OpenVPN

Overview

The source code and default configuration of the Building Block are available on our code.sysEleven.de. For information on release notes and new features, please follow Release note on openvpn.

Openvpn

Authentication and authorization component to securely access your internal cluster resources.

Prerequisites on Openvpn

You need to provide a storage provider for this Building Block. Proceed with the following prerequisite description to use the Velero Building Block out of the box.

The recommended resources are listed in the table below.

CPU / vCPU | Memory
---------- | -------
3          | 6000MiB

No further activities need to be carried out in advance.

Adding the Building Block

Add the directory syseleven-openvpn to your control repository. Add a .gitlab-ci.yml to the directory with the following content:

include:
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobDevelopment.yaml
    ref: 3.24.0
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobStaging.yaml
    ref: 3.24.0
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobProduction.yaml
    ref: 3.24.0

Remove environments you are not using by removing their include.

Required configuration

No configuration is required.

Configuring external-dns

You can set up external-dns to automatically publish your OpenVPN server in your DNS zone.
Add the following YAML to your values-*.yaml file:

service:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: vpn.myhostname.com

openvpn:
  clientConfServer: "vpn.myhostname.com"

Create a client certificate

When deploying, the helm chart prints the following commands to the shell. If you changed any of the configuration, check the CI pipeline deploy run for the appropriate commands.

# Set the name for the key (one key per user)
KEY_NAME=example-user

# Locate the OpenVPN pod, its service and the public load-balancer address
POD_NAME=$(kubectl get pods --namespace "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_NAME=$(kubectl get svc --namespace "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_IP=$(kubectl get svc --namespace "syseleven-managed-openvpn" "$SERVICE_NAME" -o go-template='{{ range $k, $v := (index .status.loadBalancer.ingress 0)}}{{ $v }}{{end}}')

# Generate the client certificate inside the pod; "--" separates kubectl flags from the command
kubectl --namespace "syseleven-managed-openvpn" exec -it "$POD_NAME" -- /etc/openvpn/setup/newClientCert.sh "$KEY_NAME" "$SERVICE_IP"
# Copy the generated profile out; use -i without -t so no carriage returns end up in the file
kubectl --namespace "syseleven-managed-openvpn" exec -i "$POD_NAME" -- cat "/etc/openvpn/certs/pki/$KEY_NAME.ovpn" > "$KEY_NAME.ovpn"

Copy the resulting $KEY_NAME.ovpn file to your OpenVPN client (e.g. in Tunnelblick, just double-click the file). Do this for each user that needs to connect to the VPN, changing KEY_NAME for each additional user.
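Before handing a generated profile to a user, it is worth checking that it points at the hostname configured in clientConfServer and was not mangled on the way out of the pod (a kubectl exec with a tty attached can leave carriage returns in the redirected file). The check below is an added example and not part of the chart; the sample profile content and the placeholder PEM bodies are constructed.

```shell
# Added example (not part of the chart): sanity-check a client profile produced by
# newClientCert.sh before handing it to a user. Assumes the profile embeds ca/cert/key inline.
check_ovpn_profile() {
  profile="$1"
  expected_host="$2"
  status=0
  # A carriage return means the file came out of 'kubectl exec -t' with a tty attached.
  if grep -q "$(printf '\r')" "$profile"; then
    echo "$profile: contains CR characters, regenerate with 'kubectl exec -i' (no -t)" >&2
    status=1
  fi
  # The remote directive must match the hostname set in openvpn.clientConfServer.
  host_re=$(printf '%s' "$expected_host" | sed 's/\./\\./g')
  if ! grep -Eq "^remote[[:space:]]+$host_re([[:space:]]|$)" "$profile"; then
    echo "$profile: no 'remote $expected_host' line; check clientConfServer" >&2
    status=1
  fi
  # Inline credential blocks must be present and closed, otherwise the client has nothing to present.
  for block in ca cert key; do
    if ! grep -q "^<$block>" "$profile" || ! grep -q "^</$block>" "$profile"; then
      echo "$profile: missing or unterminated <$block> block" >&2
      status=1
    fi
  done
  return "$status"
}

# Writes a constructed sample profile (placeholder PEM bodies) for demonstration.
write_sample_profile() {
  cat > "$1" <<EOF
remote $2 443 tcp
<ca>
PLACEHOLDER-CA
</ca>
<cert>
PLACEHOLDER-CERT
</cert>
<key>
PLACEHOLDER-KEY
</key>
EOF
}

sample=$(mktemp)
write_sample_profile "$sample" vpn.myhostname.com
check_ovpn_profile "$sample" vpn.myhostname.com && echo "$sample: profile looks usable"
rm -f "$sample"
```

Run it against a real profile with `check_ovpn_profile "$KEY_NAME.ovpn" vpn.myhostname.com`; a non-zero exit and a message on stderr mean the file should be regenerated rather than distributed.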

Revoking certificates

To revoke a certificate, execute the following:

# This needs to be the same name the certificate was generated with
KEY_NAME=example-user

# Locate the OpenVPN pod and run the revocation script inside it
POD_NAME=$(kubectl get pods -n "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{.items[0].metadata.name}')
kubectl -n "syseleven-managed-openvpn" exec -it "$POD_NAME" -- /etc/openvpn/setup/revokeClientCert.sh "$KEY_NAME"

As with the creation of certificates, if you changed any configuration, please check the CI pipeline deploy run for the appropriate commands.

Monitoring

Additional alertrules

  • None

Additional Grafana dashboards

  • None

Scaling Setup

Technical limitations of the OpenVPN Building Block:

  • Currently the upstream OpenVPN helm chart is designed to run only with replicas=1
  • Requests/limits for CPU and memory can be adjusted

Release-Notes

Please find more information on release notes and new features at Release notes OpenVPN.