OpenVPN

The source code and default configuration of the Building Block is available in our GitLab.

Adding the Building Block

Add the directory syseleven-openvpn to your control repository. Add a .gitlab-ci.yml to the directory with the following content:

include:
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobDevelopment.yaml
    ref: 3.0.1
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobStaging.yaml
    ref: 3.0.1
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobProduction.yaml
    ref: 3.0.1

Remove environments you are not using by removing their include.

Required configuration

No configuration is required.

Configuring external-dns

You can set up external-dns to automatically publish your OpenVPN server to your DNS zone.
Add the following yaml to your values-*.yaml file:

service:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: vpn.myhostname.com

openvpn:
  clientConfServer: "vpn.myhostname.com"

Create a client certificate

The Helm chart prints the following commands to the shell when deploying. If you changed any of the configuration, check the CI pipeline deploy run for the appropriate commands.

# Set the name for the key
KEY_NAME=example-user

# Find the OpenVPN pod and the LoadBalancer address clients will connect to
POD_NAME=$(kubectl get pods --namespace "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_NAME=$(kubectl get svc --namespace "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_IP=$(kubectl get svc --namespace "syseleven-managed-openvpn" "$SERVICE_NAME" -o go-template='{{ range $k, $v := (index .status.loadBalancer.ingress 0)}}{{ $v }}{{end}}')

# Generate the client certificate inside the pod ("--" separates kubectl flags from the command)
kubectl --namespace "syseleven-managed-openvpn" exec -it "$POD_NAME" -- /etc/openvpn/setup/newClientCert.sh "$KEY_NAME" "$SERVICE_IP"
# Export the profile without a TTY, so the output is not rewritten with CRLF line endings
kubectl --namespace "syseleven-managed-openvpn" exec "$POD_NAME" -- cat "/etc/openvpn/certs/pki/$KEY_NAME.ovpn" > "$KEY_NAME.ovpn"

Copy the resulting $KEY_NAME.ovpn file to your OpenVPN client (e.g. in Tunnelblick, just double-click the file). Do this for each user that needs to connect to the VPN, changing KEY_NAME for each additional user.
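Before handing an exported profile to a user, it is worth checking that it is complete and points at the hostname you published (the clientConfServer value above). The following POSIX shell function is an added example, not part of the Building Block or the upstream chart; it assumes the usual inline profile layout (a `remote <host> <port>` line plus embedded `<ca>`, `<cert>` and `<key>` blocks) and also catches the CRLF line endings that a TTY-backed export produces.

```shell
#!/bin/sh
# Added example (not from the Building Block or the upstream Helm chart):
# sanity-check an exported OpenVPN client profile before distributing it.
# Assumed layout: a "remote <host> <port>" line and inline <ca>, <cert>, <key> blocks.

# check_ovpn_profile FILE EXPECTED_HOST
# Returns 0 when the profile looks complete and points at EXPECTED_HOST, 1 otherwise.
check_ovpn_profile() {
    file="$1"
    expected_host="$2"
    rc=0

    [ -s "$file" ] || { echo "profile is empty or missing: $file" >&2; return 1; }

    # Carriage returns appear when the export ran through a TTY (kubectl exec -t);
    # clients then fail to parse the inline blocks.
    if grep -q "$(printf '\r')" "$file"; then
        echo "CRLF line endings found; re-export without -t or run dos2unix" >&2
        rc=1
    fi

    # Every inline block needs both its opening and closing tag.
    for block in ca cert key; do
        if ! grep -q "^<$block>$" "$file" || ! grep -q "^</$block>$" "$file"; then
            echo "missing inline <$block> block" >&2
            rc=1
        fi
    done

    # The client must connect to the published hostname, not a stale address.
    remote_host="$(awk '$1 == "remote" { print $2; exit }' "$file")"
    if [ "$remote_host" != "$expected_host" ]; then
        echo "remote is '$remote_host', expected '$expected_host'" >&2
        rc=1
    fi

    return $rc
}

# Usage: sh check_ovpn.sh example-user.ovpn vpn.myhostname.com
if [ $# -eq 2 ]; then
    check_ovpn_profile "$1" "$2"
fi
```

A non-zero exit means the profile should be regenerated rather than shipped; the messages on stderr say which check failed.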

Revoking certificates

To revoke a certificate, execute the following:

# This must be the same name the certificate was generated with
KEY_NAME=example-user

POD_NAME=$(kubectl get pods -n "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{.items[0].metadata.name}')
# Revoke the client certificate inside the pod ("--" separates kubectl flags from the command)
kubectl -n "syseleven-managed-openvpn" exec -it "$POD_NAME" -- /etc/openvpn/setup/revokeClientCert.sh "$KEY_NAME"

As with certificate creation, if you changed any configuration, check the CI pipeline deploy run for the appropriate commands.

Monitoring

Additional alertrules

  • None

Additional Grafana dashboards

  • None

Scaling Setup

  • Currently the upstream OpenVPN Helm chart is designed to run with replicas=1 only
  • Requests/limits for CPU/memory can be adjusted