[stable/openvpn] systemd-resolved, ip_forward, nodeport, ubuntu fixes (helm#16381)

* ipv4 forwarding init container

Signed-off-by: Kamil Szczygieł <kamil@szczygiel.io>

* typo

Signed-off-by: Kamil Szczygieł <kamil@szczygiel.io>

* openvpn: systemd-resolved, ip_forward, ubuntu fixes

    - routing / ip_forward issue and workaround
    - Ubuntu systemd-resolved and vpn gui issues
    - Move openvpn.conf to openvpn.serverConf for custom lines written to the server config file
    - Add openvpn.clientConf for custom lines written to the client config file
    - Major version bump for these breaking changes
    - If chart is deployed using NodePort service, have clients connect to NodePort instead of externalPort

Signed-off-by: Jon Stelly <967068+jonstelly@users.noreply.github.com>

* Updates per PR comments/suggestions

Signed-off-by: Jon Stelly <967068+jonstelly@users.noreply.github.com>

* remove whitespace from values.yaml

Signed-off-by: Jon Stelly <967068+jonstelly@users.noreply.github.com>

* Add newlines

- Ensure newClientCert.sh contains newlines for each config option, prevents multiple openvpn directives from ending up on same line and being invalid

Signed-off-by: Jon Stelly <967068+jonstelly@users.noreply.github.com>

Co-authored-by: Kamil Szczygieł <kamil@szczygiel.io>
2 people authored and k8s-ci-robot committed Jan 12, 2020
1 parent b6172bd commit 26b4683
Showing 5 changed files with 88 additions and 8 deletions.
2 changes: 1 addition & 1 deletion stable/openvpn/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ description: A Helm chart to install an openvpn server inside a kubernetes clust
generation is also part of the deployment, and this chart will generate client keys
as needed.
name: openvpn
version: 3.15.0
version: 4.0.0
appVersion: 1.1.0
maintainers:
- name: jasongwartz
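Review bot: the jump from 3.15.0 to 4.0.0 is the right call for the `openvpn.conf` → `openvpn.serverConf` rename in this PR, and leaving `appVersion` at 1.1.0 is correct since the OpenVPN image itself is unchanged; what is missing is a short upgrade note in the README telling existing users that a value set under `openvpn.conf` will no longer be rendered after this bump.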
42 changes: 41 additions & 1 deletion stable/openvpn/README.md
Expand Up @@ -104,7 +104,8 @@ Parameter | Description | Default
`openvpn.OVPN_K8S_SVC_NETWORK` | Kubernetes service network (optional) | `nil`
`openvpn.OVPN_K8S_SVC_SUBNET` | Kubernetes service network subnet (optional) | `nil`
`openvpn.dhcpOptionDomain` | Push a `dhcp-option DOMAIN` config | `true`
`openvpn.conf` | Arbitrary lines appended to the end of the server configuration file | `nil`
`openvpn.serverConf` | Lines appended to the end of the server configuration file (optional)| `nil`
`openvpn.clientConf` | Lines appended into the client configuration file (optional) | `nil`
`openvpn.redirectGateway` | Redirect all client traffic through VPN | `true`
`openvpn.useCrl` | Use/generate a certificate revocation list (crl.pem) | `false`
`openvpn.taKey` | Use/generate a ta.key file for hardening security | `false`
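Review bot: the new `openvpn.serverConf` row is missing a space before the column separator (`(optional)| \`nil\``), which breaks the table cell alignment; also "appended into the client configuration file" for `openvpn.clientConf` is vaguer than the serverConf wording, and the two rows should use the same phrasing.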
Expand All @@ -114,6 +115,7 @@ Parameter | Description | Default
`openvpn.iptablesExtra` | Custom iptables rules for clients | `[]`
`nodeSelector` | Node labels for pod assignment | `{}`
`tolerations` | Tolerations for node taints | `[]`
`ipForwardInitContainer` | Add privileged init container to enable IPv4 forwarding | `false`

This chart has been engineered to use kube-dns and route all network traffic to kubernetes pods and services,
to disable this behaviour set `openvpn.OVPN_K8S_POD_NETWORK` and `openvpn.OVPN_K8S_POD_SUBNET` to `null`.
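Review bot: the `ipForwardInitContainer` description should make clear what the reader is opting into: the init container runs with `privileged: true` (see the deployment template), so PodSecurityPolicy or other admission controls may reject the pod, and operators who cannot grant that should know before flipping the value.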
Expand Down Expand Up @@ -152,3 +154,41 @@ And optionally (see openvpn.taKey setting):
`/etc/openvpn/certs/pki/ta.key`

Note: using mounted secret makes creation of new client certificates impossible inside openvpn pod, since easyrsa needs to write in certs directory, which is read-only.

## Issues

### 1. Routing / ip_forward

Issue: https://github.com/helm/charts/issues/6398

If routes look correct on the client but data is not returning from the vpn then the kubernetes node running openvpn may not have ip_forward enabled. Set the `ipForwardInitContainer` value to `true` to run an init container that enables ip forwarding.

### 2. Ubuntu/systemd-resolved DNS

Recent Ubuntu releases use systemd-resolved for DNS which by default [won't honor/apply DNS settings from openvpn](https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn).

Install the update-systemd-resolved package (`apt install update-systemd-resolved`) and add the following settings to the client ovpn file.

```
script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
```

If all of your clients are Ubuntu you can set the `openvpn.clientConf` value when deploying this chart to have these lines added to all generated client ovpn files:

```yaml
openvpn:
clientConf: |
script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
```
### 3. Ubuntu Networking GUIs
Importing the client ovpn file from either of the Ubuntu network/connection management GUIs (Settings or Advanced Networking app) do not successfully import all settings. They seem to remove important parts of the configuration (DNS and Domains). The most reliable method of initiating the connection is to run `sudo openvpn --config <FILE>`.
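Review bot: two small README fixes in the new Issues section plus one caveat. "Importing the client ovpn file ... do not successfully import" should read "does not", and a blank line is needed between the closing ``` fence and the `### 3. Ubuntu Networking GUIs` heading, which some markdown renderers otherwise fold into the code block. The caveat: `script-security 2` permits the client config to execute the external `up`/`down` programs it names, and when it is delivered through `openvpn.clientConf` that permission lands in every generated client file; the text should say so plainly, so operators enable it only for clients that need the `update-systemd-resolved` hook.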
15 changes: 11 additions & 4 deletions stable/openvpn/templates/config-openvpn.yaml
Expand Up @@ -59,12 +59,19 @@ data:
client
nobind
dev tun
{{- if eq .Values.service.type "NodePort" }}
remote ${MY_IP_ADDR} {{ .Values.service.nodePort }} {{ .Values.openvpn.OVPN_PROTO }}
{{- else }}
remote ${MY_IP_ADDR} {{ .Values.service.externalPort }} {{ .Values.openvpn.OVPN_PROTO }}
{{- if .Values.openvpn.cipher }}
{{- end }}
{{ if .Values.openvpn.cipher }}
cipher {{ .Values.openvpn.cipher }}
{{- end }}
{{- if .Values.openvpn.redirectGateway }}
{{ if .Values.openvpn.redirectGateway }}
redirect-gateway def1
{{- end }}
{{ if .Values.openvpn.clientConf }}
{{ indent 6 .Values.openvpn.clientConf }}
{{- end }}
<key>
`cat ${EASY_RSA_LOC}/pki/private/$1.key`
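Review bot: two issues in the NodePort/clientConf branch. First, when `service.type` is `NodePort` but `service.nodePort` is left unset so that Kubernetes allocates one, the `remote ${MY_IP_ADDR} {{ .Values.service.nodePort }} ...` line renders with an empty port and every client file is unusable; wrapping it as `{{ required "service.nodePort must be set when service.type is NodePort" .Values.service.nodePort }}` fails at install time instead. Second, this client config is emitted from a shell heredoc that is clearly unquoted (`${MY_IP_ADDR}` and the backtick `cat` are expanded), so whatever a user puts in `openvpn.clientConf` is shell-expanded when the script runs; `$` and backticks in those lines will be interpreted rather than written through, which should either be documented or escaped before insertion. The switch from `{{- if` to `{{ if` for the cipher and redirect-gateway blocks correctly restores the newline the commit message describes.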
Expand Down Expand Up @@ -208,6 +215,6 @@ data:
{{ end }}
push "dhcp-option DNS OVPN_K8S_DNS"

{{- if .Values.openvpn.conf }}
{{ indent 6 .Values.openvpn.conf }}
{{- if .Values.openvpn.serverConf }}
{{ indent 6 .Values.openvpn.serverConf }}
{{- end -}}
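Review bot: the rename from `.Values.openvpn.conf` to `.Values.openvpn.serverConf` has no fallback, so an existing release upgraded with an old values file silently drops its custom server directives; either honour both names for one release cycle, e.g. `{{- with (default .Values.openvpn.conf .Values.openvpn.serverConf) }}`, or fail loudly with `{{ if .Values.openvpn.conf }}{{ fail "openvpn.conf was renamed to openvpn.serverConf" }}{{ end }}`.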
17 changes: 17 additions & 0 deletions stable/openvpn/templates/openvpn-deployment.yaml
Expand Up @@ -28,6 +28,23 @@ spec:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.ipForwardInitContainer }}
initContainers:
- args:
- -c
- sysctl -w net.ipv4.ip_forward=1
command:
- /bin/sh
image: busybox:1.29
imagePullPolicy: IfNotPresent
name: sysctl
resources:
requests:
cpu: 1m
memory: 1Mi
securityContext:
privileged: true
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
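Review bot: a fully privileged init container is a large grant for writing a single sysctl. `net.ipv4.ip_forward` is a namespaced sysctl, so the same effect for the pod's network namespace can be obtained without `privileged: true` through the pod's `spec.securityContext.sysctls` (`- name: net.ipv4.ip_forward`, `value: "1"`), with the trade-off that the kubelet must list it under `--allowed-unsafe-sysctls`; it is worth offering that as the default path and keeping the privileged init container as the fallback. Pinning `busybox:1.29` rather than `latest` is good; adding a `limits` block next to the `requests` would be consistent with the rest of the chart.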
20 changes: 18 additions & 2 deletions stable/openvpn/values.yaml
Expand Up @@ -32,6 +32,10 @@ service:
# podAnnotations:
# backup.ark.heptio.com/backup-volumes: certs
podAnnotations: {}

# Add privileged init container to enable IPv4 forwarding
ipForwardInitContainer: false

resources:
limits:
cpu: 300m
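Review bot: the comment on `ipForwardInitContainer` should state that the init container runs privileged, since that is the property a cluster operator has to sign off on; "Add privileged init container" mentions it only in passing and gives no hint that pod security policies may block the deployment when it is enabled.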
Expand Down Expand Up @@ -94,10 +98,22 @@ openvpn:
taKey: false
# Override default cipher
# cipher: AES-256-CBC
# Arbitrary lines appended to the end of the server configuration file
# conf: |
# Lines appended to the end of the server configuration file
# serverConf: |
# max-clients 100
# client-to-client

# Lines appended to the end of the client configuration file
# Example: if all of your clients are Ubuntu (18.04+) you may need to install
# the update-systemd-resolved package (apt install update-systemd-resolved) then
# set the following to make sure systemd-resolved routes DNS requests correctly:
# clientConf: |
# script-security 2
# up /etc/openvpn/update-systemd-resolved
# up-restart
# down /etc/openvpn/update-systemd-resolved
# down-pre

# Enable istio support for openvpn connections
istio:
enabled: false
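Review bot: the `clientConf` comment says the lines are "appended to the end of the client configuration file", but the template inserts them before the inline `<key>` block, not at the end; the comment should describe the real position so users are not surprised when they inspect a generated .ovpn file. The worked Ubuntu example is useful, but since it turns on `script-security 2` for every client, a short remark that this is only needed for the systemd-resolved hook would keep users from cargo-culting it.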