Creating a VPN in K8S

VPN product

  • Product name: SoftEther VPN
  • Image version: siomiz/softethervpn:4.43 (image address)

Prerequisites

Open TCP port 30555 and UDP port 31194 in the cloud provider's security group. Only these two NodePorts need to be reachable from the Internet; the container ports 5555 and 1194 are not exposed directly.

  • Port 30555 maps to container port 5555, for SoftEther VPN
  • Port 31194 maps to container port 1194, for OpenVPN
# Create the data and log storage locations on the node that will run the pod
mkdir -p /data/k8s/softEtherVPN/data /data/k8s/softEtherVPN/logs/server_log /data/k8s/softEtherVPN/logs/packet_log /data/k8s/softEtherVPN/logs/security_log


# Create the namespace
kubectl create namespace softether-vpn

Create the service

Do not apply this YAML through Kuboard: Kuboard has a bug and does not recognize the securityContext.capabilities setting, so the NET_ADMIN capability the container needs would be silently dropped.

# vpn_server.config does not exist yet on the first run, so do not mount it yet (its mount is commented out below)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations: {}
  labels:
    k8s.kuboard.cn/name: vpn-server
  name: vpn-server
  namespace: softether-vpn
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s.kuboard.cn/name: vpn-server
  template:
    metadata:
      labels:
        k8s.kuboard.cn/name: vpn-server
    spec:
      containers:
        - env:
            - name: USERS
              value: 'qi:client'
            - name: SPW
              value: qiSPW
            - name: HPW
              value: qiHPW
          image: 'siomiz/softethervpn:4.43'
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]
          imagePullPolicy: IfNotPresent
          name: vpn-server
          ports:
            - containerPort: 5555
              protocol: TCP
            - containerPort: 1194
              protocol: UDP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /usr/vpnserver/server_log
              name: volume-mskma
            - mountPath: /usr/vpnserver/packet_log
              name: volume-2zemn
            - mountPath: /usr/vpnserver/security_log
              name: volume-43d82
            #- mountPath: /usr/vpnserver/vpn_server.config
            #  name: volume-i8i3z
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      volumes:
        - hostPath:
            path: /data/k8s/softEtherVPN/logs/server_log
            type: DirectoryOrCreate
          name: volume-mskma
        - hostPath:
            path: /data/k8s/softEtherVPN/logs/packet_log
            type: DirectoryOrCreate
          name: volume-2zemn
        - hostPath:
            path: /data/k8s/softEtherVPN/logs/security_log
            type: DirectoryOrCreate
          name: volume-43d82
        #- hostPath:
        #    path: /data/k8s/softEtherVPN/data/vpn_server.config
        #    type: FileOrCreate
        #  name: volume-i8i3z

---
apiVersion: v1
kind: Service
metadata:
  annotations: {}
  labels:
    k8s.kuboard.cn/name: vpn-server
  name: vpn-server
  namespace: softether-vpn
spec:
  ports:
    - name: mehnzd
      nodePort: 30555
      port: 5555
      protocol: TCP
      targetPort: 5555
    - name: xysfyb
      nodePort: 31194
      port: 1194
      protocol: UDP
      targetPort: 1194
  selector:
    k8s.kuboard.cn/name: vpn-server
  type: NodePort

Run kubectl apply -f vpn-server.yaml

Copy the data file

# Get the pod name
kubectl get pods -n softether-vpn

# Copy the generated config out of the pod to the host directory created earlier
kubectl cp softether-vpn/vpn-server-5478ccbc6c-wf2zl:/usr/vpnserver/vpn_server.config /data/k8s/softEtherVPN/data/vpn_server.config

# Uncomment the vpn_server.config mount lines in the YAML file
# Re-apply the manifest
kubectl apply -f vpn-server.yaml

vpn_server.config holds the hashed administrator and hub passwords and the server certificate's private key, so keep /data/k8s/softEtherVPN/data readable by root only. Note also that hostPath volumes are node-local: if the pod is rescheduled to a different node, the copied config will not be there (with type FileOrCreate an empty file is mounted instead), so pin the pod to the node that holds the data or move the data to a persistent volume.
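As an added example that is not part of the original post, the same Deployment in its final state after the copy step, with two changes a security reviewer would ask for: the credentials are moved out of the pod spec into a Kubernetes Secret, so they no longer appear in the committed manifest, in `kubectl get deploy -o yaml`, or in the Kuboard UI, and the pod is pinned to the node that holds the hostPath data. The Secret name `vpn-server-credentials`, the volume names and the node name `node-1` are assumptions; the password values are the post's placeholders and must be replaced. The Service from the post is unchanged.

```yaml
---
# Added example: credentials live in a Secret instead of plain env values.
# Assumed Secret name: vpn-server-credentials. Values are the post's
# placeholders and must be replaced before use.
apiVersion: v1
kind: Secret
metadata:
  name: vpn-server-credentials
  namespace: softether-vpn
type: Opaque
stringData:
  USERS: 'qi:client'   # same "user:password" format as the USERS env var
  SPW: qiSPW           # server administrator password
  HPW: qiHPW           # hub password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s.kuboard.cn/name: vpn-server
  name: vpn-server
  namespace: softether-vpn
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s.kuboard.cn/name: vpn-server
  template:
    metadata:
      labels:
        k8s.kuboard.cn/name: vpn-server
    spec:
      # hostPath volumes are node-local: keep the pod on the node that
      # holds /data/k8s/softEtherVPN. "node-1" is an assumed node name.
      nodeSelector:
        kubernetes.io/hostname: node-1
      containers:
        - name: vpn-server
          image: 'siomiz/softethervpn:4.43'
          imagePullPolicy: IfNotPresent
          # Every key of the Secret becomes an environment variable,
          # so the image reads USERS, SPW and HPW exactly as before.
          envFrom:
            - secretRef:
                name: vpn-server-credentials
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]
          ports:
            - containerPort: 5555
              protocol: TCP
            - containerPort: 1194
              protocol: UDP
          volumeMounts:
            - mountPath: /usr/vpnserver/server_log
              name: server-log
            - mountPath: /usr/vpnserver/packet_log
              name: packet-log
            - mountPath: /usr/vpnserver/security_log
              name: security-log
            # Only valid after vpn_server.config has been copied out of the pod
            - mountPath: /usr/vpnserver/vpn_server.config
              name: vpn-config
      volumes:
        - name: server-log
          hostPath:
            path: /data/k8s/softEtherVPN/logs/server_log
            type: DirectoryOrCreate
        - name: packet-log
          hostPath:
            path: /data/k8s/softEtherVPN/logs/packet_log
            type: DirectoryOrCreate
        - name: security-log
          hostPath:
            path: /data/k8s/softEtherVPN/logs/security_log
            type: DirectoryOrCreate
        - name: vpn-config
          hostPath:
            path: /data/k8s/softEtherVPN/data/vpn_server.config
            # "File" rather than "FileOrCreate": the pod fails to start if the
            # copy step was skipped instead of silently mounting an empty config
            type: File
```

To keep the passwords out of the YAML file entirely, drop the Secret document and create it from the command line instead (`kubectl -n softether-vpn create secret generic vpn-server-credentials --from-literal=USERS='qi:client' --from-literal=SPW=... --from-literal=HPW=...`), then apply the rest. A Secret only hides the values from the manifest and the API objects that reference it; anyone who can `kubectl exec` into the pod or read Secrets in the namespace still sees them, so RBAC on the softether-vpn namespace matters.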

Connecting to the VPN

Install the management tool

Download link

  • Component: SoftEther VPN Server Manager for Windows or SoftEther VPN Server Manager for Mac OS X
  • Download the build for your operating system

Configuration:


Host name: the actual public IP of the node

Port number: the NodePort mapped for SoftEther VPN (30555 above)

Password: the server administrator password set in the SPW environment variable

Install the client

Download link

  • Component: SoftEther VPN Client
  • Download the build for your operating system

Configuration:


Host name: the actual public IP of the node

Port number: the NodePort mapped for SoftEther VPN (30555 above)

Username/password: the user name and password set in the USERS environment variable

Verification

Once the client is connected, open CMD and run curl http://10.96.0.107; if a response comes back, the tunnel is working.

Note:

  • This IP is the ClusterIP of an nginx test pod set up earlier, which exposes port 80 (reference link). A ClusterIP is only routable from inside the cluster network, so getting a reply from it proves that traffic really goes through the VPN rather than the local network.

Problems

  • The client connected successfully but disconnected immediately and kept reconnecting. On inspection, another VPN was running on the computer; turning it off fixed it.
  • macOS cannot connect. The official client is being worked on, but it is still an experimental build and the project does not recommend it at present. Going through the OpenVPN port should be enough; I found a Mac but have not tried it!!!
Last modified: 2024-03-31