OpenVPN Client in Kubernetes Pod
I am working on getting an OpenVPN client to work inside a pod's container. I explain what I did below, but you can skip all of my explanation and just give your solution; I don't mind replacing all of the steps below with yours if it works. I want my container to use a VPN (e.g. ExpressVPN) in a way that keeps both external and internal networking working.
I have a docker image that is an OpenVPN client; it can be run with the following command:
docker run --rm -it --cap-add=NET_ADMIN --device=/dev/net/tun my-app /bin/bash
The docker image has an entrypoint bash script:
#!/bin/bash
# Fetch the vendor's bundle of .ovpn profiles and unpack it
curl https://vpnvendor/configurations.zip -o /app/configurations.zip
mkdir -p /app/open_vpn/config
unzip /app/configurations.zip -d /app/open_vpn/config
# Credentials file read by --auth-user-pass: first line username, second line password
printf "username\npassword\n" > /app/open_vpn/vpn-auth.conf
cd /app/open_vpn/config
openvpn --config ./config.ovpn --auth-user-pass /app/open_vpn/vpn-auth.conf
It works fine, but when I deploy it as a container in a K8S Pod it breaks, which is understandable: the K8S cluster needs internal network communication between the nodes, so the VPN breaks it... How can I make it work? Googling is frustrating, none of the solutions work, only a few, and there is one with a similar question:
but it is not very clear, please help.
Since IPVanish is well known, let's take their ovpn as an example; I use other vendors but have access to an IPVanish account, and it doesn't work either:
client
dev tun
proto udp
remote lon-a52.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name lon-a52.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
I'd accept an answer in Golang or YAML, it doesn't matter; although I use go-client, my code to create the pod is:
package main

import (
    "context"

    v1 "k8s.io/api/core/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
)

// boolPtr returns a pointer to b, as the *bool fields of the API types require.
func boolPtr(b bool) *bool { return &b }

// createPod submits the pod; clientset is assumed to be built elsewhere from a kubeconfig.
func createPod(clientset kubernetes.Interface) error {
    podObj := &v1.Pod{
        ObjectMeta: metav1.ObjectMeta{
            Name:      "mypod",
            Namespace: "default",
        },
        Spec: v1.PodSpec{
            Containers: []v1.Container{
                {
                    Name:            "worker1",
                    Image:           "192.168.1.138:5000/myimage",
                    ImagePullPolicy: v1.PullAlways,
                    Stdin:           true,
                    TTY:             true,
                    /* Trying to simulate --device=/dev/net/tun I copied the below, but it does not work
                    // https://garunski.medium.com/openvpn-and-minikube-25511099f8de
                    VolumeMounts: []v1.VolumeMount{
                        {
                            ReadOnly:  true,
                            Name:      "dev-tun",
                            MountPath: "/dev/net/tun",
                        },
                    },*/
                    SecurityContext: &v1.SecurityContext{
                        // Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
                        Privileged: boolPtr(true),
                        Capabilities: &v1.Capabilities{
                            Add: []v1.Capability{
                                "NET_ADMIN",
                            },
                        },
                    },
                },
            },
            NodeName: "worker-node01",
        },
    }
    _, err := clientset.CoreV1().Pods("default").Create(context.Background(), podObj, metav1.CreateOptions{})
    return err
}
I can add the NET_ADMIN capability, but I also need to grant access to the /dev/net/tun device, and that is the problem; and even if I find a way to do that, it breaks the internal network.
Update 1
I got the external network working by adding the following two lines to the docker entrypoint:
# Taken from https://caveofcode.com/how-to-setup-a-vpn-connection-from-inside-a-pod-in-kubernetes/
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
Here is a minimal example of a pod with an OpenVPN client. I used kylemanna/openvpn as the server and generated a basic client config. I only added two routes to the generated config to make it work. See below:
apiVersion: v1
kind: Pod
metadata:
  name: ovpn
  namespace: default
spec:
  containers:
  - name: ovpn
    image: debian:buster
    args:
    - bash
    - -c
    # install OpenVPN and curl; use curl in an endless loop to print external IP
    - apt update && apt install -y openvpn curl && cd /config && openvpn client & while sleep 5; do echo $(date; curl --silent ifconfig.me/ip); done
    volumeMounts:
    - mountPath: /dev/net/tun
      readOnly: true
      name: tun-device
    - mountPath: /config
      name: config
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
  volumes:
  - name: tun-device
    hostPath:
      path: /dev/net/tun
  - name: config
    secret:
      secretName: ovpn-config
---
apiVersion: v1
kind: Secret
metadata:
  name: ovpn-config
  namespace: default
stringData:
  client: |
    # A sample config generated by https://github.com/kylemanna/docker-openvpn server
    client
    nobind
    dev tun
    # Remote server params
    remote PASTE.SERVER.IP.HERE 1194 udp
    # Push all traffic through the VPN
    redirect-gateway def1
    # except these two k8s subnets
    route 10.43.0.0 255.255.0.0 net_gateway
    route 10.42.0.0 255.255.0.0 net_gateway
    # Below goes irrelevant TLS config
    remote-cert-tls server
    <key>
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    </key>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----
    </tls-auth>
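The two `route ... net_gateway` lines in the answer above are the whole trick: `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 toward the tunnel, which override the pod's default route without deleting it, and any more-specific route pointing at `net_gateway` wins over those two. The Go program below is an added illustration, not part of the answer or of any project: it generates the route directives from cluster CIDRs (OpenVPN wants dotted masks, not prefix lengths) and simulates the longest-prefix lookup so you can check which destinations will bypass the tunnel before deploying. The CIDRs 10.42.0.0/16 and 10.43.0.0/16 are the ones the answer excludes (the k3s defaults); the sample destinations are constructed, and the gateway names are only labels for the simulation.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Route is one entry of the table OpenVPN ends up installing in the pod's
// network namespace: a destination prefix and the gateway label the client
// config uses for it ("vpn_gateway" or "net_gateway").
type Route struct {
	Dest    *net.IPNet
	Gateway string
}

// RouteLines turns cluster CIDRs (pod CIDR, service CIDR, ...) into the
// "route <network> <netmask> net_gateway" directives that keep in-cluster
// traffic off the tunnel. IPv4 only, because OpenVPN's "route" takes
// dotted netmasks.
func RouteLines(cidrs []string) ([]string, error) {
	lines := make([]string, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		if n.IP.To4() == nil {
			return nil, fmt.Errorf("only IPv4 CIDRs are supported: %q", c)
		}
		lines = append(lines, fmt.Sprintf("route %s %s net_gateway",
			n.IP.To4().String(), net.IP(n.Mask).String()))
	}
	return lines, nil
}

// BuildTable models what "redirect-gateway def1" plus the exception routes
// produce: two /1 routes toward the VPN, the exceptions toward the original
// gateway, and the untouched original default route as a fallback.
func BuildTable(exceptions []string) ([]Route, error) {
	var table []Route
	add := func(cidr, gw string) error {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return err
		}
		table = append(table, Route{Dest: n, Gateway: gw})
		return nil
	}
	for _, c := range []string{"0.0.0.0/1", "128.0.0.0/1"} {
		if err := add(c, "vpn_gateway"); err != nil {
			return nil, err
		}
	}
	for _, c := range exceptions {
		if err := add(c, "net_gateway"); err != nil {
			return nil, err
		}
	}
	if err := add("0.0.0.0/0", "net_gateway"); err != nil {
		return nil, err
	}
	// Longest prefix first, which is the order the kernel's lookup prefers.
	sort.SliceStable(table, func(i, j int) bool {
		bi, _ := table[i].Dest.Mask.Size()
		bj, _ := table[j].Dest.Mask.Size()
		return bi > bj
	})
	return table, nil
}

// Lookup returns the gateway label the kernel would pick for dst
// (longest-prefix match), or "" if dst is not a valid IPv4 address.
func Lookup(table []Route, dst string) string {
	ip := net.ParseIP(dst)
	if ip == nil || ip.To4() == nil {
		return ""
	}
	for _, r := range table {
		if r.Dest.Contains(ip) {
			return r.Gateway
		}
	}
	return ""
}

func main() {
	// Constructed input: the two subnets the answer excludes (k3s defaults).
	// A real cluster's pod and service CIDRs must be looked up, not assumed.
	cluster := []string{"10.42.0.0/16", "10.43.0.0/16"}
	lines, err := RouteLines(cluster)
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
	table, err := BuildTable(cluster)
	if err != nil {
		panic(err)
	}
	// Constructed destinations: a cluster service, a pod, a public host and
	// the LAN registry address used in the question.
	for _, dst := range []string{"10.43.0.10", "10.42.1.5", "8.8.8.8", "192.168.1.138"} {
		fmt.Printf("%-15s -> %s\n", dst, Lookup(table, dst))
	}
}
```

Anything not covered by an exception is sent into the tunnel, including node and LAN addresses such as the 192.168.1.0/24 range in the question; add a route line for the node subnet too if the pod must reach node IPs directly (image pulls are unaffected, since the kubelet does them on the host, outside the pod's network namespace). The simulation only reflects the route table; on the running pod, confirm with `ip route get <dst>` that each destination picks the device you expect.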
Try Tailscale. https://tailscale.com/ It is much simpler. They have a nice free tier.