[SOLVED] OpenVPN configuration - cannot connect but cannot read pods / cluster Ips

Hi everyone,

I’m trying to set up a VPN to access my cluster’s workloads without setting public endpoints. Service is deployed using the OpenVPN helm chart,

  • replacing L4 loadbalancer with a simple service discovery

  • edit configMap to allow TCP to go through the loadbalancer and reach the VPN

What does / doesn’t work:

  • Cannot ping public servers

  • Cannot ping Kubernetes services or pods

  • Can ping openvpn cluster IP “10.42.2.11”

My files
vars.yml:

```yaml
---
replicaCount: 1
nodeSelector:
  openvpn: "true"
openvpn:
  OVPN_K8S_POD_NETWORK: "10.42.0.0"
  OVPN_K8S_POD_SUBNET: "255.255.0.0"
  OVPN_K8S_SVC_NETWORK: "10.43.0.0"
  OVPN_K8S_SVC_SUBNET: "255.255.0.0"
persistence:
  storageClass: "local-path"
service:
  externalPort: 444
```

Connection works, but I’m not able to hit any ip inside my cluster.
The only ip I’m able to reach is the openvpn cluster ip.

openvpn.conf:

```
server 10.240.0.0 255.255.0.0
verb 3
key /etc/openvpn/certs/pki/private/server.key
ca /etc/openvpn/certs/pki/ca.crt
cert /etc/openvpn/certs/pki/issued/server.crt
dh /etc/openvpn/certs/pki/dh.pem
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto tcp
port 443
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
push "route 10.42.2.11 255.255.255.255"
push "route 10.42.0.0 255.255.0.0"
push "route 10.43.0.0 255.255.0.0"
push "dhcp-option DOMAIN-SEARCH openvpn.svc.cluster.local"
push "dhcp-option DOMAIN-SEARCH svc.cluster.local"
push "dhcp-option DOMAIN-SEARCH cluster.local"
```

client.ovpn:

```
client
nobind
dev tun
remote xxxx xxx tcp
CERTS CERTS
dhcp-option DOMAIN openvpn.svc.cluster.local
dhcp-option DOMAIN svc.cluster.local
dhcp-option DOMAIN cluster.local
dhcp-option DOMAIN online.net
```

Actually solved by adding a sidecar to the pods to execute:

```
net.ipv4.ip_forward=1
```

The sidecar needs privileged rights.

For anybody looking for a working sample, this is going to go into your openvpn deployment along side your container definition:

```yaml
  initContainers:
  - args:
    - -w
    - net.ipv4.ip_forward=1
    command:
    - sysctl
    image: busybox
    name: openvpn-sidecar
    securityContext:
      privileged: true
```
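An added note for anyone reusing the snippet above (this manifest is not the poster's nor the chart's; the pod and image names in it are placeholders). `privileged: true` hands the init container every Linux capability and an unmasked, writable `/proc` and `/dev` from the node, which is far more than a single sysctl needs. Kubernetes can apply the same setting through the pod's `securityContext.sysctls` field, with no privileged container at all. The caveat is that `net.ipv4.ip_forward` is not on kubelet's "safe" sysctl list, so the nodes that run the pod must start kubelet with `--allowed-unsafe-sysctls=net.ipv4.ip_forward`; without that flag the kubelet rejects the pod at admission. The two forms side by side:

```yaml
# Added example: enabling IP forwarding in the OpenVPN pod two ways.
# Pod names and the image tag are placeholders, not the chart's values.

# Form A: what the thread uses. Runs on any node, but the init container
# is fully privileged (all capabilities, writable /proc/sys) for the
# lifetime of that container.
apiVersion: v1
kind: Pod
metadata:
  name: openvpn-privileged-init
spec:
  initContainers:
  - name: enable-forwarding
    image: busybox
    command: ["sysctl", "-w", "net.ipv4.ip_forward=1"]
    securityContext:
      privileged: true
  containers:
  - name: openvpn
    image: openvpn-image:placeholder
---
# Form B: let the kubelet set the sysctl in the pod's network namespace.
# No privileged container. Requires each node's kubelet to run with
#   --allowed-unsafe-sysctls=net.ipv4.ip_forward
# The sysctls field is not permitted together with hostNetwork: true,
# which is fine here because the OpenVPN pod uses its own namespace.
apiVersion: v1
kind: Pod
metadata:
  name: openvpn-sysctl-field
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ip_forward
      value: "1"
  containers:
  - name: openvpn
    image: openvpn-image:placeholder
```

In the helm chart's Deployment the field belongs under `spec.template.spec.securityContext`. Whichever form is used, confirm the result from inside the running pod with `kubectl exec <pod> -- cat /proc/sys/net/ipv4/ip_forward`, which should print `1`; if it prints `0`, clients will still be able to reach the OpenVPN pod's own address but nothing behind it, exactly the symptom described in this thread.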