OpenVPN server on Kubernetes cluster / DNS and Service resolution
Solution 1
finally my config looks like this:
docker run -v /etc/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig \
-u udp://192.168.10.152:1194 \
-n 10.3.0.10 \
-n 192.168.10.1 \
-n 8.8.8.8 \
-n 75.75.75.75 \
-n 75.75.75.76 \
-s 10.8.0.0/24 \
-N \
-p "route 10.2.0.0 255.255.0.0" \
-p "route 10.3.0.0 255.255.0.0" \
-p "dhcp-option DOMAIN-SEARCH cluster.local" \
-p "dhcp-option DOMAIN-SEARCH svc.cluster.local" \
-p "dhcp-option DOMAIN-SEARCH default.svc.cluster.local"
-u
for the VPN server address and port
-n
for all the DNS servers to use
-s
to define the VPN subnet (as it defaults to 10.2.0.0 which is used by Kubernetes already)
-d
to disable NAT
-p
to push options to the client
-N
to enable NAT: it seems critical for this setup on Kubernetes
the last part, pushing the search domains to the client, was the key to getting nslookup
etc.. to work.
note that curl didn't work at first, but seems to start working after a few seconds. So it does work but it takes a bit of time for curl to be able to resolve.
Solution 2
Ran into the same issue a year ago and decided to make something specific for kubernetes: https://github.com/pieterlange/kube-openvpn
(based on kylemanna's openvpn docker image)
Related videos on Youtube
MrE
Updated on September 18, 2022Comments
-
MrE over 1 year
I have a Kubernetes cluster running applications (currently on a set of Vagrant CoreOS VMs on a local server)
I want to be able to debug a particular application locally on my laptop, so I worked on setting up VPN into the cluster: a client/server VPN based on
kylemanna/docker-openvpn
, deployed as a regular PodI created the cert/key pairs, client certs etc... I can connect to the VPN fine.
Now, connecting to the VPN server doesn't get me much if I can't access the Services. I have the DNS addon running skyDNS in the cluster. I can
nslookup
my services from other pods in the cluster, so all that works fine, but I can't resolve Services by name on the VPN client. I can ping Pods by IP from the VPN client (in the subnet10.2.0.0/16
) but I can't resolve with DNSa
nslookup
from the client returns:nslookup myservice 10.3.0.10 Server: 10.3.0.10 Address: 10.3.0.10#53 ** server can't find myservice: SERVFAIL
One of the problems of troubleshooting is that neither
ping
nortraceroute
work on the DNS IP (from any pod), yet it resolves services, sonslookup
is the way I know to check, but that is not very informative.The VPN host IP the Pod binds to is
192.168.10.152
The Kubernetes subnet is10.2.0.0/16
The SkyDNS server is at10.3.0.10
The VPN server subnet is
10.8.0.0/24
On the VPN server ifconfig gives:eth0 Link encap:Ethernet HWaddr 02:42:0A:02:16:45 inet addr:10.2.22.69 Bcast:0.0.0.0 Mask:255.255.255.0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
So
10.2.22.69
is the Pod IP and the VPN Server IP is10.8.0.1
with the Gateway being10.8.0.2
i guess.On the VPN server pod the routign table looks like:
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 10.2.22.1 0.0.0.0 UG 0 0 0 eth0 10.2.22.0 * 255.255.255.0 U 0 0 0 eth0 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0 192.168.254.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
I can reach my applications by IP (and get data) but couldn't when using the service IP (the proxy IP which is on the 10.3.0.0 subnet)
I added the route
route add -net 10.3.0.0/16 gw 10.8.0.2
to the VPN Server and I can then use the Service IP to get data but thenslookup
just times out then.I guess the traffic may not be coming back from the DNS. DNS is itself a proxied service in Kubernetes, so that adds a level of complexity. Not sure how to fix this.
-
phk about 7 yearsCould you please add some additional information about it here, e.g. in case the link stops working.