
I started OpenVPN on my k8s cluster and now clients can directly connect to the ClusterIP services, but I need masquerade for it because pods (except the OpenVPN pod) do not know the route to clients.

Is there a possibility to add a custom route to Kubernetes pods and direct traffic for a specific IP range to the OpenVPN service (ClusterIP)?

user3069488

1 Answer

Due to the fact that you have already connected the OpenVPN node to the Kubernetes cluster using ClusterIP services, which are managed by kube-proxy, it is recommended to route network packets via iptables. Now it's time to configure kube-proxy to transfer all requests to the internal CNI network via the OpenVPN node:

kube-proxy --kubeconfig=./kube-config/config.yaml --bind-address=xx.xx.xx.xx --cluster-cidr=yy.yy.yy.yy/cc --proxy-mode=iptables --masquerade-all

xx.xx.xx.xx - your OpenVPN node IP address

yy.yy.yy.0/cc - Cluster CIDR

Ensure that the OpenVPN pod is configured to connect to the Kubernetes network:

push "route yy.yy.0.0 255.255.0.0"

To create routes from your node services to the OpenVPN gateway, consider using site-to-site routing via OpenVPN as explained in this article.

Nick_Kh
  • So I should start kube-proxy in the OpenVPN pod bound to the tun device? Why is that masquerade needed, why should I mask all traffic from the cluster to VPN clients? Will they know then who is answering if they are connecting to other IPs (service IPs)? – user3069488 Aug 06 '18 at 19:34
  • If you define a Service of type `ClusterIP` for your Pod, the cluster will assign an internal IP for this Pod, therefore it will be reachable only within the cluster; however, to expose this Pod outside, `kube-proxy` routing network traffic via `iptables` might help. – Nick_Kh Aug 07 '18 at 14:11
  • Sorry, I'm not feeling you are answering my question, or I don't understand something. What will this kube-proxy setting be masquerading, and where should it be started, in the OpenVPN pod on the tun interface? I need to contact VPN clients directly from the cluster by their IPs, and services from VPN clients. – user3069488 Aug 08 '18 at 15:45
  • You have to run `kube-proxy` on the VPN node in order to connect to your Kubernetes cluster services; however, check this [link](https://github.com/pieterlange/kube-openvpn) if you are looking for routing traffic back to VPN clients. – Nick_Kh Aug 13 '18 at 13:16
  • But kube-proxy is working there already (installed with kubeadm) and I can connect to services (via ClusterIP) from clients, but I need two-way communication without masquerading by the OpenVPN pod. That's why I was asking how to add additional custom routing tables which will be seen by all pods in the cluster. Put another way: how to let other pods know they need to route via the OpenVPN pod/service IP to reach the VPN clients' IP range, which is not the same as the pod or cluster service IP range. – user3069488 Aug 13 '18 at 17:08
  • Maybe this [Article](https://blog.zencoffee.org/2014/06/openvpn-routing-server-client/) can be applicable as a concept of a routing-back solution for your cluster pods. – Nick_Kh Aug 17 '18 at 13:32
  • I know how to do that on a standard server. The problem is that pods in the cluster do not know the "outside" IP range for VPN clients. A static route needs to be added for the Kubernetes cluster to let pods "know" they can reach this IP range via the VPN service ClusterIP. – user3069488 Aug 29 '18 at 09:55
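As an added example (not code from the question or the answer above), the following POSIX shell helpers generate the two pieces the thread keeps coming back to: the server-side OpenVPN `push "route ..."` line, which needs network plus dotted netmask rather than CIDR notation, and the return-path MASQUERADE rule on the OpenVPN pod that covers pods having no route to the VPN client range. The subnets used in the comments (10.244.0.0/16 for the cluster, 10.8.0.0/24 for VPN clients) are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: derive OpenVPN and iptables settings from CIDR notation.
# Subnet values are placeholders, not taken from the original page.

# OpenVPN's "route" directive wants "network netmask", so convert a
# prefix length (0-32) into a dotted-quad netmask, one octet at a time.
cidr_to_netmask() {
    prefix=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255                              # fully covered octet
        elif [ "$prefix" -le 0 ]; then
            octet=0                                # host part of the mask
        else
            octet=$(( 256 - (1 << (8 - prefix)) )) # partial octet, e.g. /20 -> 240
        fi
        mask="${mask}${mask:+.}${octet}"
        prefix=$(( prefix - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s' "$mask"
}

# Server-side directive telling VPN clients to send cluster-bound traffic
# through the tunnel (the "push route" line from the answer), built from
# the cluster CIDR as kube-proxy sees it.
openvpn_push_route() {
    network=${1%/*}
    prefix=${1#*/}
    printf 'push "route %s %s"' "$network" "$(cidr_to_netmask "$prefix")"
}

# NAT rule for the OpenVPN pod: traffic from VPN clients into the cluster
# leaves with the pod's own address, so pods that know no route to the
# client range can still reply. Scoped to source and destination ranges
# rather than masquerading everything.
masquerade_rule() {
    vpn_clients=$1
    cluster_cidr=$2
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j MASQUERADE' \
        "$vpn_clients" "$cluster_cidr"
}

# Example usage with placeholder subnets.
openvpn_push_route 10.244.0.0/16; echo
masquerade_rule 10.8.0.0/24 10.244.0.0/16; echo
```

The generated rule only provides the masquerading path the question describes as already working; it does not by itself give other pods a route to the client range.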