunski.medium.com/openvpn-and-minikube-25511099f8de
					VolumeMounts: []v1.VolumeMount{
						{
							ReadOnly:  true,
							Name:      "dev-tun",
							MountPath: "/dev/net/tun",
						},
					},*/
					SecurityContext: &v1.SecurityContext{
						// Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
						Privileged: boolPtr(true),
						Capabilities: &v1.Capabilities{
							Add: []v1.Capability{
								"NET_ADMIN",
							},
						},
					},
				},
			},
			NodeName: "worker-node01",
		},
	}
clientset.CoreV1().Pods("default").Create(context.Background(), podObj, metav1.CreateOptions{})

I can add the NET_ADMIN capability, but I need also to give access to the /dev/net/tun device and that's the problem, but even If I find a way, it will break internal networking.

Update one

I made external networking work, by adding the following two lines in my docker's entry point:

# Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
-- Melardev
kubernetes
networking
openvpn
vpn

Similar Questions

Kubernetes activeDeadlineSeconds not killing process
Kubernetes difference between activeDeadlineSeconds in Job and Pod
How to keep minkube kube-apiserver from using up a tone of %CPU?
OpenShift :: POD is not inheriting "name label" from the deployment config
loop on output and delete in bash

2 Answers

11/24/2021

Here is a minimal example of a pod with OpenVPN client. I used kylemanna/openvpn as a server and to generate a basic client config. I only added two routes to the generated config to make it working. See below:

apiVersion: v1
kind: Pod
metadata:
  name: ovpn
  namespace: default
spec:
  containers:
    - name: ovpn
      image: debian:buster
      args:
        - bash
        - -c
        # install OpenVPN and curl; use curl in an endless loop to print external IP
        - apt update && apt install -y openvpn curl && cd /config && openvpn client & while sleep 5; do echo $(date; curl --silent ifconfig.me/ip); done
      volumeMounts:
        - mountPath: /dev/net/tun
          readOnly: true
          name: tun-device
        - mountPath: /config
          name: config
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  volumes:
    - name: tun-device
      hostPath:
        path: /dev/net/tun
    - name: config
      secret:
        secretName: ovpn-config
---
apiVersion: v1
kind: Secret
metadata:
  name: ovpn-config
  namespace: default
stringData:
  client: |

    # A sample config generated by https://github.com/kylemanna/docker-openvpn server
    client
    nobind
    dev tun

    # Remote server params
    remote PASTE.SERVER.IP.HERE 1194 udp

    # Push all traffic through the VPN
    redirect-gateway def1
    # except these two k8s subnets
    route 10.43.0.0 255.255.0.0 net_gateway
    route 10.42.0.0 255.255.0.0 net_gateway

    # Below goes irrelevant TLS config
    remote-cert-tls server
    <key>
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    </key>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----
    </tls-auth>
-- anemyte
Source: StackOverflow
11/25/2021

Try Tailscale. https://tailscale.com/ It's much simpler. And they have a cool free-tier

-- Pierre
Source: StackOverflow