SoftEther VPN opens up the Kubernetes debugging network

SoftEther VPN introduction

Open up the Kubernetes debugging network through SoftEther VPN; with the variant that has no split-tunneling restriction, you can push custom routes to the clients.

Kubernetes provides a variety of ways to expose services externally. For development and debugging, using a VPN to connect the local development environment to the cluster network is very convenient.

The main reasons for choosing SoftEther VPN are:

- multiple VPN access methods through a single port, such as the SoftEther VPN Client and OpenVPN
- unified account management, group management, permission control, split tunneling, and other functions

SoftEther VPN deployment options

Custom deployment: supports split tunneling; the management client has to be downloaded to manage it.

Quick deployment without configuration: does not support split tunneling and cannot be connected to for remote management, but it works out of the box.

Custom deployment

Uses the image abyssviper/softethervpn. The image is built on the Alpine base image and keeps only the VPN server, so it is very lightweight, and it can push custom routes to VPN clients.

Full configuration file

Create the release configuration file deployment-softethervpn.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpn
  namespace: devops
spec:
  selector:
    matchLabels:
      app: softether-vpnserver
  template:
    metadata:
      labels:
        app: softether-vpnserver
    spec:
      containers:
      - name: softether-vpn-alpine
        image: abyssviper/softethervpn
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 5555
          name: connect
          protocol: TCP
        livenessProbe:
          tcpSocket:
            port: 5555
          initialDelaySeconds: 60
          timeoutSeconds: 5
          failureThreshold: 12
        readinessProbe:
          tcpSocket:
            port: 5555
        resources:
          limits:
            cpu: 1000m
            memory: 200Mi
          requests:
            cpu: 500m
            memory: 100Mi
        # the configuration file and the three log folders live on the PVC
        volumeMounts:
        - name: softether-vpn-storge
          subPath: softethervpn/vpn_server.config
          mountPath: /opt/vpnserver/vpn_server.config
        - name: softether-vpn-storge
          subPath: softethervpn/server_log
          mountPath: /opt/vpnserver/server_log
        - name: softether-vpn-storge
          subPath: softethervpn/packet_log
          mountPath: /opt/vpnserver/packet_log
        - name: softether-vpn-storge
          subPath: softethervpn/security_log
          mountPath: /opt/vpnserver/security_log
      volumes:
      - name: softether-vpn-storge
        persistentVolumeClaim:
          claimName: vpn-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: vpn
  namespace: devops
spec:
  selector:
    app: softether-vpnserver
  type: NodePort
  ports:
  - name: connect
    port: 5555
    nodePort: 30003
```

Create the PV and PVC configuration file pvc-softethervpn.yaml; this article uses NFS:

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: vpn-pv
spec:
  capacity:
    storage: 100Gi
  accessModes:
  - ReadWriteMany
  persistentVolumeReclaimPolicy: Delete
  nfs:
    server: 192.168.7.40
    path: /data/kubernetes
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vpn-pvc
  namespace: devops
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
```

First apply the PV and PVC configuration, then the deployment:

```shell
kubectl apply -f pvc-softethervpn.yaml
kubectl apply -f deployment-softethervpn.yaml
```

Management

Management tool download
Use the Manager tool officially provided by SoftEther VPN (download link).

Connection configuration
Configure the server address and port; on the first connection the management password has to be set manually.

Configure SecureNAT and users
After the connection succeeds, open Manage Virtual HUB (A) -> Virtual NAT and Virtual DHCP Server (V) -> Enable SecureNAT (E) -> SecureNAT Configuration (C).

- Gateway configuration: if it is filled in, all traffic from the local VPN client is routed to the server by default and no route push is needed; the recommended approach is to keep the local gateway and push routes instead.
- DNS configuration: if DNS resolution is needed (for example my-nginx.default.svc.cluster.local), configure the Service address of the cluster's CoreDNS here.
- Route push: the format is as shown in the figure, IP network address/subnet mask/gateway IP address, where the gateway IP address is the gateway address configured in SecureNAT. Generally the Kubernetes Calico network segment and the SVC network segment need to be pushed.

In Manage Virtual HUB (A), add a user.
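The route push entries described above can be generated and sanity-checked before they are pasted into the SecureNAT configuration. This is an added example, not code from the article or from SoftEther; the pod and Service CIDRs, the SecureNAT subnet and the comma separator between entries are assumptions.

```python
import ipaddress

# Added example, not code from the article or SoftEther: build the SecureNAT
# "push static routing table" string in the network/netmask/gateway form the
# article describes and sanity-check the input first. The comma separator
# between entries and the sample CIDRs in __main__ are assumptions.

def push_route_problems(segments, securenat_gateway, securenat_network):
    """Return reasons the input should not be pushed; an empty list means OK."""
    problems = []
    gw = ipaddress.ip_address(securenat_gateway)
    vnet = ipaddress.ip_network(securenat_network)
    if gw not in vnet:
        problems.append(f"gateway {gw} is not inside the SecureNAT network {vnet}")
    seen = []
    for cidr in segments:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if net.prefixlen == 0:
            problems.append(f"{net} is a default route and would defeat split tunneling")
        elif net.overlaps(vnet):
            problems.append(f"{net} overlaps the SecureNAT network {vnet}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems

def build_push_routes(segments, securenat_gateway, securenat_network):
    """Return the comma-separated push list, or raise ValueError listing every problem."""
    problems = push_route_problems(segments, securenat_gateway, securenat_network)
    if problems:
        raise ValueError("; ".join(problems))
    entries = []
    for cidr in segments:
        net = ipaddress.ip_network(cidr)
        entries.append(f"{net.network_address}/{net.netmask}/{securenat_gateway}")
    return ",".join(entries)

if __name__ == "__main__":
    # Constructed sample: kubeadm-style pod and Service CIDRs, and SoftEther's
    # default SecureNAT subnet 192.168.30.0/24 with gateway 192.168.30.1.
    print(build_push_routes(["10.244.0.0/16", "10.96.0.0/12"],
                            "192.168.30.1", "192.168.30.0/24"))
```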

Configure OpenVPN
Through the VPN management tool, enable the OpenVPN function and generate the OpenVPN client sample configuration file.

After unzipping, edit access_l3.ovpn and modify it according to the following configuration, where:

- remote: the address of the VPN Service published in Kubernetes above
- proto: use TCP as the connection protocol (UDP also works, but then the port mapping in the YAML that publishes the VPN must be changed to match)
- ca: add the ca tag and fill in the certificate information from the VPN Server configuration; see below for how to obtain it

```ini
dev tun
proto tcp
remote 192.168.7.200 30003
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
Obtained from the following configuration
-----END CERTIFICATE-----
</ca>
```

The certificate information can be found by opening Edit Settings (D) or Encryption & Networking (E) and exporting the profile.
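Before handing the edited access_l3.ovpn to developers, it is worth checking that it matches the Service published above (nodePort 30003, TCP) and that the ca block has really been filled in. This is an added example, not code from the article, SoftEther or OpenVPN; the parse_ovpn and check_ovpn functions and the sample profile are constructed here.

```python
import re

# Added example, not code from the article, SoftEther or OpenVPN: parse the edited
# access_l3.ovpn (directives plus inline <ca> blocks) and check it against the Service.

def parse_ovpn(text):
    directives, blocks, tag, body = {}, {}, None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if tag:                                  # inside <tag> ... </tag>
            if line == f"</{tag}>":
                blocks[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
        elif line and line[0] not in "#;":       # skip blank lines and comments
            if re.fullmatch(r"<[\w-]+>", line):
                tag = line[1:-1]
            else:
                name, *args = line.split()
                directives.setdefault(name, []).append(args)
    return directives, blocks

def check_ovpn(text, node_port, service_proto):
    """Return findings; an empty list means the profile matches the Service."""
    d, b = parse_ovpn(text)
    findings = []
    for args in d.get("remote") or [[]]:
        if len(args) < 2 or args[1] != str(node_port):
            findings.append(f"remote {' '.join(args)!r} does not use nodePort {node_port}")
    proto = d.get("proto", [["udp"]])[0][0]      # OpenVPN defaults to udp
    if proto != service_proto.lower():
        findings.append(f"proto {proto} but the Service exposes {service_proto}")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing; SoftEther users log in as user@HUB")
    ca = b.get("ca", "")
    if "-----BEGIN CERTIFICATE-----" not in ca:
        findings.append("<ca> block missing or not PEM")
    elif not re.search(r"^[A-Za-z0-9+/=]{40,}$", ca, re.M):
        findings.append("<ca> still holds placeholder text, not the server certificate")
    return findings

# Constructed sample: the article's template with the placeholder still inside <ca>.
SAMPLE_OVPN = """proto tcp
remote 192.168.7.200 30003
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Obtained from the following configuration
-----END CERTIFICATE-----
</ca>
"""
```

Running check_ovpn(SAMPLE_OVPN, 30003, "TCP") reports only the unfilled ca block; once a real PEM body is pasted in, the profile passes.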

Connect

SoftEther VPN Client
Download the client from the official website (https://www.softether-download.com/?product=softether) and connect; it is suitable for Windows and Linux. On Linux and OSX, using OpenVPN is recommended.
You need to fill in the host name, port number, virtual HUB name, and account password.
The SoftEther VPN Client supports connecting to multiple VPN Servers at the same time; just create multiple virtual network adapters.

OpenVPN
Download the OpenVPN client: Windows download link, OSX download link.
Connect using the configuration file edited above.
A SoftEther VPN Server can host multiple virtual HUBs; with OpenVPN, select the HUB by logging in as username@HUB. A bare user name defaults to the Default HUB.
For example, for user test in the VPN HUB, the user name is test@VPN.

Verify

After the VPN connection succeeds, you can configure DNS resolution and run an access test.
Take ArgoCD as an example for the access test.

Data persistence

Configuration persistence: only vpn_server.config needs to be persisted.
Log persistence: the three folders server_log, packet_log and security_log can be persisted.
Note: SoftEther VPN Server does not write vpn_server.config immediately after the configuration changes (adding users, changing SecureNAT, etc.).

Quick deployment without configuration

For the quick deployment the chosen image is siomiz/softethervpn. This image also has an Alpine-based version; it performs a quick initialization when the container starts and creates a usable account, which is very convenient. However, this image does not support split tunneling and cannot push custom routes.

Configuration file
Create the release configuration file deployment-softethervpn.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpn        # lowercase DNS label; the log command below uses pod vpn-... in namespace devops
  namespace: devops
spec:
  selector:
    matchLabels:
      app: softether-vpnserver
  template:
    metadata:
      labels:
        app: softether-vpnserver
    spec:
      containers:
      - name: softether-vpn-alpine
        image: siomiz/softethervpn
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 5555
          name: connect
          protocol: TCP
        livenessProbe:
          tcpSocket:
            port: 5555
          initialDelaySeconds: 60
          timeoutSeconds: 5
          failureThreshold: 12
        readinessProbe:
          tcpSocket:
            port: 5555
        resources:
          limits:
            cpu: 1000m
            memory: 200Mi
          requests:
            cpu: 500m
            memory: 100Mi
---
apiVersion: v1
kind: Service
metadata:
  name: vpn
  namespace: devops
spec:
  selector:
    app: softether-vpnserver
  type: NodePort
  ports:
  - name: connect
    port: 5555
    nodePort: 30003
```

Publish to Kubernetes

```shell
kubectl apply -f deployment-softethervpn.yaml
```

View connection information

View the log output to see the SoftEther VPN account and the OpenVPN configuration file generated by default:

```shell
kubectl logs -f -n devops vpn-b55fb8f4-jmxqh
```

In the output below, the user name is user9703, the password is 6758.1071.6532.2086.9735, and the OpenVPN configuration file and other information follow.
The proto and remote values of the OpenVPN connection need to be changed to suitable ones; see Custom Deployment for details.
```text
# [!!] This image requires --cap-add NET_ADMIN
# =========================
# user9703
# 6758.1071.6532.2086.9735
# =========================
# Version 4.34 Build 9745 (English)
dev tun
proto udp
remote _unregistered_vpn528125132.v4.softether.net 1194
;http-proxy-retry
;http-proxy [proxy server] [proxy port]
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted)
-----END CERTIFICATE-----
</ca>

;<cert>
;-----BEGIN CERTIFICATE-----
;
;-----END CERTIFICATE-----
;</cert>

;<key>
;-----BEGIN RSA PRIVATE KEY-----
;
;-----END RSA PRIVATE KEY-----
;</key>

# Creating user(s): user9703
# [initial setup OK]
```
