To install both OpenVPN and WireGuard for remote access in a Kubernetes cluster without modifying the underlying infrastructure, follow these steps using Helm charts and standard Kubernetes resources. The guide covers both installations and assumes the following prerequisites are in place:
- Kubernetes Cluster: Ensure you have a running Kubernetes cluster.
- kubectl: Command-line tool for Kubernetes.
- Helm: Kubernetes package manager installed.
- Install Helm
  If you don't have Helm installed, follow the official Helm installation guide (https://helm.sh/docs/intro/install/).
- Add Helm Repository
  Add the Helm repository that carries the OpenVPN chart, then refresh the local index:
  helm repo add stable https://charts.helm.sh/stable
  helm repo update
  Note that the stable repository is archived: its charts, including openvpn, are still served but no longer receive updates, so review the chart's image and default values before relying on it.
- Create a Namespace for OpenVPN
  kubectl create namespace openvpn
- Install OpenVPN using Helm
  Use the Helm chart to install OpenVPN into that namespace:
  helm install openvpn stable/openvpn --namespace openvpn
- Retrieve Client Configuration
  To retrieve a client configuration file, use the following command. kubectl exec is run with -i only: allocating a TTY (-t) would rewrite line endings in the redirected file.
  kubectl exec -i $(kubectl get pod -l app=openvpn -n openvpn -o jsonpath='{.items[0].metadata.name}') -n openvpn -- cat /etc/openvpn/ccd/client1 > client1.ovpn
  Note that /etc/openvpn/ccd is OpenVPN's client-config-dir, which holds server-side per-client overrides; the chart's README generates a complete client profile (certificate, key and server address) with its /etc/openvpn/setup/newClientCert.sh helper. Whichever file you hand out, keep it readable only by its owner (chmod 600), because it embeds the client's private key.
- Add Helm Repository for WireGuard
  There is no official Helm chart for WireGuard, but we can use a community-maintained chart. First, add the Helm repository and refresh the index:
  helm repo add wireguard https://jfelten.github.io/wireguard-helm/
  helm repo update
- Create a Namespace for WireGuard
  kubectl create namespace wireguard
- Install WireGuard using Helm
  Install WireGuard with the chart's default configuration:
  helm install wireguard wireguard/wireguard --namespace wireguard
- Retrieve Client Configuration
  WireGuard typically stores its configuration files in a Kubernetes Secret. Retrieve the Secret and extract the client configuration (the Secret name and key are set by the chart's values; confirm them with kubectl get secret -n wireguard if the command below finds nothing):
  kubectl get secret wireguard-config -n wireguard -o jsonpath='{.data}' | jq -r '.["client.conf"]' | base64 --decode > client.conf
  Like the OpenVPN profile, client.conf contains a private key and should be stored with mode 600.
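As an added example (not part of the guide or either chart), the following shell script performs both retrievals and then sanity-checks the files before they are handed to a user. The namespaces, pod label, Secret name and paths are the ones the guide uses; the checks themselves encode assumptions about what a usable client profile contains, not anything the charts guarantee.

```shell
#!/usr/bin/env sh
# Added example, not from the guide or the Helm charts. Assumes the guide's
# namespaces (openvpn, wireguard), pod label app=openvpn, Secret name
# wireguard-config and the file paths the guide reads.
set -eu

# Pull the OpenVPN profile without a TTY: -t would turn "\n" into "\r\n"
# in the captured file and break the profile.
fetch_openvpn_profile() {
  out="${1:-client1.ovpn}"
  pod=$(kubectl get pod -l app=openvpn -n openvpn -o jsonpath='{.items[0].metadata.name}')
  kubectl exec -i "$pod" -n openvpn -- cat /etc/openvpn/ccd/client1 > "$out"
  chmod 600 "$out"
}

# Pull one key out of the WireGuard Secret with jsonpath alone (no jq);
# the escaped dot selects the literal key "client.conf".
fetch_wireguard_conf() {
  out="${1:-client.conf}"
  kubectl get secret wireguard-config -n wireguard \
    -o jsonpath='{.data.client\.conf}' | base64 --decode > "$out"
  chmod 600 "$out"
}

# Sanity-check an OpenVPN client profile (assumed shape): it must be a
# client profile that pins the server CA, names a remote and carries a
# client key. Prints what is missing and returns 1 on failure.
check_ovpn_profile() {
  f="$1"; rc=0
  grep -qE '^client$' "$f"      || { echo "$f: missing 'client' directive"; rc=1; }
  grep -qE '^remote ' "$f"      || { echo "$f: missing 'remote' line"; rc=1; }
  grep -qE '^<ca>$' "$f"        || { echo "$f: no inline <ca> block"; rc=1; }
  grep -qE '^(<key>|key )' "$f" || { echo "$f: no client key"; rc=1; }
  return $rc
}

# Sanity-check a WireGuard client config (assumed shape): an interface
# private key, a peer with a public key and host:port endpoint, and
# AllowedIPs so that traffic is actually routed through the tunnel.
check_wg_conf() {
  f="$1"; rc=0
  grep -qE '^\[Interface\]' "$f"            || { echo "$f: no [Interface] section"; rc=1; }
  grep -qE '^PrivateKey *= *[^ ]+' "$f"      || { echo "$f: no PrivateKey"; rc=1; }
  grep -qE '^\[Peer\]' "$f"                 || { echo "$f: no [Peer] section"; rc=1; }
  grep -qE '^PublicKey *= *[^ ]+' "$f"       || { echo "$f: peer has no PublicKey"; rc=1; }
  grep -qE '^Endpoint *= *[^ ]+:[0-9]+' "$f" || { echo "$f: no Endpoint host:port"; rc=1; }
  grep -qE '^AllowedIPs *= *[^ ]+' "$f"      || { echo "$f: no AllowedIPs"; rc=1; }
  return $rc
}

# Refuse to hand out a credential file that other users can read.
check_private_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600"; return 1; }
}

# Typical use once cluster access is available:
#   fetch_openvpn_profile client1.ovpn && check_ovpn_profile client1.ovpn && check_private_perms client1.ovpn
#   fetch_wireguard_conf client.conf   && check_wg_conf client.conf      && check_private_perms client.conf
```

The fetch functions need cluster access; the check functions work on any local file, so they can also gate a distribution step (for example, refusing to mail or upload a profile that fails them).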
- Update OpenVPN Service to NodePort
  kubectl patch svc openvpn -n openvpn -p '{"spec": {"type": "NodePort", "ports": [{"port": 1194, "nodePort": 30000}]}}'
- Update WireGuard Service to NodePort
  kubectl patch svc wireguard -n wireguard -p '{"spec": {"type": "NodePort", "ports": [{"port": 51820, "nodePort": 30001}]}}'
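An added example (not from the page): a shell helper that builds the same NodePort patch the two commands above apply by hand, but validates the nodePort range and pins the protocol before calling kubectl. The protocol values are assumptions: WireGuard only speaks UDP, and OpenVPN uses whichever protocol the chart was configured with (TCP in the stable chart's defaults, as far as this example assumes).

```shell
#!/usr/bin/env sh
# Added example, not from the guide. Builds and applies a NodePort patch
# with basic validation; the service names and namespaces are the guide's.
set -eu

# Print a strategic-merge patch for a Service. Kubernetes merges
# spec.ports entries by "port", so only the named port is touched.
# usage: nodeport_patch_json <servicePort> <nodePort> <TCP|UDP>
nodeport_patch_json() {
  port="$1"; nodeport="$2"; proto="$3"
  case "$port" in ''|*[!0-9]*) echo "bad service port: $port" >&2; return 1;; esac
  case "$nodeport" in ''|*[!0-9]*) echo "bad nodePort: $nodeport" >&2; return 1;; esac
  # Default kube-apiserver --service-node-port-range is 30000-32767.
  if [ "$nodeport" -lt 30000 ] || [ "$nodeport" -gt 32767 ]; then
    echo "nodePort $nodeport outside default range 30000-32767" >&2
    return 1
  fi
  case "$proto" in
    TCP|UDP) ;;
    *) echo "protocol must be TCP or UDP: $proto" >&2; return 1;;
  esac
  printf '{"spec":{"type":"NodePort","ports":[{"port":%s,"protocol":"%s","nodePort":%s}]}}\n' \
    "$port" "$proto" "$nodeport"
}

# Apply the patch to a Service (needs cluster access).
# usage: expose_nodeport <service> <namespace> <servicePort> <nodePort> <TCP|UDP>
expose_nodeport() {
  patch=$(nodeport_patch_json "$3" "$4" "$5")
  kubectl patch svc "$1" -n "$2" -p "$patch"
}

# The guide's two services, with the protocol each VPN actually speaks:
#   expose_nodeport openvpn   openvpn   1194  30000 TCP
#   expose_nodeport wireguard wireguard 51820 30001 UDP
```

Pinning the protocol matters for WireGuard in particular: a port entry that ends up as TCP will be accepted by the API server but will never carry WireGuard traffic, and the failure only shows up as a silent handshake timeout on the client.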
For secure access, set up an Ingress controller and use it to expose your services. Two caveats apply: the ssl-passthrough annotation used below only forwards TLS connections, so it can carry OpenVPN only when OpenVPN is configured for TCP, and it cannot carry WireGuard at all, because WireGuard runs over UDP; for WireGuard the NodePort above (or a LoadBalancer Service with protocol UDP) remains the working exposure path.
- Install NGINX Ingress Controller
  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  helm repo update
  helm install ingress-nginx ingress-nginx/ingress-nginx --namespace openvpn
  The ssl-passthrough annotation is honoured only when the controller runs with the --enable-ssl-passthrough flag (set through controller.extraArgs in the chart's values); without it the annotation is silently ignored and the controller terminates TLS itself.
- Create Ingress Resources for OpenVPN and WireGuard
  Ingress for OpenVPN:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: openvpn-ingress
    namespace: openvpn
    annotations:
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  spec:
    rules:
      - host: <openvpn-your-domain>
        http:
          paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: openvpn
                  port:
                    number: 1194
    tls:
      - hosts:
          - <openvpn-your-domain>
        secretName: openvpn-tls
  Ingress for WireGuard:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: wireguard-ingress
    namespace: wireguard
    annotations:
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  spec:
    rules:
      - host: <wireguard-your-domain>
        http:
          paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: wireguard
                  port:
                    number: 51820
    tls:
      - hosts:
          - <wireguard-your-domain>
        secretName: wireguard-tls
By following these steps, you can deploy both OpenVPN and WireGuard in your Kubernetes cluster without touching the underlying infrastructure. Helm simplifies deployment and upgrades, while NodePort Services or an Ingress controller provide flexible ways to expose the endpoints. Ensure proper security configuration, such as TLS for anything the Ingress terminates and owner-only permissions on every client profile, to keep the connections and their credentials secure.