🔐 Kubernetes native OpenVPN
Clone or download
pieterlange Merge pull request #58 from pieterlange/metrics
Change metrics collection from logs to prometheus
Latest commit d563f00 Apr 2, 2018



Docker Repository on Quay Docker Repository on Docker Hub


Simple OpenVPN deployment using native kubernetes semantics. There is no persistent storage, CA management (key storage, cert signing) needs to be done outside of the cluster for now. I think this is better - unless you leave your keys on your dev laptop.


The main motivator for this project was having the ability to route service requests back to local apps (running on the VPN client), making life much easier for development environments where developers cannot run the entire app stack locally but need to iterate on 1 app quickly.


First, you need to initialize your PKI infrastructure. Easyrsa is bundled in this container, so this is fairly easy. Replace OVPN_SERVER_URL with your endpoint to-be.

$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn:z -ti ptlange/openvpn ovpn_initpki

Follow the instructions on screen. Remember (or better: securely store) your secure password for the CA. You are now left with a pki folder in your current working directory.

Generate the initial Certificate Revocation List. This file needs to be updated every $EASYRSA_CRL_DAYS. All clients will be blocked when this file expires.

$ docker run --user=$(id -u) -e EASYRSA_CRL_DAYS=180 -v $PWD:/etc/openvpn:z -ti ptlange/openvpn easyrsa gen-crl

Getting service_cidr and pod_cidr within google cloud:


gcloud container clusters describe <your clustername> | grep servicesIpv4Cidr


gcloud container clusters describe <your clustername> | grep clusterIpv4Cidr

Deploy the VPN server (namespace needs to exist already):

$ ./kube/deploy.sh
Usage: ./kube/deploy.sh <namespace> <OpenVPN URL> <service cidr> <pod cidr>

$ ./kube/deploy.sh default tcp://vpn.my.fqdn:1194
secret "openvpn-pki" created
configmap "openvpn-settings" created
configmap "openvpn-ccd" created
deployment "openvpn" created
You have exposed your service on an external port on all nodes in your
cluster.  If you want to expose this service to the external internet, you may
need to set up firewall rules for the service port(s) (tcp:30xxx) to serve traffic.

See http://releases.k8s.io/release-1.3/docs/user-guide/services-firewalls.md for more details.
service "openvpn-ingress" created

Your VPN endpoint is now reachable on every node in the cluster on port 30XXX. This port can be easily exposed by setting the Type field of the openvpn Service to LoadBalancer if you're running your cluster within a public cloud. Assign the correct CNAME/A address to your loadbalancer or replace the original servername with the DNS name of your newly created loadbalancer in your client configuration.

Accessing the cluster

With the pki still in $PWD/pki we can create a new VPN user and grab the .ovpn configuration file:

# Generate VPN client credentials for CLIENTNAME without password protection; leave 'nopass' out to enter password
$ docker run --user=$(id -u) -v $PWD:/etc/openvpn:z -ti ptlange/openvpn easyrsa build-client-full CLIENTNAME nopass
$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn:z --rm ptlange/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

CLIENTNAME.ovpn can now be used to connect to the cluster and interact with k8s services and pods directly. Whoohoo!

One-way traffic

Routing back to the client

In order to route cluster traffic back to a service running on the client, we need to assign CLIENTNAME a static IP. If you have not configured an $OVPN_NETWORK you need to pick something in the range.

Edit the CCD (client configuration directory) configmap:

$ kubectl edit configmap openvpn-ccd

Look at the example and add another entry for the CLIENTNAME you added before. You do not have to restart openvpn but if you are already connected you will need to reconnect to get the static IP.

Next you have to define what port on the openvpn pod to route back to the client. The port forwarding will automatically load after the configmap has been updated.

$ kubectl edit configmap openvpn-portmapping

Two-way traffic

You can now reach the openvpn client! If you want to substitute a kubernetes service for a service running on the client, simply modify the label selector to match your openvpn endpoint address and the targetPort just configured in the openvpn-portmapping configmap.

Exampe service definition routing service myapp on port 80 to the example client's service running on port 80.

apiVersion: v1
kind: Service
  name: myapp
  - port: 80
    targetPort: 20080
    openvpn: vpn.my.fqdn

Custom openvpn configuration

User-specific settings need to be set in the client config directory by editing the openvpn-ccd ConfigMap

You can also use your own openvpn configuration by mounting in a openvpn.tmpl file in /etc/openvpn/templates/. Create your own openvpn.tmpl from the example in this repository. Load it into a configmap with kubectl create configmap openvpn-template --from-file=openvpn.tmpl. Now edit the openvpn deployment configuration and add in an extra mountpoint at /etc/openvpn/templates for the openvpn-template configmap.

Note that you can use environment variables in the template!

Updating the CRL

Use the crl-update.sh script. This extends the CRL for another 182 days by default. If you automate this i recommend setting this far shorter.

$ ./kube/update-crl default


NONE. See next section.


Please file issues on github. PR's are welcomed.


I used kylemanna/openvpn extensively for a long time and lend quite a few of his scripts for easing the PKI handling. offlinehacker/openvpn-k8s provided some inspiration as well and showed i can run openvpn without any persistent storage, prompting me to write this collection of scripts.