
offlinehacker/openvpn-k8s

Introduction

Dockerfile to run openvpn inside kubernetes.

NOTE: this fork attempts to detect the service/pod subnets and the DNS address/domain when hosted on Google Container Engine.

Contributing

If you find this image useful you can help by doing one of the following:

  • Send a Pull Request: you can add new features to the docker image, which will be integrated into the official image.
  • Report a Bug: if you notice a bug, please issue a bug report at Issues, so we can fix it as soon as possible.

Installation

Automated builds of the image are available on Dockerhub and are the recommended method of installation.

docker pull offlinehacker/openvpn-k8s:latest

Alternatively you can build the image locally.

git clone https://github.com/offlinehacker/openvpn-k8s.git
cd openvpn-k8s
docker build -t offlinehacker/openvpn-k8s .

Quick Start

This image was created to provide simple openvpn access to a kubernetes cluster.

First you will need to create a secret volume containing the dh params and the server certificate in pkcs12 format.

  • Create kubernetes secret volume:

openvpn-secrets.yaml file:

apiVersion: v1
kind: Secret
metadata:
  name: openvpn
data:
  dh.pem: <base64_encoded_dh_pem_file>
  certs.p12: <base64_encoded_certs_file>

kubectl create -f openvpn-secrets.yaml

  • Create kubernetes replication controller:

openvpn-controller.yaml file:

apiVersion: v1
kind: ReplicationController
metadata:
  name: openvpn
  labels:
    name: openvpn
spec:
  replicas: 2
  selector:
    name: openvpn
  template:
    metadata:
      labels:
        name: openvpn
    spec:
      containers:
        - name: openvpn
          image: offlinehacker/openvpn-k8s
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: OVPN_NETWORK
              value: 10.240.0.0
            - name: OVPN_SUBNET
              value: 255.255.0.0
            - name: OVPN_PROTO
              value: tcp
            - name: OVPN_K8S_SERVICE_NETWORK
              value: 10.241.240.0
            - name: OVPN_K8S_SERVICE_SUBNET
              value: 255.255.240.0
            - name: OVPN_K8S_DNS
              value: 10.241.240.10
          ports:
            - name: openvpn
              containerPort: 1194
          volumeMounts:
            - mountPath: /etc/openvpn/pki
              name: openvpn
      volumes:
        - name: openvpn
          secret:
            secretName: openvpn

  • Create kubernetes service:

openvpn-service.yaml file:

kind: Service
apiVersion: v1
metadata:
  name: openvpn
spec:
  ports:
    - name: openvpn
      port: 1194
      targetPort: 1194
  selector:
    name: openvpn
  type: LoadBalancer

kubectl create -f openvpn-service.yaml

Configuration Parameters

Below is the complete list of available options that can be used to customize your openvpn container instance.

  • OVPN_NETWORK: Network allocated for openvpn clients (default: 10.240.0.0).
  • OVPN_SUBNET: Network subnet allocated for openvpn clients (default: 255.255.0.0).
  • OVPN_PROTO: Protocol used by openvpn, tcp or udp (default: udp).
  • OVPN_NATDEVICE: Device connected to the kubernetes service network (default: eth0).
  • OVPN_K8S_SERVICE_NETWORK: Kubernetes service network (required).
  • OVPN_K8S_SERVICE_SUBNET: Kubernetes service network subnet (required).
  • OVPN_K8S_DOMAIN: Kubernetes cluster domain (default: cluster.local).
  • OVPN_K8S_DNS: Kubernetes cluster dns server (required).
  • OVPN_K8S_DH: Openvpn dh.pem file path (default: /etc/openvpn/pki/dh.pem).
  • OVPN_K8S_CERTS: Openvpn certs.p12 file path (default: /etc/openvpn/pki/certs.p12).
  • MORE_OPTS: Misc openvpn options, one per line, for example duplicate-cn.
  • OVPN_K8S_POD_NETWORK: Kubernetes pod network (optional).
  • OVPN_K8S_POD_SUBNET: Kubernetes pod network subnet (optional).
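
A pre-deployment check for the address parameters above, added here as an example and not part of this project's code. The names check_env and README_ENV are hypothetical; the overlap rule and the rule that the DNS address lies inside the service network are assumptions about a sane topology, not checks the image performs.

```python
import ipaddress

# Variables the list above marks as required, and the documented defaults.
REQUIRED = ("OVPN_K8S_SERVICE_NETWORK", "OVPN_K8S_SERVICE_SUBNET", "OVPN_K8S_DNS")
DEFAULTS = {"OVPN_NETWORK": "10.240.0.0", "OVPN_SUBNET": "255.255.0.0", "OVPN_PROTO": "udp"}

def _net(env, addr_key, mask_key, problems):
    """Build an IPv4Network from an address/netmask pair, recording any error."""
    if addr_key not in env or mask_key not in env:
        return None
    try:
        # strict=True rejects invalid netmasks and addresses with host bits set.
        return ipaddress.IPv4Network(f"{env[addr_key]}/{env[mask_key]}", strict=True)
    except ValueError as exc:
        problems.append(f"{addr_key}/{mask_key}: {exc}")
        return None

def check_env(env):
    """Return a list of problems found in a container env mapping."""
    env = {**DEFAULTS, **env}
    problems = [f"{key} is required" for key in REQUIRED if key not in env]
    if env["OVPN_PROTO"] not in ("tcp", "udp"):
        problems.append("OVPN_PROTO must be tcp or udp")
    clients = _net(env, "OVPN_NETWORK", "OVPN_SUBNET", problems)
    service = _net(env, "OVPN_K8S_SERVICE_NETWORK", "OVPN_K8S_SERVICE_SUBNET", problems)
    pods = _net(env, "OVPN_K8S_POD_NETWORK", "OVPN_K8S_POD_SUBNET", problems)
    # Assumption: the client pool must not overlap a network routed to clients.
    for name, net in (("service", service), ("pod", pods)):
        if clients and net and clients.overlaps(net):
            problems.append(f"client network {clients} overlaps {name} network {net}")
    # Assumption: cluster DNS is a Service, so its IP is in the service network.
    if service and "OVPN_K8S_DNS" in env:
        try:
            if ipaddress.IPv4Address(env["OVPN_K8S_DNS"]) not in service:
                problems.append(f"OVPN_K8S_DNS {env['OVPN_K8S_DNS']} is outside {service}")
        except ValueError as exc:
            problems.append(f"OVPN_K8S_DNS: {exc}")
    return problems

# Values taken from the replication controller manifest in Quick Start.
README_ENV = {
    "OVPN_NETWORK": "10.240.0.0", "OVPN_SUBNET": "255.255.0.0", "OVPN_PROTO": "tcp",
    "OVPN_K8S_SERVICE_NETWORK": "10.241.240.0", "OVPN_K8S_SERVICE_SUBNET": "255.255.240.0",
    "OVPN_K8S_DNS": "10.241.240.10",
}

if __name__ == "__main__":
    for problem in check_env(README_ENV) or ["no problems found"]:
        print(problem)
```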
