Kubernetes Pod 中的 OpenVPN 客户端
[英]OpenVPN Client in Kubernetes Pod
问题描述
I am looking at how to make OpenVPN client work on a pod's container, I explain what I do, but you can skip all my explanation and offer your solution directly, I don't care replacing all the below with your steps if it works, I want to make my container to use a VPN (ExpressVPN for example) in a way that both external and internal networking works.
我正在研究如何使 OpenVPN 客户端在 pod 的容器上工作,我解释了我的工作,但您可以跳过我的所有解释并直接提供您的解决方案,如果可行,我不在乎用您的步骤替换以下所有内容,我想让我的容器以外部和内部网络都可以工作的方式使用 VPN(例如 ExpressVPN)。
I have a docker image that is an OpenVPN Client, it works find with the command:我有一个 docker 映像,它是一个 OpenVPN 客户端,它可以使用以下命令查找:
docker run --rm -it --cap-add=NET_ADMIN --device=/dev/net/tun my-app /bin/bash
The docker image had an entry point bash script: docker 映像有一个入口点 bash 脚本:
curl https://vpnvendor/configurations.zip -o /app/configurations.zip
mkdir -p /app/open_vpn/ip_vanish/config
unzip /app/configurations.zip -d /app/open_vpn/config
printf "username\npassword\n" > /app/open_vpn/vpn-auth.conf
cd /app/open_vpn/config
openvpn --config ./config.ovpn --auth-user-pass /app/open_vpn/vpn-auth.conf
It works fine, but when I deploy it as a container in a K8S Pod, it breaks, It is understandable, K8S clusters need internal network communication between the nodes, so the VPN breaks it... how do I make it work?它工作正常,但是当我将它作为容器部署在 K8S Pod 中时,它会中断,这是可以理解的,K8S 集群需要节点之间的内部网络通信,所以 VPN 会中断它......我该如何让它工作? the Google search was frustrating, none of the solutions worked and there were just a few, there is one with similar issue: OpenVPN-Client Pod on K8s - Local network unreachable But did not understand it very well, please help.谷歌搜索令人沮丧,没有一个解决方案有效,只有几个,有一个有类似问题: OpenVPN-Client Pod on K8s - Local network unreachable但不太了解,请帮忙。
Since IPVanish is well known, let's take their ovpn example, I use other vendor but had access to an IPVanish account and it does not work either:由于 IPVanish 众所周知,让我们以他们的 ovpn 为例,我使用其他供应商但可以访问 IPVanish 帐户,但它也不起作用:
client
dev tun
proto udp
remote lon-a52.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name lon-a52.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
I accept responses in Golang or YAML it does not matter, although I use go-client, my code for pod creation is:我接受 Golang 或 YAML 中的响应没关系,虽然我使用 go-client,但我的 pod 创建代码是:
podObj := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "mypod",
Namespace: "default",
},
Spec: v1.PodSpec{
Containers: []v1.Container{
{
Name: "worker1",
Image: "192.168.1.138:5000/myimage",
ImagePullPolicy: v1.PullAlways,
Stdin: true,
TTY: true,
/* Trying to simulate --device=/dev/net/tun I copied the below, but it does not work
// https://garunski.medium.com/openvpn-and-minikube-25511099f8de
VolumeMounts: []v1.VolumeMount{
{
ReadOnly: true,
Name: "dev-tun",
MountPath: "/dev/net/tun",
},
},*/
SecurityContext: &v1.SecurityContext{
// Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
Privileged: boolPtr(true),
Capabilities: &v1.Capabilities{
Add: []v1.Capability{
"NET_ADMIN",
},
},
},
},
},
NodeName: "worker-node01",
},
}
clientset.CoreV1().Pods("default").Create(context.Background(), podObj, metav1.CreateOptions{})
basically I am able to add the NET_ADMIN capability, but I need also to give access to the /dev/net/tun device and that's the problem, but even If I find a way, it would break internal networking.基本上我可以添加NET_ADMIN功能,但我还需要授予对/dev/net/tun设备的访问权限,这就是问题所在,但即使我找到了一种方法,它也会破坏内部网络。
Update 1更新 1
I made external networking work, by adding the following two lines in my docker's entry point:我通过在我的 docker 入口点添加以下两行来使外部网络工作:
# Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
2 个解决方案
解决方案1
1 已采纳 2021-11-24 18:42:15
Here is a minimal example of a pod with OpenVPN client.这是一个带有 OpenVPN 客户端的 pod 的最小示例。 I used kylemanna/openvpn as a server and to generate a basic client config.我使用kylemanna/openvpn作为服务器并生成基本的客户端配置。 I only added two routes to the generated config to make it working.我只向生成的配置添加了两条路由以使其正常工作。 See below:见下文:
apiVersion: v1
kind: Pod
metadata:
name: ovpn
namespace: default
spec:
containers:
- name: ovpn
image: debian:buster
args:
- bash
- -c
# install OpenVPN and curl; use curl in an endless loop to print external IP
- apt update && apt install -y openvpn curl && cd /config && openvpn client & while sleep 5; do echo $(date; curl --silent ifconfig.me/ip); done
volumeMounts:
- mountPath: /dev/net/tun
readOnly: true
name: tun-device
- mountPath: /config
name: config
securityContext:
capabilities:
add: ["NET_ADMIN"]
volumes:
- name: tun-device
hostPath:
path: /dev/net/tun
- name: config
secret:
secretName: ovpn-config
---
apiVersion: v1
kind: Secret
metadata:
name: ovpn-config
namespace: default
stringData:
client: |
# A sample config generated by https://github.com/kylemanna/docker-openvpn server
client
nobind
dev tun
# Remote server params
remote PASTE.SERVER.IP.HERE 1194 udp
# Push all traffic through the VPN
redirect-gateway def1
# except these two k8s subnets
route 10.43.0.0 255.255.0.0 net_gateway
route 10.42.0.0 255.255.0.0 net_gateway
# Below goes irrelevant TLS config
remote-cert-tls server
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
解决方案2
0 2021-11-25 08:21:17
Try Tailscale.试试尾鳞。 https://tailscale.com/ It's much simpler. https://tailscale.com/ 就简单多了。 And they have a cool free-tier他们有一个很酷的免费套餐
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.