本文介绍了Kubernetes Pod中的OpenVPN客户端的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在研究如何让OpenVPN客户端在Pod的容器上工作,我解释了我的操作,但您可以跳过我的所有说明,直接提供您的解决方案,如果有效,我不在乎用您的步骤替换以下所有步骤,我想让我的容器以一种外部和内部网络都能工作的方式使用VPN(例如ExpressVPN)。
我有一个停靠镜像,它是OpenVPN客户端,它使用以下命令查找:
docker run --rm -it --cap-add=NET_ADMIN --device=/dev/net/tun my-app /bin/bash
停靠图像具有入口点bash脚本:
curl https://vpnvendor/configurations.zip -o /app/configurations.zip
mkdir -p /app/open_vpn/ip_vanish/config
unzip /app/configurations.zip -d /app/open_vpn/config
printf "username
password
" > /app/open_vpn/vpn-auth.conf
cd /app/open_vpn/config
openvpn --config ./config.ovpn --auth-user-pass /app/open_vpn/vpn-auth.conf
很好,但是当我把它作为容器部署在K8S Pod中时,它破裂了,这是可以理解的,K8S集群需要节点之间的内部网络通信,所以VPN破坏了它...我怎么才能让它起作用呢?谷歌搜索令人沮丧,没有一个解决方案起作用,只有几个,有一个有类似的问题:OpenVPN-Client Pod on K8s - Local network unreachable但不太理解,请帮帮忙。
由于IPVanish是众所周知,让我们以他们的ovpn为例,我使用了其他供应商,但有权访问IPVanish帐户,它也无法工作:
client
dev tun
proto udp
remote lon-a52.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name lon-a52.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
我接受Golang或YAML格式的回复无关紧要,虽然我使用Go-Client,但我创建Pod的代码是:
podObj := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "mypod",
Namespace: "default",
},
Spec: v1.PodSpec{
Containers: []v1.Container{
{
Name: "worker1",
Image: "192.168.1.138:5000/myimage",
ImagePullPolicy: v1.PullAlways,
Stdin: true,
TTY: true,
/* Trying to simulate --device=/dev/net/tun I copied the below, but it does not work
// https://garunski.medium.com/openvpn-and-minikube-25511099f8de
VolumeMounts: []v1.VolumeMount{
{
ReadOnly: true,
Name: "dev-tun",
MountPath: "/dev/net/tun",
},
},*/
SecurityContext: &v1.SecurityContext{
// Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
Privileged: boolPtr(true),
Capabilities: &v1.Capabilities{
Add: []v1.Capability{
"NET_ADMIN",
},
},
},
},
},
NodeName: "worker-node01",
},
}
clientset.CoreV1().Pods("default").Create(context.Background(), podObj, metav1.CreateOptions{})
我可以添加NET_ADMIN功能,但我还需要授予对/dev/net/tun设备的访问权限,这就是问题所在,但即使我找到方法,它也会中断内部网络。
更新一个
我在docker的入口点中添加了以下两行代码,从而实现了外部网络:
# Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
推荐答案
这里是一个带有OpenVPN客户端的Pod的最小示例。我使用kylemanna/openvpn作为服务器并生成基本的客户端配置。我只向生成的配置中添加了两条路由来使其正常工作。见下图:
apiVersion: v1
kind: Pod
metadata:
name: ovpn
namespace: default
spec:
containers:
- name: ovpn
image: debian:buster
args:
- bash
- -c
# install OpenVPN and curl; use curl in an endless loop to print external IP
- apt update && apt install -y openvpn curl && cd /config && openvpn client & while sleep 5; do echo $(date; curl --silent ifconfig.me/ip); done
volumeMounts:
- mountPath: /dev/net/tun
readOnly: true
name: tun-device
- mountPath: /config
name: config
securityContext:
capabilities:
add: ["NET_ADMIN"]
volumes:
- name: tun-device
hostPath:
path: /dev/net/tun
- name: config
secret:
secretName: ovpn-config
---
apiVersion: v1
kind: Secret
metadata:
name: ovpn-config
namespace: default
stringData:
client: |
# A sample config generated by https://github.com/kylemanna/docker-openvpn server
client
nobind
dev tun
# Remote server params
remote PASTE.SERVER.IP.HERE 1194 udp
# Push all traffic through the VPN
redirect-gateway def1
# except these two k8s subnets
route 10.43.0.0 255.255.0.0 net_gateway
route 10.42.0.0 255.255.0.0 net_gateway
# Below goes irrelevant TLS config
remote-cert-tls server
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
这篇关于Kubernetes Pod中的OpenVPN客户端的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!