
add kubernetes deployment

This commit is contained in:
Jonathan Prado 2021-01-20 23:16:13 -03:00
parent 27dc3d25f2
commit 0999376568
8 changed files with 179 additions and 0 deletions


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: vpn

55
kubernetes/01-deploy.yaml Normal file

@ -0,0 +1,55 @@
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: vpn
namespace: vpn
labels:
app: ipsec-vpn-server
spec:
replicas: 1
selector:
matchLabels:
app: ipsec-vpn-server
template:
metadata:
labels:
app: ipsec-vpn-server
spec:
containers:
- image: hwdsl2/ipsec-vpn-server
name: vpn
imagePullPolicy: Always
# Uncomment if you need your own rules
#lifecycle:
# postStart:
# exec:
# command:
# - "sh"
# - "-c"
# - |
# ip route add 192.168.99.0/24 dev eth0;
# ip route add 192.168.98.0/24 dev eth0;
securityContext:
privileged: true
resources:
limits:
cpu: 600m
memory: 650Mi
requests:
cpu: 200m
memory: 300Mi
ports:
- name: vpnisakmp
containerPort: 500
protocol: UDP
- name: vpnike
containerPort: 4500
protocol: UDP
env:
- name: "VPN_IPSEC_PSK"
value: "SuperDuperPSK"
- name: "VPN_USER"
value: "vpnuser"
- name: "VPN_PASSWORD"
value: "VPN-SuperMegaPassword.1!"
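Review bot: The IPsec PSK and the VPN user password are committed as plain `value:` entries in the `env` block at the end of the hunk, so they live in git history and in every `kubectl get deploy -o yaml`; they should come from a Secret via `valueFrom.secretKeyRef` (or `envFrom`), with the Secret created out of band. Two smaller points in the same hunk: `apiVersion: apps/v1beta2` was removed in Kubernetes 1.16, so the manifest will not apply on current clusters and should be `apps/v1`, and the image reference `hwdsl2/ipsec-vpn-server` carries no tag or digest, so with `imagePullPolicy: Always` every pod restart pulls whatever `latest` is at that moment — pin a tag or `@sha256:` digest. `privileged: true` gives the container full host access; if the image only needs to manage IPsec/xfrm state, `capabilities: { add: ["NET_ADMIN"] }` is likely enough, worth confirming against the image's documentation. The rendered page has lost the YAML indentation, so the fence below shows the intended nesting.
```yaml
      containers:
        - image: hwdsl2/ipsec-vpn-server
          name: vpn
          # … unchanged: imagePullPolicy, securityContext, resources, ports …
          env:
            - name: VPN_IPSEC_PSK
              valueFrom:
                secretKeyRef:
                  name: vpn-credentials  # example name; Secret is created out of band, not in this repo
                  key: VPN_IPSEC_PSK
            - name: VPN_USER
              valueFrom:
                secretKeyRef:
                  name: vpn-credentials
                  key: VPN_USER
            - name: VPN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: vpn-credentials
                  key: VPN_PASSWORD
```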


@ -0,0 +1,38 @@
---
apiVersion: v1
kind: Service
metadata:
namespace: vpn
name: ipsec-vpn-server-aws-nlb
annotations:
prometheus.io/scrape: 'true'
prometheus.io/path: /metrics
prometheus.io/port: '9100'
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "environment=dev,owner=SRE,job=ipsec-vpn-server"
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "6"
service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "20"
service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "5"
service.kubernetes.io/local-svc-only-bind-node-with-pod: "true"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels:
app: ipsec-vpn-server
spec:
type: LoadBalancer
ports:
- name: vpnisakmp
port: 500
targetPort: 500
protocol: UDP
- name: vpnike
port: 4500
targetPort: 4500
protocol: UDP
- name: port1701
port: 1701
targetPort: 1701
protocol: UDP
selector:
app: ipsec-vpn-server
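Review bot: The Service publishes `1701/UDP` (L2TP) directly on the internet-facing NLB, but the Deployment added in the same commit only declares container ports 500 and 4500, and for L2TP/IPsec the L2TP traffic is normally carried inside the ESP/NAT-T tunnel on 4500 rather than on a bare listener; either add the matching `containerPort: 1701` to the Deployment or, more likely, drop the `port1701` entry. Nothing limits who can reach the load balancer: no `loadBalancerSourceRanges` is set, so all three UDP ports are open to `0.0.0.0/0`; if the client population is known, add `loadBalancerSourceRanges: ["<allowed CIDR>"]` under `spec`. The `prometheus.io/scrape`/`port: '9100'` annotations advertise a scrape target that no container in the Deployment exposes, so they presumably assume a node-exporter sidecar that is not part of this commit — confirm or remove them.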

BIN
kubernetes/POD-VPN.jpeg Normal file


80
kubernetes/README.md Normal file

@ -0,0 +1,80 @@
# VPN on Kubernetes Pod
### How to Run
<pre>
kubectl apply -f .
namespace/vpn created
deployment.apps/vpn created
service/ipsec-vpn-server-aws-nlb created
</pre>
<br><br>
### Architecture
<div align="center">
<img src="POD-VPN.jpeg" height="400" width="900" />
</div>
### R53
<br>
<div align="center">
<img src="aws-R53.png" />
</div>
<br>
<br>
### Configure your system
<div align="center">
<img src="config-vpn-01.png" />
<br>
<img src="config-vpn-02.png" />
</div>
<br>
### kubectl get all -n vpn
<pre>
NAME READY STATUS RESTARTS AGE
pod/vpn-7477d97f87-7jfvj 1/1 Running 0 28m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ipsec-vpn-server-aws-nlb LoadBalancer 5.5.5.5 foobar.elb.z.amazonaws.com 500:32399/UDP,4500:31327/UDP,1701:31028/UDP 27m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/vpn 1/1 1 1 28m
NAME DESIRED CURRENT READY AGE
replicaset.apps/vpn-7477d97f87 1 1 1 28m
</pre>
### netcat
<pre>
$ nc -vzu foobar.elb.z.amazonaws.com 500
Connection to oobar.elb.z.amazonaws.com 500 port [udp/isakmp] succeeded!
</pre>
### tcpdump -i eth0 udp (in the Pod)
<pre>
19:36:14.046396 IP 1-1-1-1.kubelet.kube-system.svc.cluster.local.55912 > vpn-7477d97f87-7jfvj.500: |isakmp|
19:36:14.046734 IP vpn-7477d97f87-7jfvj.50692 > kube-dns.kube-system.svc.cluster.local.53: 40024+ PTR? 2.2.2.2.in-addr.arpa. (44) 19:36:14.046895 IP kube-dns.kube-system.svc.cluster.local.53 > vpn-7477d97f87-7jfvj.50692: 40024*- 1/0/0 PTR 1-1-1-1.kubelet.kube-system.svc.cluster.local. (135)
19:36:14.046986 IP vpn-7477d97f87-7jfvj.39097 > kube-dns.kube-system.svc.cluster.local.53: 51793+ PTR? 3.3.3.3.in-addr.arpa. (42)
19:36:14.047109 IP kube-dns.kube-system.svc.cluster.local.53 > vpn-7477d97f87-7jfvj.39097: 51793*- 1/0/0 PTR kube-dns.kube-system.svc.cluster.local. (118)
19:36:14.050323 IP 1-1-1-1.kubelet.kube-system.svc.cluster.local.55912 > vpn-7477d97f87-7jfvj.500: |isakmp|
19:36:15.047801 IP 1-1-1-1.kubelet.kube-system.svc.cluster.local.55912 > vpn-7477d97f87-7jfvj.500: |isakmp|
19:36:16.047829 IP 1-1-1-1.kubelet.kube-system.svc.cluster.local.55912 > vpn-7477d97f87-7jfvj.500: |isakmp|
19:36:17.046943 IP 1-1-1-1.kubelet.kube-system.svc.cluster.local.55912 > vpn-7477d97f87-7jfvj.500: |isakmp|
</pre>

BIN
kubernetes/aws-R53.png Normal file
