
Our scenario: We've got an OpenVPN server installed on a GKE pod with VPN clients that want to connect to our VPN. We need to expose to clients a service on another pod in our GKE cluster (an MQTT adapter specifically). Address 10.86.12.209 is a private IP on our GCP VPC, pointing to the MQTT adapter pod (please have a look at the image below).

Network scenario

A snippet of our server conf is:

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.86.12.0 255.255.255.0"
push "route 240.5.0.0 255.255.0.0"
push "route 240.6.0.0 255.255.0.0"
topology subnet

sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"

A route print of a Windows client connecting to our OpenVPN server is

 Network address        Mask            Gateway         Interface    Metric
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.29     35
         10.8.0.0    255.255.255.0         On-link          10.8.0.8    281
         10.8.0.8  255.255.255.255         On-link          10.8.0.8    281
       10.8.0.255  255.255.255.255         On-link          10.8.0.8    281
       10.86.12.0    255.255.255.0         10.8.0.1         10.8.0.8    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.25.192.0    255.255.240.0         On-link      172.25.192.1    271
     172.25.192.1  255.255.255.255         On-link      172.25.192.1    271
   172.25.207.255  255.255.255.255         On-link      172.25.192.1    271
    192.168.178.0    255.255.255.0         On-link    192.168.178.29    291
   192.168.178.29  255.255.255.255         On-link    192.168.178.29    291
  192.168.178.255  255.255.255.255         On-link    192.168.178.29    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.8    281
        224.0.0.0        240.0.0.0         On-link    192.168.178.29    291
        224.0.0.0        240.0.0.0         On-link      172.25.192.1    271
        240.5.0.0      255.255.0.0         10.8.0.1         10.8.0.8    281
        240.6.0.0      255.255.0.0         10.8.0.1         10.8.0.8    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.8    281
  255.255.255.255  255.255.255.255         On-link    192.168.178.29    291
  255.255.255.255  255.255.255.255         On-link      172.25.192.1    271

Our issue: the client connects to the VPN successfully, but it can't reach the MQTT pod. We suspect we lack some config on the K8S side to make the OpenVPN pod reach the MQTT adapter pod.

  • What OS are you running on your clients? If they're running linux, can you show the output of `ip route` after establishing a successful VPN connection? – larsks Sep 16 '22 at 20:33
  • @larsks I've put the information needed in the issue description. Hope this helps – Simone Pulcini Sep 19 '22 at 13:16
  • What's your GKE subnet? You may want to add it to your OpenVPN server configuration, e.g. `push "route 240.0.0.0 255.0.0.0"`. – mforsetti Sep 22 '22 at 06:13
  • @mforsetti updated the post... we have added two more routes to our server conf with no success at all. During our troubleshooting we noticed that we can establish a telnet session between the OpenVPN pod and the MQTT adapter one successfully... but it's suddenly closed after the connection has been established. We will investigate with a tcpdump soon, hoping it could be related to this issue too. – Simone Pulcini Sep 22 '22 at 07:38
  • any updated routing table on your client, since it seems that the routes are not pushed to client? – mforsetti Sep 22 '22 at 09:31
  • @SimonePulcini Were any ports disabled for SSL, and were all the ports opened? Refer to this [document](https://assetwolf.com/learn/how-to-connect-to-using-secure-mqtt) for more information. – Ramesh kollisetty Sep 22 '22 at 13:00
  • @mforsetti updated client routing table. My fault, just forgot to modify it in the post. – Simone Pulcini Sep 22 '22 at 13:34
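The routing question raised in the comments (are the pushed routes actually in effect on the client?) can be answered mechanically. The following Python script is an added example, not code from the question or any answer: it replays rows of the client's `route print` and the `push "route ..."` lines of the server conf, resolves the next hop for the MQTT address the way Windows does (longest prefix, lowest metric), and lists pushed networks that never reached the client. The helper names (`parse_route_print`, `pushed_networks`, `next_hop`, `missing_pushed_routes`) are assumptions; the embedded table is a subset of the one above with the 240.6.0.0/16 row deliberately omitted so the missing-route check has something to flag.

```python
import ipaddress

# Rows copied from the client's `route print` in the question; the pushed
# 240.6.0.0/16 row is deliberately left out so the check below has something to flag.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.178.1   192.168.178.29     35
         10.8.0.0    255.255.255.0         On-link          10.8.0.8    281
       10.86.12.0    255.255.255.0         10.8.0.1         10.8.0.8    281
    192.168.178.0    255.255.255.0         On-link    192.168.178.29    291
        240.5.0.0      255.255.0.0         10.8.0.1         10.8.0.8    281
"""
# The server conf lines from the question that matter for routing.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.86.12.0 255.255.255.0"
push "route 240.5.0.0 255.255.0.0"
push "route 240.6.0.0 255.255.0.0"
"""

def parse_route_print(text):
    """IPv4 rows of `route print` as (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():  # header, blank or IPv6 rows
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), gateway, iface, int(metric)))
    return routes

def pushed_networks(conf):
    """Networks the server hands out with push "route NET MASK"."""
    nets = []
    for line in conf.splitlines():
        parts = line.replace('"', "").split()
        if len(parts) == 4 and parts[:2] == ["push", "route"]:
            nets.append(ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False))
    return nets

def next_hop(routes, dst):
    """Gateway of the longest-prefix match (lowest metric on ties), as Windows picks it."""
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))[1] if hits else None

def missing_pushed_routes(routes, conf):
    """Pushed networks that never appeared in the client's table."""
    present = {r[0] for r in routes}
    return [str(n) for n in pushed_networks(conf) if n not in present]
```

For the table in the question, `next_hop(table, "10.86.12.209")` returns `10.8.0.1`, i.e. the client already sends MQTT traffic into the tunnel, so the remaining suspect is the path from the OpenVPN pod to the MQTT adapter pod inside the cluster, as the poster guessed.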

0 Answers