How to Set Up a VPN-Based Proxy Server in a Kubernetes Cluster

By -


Setting up a VPN-based proxy server in a Kubernetes cluster can provide additional privacy and security for services running in the cluster. This guide will walk you through the process of configuring a VPN-based proxy server using OpenVPN and deploying it within a Kubernetes environment. By using this setup, you can ensure that traffic from your pods is routed securely through the VPN tunnel, thereby protecting your internal services from direct exposure to the public internet.

Prerequisites

  • A Kubernetes cluster up and running (local or cloud-based).
  • kubectl configured to access the cluster.
  • Helm package manager installed on your machine.
  • Docker installed for building custom images (if necessary).

Step 1: Setting Up OpenVPN in Kubernetes

First, we need to deploy an OpenVPN server inside the Kubernetes cluster. You can use Helm to deploy OpenVPN quickly and efficiently.

helm repo add openvpn https://charts.openvpn.net/openvpn3/kubernetes
helm repo update
helm install openvpn openvpn/openvpn3

This command adds the OpenVPN Helm chart repository, updates it, and installs OpenVPN within your Kubernetes cluster. The OpenVPN server will be configured with the necessary certificates and configurations.

Step 2: Creating VPN Client Configuration

Once OpenVPN is running in the cluster, you need to create client configurations for the pods that will route traffic through the VPN. These configurations are critical as they define how the client connects to the VPN server.

You can generate client configurations using the following command:

openvpn3 config gen-client –config /etc/openvpn3/cacerts –name client_name

Copy the configuration file generated and ensure that it’s stored securely as it will be needed by the Kubernetes pods to initiate the VPN connection.

Step 3: Deploying a Proxy Server Using Nginx

Next, you will deploy an Nginx server to act as the proxy that forwards traffic through the VPN. This server will be used by other pods within the cluster to route their traffic through the VPN tunnel. You can create a simple Nginx configuration file that sets up a proxy server.

server {
    listen 80;
    location / {
        proxy_pass http://:;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Save this configuration and mount it as a ConfigMap inside your Kubernetes deployment for Nginx.

Step 4: Configuring the VPN Client in Kubernetes Pods

To make the pods route traffic through the VPN tunnel, you need to configure each pod with the OpenVPN client. First, create a Kubernetes secret to store the client configuration you generated earlier:

kubectl create secret generic vpn-client-config --from-file=client.ovpn=/path/to/client.ovpn

Then, update your pod’s deployment to mount the VPN client configuration and start the OpenVPN client. Below is an example of a deployment configuration for a pod that will use the VPN connection:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-service
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: my-service
    spec:
      containers:
      - name: my-service
        image: my-service-image
        volumeMounts:
        - name: vpn-config
          mountPath: /etc/openvpn/client.ovpn
          subPath: client.ovpn
        - name: vpn-credentials
          mountPath: /etc/openvpn/credentials
      volumes:
      - name: vpn-config
        secret:
          secretName: vpn-client-config
      - name: vpn-credentials
        secret:
          secretName: vpn-credentials

This configuration mounts the VPN client configuration and any necessary credentials to the pod. The OpenVPN client will use this configuration to connect to the OpenVPN server on startup.

Step 5: Configuring Network Policies

Finally, you may want to ensure that only specific services or pods within your Kubernetes cluster are able to access the VPN tunnel. You can achieve this by setting up Kubernetes network policies.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vpn-traffic-policy
spec:
  podSelector:
    matchLabels:
      app: my-service
  ingress:
    - from:
      - podSelector:
          matchLabels:
            app: vpn-client
      ports:
      - protocol: TCP
        port: 80

This network policy ensures that only traffic from pods labeled app: vpn-client is allowed to communicate with the service running through the VPN tunnel.

Step 6: Testing the Setup

Once everything is deployed, you should test the setup to verify that traffic is being routed correctly through the VPN. You can use curl or similar tools to test external access from within your Kubernetes pods. Check if the response headers indicate that the request has been routed through the VPN.

kubectl exec -it my-service- -- curl -I http://example.com

We earn commissions using affiliate links.

14 Privacy Tools You Should Have

Learn how to stay safe online in this free 34-page eBook.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top