@redscaresu
Forked from adawolfs/strongswan.yaml
Created September 22, 2020 12:52
This deployment uses the https://hub.docker.com/r/hanyifeng/alpine-ikev2-vpn container to run an IPsec (IKEv2) server with strongSwan on Kubernetes and OpenShift.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vpn
spec:
  selector:
    matchLabels:
      app: vpn
  serviceName: vpn
  replicas: 1
  template:
    metadata:
      labels:
        app: vpn
    spec:
      containers:
        - name: vpn
          image: hanyifeng/alpine-ikev2-vpn
          imagePullPolicy: Always
          env:
            - name: VPNUSER
              value: vpn-user
            - name: VPNPASS
              value: please_change_me
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
          securityContext:
            privileged: true  # <---- Required to access the kernel IPsec features
          ports:
            - containerPort: 500
              # hostPort: 500  <--- You can enable hostPort, but it is not good practice
              name: vpn-isakmp
              protocol: UDP
            - containerPort: 4500
              # hostPort:  <--- You can enable hostPort, but it is not good practice
              name: vpn-ike
              protocol: UDP
          volumeMounts:
            - mountPath: /lib/modules
              name: modules
      volumes:
        - name: modules
          hostPath:
            path: /lib/modules
```
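The manifest above carries the VPN password as a plain `value:` in the pod spec, so it ends up in version control, in `kubectl get statefulset -o yaml` output and in any audit log that records the object. The usual fix is to keep the credentials in a Secret and reference them from the container. The following is an added example, not part of the gist: it assumes a Secret named `vpn-credentials` (my name) and uses a placeholder where the real password would go.

```yaml
# Added example (not from the gist). Create the Secret out of band, e.g. from
# a generated password, rather than committing the real value to this file.
apiVersion: v1
kind: Secret
metadata:
  name: vpn-credentials      # assumed name, referenced by the env block below
type: Opaque
stringData:
  VPNUSER: vpn-user
  VPNPASS: REPLACE_WITH_A_GENERATED_PASSWORD   # placeholder, not a real value
---
# Replacement for the two literal VPNUSER/VPNPASS entries in the StatefulSet's
# container env; HOST_IP stays as in the gist (fieldRef to status.hostIP).
env:
  - name: VPNUSER
    valueFrom:
      secretKeyRef:
        name: vpn-credentials
        key: VPNUSER
  - name: VPNPASS
    valueFrom:
      secretKeyRef:
        name: vpn-credentials
        key: VPNPASS
  - name: HOST_IP
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
```

The container image still receives the same two environment variables, so no change to the image is needed; what changes is that the password is no longer visible to anyone who can read the StatefulSet object, only to those with `get` on the Secret (and to the node that schedules the pod).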
---

```yaml
# You will have to configure your client to use node ports 30500 and 30501,
# or put something like nginx with the stream module in front of the nodes
# to forward UDP traffic arriving on ports 500 and 4500:
# https://nginx.org/en/docs/stream/ngx_stream_core_module.html
# Remember that nginx stream does not support domain-based (name-based) reverse proxying.
kind: Service
apiVersion: v1
metadata:
  name: vpn
spec:
  selector:
    app: vpn
  type: NodePort
  ports:
    - name: vpn-isakmp
      port: 500
      targetPort: vpn-isakmp
      protocol: UDP
      nodePort: 30500
    - name: vpn-ike
      port: 4500
      targetPort: vpn-ike
      protocol: UDP
      nodePort: 30501
```
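The comment above suggests fronting the NodePorts with nginx so that clients can keep using the standard IKE ports. This is an added example of that stream configuration, not part of the gist; it assumes nginx built with the stream module (`--with-stream`) and a single worker node reachable at the constructed address `192.0.2.10`.

```nginx
# Added example (not from the gist). Main-context nginx.conf fragment that
# forwards IKE (UDP/500) and IKE NAT-T / ESP-in-UDP (UDP/4500) to the
# NodePorts from the Service above. 192.0.2.10 is a constructed node address.
events {}

stream {
    upstream vpn_isakmp {
        server 192.0.2.10:30500;   # nodePort for vpn-isakmp
    }
    upstream vpn_ike_natt {
        server 192.0.2.10:30501;   # nodePort for vpn-ike
    }

    # Clients send IKE_SA_INIT to the standard port 500
    server {
        listen 500 udp;
        proxy_pass vpn_isakmp;
        proxy_timeout 10m;         # idle-session teardown (this is nginx's default)
    }

    # After NAT detection the peers move to 4500 for IKE and ESP-in-UDP
    server {
        listen 4500 udp;
        proxy_pass vpn_ike_natt;
        proxy_timeout 10m;
    }
}
```

Because nginx terminates the UDP session and re-originates it, strongSwan sees the proxy's address as the peer rather than the real client, so its logs and any per-source rate limiting operate on the proxy address; forwarding only by port (never by name) is what the gist's comment about the lack of domain-based proxying refers to. If more than one worker node runs the pod, list each node in the `upstream` blocks; the NodePort is identical on every node.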