
I'm using GKE for deployments.

Edit: I need to access a customer's API endpoint which is only accessible when using their VPN. So far I can run a container which connects to this VPN and I can cURL the endpoint successfully.

For the above, I have configured a Debian docker image which successfully connects to a VPN (specifically, using Kerio Control VPN) when deployed. Whenever I make a net request from this container, it runs through the VPN connection, as expected.

I have another image which runs a .NET Core program which makes necessary HTTP requests.

From this guide I know it is possible to run a container's traffic through another using pure docker. Specifically using the --net=container:something option (trimmed the example):

docker run \
  --name=jackett \
  --net=container:vpncontainer \
  linuxserver/jackett

However, I have to use Kubernetes for this deployment so I think it would be good to use a 2-container pod. I want to keep the VPN connection logic and the program separated.

How can I achieve this?

picheto
  • Can you provide some use case? You want to access GKE using a 3rd party VPN to connect to your app. Then should those requests also go through this VPN to outside, or will it be something else? Honestly I am not sure what you want to achieve using a VPN connection to GKE using 3rd party software. Many things can be achieved using [Cloud NAT](https://cloud.google.com/nat/docs/overview) or [Cloud VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview). If you would like to bypass geolocation you can use different locations. – PjoterS Jan 18 '21 at 11:19
  • Thanks. I need to access a customer's API endpoint which is only accessible when using their VPN. So far I can run a container which connects to this VPN and I can cURL the endpoint successfully. Adding this to the question body. – picheto Jan 18 '21 at 16:49
  • It would be worth checking whether you could implement something similar to the Istio injection mechanism, where an initContainer configures the Pod's iptables and forwards all traffic to a sidecar container port which runs the envoy proxy (because Pod containers share the same network namespace, it's actually a localhost port). https://istio.io/latest/blog/2019/data-plane-setup/#sidecar-injection The auto-injection feature helps to avoid changing workload manifests. – VAS Jan 26 '21 at 16:49

3 Answers


Each container in a pod has shared network resources. If you run a VPN client in one container, then all containers in this pod will have access to the network via the VPN.

Sekru
  • Thanks. Indeed, just running the VPN container and the .NET Core program container in the same pod did the trick. – picheto Jan 28 '21 at 03:49
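An added example (not code from any answer on this page) of the two-container Pod this answer describes: the VPN client runs as a sidecar and the .NET container needs no network privileges at all, because both share the Pod's network namespace. Image names, the VPN start command and the `customer-vpn` Secret are placeholders/assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: api-client-with-vpn
spec:
  containers:
    # Sidecar: owns the VPN tunnel. The tun device and routes it creates
    # apply to every container in the Pod (shared network namespace).
    - name: vpn
      image: example.invalid/kerio-vpn-client:latest   # placeholder image
      command: ["/usr/local/bin/start-vpn.sh"]           # placeholder command
      env:
        # Credentials come from a Secret, not from the image
        - name: VPN_SERVER
          valueFrom:
            secretKeyRef: {name: customer-vpn, key: server}
        - name: VPN_USERNAME
          valueFrom:
            secretKeyRef: {name: customer-vpn, key: username}
        - name: VPN_PASSWORD
          valueFrom:
            secretKeyRef: {name: customer-vpn, key: password}
      securityContext:
        # Only the sidecar needs NET_ADMIN (tunnel interface + routes);
        # no 'privileged: true' and no hostNetwork required
        capabilities:
          add: ["NET_ADMIN"]
          drop: ["ALL"]
      volumeMounts:
        - name: tun
          mountPath: /dev/net/tun
    # Application container: unchanged .NET Core program, least privilege.
    # Its sockets simply follow the Pod routing table set up by the sidecar.
    - name: app
      image: example.invalid/dotnet-api-client:latest   # placeholder image
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
  volumes:
    # The TUN character device from the node, needed by the VPN client
    - name: tun
      hostPath:
        path: /dev/net/tun
        type: CharDevice
```

Nothing here delays the app until the tunnel is up, so the program should retry its first requests or the sidecar should expose a readiness signal.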

Based on your comment I think I can advise you two methods.

  1. Private GKE Cluster with CloudNAT

In this setup, you should use a Private GKE cluster with CloudNAT for external communication. You would need to use a manual external IP. This scenario uses a specific external IP for the VPN connection, but your customer is required to whitelist access for this IP.

  2. Site to site VPN using CloudVPN

You can configure your VPN to forward packets to your cluster. For details you should check other Stack Overflow threads:

PjoterS


I'm using a similar approach. I have a Django app whose static files I need nginx to serve. I want the app to be accessible through a VPN, for which I'm using OpenVPN. Both the nginx container and the Django container are in the same pod. My limited understanding is that it would be enough to run the VPN in the background in the nginx container and it should successfully route requests to the backend using localhost because they're in the same pod. But this doesn't seem to be working. I get a 504 Time-Out in the browser and the nginx logs confirm that the upstream timed out. Have you done anything extra to make this work in your case?

Erokos