
I've been using VPN (openvpn in helm) to access internal services in my cluster for development.
I enabled network policy on the nodes in GKE to manage access to services, which enabled Calico networking in my cluster. After this my openvpn connection stopped working: I can connect to it, but can't access the internet or the LAN.


I've used default config: https://github.com/helm/charts/blob/master/stable/openvpn/values.yaml

Here is the iptables-save output:

```
➜  cat iptables-save_output_on_one_of_k8s_node.txt | grep stagingvpn
-A KUBE-FW-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -j KUBE-SVC-W5MFW2XRXQ2S2XVL
-A KUBE-FW-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -j KUBE-MARK-DROP
-A KUBE-NODEPORTS -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn" -m tcp --dport 32093 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn" -m tcp --dport 32093 -j KUBE-SVC-W5MFW2XRXQ2S2XVL
-A KUBE-SEP-APWPTBIASIKM3IVR -s 10.12.3.16/32 -m comment --comment "develop/stagingvpn-openvpn:openvpn" -j KUBE-MARK-MASQ
-A KUBE-SEP-APWPTBIASIKM3IVR -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn" -m tcp -j DNAT --to-destination 10.12.3.16:443
-A KUBE-SERVICES ! -s 10.12.0.0/14 -d 10.15.247.123/32 -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.15.247.123/32 -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn cluster IP" -m tcp --dport 443 -j KUBE-SVC-W5MFW2XRXQ2S2XVL
-A KUBE-SERVICES -d MYPUBLICIP/32 -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -m tcp --dport 443 -j KUBE-FW-W5MFW2XRXQ2S2XVL
-A KUBE-SVC-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn" -j KUBE-SEP-APWPTBIASIKM3IVR
```

How can I fix it?
I'm playing with IP ranges in the configs, but with no success, and I don't know what I should do next to debug my issue.
Any advice is very welcome, many thanks!!


What I tried already:

- changed the nodeport in the config from 32085 to 32093 - no luck
- changed OVPN_NETWORK and OVPN_MASK in the config from to 10.12.3.16/32 - no luck

similar issue: https://github.com/helm/charts/issues/6398

animekun
    Possible duplicate of [Routing traffic through OpenVPN on Kubernetes with Calico](https://serverfault.com/questions/911247/routing-traffic-through-openvpn-on-kubernetes-with-calico) – hachemon Mar 01 '19 at 01:27
  • Any success @animekum?? – blackjid Mar 05 '19 at 22:43
  • @blackjid no :CC calico core developer said that it's because calico blocks ip spoofing in openvpn, but I didn't find any workaround, he said to use node host network if I want to use vpn, but don't know how to vpn into cluster network now :( – animekun Mar 06 '19 at 05:50
  • I just solved a similar problem, but for me, the problem wasn't Calico. The symptoms in my cluster were the same. I had network policies w/calico enabled and I was able to connect to the vpn, but no traffic was routed to the cluster except for the openvpn pod's own ip address. – blackjid Mar 06 '19 at 19:48
  • Did you try setting up `net.ipv4.ip_forward=1` in the openvpn container? – blackjid Mar 06 '19 at 19:50
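The iptables-save dump quoted in the question is the kube-proxy view of the Service, and the first thing to establish when debugging is where each entry point (cluster IP, node port, load-balancer IP) actually lands. The following script is an added example, not code from the question, the openvpn chart or the comments: it parses those exact rule lines, follows the KUBE-SERVICES / KUBE-NODEPORTS → KUBE-FW → KUBE-SVC → KUBE-SEP chain graph to the DNAT rule, and then sanity-checks an OpenVPN client subnet against the pod CIDR. It assumes the `! -s 10.12.0.0/14` masquerade rule in the dump reflects kube-proxy's configured cluster CIDR (it does in a stock kube-proxy setup), keeps the poster's `MYPUBLICIP` placeholder as-is, and treats "the VPN subnet must hold more than one address and must not overlap the pod CIDR" as a working assumption for the check, not as the confirmed root cause.

```python
"""Trace kube-proxy iptables rules for a Service and sanity-check a VPN subnet.
Added diagnostic example; SAMPLE is the rule set quoted in the question."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed input: the rules from the question (MYPUBLICIP is the poster's placeholder).
SAMPLE = """\
-A KUBE-FW-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -j KUBE-SVC-W5MFW2XRXQ2S2XVL
-A KUBE-FW-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -j KUBE-MARK-DROP
-A KUBE-NODEPORTS -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn" -m tcp --dport 32093 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn" -m tcp --dport 32093 -j KUBE-SVC-W5MFW2XRXQ2S2XVL
-A KUBE-SEP-APWPTBIASIKM3IVR -s 10.12.3.16/32 -m comment --comment "develop/stagingvpn-openvpn:openvpn" -j KUBE-MARK-MASQ
-A KUBE-SEP-APWPTBIASIKM3IVR -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn" -m tcp -j DNAT --to-destination 10.12.3.16:443
-A KUBE-SERVICES ! -s 10.12.0.0/14 -d 10.15.247.123/32 -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.15.247.123/32 -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn cluster IP" -m tcp --dport 443 -j KUBE-SVC-W5MFW2XRXQ2S2XVL
-A KUBE-SERVICES -d MYPUBLICIP/32 -p tcp -m comment --comment "develop/stagingvpn-openvpn:openvpn loadbalancer IP" -m tcp --dport 443 -j KUBE-FW-W5MFW2XRXQ2S2XVL
-A KUBE-SVC-W5MFW2XRXQ2S2XVL -m comment --comment "develop/stagingvpn-openvpn:openvpn" -j KUBE-SEP-APWPTBIASIKM3IVR
"""

# iptables options that take exactly one argument and that we care about.
SINGLE = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
          "-j": "target", "--to-destination": "to", "--comment": "comment"}


def parse_rules(text):
    """Return {chain: [rule dict, ...]} for every '-A' line of an iptables-save dump."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # keeps the quoted --comment value as one token
        rule = {"chain": tokens[1]}
        i = 2
        while i < len(tokens):
            if tokens[i] in SINGLE:
                rule[SINGLE[tokens[i]]] = tokens[i + 1]
                i += 1
            i += 1  # '!', '-m', match-module names: skipped
        chains[rule["chain"]].append(rule)
    return chains


def _dst_matches(rule_dst, ip):
    """Does a rule's -d filter accept `ip`? Non-IP placeholders (MYPUBLICIP) match literally."""
    if rule_dst is None:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:
        return rule_dst.split("/")[0] == ip


def trace(chains, start, dst_ip=None, dport=None):
    """Follow -j jumps from `start`, honouring -d/--dport filters, until a DNAT rule.
    Returns (list of chains visited, 'ip:port' endpoint or None if nothing matched)."""
    path, chain = [], start
    while chain in chains:
        path.append(chain)
        nxt = None
        for r in chains[chain]:
            if dst_ip and not _dst_matches(r.get("dst"), dst_ip):
                continue
            if dport and r.get("dport") and r["dport"] != str(dport):
                continue
            if r.get("target") == "DNAT":
                return path, r["to"]
            if r.get("target") in chains:  # KUBE-MARK-* chains are absent from the grep
                nxt = r["target"]
                break
        if nxt is None:
            return path, None
        chain = nxt
    return path, None


def service_summary(chains, service):
    """Collect cluster IPs, node ports, LB IPs and DNAT endpoints for a Service name."""
    info = {"cluster_ip": set(), "node_port": set(), "lb_ip": set(), "endpoint": set()}
    for rules in chains.values():
        for r in rules:
            if service not in r.get("comment", ""):
                continue
            if r["chain"] == "KUBE-SERVICES" and r.get("dst"):
                key = "lb_ip" if "loadbalancer" in r["comment"] else "cluster_ip"
                info[key].add(r["dst"].split("/")[0])
            elif r["chain"] == "KUBE-NODEPORTS" and r.get("dport"):
                info["node_port"].add(int(r["dport"]))
            elif r.get("target") == "DNAT":
                info["endpoint"].add(r["to"])
    return {k: sorted(v) for k, v in info.items()}


def vpn_subnet_problems(ovpn_network, ovpn_mask, pod_cidr):
    """Assumed sanity rules (not from the question): the VPN client subnet needs room
    for clients and must not overlap the pod CIDR, or return routes become ambiguous."""
    vpn = ipaddress.ip_network(f"{ovpn_network}/{ovpn_mask}", strict=False)
    pods = ipaddress.ip_network(pod_cidr)
    problems = []
    if vpn.num_addresses < 4:
        problems.append(f"{vpn} has no room for client addresses")
    if vpn.overlaps(pods):
        problems.append(f"{vpn} overlaps pod CIDR {pods}")
    return problems


if __name__ == "__main__":
    chains = parse_rules(SAMPLE)
    print(service_summary(chains, "stagingvpn-openvpn"))
    print(trace(chains, "KUBE-SERVICES", dst_ip="MYPUBLICIP", dport=443))
    # the /32 value the poster tried, against the cluster CIDR seen in the dump
    print(vpn_subnet_problems("10.12.3.16", "255.255.255.255", "10.12.0.0/14"))
```

Run it against your own `iptables-save` output (replace `SAMPLE`, or read the file) to confirm that every entry point DNATs to the openvpn pod; if the traces are complete, the kube-proxy side is fine and the remaining suspects are inside the pod (forwarding, as blackjid's comment suggests) or on the CNI side (Calico's handling of traffic whose source address is not the pod's own). The subnet check flags the `10.12.3.16/32` value from the question on both counts, which is worth ruling out before chasing anything more exotic.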

0 Answers