Traffic from inside the cluster to the connected VPN client #3
I think I have the same use case and I'm working on an openvpn server based on kylemanna/docker-openvpn for kubernetes specifically, with some NAT rules to route back to openvpn clients. I POC'ed it today and it seems to work for me. I'll keep you posted.
Sounds great. I got it working for e.g. a vagrant environment, where I have an external router/bridge under my control. But in a setting like DigitalOcean, where the router connecting the private network is not under my control, I was not able to get NAT right. I then stopped trying and simply installed OpenVPN outside of kubernetes on all nodes and connected them. On one node I extended the kube-proxy iptables rules such that I can access the kubernetes services. At first I was kind of disappointed not to have OpenVPN in the kubernetes cluster. But the more I think about it, the better I like that my development VPN doesn't affect the production cluster configuration.
Yes, this repo has a limited use case, in that it just routes traffic destined for kubernetes services, which is how people usually use it. If you manage to integrate other use cases and not complicate this container too much, that would also be nice :)
I forked this yesterday, but I'm grateful for your work on this, as you made it clear it was easy to host this from native kubernetes primitives. My fork enables the use case in this issue. Feel free (of course) to merge anything back. My fork is at https://github.com/pieterlange/kube-openvpn
Hi pieterlange: Can this be used to allow containers in a pod to access an external on-premise server outside the K8s cluster, let's say a database? I have a need for this. Pls advise.
I've used this to run database migrations from on prem to cloud and to expose internal (legacy) services to services in the cluster. So yes, that's possible. 👍
@pieterlange: Following up on what you just said, I want to just let containers/services from pods in namespace N, say, communicate to an outside VPN server. Is this possible? I don't want any pods/services that are not authorized to make VPN connections to outside.
@pieterlange: As @bklau asked, is it possible to use your container just as a client and not as a server? I have the same use case as @pieterlange: I want to route traffic from my pod to an external VPN.
kube-openvpn functions as a VPN server, but can expose ports from clients in the cluster through NAT. Access restriction needs to be done through kubernetes NetworkPolicies. I guess it'd be a small change to allow kube-openvpn to be used as VPN client as well, but it's not on my roadmap.
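
The NetworkPolicy restriction mentioned in the comment above could look like the following. This is an added example, not part of the thread or of kube-openvpn; the namespace `vpn`, the labels `app: openvpn` and `vpn-access: "true"`, and the ports 1194 and 5432 are assumptions.

```yaml
# Added example: every name, label and port here is an assumption,
# not taken from kube-openvpn. Adjust to the actual deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openvpn-restrict-forwarded-ports   # hypothetical policy name
  namespace: vpn                           # assumed namespace of the OpenVPN pod
spec:
  # Select the OpenVPN server pod. Once a pod is selected by an Ingress
  # policy, all ingress not explicitly allowed below is dropped.
  podSelector:
    matchLabels:
      app: openvpn                         # assumed pod label
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: the VPN listener itself. No "from" clause, so VPN clients
    # outside the cluster can still establish their tunnel.
    - ports:
        - protocol: TCP
          port: 1194                       # assumed OpenVPN listener port
    # Rule 2: a port forwarded through NAT to a connected VPN client.
    # Only pods in namespaces carrying the label below may reach it;
    # every other namespace is denied.
    - from:
        - namespaceSelector:
            matchLabels:
              vpn-access: "true"           # assumed label on the authorized namespace
      ports:
        - protocol: TCP
          port: 5432                       # assumed forwarded port (e.g. an on-prem database)
```

NetworkPolicies are only enforced when the cluster's network plugin implements them; flannel on its own does not, so a flannel-only cluster needs a policy-capable plugin before this rule has any effect.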
Hey,
really cool project! I got it working, and I'm able to communicate with my VPN client from outside the kubernetes cluster to pods inside. So far so good.
Unfortunately, the software I try to use wants to connect back to the client's P2P IP address of the tun0 device. This is not possible. I can just connect back from the openvpn pod which the client is directly connected to. I use the flannel overlay network.
Regards.
Joachim