```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vpn
spec:
  selector:
    matchLabels:
      app: vpn
  serviceName: vpn
  replicas: 1
  template:
    metadata:
      labels:
        app: vpn
    spec:
      containers:
        - name: vpn
          image: hanyifeng/alpine-ikev2-vpn
          imagePullPolicy: Always
          env:
            - name: VPNUSER
              value: vpn-user
            - name: VPNPASS
              # Change this; a Secret is preferable to a literal value in the manifest
              value: please_change_me
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
          securityContext:
            privileged: true  # Required to access the kernel features IPsec relies on
          ports:
            - containerPort: 500
              # hostPort: 500  <-- You can enable hostPort, but it is not good practice
              name: vpn-isakmp
              protocol: UDP
            - containerPort: 4500
              # hostPort:  <-- You can enable hostPort, but it is not good practice
              name: vpn-ike
              protocol: UDP
          volumeMounts:
            - mountPath: /lib/modules
              name: modules
      volumes:
        - name: modules
          hostPath:
            path: /lib/modules
---
# You will have to set up node ports 30500 and 30501 at your client,
# or use something like nginx with the stream module enabled
# to forward UDP traffic to ports 500 and 4500:
# https://nginx.org/en/docs/stream/ngx_stream_core_module.html
# Remember that nginx does not support domain-based reverse proxying for streams.
kind: Service
apiVersion: v1
metadata:
  name: vpn
spec:
  selector:
    app: vpn
  type: NodePort
  ports:
    - name: vpn-isakmp
      port: 500
      targetPort: vpn-isakmp
      protocol: UDP
      nodePort: 30500
    - name: vpn-ike
      port: 4500
      targetPort: vpn-ike
      protocol: UDP
      nodePort: 30501
```
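The nginx stream forwarder that the Service comment refers to, as an added example (not part of the gist): a public-facing host listens on the standard IKE ports and relays the datagrams to the NodePorts above. `NODE_IP` is a placeholder for the address of one cluster node.

```nginx
# Added example: forward IKE (UDP 500) and IKE NAT-T (UDP 4500) from a
# public-facing nginx host to the NodePort Service defined above.
# NODE_IP is a placeholder; replace it with a cluster node address.
stream {
    upstream vpn_isakmp {
        server NODE_IP:30500;
    }

    upstream vpn_nat_t {
        server NODE_IP:30501;
    }

    # IKE_SA_INIT and the first exchanges arrive here.
    server {
        listen 500 udp;
        proxy_pass vpn_isakmp;
        proxy_timeout 10m;   # drop the UDP session after 10 minutes idle
    }

    # Because nginx rewrites the client's source address, IKE NAT detection
    # fires and peers move to UDP encapsulation on 4500 (NAT-T), which also
    # carries the ESP traffic; raw ESP (IP protocol 50) is NOT proxied here.
    server {
        listen 4500 udp;
        proxy_pass vpn_nat_t;
        proxy_timeout 10m;
    }
}
```

The pod sees the proxy's address as the initiator source, so any per-client rules or logs inside the container will show the proxy, not the real client, unless transparent proxying is configured.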
Actually, I just got this working. I needed to change the DHCP range allocated for the initiators to match the range allocated in the pod.
So I'll maybe write up over the weekend what I've done and publish a changed container for reference, and you can cross-reference it if you feel like working on this more. Thanks for this anyway, it was a good inspiration. It still must have been down to the iptables rules being incorrect or me not understanding something.
Hello @rossbeazley, @AdaWOlf, I'm having problems with port forwarding. I saw this message "# You will have to setup node ports 30500 and 30501 at your client"; could you explain to me a bit how to do this? Thanks in advance.
I use the Android strongSwan client and it has an option for "server port". My experience of using other clients such as Windows is that you will need to expose the standard ports on the public gateway. What client/OS are you initiating the tunnel from?
The specific use case I am currently looking into is to deploy a strongSwan responder on my home bare-metal k3s cluster in order to be able to do the classic road-warrior setup: specifically, establish a tunnel from the internet and use it for web browsing as well as for access to the LAN (which is technically outside of the cluster).
I'm able to connect, but I think the iptables rules in the container might be messing stuff up. I'm not sure, but it certainly smells that way.