Running OpenVPN in Kubernetes
I condemn Russian invasion to Ukraine. I hope the war ends soon. I wish Ukrainians can take their country back and start rebuilding. I wish there was no more suffering.
There is another, less bloody but still important war happening right now. The informational war between Putin and regular residents of Russia. It's been going on for a really long time but escalated dramatically in the last few weeks. Thousands of people were arrested for participating in anti-war protests. Many, if not all independent news sources were blocked so that Putin can continue spreading lies through the government-controlled channels without facing any criticism. And the sad part is that Putin appears to be winning this war. Many Russians are now brainwashed. I've been watching for years how many of my acquaintances become angrier and more and more radicalized. Thanfully my close friends (those few who are still in Russia) were spared and still have their critical thinking intact. But for how long?
So I've decided to help them and set up a VPN service which will help them to get access to free information.
OpenVPN
I've decided to do it using OpenVPN. Primarily because I've used it before and was somewhat familiar with it. But also because it can work over https on tcp port 443 which should hopefully make it a bit harder to detect & block.
And, since I already had a hammer Kubernetes cluster, I've decided to run it there.
Docker image
I could not find an up-to-date and supported image for OpenVPN so I've built my own here. It is based on Gentoo and the Dockerfile is in my sundry repo.
Server setup
CA and keys
While OpenVPN supports several authorization/authentication methods, I've decided to use a fairly simple way of setting up PKI (public key infrastructure). It is possible to set PKI via unsecure channel, but I had a secure one so I've decided to just generate certificate authority along with server and client keys in one place and then just distribute generated files as appropriate.
I've used easy-rsa for this:
alias easyrsa=/usr/share/easy-rsa/easyrsa easyrsa init-pki easyrsa build-ca nopass # Put your server name instead of example.com easyrsa build-server-full example.com nopass # Place distinguishable client name instead of 'username1' easyrsa build-client-full username1 nopass easyrsa build-client-full username2 nopass easyrsa gen-dh
The set of command created CA (with public and private keys), server key and two pairs of private/public keys for two clients. OpenVPN server would need server key, clients will need their private/public pair, and everyone will need CA public certificate. All of these are placed into not-so-trivial folder hierarchy under pki/.
The following script took care of packaging necessary for server files in a flat directory and storing it as Kubernetes secret:
#!/bin/bash mkdir -p etc-openvpn cp pki/ca.crt etc-openvpn cp pki/issued/example.com.crt etc-openvpn cp pki/private/example.com.key etc-openvpn cp pki/dh.pem etc-openvpn kubectl -n vpn create secret generic etc-openvpn --dry-run=client --from-file=etc-openvpn -o yaml > openvpn-config.yaml kubectl apply -f openvpn-config.yaml kubectl -n vpn rollout restart deployment openvpn-tcp
Server config
For now I've just set OpenVPN via TCP on port 30749. It had to be in range 30000-31000 so I can use NodePort service later on. It does not use TLS auth so may be vulnerable to DOS, and does not provide adequate protection from MITM. The goal of the service is to circumvent censorship, not to provide perfect security. I expect my clients to use https and other secure protocols, though DNS may be still vulnerable.
I've used following server config:
proto tcp port 30749 dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/example.com.crt key /etc/openvpn/example.com.key dh /etc/openvpn/dh.pem topology subnet # Give clients IP in 10.185.162.0/24 server 10.185.162.0 255.255.255.0 # Set default gateway through VPN push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" # Allows same client to connect more than once. duplicate-cn keepalive 10 120 max-clients 10 # Enable compression compress lz4-v2 push "compress lz4-v2" allow-compression yes user openvpn group openvpn persist-key persist-tun log /dev/stdout # Logging settings verb 4 mute 20 # run /etc/openvpn/up.sh when the connection is set up. This will set up NAT. script-security 2 up "/bin/sh /etc/openvpn/up.sh"
up.sh script sets up NAT so that clients have Internet connectivity:
#!/bin/sh set -e echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 10.185.162.0/24 -o eth0 -j MASQUERADE
The config and up.sh are put into etc-openvpn folder and therefore put into etc-openvpn Secret by the above script.
In order for iptables command in up.sh to work, ip_tables module needs to be loaded on the host. I did this by running modprobe ip_tables on all of my Kubernetes hosts, and by putting "ip_tables" to /etc/modules-load.d/iptables.conf.
Kubernetes deployment
Here's how my deployment currently looks like:
apiVersion: apps/v1 kind: Deployment metadata: name: openvpn-tcp namespace: vpn labels: app: openvpn-tcp spec: replicas: 1 selector: matchLabels: app: openvpn-tcp strategy: type: Recreate template: metadata: labels: app: openvpn-tcp spec: containers: - name: openvpn-tcp image: vrusinov/openvpn:2.5.2-r1 command: ["/bin/openvpn"] args: - "/etc/openvpn/openvpn.conf" ports: - name: ovpn containerPort: 30749 protocol: TCP resources: requests: cpu: "0.01" memory: "16Mi" limits: cpu: "1" memory: "32Mi" volumeMounts: - name: openvpn-config-volume mountPath: /etc/openvpn/ securityContext: capabilities: add: - NET_ADMIN - SYS_ADMIN privileged: true securityContext: runAsUser: 0 runAsGroup: 0 # 394 is the ID of the `openvpn` user in my image. fsGroup: 394 volumes: - name: openvpn-config-volume secret: defaultMode: 420 secretName: etc-openvpn
The main downside is that since OpenVPN needs to create new network interfaces, it had to run in privileged mode with some dangerous capabilities. In theory it should have been possible to run in non-privileged mode just with capabilities but I didn't manage to figure it out yet.
Kubernetes service
I've used NodePort service so that clients can connect to the server:
apiVersion: v1 kind: Service metadata: name: openvpn-tcp namespace: vpn spec: selector: app: openvpn-tcp ports: - name: ovpn-tcp protocol: TCP port: 30749 targetPort: 30749 nodePort: 30749 type: NodePort
Client setup
I've created following template for the client config:
client dev tun proto tcp4 nobind resolv-retry infinite remote example.com 30749 # Try to preserve some state across restarts. persist-key persist-tun comp-lzo verb 3
It's only the template because it's missing certificates. I've created make-ovpn.sh script to create per-user .ovpn file which can be then shared with clients and used by either Linux or Windows clients:
#!/bin/bash # Creates ovpn file with bundled keys client_name=$1 F="${client_name}.ovpn" cp openvpn-client.conf $F if [[ ! -f pki/private/${client_name}.key ]] then easyrsa build-client-full $client_name nopass fi echo "<ca>" >> $F cat pki/ca.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $F echo "</ca>" >> $F echo "<cert>" >> $F cat pki/issued/${client_name}.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $F echo "</cert>" >> $F echo "<key>" >> $F cat pki/private/${client_name}.key >> $F echo "</key>" >> $F
Now, I could create all necessary keys and client-specific config by running ./make-ovpn test. This would create test.ovpn file which can be later used by clients like so: openvpn test.ovpn.
Future work
This was set up in a relatively quick and dirty way. There are many possible incremental improvements, especially for security and hardening:
- Set up server certificate verification to prevent MITM.
- Set up tls-auth.
- Limit egress from OpenVPN using
NetworkPolicy. - Set up UDP server.
- Set up server working through Ingress on port 443.
- Remove dangerous privileges from OpenVPN container and try to run it as a regular user.
- Set up IPv6.
- Create
down.shscript to clean up NAT properly. - Tighten up OpenVPN deployment - set up probes, run more than one instance, etc.
Comments